Home Explore Help
Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: 52030f182b
Branches Tags
wolfssl
/
src
/
quic.c

quic.c 42 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392 
  1. /* quic.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2024 wolfSSL Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of wolfSSL.
    6. 

  6.  *
    7. 

  7.  * wolfSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * wolfSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
    20. 

  20.  */
    21. 

  21. 

  22. 

  23.   /* Name change compatibility layer no longer needs to be included here */
    24. 

  24. 

  25. #ifdef HAVE_CONFIG_H
    26. 

  26.     #include <config.h>
    27. 

  27. #endif
    28. 

  28. 

  29. #include <wolfssl/wolfcrypt/settings.h>
    30. 

  30. #ifdef NO_INLINE
    31. 

  31.     #include <wolfssl/wolfcrypt/misc.h>
    32. 

  32. #else
    33. 

  33.     #define WOLFSSL_MISC_INCLUDED
    34. 

  34.     #include <wolfcrypt/src/misc.c>
    35. 

  35. #endif
    36. 

  36. 

  37. #ifndef WOLFCRYPT_ONLY
    38. 

  38. #ifdef WOLFSSL_QUIC
    39. 

  39. 

  40. #include <wolfssl/error-ssl.h>
    41. 

  41. #include <wolfssl/ssl.h>
    42. 

  42. #include <wolfssl/internal.h>
    43. 

  43. 

  44. #include <wolfssl/openssl/buffer.h>
    45. 

  45. #include <wolfssl/openssl/ecdsa.h>
    46. 

  46. #include <wolfssl/openssl/evp.h>
    47. 

  47. #include <wolfssl/openssl/kdf.h>
    48. 

  48. 

  49. 

  50. static int qr_length(const uint8_t *data, size_t len)
    51. 

  51. {
    52. 

  52.     word32 rlen;
    53. 

  53.     if (len < 4) {
    54. 

  54.         return 0;
    55. 

  55.     }
    56. 

  56.     c24to32(&data[1], &rlen);
    57. 

  57.     return (int)rlen + 4;
    58. 

  58. }
    59. 

  59. 

  60. static void quic_record_free(WOLFSSL *ssl, QuicRecord *r)
    61. 

  61. {
    62. 

  62.     (void)ssl;
    63. 

  63.     if (r->data) {
    64. 

  64.         ForceZero(r->data, r->capacity);
    65. 

  65.         XFREE(r->data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    66. 

  66.     }
    67. 

  67.     XFREE(r, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    68. 

  68. }
    69. 

  69. 

  70. 

  71. static QuicRecord *quic_record_make(WOLFSSL *ssl,
    72. 

  72.                                     WOLFSSL_ENCRYPTION_LEVEL level,
    73. 

  73.                                     const uint8_t *data, size_t len)
    74. 

  74. {
    75. 

  75.     QuicRecord *qr;
    76. 

  76. 

  77.     qr = (QuicRecord*)XMALLOC(sizeof(*qr), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    78. 

  78.     if (qr) {
    79. 

  79.         memset(qr, 0, sizeof(*qr));
    80. 

  80.         qr->level = level;
    81. 

  81.         if (level == wolfssl_encryption_early_data) {
    82. 

  82.             qr->capacity = qr->len = (word32)len;
    83. 

  83.         }
    84. 

  84.         else {
    85. 

  85.             qr->capacity = qr->len = (word32) qr_length(data, len);
    86. 

  86.             if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
    87. 

  87.                 WOLFSSL_MSG("QUIC length read larger than expected");
    88. 

  88.                 quic_record_free(ssl, qr);
    89. 

  89.                 return NULL;
    90. 

  90.             }
    91. 

  91.         }
    92. 

  92.         if (qr->capacity == 0) {
    93. 

  93.             qr->capacity = 2*1024;
    94. 

  94.         }
    95. 

  95.         qr->data = (uint8_t*)XMALLOC(qr->capacity, ssl->heap,
    96. 

  96.                                      DYNAMIC_TYPE_TMP_BUFFER);
    97. 

  97.         if (!qr->data) {
    98. 

