github.com/metacubex/quic-go@v0.44.1-0.20240520163451-20b689a59136/internal/handshake/initial_aead.go (about) 1 package handshake 2 3 import ( 4 "crypto" 5 "crypto/tls" 6 7 "golang.org/x/crypto/hkdf" 8 9 "github.com/metacubex/quic-go/internal/protocol" 10 ) 11 12 var ( 13 quicSaltV1 = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a} 14 quicSaltV2 = []byte{0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9} 15 ) 16 17 const ( 18 hkdfLabelKeyV1 = "quic key" 19 hkdfLabelKeyV2 = "quicv2 key" 20 hkdfLabelIVV1 = "quic iv" 21 hkdfLabelIVV2 = "quicv2 iv" 22 ) 23 24 func getSalt(v protocol.Version) []byte { 25 if v == protocol.Version2 { 26 return quicSaltV2 27 } 28 return quicSaltV1 29 } 30 31 var initialSuite = getCipherSuite(tls.TLS_AES_128_GCM_SHA256) 32 33 // NewInitialAEAD creates a new AEAD for Initial encryption / decryption. 34 func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v protocol.Version) (LongHeaderSealer, LongHeaderOpener) { 35 clientSecret, serverSecret := computeSecrets(connID, v) 36 var mySecret, otherSecret []byte 37 if pers == protocol.PerspectiveClient { 38 mySecret = clientSecret 39 otherSecret = serverSecret 40 } else { 41 mySecret = serverSecret 42 otherSecret = clientSecret 43 } 44 myKey, myIV := computeInitialKeyAndIV(mySecret, v) 45 otherKey, otherIV := computeInitialKeyAndIV(otherSecret, v) 46 47 encrypter := initialSuite.AEAD(myKey, myIV) 48 decrypter := initialSuite.AEAD(otherKey, otherIV) 49 50 return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true, v)), 51 newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true, hkdfHeaderProtectionLabel(v))) 52 } 53 54 func computeSecrets(connID protocol.ConnectionID, v protocol.Version) (clientSecret, serverSecret []byte) { 55 initialSecret := hkdf.Extract(crypto.SHA256.New, connID.Bytes(), getSalt(v)) 56 clientSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size()) 57 serverSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size()) 58 return 59 } 60 61 func computeInitialKeyAndIV(secret []byte, v protocol.Version) (key, iv []byte) { 62 keyLabel := hkdfLabelKeyV1 63 ivLabel := hkdfLabelIVV1 64 if v == protocol.Version2 { 65 keyLabel = hkdfLabelKeyV2 66 ivLabel = hkdfLabelIVV2 67 } 68 key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, keyLabel, 16) 69 iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, ivLabel, 12) 70 return 71 }