Use standard KDF for stateless retry (#5232)

* Implement SP800-108 CTR-HMAC KBKDF and use it for stateless retry key generation.

* Add tests

Author: anrossi

src/core/partition.c

@@ -98,19 +98,24 @@ QuicPartitionGetStatelessRetryKey(
     }
 
     //
-    // Generate a new key from the base retry key combined with the index.
+    // Generate a new key from the base retry secret using SP800-108 CTR-HMAC.
     //
-    uint8_t RawKey[CXPLAT_AEAD_AES_256_GCM_SIZE];
-    CxPlatCopyMemory(
-        RawKey,
-        MsQuicLib.StatelessRetry.BaseSecret,
-        MsQuicLib.StatelessRetry.SecretLength);
-    for (size_t i = 0; i < sizeof(KeyIndex); ++i) {
-        RawKey[i] ^= ((uint8_t*)&KeyIndex)[i];
+    uint8_t RawKey[CXPLAT_AEAD_MAX_SIZE];
+    QUIC_STATUS Status =
+        CxPlatKbKdfDerive(
+            MsQuicLib.StatelessRetry.BaseSecret,
+            MsQuicLib.StatelessRetry.SecretLength,
+            "QUIC Stateless Retry Key",
+            (uint8_t*)&KeyIndex,
+            sizeof(KeyIndex),
+            MsQuicLib.StatelessRetry.SecretLength,
+            RawKey);
+    if (QUIC_FAILED(Status)) {
+        return NULL;
     }
 
     CXPLAT_KEY* NewKey;
-    QUIC_STATUS Status =
+    Status =
         CxPlatKeyCreate(
             MsQuicLib.StatelessRetry.AeadAlgorithm,
             RawKey,
@@ -121,12 +126,14 @@ QuicPartitionGetStatelessRetryKey(
             "[ lib] ERROR, %u, %s.",
             Status,
             "Create stateless retry key");
+        CxPlatSecureZeroMemory(RawKey, sizeof(RawKey));
         return NULL;
     }
 
     CxPlatKeyFree(Partition->StatelessRetryKeys[KeyIndex & 1].Key);
     Partition->StatelessRetryKeys[KeyIndex & 1].Key = NewKey;
     Partition->StatelessRetryKeys[KeyIndex & 1].Index = KeyIndex;
+    CxPlatSecureZeroMemory(RawKey, sizeof(RawKey));
 
     return NewKey;
 }

src/inc/quic_crypt.h

@@ -394,6 +394,18 @@ CxPlatCryptSupports(
     CXPLAT_AEAD_TYPE AeadType
     );
 
+_IRQL_requires_max_(PASSIVE_LEVEL)
+QUIC_STATUS
+CxPlatKbKdfDerive(
+    _In_reads_(SecretLength) const uint8_t* Secret,
+    _In_ uint32_t SecretLength,
+    _In_z_ const char* Label,
+    _In_reads_opt_(ContextLength) const uint8_t* Context,
+    _In_ uint32_t ContextLength,
+    _In_ uint32_t OutputLength,
+    _Out_writes_(OutputLength) uint8_t* Output
+    );
+
 #if defined(__cplusplus)
 }
 #endif

src/platform/crypt_bcrypt.c

@@ -46,12 +46,14 @@ BCRYPT_ALG_HANDLE CXPLAT_HMAC_SHA384_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_HMAC_SHA512_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_AES_ECB_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_AES_GCM_ALG_HANDLE;
+BCRYPT_ALG_HANDLE CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE;
 #else
 BCRYPT_ALG_HANDLE CXPLAT_HMAC_SHA256_ALG_HANDLE = BCRYPT_HMAC_SHA256_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_HMAC_SHA384_ALG_HANDLE = BCRYPT_HMAC_SHA384_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_HMAC_SHA512_ALG_HANDLE = BCRYPT_HMAC_SHA512_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_AES_ECB_ALG_HANDLE = BCRYPT_AES_ECB_ALG_HANDLE;
 BCRYPT_ALG_HANDLE CXPLAT_AES_GCM_ALG_HANDLE = BCRYPT_AES_GCM_ALG_HANDLE;
+BCRYPT_ALG_HANDLE CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE = BCRYPT_SP800108_CTR_HMAC_ALG_HANDLE;
 #endif
 BCRYPT_ALG_HANDLE CXPLAT_CHACHA20_POLY1305_ALG_HANDLE = NULL;
 
