Line data Source code
1 : #include "fd_quic_common.h"
2 : #include "fd_quic_retry_private.h"
3 : #include "crypto/fd_quic_crypto_suites.h"
4 : #include "fd_quic_conn_id.h"
5 : #include "fd_quic_enum.h"
6 : #include "fd_quic_private.h"
7 : #include "../../ballet/aes/fd_aes_gcm.h"
8 : #include <assert.h>
9 :
10 : FD_STATIC_ASSERT( FD_QUIC_RETRY_LOCAL_SZ==
11 : FD_QUIC_MAX_FOOTPRINT(retry_hdr) +
12 : sizeof(fd_quic_retry_token_t) +
13 : FD_QUIC_CRYPTO_TAG_SZ,
14 : layout );
15 :
16 : ulong
17 : fd_quic_retry_pseudo(
18 : uchar out[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ],
19 : void const * retry_pkt,
20 : ulong retry_pkt_sz,
21 6002838 : fd_quic_conn_id_t const * orig_dst_conn_id ) {
22 :
23 6002838 : if( FD_UNLIKELY( retry_pkt_sz <= FD_QUIC_CRYPTO_TAG_SZ ||
24 6002838 : retry_pkt_sz > FD_QUIC_RETRY_MAX_SZ ) ) {
25 0 : return FD_QUIC_PARSE_FAIL;
26 0 : }
27 :
28 : /* Retry Pseudo-Packet {
29 : ODCID Length (8),
30 : Original Destination Connection ID (0..160),
31 : Header Form (1) = 1,
32 : Fixed Bit (1) = 1,
33 : Long Packet Type (2) = 3,
34 : Unused (4),
35 : Version (32),
36 : DCID Len (8),
37 : Destination Connection ID (0..160),
38 : SCID Len (8),
39 : Source Connection ID (0..160),
40 : Retry Token (..),
41 : } */
42 :
43 6002838 : uchar * cur_ptr = out;
44 :
45 6002838 : cur_ptr[0] = (uchar)orig_dst_conn_id->sz;
46 6002838 : cur_ptr += 1;
47 :
48 6002838 : memcpy( cur_ptr, orig_dst_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz is safe */
49 6002838 : cur_ptr += orig_dst_conn_id->sz;
50 :
51 6002838 : ulong stripped_retry_sz = retry_pkt_sz - FD_QUIC_CRYPTO_TAG_SZ; /* >0 */
52 6002838 : fd_memcpy( cur_ptr, retry_pkt, stripped_retry_sz );
53 6002838 : cur_ptr += stripped_retry_sz;
54 :
55 6002838 : return (ulong)cur_ptr - (ulong)out;
56 6002838 : }
57 :
58 : ulong
59 : fd_quic_retry_create(
60 : uchar retry[FD_QUIC_RETRY_LOCAL_SZ], /* out */
61 : fd_quic_pkt_t const * pkt,
62 : fd_rng_t * rng,
63 : uchar const retry_secret[ FD_QUIC_RETRY_SECRET_SZ ],
64 : uchar const retry_iv[ FD_QUIC_RETRY_IV_SZ ],
65 : fd_quic_conn_id_t const * orig_dst_conn_id,
66 : fd_quic_conn_id_t const * src_conn_id,
67 : ulong new_conn_id,
68 : ulong expire_at
69 3000108 : ) {
70 :
71 3000108 : uchar * out_ptr = retry;
72 3000108 : ulong out_free = FD_QUIC_RETRY_LOCAL_SZ;
73 :
74 : /* Craft a new Retry packet */
75 :
76 3000108 : fd_quic_retry_hdr_t retry_hdr[1] = {{
77 3000108 : .h0 = 0xf0,
78 3000108 : .version = 1,
79 3000108 : .dst_conn_id_len = src_conn_id->sz,
80 : // .dst_conn_id (initialized below)
81 3000108 : .src_conn_id_len = FD_QUIC_CONN_ID_SZ,
82 : // .src_conn_id (initialized below)
83 3000108 : }};
84 3000108 : memcpy( retry_hdr->dst_conn_id, src_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ );
85 3000108 : FD_STORE( ulong, retry_hdr->src_conn_id, new_conn_id );
86 3000108 : ulong rc = fd_quic_encode_retry_hdr( retry, FD_QUIC_RETRY_LOCAL_SZ, retry_hdr );
87 3000108 : assert( rc!=FD_QUIC_PARSE_FAIL );
88 3000108 : if( FD_UNLIKELY( rc==FD_QUIC_PARSE_FAIL ) ) FD_LOG_CRIT(( "fd_quic_encode_retry_hdr failed" ));
89 3000108 : out_ptr += rc;
90 3000108 : out_free -= rc;
91 :
