2
0

quic_tls.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879
  1. /*
  2. * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ssl.h>
  10. #include "internal/recordmethod.h"
  11. #include "internal/quic_tls.h"
  12. #include "../ssl_local.h"
  13. #include "internal/quic_error.h"
  14. #define QUIC_TLS_FATAL(rl, ad, err) \
  15. do { \
  16. if ((rl) != NULL) (rl)->alert = (ad); \
  17. ERR_raise(ERR_LIB_SSL, (err)); \
  18. if ((rl) != NULL) (rl)->qtls->inerror = 1; \
  19. } while(0)
  20. struct quic_tls_st {
  21. QUIC_TLS_ARGS args;
  22. /*
  23. * Transport parameters which client should send. Buffer lifetime must
  24. * exceed the lifetime of the QUIC_TLS object.
  25. */
  26. const unsigned char *local_transport_params;
  27. size_t local_transport_params_len;
  28. ERR_STATE *error_state;
  29. /*
  30. * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
  31. * only if inerror is 1.
  32. */
  33. uint64_t error_code;
  34. /*
  35. * Error message with static storage duration. Valid only if inerror is 1.
  36. * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
  37. */
  38. const char *error_msg;
  39. /* Whether our SSL object for TLS has been configured for use in QUIC */
  40. unsigned int configured : 1;
  41. /* Set if we have hit any error state */
  42. unsigned int inerror : 1;
  43. /* Set if the handshake has completed */
  44. unsigned int complete : 1;
  45. };
  46. struct ossl_record_layer_st {
  47. QUIC_TLS *qtls;
  48. /* Protection level */
  49. int level;
  50. /* Only used for retry flags */
  51. BIO *dummybio;
  52. /* Number of bytes written so far if we are part way through a write */
  53. size_t written;
  54. /* If we are part way through a write, a copy of the template */
  55. OSSL_RECORD_TEMPLATE template;
  56. /*
  57. * If we hit an error, what alert code should be used
  58. */
  59. int alert;
  60. /* Amount of crypto stream data we read in the last call to quic_read_record */
  61. size_t recread;
  62. /* Amount of crypto stream data read but not yet released */
  63. size_t recunreleased;
  64. /* Callbacks */
  65. OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
  66. void *cbarg;
  67. };
  68. static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
  69. static int quic_free(OSSL_RECORD_LAYER *r);
  70. static int
  71. quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
  72. int role, int direction, int level, uint16_t epoch,
  73. unsigned char *secret, size_t secretlen,
  74. unsigned char *key, size_t keylen, unsigned char *iv,
  75. size_t ivlen, unsigned char *mackey, size_t mackeylen,
  76. const EVP_CIPHER *ciph, size_t taglen,
  77. int mactype,
  78. const EVP_MD *md, COMP_METHOD *comp,
  79. const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
  80. BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
  81. const OSSL_PARAM *settings, const OSSL_PARAM *options,
  82. const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
  83. OSSL_RECORD_LAYER **retrl)
  84. {
  85. OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
  86. uint32_t enc_level;
  87. int qdir;
  88. uint32_t suite_id = 0;
  89. if (rl == NULL) {
  90. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  91. return 0;
  92. }
  93. rl->qtls = (QUIC_TLS *)rlarg;
  94. rl->level = level;
  95. if (!quic_set1_bio(rl, transport)) {
  96. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  97. goto err;
  98. }
  99. rl->cbarg = cbarg;
  100. *retrl = rl;
  101. if (fns != NULL) {
  102. for (; fns->function_id != 0; fns++) {
  103. switch (fns->function_id) {
  104. break;
  105. case OSSL_FUNC_RLAYER_MSG_CALLBACK:
  106. rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
  107. break;
  108. default:
  109. /* Just ignore anything we don't understand */
  110. break;
  111. }
  112. }
  113. }
  114. switch (level) {
  115. case OSSL_RECORD_PROTECTION_LEVEL_NONE:
  116. return 1;
  117. case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
  118. enc_level = QUIC_ENC_LEVEL_0RTT;
  119. break;
  120. case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
  121. enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
  122. break;
  123. case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
  124. enc_level = QUIC_ENC_LEVEL_1RTT;
  125. break;
  126. default:
  127. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  128. goto err;
  129. }
  130. if (direction == OSSL_RECORD_DIRECTION_READ)
  131. qdir = 0;
  132. else
