github.com/sagernet/quic-go@v0.43.1-beta.1/internal/handshake/initial_aead.go (about)

     1  package handshake
     2  
     3  import (
     4  	"crypto"
     5  	"crypto/tls"
     6  
     7  	"github.com/sagernet/quic-go/internal/protocol"
     8  	"golang.org/x/crypto/hkdf"
     9  )
    10  
    11  var (
    12  	quicSaltV1 = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
    13  	quicSaltV2 = []byte{0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9}
    14  )
    15  
    16  const (
    17  	hkdfLabelKeyV1 = "quic key"
    18  	hkdfLabelKeyV2 = "quicv2 key"
    19  	hkdfLabelIVV1  = "quic iv"
    20  	hkdfLabelIVV2  = "quicv2 iv"
    21  )
    22  
    23  func getSalt(v protocol.Version) []byte {
    24  	if v == protocol.Version2 {
    25  		return quicSaltV2
    26  	}
    27  	return quicSaltV1
    28  }
    29  
    30  var initialSuite = getCipherSuite(tls.TLS_AES_128_GCM_SHA256)
    31  
    32  // NewInitialAEAD creates a new AEAD for Initial encryption / decryption.
    33  func NewInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective, v protocol.Version) (LongHeaderSealer, LongHeaderOpener) {
    34  	clientSecret, serverSecret := computeSecrets(connID, v)
    35  	var mySecret, otherSecret []byte
    36  	if pers == protocol.PerspectiveClient {
    37  		mySecret = clientSecret
    38  		otherSecret = serverSecret
    39  	} else {
    40  		mySecret = serverSecret
    41  		otherSecret = clientSecret
    42  	}
    43  	myKey, myIV := computeInitialKeyAndIV(mySecret, v)
    44  	otherKey, otherIV := computeInitialKeyAndIV(otherSecret, v)
    45  
    46  	encrypter := initialSuite.AEAD(myKey, myIV)
    47  	decrypter := initialSuite.AEAD(otherKey, otherIV)
    48  
    49  	return newLongHeaderSealer(encrypter, newHeaderProtector(initialSuite, mySecret, true, v)),
    50  		newLongHeaderOpener(decrypter, newAESHeaderProtector(initialSuite, otherSecret, true, hkdfHeaderProtectionLabel(v)))
    51  }
    52  
    53  func computeSecrets(connID protocol.ConnectionID, v protocol.Version) (clientSecret, serverSecret []byte) {
    54  	initialSecret := hkdf.Extract(crypto.SHA256.New, connID.Bytes(), getSalt(v))
    55  	clientSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
    56  	serverSecret = hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size())
    57  	return
    58  }
    59  
    60  func computeInitialKeyAndIV(secret []byte, v protocol.Version) (key, iv []byte) {
    61  	keyLabel := hkdfLabelKeyV1
    62  	ivLabel := hkdfLabelIVV1
    63  	if v == protocol.Version2 {
    64  		keyLabel = hkdfLabelKeyV2
    65  		ivLabel = hkdfLabelIVV2
    66  	}
    67  	key = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, keyLabel, 16)
    68  	iv = hkdfExpandLabel(crypto.SHA256, secret, []byte{}, ivLabel, 12)
    69  	return
    70  }