  98.             quic_record_free(ssl, qr);
    99. 

  99.             return NULL;
    100. 

  100.         }
    101. 

  101.     }
    102. 

  102.     return qr;
    103. 

  103. }
    104. 

  104. 

  105. static int quic_record_complete(QuicRecord *r)
    106. 

  106. {
    107. 

  107.     return r->len && r->end >= r->len;
    108. 

  108. }
    109. 

  109. 

  110. static int quic_record_done(QuicRecord *r)
    111. 

  111. {
    112. 

  112.     return r->len && r->end >= r->len && r->start >= r->end;
    113. 

  113. }
    114. 

  114. 

  115. static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
    116. 

  116.                               size_t len, size_t *pconsumed)
    117. 

  117. {
    118. 

  118.     size_t missing, consumed = 0;
    119. 

  119.     int ret = WOLFSSL_SUCCESS;
    120. 

  120. 

  121.     (void)ssl;
    122. 

  122.     if (!qr->len && len) {
    123. 

  123.         missing = 4 - qr->end;
    124. 

  124.         if (len < missing) {
    125. 

  125.             XMEMCPY(qr->data + qr->end, data, len);
    126. 

  126.             qr->end += (word32)len;
    127. 

  127.             consumed = len;
    128. 

  128.             goto cleanup; /* len consumed, but qr->len still unknown */
    129. 

  129.         }
    130. 

  130.         XMEMCPY(qr->data + qr->end, data, missing);
    131. 

  131.         qr->end += (word32)missing;
    132. 

  132.         len -= missing;
    133. 

  133.         data += missing;
    134. 

  134.         consumed = missing;
    135. 

  135. 

  136.         qr->len = (word32)qr_length(qr->data, qr->end);
    137. 

  137. 

  138.         /* sanity check on length read from wire before use */
    139. 

  139.         if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
    140. 

  140.             WOLFSSL_MSG("Length read for quic is larger than expected");
    141. 

  141.             ret = BUFFER_E;
    142. 

  142.             goto cleanup;
    143. 

  143.         }
    144. 

  144. 

  145.         if (qr->len > qr->capacity) {
    146. 

  146.             uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
    147. 

  147.                                                 DYNAMIC_TYPE_TMP_BUFFER);
    148. 

  148.             if (!ndata) {
    149. 

  149.                 ret = WOLFSSL_FAILURE;
    150. 

  150.                 goto cleanup;
    151. 

  151.             }
    152. 

  152.             qr->data = ndata;
    153. 

  153.             qr->capacity = qr->len;
    154. 

  154.         }
    155. 

  155.     }
    156. 

  156. 

  157.     if (quic_record_complete(qr) || len == 0) {
    158. 

  158.         return 0;
    159. 

  159.     }
    160. 

  160. 

  161.     missing = qr->len - qr->end;
    162. 

  162.     if (len > missing) {
    163. 

  163.         len = missing;
    164. 

  164.     }
    165. 

  165.     XMEMCPY(qr->data + qr->end, data, len);
    166. 

  166.     qr->end += (word32)len;
    167. 

  167.     consumed += len;
    168. 

  168. 

  169. cleanup:
    170. 

  170.     *pconsumed = (ret == WOLFSSL_SUCCESS) ? consumed : 0;
    171. 

  171.     return ret;
    172. 

  172. }
    173. 

  173. 

  174. 

  175. static word32 add_rec_header(byte* output, word32 length, byte type)
    176. 

  176. {
    177. 

  177.     RecordLayerHeader* rl;
    178. 

  178. 

  179.     /* record layer header */
    180. 

  180.     rl = (RecordLayerHeader*)output;
    181. 

  181.     if (rl == NULL) {
    182. 

  182.         return 0;
    183. 

  183.     }
    184. 

  184.     rl->type    = type;
    185. 

  185.     rl->pvMajor = SSLv3_MAJOR;
    186. 

  186.     rl->pvMinor = TLSv1_2_MINOR;
    187. 

