1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
/*
* include/types/quic_tls.h
* This file provides definitions for QUIC-TLS.
*
* Copyright 2019 HAProxy Technologies, Frederic Lecaille <flecaille@haproxy.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
#ifndef _TYPES_QUIC_TLS_H
#define _TYPES_QUIC_TLS_H
#ifdef USE_QUIC
#ifndef USE_OPENSSL
#error "Must define USE_OPENSSL"
#endif
#include <openssl/evp.h>
/* It seems TLS 1.3 ciphersuites macros differ between openssl and boringssl */
#if defined(OPENSSL_IS_BORINGSSL)
#if !defined(TLS1_3_CK_AES_128_GCM_SHA256)
#define TLS1_3_CK_AES_128_GCM_SHA256 TLS1_CK_AES_128_GCM_SHA256
#endif
#if !defined(TLS1_3_CK_AES_256_GCM_SHA384)
#define TLS1_3_CK_AES_256_GCM_SHA384 TLS1_CK_AES_256_GCM_SHA384
#endif
#if !defined(TLS1_3_CK_CHACHA20_POLY1305_SHA256)
#define TLS1_3_CK_CHACHA20_POLY1305_SHA256 TLS1_CK_CHACHA20_POLY1305_SHA256
#endif
#if !defined(TLS1_3_CK_AES_128_CCM_SHA256)
/* Note that TLS1_CK_AES_128_CCM_SHA256 is not defined in boringssl */
#define TLS1_3_CK_AES_128_CCM_SHA256 0x03001304
#endif
#endif
/* AEAD iv and secrete key lengths */
#define QUIC_TLS_IV_LEN 12 /* bytes */
#define QUIC_TLS_KEY_LEN 32 /* bytes */
#define QUIC_TLS_SECRET_LEN 64 /* bytes */
/* The ciphersuites for AEAD QUIC-TLS have 16-bytes authentication tags */
#define QUIC_TLS_TAG_LEN 16 /* bytes */
/* The TLS extensions for QUIC transport parameters */
#define TLS_EXTENSION_QUIC_TRANSPORT_PARAMETERS 0x0039
#define TLS_EXTENSION_QUIC_TRANSPORT_PARAMETERS_DRAFT 0xffa5
extern struct pool_head *pool_head_quic_tls_secret;
extern struct pool_head *pool_head_quic_tls_iv;
extern struct pool_head *pool_head_quic_tls_key;
#define QUIC_HKDF_KEY_LABEL_V1 "quic key"
#define QUIC_HKDF_IV_LABEL_V1 "quic iv"
#define QUIC_HKDF_HP_LABEL_V1 "quic hp"
#define QUIC_HKDF_KU_LABEL_V1 "quic ku"
#define QUIC_HKDF_KEY_LABEL_V2 "quicv2 key"
#define QUIC_HKDF_IV_LABEL_V2 "quicv2 iv"
#define QUIC_HKDF_HP_LABEL_V2 "quicv2 hp"
#define QUIC_HKDF_KU_LABEL_V2 "quicv2 ku"
#define QUIC_TLS_RETRY_KEY_DRAFT \
"\xcc\xce\x18\x7e\xd0\x9a\x09\xd0\x57\x28\x15\x5a\x6c\xb9\x6b\xe1"
#define QUIC_TLS_RETRY_NONCE_DRAFT \
"\xe5\x49\x30\xf9\x7f\x21\x36\xf0\x53\x0a\x8c\x1c"
#define QUIC_TLS_RETRY_KEY_V1 \
"\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e"
#define QUIC_TLS_RETRY_NONCE_V1 \
"\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb"
#define QUIC_TLS_RETRY_KEY_V2_DRAFT \
"\xba\x85\x8d\xc7\xb4\x3d\xe5\xdb\xf8\x76\x17\xff\x4a\xb2\x53\xdb"
#define QUIC_TLS_RETRY_NONCE_V2_DRAFT \
"\x14\x1b\x99\xc2\x39\xb0\x3e\x78\x5d\x6a\x2e\x9f"
/* QUIC handshake states for both clients and servers. */
enum quic_handshake_state {
QUIC_HS_ST_CLIENT_HANDSHAKE_FAILED,
QUIC_HS_ST_SERVER_HANDSHAKE_FAILED,
QUIC_HS_ST_CLIENT_INITIAL,
QUIC_HS_ST_CLIENT_HANDSHAKE,
QUIC_HS_ST_SERVER_INITIAL,
QUIC_HS_ST_SERVER_HANDSHAKE,
/* Common to servers and clients */
QUIC_HS_ST_COMPLETE,
QUIC_HS_ST_CONFIRMED,
};
/* QUIC TLS level encryption */
enum quic_tls_enc_level {
QUIC_TLS_ENC_LEVEL_NONE = -1,
QUIC_TLS_ENC_LEVEL_INITIAL,
QUIC_TLS_ENC_LEVEL_EARLY_DATA,
QUIC_TLS_ENC_LEVEL_HANDSHAKE,
QUIC_TLS_ENC_LEVEL_APP,
/* Please do not insert any value after this following one */
QUIC_TLS_ENC_LEVEL_MAX,
};
/* QUIC packet number spaces */
enum quic_tls_pktns {
QUIC_TLS_PKTNS_INITIAL,
QUIC_TLS_PKTNS_HANDSHAKE,
QUIC_TLS_PKTNS_01RTT,
/* Please do not insert any value after this following one */
QUIC_TLS_PKTNS_MAX,
};
extern unsigned char initial_salt[20];
extern const unsigned char initial_salt_draft_29[20];
extern const unsigned char initial_salt_v1[20];
extern const unsigned char initial_salt_v2_draft[20];
/* Key phase used for Key Update */
struct quic_tls_kp {
EVP_CIPHER_CTX *ctx;
unsigned char *secret;
size_t secretlen;
unsigned char *iv;
size_t ivlen;
unsigned char *key;
size_t keylen;
uint64_t count;
int64_t pn;
unsigned char flags;
};
/* Key update phase bit */
#define QUIC_FL_TLS_KP_BIT_SET (1 << 0)
/* Flag to be used when TLS secrets have been discarded. */
#define QUIC_FL_TLS_SECRETS_DCD (1 << 1)
struct quic_tls_secrets {
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *aead;
const EVP_MD *md;
EVP_CIPHER_CTX *hp_ctx;
const EVP_CIPHER *hp;
unsigned char *secret;
size_t secretlen;
/* Header protection key.
* Note: the header protection is applied after packet protection.
* As the header belong to the data, its protection must be removed before removing
* the packet protection.
*/
unsigned char hp_key[32];
unsigned char *iv;
size_t ivlen;
unsigned char *key;
size_t keylen;
int64_t pn;
};
struct quic_tls_ctx {
struct quic_tls_secrets rx;
struct quic_tls_secrets tx;
unsigned char flags;
};
#endif /* USE_QUIC */
#endif /* _TYPES_QUIC_TLS_H */
|
