blob: 5dc39d1d9d817cd6608338184b977649b6e2e118 [file] [log] [blame]
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build go1.21
package quic
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/binary"
"net/netip"
"time"
"golang.org/x/crypto/chacha20poly1305"
)
// AEAD and nonce used to compute the Retry Integrity Tag.
// https://www.rfc-editor.org/rfc/rfc9001#section-5.8
var (
retrySecret = []byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e}
retryNonce = []byte{0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb}
retryAEAD = func() cipher.AEAD {
c, err := aes.NewCipher(retrySecret)
if err != nil {
panic(err)
}
aead, err := cipher.NewGCM(c)
if err != nil {
panic(err)
}
return aead
}()
)
// retryTokenValidityPeriod is how long we accept a Retry packet token after sending it.
const retryTokenValidityPeriod = 5 * time.Second
// retryState generates and validates an endpoint's retry tokens.
type retryState struct {
aead cipher.AEAD
}
func (rs *retryState) init() error {
// Retry tokens are authenticated using a per-server key chosen at start time.
// TODO: Provide a way for the user to set this key.
secret := make([]byte, chacha20poly1305.KeySize)
if _, err := rand.Read(secret); err != nil {
return err
}
aead, err := chacha20poly1305.NewX(secret)
if err != nil {
panic(err)
}
rs.aead = aead
return nil
}
// Retry tokens are encrypted with an AEAD.
// The plaintext contains the time the token was created and
// the original destination connection ID.
// The additional data contains the sender's source address and original source connection ID.
// The token nonce is randomly generated.
// We use the nonce as the Source Connection ID of the Retry packet.
// Since the 24-byte XChaCha20-Poly1305 nonce is too large to fit in a 20-byte connection ID,
// we include the remaining 4 bytes of nonce in the token.
//
// Token {
// Last 4 Bytes of Nonce (32),
// Ciphertext (..),
// }
//
// Plaintext {
// Timestamp (64),
// Original Destination Connection ID,
// }
//
//
// Additional Data {
// Original Source Connection ID Length (8),
// Original Source Connection ID (..),
// IP Address (32..128),
// Port (16),
// }
//
// TODO: Consider using AES-256-GCM-SIV once crypto/tls supports it.
func (rs *retryState) makeToken(now time.Time, srcConnID, origDstConnID []byte, addr netip.AddrPort) (token, newDstConnID []byte, err error) {
nonce := make([]byte, rs.aead.NonceSize())
if _, err := rand.Read(nonce); err != nil {
return nil, nil, err
}
var plaintext []byte
plaintext = binary.BigEndian.AppendUint64(plaintext, uint64(now.Unix()))
plaintext = append(plaintext, origDstConnID...)
token = append(token, nonce[maxConnIDLen:]...)
token = rs.aead.Seal(token, nonce, plaintext, rs.additionalData(srcConnID, addr))
return token, nonce[:maxConnIDLen], nil
}
func (rs *retryState) validateToken(now time.Time, token, srcConnID, dstConnID []byte, addr netip.AddrPort) (origDstConnID []byte, ok bool) {
tokenNonceLen := rs.aead.NonceSize() - maxConnIDLen
if len(token) < tokenNonceLen {
return nil, false
}
nonce := append([]byte{}, dstConnID...)
nonce = append(nonce, token[:tokenNonceLen]...)
ciphertext := token[tokenNonceLen:]
plaintext, err := rs.aead.Open(nil, nonce, ciphertext, rs.additionalData(srcConnID, addr))
if err != nil {
return nil, false
}
if len(plaintext) < 8 {
return nil, false
}
when := time.Unix(int64(binary.BigEndian.Uint64(plaintext)), 0)
origDstConnID = plaintext[8:]
// We allow for tokens created in the future (up to the validity period),
// which likely indicates that the system clock was adjusted backwards.
if d := abs(now.Sub(when)); d > retryTokenValidityPeriod {
return nil, false
}
return origDstConnID, true
}
func (rs *retryState) additionalData(srcConnID []byte, addr netip.AddrPort) []byte {
var additional []byte
additional = appendUint8Bytes(additional, srcConnID)
additional = append(additional, addr.Addr().AsSlice()...)