  187.     c16toa((word16)length, rl->length);
    188. 

  188.     return RECORD_HEADER_SZ;
    189. 

  189. }
    190. 

  190. 

  191. static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
    192. 

  192. {
    193. 

  193.     word32 len = qr->end - qr->start;
    194. 

  194.     word32 offset = 0;
    195. 

  195.     word32 rlen;
    196. 

  196. 

  197.     if (len <= 0) {
    198. 

  198.         return 0;
    199. 

  199.     }
    200. 

  200. 

  201.     /* We check if the buf is at least RECORD_HEADER_SZ */
    202. 

  202.     if (sz < RECORD_HEADER_SZ) {
    203. 

  203.         return WOLFSSL_FATAL_ERROR;
    204. 

  204.     }
    205. 

  205. 

  206.     if (qr->rec_hdr_remain == 0) {
    207. 

  207.         /* start a new TLS record */
    208. 

  208.         rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
    209. 

  209.                 qr->len : (word32)MAX_RECORD_SIZE;
    210. 

  210.         offset += add_rec_header(buf, rlen,
    211. 

  211.                                  (qr->level == wolfssl_encryption_early_data) ?
    212. 

  212.                                   application_data : handshake);
    213. 

  213.         qr->rec_hdr_remain = rlen;
    214. 

  214.         sz -= offset;
    215. 

  215.     }
    216. 

  216.     if (len > qr->rec_hdr_remain) {
    217. 

  217.         len = qr->rec_hdr_remain;
    218. 

  218.     }
    219. 

  219.     if (len > sz) {
    220. 

  220.         len = sz;
    221. 

  221.     }
    222. 

  222.     if (len > 0) {
    223. 

  223.         XMEMCPY(buf + offset, qr->data + qr->start, len);
    224. 

  224.         qr->start += len;
    225. 

  225.         qr->rec_hdr_remain -= len;
    226. 

  226.     }
    227. 

  227.     return (sword32)(len + offset);
    228. 

  228. }
    229. 

  229. 

  230. 

  231. const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
    232. 

  232.                                                  size_t len, void* heap)
    233. 

  233. {
    234. 

  234.     QuicTransportParam* tp;
    235. 

  235. 

  236.     if (len > 65353) return NULL;
    237. 

  237.     tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
    238. 

  238.     if (!tp) return NULL;
    239. 

  239.     tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
    240. 

  240.     if (!tp->data) {
    241. 

  241.         XFREE(tp, heap, DYNAMIC_TYPE_TLSX);
    242. 

  242.         return NULL;
    243. 

  243.     }
    244. 

  244.     XMEMCPY((uint8_t*)tp->data, data, len);
    245. 

  245.     tp->len = (word16)len;
    246. 

  246.     return tp;
    247. 

  247. }
    248. 

  248. 

  249. const QuicTransportParam* QuicTransportParam_dup(const QuicTransportParam* tp,
    250. 

  250.                                                  void* heap)
    251. 

  251. {
    252. 

  252.     QuicTransportParam* tp2;
    253. 

  253.     tp2 = (QuicTransportParam*)XMALLOC(sizeof(*tp2), heap, DYNAMIC_TYPE_TLSX);
    254. 

  254.     if (!tp2) return NULL;
    255. 

  255.     tp2->data = (uint8_t*)XMALLOC(tp->len, heap, DYNAMIC_TYPE_TLSX);
    256. 

  256.     if (!tp2->data) {
    257. 

  257.         XFREE(tp2, heap, DYNAMIC_TYPE_TLSX);
    258. 

  258.         return NULL;
    259. 

  259.     }
    260. 

  260.     XMEMCPY((uint8_t*)tp2->data, tp->data, tp->len);
    261. 

  261.     tp2->len = tp->len;
    262. 

  262.     return tp2;
    263. 

  263. }
    264. 

  264. 

  265. void QuicTransportParam_free(const QuicTransportParam* tp, void* heap)
    266. 

  266. {
    267. 

  267.     (void)heap;
    268. 