92 : /* Craft a new retry token */
93 :
94 3000108 : fd_quic_retry_token_t * retry_token = fd_type_pun( out_ptr );
95 3000108 : assert( out_free >= sizeof(fd_quic_retry_token_t) );
96 :
97 3000108 : uint src_ip4_addr = FD_LOAD( uint, pkt->ip4->saddr_c ); /* net order */
98 3000108 : ushort src_udp_port = (ushort)fd_ushort_bswap( (ushort)pkt->udp->net_sport );
99 :
100 3000108 : fd_quic_retry_data_new( &retry_token->data, rng );
101 3000108 : fd_quic_retry_data_set_ip4( &retry_token->data, src_ip4_addr );
102 3000108 : retry_token->data.udp_port = (ushort)src_udp_port;
103 3000108 : retry_token->data.expire_comp = expire_at >> FD_QUIC_RETRY_EXPIRE_SHIFT;
104 :
105 3000108 : retry_token->data.rscid = new_conn_id;
106 3000108 : retry_token->data.odcid_sz = orig_dst_conn_id->sz;
107 3000108 : memcpy( retry_token->data.odcid, orig_dst_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
108 :
109 : /* Create the inner integrity tag (non-standard) */
110 :
111 3000108 : fd_aes_gcm_t aes_gcm[1];
112 3000108 : fd_quic_retry_token_sign( retry_token, aes_gcm, retry_secret, retry_iv );
113 3000108 : memset( aes_gcm, 0, sizeof(fd_aes_gcm_t) );
114 :
115 3000108 : out_ptr += sizeof(fd_quic_retry_token_t);
116 3000108 : out_free -= sizeof(fd_quic_retry_token_t);
117 :
118 : # if FD_QUIC_DISABLE_CRYPTO
119 :
120 : memset( out_ptr, 0, FD_QUIC_CRYPTO_TAG_SZ );
121 : out_ptr += FD_QUIC_CRYPTO_TAG_SZ;
122 : out_free -= FD_QUIC_CRYPTO_TAG_SZ;
123 :
124 : # else
125 :
126 : /* Create the outer integrity tag (standard) */
127 :
128 3000108 : ulong retry_unsigned_sz = (ulong)out_ptr - (ulong)retry;
129 :
130 3000108 : uchar retry_pseudo_buf[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ];
131 3000108 : ulong retry_pseudo_sz = fd_quic_retry_pseudo( retry_pseudo_buf, retry, retry_unsigned_sz + FD_QUIC_CRYPTO_TAG_SZ, orig_dst_conn_id );
132 3000108 : if( FD_UNLIKELY( retry_pseudo_sz==FD_QUIC_PARSE_FAIL ) ) FD_LOG_ERR(( "fd_quic_retry_pseudo_hdr failed" ));
133 3000108 : fd_quic_retry_integrity_tag_sign( aes_gcm, retry_pseudo_buf, retry_pseudo_sz, out_ptr );
134 3000108 : out_ptr += FD_QUIC_CRYPTO_TAG_SZ;
135 3000108 : out_free -= FD_QUIC_CRYPTO_TAG_SZ;
136 :
137 3000108 : # endif /* FD_QUIC_DISABLE_CRYPTO */
138 :
139 3000108 : assert( (ulong)out_ptr - (ulong)retry <= FD_QUIC_RETRY_LOCAL_SZ );
140 0 : ulong retry_sz = (ulong)out_ptr - (ulong)retry;
141 3000108 : return retry_sz;
142 3000108 : }
143 :
144 : int
145 : fd_quic_retry_server_verify(
146 : fd_quic_pkt_t const * pkt,
147 : fd_quic_initial_t const * initial,
148 : fd_quic_conn_id_t * orig_dst_conn_id, /* out */
149 : ulong * retry_src_conn_id, /* out */
150 : uchar const retry_secret[ FD_QUIC_RETRY_SECRET_SZ ],
151 : uchar const retry_iv[ FD_QUIC_RETRY_IV_SZ ],
152 : ulong now,
153 : ulong ttl
154 3002091 : ) {
155 :
156 : /* We told the client to retry with a DCID chosen by us, and we
157 : always use conn IDs of the same size */
158 3002091 : if( FD_UNLIKELY( initial->dst_conn_id_len != FD_QUIC_CONN_ID_SZ ) ) {
159 15 : FD_DEBUG( FD_LOG_DEBUG(( "Retry with weird dst conn ID sz, rejecting" )); )
160 15 : return FD_QUIC_FAILED;
161 15 : }
162 :