@@ -204,6 +206,21 @@ CxPlatCryptInitialize(
         }
     }
 
+    Status =
+        BCryptOpenAlgorithmProvider(
+            &CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE,
+            BCRYPT_SP800108_CTR_HMAC_ALGORITHM,
+            MS_PRIMITIVE_PROVIDER,
+            BCRYPT_PROV_DISPATCH);
+    if (!NT_SUCCESS(Status)) {
+        QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            Status,
+            "Open SP800-108 CTR HMAC KDF algorithm");
+        goto Error;
+    }
+
 Error:
 
     if (!NT_SUCCESS(Status)) {
@@ -231,6 +248,10 @@ CxPlatCryptInitialize(
             BCryptCloseAlgorithmProvider(CXPLAT_CHACHA20_POLY1305_ALG_HANDLE, 0);
             CXPLAT_CHACHA20_POLY1305_ALG_HANDLE = NULL;
         }
+        if (CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE) {
+            BCryptCloseAlgorithmProvider(CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE, 0);
+            CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE = NULL;
+        }
     }
 
     return NtStatusToQuicStatus(Status);
@@ -304,11 +325,13 @@ CxPlatCryptUninitialize(
     )
 {
 #ifdef _KERNEL_MODE
+    BCryptCloseAlgorithmProvider(CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE, 0);
     BCryptCloseAlgorithmProvider(CXPLAT_HMAC_SHA256_ALG_HANDLE, 0);
     BCryptCloseAlgorithmProvider(CXPLAT_HMAC_SHA384_ALG_HANDLE, 0);
     BCryptCloseAlgorithmProvider(CXPLAT_HMAC_SHA512_ALG_HANDLE, 0);
     BCryptCloseAlgorithmProvider(CXPLAT_AES_ECB_ALG_HANDLE, 0);
     BCryptCloseAlgorithmProvider(CXPLAT_AES_GCM_ALG_HANDLE, 0);
+    CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE = NULL;
     CXPLAT_HMAC_SHA256_ALG_HANDLE = NULL;
     CXPLAT_HMAC_SHA384_ALG_HANDLE = NULL;
     CXPLAT_HMAC_SHA512_ALG_HANDLE = NULL;
@@ -764,3 +787,83 @@ CxPlatHashCompute(
 