  268.     if (tp) {
    269. 

  269.         if (tp->data) XFREE((uint8_t*)tp->data, heap, DYNAMIC_TYPE_TLSX);
    270. 

  270.         XFREE((void*)tp, heap, DYNAMIC_TYPE_TLSX);
    271. 

  271.     }
    272. 

  272. }
    273. 

  273. 

  274. 

  275. void wolfSSL_quic_clear(WOLFSSL* ssl)
    276. 

  276. {
    277. 

  277.     QuicEncData* qd;
    278. 

  278. 

  279.     /* keep
    280. 

  280.      * - ssl->quic.transport_local
    281. 

  281.      * - ssl->quic.method
    282. 

  282.      * - ssl->quic.transport_version
    283. 

  283.      * reset/free everything else
    284. 

  284.      */
    285. 

  285.     if (ssl->quic.transport_peer) {
    286. 

  286.         QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    287. 

  287.         ssl->quic.transport_peer = NULL;
    288. 

  288.     }
    289. 

  289.     if (ssl->quic.transport_peer_draft) {
    290. 

  290.         QTP_FREE(ssl->quic.transport_peer_draft, ssl->heap);
    291. 

  291.         ssl->quic.transport_peer_draft = NULL;
    292. 

  292.     }
    293. 

  293.     ssl->quic.enc_level_write = wolfssl_encryption_initial;
    294. 

  294.     ssl->quic.enc_level_latest_recvd = wolfssl_encryption_initial;
    295. 

  295. 

  296.     while ((qd = ssl->quic.input_head)) {
    297. 

  297.         ssl->quic.input_head = qd->next;
    298. 

  298.         quic_record_free(ssl, qd);
    299. 

  299.     }
    300. 

  300.     ssl->quic.input_tail = NULL;
    301. 

  301.     ssl->quic.output_rec_remain = 0;
    302. 

  302. 

  303.     if (ssl->quic.scratch) {
    304. 

  304.         quic_record_free(ssl, ssl->quic.scratch);
    305. 

  305.         ssl->quic.scratch = NULL;
    306. 

  306.     }
    307. 

  307. }
    308. 

  308. 

  309. 

  310. void wolfSSL_quic_free(WOLFSSL* ssl)
    311. 

  311. {
    312. 

  312.     wolfSSL_quic_clear(ssl);
    313. 

  313.     if (ssl->quic.transport_local) {
    314. 

  314.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    315. 

  315.         ssl->quic.transport_local = NULL;
    316. 

  316.     }
    317. 

  317. 

  318.     ssl->quic.method = NULL;
    319. 

  319. }
    320. 

  320. 

  321. 

  322. static int ctx_check_quic_compat(const WOLFSSL_CTX* ctx)
    323. 

  323. {
    324. 

  324.     WOLFSSL_ENTER("ctx_check_quic_compat");
    325. 

  325.     if (ctx->method->version.major != SSLv3_MAJOR
    326. 

  326.         || ctx->method->version.minor != TLSv1_3_MINOR
    327. 

  327.         || (ctx->method->downgrade && ctx->minDowngrade < TLSv1_3_MINOR)) {
    328. 

  328.         WOLFSSL_MSG_EX("ctx not quic compatible: vmajor=%d, vminor=%d, downgrade=%d",
    329. 

  329.                        ctx->method->version.major,
    330. 

  330.                        ctx->method->version.minor,
    331. 

  331.                        ctx->method->downgrade
    332. 

  332.                       );
    333. 

  333.         return WOLFSSL_FAILURE;
    334. 

  334.     }
    335. 

  335.     return WOLFSSL_SUCCESS;
    336. 

  336. }
    337. 

  337. 

  338. static int check_method_sanity(const WOLFSSL_QUIC_METHOD* m)
    339. 

  339. {
    340. 

  340.     WOLFSSL_ENTER("check_method_sanity");
    341. 

  341.     if (m && m->set_encryption_secrets
    342. 

  342.         && m->add_handshake_data
    343. 

  343.         && m->flush_flight
    344. 