163 : /* fd_quic always uses retry tokens of the same size */
164 3002076 : if( FD_UNLIKELY( initial->token_len != sizeof(fd_quic_retry_token_t) ) ) {
165 12 : FD_DEBUG( FD_LOG_DEBUG(( "Retry with weird token sz, rejecting" )); )
166 12 : return FD_QUIC_FAILED;
167 12 : }
168 :
169 3002064 : fd_quic_retry_token_t const * retry_token = fd_type_pun_const( initial->token );
170 3002064 : if( FD_UNLIKELY( retry_token->data.odcid_sz > FD_QUIC_MAX_CONN_ID_SZ ) ) {
171 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry token with invalid ODCID or RSCID, rejecting" )); )
172 0 : return FD_QUIC_FAILED;
173 0 : }
174 :
175 3002064 : fd_aes_gcm_t aes_gcm[1];
176 3002064 : int vfy_res = fd_quic_retry_token_verify( retry_token, aes_gcm, retry_secret, retry_iv );
177 3002064 : memset( aes_gcm, 0, sizeof(fd_aes_gcm_t) );
178 :
179 3002064 : uint pkt_ip4 = FD_LOAD( uint, pkt->ip4->saddr_c );
180 3002064 : uint retry_ip4 = FD_LOAD( uint, retry_token->data.ip6_addr + 12 );
181 3002064 : int is_ip4 = 0==memcmp( retry_token->data.ip6_addr, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff", 12 );
182 3002064 : uint pkt_port = fd_ushort_bswap( (ushort)pkt->udp->net_sport );
183 3002064 : uint retry_port = retry_token->data.udp_port;
184 3002064 : ulong expire_at = retry_token->data.expire_comp << FD_QUIC_RETRY_EXPIRE_SHIFT;
185 3002064 : ulong expire_before = now + ttl;
186 :
187 3002064 : int is_match =
188 3002064 : vfy_res == FD_QUIC_SUCCESS &&
189 3002064 : is_ip4 &&
190 3002064 : pkt_ip4 == retry_ip4 &&
191 3002064 : pkt_port == retry_port &&
192 3002064 : now < expire_at &&
193 3002064 : expire_at < expire_before; /* token was issued in the future */
194 :
195 3002064 : FD_DEBUG(
196 3002064 : if( vfy_res!=FD_QUIC_SUCCESS ) FD_LOG_DEBUG(( "Invalid Retry Token" ));
197 3002064 : else if( now >= expire_at ) FD_LOG_DEBUG(( "Expired Retry Token" ));
198 3002064 : else if( expire_at >= expire_before ) FD_LOG_WARNING(( "Retry Token issued in the future" ));
199 3002064 : else if( !is_match ) FD_LOG_DEBUG(( "Foreign Retry Token" ));
200 3002064 : )
201 :
202 3002064 : orig_dst_conn_id->sz = (uchar)retry_token->data.odcid_sz;
203 3002064 : memcpy( orig_dst_conn_id->conn_id, retry_token->data.odcid, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
204 3002064 : *retry_src_conn_id = retry_token->data.rscid;
205 :
206 3002064 : return is_match ? FD_QUIC_SUCCESS : FD_QUIC_FAILED;
207 3002064 : }
208 :
209 : int
210 : fd_quic_retry_client_verify( uchar const * const retry_ptr,
211 : ulong const retry_sz,
212 : fd_quic_conn_id_t const * orig_dst_conn_id,
213 : fd_quic_conn_id_t * src_conn_id, /* out */
214 : uchar const ** token,
215 3002766 : ulong * token_sz ) {
216 :
217 3002766 : uchar const * cur_ptr = retry_ptr;
218 3002766 : ulong cur_sz = retry_sz;
219 :
220 : /* Consume retry header */
221 :
222 3002766 : fd_quic_retry_hdr_t retry_hdr[1] = {{0}};
223 3002766 : ulong decode_rc = fd_quic_decode_retry_hdr( retry_hdr, cur_ptr, cur_sz );
224 3002766 : if( FD_UNLIKELY( decode_rc == FD_QUIC_PARSE_FAIL ) ) {
225 24 : FD_DEBUG( FD_LOG_DEBUG(( "fd_quic_decode_retry failed" )); )
226 24 : return FD_QUIC_FAILED;
227 24 : }
