add support for ChaCha20 header protection

2025-04-05 05:07:36 +03:00 · 2019-09-07 11:06:30 +07:00 · 2019-09-07 11:06:30 +07:00 · fa89ec345a
commit fa89ec345a
parent 33b74fca79
6 changed files with 398 additions and 285 deletions
--- a/go.mod
+++ b/go.mod
@ -3,9 +3,11 @@ module github.com/lucas-clemente/quic-go
 go 1.13
 require (
 	github.com/alangpierce/go-forceexport v0.0.0-20160317203124-8f1d6941cd75
 	github.com/cheekybits/genny v1.0.0
 	github.com/golang/mock v1.2.0
 	github.com/golang/protobuf v1.3.0
 	github.com/marten-seemann/chacha20 v0.2.0
 	github.com/marten-seemann/qpack v0.1.0
 	github.com/marten-seemann/qtls v0.4.0
 	github.com/onsi/ginkgo v1.7.0
--- a/go.sum
+++ b/go.sum
@ -1,3 +1,5 @@
 github.com/alangpierce/go-forceexport v0.0.0-20160317203124-8f1d6941cd75 h1:3ILjVyslFbc4jl1w5TWuvvslFD/nDfR2H8tVaMVLrEY=
 github.com/alangpierce/go-forceexport v0.0.0-20160317203124-8f1d6941cd75/go.mod h1:uAXEEpARkRhCZfEvy/y0Jcc888f9tHCc1W7/UeEtreE=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
 github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
@ -9,6 +11,8 @@ github.com/golang/protobuf v1.3.0 h1:kbxbvI4Un1LUWKxufD+BiE6AEExYYgkQLQmLFqA1LFk
 github.com/golang/protobuf v1.3.0/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/marten-seemann/chacha20 v0.2.0 h1:f40vqzzx+3GdOmzQoItkLX5WLvHgPgyYqFFIO5Gh4hQ=
 github.com/marten-seemann/chacha20 v0.2.0/go.mod h1:HSdjFau7GzYRj+ahFNwsO3ouVJr1HFkWoEwNDb4TMtE=
 github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg=
 github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI=
 github.com/marten-seemann/qtls v0.4.0 h1:HM9ftULNeuhGiCliIfPKvp5VDJw6pvi/Ghq6PYf7B0E=
--- a/internal/handshake/aead_test.go
+++ b/internal/handshake/aead_test.go
@ -4,12 +4,19 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
 	"fmt"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
 var _ = Describe("AEAD", func() {
 	for i := range cipherSuites {
 		cs := cipherSuites[i]
 		Context(fmt.Sprintf("using %s", cs.name), func() {
 			suite := cs.suite
 			getSealerAndOpener := func() (LongHeaderSealer, LongHeaderOpener) {
 				key := make([]byte, 16)
 				hpKey := make([]byte, 16)
@ -20,8 +27,8 @@ var _ = Describe("AEAD", func() {
 				aead, err := cipher.NewGCM(block)
 				Expect(err).ToNot(HaveOccurred())
-		return newLongHeaderSealer(aead, newHeaderProtector(aesSuite, key, true)),
+				return newLongHeaderSealer(aead, newHeaderProtector(suite, key, true)),
-			newLongHeaderOpener(aead, newAESHeaderProtector(aesSuite, key, true))
+					newLongHeaderOpener(aead, newHeaderProtector(suite, key, true))
 			}
 			Context("message encryption", func() {
@ -84,3 +91,5 @@ var _ = Describe("AEAD", func() {
 				})
 			})
 		})
 	}
 })
--- a/internal/handshake/handshake_suite_test.go
+++ b/internal/handshake/handshake_suite_test.go
@ -2,7 +2,9 @@ package handshake
 import (
 	"crypto"
 	"crypto/cipher"
 	"github.com/alangpierce/go-forceexport"
 	"github.com/golang/mock/gomock"
 	"github.com/marten-seemann/qtls"
@ -27,9 +29,48 @@ var _ = AfterEach(func() {
 	mockCtrl.Finish()
 })
-var aesSuite = &qtls.CipherSuiteTLS13{
+var aeadChaCha20Poly1305 func(key, nonceMask []byte) cipher.AEAD
 var cipherSuites = []struct {
 	name  string
 	suite *qtls.CipherSuiteTLS13
 }{
 	{
 		name: "TLS_AES_128_GCM_SHA256",
 		suite: &qtls.CipherSuiteTLS13{
 			ID:     qtls.TLS_AES_128_GCM_SHA256,
 			KeyLen: 16,
 			AEAD:   qtls.AEADAESGCMTLS13,
 			Hash:   crypto.SHA256,
 		},
 	},
 	{
 		name: "TLS_AES_256_GCM_SHA384",
 		suite: &qtls.CipherSuiteTLS13{
 			ID:     qtls.TLS_AES_256_GCM_SHA384,
 			KeyLen: 32,
 			AEAD:   qtls.AEADAESGCMTLS13,
 			Hash:   crypto.SHA384,
 		},
 	},
 	{
 		name: "TLS_CHACHA20_POLY1305_SHA256",
 		suite: &qtls.CipherSuiteTLS13{