  344.         && m->send_alert) {
    345. 

  345.         return WOLFSSL_SUCCESS;
    346. 

  346.     }
    347. 

  347.     return WOLFSSL_FAILURE;
    348. 

  348. }
    349. 

  349. 

  350. int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX* ctx,
    351. 

  351.                                 const WOLFSSL_QUIC_METHOD* quic_method)
    352. 

  352. {
    353. 

  353.     WOLFSSL_ENTER("wolfSSL_CTX_set_quic_method");
    354. 

  354.     if (ctx_check_quic_compat(ctx) != WOLFSSL_SUCCESS
    355. 

  355.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    356. 

  356.         return WOLFSSL_FAILURE;
    357. 

  357.     }
    358. 

  358.     ctx->quic.method = quic_method;
    359. 

  359.     return WOLFSSL_SUCCESS;
    360. 

  360. }
    361. 

  361. 

  362. 

  363. int wolfSSL_set_quic_method(WOLFSSL* ssl,
    364. 

  364.                             const WOLFSSL_QUIC_METHOD* quic_method)
    365. 

  365. {
    366. 

  366.     WOLFSSL_ENTER("wolfSSL_set_quic_method");
    367. 

  367.     if (ctx_check_quic_compat(ssl->ctx) != WOLFSSL_SUCCESS
    368. 

  368.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    369. 

  369.         return WOLFSSL_FAILURE;
    370. 

  370.     }
    371. 

  371.     ssl->quic.method = quic_method;
    372. 

  372.     return WOLFSSL_SUCCESS;
    373. 

  373. }
    374. 

  374. 

  375. 

  376. int wolfSSL_is_quic(WOLFSSL* ssl)
    377. 

  377. {
    378. 

  378.     return WOLFSSL_IS_QUIC(ssl);
    379. 

  379. }
    380. 

  380. 

  381. 

  382. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL* ssl)
    383. 

  383. {
    384. 

  384.     return ssl->quic.enc_level_read;
    385. 

  385. }
    386. 

  386. 

  387. 

  388. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL* ssl)
    389. 

  389. {
    390. 

  390.     return ssl->quic.enc_level_write;
    391. 

  391. }
    392. 

  392. 

  393. 

  394. int wolfSSL_set_quic_transport_params(WOLFSSL* ssl,
    395. 

  395.                                       const uint8_t* params,
    396. 

  396.                                       size_t params_len)
    397. 

  397. {
    398. 

  398.     const QuicTransportParam* tp;
    399. 

  399.     int ret = WOLFSSL_SUCCESS;
    400. 

  400. 

  401.     WOLFSSL_ENTER("wolfSSL_set_quic_transport_params");
    402. 

  402. 

  403.     if (!params || params_len == 0) {
    404. 

  404.         tp = NULL;
    405. 

  405.     }
    406. 

  406.     else {
    407. 

  407.         tp = QuicTransportParam_new(params, params_len, ssl->heap);
    408. 

  408.         if (!tp) {
    409. 

  409.             ret = WOLFSSL_FAILURE;
    410. 

  410.             goto cleanup;
    411. 

  411.         }
    412. 

  412.     }
    413. 

  413.     if (ssl->quic.transport_local)
    414. 

  414.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    415. 

  415.     ssl->quic.transport_local = tp;
    416. 

  416. 

  417. cleanup:
    418. 

  418.     WOLFSSL_LEAVE("wolfSSL_set_quic_transport_params", ret);
    419. 

  419.     return ret;
    420. 

  420. }
    421. 

  421. 

  422. 

  423. void wolfSSL_get_peer_quic_transport_params(const WOLFSSL* ssl,
    424. 

  424.                                             const uint8_t** out_params,
    425. 

  425.                                             size_t* out_params_len)
    426. 

  426. {
    427. 

  427.     const QuicTransportParam* tp = ssl->quic.transport_peer ?
    428. 

  428.         ssl->quic.transport_peer : ssl->quic.transport_peer_draft;
    429. 

  429. 

