quic: refactor keys for key updates

Refactor how we store encryption keys in preparation for adding
support for key updates.

Previously, we had a single "keys" type containing header and packet
protection key material. With key update, the 1-RTT header protection
keys are consistent across the lifetime of a connection, while
packet protection keys vary. Separate out the header and packet
protection keys into distinct types.

Add "fixed" key types for keys which remain fixed across a
connection's lifetime and do not update. For the moment,
1-RTT keys are still fixed.

Remove a number of can-never-happen error returns from
key handling paths. We were previously inconsistent about
where to panic and where to return an error on these paths;
we now consistently panic in paths where errors can only
occur due to a bug. (For example, attempting to create an
AEAD with an incorrect secret size.)

No functional changes, this is purely refactoring.

For golang/go#58547

Change-Id: I49f83091517186e452845b65a1597add60e5fc92
Reviewed-on: https://go-review.googlesource.com/c/net/+/529155
Reviewed-by: Jonathan Amsterdam <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: neild

internal/quic/conn.go

@@ -42,10 +42,11 @@ type Conn struct {
 	idleTimeout    time.Time
 
 	// Packet protection keys, CRYPTO streams, and TLS state.
-	rkeys  [numberSpaceCount]keys
-	wkeys  [numberSpaceCount]keys
-	crypto [numberSpaceCount]cryptoStream
-	tls    *tls.QUICConn
+	keysInitial   fixedKeyPair
+	keysHandshake fixedKeyPair
+	keysAppData   fixedKeyPair
+	crypto        [numberSpaceCount]cryptoStream
+	tls           *tls.QUICConn
 
 	// handshakeConfirmed is set when the handshake is confirmed.
 	// For server connections, it tracks sending HANDSHAKE_DONE.
@@ -156,8 +157,12 @@ func (c *Conn) confirmHandshake(now time.Time) {
 // discardKeys discards unused packet protection keys.
 // https://www.rfc-editor.org/rfc/rfc9001#section-4.9
 func (c *Conn) discardKeys(now time.Time, space numberSpace) {
-	c.rkeys[space].discard()
-	c.wkeys[space].discard()
+	switch space {
+	case initialSpace:
+		c.keysInitial.discard()
+	case handshakeSpace:
+		c.keysHandshake.discard()
+	}
 	c.loss.discardKeys(now, space)
 }
 

internal/quic/conn_recv.go

@@ -26,9 +26,9 @@ func (c *Conn) handleDatagram(now time.Time, dgram *datagram) {
 				// https://www.rfc-editor.org/rfc/rfc9000#section-14.1-4
 				return
 			}
-			n = c.handleLongHeader(now, ptype, initialSpace, buf)
+			n = c.handleLongHeader(now, ptype, initialSpace, c.keysInitial.r, buf)
 		case packetTypeHandshake:
-			n = c.handleLongHeader(now, ptype, handshakeSpace, buf)
+			n = c.handleLongHeader(now, ptype, handshakeSpace, c.keysHandshake.r, buf)
 		case packetType1RTT:
 			n = c.handle1RTT(now, buf)
 		default:
@@ -43,13 +43,13 @@ func (c *Conn) handleDatagram(now time.Time, dgram *datagram) {
 	}
 }
 
-func (c *Conn) handleLongHeader(now time.Time, ptype packetType, space numberSpace, buf []byte) int {
-	if !c.rkeys[space].isSet() {
+func (c *Conn) handleLongHeader(now time.Time, ptype packetType, space numberSpace, k fixedKeys, buf []byte) int {
+	if !k.isSet() {
 		return skipLongHeaderPacket(buf)
 	}
 
 	pnumMax := c.acks[space].largestSeen()
-	p, n := parseLongHeaderPacket(buf, c.rkeys[space], pnumMax)
+	p, n := parseLongHeaderPacket(buf, k, pnumMax)
 	if n < 0 {
 		return -1
 	}
@@ -82,14 +82,14 @@ func (c *Conn) handleLongHeader(now time.Time, ptype packetType, space numberSpa
 }
 
 func (c *Conn) handle1RTT(now time.Time, buf []byte) int {
-	if !c.rkeys[appDataSpace].isSet() {
+	if !c.keysAppData.canRead() {
 		// 1-RTT packets extend to the end of the datagram,
 		// so skip the remainder of the datagram if we can't parse this.
 		return len(buf)
 	}
 