 			ID:     qtls.TLS_CHACHA20_POLY1305_SHA256,
 			KeyLen: 32,
 			AEAD:   nil, // will be set by init
 			Hash:   crypto.SHA256,
 		},
 	},
 }
 func init() {
 	if err := forceexport.GetFunc(&aeadChaCha20Poly1305, "github.com/marten-seemann/qtls.aeadChaCha20Poly1305"); err != nil {
 		panic(err)
 	}
 	for _, s := range cipherSuites {
 		if s.suite.ID == qtls.TLS_CHACHA20_POLY1305_SHA256 {
 			s.suite.AEAD = aeadChaCha20Poly1305
 		}
 	}
 }
--- a/internal/handshake/header_protector.go
+++ b/internal/handshake/header_protector.go
@ -5,6 +5,7 @@ import (
 	"crypto/cipher"
 	"fmt"
 	"github.com/marten-seemann/chacha20"
 	"github.com/marten-seemann/qtls"
 )
@ -18,8 +19,7 @@ func newHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLo
 	case qtls.TLS_AES_128_GCM_SHA256, qtls.TLS_AES_256_GCM_SHA384:
 		return newAESHeaderProtector(suite, trafficSecret, isLongHeader)
 	case qtls.TLS_CHACHA20_POLY1305_SHA256:
-		// TODO: implement ChaCha header protection
+		return newChaChaHeaderProtector(suite, trafficSecret, isLongHeader)
 		fallthrough
 	default:
 		panic(fmt.Sprintf("Invalid cipher suite id: %d", suite.ID))
 	}
@ -69,3 +69,51 @@ func (p *aesHeaderProtector) apply(sample []byte, firstByte *byte, hdrBytes []by
 		hdrBytes[i] ^= p.mask[i+1]
 	}
 }
 type chachaHeaderProtector struct {
 	mask [5]byte
 	key          [32]byte
 	sampleBuf    [16]byte
 	isLongHeader bool
 }
 var _ headerProtector = &chachaHeaderProtector{}
 func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte, isLongHeader bool) headerProtector {
 	hpKey := qtls.HkdfExpandLabel(suite.Hash, trafficSecret, []byte{}, "quic hp", suite.KeyLen)
 	p := &chachaHeaderProtector{
 		isLongHeader: isLongHeader,
 	}
 	copy(p.key[:], hpKey)
 	return p
 }
 func (p *chachaHeaderProtector) DecryptHeader(sample []byte, firstByte *byte, hdrBytes []byte) {
 	p.apply(sample, firstByte, hdrBytes)
 }
 func (p *chachaHeaderProtector) EncryptHeader(sample []byte, firstByte *byte, hdrBytes []byte) {
 	p.apply(sample, firstByte, hdrBytes)
 }
 func (p *chachaHeaderProtector) apply(sample []byte, firstByte *byte, hdrBytes []byte) {
 	if len(sample) < len(p.mask) {
 		panic("invalid sample size")
 	}
 	for i := 0; i < 5; i++ {
 		p.mask[i] = 0
 	}
 	copy(p.sampleBuf[:], sample)
 	chacha20.XORKeyStream(p.mask[:], p.mask[:], &p.sampleBuf, &p.key)
 	if p.isLongHeader {
 		*firstByte ^= p.mask[0] & 0xf
 	} else {
 		*firstByte ^= p.mask[0] & 0x1f
 	}
 	for i := range hdrBytes {
 		hdrBytes[i] ^= p.mask[i+1]
 	}
 }
--- a/internal/handshake/updatable_aead_test.go
+++ b/internal/handshake/updatable_aead_test.go
@ -2,6 +2,7 @@ package handshake
 import (
 	"crypto/rand"
 	"fmt"
 	"os"
 	"time"
@ -13,6 +14,12 @@ import (
 )
 var _ = Describe("Updatable AEAD", func() {
 	for i := range cipherSuites {
 		cs := cipherSuites[i]
 		Context(fmt.Sprintf("using %s", cs.name), func() {
 			suite := cs.suite
 			getPeers := func(rttStats *congestion.RTTStats) (client, server *updatableAEAD) {
 				trafficSecret1 := make([]byte, 16)
 				trafficSecret2 := make([]byte, 16)
@ -21,10 +28,10 @@ var _ = Describe("Updatable AEAD", func() {
 				client = newUpdatableAEAD(rttStats, utils.DefaultLogger)
 				server = newUpdatableAEAD(rttStats, utils.DefaultLogger)
-		client.SetReadKey(aesSuite, trafficSecret2)
+				client.SetReadKey(suite, trafficSecret2)
-		client.SetWriteKey(aesSuite, trafficSecret1)
+				client.SetWriteKey(suite, trafficSecret1)
-		server.SetReadKey(aesSuite, trafficSecret1)
+				server.SetReadKey(suite, trafficSecret1)
-		server.SetWriteKey(aesSuite, trafficSecret2)
+				server.SetWriteKey(suite, trafficSecret2)
 				return
 			}
@ -246,3 +253,5 @@ var _ = Describe("Updatable AEAD", func() {
 				})
 			})
 		})
 	}
 })