228 3002742 : cur_ptr += decode_rc;
229 3002742 : cur_sz -= decode_rc;
230 :
231 3002742 : if( FD_UNLIKELY( retry_hdr->src_conn_id_len == 0 ) ) {
232 : /* something is horribly broken or some attack - ignore packet */
233 15 : FD_DEBUG( FD_LOG_DEBUG(( "Missing source conn ID" )); )
234 15 : return FD_QUIC_FAILED;
235 15 : }
236 :
237 : /* Consume retry token
238 : > A client MUST discard a Retry packet with a zero-length Retry Token field. */
239 :
240 3002727 : if( FD_UNLIKELY( cur_sz <= FD_QUIC_CRYPTO_TAG_SZ ) ) {
241 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry packet is too small" )); )
242 0 : return FD_QUIC_FAILED;
243 0 : }
244 3002727 : uchar const * retry_token = cur_ptr;
245 3002727 : ulong retry_token_sz = cur_sz - FD_QUIC_CRYPTO_TAG_SZ;
246 3002727 : if( FD_UNLIKELY( retry_token_sz > FD_QUIC_RETRY_MAX_TOKEN_SZ ) ) {
247 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry token is too long (%lu bytes)", retry_token_sz )); )
248 0 : return FD_QUIC_FAILED;
249 0 : }
250 :
251 3002727 : cur_ptr += retry_token_sz;
252 3002727 : cur_sz -= retry_token_sz;
253 :
254 : /* Consume retry integrity tag */
255 :
256 3002727 : uchar const * retry_tag = cur_ptr;
257 3002727 : assert( cur_sz==FD_QUIC_CRYPTO_TAG_SZ );
258 3002727 : cur_ptr += FD_QUIC_CRYPTO_TAG_SZ;
259 3002727 : cur_sz -= FD_QUIC_CRYPTO_TAG_SZ;
260 :
261 : /* Construct Retry Pseudo Header required to validate Retry Integrity
262 : Tag. TODO This could be made more efficient using streaming
263 : AES-GCM. */
264 :
265 3002727 : uchar retry_pseudo_buf[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ];
266 3002727 : ulong retry_pseudo_sz = fd_quic_retry_pseudo( retry_pseudo_buf, retry_ptr, retry_sz, orig_dst_conn_id );
267 3002727 : if( FD_UNLIKELY( retry_pseudo_sz==FD_QUIC_PARSE_FAIL ) ) FD_LOG_ERR(( "fd_quic_retry_pseudo_hdr failed" ));
268 :
269 : # if FD_QUIC_DISABLE_CRYPTO
270 :
271 : (void)retry_tag; /* skip verification */
272 :
273 : # else
274 :
275 : /* Validate the retry integrity tag
276 :
277 : Retry packets (see Section 17.2.5 of [QUIC-TRANSPORT]) carry a Retry Integrity Tag that
278 : provides two properties: it allows the discarding of packets that have accidentally been
279 : corrupted by the network, and only an entity that observes an Initial packet can send a valid
280 : Retry packet.*/
281 3002727 : fd_aes_gcm_t aes_gcm[1];
282 3002727 : int rc = fd_quic_retry_integrity_tag_verify( aes_gcm, retry_pseudo_buf, retry_pseudo_sz, retry_tag );
283 3002727 : if( FD_UNLIKELY( rc == FD_QUIC_FAILED ) ) {
284 : /* Clients MUST discard Retry packets that have a Retry Integrity Tag that
285 : cannot be validated */
286 2721 : FD_DEBUG( FD_LOG_DEBUG(( "Invalid retry integrity tag" )); )
287 2721 : return FD_QUIC_FAILED;
288 2721 : }
289 :
290 3000006 : # endif
291 :
292 : /* Set out params */
293 :
294 3000006 : src_conn_id[0].sz = retry_hdr->src_conn_id_len;
295 3000006 : memcpy( src_conn_id[0].conn_id, retry_hdr->src_conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
296 :
297 3000006 : *token = retry_token;
298 3000006 : *token_sz = retry_token_sz;
299 :
300 3000006 : return FD_QUIC_SUCCESS;
301 3002727 : }
|