 	pnumMax := c.acks[appDataSpace].largestSeen()
-	p, n := parse1RTTPacket(buf, c.rkeys[appDataSpace], connIDLen, pnumMax)
+	p, n := parse1RTTPacket(buf, c.keysAppData.r, connIDLen, pnumMax)
 	if n < 0 {
 		return -1
 	}

internal/quic/conn_send.go

@@ -59,7 +59,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 		// Initial packet.
 		pad := false
 		var sentInitial *sentPacket
-		if k := c.wkeys[initialSpace]; k.isSet() {
+		if c.keysInitial.canWrite() {
 			pnumMaxAcked := c.acks[initialSpace].largestSeen()
 			pnum := c.loss.nextNumber(initialSpace)
 			p := longPacket{
@@ -74,7 +74,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 			if logPackets {
 				logSentPacket(c, packetTypeInitial, pnum, p.srcConnID, p.dstConnID, c.w.payload())
 			}
-			sentInitial = c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, k, p)
+			sentInitial = c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, c.keysInitial.w, p)
 			if sentInitial != nil {
 				// Client initial packets need to be sent in a datagram padded to
 				// at least 1200 bytes. We can't add the padding yet, however,
@@ -86,7 +86,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 		}
 
 		// Handshake packet.
-		if k := c.wkeys[handshakeSpace]; k.isSet() {
+		if c.keysHandshake.canWrite() {
 			pnumMaxAcked := c.acks[handshakeSpace].largestSeen()
 			pnum := c.loss.nextNumber(handshakeSpace)
 			p := longPacket{
@@ -101,7 +101,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 			if logPackets {
 				logSentPacket(c, packetTypeHandshake, pnum, p.srcConnID, p.dstConnID, c.w.payload())
 			}
-			if sent := c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, k, p); sent != nil {
+			if sent := c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, c.keysHandshake.w, p); sent != nil {
 				c.loss.packetSent(now, handshakeSpace, sent)
 				if c.side == clientSide {
 					// "[...] a client MUST discard Initial keys when it first
@@ -113,7 +113,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 		}
 
 		// 1-RTT packet.
-		if k := c.wkeys[appDataSpace]; k.isSet() {
+		if c.keysAppData.canWrite() {
 			pnumMaxAcked := c.acks[appDataSpace].largestSeen()
 			pnum := c.loss.nextNumber(appDataSpace)
 			c.w.start1RTTPacket(pnum, pnumMaxAcked, dstConnID)
@@ -128,7 +128,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 			if logPackets {
 				logSentPacket(c, packetType1RTT, pnum, nil, dstConnID, c.w.payload())
 			}
-			if sent := c.w.finish1RTTPacket(pnum, pnumMaxAcked, dstConnID, k); sent != nil {
+			if sent := c.w.finish1RTTPacket(pnum, pnumMaxAcked, dstConnID, c.keysAppData.w); sent != nil {
 				c.loss.packetSent(now, appDataSpace, sent)
 			}
 		}
@@ -157,7 +157,10 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 					sentInitial.inFlight = true
 				}
 			}
-			if k := c.wkeys[initialSpace]; k.isSet() {
+			// If we're a client and this Initial packet is coalesced
+			// with a Handshake packet, then we've discarded Initial keys
+			// since constructing the packet and shouldn't record it as in-flight.
+			if c.keysInitial.canWrite() {
 				c.loss.packetSent(now, initialSpace, sentInitial)
 			}
 		}

internal/quic/conn_test.go

@@ -113,15 +113,18 @@ type testConn struct {
 	timerLastFired time.Time
 	idlec          chan struct{} // only accessed on the conn's loop
 
-	// Read and write keys are distinct from the conn's keys,
+	// Keys are distinct from the conn's keys,
 	// because the test may know about keys before the conn does.
 	// For example, when sending a datagram with coalesced
 	// Initial and Handshake packets to a client conn,
 	// we use Handshake keys to encrypt the packet.
 	// The client only acquires those keys when it processes
 	// the Initial packet.
-	rkeys [numberSpaceCount]keyData // for packets sent to the conn
-	wkeys [numberSpaceCount]keyData // for packets sent by the conn
+	keysInitial   fixedKeyPair
+	keysHandshake fixedKeyPair
+	keysAppData   fixedKeyPair
+	rsecrets      [numberSpaceCount]testKeySecret
+	wsecrets      [numberSpaceCount]testKeySecret
 