  133. qdir = 1;
  134. if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
  135. suite_id = QRL_SUITE_AES128GCM;
  136. } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
  137. suite_id = QRL_SUITE_AES256GCM;
  138. } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
  139. suite_id = QRL_SUITE_CHACHA20POLY1305;
  140. } else {
  141. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
  142. goto err;
  143. }
  144. /* We pass a ref to the md in a successful yield_secret_cb call */
  145. /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
  146. if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
  147. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  148. goto err;
  149. }
  150. if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
  151. (EVP_MD *)kdfdigest, secret, secretlen,
  152. rl->qtls->args.yield_secret_cb_arg)) {
  153. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  154. EVP_MD_free((EVP_MD *)kdfdigest);
  155. goto err;
  156. }
  157. return 1;
  158. err:
  159. *retrl = NULL;
  160. quic_free(rl);
  161. return 0;
  162. }
  163. static int quic_free(OSSL_RECORD_LAYER *rl)
  164. {
  165. if (rl == NULL)
  166. return 1;
  167. BIO_free(rl->dummybio);
  168. OPENSSL_free(rl);
  169. return 1;
  170. }
  171. static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
  172. {
  173. /*
  174. * Read ahead isn't really a thing for QUIC so we never have unprocessed
  175. * data pending
  176. */
  177. return 0;
  178. }
  179. static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
  180. {
  181. /*
  182. * This is currently only ever used by:
  183. * - SSL_has_pending()
  184. * - to check whether we have more records that we want to supply to the
  185. * upper layers
  186. *
  187. * We only ever supply 1 record at a time to the upper layers, and
  188. * SSL_has_pending() will go via the QUIC method not the TLS method so that
  189. * use case doesn't apply here.
  190. * Therefore we can ignore this for now and always return 0. We might
  191. * eventually want to change this to check in the receive buffers to see if
  192. * we have any more data pending.
  193. */
  194. return 0;
  195. }
  196. static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
  197. size_t len,
  198. size_t maxfrag, size_t *preffrag)
  199. {
  200. return 1;
  201. }
  202. static int quic_write_records(OSSL_RECORD_LAYER *rl,
  203. OSSL_RECORD_TEMPLATE *template,
  204. size_t numtempl)
  205. {
  206. size_t consumed;
  207. unsigned char alert;
  208. if (!ossl_assert(numtempl == 1)) {
  209. /* How could this be? quic_get_max_records() always returns 1 */
  210. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  211. return OSSL_RECORD_RETURN_FATAL;
  212. }
  213. BIO_clear_retry_flags(rl->dummybio);
  214. if (rl->msg_callback != NULL) {
  215. unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
  216. /*
  217. * For the purposes of the callback we "pretend" to be normal TLS,
  218. * and manufacture a dummy record header
  219. */
  220. dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
  221. ? template->type
  222. : SSL3_RT_APPLICATION_DATA;
  223. dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
  224. dummyrec[2] = (unsigned char)(template->version & 0xff);
  225. /*
  226. * We assume that buflen is always <= UINT16_MAX. Since this is
  227. * generated by libssl itself we actually expect it to never
  228. * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
  229. * assumption
  230. */
  231. dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
  232. dummyrec[4] = (unsigned char)(template->buflen & 0xff);
  233. rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
  234. SSL3_RT_HEADER_LENGTH, rl->cbarg);
  235. if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
  236. rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
  237. &template->type, 1, rl->cbarg);
  238. }
  239. }
  240. switch (template->type) {
  241. case SSL3_RT_ALERT:
  242. if (template->buflen != 2) {
  243. /*
  244. * We assume that libssl always sends both bytes of an alert to
  245. * us in one go, and never fragments it. If we ever get more
  246. * or less bytes than exactly 2 then this is very unexpected.
  247. */
  248. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
  249. return OSSL_RECORD_RETURN_FATAL;
  250. }
  251. /*
  252. * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
  253. * description that we are actually interested in.
