noq_proto/crypto/
ring_like.rs1#[cfg(all(feature = "aws-lc-rs", not(feature = "ring")))]
2use aws_lc_rs::{aead, hkdf, hmac};
3#[cfg(feature = "ring")]
4use ring::{aead, hkdf, hmac};
5
6use crate::crypto::{self, CryptoError};
7
/// Adapts the backend `hmac::Key` (from `ring` or `aws-lc-rs`, chosen by
/// cargo feature) to the crate's `HmacKey` trait.
impl crypto::HmacKey for hmac::Key {
    /// Computes the HMAC tag of `data` and writes it into `out`.
    ///
    /// # Panics
    ///
    /// `copy_from_slice` panics unless `out.len()` equals the tag length,
    /// so callers must size `out` with `signature_len()`.
    fn sign(&self, data: &[u8], out: &mut [u8]) {
        let tag = hmac::sign(self, data);
        out.copy_from_slice(tag.as_ref());
    }

    /// Returns the tag length in bytes.
    ///
    /// NOTE(review): the value is hard-coded rather than read from the key's
    /// algorithm. 32 bytes matches an HMAC built on a 256-bit digest; a key
    /// created with a different digest would make `sign` panic on the length
    /// mismatch. Confirm every `hmac::Key` reaching this impl uses such a
    /// digest.
    fn signature_len(&self) -> usize {
        const TAG_LEN: usize = 32;
        TAG_LEN
    }

    /// Checks `signature` against the HMAC of `data`.
    ///
    /// The comparison is delegated to the backend's `hmac::verify` instead of
    /// comparing tag bytes here. Every failure is collapsed into the opaque
    /// `CryptoError`, so the caller learns only that verification failed.
    fn verify(&self, data: &[u8], signature: &[u8]) -> Result<(), CryptoError> {
        match hmac::verify(self, data, signature) {
            Ok(()) => Ok(()),
            Err(_) => Err(CryptoError),
        }
    }
}
21
/// Master secret from which a fresh AEAD key is derived for every token.
///
/// Wraps an HKDF pseudo-random key (`hkdf::Prk`). The raw secret is never
/// used for encryption directly; see `derive_aead`.
pub(crate) struct RetryTokenKey(hkdf::Prk);

impl RetryTokenKey {
    /// Creates a master key from 64 bytes drawn from `rng`.
    ///
    /// The bytes go through HKDF-Extract (SHA-256, empty salt) to form the
    /// PRK. All secrecy of issued tokens rests on `rng`.
    ///
    /// NOTE(review): the `rand::Rng` bound does not require a cryptographic
    /// generator; confirm callers pass a CSPRNG. The 64-byte seed buffer is
    /// not wiped before it goes out of scope.
    pub(crate) fn new(rng: &mut impl rand::Rng) -> Self {
        let mut seed = [0u8; 64];
        rng.fill_bytes(&mut seed);
        let extractor = hkdf::Salt::new(hkdf::HKDF_SHA256, &[]);
        Self(extractor.extract(&seed))
    }

    /// Derives the AES-256-GCM key bound to `token_nonce`.
    ///
    /// The little-endian bytes of `token_nonce` are the HKDF-Expand `info`,
    /// so each distinct `token_nonce` yields its own key under this PRK.
    ///
    /// # Panics
    ///
    /// The `unwrap`s guard length invariants fixed at compile time: 32 bytes
    /// are requested from HKDF, written to a 32-byte buffer, and used as an
    /// AES-256 key. They are not expected to fire on any input.
    fn derive_aead(&self, token_nonce: u128) -> aead::LessSafeKey {
        let nonce_le = token_nonce.to_le_bytes();
        // Kept in a named binding because the OKM borrows `info` until `fill` runs.
        let info = [&nonce_le[..]];
        let okm = self.0.expand(&info, hkdf::HKDF_SHA256).unwrap();

        // NOTE(review): the derived key bytes stay in this stack buffer and
        // are not zeroed after use; consider wiping if a zeroizing helper is
        // available in the crate.
        let mut aes_key = [0u8; 32];
        okm.fill(&mut aes_key).unwrap();

        let unbound = aead::UnboundKey::new(&aead::AES_256_GCM, &aes_key).unwrap();
        aead::LessSafeKey::new(unbound)
    }
}
55
/// Token sealing and opening with a per-token AES-256-GCM key.
///
/// Both directions use an all-zero 12-byte GCM nonce. That is sound only
/// because the key itself is derived from `token_nonce`: each (key, nonce)
/// pair is used once as long as `token_nonce` is never repeated for a
/// different plaintext under the same `RetryTokenKey`. Repeating it would
/// reuse a GCM key/nonce pair, which breaks both confidentiality and
/// integrity. Callers are expected to pick a fresh random `token_nonce`
/// for every `seal`.
///
/// No associated data is authenticated, so anything the token must be bound
/// to (peer address, expiry, ...) has to live inside the sealed payload.
impl crypto::HandshakeTokenKey for RetryTokenKey {
    /// Encrypts `data` in place and appends the authentication tag.
    ///
    /// Returns the opaque `CryptoError` if the backend refuses to seal.
    fn seal(&self, token_nonce: u128, data: &mut Vec<u8>) -> Result<(), CryptoError> {
        let token_key = self.derive_aead(token_nonce);
        // Fixed nonce: uniqueness comes from the per-token key, not from here.
        let zero_nonce = aead::Nonce::assume_unique_for_key([0u8; 12]);
        token_key
            .seal_in_place_append_tag(zero_nonce, aead::Aad::empty(), data)
            .map_err(|_| CryptoError)
    }

    /// Authenticates and decrypts `data` in place, returning the plaintext
    /// as a slice borrowed from `data`.
    ///
    /// A wrong `token_nonce`, a tampered ciphertext, or a truncated buffer
    /// all surface as the same `CryptoError`; the cause is not exposed.
    fn open<'a>(&self, token_nonce: u128, data: &'a mut [u8]) -> Result<&'a [u8], CryptoError> {
        let token_key = self.derive_aead(token_nonce);
        let no_aad = aead::Aad::empty();
        let zero_nonce = aead::Nonce::assume_unique_for_key([0u8; 12]);
        let plaintext = token_key
            .open_in_place(zero_nonce, no_aad, data)
            .map_err(|_| CryptoError)?;
        Ok(plaintext)
    }
}