additional = binary.BigEndian.AppendUint16(additional, addr.Port())
return additional
}
func (e *Endpoint) validateInitialAddress(now time.Time, p genericLongPacket, peerAddr netip.AddrPort) (origDstConnID []byte, ok bool) {
// The retry token is at the start of an Initial packet's data.
token, n := consumeUint8Bytes(p.data)
if n < 0 {
// We've already validated that the packet is at least 1200 bytes long,
// so there's no way for even a maximum size token to not fit.
// Check anyway.
return nil, false
}
if len(token) == 0 {
// The sender has not provided a token.
// Send a Retry packet to them with one.
e.sendRetry(now, p, peerAddr)
return nil, false
}
origDstConnID, ok = e.retry.validateToken(now, token, p.srcConnID, p.dstConnID, peerAddr)
if !ok {
// This does not seem to be a valid token.
// Close the connection with an INVALID_TOKEN error.
// https://www.rfc-editor.org/rfc/rfc9000#section-8.1.2-5
e.sendConnectionClose(p, peerAddr, errInvalidToken)
return nil, false
}
return origDstConnID, true
}
func (e *Endpoint) sendRetry(now time.Time, p genericLongPacket, peerAddr netip.AddrPort) {
token, srcConnID, err := e.retry.makeToken(now, p.srcConnID, p.dstConnID, peerAddr)
if err != nil {
return
}
b := encodeRetryPacket(p.dstConnID, retryPacket{
dstConnID: p.srcConnID,
srcConnID: srcConnID,
token: token,
})
e.sendDatagram(datagram{
b: b,
peerAddr: peerAddr,
})
}
type retryPacket struct {
dstConnID []byte
srcConnID []byte
token []byte
}
func encodeRetryPacket(originalDstConnID []byte, p retryPacket) []byte {
// Retry packets include an integrity tag, computed by AEAD_AES_128_GCM over
// the original destination connection ID followed by the Retry packet
// (less the integrity tag itself).
// https://www.rfc-editor.org/rfc/rfc9001#section-5.8
//
// Create the pseudo-packet (including the original DCID), append the tag,
// and return the Retry packet.
var b []byte
b = appendUint8Bytes(b, originalDstConnID) // Original Destination Connection ID
start := len(b) // start of the Retry packet
b = append(b, headerFormLong|fixedBit|longPacketTypeRetry)
b = binary.BigEndian.AppendUint32(b, quicVersion1) // Version
b = appendUint8Bytes(b, p.dstConnID) // Destination Connection ID
b = appendUint8Bytes(b, p.srcConnID) // Source Connection ID
b = append(b, p.token...) // Token
b = retryAEAD.Seal(b, retryNonce, nil, b) // Retry Integrity Tag
return b[start:]
}
func parseRetryPacket(b, origDstConnID []byte) (p retryPacket, ok bool) {
const retryIntegrityTagLength = 128 / 8
lp, ok := parseGenericLongHeaderPacket(b)
if !ok {
return retryPacket{}, false
}
if len(lp.data) < retryIntegrityTagLength {
return retryPacket{}, false
}
gotTag := lp.data[len(lp.data)-retryIntegrityTagLength:]
// Create the pseudo-packet consisting of the original destination connection ID
// followed by the Retry packet (less the integrity tag).
// Use this to validate the packet integrity tag.
pseudo := appendUint8Bytes(nil, origDstConnID)
pseudo = append(pseudo, b[:len(b)-retryIntegrityTagLength]...)
wantTag := retryAEAD.Seal(nil, retryNonce, nil, pseudo)
if !bytes.Equal(gotTag, wantTag) {
return retryPacket{}, false
}
token := lp.data[:len(lp.data)-retryIntegrityTagLength]
return retryPacket{
dstConnID: lp.dstConnID,
srcConnID: lp.srcConnID,
token: token,
}, true
}