github.com/sagernet/sing-box@v1.9.0-rc.20/common/sniff/internal/qtls/qtls.go (about) 1 package qtls 2 3 import ( 4 "crypto" 5 "crypto/aes" 6 "crypto/cipher" 7 "encoding/binary" 8 "io" 9 10 "golang.org/x/crypto/hkdf" 11 ) 12 13 const ( 14 VersionDraft29 = 0xff00001d 15 Version1 = 0x1 16 Version2 = 0x6b3343cf 17 ) 18 19 var ( 20 SaltOld = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99} 21 SaltV1 = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a} 22 SaltV2 = []byte{0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9} 23 ) 24 25 const ( 26 HKDFLabelKeyV1 = "quic key" 27 HKDFLabelKeyV2 = "quicv2 key" 28 HKDFLabelIVV1 = "quic iv" 29 HKDFLabelIVV2 = "quicv2 iv" 30 HKDFLabelHeaderProtectionV1 = "quic hp" 31 HKDFLabelHeaderProtectionV2 = "quicv2 hp" 32 ) 33 34 func AEADAESGCMTLS13(key, nonceMask []byte) cipher.AEAD { 35 if len(nonceMask) != 12 { 36 panic("tls: internal error: wrong nonce length") 37 } 38 aes, err := aes.NewCipher(key) 39 if err != nil { 40 panic(err) 41 } 42 aead, err := cipher.NewGCM(aes) 43 if err != nil { 44 panic(err) 45 } 46 47 ret := &xorNonceAEAD{aead: aead} 48 copy(ret.nonceMask[:], nonceMask) 49 return ret 50 } 51 52 type xorNonceAEAD struct { 53 nonceMask [12]byte 54 aead cipher.AEAD 55 } 56 57 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 58 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 59 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 60 61 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 62 for i, b := range nonce { 63 f.nonceMask[4+i] ^= b 64 } 65 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 66 for i, b := range nonce { 67 f.nonceMask[4+i] ^= b 68 } 69 70 return result 71 } 72 73 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 74 for i, b := range nonce { 75 f.nonceMask[4+i] ^= b 76 } 77 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 78 for i, b := range nonce { 79 f.nonceMask[4+i] ^= b 80 } 81 82 return result, err 83 } 84 85 func HKDFExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte { 86 b := make([]byte, 3, 3+6+len(label)+1+len(context)) 87 binary.BigEndian.PutUint16(b, uint16(length)) 88 b[2] = uint8(6 + len(label)) 89 b = append(b, []byte("tls13 ")...) 90 b = append(b, []byte(label)...) 91 b = b[:3+6+len(label)+1] 92 b[3+6+len(label)] = uint8(len(context)) 93 b = append(b, context...) 94 out := make([]byte, length) 95 n, err := hkdf.Expand(hash.New, secret, b).Read(out) 96 if err != nil || n != length { 97 panic("quic: HKDF-Expand-Label invocation failed unexpectedly") 98 } 99 return out 100 } 101 102 func ReadUvarint(r io.ByteReader) (uint64, error) { 103 firstByte, err := r.ReadByte() 104 if err != nil { 105 return 0, err 106 } 107 // the first two bits of the first byte encode the length 108 len := 1 << ((firstByte & 0xc0) >> 6) 109 b1 := firstByte & (0xff - 0xc0) 110 if len == 1 { 111 return uint64(b1), nil 112 } 113 b2, err := r.ReadByte() 114 if err != nil { 115 return 0, err 116 } 117 if len == 2 { 118 return uint64(b2) + uint64(b1)<<8, nil 119 } 120 b3, err := r.ReadByte() 121 if err != nil { 122 return 0, err 123 } 124 b4, err := r.ReadByte() 125 if err != nil { 126 return 0, err 127 } 128 if len == 4 { 129 return uint64(b4) + uint64(b3)<<8 + uint64(b2)<<16 + uint64(b1)<<24, nil 130 } 131 b5, err := r.ReadByte() 132 if err != nil { 133 return 0, err 134 } 135 b6, err := r.ReadByte() 136 if err != nil { 137 return 0, err 138 } 139 b7, err := r.ReadByte() 140 if err != nil { 141 return 0, err 142 } 143 b8, err := r.ReadByte() 144 if err != nil { 145 return 0, err 146 } 147 return uint64(b8) + uint64(b7)<<8 + uint64(b6)<<16 + uint64(b5)<<24 + uint64(b4)<<32 + uint64(b3)<<40 + uint64(b2)<<48 + uint64(b1)<<56, nil 148 }