  430.     *out_params = tp ? tp->data : NULL;
    431. 

  431.     *out_params_len = tp ? tp->len : 0;
    432. 

  432. }
    433. 

  433. 

  434. 

  435. int wolfSSL_get_peer_quic_transport_version(const WOLFSSL* ssl)
    436. 

  436. {
    437. 

  437.     return ssl->quic.transport_peer ?
    438. 

  438.         TLSX_KEY_QUIC_TP_PARAMS : (ssl->quic.transport_peer_draft ?
    439. 

  439.         TLSX_KEY_QUIC_TP_PARAMS : -1);
    440. 

  440. }
    441. 

  441. 

  442. 

  443. void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL* ssl, int use_legacy)
    444. 

  444. {
    445. 

  445.     ssl->quic.transport_version = use_legacy ? TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    446. 

  446.         : TLSX_KEY_QUIC_TP_PARAMS;
    447. 

  447. }
    448. 

  448. 

  449. void wolfSSL_set_quic_transport_version(WOLFSSL* ssl, int version)
    450. 

  450. {
    451. 

  451.     if (version == TLSX_KEY_QUIC_TP_PARAMS
    452. 

  452.         || version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    453. 

  453.         || !version) {
    454. 

  454.         ssl->quic.transport_version = version;
    455. 

  455.     }
    456. 

  456.     else {
    457. 

  457.         WOLFSSL_MSG("wolfSSL_set_quic_transport_version: invalid version");
    458. 

  458.     }
    459. 

  459. }
    460. 

  460. 

  461. 

  462. int wolfSSL_get_quic_transport_version(const WOLFSSL* ssl)
    463. 

  463. {
    464. 

  464.     return ssl->quic.transport_version;
    465. 

  465. }
    466. 

  466. 

  467. 

  468. int wolfSSL_quic_add_transport_extensions(WOLFSSL* ssl, int msg_type)
    469. 

  469. {
    470. 

  470.     /* RFC 9001, ch. 8.2: "The quic_transport_parameters extension is carried
    471. 

  471.      * in the ClientHello and the EncryptedExtensions messages during the
    472. 

  472.      * handshake. Endpoints MUST send the quic_transport_parameters extension;"
    473. 

  473.      * Which means, at least one. There can be more to signal compatibility to
    474. 

  474.      * older/newer versions.
    475. 

  475.      */
    476. 

  476.     int ret = 0, is_resp = (msg_type == encrypted_extensions);
    477. 

  477. 

  478.     if (ssl->quic.transport_local == NULL) {
    479. 

  479.         return QUIC_TP_MISSING_E;
    480. 

  480.     }
    481. 

  481. 

  482.     if (is_resp) {
    483. 

  483.         /* server response: time to decide which version to use */
    484. 

  484.         if (ssl->quic.transport_peer && ssl->quic.transport_peer_draft) {
    485. 

  485.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) {
    486. 

  486.                 ret = TLSX_QuicTP_Use(ssl,
    487. 

  487.                                       TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    488. 

  488.                 QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    489. 

  489.                 ssl->quic.transport_peer = NULL;
    490. 

  490.             }
    491. 

  491.             else {
    492. 

  492.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    493. 

  493.                 QTP_FREE(ssl->quic.transport_peer_draft,
    494. 

  494.                                         ssl->heap);
    495. 

  495.                 ssl->quic.transport_peer_draft = NULL;
    496. 

  496.             }
    497. 

  497.         }
    498. 

  498.         else {
    499. 

  499.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    500. 

  500.                 && ssl->quic.transport_peer_draft) {
    501. 

  501.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT,
    502. 

  502.                                       is_resp);
    503. 

  503.             }
    504. 

  504.             else if (ssl->quic.transport_peer) {
    505. 

  505.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    506. 

  506.             }
    507. 

  507.             else {
    508. 

  508.                 /* no match, send none, will let the client fail */
    509. 

  509.             }
    510. 

  510.         }
    511. 

  511.     }
    512. 

  512.     else {
    513. 

  513.         /* client hello */
    514. 

