1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2021 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_quic.h"
26
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <netdb.h>
30 #include <netinet/udp.h>
31
32 #include <array>
33 #include <chrono>
34
35 #include <ngtcp2/ngtcp2_crypto.h>
36
37 #include <nghttp3/nghttp3.h>
38
39 #include <openssl/rand.h>
40
41 #include "shrpx_config.h"
42 #include "shrpx_log.h"
43 #include "util.h"
44 #include "xsi_strerror.h"
45
operator ==(const ngtcp2_cid & lhs,const ngtcp2_cid & rhs)46 bool operator==(const ngtcp2_cid &lhs, const ngtcp2_cid &rhs) {
47 return ngtcp2_cid_eq(&lhs, &rhs);
48 }
49
50 namespace shrpx {
51
quic_timestamp()52 ngtcp2_tstamp quic_timestamp() {
53 return std::chrono::duration_cast<std::chrono::nanoseconds>(
54 std::chrono::steady_clock::now().time_since_epoch())
55 .count();
56 }
57
quic_send_packet(const UpstreamAddr * faddr,const sockaddr * remote_sa,size_t remote_salen,const sockaddr * local_sa,size_t local_salen,const ngtcp2_pkt_info & pi,const uint8_t * data,size_t datalen,size_t gso_size)58 int quic_send_packet(const UpstreamAddr *faddr, const sockaddr *remote_sa,
59 size_t remote_salen, const sockaddr *local_sa,
60 size_t local_salen, const ngtcp2_pkt_info &pi,
61 const uint8_t *data, size_t datalen, size_t gso_size) {
62 iovec msg_iov = {const_cast<uint8_t *>(data), datalen};
63 msghdr msg{};
64 msg.msg_name = const_cast<sockaddr *>(remote_sa);
65 msg.msg_namelen = remote_salen;
66 msg.msg_iov = &msg_iov;
67 msg.msg_iovlen = 1;
68
69 uint8_t msg_ctrl[
70 #ifdef UDP_SEGMENT
71 CMSG_SPACE(sizeof(uint16_t)) +
72 #endif // UDP_SEGMENT
73 CMSG_SPACE(sizeof(in6_pktinfo))];
74
75 memset(msg_ctrl, 0, sizeof(msg_ctrl));
76
77 msg.msg_control = msg_ctrl;
78 msg.msg_controllen = sizeof(msg_ctrl);
79
80 size_t controllen = 0;
81
82 auto cm = CMSG_FIRSTHDR(&msg);
83
84 switch (local_sa->sa_family) {
85 case AF_INET: {
86 controllen += CMSG_SPACE(sizeof(in_pktinfo));
87 cm->cmsg_level = IPPROTO_IP;
88 cm->cmsg_type = IP_PKTINFO;
89 cm->cmsg_len = CMSG_LEN(sizeof(in_pktinfo));
90 auto pktinfo = reinterpret_cast<in_pktinfo *>(CMSG_DATA(cm));
91 memset(pktinfo, 0, sizeof(in_pktinfo));
92 auto addrin =
93 reinterpret_cast<sockaddr_in *>(const_cast<sockaddr *>(local_sa));
94 pktinfo->ipi_spec_dst = addrin->sin_addr;
95 break;
96 }
97 case AF_INET6: {
98 controllen += CMSG_SPACE(sizeof(in6_pktinfo));
99 cm->cmsg_level = IPPROTO_IPV6;
100 cm->cmsg_type = IPV6_PKTINFO;
101 cm->cmsg_len = CMSG_LEN(sizeof(in6_pktinfo));
102 auto pktinfo = reinterpret_cast<in6_pktinfo *>(CMSG_DATA(cm));
103 memset(pktinfo, 0, sizeof(in6_pktinfo));
104 auto addrin =
105 reinterpret_cast<sockaddr_in6 *>(const_cast<sockaddr *>(local_sa));
106 pktinfo->ipi6_addr = addrin->sin6_addr;
107 break;
108 }
109 default:
110 assert(0);
111 }
112
113 #ifdef UDP_SEGMENT
114 if (gso_size && datalen > gso_size) {
115 controllen += CMSG_SPACE(sizeof(uint16_t));
116 cm = CMSG_NXTHDR(&msg, cm);
117 cm->cmsg_level = SOL_UDP;
118 cm->cmsg_type = UDP_SEGMENT;
119 cm->cmsg_len = CMSG_LEN(sizeof(uint16_t));
120 *(reinterpret_cast<uint16_t *>(CMSG_DATA(cm))) = gso_size;
121 }
122 #endif // UDP_SEGMENT
123
124 msg.msg_controllen = controllen;
125
126 util::fd_set_send_ecn(faddr->fd, local_sa->sa_family, pi.ecn);
127
128 ssize_t nwrite;
129
130 do {
131 nwrite = sendmsg(faddr->fd, &msg, 0);
132 } while (nwrite == -1 && errno == EINTR);
133
134 if (nwrite == -1) {
135 if (LOG_ENABLED(INFO)) {
136 auto error = errno;
137 LOG(INFO) << "sendmsg failed: errno=" << error;
138 }
139
140 return -errno;
141 }
142
143 if (LOG_ENABLED(INFO)) {
144 LOG(INFO) << "QUIC sent packet: local="
145 << util::to_numeric_addr(local_sa, local_salen)
146 << " remote=" << util::to_numeric_addr(remote_sa, remote_salen)
147 << " ecn=" << log::hex << pi.ecn << log::dec << " " << nwrite
148 << " bytes";
149 }
150
151 return 0;
152 }
153
generate_quic_retry_connection_id(ngtcp2_cid & cid,size_t cidlen,const uint8_t * server_id,uint8_t km_id,const uint8_t * key)154 int generate_quic_retry_connection_id(ngtcp2_cid &cid, size_t cidlen,
155 const uint8_t *server_id, uint8_t km_id,
156 const uint8_t *key) {
157 assert(cidlen == SHRPX_QUIC_SCIDLEN);
158
159 if (RAND_bytes(cid.data, cidlen) != 1) {
160 return -1;
161 }
162
163 cid.datalen = cidlen;
164
165 cid.data[0] = (cid.data[0] & 0x3f) | km_id;
166
167 auto p = cid.data + SHRPX_QUIC_CID_PREFIX_OFFSET;
168
169 std::copy_n(server_id, SHRPX_QUIC_SERVER_IDLEN, p);
170
171 return encrypt_quic_connection_id(p, p, key);
172 }
173
generate_quic_connection_id(ngtcp2_cid & cid,size_t cidlen,const uint8_t * cid_prefix,uint8_t km_id,const uint8_t * key)174 int generate_quic_connection_id(ngtcp2_cid &cid, size_t cidlen,
175 const uint8_t *cid_prefix, uint8_t km_id,
176 const uint8_t *key) {
177 assert(cidlen == SHRPX_QUIC_SCIDLEN);
178
179 if (RAND_bytes(cid.data, cidlen) != 1) {
180 return -1;
181 }
182
183 cid.datalen = cidlen;
184
185 cid.data[0] = (cid.data[0] & 0x3f) | km_id;
186
187 auto p = cid.data + SHRPX_QUIC_CID_PREFIX_OFFSET;
188
189 std::copy_n(cid_prefix, SHRPX_QUIC_CID_PREFIXLEN, p);
190
191 return encrypt_quic_connection_id(p, p, key);
192 }
193
encrypt_quic_connection_id(uint8_t * dest,const uint8_t * src,const uint8_t * key)194 int encrypt_quic_connection_id(uint8_t *dest, const uint8_t *src,
195 const uint8_t *key) {
196 auto ctx = EVP_CIPHER_CTX_new();
197 auto d = defer(EVP_CIPHER_CTX_free, ctx);
198
199 if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), nullptr, key, nullptr)) {
200 return -1;
201 }
202
203 EVP_CIPHER_CTX_set_padding(ctx, 0);
204
205 int len;
206
207 if (!EVP_EncryptUpdate(ctx, dest, &len, src, SHRPX_QUIC_DECRYPTED_DCIDLEN) ||
208 !EVP_EncryptFinal_ex(ctx, dest + len, &len)) {
209 return -1;
210 }
211
212 return 0;
213 }
214
decrypt_quic_connection_id(uint8_t * dest,const uint8_t * src,const uint8_t * key)215 int decrypt_quic_connection_id(uint8_t *dest, const uint8_t *src,
216 const uint8_t *key) {
217 auto ctx = EVP_CIPHER_CTX_new();
218 auto d = defer(EVP_CIPHER_CTX_free, ctx);
219
220 if (!EVP_DecryptInit_ex(ctx, EVP_aes_128_ecb(), nullptr, key, nullptr)) {
221 return -1;
222 }
223
224 EVP_CIPHER_CTX_set_padding(ctx, 0);
225
226 int len;
227
228 if (!EVP_DecryptUpdate(ctx, dest, &len, src, SHRPX_QUIC_DECRYPTED_DCIDLEN) ||
229 !EVP_DecryptFinal_ex(ctx, dest + len, &len)) {
230 return -1;
231 }
232
233 return 0;
234 }
235
generate_quic_hashed_connection_id(ngtcp2_cid & dest,const Address & remote_addr,const Address & local_addr,const ngtcp2_cid & cid)236 int generate_quic_hashed_connection_id(ngtcp2_cid &dest,
237 const Address &remote_addr,
238 const Address &local_addr,
239 const ngtcp2_cid &cid) {
240 auto ctx = EVP_MD_CTX_new();
241 auto d = defer(EVP_MD_CTX_free, ctx);
242
243 std::array<uint8_t, 32> h;
244 unsigned int hlen = EVP_MD_size(EVP_sha256());
245
246 if (!EVP_DigestInit_ex(ctx, EVP_sha256(), nullptr) ||
247 !EVP_DigestUpdate(ctx, &remote_addr.su.sa, remote_addr.len) ||
248 !EVP_DigestUpdate(ctx, &local_addr.su.sa, local_addr.len) ||
249 !EVP_DigestUpdate(ctx, cid.data, cid.datalen) ||
250 !EVP_DigestFinal_ex(ctx, h.data(), &hlen)) {
251 return -1;
252 }
253
254 assert(hlen == h.size());
255
256 std::copy_n(std::begin(h), sizeof(dest.data), std::begin(dest.data));
257 dest.datalen = sizeof(dest.data);
258
259 return 0;
260 }
261
generate_quic_stateless_reset_token(uint8_t * token,const ngtcp2_cid & cid,const uint8_t * secret,size_t secretlen)262 int generate_quic_stateless_reset_token(uint8_t *token, const ngtcp2_cid &cid,
263 const uint8_t *secret,
264 size_t secretlen) {
265 if (ngtcp2_crypto_generate_stateless_reset_token(token, secret, secretlen,
266 &cid) != 0) {
267 return -1;
268 }
269
270 return 0;
271 }
272
generate_retry_token(uint8_t * token,size_t & tokenlen,uint32_t version,const sockaddr * sa,socklen_t salen,const ngtcp2_cid & retry_scid,const ngtcp2_cid & odcid,const uint8_t * secret,size_t secretlen)273 int generate_retry_token(uint8_t *token, size_t &tokenlen, uint32_t version,
274 const sockaddr *sa, socklen_t salen,
275 const ngtcp2_cid &retry_scid, const ngtcp2_cid &odcid,
276 const uint8_t *secret, size_t secretlen) {
277 auto t = std::chrono::duration_cast<std::chrono::nanoseconds>(
278 std::chrono::system_clock::now().time_since_epoch())
279 .count();
280
281 auto stokenlen = ngtcp2_crypto_generate_retry_token(
282 token, secret, secretlen, version, sa, salen, &retry_scid, &odcid, t);
283 if (stokenlen < 0) {
284 return -1;
285 }
286
287 tokenlen = stokenlen;
288
289 return 0;
290 }
291
verify_retry_token(ngtcp2_cid & odcid,const uint8_t * token,size_t tokenlen,uint32_t version,const ngtcp2_cid & dcid,const sockaddr * sa,socklen_t salen,const uint8_t * secret,size_t secretlen)292 int verify_retry_token(ngtcp2_cid &odcid, const uint8_t *token, size_t tokenlen,
293 uint32_t version, const ngtcp2_cid &dcid,
294 const sockaddr *sa, socklen_t salen,
295 const uint8_t *secret, size_t secretlen) {
296
297 auto t = std::chrono::duration_cast<std::chrono::nanoseconds>(
298 std::chrono::system_clock::now().time_since_epoch())
299 .count();
300
301 if (ngtcp2_crypto_verify_retry_token(&odcid, token, tokenlen, secret,
302 secretlen, version, sa, salen, &dcid,
303 10 * NGTCP2_SECONDS, t) != 0) {
304 return -1;
305 }
306
307 return 0;
308 }
309
generate_token(uint8_t * token,size_t & tokenlen,const sockaddr * sa,size_t salen,const uint8_t * secret,size_t secretlen)310 int generate_token(uint8_t *token, size_t &tokenlen, const sockaddr *sa,
311 size_t salen, const uint8_t *secret, size_t secretlen) {
312 auto t = std::chrono::duration_cast<std::chrono::nanoseconds>(
313 std::chrono::system_clock::now().time_since_epoch())
314 .count();
315
316 auto stokenlen = ngtcp2_crypto_generate_regular_token(
317 token, secret, secretlen, sa, salen, t);
318 if (stokenlen < 0) {
319 return -1;
320 }
321
322 tokenlen = stokenlen;
323
324 return 0;
325 }
326
verify_token(const uint8_t * token,size_t tokenlen,const sockaddr * sa,socklen_t salen,const uint8_t * secret,size_t secretlen)327 int verify_token(const uint8_t *token, size_t tokenlen, const sockaddr *sa,
328 socklen_t salen, const uint8_t *secret, size_t secretlen) {
329 auto t = std::chrono::duration_cast<std::chrono::nanoseconds>(
330 std::chrono::system_clock::now().time_since_epoch())
331 .count();
332
333 if (ngtcp2_crypto_verify_regular_token(token, tokenlen, secret, secretlen, sa,
334 salen, 3600 * NGTCP2_SECONDS,
335 t) != 0) {
336 return -1;
337 }
338
339 return 0;
340 }
341
generate_quic_connection_id_encryption_key(uint8_t * key,size_t keylen,const uint8_t * secret,size_t secretlen,const uint8_t * salt,size_t saltlen)342 int generate_quic_connection_id_encryption_key(uint8_t *key, size_t keylen,
343 const uint8_t *secret,
344 size_t secretlen,
345 const uint8_t *salt,
346 size_t saltlen) {
347 constexpr uint8_t info[] = "connection id encryption key";
348 ngtcp2_crypto_md sha256;
349 ngtcp2_crypto_md_init(
350 &sha256, reinterpret_cast<void *>(const_cast<EVP_MD *>(EVP_sha256())));
351
352 if (ngtcp2_crypto_hkdf(key, keylen, &sha256, secret, secretlen, salt, saltlen,
353 info, str_size(info)) != 0) {
354 return -1;
355 }
356
357 return 0;
358 }
359
360 const QUICKeyingMaterial *
select_quic_keying_material(const QUICKeyingMaterials & qkms,uint8_t km_id)361 select_quic_keying_material(const QUICKeyingMaterials &qkms, uint8_t km_id) {
362 for (auto &qkm : qkms.keying_materials) {
363 if (km_id == qkm.id) {
364 return &qkm;
365 }
366 }
367
368 return &qkms.keying_materials.front();
369 }
370
371 } // namespace shrpx
372