quic-go/internal/handshake/aead.go

package handshake

import (
	"crypto/cipher"
	"encoding/binary"

	"github.com/lucas-clemente/quic-go/internal/protocol"
	"github.com/lucas-clemente/quic-go/internal/qtls"
	"github.com/lucas-clemente/quic-go/internal/utils"
)

func createAEAD(suite *qtls.CipherSuiteTLS13, trafficSecret []byte) cipher.AEAD {
	key := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic key", suite.KeyLen)
	iv := hkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic iv", suite.IVLen())
	return suite.AEAD(key, iv)
}

type longHeaderSealer struct {
	aead            cipher.AEAD
	headerProtector headerProtector

	// use a single slice to avoid allocations
	nonceBuf []byte
}

var _ LongHeaderSealer = &longHeaderSealer{}

func newLongHeaderSealer(aead cipher.AEAD, headerProtector headerProtector) LongHeaderSealer {
	return &longHeaderSealer{
		aead:            aead,
		headerProtector: headerProtector,
		nonceBuf:        make([]byte, aead.NonceSize()),
	}
}

func (s *longHeaderSealer) Seal(dst, src []byte, pn protocol.PacketNumber, ad []byte) []byte {
	binary.BigEndian.PutUint64(s.nonceBuf[len(s.nonceBuf)-8:], uint64(pn))
	// The AEAD we're using here will be the qtls.aeadAESGCM13.
	// It uses the nonce provided here and XOR it with the IV.
	return s.aead.Seal(dst, s.nonceBuf, src, ad)
}

func (s *longHeaderSealer) EncryptHeader(sample []byte, firstByte *byte, pnBytes []byte) {
	s.headerProtector.EncryptHeader(sample, firstByte, pnBytes)
}

func (s *longHeaderSealer) Overhead() int {
	return s.aead.Overhead()
}

type longHeaderOpener struct {
	aead            cipher.AEAD
	headerProtector headerProtector
	highestRcvdPN   protocol.PacketNumber // highest packet number received (which could be successfully unprotected)

	// use a single slice to avoid allocations
	nonceBuf []byte
}

var _ LongHeaderOpener = &longHeaderOpener{}

func newLongHeaderOpener(aead cipher.AEAD, headerProtector headerProtector) LongHeaderOpener {
	return &longHeaderOpener{
		aead:            aead,
		headerProtector: headerProtector,
		nonceBuf:        make([]byte, aead.NonceSize()),
	}
}

func (o *longHeaderOpener) DecodePacketNumber(wirePN protocol.PacketNumber, wirePNLen protocol.PacketNumberLen) protocol.PacketNumber {
	return protocol.DecodePacketNumber(wirePNLen, o.highestRcvdPN, wirePN)
}

func (o *longHeaderOpener) Open(dst, src []byte, pn protocol.PacketNumber, ad []byte) ([]byte, error) {
	binary.BigEndian.PutUint64(o.nonceBuf[len(o.nonceBuf)-8:], uint64(pn))
	// The AEAD we're using here will be the qtls.aeadAESGCM13.
	// It uses the nonce provided here and XOR it with the IV.
	dec, err := o.aead.Open(dst, o.nonceBuf, src, ad)
	if err == nil {
		o.highestRcvdPN = utils.MaxPacketNumber(o.highestRcvdPN, pn)
	} else {
		err = ErrDecryptionFailed
	}
	return dec, err
}

func (o *longHeaderOpener) DecryptHeader(sample []byte, firstByte *byte, pnBytes []byte) {
	o.headerProtector.DecryptHeader(sample, firstByte, pnBytes)
}

type handshakeSealer struct {
	LongHeaderSealer

	dropInitialKeys func()
	dropped         bool
}

func newHandshakeSealer(
	aead cipher.AEAD,
	headerProtector headerProtector,
	dropInitialKeys func(),
	perspective protocol.Perspective,
) LongHeaderSealer {
	sealer := newLongHeaderSealer(aead, headerProtector)
	// The client drops Initial keys when sending the first Handshake packet.
	if perspective == protocol.PerspectiveServer {
		return sealer
	}
	return &handshakeSealer{
		LongHeaderSealer: sealer,
		dropInitialKeys:  dropInitialKeys,
	}
}

func (s *handshakeSealer) Seal(dst, src []byte, pn protocol.PacketNumber, ad []byte) []byte {
	data := s.LongHeaderSealer.Seal(dst, src, pn, ad)
	if !s.dropped {
		s.dropInitialKeys()
		s.dropped = true
	}
	return data
}

type handshakeOpener struct {
	LongHeaderOpener

	dropInitialKeys func()
	dropped         bool
}

func newHandshakeOpener(
	aead cipher.AEAD,
	headerProtector headerProtector,
	dropInitialKeys func(),
	perspective protocol.Perspective,
) LongHeaderOpener {
	opener := newLongHeaderOpener(aead, headerProtector)
	// The server drops Initial keys when first successfully processing a Handshake packet.
	if perspective == protocol.PerspectiveClient {
		return opener
	}
	return &handshakeOpener{
		LongHeaderOpener: opener,
		dropInitialKeys:  dropInitialKeys,
	}
}

func (o *handshakeOpener) Open(dst, src []byte, pn protocol.PacketNumber, ad []byte) ([]byte, error) {
	dec, err := o.LongHeaderOpener.Open(dst, src, pn, ad)
	if err == nil && !o.dropped {
		o.dropInitialKeys()
		o.dropped = true
	}
	return dec, err
}