 	// testConn uses a test hook to snoop on the conn's TLS events.
 	// CRYPTO data produced by the conn's QUICConn is placed in
@@ -156,10 +159,9 @@ type testConn struct {
 	asyncTestState
 }
 
-type keyData struct {
+type testKeySecret struct {
 	suite  uint16
 	secret []byte
-	k      keys
 }
 
 // newTestConn creates a Conn for testing.
@@ -225,8 +227,8 @@ func newTestConn(t *testing.T, side connSide, opts ...any) *testConn {
 	}
 	tc.conn = conn
 
-	tc.wkeys[initialSpace].k = conn.wkeys[initialSpace]
-	tc.rkeys[initialSpace].k = conn.rkeys[initialSpace]
+	tc.keysInitial.r = conn.keysInitial.w
+	tc.keysInitial.w = conn.keysInitial.r
 
 	tc.wait()
 	return tc
@@ -611,22 +613,30 @@ func (tc *testConn) encodeTestPacket(p *testPacket, pad int) []byte {
 	for _, f := range p.frames {
 		f.write(&w)
 	}
-	space := spaceForPacketType(p.ptype)
-	if !tc.rkeys[space].k.isSet() {
-		tc.t.Fatalf("sending packet with no %v keys available", space)
-		return nil
-	}
 	w.appendPaddingTo(pad)
 	if p.ptype != packetType1RTT {
-		w.finishProtectedLongHeaderPacket(pnumMaxAcked, tc.rkeys[space].k, longPacket{
+		var k fixedKeyPair
+		switch p.ptype {
+		case packetTypeInitial:
+			k = tc.keysInitial
+		case packetTypeHandshake:
+			k = tc.keysHandshake
+		}
+		if !k.canWrite() {
+			tc.t.Fatalf("sending %v packet with no write key", p.ptype)
+		}
+		w.finishProtectedLongHeaderPacket(pnumMaxAcked, k.w, longPacket{
 			ptype:     p.ptype,
 			version:   p.version,
 			num:       p.num,
 			dstConnID: p.dstConnID,
 			srcConnID: p.srcConnID,
 		})
 	} else {
-		w.finish1RTTPacket(p.num, pnumMaxAcked, p.dstConnID, tc.rkeys[space].k)
+		if !tc.keysAppData.canWrite() {
+			tc.t.Fatalf("sending %v packet with no write key", p.ptype)
+		}
+		w.finish1RTTPacket(p.num, pnumMaxAcked, p.dstConnID, tc.keysAppData.w)
 	}
 	return w.datagram()
 }
@@ -642,13 +652,19 @@ func (tc *testConn) parseTestDatagram(buf []byte) *testDatagram {
 			break
 		}
 		ptype := getPacketType(buf)
-		space := spaceForPacketType(ptype)
-		if !tc.wkeys[space].k.isSet() {
-			tc.t.Fatalf("no keys for space %v, packet type %v", space, ptype)
-		}
 		if isLongHeader(buf[0]) {
+			var k fixedKeyPair
+			switch ptype {
+			case packetTypeInitial:
+				k = tc.keysInitial
+			case packetTypeHandshake:
+				k = tc.keysHandshake
+			}
+			if !k.canRead() {
+				tc.t.Fatalf("reading %v packet with no read key", ptype)
+			}
 			var pnumMax packetNumber // TODO: Track packet numbers.
-			p, n := parseLongHeaderPacket(buf, tc.wkeys[space].k, pnumMax)
+			p, n := parseLongHeaderPacket(buf, k.r, pnumMax)
 			if n < 0 {
 				tc.t.Fatalf("packet parse error")
 			}
@@ -666,8 +682,11 @@ func (tc *testConn) parseTestDatagram(buf []byte) *testDatagram {
 			})
 			buf = buf[n:]
 		} else {
+			if !tc.keysAppData.canRead() {
+				tc.t.Fatalf("reading 1-RTT packet with no read key")
+			}
 			var pnumMax packetNumber // TODO: Track packet numbers.
-			p, n := parse1RTTPacket(buf, tc.wkeys[space].k, len(tc.peerConnID), pnumMax)
+			p, n := parse1RTTPacket(buf, tc.keysAppData.r, len(tc.peerConnID), pnumMax)