     return NtStatusToQuicStatus(Status);
 }
+
+_IRQL_requires_max_(PASSIVE_LEVEL)
+QUIC_STATUS
+CxPlatKbKdfDerive(
+    _In_reads_(SecretLength) const uint8_t* Secret,
+    _In_ uint32_t SecretLength,
+    _In_z_ const char* Label,
+    _In_reads_opt_(ContextLength) const uint8_t* Context,
+    _In_ uint32_t ContextLength,
+    _In_ uint32_t OutputLength,
+    _Out_writes_(OutputLength) uint8_t* Output
+    )
+{
+    BCRYPT_KEY_HANDLE KeyHandle = NULL;
+    NTSTATUS Status =
+        BCryptGenerateSymmetricKey(
+            CXPLAT_SP800108_CTR_HMAC_ALG_HANDLE,
+            &KeyHandle,
+            NULL, // Let BCrypt manage the memory
+            0,
+            (UCHAR*)Secret,
+            SecretLength,
+            0);
+    if (!NT_SUCCESS(Status)) {
+        QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            Status,
+            "BCryptGenerateSymmetricKey for KDF");
+        goto Error;
+    }
+
+    BCryptBuffer ParameterList[3];
+    ParameterList[0].BufferType = KDF_HASH_ALGORITHM;
+    ParameterList[0].pvBuffer = (PVOID)BCRYPT_SHA256_ALGORITHM;
+    ParameterList[0].cbBuffer = sizeof(BCRYPT_SHA256_ALGORITHM);
+
+    ParameterList[1].BufferType = KDF_LABEL;
+    ParameterList[1].pvBuffer = (PVOID)Label;
+    ParameterList[1].cbBuffer = (ULONG)strnlen_s(Label, 255);
+
+    ParameterList[2].BufferType = KDF_CONTEXT;
+    ParameterList[2].pvBuffer = (PVOID)Context;
+    ParameterList[2].cbBuffer = ContextLength;
+
+    BCryptBufferDesc Parameters;
+    Parameters.ulVersion = BCRYPTBUFFER_VERSION;
+    Parameters.cBuffers = ARRAYSIZE(ParameterList);
+    Parameters.pBuffers = ParameterList;
+
+    //
+    // Derive the key using SP800-108 CTR mode
+    //
+    ULONG DerivedKeyLength = 0;
+    Status =
+        BCryptKeyDerivation(
+            KeyHandle,
+            &Parameters,
+            Output,
+            OutputLength,
+            &DerivedKeyLength,
+            0);
+    if (!NT_SUCCESS(Status)) {
+        QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            Status,
+            "BCryptKeyDerivation SP800-108 CTR");
+        goto Error;
+    }
+
+    CXPLAT_DBG_ASSERT(DerivedKeyLength == OutputLength);
+
+Error:
+    if (KeyHandle) {
+        BCryptDestroyKey(KeyHandle);
+    }
+
+    return NtStatusToQuicStatus(Status);
+}

src/platform/crypt_openssl.c

@@ -711,3 +711,62 @@ CxPlatHashCompute(
     CXPLAT_FRE_ASSERT(ActualOutputSize == OutputLength);
     return QUIC_STATUS_SUCCESS;
 }
+
+_IRQL_requires_max_(PASSIVE_LEVEL)
+QUIC_STATUS
+CxPlatKbKdfDerive(
+    _In_reads_(SecretLength) const uint8_t* Secret,
+    _In_ uint32_t SecretLength,
+    _In_z_ const char* Label,
+    _In_reads_opt_(ContextLength) const uint8_t* Context,
+    _In_ uint32_t ContextLength,
+    _In_ uint32_t OutputLength,
+    _Out_writes_(OutputLength) uint8_t* Output
+    )
+{
+    QUIC_STATUS Status = QUIC_STATUS_SUCCESS;
+    EVP_KDF* Kdf;
+    EVP_KDF_CTX* KdfCtx;
+    OSSL_PARAM Params[6];
+
+    Kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
+    KdfCtx = EVP_KDF_CTX_new(Kdf);
+    EVP_KDF_free(Kdf);
+
+    Params[0] =
+        OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,"SHA2-256", 0);
+
+    Params[1] =
+        OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,"HMAC", 0);
+
+    Params[2] =
+        OSSL_PARAM_construct_octet_string(
+            OSSL_KDF_PARAM_KEY,
+            (void*)Secret,
+            SecretLength);
+
+    Params[3] =
+        OSSL_PARAM_construct_octet_string(
+            OSSL_KDF_PARAM_SALT,
+            (void*)Label,
+            strnlen(Label, 255));
+
+    Params[4] =
+        OSSL_PARAM_construct_octet_string(
+            OSSL_KDF_PARAM_INFO,
+            (void*)Context,
+            ContextLength);
+
+    Params[5] = OSSL_PARAM_construct_end();
+
+    if (EVP_KDF_derive(KdfCtx, Output, OutputLength, Params) <= 0) {
+        QuicTraceEvent(
+            LibraryError,
+            "[ lib] ERROR, %s.",
+            "EVP_KDF_derive failed");
+        Status = QUIC_STATUS_INTERNAL_ERROR;
+    }
+
+    EVP_KDF_CTX_free(KdfCtx);
+    return Status;
+}