  254. */
  255. alert = template->buf[1];
  256. if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
  257. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  258. return OSSL_RECORD_RETURN_FATAL;
  259. }
  260. break;
  261. case SSL3_RT_HANDSHAKE:
  262. /*
  263. * We expect this to only fail on some fatal error (e.g. malloc
  264. * failure)
  265. */
  266. if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
  267. template->buflen - rl->written,
  268. &consumed,
  269. rl->qtls->args.crypto_send_cb_arg)) {
  270. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  271. return OSSL_RECORD_RETURN_FATAL;
  272. }
  273. /*
  274. * We might have written less than we wanted to if we have filled the
  275. * send stream buffer.
  276. */
  277. if (consumed + rl->written != template->buflen) {
  278. if (!ossl_assert(consumed + rl->written < template->buflen)) {
  279. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  280. return OSSL_RECORD_RETURN_FATAL;
  281. }
  282. /*
  283. * We've not written everything we wanted to. Take a copy of the
  284. * template, remember how much we wrote so far and signal a retry.
  285. * The buffer supplied in the template is guaranteed to be the same
  286. * on a retry for handshake data
  287. */
  288. rl->written += consumed;
  289. rl->template = *template;
  290. BIO_set_retry_write(rl->dummybio);
  291. return OSSL_RECORD_RETURN_RETRY;
  292. }
  293. rl->written = 0;
  294. break;
  295. default:
  296. /* Anything else is unexpected and an error */
  297. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  298. return OSSL_RECORD_RETURN_FATAL;
  299. }
  300. return OSSL_RECORD_RETURN_SUCCESS;
  301. }
  302. static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
  303. {
  304. return quic_write_records(rl, &rl->template, 1);
  305. }
  306. static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
  307. int *rversion, uint8_t *type, const unsigned char **data,
  308. size_t *datalen, uint16_t *epoch,
  309. unsigned char *seq_num)
  310. {
  311. if (rl->recread != 0 || rl->recunreleased != 0)
  312. return OSSL_RECORD_RETURN_FATAL;
  313. BIO_clear_retry_flags(rl->dummybio);
  314. if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
  315. rl->qtls->args.crypto_recv_rcd_cb_arg)) {
  316. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  317. return OSSL_RECORD_RETURN_FATAL;
  318. }
  319. if (*datalen == 0) {
  320. BIO_set_retry_read(rl->dummybio);
  321. return OSSL_RECORD_RETURN_RETRY;
  322. }
  323. *rechandle = rl;
  324. *rversion = TLS1_3_VERSION;
  325. *type = SSL3_RT_HANDSHAKE;
  326. rl->recread = rl->recunreleased = *datalen;
  327. /* epoch/seq_num are not relevant for TLS */
  328. if (rl->msg_callback != NULL) {
  329. unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
  330. /*
  331. * For the purposes of the callback we "pretend" to be normal TLS,
  332. * and manufacture a dummy record header
  333. */
  334. dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
  335. ? SSL3_RT_HANDSHAKE
  336. : SSL3_RT_APPLICATION_DATA;
  337. dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
  338. dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
  339. /*
  340. * *datalen will always fit into 2 bytes because our original buffer
  341. * size is less than that.
  342. */
  343. dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
  344. dummyrec[4] = (unsigned char)(*datalen & 0xff);
  345. rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
  346. SSL3_RT_HEADER_LENGTH, rl->cbarg);
  347. rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
  348. rl->cbarg);
  349. }
  350. return OSSL_RECORD_RETURN_SUCCESS;
  351. }
  352. static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
  353. size_t length)
  354. {
  355. if (!ossl_assert(rl->recread > 0)
  356. || !ossl_assert(rl->recunreleased <= rl->recread)
  357. || !ossl_assert(rl == rechandle)
  358. || !ossl_assert(length <= rl->recunreleased)) {
  359. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  360. return OSSL_RECORD_RETURN_FATAL;
  361. }
  362. rl->recunreleased -= length;
  363. if (rl->recunreleased > 0)
  364. return OSSL_RECORD_RETURN_SUCCESS;
  365. if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
  366. rl->qtls->args.crypto_release_rcd_cb_arg)) {
  367. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  368. return OSSL_RECORD_RETURN_FATAL;
  369. }
  370. rl->recread = 0;
  371. return OSSL_RECORD_RETURN_SUCCESS;
  372. }
  373. static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
  374. {
  375. return rl->alert;
  376. }
  377. static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
  378. {
  379. /* We only support TLSv1.3, so its bad if we negotiate anything else */
  380. if (!ossl_assert(version == TLS1_3_VERSION)) {
  381. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  382. return 0;
  383. }
  384. return 1;
  385. }
  386. static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
  387. {
  388. /* We don't care */
  389. }
  390. static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
  391. {
  392. /* We don't care */
  393. }
  394. static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
  395. {
  396. /* We don't care */
  397. }
  398. static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
  399. const char **longstr)
  400. {
  401. /*
  402. * According to the docs, valid read state strings are: "RH"/"read header",
  403. * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
  404. * that way, so we report every "normal" state as "read header". In the
  405. * event of error then we report "unknown".
  406. */
  407. if (rl->qtls->inerror) {
  408. if (shortstr != NULL)
  409. *shortstr = "unknown";
  410. if (longstr != NULL)
  411. *longstr = "unknown";
  412. } else {
  413. if (shortstr != NULL)
  414. *shortstr = "RH";
  415. if (longstr != NULL)
  416. *longstr = "read header";
  417. }
  418. }
  419. static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
  420. {
  421. /*
  422. * We don't support any options yet - but we might do at some point so
  423. * this could be useful.
  424. */
  425. return 1;
  426. }
  427. static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
  428. {
  429. /* We only support TLSv1.3 which doesn't have compression */
  430. return NULL;
  431. }
  432. static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
  433. {
  434. /* This really doesn't make any sense for QUIC. Ignore it */
  435. }
  436. static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
  437. {
  438. /*
  439. * This is a hint only. We don't support it (yet), so just ignore the
  440. * request
  441. */
  442. return 1;
  443. }
  444. static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
  445. {
  446. /*
  447. * This is a hint only. We don't support it (yet), so just ignore the
  448. * request
  449. */
  450. return 1;
  451. }
  452. static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
  453. {
  454. if (bio != NULL && !BIO_up_ref(bio))
  455. return 0;
  456. BIO_free(rl->dummybio);
  457. rl->dummybio = bio;
  458. return 1;
  459. }
  460. /*
  461. * Never called functions
  462. *
  463. * Due to the way we are configured and used we never expect any of the next set
  464. * of functions to be called. Therefore we set them to always fail.
  465. */
  466. static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
  467. {
  468. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  469. return (size_t)ossl_assert(0);
  470. }
  471. static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
  472. {
  473. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  474. return (size_t)ossl_assert(0);
  475. }
  476. static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
  477. {
  478. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  479. return ossl_assert(0);
  480. }
  481. /* End of never called functions */
  482. static const OSSL_RECORD_METHOD quic_tls_record_method = {
  483. quic_new_record_layer,
  484. quic_free,
  485. quic_unprocessed_read_pending,
  486. quic_processed_read_pending,
  487. quic_app_data_pending, /* Never called */
  488. quic_get_max_records,
  489. quic_write_records,
  490. quic_retry_write_records,
  491. quic_read_record,
  492. quic_release_record,
  493. quic_get_alert_code,
  494. quic_set1_bio,
  495. quic_set_protocol_version,
  496. quic_set_plain_alerts,
  497. quic_set_first_handshake,
  498. quic_set_max_pipelines,
  499. NULL, /* set_in_init: Optional - we don't need it */
  500. quic_get_state,
  501. quic_set_options,
  502. quic_get_compression,
  503. quic_set_max_frag_len,
  504. quic_get_max_record_overhead, /* Never called */
  505. quic_increment_sequence_ctr, /* Never called */
  506. quic_alloc_buffers,
  507. quic_free_buffers
  508. };
  509. static int add_transport_params_cb(SSL *s, unsigned int ext_type,
  510. unsigned int context,
  511. const unsigned char **out, size_t *outlen,
  512. X509 *x, size_t chainidx, int *al,
  513. void *add_arg)
  514. {
  515. QUIC_TLS *qtls = add_arg;
  516. *out = qtls->local_transport_params;
  517. *outlen = qtls->local_transport_params_len;
  518. return 1;
  519. }
  520. static void free_transport_params_cb(SSL *s, unsigned int ext_type,
  521. unsigned int context,
  522. const unsigned char *out,
  523. void *add_arg)
  524. {
  525. }
  526. static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
  527. unsigned int context,
  528. const unsigned char *in,
  529. size_t inlen, X509 *x,
  530. size_t chainidx,
  531. int *al, void *parse_arg)
  532. {
  533. QUIC_TLS *qtls = parse_arg;
  534. return qtls->args.got_transport_params_cb(in, inlen,
  535. qtls->args.got_transport_params_cb_arg);
  536. }
  537. QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
  538. {
  539. QUIC_TLS *qtls;
  540. if (args->crypto_send_cb == NULL
  541. || args->crypto_recv_rcd_cb == NULL
  542. || args->crypto_release_rcd_cb == NULL) {
  543. ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
  544. return NULL;
  545. }
  546. qtls = OPENSSL_zalloc(sizeof(*qtls));
  547. if (qtls == NULL)
  548. return NULL;
  549. if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
  550. OPENSSL_free(qtls);
  551. return NULL;
  552. }
  553. qtls->args = *args;
  554. return qtls;
  555. }
  556. void ossl_quic_tls_free(QUIC_TLS *qtls)
  557. {
  558. if (qtls == NULL)
  559. return;
  560. OSSL_ERR_STATE_free(qtls->error_state);
  561. OPENSSL_free(qtls);
  562. }
  563. static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
  564. const char *error_msg,
  565. const char *src_file,
  566. int src_line,
  567. const char *src_func)
  568. {
  569. /*
  570. * When QTLS fails, add a "cover letter" error with information, potentially
  571. * with any underlying libssl errors underneath it (but our cover error may
  572. * be the only error in some cases). Then capture this into an ERR_STATE so
  573. * we can report it later if need be when the QUIC_CHANNEL asks for it.
  574. */
  575. ERR_new();
  576. ERR_set_debug(src_file, src_line, src_func);
  577. ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
  578. "handshake layer error, error code %llu (0x%llx) (\"%s\")",
  579. error_code, error_code, error_msg);
  580. OSSL_ERR_STATE_save_to_mark(qtls->error_state);
  581. /*
  582. * We record the error information reported via the QUIC protocol
  583. * separately.
  584. */
  585. qtls->error_code = error_code;
  586. qtls->error_msg = error_msg;
  587. qtls->inerror = 1;
  588. ERR_pop_to_mark();
  589. return 0;
  590. }
  591. #define RAISE_ERROR(qtls, error_code, error_msg) \
  592. raise_error((qtls), (error_code), (error_msg), \
  593. OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
  594. #define RAISE_INTERNAL_ERROR(qtls) \
  595. RAISE_ERROR((qtls), QUIC_ERR_INTERNAL_ERROR, "internal error")
  596. int ossl_quic_tls_tick(QUIC_TLS *qtls)
  597. {
  598. int ret, err;
  599. const unsigned char *alpn;
  600. unsigned int alpnlen;
  601. if (qtls->inerror)
  602. return 0;
  603. /*
  604. * SSL_get_error does not truly know what the cause of an SSL_read failure
  605. * is and to some extent guesses based on contextual information. In
  606. * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
  607. * SSL_ERROR_SYSCALL will be returned no matter what and there is no
  608. * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
  609. * the actual cause of the SSL_read() failure.
  610. *
  611. * This means that ordinarily, the below code might not work right if the
  612. * application has any ERR on the error stack. In order to make this code
  613. * perform correctly regardless of prior ERR state, we use a variant of
  614. * SSL_get_error() which ignores the error stack. However, some ERRs are
  615. * raised by SSL_read() and actually indicate that something has gone wrong
  616. * during the call to SSL_read(). We therefore adopt a strategy of marking
  617. * the ERR stack and seeing if any errors get appended during the call to
  618. * SSL_read(). If they are, we assume SSL_read() has raised an error and
  619. * that we should use normal SSL_get_error() handling.
