xref: /aosp_15_r20/external/cronet/net/third_party/quiche/src/quiche/quic/core/crypto/channel_id.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "quiche/quic/core/crypto/channel_id.h"
6 
7 #include <cstdint>
8 
9 #include "absl/strings/string_view.h"
10 #include "openssl/bn.h"
11 #include "openssl/ec.h"
12 #include "openssl/ecdsa.h"
13 #include "openssl/nid.h"
14 #include "openssl/sha.h"
15 
16 namespace quic {
17 
18 // static
19 const char ChannelIDVerifier::kContextStr[] = "QUIC ChannelID";
20 // static
21 const char ChannelIDVerifier::kClientToServerStr[] = "client -> server";
22 
23 // static
Verify(absl::string_view key,absl::string_view signed_data,absl::string_view signature)24 bool ChannelIDVerifier::Verify(absl::string_view key,
25                                absl::string_view signed_data,
26                                absl::string_view signature) {
27   return VerifyRaw(key, signed_data, signature, true);
28 }
29 
30 // static
VerifyRaw(absl::string_view key,absl::string_view signed_data,absl::string_view signature,bool is_channel_id_signature)31 bool ChannelIDVerifier::VerifyRaw(absl::string_view key,
32                                   absl::string_view signed_data,
33                                   absl::string_view signature,
34                                   bool is_channel_id_signature) {
35   if (key.size() != 32 * 2 || signature.size() != 32 * 2) {
36     return false;
37   }
38 
39   bssl::UniquePtr<EC_GROUP> p256(
40       EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
41   if (p256.get() == nullptr) {
42     return false;
43   }
44 
45   bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new());
46 
47   ECDSA_SIG sig;
48   sig.r = r.get();
49   sig.s = s.get();
50 
51   const uint8_t* key_bytes = reinterpret_cast<const uint8_t*>(key.data());
52   const uint8_t* signature_bytes =
53       reinterpret_cast<const uint8_t*>(signature.data());
54 
55   if (BN_bin2bn(key_bytes + 0, 32, x.get()) == nullptr ||
56       BN_bin2bn(key_bytes + 32, 32, y.get()) == nullptr ||
57       BN_bin2bn(signature_bytes + 0, 32, sig.r) == nullptr ||
58       BN_bin2bn(signature_bytes + 32, 32, sig.s) == nullptr) {
59     return false;
60   }
61 
62   bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
63   if (point.get() == nullptr ||
64       !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
65                                            y.get(), nullptr)) {
66     return false;
67   }
68 
69   bssl::UniquePtr<EC_KEY> ecdsa_key(EC_KEY_new());
70   if (ecdsa_key.get() == nullptr ||
71       !EC_KEY_set_group(ecdsa_key.get(), p256.get()) ||
72       !EC_KEY_set_public_key(ecdsa_key.get(), point.get())) {
73     return false;
74   }
75 
76   SHA256_CTX sha256;
77   SHA256_Init(&sha256);
78   if (is_channel_id_signature) {
79     SHA256_Update(&sha256, kContextStr, strlen(kContextStr) + 1);
80     SHA256_Update(&sha256, kClientToServerStr, strlen(kClientToServerStr) + 1);
81   }
82   SHA256_Update(&sha256, signed_data.data(), signed_data.size());
83 
84   unsigned char digest[SHA256_DIGEST_LENGTH];
85   SHA256_Final(digest, &sha256);
86 
87   return ECDSA_do_verify(digest, sizeof(digest), &sig, ecdsa_key.get()) == 1;
88 }
89 
90 }  // namespace quic
91