src/platform/unittest/CryptTest.cpp

@@ -348,6 +348,47 @@ struct CryptTest : public ::testing::TestWithParam<int32_t>
 
         QuicPacketKeyFree(PacketKey);
     }
+
+    bool
+    TestKbKdfDerive(
+        _In_ QuicBuffer& Key,
+        _In_ const uint32_t OutputLength,
+        _In_ QuicBuffer& ExpectedOutput)
+    {
+        uint8_t Output[CXPLAT_AEAD_MAX_SIZE];
+        if (OutputLength > sizeof(Output)) {
+            //
+            // Ensure the test doesn't overrun the buffer.
+            //
+            GTEST_LOG_(ERROR) << "OutputLength is larger than buffer.";
+            return false;
+        }
+        CxPlatZeroMemory(Output, OutputLength);
+        uint64_t Context = 1752112221;
+        const char* Label = "test";
+        const uint32_t ContextLength = (uint32_t)sizeof(Context);
+
+        QUIC_STATUS Status =
+            CxPlatKbKdfDerive(
+                Key.Data,
+                Key.Length,
+                Label,
+                (uint8_t*)&Context,
+                ContextLength,
+                OutputLength,
+                Output);
+        if (QUIC_FAILED(Status)) {
+            GTEST_LOG_(ERROR) << "CxPlatKbKdfDerive failed with " << std::hex << Status;
+            return false;
+        }
+        
+        if (memcmp(ExpectedOutput.Data, Output, ExpectedOutput.Length) != 0) {
+            LogTestBuffer("Expected Output:     ", ExpectedOutput.Data, ExpectedOutput.Length);
+            LogTestBuffer("Calculated Output:   ", Output, ExpectedOutput.Length);
+            return false;
+        }
+        return true;
+    }
 };
 
 TEST_F(CryptTest, WellKnownClientInitialv1)
@@ -488,6 +529,44 @@ TEST_F(CryptTest, HpMaskAes128)
     CxPlatHpKeyFree(HpKey);
 }
 
+TEST_F(CryptTest, KbKdfDerive)
+{
+    QuicBuffer Key256("3edc6b5b8f7aadbd713732b482b8f979286e1ea3b8f8f99c30c884cfe3349b83");
+
+    QuicBuffer ExpectedOutput256_Key256("B7BFF374C8928335AA41589D41084B64211876771C459C23B06BA4A2EA89B5AE");
+    if (!TestKbKdfDerive(
+        Key256,
+        ExpectedOutput256_Key256.Length,
+        ExpectedOutput256_Key256)) {
+        FAIL();
+    }
+
+    QuicBuffer ExpectedOutput128_Key256("2775BB8F82B3B5EB667C8CF548C2F06F");
+    if (!TestKbKdfDerive(
+        Key256,
+        ExpectedOutput128_Key256.Length,
+        ExpectedOutput128_Key256)) {
+        FAIL();
+    }
+
+    QuicBuffer Key128("5ddd79f7b33f1f4a6dd57c34a8eec42e");
+    QuicBuffer ExpectedOutput256_Key128("0D90AEEEA79D7068283FC33561277AD8B641F5D0F2C47A3360DE8BBCB2D1A6E6");
+    if (!TestKbKdfDerive(
+        Key128,
+        ExpectedOutput256_Key128.Length,
+        ExpectedOutput256_Key128)) {
+        FAIL();
+    }
+
+    QuicBuffer ExpectedOutput128_Key128("3D49CD6A27AC5CA5F0F51893A755D160");
+    if (!TestKbKdfDerive(
+        Key128,
+        ExpectedOutput128_Key128.Length,
+        ExpectedOutput128_Key128)) {
+        FAIL();
+    }
+}
+
 TEST_P(CryptTest, Encryption)
 {