  620. *
  621. * NOTE: Ensure all escape paths from this function call
  622. * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
  623. */
  624. ERR_set_mark();
  625. if (!qtls->configured) {
  626. SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
  627. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
  628. BIO *nullbio;
  629. /*
  630. * No matter how the user has configured us, there are certain
  631. * requirements for QUIC-TLS that we enforce
  632. */
  633. /* ALPN is a requirement for QUIC and must be set */
  634. if (qtls->args.is_server) {
  635. if (sctx->ext.alpn_select_cb == NULL)
  636. return RAISE_INTERNAL_ERROR(qtls);
  637. } else {
  638. if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
  639. return RAISE_ERROR(qtls, QUIC_ERR_CRYPTO_NO_APP_PROTO,
  640. "ALPN must be configured when using QUIC");
  641. }
  642. if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
  643. return RAISE_INTERNAL_ERROR(qtls);
  644. SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
  645. ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
  646. if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
  647. qtls->args.is_server ? ENDPOINT_SERVER
  648. : ENDPOINT_CLIENT,
  649. TLSEXT_TYPE_quic_transport_parameters,
  650. SSL_EXT_TLS1_3_ONLY
  651. | SSL_EXT_CLIENT_HELLO
  652. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  653. add_transport_params_cb,
  654. free_transport_params_cb, qtls,
  655. parse_transport_params_cb, qtls))
  656. return RAISE_INTERNAL_ERROR(qtls);
  657. nullbio = BIO_new(BIO_s_null());
  658. if (nullbio == NULL)
  659. return RAISE_INTERNAL_ERROR(qtls);
  660. /*
  661. * Our custom record layer doesn't use the BIO - but libssl generally
  662. * expects one to be present.
  663. */
  664. SSL_set_bio(qtls->args.s, nullbio, nullbio);
  665. if (qtls->args.is_server)
  666. SSL_set_accept_state(qtls->args.s);
  667. else
  668. SSL_set_connect_state(qtls->args.s);
  669. qtls->configured = 1;
  670. }
  671. if (qtls->complete)
  672. /*
  673. * There should never be app data to read, but calling SSL_read() will
  674. * ensure any post-handshake messages are processed.
  675. */
  676. ret = SSL_read(qtls->args.s, NULL, 0);
  677. else
  678. ret = SSL_do_handshake(qtls->args.s);
  679. if (ret <= 0) {
  680. err = ossl_ssl_get_error(qtls->args.s, ret,
  681. /*check_err=*/ERR_count_to_mark() > 0);
  682. switch (err) {
  683. case SSL_ERROR_WANT_READ:
  684. case SSL_ERROR_WANT_WRITE:
  685. case SSL_ERROR_WANT_CLIENT_HELLO_CB:
  686. case SSL_ERROR_WANT_X509_LOOKUP:
  687. case SSL_ERROR_WANT_RETRY_VERIFY:
  688. ERR_pop_to_mark();
  689. return 1;
  690. default:
  691. return RAISE_INTERNAL_ERROR(qtls);
  692. }
  693. }
  694. if (!qtls->complete) {
  695. /* Validate that we have ALPN */
  696. SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
  697. if (alpn == NULL || alpnlen == 0)
  698. return RAISE_ERROR(qtls, QUIC_ERR_CRYPTO_NO_APP_PROTO,
  699. "no application protocol negotiated");
  700. qtls->complete = 1;
  701. ERR_pop_to_mark();
  702. return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
  703. }
  704. ERR_pop_to_mark();
  705. return 1;
  706. }
  707. int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
  708. const unsigned char *transport_params,
  709. size_t transport_params_len)
  710. {
  711. qtls->local_transport_params = transport_params;
  712. qtls->local_transport_params_len = transport_params_len;
  713. return 1;
  714. }
  715. int ossl_quic_tls_get_error(QUIC_TLS *qtls,
  716. uint64_t *error_code,
  717. const char **error_msg,
  718. ERR_STATE **error_state)
  719. {
  720. if (qtls->inerror) {
  721. *error_code = qtls->error_code;
  722. *error_msg = qtls->error_msg;
  723. *error_state = qtls->error_state;
  724. }
  725. return qtls->inerror;
  726. }
  727. /*
  728. * Returns true if the last handshake record message we processed was a
  729. * CertificateRequest
  730. */
  731. int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
  732. {
  733. SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
  734. return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
  735. }
  736. /*
  737. * Returns true if the last session associated with the connection has an
  738. * invalid max_early_data value for QUIC.
  739. */
  740. int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
  741. {
  742. uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
  743. /*
  744. * If max_early_data was present we always ensure a non-zero value is
  745. * stored in the session for QUIC. Therefore if max_early_data == 0 here
  746. * we can be confident that it was not present in the NewSessionTicket
  747. */
  748. return max_early_data != 0xffffffff && max_early_data != 0;
  749. }