  514.         if (ssl->quic.transport_version == 0) {
    515. 

  515.             /* not being set to a particular id, we send both draft+v1 */
    516. 

  516.             ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp)
    517. 

  517.                 || TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    518. 

  518.         }
    519. 

  519.         else {
    520. 

  520.             /* otherwise, send the version configured */
    521. 

  521.             ret = TLSX_QuicTP_Use(ssl, (TLSX_Type)ssl->quic.transport_version,
    522. 

  522.                                   is_resp);
    523. 

  523.         }
    524. 

  524.     }
    525. 

  525.     return ret;
    526. 

  526. }
    527. 

  527. 

  528. 

  529. #define QUIC_HS_FLIGHT_LIMIT_DEFAULT      (16*  1024)
    530. 

  530. 

  531. size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL* ssl,
    532. 

  532.                                              WOLFSSL_ENCRYPTION_LEVEL level)
    533. 

  533. {
    534. 

  534.     switch (level) {
    535. 

  535.         case wolfssl_encryption_initial:
    536. 

  536.         case wolfssl_encryption_application:
    537. 

  537.                 return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    538. 

  538.         case wolfssl_encryption_early_data:
    539. 

  539.             return 0; /* QUIC does not send at this level */
    540. 

  540.         case wolfssl_encryption_handshake:
    541. 

  541.             /* during handshake itself, certificates may be exchanged which
    542. 

  542.              * exceed our default limit, advise a higher limit one.
    543. 

  543.              */
    544. 

  544.             if (ssl->options.side == WOLFSSL_SERVER_END) {
    545. 

  545.                 if (ssl->options.verifyPeer
    546. 

  546.                     && MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    547. 

  547.                     return MAX_CERTIFICATE_SZ;
    548. 

  548.             }
    549. 

  549.             else {
    550. 

  550.                 /* clients may receive the server cert chain
    551. 

  551.                  */
    552. 

  552.                 if (2*MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    553. 

  553.                     return 2*MAX_CERTIFICATE_SZ;
    554. 

  554.             }
    555. 

  555.             return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    556. 

  556.     }
    557. 

  557.     return 0;
    558. 

  558. }
    559. 

  559. 

  560. 

  561. #ifdef WOLFSSL_EARLY_DATA
    562. 

  562. void wolfSSL_set_quic_early_data_enabled(WOLFSSL* ssl, int enabled)
    563. 

  563. {
    564. 

  564.     /* This only has effect on server and when the handshake has
    565. 

  565.      * not started yet.
    566. 

  566.      * This function is part of the quictls/openssl API and does
    567. 

  567.      * not return any error, sadly. So we just ignore any
    568. 

  568.      * unsuccessful use. But we can produce some warnings.
    569. 

  569.      */
    570. 

  570.     if (!WOLFSSL_IS_QUIC(ssl)) {
    571. 

  571.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: not a QUIC SSL");
    572. 

  572.     }
    573. 

  573.     else if (ssl->options.handShakeState != NULL_STATE) {
    574. 

  574.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: handshake started");
    575. 

  575.     }
    576. 

  576.     else {
    577. 

  577.         wolfSSL_set_max_early_data(ssl, enabled ? UINT32_MAX : 0);
    578. 

  578.     }
    579. 

  579. }
    580. 

  580. #endif /* WOLFSSL_EARLY_DATA */
    581. 

  581. 

  582. int wolfSSL_quic_do_handshake(WOLFSSL* ssl)
    583. 

  583. {
    584. 

  584.     int ret = WOLFSSL_SUCCESS;
    585. 

  585. 

  586.     WOLFSSL_ENTER("wolfSSL_quic_do_handshake");
    587. 

  587. 

  588.     if (!wolfSSL_is_quic(ssl)) {
    589. 

  589.         WOLFSSL_MSG("WOLFSSL_QUIC_DO_HANDSHAKE not a QUIC SSL");
    590. 

  590.         ret = WOLFSSL_FAILURE;
    591. 

  591.         goto cleanup;
    592. 

