quic_tls.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887
  1. /*
  2. * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ssl.h>
  10. #include "internal/recordmethod.h"
  11. #include "internal/quic_tls.h"
  12. #include "../ssl_local.h"
  13. #include "internal/quic_error.h"
  14. #include "internal/ssl_unwrap.h"
  15. #define QUIC_TLS_FATAL(rl, ad, err) \
  16. do { \
  17. if ((rl) != NULL) (rl)->alert = (ad); \
  18. ERR_raise(ERR_LIB_SSL, (err)); \
  19. if ((rl) != NULL) (rl)->qtls->inerror = 1; \
  20. } while(0)
  21. struct quic_tls_st {
  22. QUIC_TLS_ARGS args;
  23. /*
  24. * Transport parameters which client should send. Buffer lifetime must
  25. * exceed the lifetime of the QUIC_TLS object.
  26. */
  27. const unsigned char *local_transport_params;
  28. size_t local_transport_params_len;
  29. ERR_STATE *error_state;
  30. /*
  31. * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
  32. * only if inerror is 1.
  33. */
  34. uint64_t error_code;
  35. /*
  36. * Error message with static storage duration. Valid only if inerror is 1.
  37. * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
  38. */
  39. const char *error_msg;
  40. /* Whether our SSL object for TLS has been configured for use in QUIC */
  41. unsigned int configured : 1;
  42. /* Set if we have hit any error state */
  43. unsigned int inerror : 1;
  44. /* Set if the handshake has completed */
  45. unsigned int complete : 1;
  46. /* Set if we have consumed the local transport parameters yet. */
  47. unsigned int local_transport_params_consumed : 1;
  48. };
  49. struct ossl_record_layer_st {
  50. QUIC_TLS *qtls;
  51. /* Protection level */
  52. int level;
  53. /* Only used for retry flags */
  54. BIO *dummybio;
  55. /* Number of bytes written so far if we are part way through a write */
  56. size_t written;
  57. /* If we are part way through a write, a copy of the template */
  58. OSSL_RECORD_TEMPLATE template;
  59. /*
  60. * If we hit an error, what alert code should be used
  61. */
  62. int alert;
  63. /* Amount of crypto stream data we read in the last call to quic_read_record */
  64. size_t recread;
  65. /* Amount of crypto stream data read but not yet released */
  66. size_t recunreleased;
  67. /* Callbacks */
  68. OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
  69. void *cbarg;
  70. };
  71. static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
  72. static int quic_free(OSSL_RECORD_LAYER *r);
  73. static int
  74. quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
  75. int role, int direction, int level, uint16_t epoch,
  76. unsigned char *secret, size_t secretlen,
  77. unsigned char *key, size_t keylen, unsigned char *iv,
  78. size_t ivlen, unsigned char *mackey, size_t mackeylen,
  79. const EVP_CIPHER *ciph, size_t taglen,
  80. int mactype,
  81. const EVP_MD *md, COMP_METHOD *comp,
  82. const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
  83. BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
  84. const OSSL_PARAM *settings, const OSSL_PARAM *options,
  85. const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
  86. OSSL_RECORD_LAYER **retrl)
  87. {
  88. OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
  89. uint32_t enc_level;
  90. int qdir;
  91. uint32_t suite_id = 0;
  92. if (rl == NULL) {
  93. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  94. return 0;
  95. }
  96. rl->qtls = (QUIC_TLS *)rlarg;
  97. rl->level = level;
  98. if (!quic_set1_bio(rl, transport)) {
  99. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  100. goto err;
  101. }
  102. rl->cbarg = cbarg;
  103. *retrl = rl;
  104. if (fns != NULL) {
  105. for (; fns->function_id != 0; fns++) {
  106. switch (fns->function_id) {
  107. break;
  108. case OSSL_FUNC_RLAYER_MSG_CALLBACK:
  109. rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
  110. break;
  111. default:
  112. /* Just ignore anything we don't understand */
  113. break;
  114. }
  115. }
  116. }
  117. switch (level) {
  118. case OSSL_RECORD_PROTECTION_LEVEL_NONE:
  119. return 1;
  120. case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
  121. enc_level = QUIC_ENC_LEVEL_0RTT;
  122. break;
  123. case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
  124. enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
  125. break;
  126. case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
  127. enc_level = QUIC_ENC_LEVEL_1RTT;
  128. break;
  129. default:
  130. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  131. goto err;
  132. }
  133. if (direction == OSSL_RECORD_DIRECTION_READ)
  134. qdir = 0;
  135. else
  136. qdir = 1;
  137. if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
  138. suite_id = QRL_SUITE_AES128GCM;
  139. } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
  140. suite_id = QRL_SUITE_AES256GCM;
  141. } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
  142. suite_id = QRL_SUITE_CHACHA20POLY1305;
  143. } else {
  144. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
  145. goto err;
  146. }
  147. /* We pass a ref to the md in a successful yield_secret_cb call */
  148. /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
  149. if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
  150. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  151. goto err;
  152. }
  153. if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
  154. (EVP_MD *)kdfdigest, secret, secretlen,
  155. rl->qtls->args.yield_secret_cb_arg)) {
  156. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  157. EVP_MD_free((EVP_MD *)kdfdigest);
  158. goto err;
  159. }
  160. return 1;
  161. err:
  162. *retrl = NULL;
  163. quic_free(rl);
  164. return 0;
  165. }
  166. static int quic_free(OSSL_RECORD_LAYER *rl)
  167. {
  168. if (rl == NULL)
  169. return 1;
  170. BIO_free(rl->dummybio);
  171. OPENSSL_free(rl);
  172. return 1;
  173. }
  174. static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
  175. {
  176. /*
  177. * Read ahead isn't really a thing for QUIC so we never have unprocessed
  178. * data pending
  179. */
  180. return 0;
  181. }
  182. static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
  183. {
  184. /*
  185. * This is currently only ever used by:
  186. * - SSL_has_pending()
  187. * - to check whether we have more records that we want to supply to the
  188. * upper layers
  189. *
  190. * We only ever supply 1 record at a time to the upper layers, and
  191. * SSL_has_pending() will go via the QUIC method not the TLS method so that
  192. * use case doesn't apply here.
  193. * Therefore we can ignore this for now and always return 0. We might
  194. * eventually want to change this to check in the receive buffers to see if
  195. * we have any more data pending.
  196. */
  197. return 0;
  198. }
  199. static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
  200. size_t len,
  201. size_t maxfrag, size_t *preffrag)
  202. {
  203. return 1;
  204. }
  205. static int quic_write_records(OSSL_RECORD_LAYER *rl,
  206. OSSL_RECORD_TEMPLATE *template,
  207. size_t numtempl)
  208. {
  209. size_t consumed;
  210. unsigned char alert;
  211. if (!ossl_assert(numtempl == 1)) {
  212. /* How could this be? quic_get_max_records() always returns 1 */
  213. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  214. return OSSL_RECORD_RETURN_FATAL;
  215. }
  216. BIO_clear_retry_flags(rl->dummybio);
  217. if (rl->msg_callback != NULL) {
  218. unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
  219. /*
  220. * For the purposes of the callback we "pretend" to be normal TLS,
  221. * and manufacture a dummy record header
  222. */
  223. dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
  224. ? template->type
  225. : SSL3_RT_APPLICATION_DATA;
  226. dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
  227. dummyrec[2] = (unsigned char)(template->version & 0xff);
  228. /*
  229. * We assume that buflen is always <= UINT16_MAX. Since this is
  230. * generated by libssl itself we actually expect it to never
  231. * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
  232. * assumption
  233. */
  234. dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
  235. dummyrec[4] = (unsigned char)(template->buflen & 0xff);
  236. rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
  237. SSL3_RT_HEADER_LENGTH, rl->cbarg);
  238. if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
  239. rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
  240. &template->type, 1, rl->cbarg);
  241. }
  242. }
  243. switch (template->type) {
  244. case SSL3_RT_ALERT:
  245. if (template->buflen != 2) {
  246. /*
  247. * We assume that libssl always sends both bytes of an alert to
  248. * us in one go, and never fragments it. If we ever get more
  249. * or less bytes than exactly 2 then this is very unexpected.
  250. */
  251. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
  252. return OSSL_RECORD_RETURN_FATAL;
  253. }
  254. /*
  255. * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
  256. * description that we are actually interested in.
  257. */
  258. alert = template->buf[1];
  259. if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
  260. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  261. return OSSL_RECORD_RETURN_FATAL;
  262. }
  263. break;
  264. case SSL3_RT_HANDSHAKE:
  265. /*
  266. * We expect this to only fail on some fatal error (e.g. malloc
  267. * failure)
  268. */
  269. if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
  270. template->buflen - rl->written,
  271. &consumed,
  272. rl->qtls->args.crypto_send_cb_arg)) {
  273. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  274. return OSSL_RECORD_RETURN_FATAL;
  275. }
  276. /*
  277. * We might have written less than we wanted to if we have filled the
  278. * send stream buffer.
  279. */
  280. if (consumed + rl->written != template->buflen) {
  281. if (!ossl_assert(consumed + rl->written < template->buflen)) {
  282. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  283. return OSSL_RECORD_RETURN_FATAL;
  284. }
  285. /*
  286. * We've not written everything we wanted to. Take a copy of the
  287. * template, remember how much we wrote so far and signal a retry.
  288. * The buffer supplied in the template is guaranteed to be the same
  289. * on a retry for handshake data
  290. */
  291. rl->written += consumed;
  292. rl->template = *template;
  293. BIO_set_retry_write(rl->dummybio);
  294. return OSSL_RECORD_RETURN_RETRY;
  295. }
  296. rl->written = 0;
  297. break;
  298. default:
  299. /* Anything else is unexpected and an error */
  300. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  301. return OSSL_RECORD_RETURN_FATAL;
  302. }
  303. return OSSL_RECORD_RETURN_SUCCESS;
  304. }
  305. static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
  306. {
  307. return quic_write_records(rl, &rl->template, 1);
  308. }
  309. static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
  310. int *rversion, uint8_t *type, const unsigned char **data,
  311. size_t *datalen, uint16_t *epoch,
  312. unsigned char *seq_num)
  313. {
  314. if (rl->recread != 0 || rl->recunreleased != 0)
  315. return OSSL_RECORD_RETURN_FATAL;
  316. BIO_clear_retry_flags(rl->dummybio);
  317. if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
  318. rl->qtls->args.crypto_recv_rcd_cb_arg)) {
  319. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  320. return OSSL_RECORD_RETURN_FATAL;
  321. }
  322. if (*datalen == 0) {
  323. BIO_set_retry_read(rl->dummybio);
  324. return OSSL_RECORD_RETURN_RETRY;
  325. }
  326. *rechandle = rl;
  327. *rversion = TLS1_3_VERSION;
  328. *type = SSL3_RT_HANDSHAKE;
  329. rl->recread = rl->recunreleased = *datalen;
  330. /* epoch/seq_num are not relevant for TLS */
  331. if (rl->msg_callback != NULL) {
  332. unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
  333. /*
  334. * For the purposes of the callback we "pretend" to be normal TLS,
  335. * and manufacture a dummy record header
  336. */
  337. dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
  338. ? SSL3_RT_HANDSHAKE
  339. : SSL3_RT_APPLICATION_DATA;
  340. dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
  341. dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
  342. /*
  343. * *datalen will always fit into 2 bytes because our original buffer
  344. * size is less than that.
  345. */
  346. dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
  347. dummyrec[4] = (unsigned char)(*datalen & 0xff);
  348. rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
  349. SSL3_RT_HEADER_LENGTH, rl->cbarg);
  350. rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
  351. rl->cbarg);
  352. }
  353. return OSSL_RECORD_RETURN_SUCCESS;
  354. }
  355. static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
  356. size_t length)
  357. {
  358. if (!ossl_assert(rl->recread > 0)
  359. || !ossl_assert(rl->recunreleased <= rl->recread)
  360. || !ossl_assert(rl == rechandle)
  361. || !ossl_assert(length <= rl->recunreleased)) {
  362. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  363. return OSSL_RECORD_RETURN_FATAL;
  364. }
  365. rl->recunreleased -= length;
  366. if (rl->recunreleased > 0)
  367. return OSSL_RECORD_RETURN_SUCCESS;
  368. if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
  369. rl->qtls->args.crypto_release_rcd_cb_arg)) {
  370. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  371. return OSSL_RECORD_RETURN_FATAL;
  372. }
  373. rl->recread = 0;
  374. return OSSL_RECORD_RETURN_SUCCESS;
  375. }
  376. static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
  377. {
  378. return rl->alert;
  379. }
  380. static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
  381. {
  382. /* We only support TLSv1.3, so its bad if we negotiate anything else */
  383. if (!ossl_assert(version == TLS1_3_VERSION)) {
  384. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  385. return 0;
  386. }
  387. return 1;
  388. }
  389. static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
  390. {
  391. /* We don't care */
  392. }
  393. static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
  394. {
  395. /* We don't care */
  396. }
  397. static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
  398. {
  399. /* We don't care */
  400. }
  401. static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
  402. const char **longstr)
  403. {
  404. /*
  405. * According to the docs, valid read state strings are: "RH"/"read header",
  406. * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
  407. * that way, so we report every "normal" state as "read header". In the
  408. * event of error then we report "unknown".
  409. */
  410. if (rl->qtls->inerror) {
  411. if (shortstr != NULL)
  412. *shortstr = "unknown";
  413. if (longstr != NULL)
  414. *longstr = "unknown";
  415. } else {
  416. if (shortstr != NULL)
  417. *shortstr = "RH";
  418. if (longstr != NULL)
  419. *longstr = "read header";
  420. }
  421. }
  422. static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
  423. {
  424. /*
  425. * We don't support any options yet - but we might do at some point so
  426. * this could be useful.
  427. */
  428. return 1;
  429. }
  430. static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
  431. {
  432. /* We only support TLSv1.3 which doesn't have compression */
  433. return NULL;
  434. }
  435. static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
  436. {
  437. /* This really doesn't make any sense for QUIC. Ignore it */
  438. }
  439. static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
  440. {
  441. /*
  442. * This is a hint only. We don't support it (yet), so just ignore the
  443. * request
  444. */
  445. return 1;
  446. }
  447. static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
  448. {
  449. /*
  450. * This is a hint only. We don't support it (yet), so just ignore the
  451. * request
  452. */
  453. return 1;
  454. }
  455. static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
  456. {
  457. if (bio != NULL && !BIO_up_ref(bio))
  458. return 0;
  459. BIO_free(rl->dummybio);
  460. rl->dummybio = bio;
  461. return 1;
  462. }
  463. /*
  464. * Never called functions
  465. *
  466. * Due to the way we are configured and used we never expect any of the next set
  467. * of functions to be called. Therefore we set them to always fail.
  468. */
  469. static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
  470. {
  471. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  472. return (size_t)ossl_assert(0);
  473. }
  474. static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
  475. {
  476. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  477. return (size_t)ossl_assert(0);
  478. }
  479. static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
  480. {
  481. QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  482. return ossl_assert(0);
  483. }
  484. /* End of never called functions */
  485. static const OSSL_RECORD_METHOD quic_tls_record_method = {
  486. quic_new_record_layer,
  487. quic_free,
  488. quic_unprocessed_read_pending,
  489. quic_processed_read_pending,
  490. quic_app_data_pending, /* Never called */
  491. quic_get_max_records,
  492. quic_write_records,
  493. quic_retry_write_records,
  494. quic_read_record,
  495. quic_release_record,
  496. quic_get_alert_code,
  497. quic_set1_bio,
  498. quic_set_protocol_version,
  499. quic_set_plain_alerts,
  500. quic_set_first_handshake,
  501. quic_set_max_pipelines,
  502. NULL, /* set_in_init: Optional - we don't need it */
  503. quic_get_state,
  504. quic_set_options,
  505. quic_get_compression,
  506. quic_set_max_frag_len,
  507. quic_get_max_record_overhead, /* Never called */
  508. quic_increment_sequence_ctr, /* Never called */
  509. quic_alloc_buffers,
  510. quic_free_buffers
  511. };
  512. static int add_transport_params_cb(SSL *s, unsigned int ext_type,
  513. unsigned int context,
  514. const unsigned char **out, size_t *outlen,
  515. X509 *x, size_t chainidx, int *al,
  516. void *add_arg)
  517. {
  518. QUIC_TLS *qtls = add_arg;
  519. *out = qtls->local_transport_params;
  520. *outlen = qtls->local_transport_params_len;
  521. qtls->local_transport_params_consumed = 1;
  522. return 1;
  523. }
  524. static void free_transport_params_cb(SSL *s, unsigned int ext_type,
  525. unsigned int context,
  526. const unsigned char *out,
  527. void *add_arg)
  528. {
  529. }
  530. static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
  531. unsigned int context,
  532. const unsigned char *in,
  533. size_t inlen, X509 *x,
  534. size_t chainidx,
  535. int *al, void *parse_arg)
  536. {
  537. QUIC_TLS *qtls = parse_arg;
  538. return qtls->args.got_transport_params_cb(in, inlen,
  539. qtls->args.got_transport_params_cb_arg);
  540. }
  541. QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
  542. {
  543. QUIC_TLS *qtls;
  544. if (args->crypto_send_cb == NULL
  545. || args->crypto_recv_rcd_cb == NULL
  546. || args->crypto_release_rcd_cb == NULL) {
  547. ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
  548. return NULL;
  549. }
  550. qtls = OPENSSL_zalloc(sizeof(*qtls));
  551. if (qtls == NULL)
  552. return NULL;
  553. if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
  554. OPENSSL_free(qtls);
  555. return NULL;
  556. }
  557. qtls->args = *args;
  558. return qtls;
  559. }
  560. void ossl_quic_tls_free(QUIC_TLS *qtls)
  561. {
  562. if (qtls == NULL)
  563. return;
  564. OSSL_ERR_STATE_free(qtls->error_state);
  565. OPENSSL_free(qtls);
  566. }
  567. static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
  568. const char *error_msg,
  569. const char *src_file,
  570. int src_line,
  571. const char *src_func)
  572. {
  573. /*
  574. * When QTLS fails, add a "cover letter" error with information, potentially
  575. * with any underlying libssl errors underneath it (but our cover error may
  576. * be the only error in some cases). Then capture this into an ERR_STATE so
  577. * we can report it later if need be when the QUIC_CHANNEL asks for it.
  578. */
  579. ERR_new();
  580. ERR_set_debug(src_file, src_line, src_func);
  581. ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
  582. "handshake layer error, error code %llu (0x%llx) (\"%s\")",
  583. error_code, error_code, error_msg);
  584. OSSL_ERR_STATE_save_to_mark(qtls->error_state);
  585. /*
  586. * We record the error information reported via the QUIC protocol
  587. * separately.
  588. */
  589. qtls->error_code = error_code;
  590. qtls->error_msg = error_msg;
  591. qtls->inerror = 1;
  592. ERR_pop_to_mark();
  593. return 0;
  594. }
  595. #define RAISE_ERROR(qtls, error_code, error_msg) \
  596. raise_error((qtls), (error_code), (error_msg), \
  597. OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
  598. #define RAISE_INTERNAL_ERROR(qtls) \
  599. RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
  600. int ossl_quic_tls_tick(QUIC_TLS *qtls)
  601. {
  602. int ret, err;
  603. const unsigned char *alpn;
  604. unsigned int alpnlen;
  605. if (qtls->inerror)
  606. return 0;
  607. /*
  608. * SSL_get_error does not truly know what the cause of an SSL_read failure
  609. * is and to some extent guesses based on contextual information. In
  610. * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
  611. * SSL_ERROR_SYSCALL will be returned no matter what and there is no
  612. * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
  613. * the actual cause of the SSL_read() failure.
  614. *
  615. * This means that ordinarily, the below code might not work right if the
  616. * application has any ERR on the error stack. In order to make this code
  617. * perform correctly regardless of prior ERR state, we use a variant of
  618. * SSL_get_error() which ignores the error stack. However, some ERRs are
  619. * raised by SSL_read() and actually indicate that something has gone wrong
  620. * during the call to SSL_read(). We therefore adopt a strategy of marking
  621. * the ERR stack and seeing if any errors get appended during the call to
  622. * SSL_read(). If they are, we assume SSL_read() has raised an error and
  623. * that we should use normal SSL_get_error() handling.
  624. *
  625. * NOTE: Ensure all escape paths from this function call
  626. * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
  627. */
  628. ERR_set_mark();
  629. if (!qtls->configured) {
  630. SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
  631. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
  632. BIO *nullbio;
  633. /*
  634. * No matter how the user has configured us, there are certain
  635. * requirements for QUIC-TLS that we enforce
  636. */
  637. /* ALPN is a requirement for QUIC and must be set */
  638. if (qtls->args.is_server) {
  639. if (sctx->ext.alpn_select_cb == NULL)
  640. return RAISE_INTERNAL_ERROR(qtls);
  641. } else {
  642. if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
  643. return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
  644. "ALPN must be configured when using QUIC");
  645. }
  646. if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
  647. return RAISE_INTERNAL_ERROR(qtls);
  648. SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
  649. ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
  650. if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
  651. qtls->args.is_server ? ENDPOINT_SERVER
  652. : ENDPOINT_CLIENT,
  653. TLSEXT_TYPE_quic_transport_parameters,
  654. SSL_EXT_TLS1_3_ONLY
  655. | SSL_EXT_CLIENT_HELLO
  656. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  657. add_transport_params_cb,
  658. free_transport_params_cb, qtls,
  659. parse_transport_params_cb, qtls))
  660. return RAISE_INTERNAL_ERROR(qtls);
  661. nullbio = BIO_new(BIO_s_null());
  662. if (nullbio == NULL)
  663. return RAISE_INTERNAL_ERROR(qtls);
  664. /*
  665. * Our custom record layer doesn't use the BIO - but libssl generally
  666. * expects one to be present.
  667. */
  668. SSL_set_bio(qtls->args.s, nullbio, nullbio);
  669. if (qtls->args.is_server)
  670. SSL_set_accept_state(qtls->args.s);
  671. else
  672. SSL_set_connect_state(qtls->args.s);
  673. qtls->configured = 1;
  674. }
  675. if (qtls->complete)
  676. /*
  677. * There should never be app data to read, but calling SSL_read() will
  678. * ensure any post-handshake messages are processed.
  679. */
  680. ret = SSL_read(qtls->args.s, NULL, 0);
  681. else
  682. ret = SSL_do_handshake(qtls->args.s);
  683. if (ret <= 0) {
  684. err = ossl_ssl_get_error(qtls->args.s, ret,
  685. /*check_err=*/ERR_count_to_mark() > 0);
  686. switch (err) {
  687. case SSL_ERROR_WANT_READ:
  688. case SSL_ERROR_WANT_WRITE:
  689. case SSL_ERROR_WANT_CLIENT_HELLO_CB:
  690. case SSL_ERROR_WANT_X509_LOOKUP:
  691. case SSL_ERROR_WANT_RETRY_VERIFY:
  692. ERR_pop_to_mark();
  693. return 1;
  694. default:
  695. return RAISE_INTERNAL_ERROR(qtls);
  696. }
  697. }
  698. if (!qtls->complete) {
  699. /* Validate that we have ALPN */
  700. SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
  701. if (alpn == NULL || alpnlen == 0)
  702. return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
  703. "no application protocol negotiated");
  704. qtls->complete = 1;
  705. ERR_pop_to_mark();
  706. return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
  707. }
  708. ERR_pop_to_mark();
  709. return 1;
  710. }
  711. int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
  712. const unsigned char *transport_params,
  713. size_t transport_params_len)
  714. {
  715. if (qtls->local_transport_params_consumed)
  716. return 0;
  717. qtls->local_transport_params = transport_params;
  718. qtls->local_transport_params_len = transport_params_len;
  719. return 1;
  720. }
  721. int ossl_quic_tls_get_error(QUIC_TLS *qtls,
  722. uint64_t *error_code,
  723. const char **error_msg,
  724. ERR_STATE **error_state)
  725. {
  726. if (qtls->inerror) {
  727. *error_code = qtls->error_code;
  728. *error_msg = qtls->error_msg;
  729. *error_state = qtls->error_state;
  730. }
  731. return qtls->inerror;
  732. }
  733. /*
  734. * Returns true if the last handshake record message we processed was a
  735. * CertificateRequest
  736. */
  737. int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
  738. {
  739. SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
  740. return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
  741. }
  742. /*
  743. * Returns true if the last session associated with the connection has an
  744. * invalid max_early_data value for QUIC.
  745. */
  746. int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
  747. {
  748. uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
  749. /*
  750. * If max_early_data was present we always ensure a non-zero value is
  751. * stored in the session for QUIC. Therefore if max_early_data == 0 here
  752. * we can be confident that it was not present in the NewSessionTicket
  753. */
  754. return max_early_data != 0xffffffff && max_early_data != 0;
  755. }