 			if n < 0 {
 				tc.t.Fatalf("packet parse error")
 			}
@@ -747,12 +766,7 @@ type testConnHooks testConn
 // and verify that both sides of the connection are getting
 // matching keys.
 func (tc *testConnHooks) handleTLSEvent(e tls.QUICEvent) {
-	setKey := func(keys *[numberSpaceCount]keyData, e tls.QUICEvent) {
-		k, err := newKeys(e.Suite, e.Data)
-		if err != nil {
-			tc.t.Errorf("newKeys: %v", err)
-			return
-		}
+	checkKey := func(typ string, secrets *[numberSpaceCount]testKeySecret, e tls.QUICEvent) {
 		var space numberSpace
 		switch {
 		case e.Level == tls.QUICEncryptionLevelHandshake:
@@ -763,25 +777,30 @@ func (tc *testConnHooks) handleTLSEvent(e tls.QUICEvent) {
 			tc.t.Errorf("unexpected encryption level %v", e.Level)
 			return
 		}
-		s := "read"
-		if keys == &tc.wkeys {
-			s = "write"
-		}
-		if keys[space].k.isSet() {
-			if keys[space].suite != e.Suite || !bytes.Equal(keys[space].secret, e.Data) {
-				tc.t.Errorf("%v key mismatch for level for level %v", s, e.Level)
-			}
-			return
+		if secrets[space].secret == nil {
+			secrets[space].suite = e.Suite
+			secrets[space].secret = append([]byte{}, e.Data...)
+		} else if secrets[space].suite != e.Suite || !bytes.Equal(secrets[space].secret, e.Data) {
+			tc.t.Errorf("%v key mismatch for level %v", typ, e.Level)
 		}
-		keys[space].suite = e.Suite
-		keys[space].secret = append([]byte{}, e.Data...)
-		keys[space].k = k
 	}
 	switch e.Kind {
 	case tls.QUICSetReadSecret:
-		setKey(&tc.rkeys, e)
+		checkKey("read", &tc.rsecrets, e)
+		switch e.Level {
+		case tls.QUICEncryptionLevelHandshake:
+			tc.keysHandshake.w.init(e.Suite, e.Data)
+		case tls.QUICEncryptionLevelApplication:
+			tc.keysAppData.w.init(e.Suite, e.Data)
+		}
 	case tls.QUICSetWriteSecret:
-		setKey(&tc.wkeys, e)
+		checkKey("write", &tc.wsecrets, e)
+		switch e.Level {
+		case tls.QUICEncryptionLevelHandshake:
+			tc.keysHandshake.r.init(e.Suite, e.Data)
+		case tls.QUICEncryptionLevelApplication:
+			tc.keysAppData.r.init(e.Suite, e.Data)
+		}
 	case tls.QUICWriteData:
 		tc.cryptoDataOut[e.Level] = append(tc.cryptoDataOut[e.Level], e.Data...)
 		tc.peerTLSConn.HandleData(e.Level, e.Data)
@@ -792,9 +811,21 @@ func (tc *testConnHooks) handleTLSEvent(e tls.QUICEvent) {
 		case tls.QUICNoEvent:
 			return
 		case tls.QUICSetReadSecret:
-			setKey(&tc.wkeys, e)
+			checkKey("write", &tc.wsecrets, e)
+			switch e.Level {
+			case tls.QUICEncryptionLevelHandshake:
+				tc.keysHandshake.r.init(e.Suite, e.Data)
+			case tls.QUICEncryptionLevelApplication:
+				tc.keysAppData.r.init(e.Suite, e.Data)
+			}
 		case tls.QUICSetWriteSecret:
-			setKey(&tc.rkeys, e)
+			checkKey("read", &tc.rsecrets, e)
+			switch e.Level {
+			case tls.QUICEncryptionLevelHandshake:
+				tc.keysHandshake.w.init(e.Suite, e.Data)
+			case tls.QUICEncryptionLevelApplication:
+				tc.keysAppData.w.init(e.Suite, e.Data)
+			}
 		case tls.QUICWriteData:
 			tc.cryptoDataIn[e.Level] = append(tc.cryptoDataIn[e.Level], e.Data...)
 		case tls.QUICTransportParameters: