github.com/metacubex/quic-go@v0.44.1-0.20240520163451-20b689a59136/internal/handshake/initial_aead.go (about)

     1  package handshake
     2  
     3  import (
     4  	"crypto"
     5  	"crypto/tls"
     6  
     7  	"golang.org/x/crypto/hkdf"
     8  
     9  	"github.com/metacubex/quic-go/internal/protocol"
    10  )
    11  
    12  var (
    13  	quicSaltV1 = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
    14  	quicSaltV2 = []byte{0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9}
    15  )
    16  
    17  const (
    18  	hkdfLabelKeyV1 = "quic key"
    19  	hkdfLabelKeyV2 = "quicv2 key"
    20  	hkdfLabelIVV1  = "quic iv"
    21  	hkdfLabelIVV2  = "quicv2 iv"
    22  )
    23  
    24  func getSalt(v protocol.Version) []byte {
    25  	if v == protocol.Version2 {
    26  		return quicSaltV2
    27  	}
    28  	return quicSaltV1
    29  }
    30  
    31  var initialSuite = getCipherSuite(tls.TLS_AES_128_GCM_SHA256)
    32  
    33  // NewInitialAEAD creates a new AEAD for Initial encryption / decryption.
    34  func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v protocol.Version) (LongHeaderSealer, LongHeaderOpener) {
    35  	clientSecret, serverSecret := computeSecrets(connID, v)
    36  	var mySecret, otherSecret []byte
    37  	if pers == protocol.PerspectiveClient {
    38  		mySecret = clientSecret
    39  		otherSecret = serverSecret
    40  	} else {
    41  		mySecret = serverSecret
    42  		otherSecret = clientSecret
    43  	}
    44  	myKey, myIV := computeInitialKeyAndIV(mySecret, v)
    45  	otherKey, otherIV := computeInitialKeyAndIV(otherSecret, v)
    46  
    47  	encrypter := initialSuite.AEAD(myKey, myIV)
    48  	decrypter := initialSuite.AEAD(otherKey, otherIV)
    49  
    50  	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true, v)),
    51  		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true, hkdfHeaderProtectionLabel(v)))
    52  }
    53  
    54  func computeSecrets(connID protocol.ConnectionID, v protocol.Version) (clientSecret, serverSecret []byte) {
    55  	initialSecret := hkdf.Extract(crypto.SHA256.New, connID.Bytes(), getSalt(v))
    56  	clientSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
    57  	serverSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size())
    58  	return
    59  }
    60  
    61  func computeInitialKeyAndIV(secret []byte, v protocol.Version) (key, iv []byte) {
    62  	keyLabel := hkdfLabelKeyV1
    63  	ivLabel := hkdfLabelIVV1
    64  	if v == protocol.Version2 {
    65  		keyLabel = hkdfLabelKeyV2
    66  		ivLabel = hkdfLabelIVV2
    67  	}
    68  	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, keyLabel, 16)
    69  	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, ivLabel, 12)
    70  	return
    71  }