  592.     }
    593. 

  593. 

  594.     while (ssl->options.handShakeState != HANDSHAKE_DONE) {
    595. 

  595.         /* Peculiar: do_handshake() is successful, but the state
    596. 

  596.          * indicates that we are not DONE. This seems to happen
    597. 

  597.          * when resuming sessions and an EARLY_DATA indicator
    598. 

  598.          * is presented by the client.
    599. 

  599.          * Theory: wolfSSL expects the APP to read the early data
    600. 

  600.          * and silently continues the handshake when the EndOfEarlyData
    601. 

  601.          * and the client Finished arrives.
    602. 

  602.          * This confuses the QUIC state handling.
    603. 

  603.          */
    604. 

  604. #ifdef WOLFSSL_EARLY_DATA
    605. 

  605.         if (ssl->options.maxEarlyDataSz) {
    606. 

  606.             byte tmpbuffer[256];
    607. 

  607.             int len;
    608. 

  608. 

  609.             if (ssl->options.side == WOLFSSL_CLIENT_END) {
    610. 

  610.                 if (ssl->options.resuming) {
    611. 

  611.                     ret = wolfSSL_write_early_data(ssl, tmpbuffer, 0, &len);
    612. 

  612.                 }
    613. 

  613.             }
    614. 

  614.             else {
    615. 

  615.                 ret = wolfSSL_read_early_data(ssl, tmpbuffer,
    616. 

  616.                                               sizeof(tmpbuffer), &len);
    617. 

  617.                 if (ret < 0 && ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN)) {
    618. 

  618.                     /* this is expected, since QUIC handles the actual early
    619. 

  619.                      * data separately. */
    620. 

  620.                     ret = WOLFSSL_SUCCESS;
    621. 

  621.                 }
    622. 

  622.             }
    623. 

  623.             if (ret < 0) {
    624. 

  624.                 goto cleanup;
    625. 

  625.             }
    626. 

  626.         }
    627. 

  627. #endif /* WOLFSSL_EARLY_DATA */
    628. 

  628. 

  629.         ret = wolfSSL_SSL_do_handshake_internal(ssl);
    630. 

  630.         if (ret <= 0)
    631. 

  631.             goto cleanup;
    632. 

  632.     }
    633. 

  633. 

  634. cleanup:
    635. 

  635.     if (ret <= 0
    636. 

  636.         && ssl->options.handShakeState == HANDSHAKE_DONE
    637. 

  637.         && (ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN) ||
    638. 

  638.             ssl->error == WC_NO_ERR_TRACE(WANT_READ)))
    639. 

  639.     {
    640. 

  640.         ret = WOLFSSL_SUCCESS;
    641. 

  641.     }
    642. 

  642.     if (ret == WOLFSSL_SUCCESS) {
    643. 

  643.         ssl->error = WOLFSSL_ERROR_NONE;
    644. 

  644.     }
    645. 

  645.     WOLFSSL_LEAVE("wolfSSL_quic_do_handshake", ret);
    646. 

  646.     return ret;
    647. 

  647. }
    648. 

  648. 

  649. int wolfSSL_quic_read_write(WOLFSSL* ssl)
    650. 

  650. {
    651. 

  651.     int ret = WOLFSSL_SUCCESS;
    652. 

  652. 

  653.     WOLFSSL_ENTER("wolfSSL_quic_read_write");
    654. 

  654. 

  655.     if (!wolfSSL_is_quic(ssl)) {
    656. 

  656.         WOLFSSL_MSG("WOLFSSL_QUIC_READ_WRITE not a QUIC SSL");
    657. 

  657.         ret = WOLFSSL_FAILURE;
    658. 

  658.         goto cleanup;
    659. 

  659.     }
    660. 

  660. 

  661.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    662. 

  662.         ret = wolfSSL_quic_do_handshake(ssl);
    663. 

  663.         if (ret != WOLFSSL_SUCCESS)
    664. 

  664.             goto cleanup;
    665. 

  665.     }
    666. 

  666. 

  667.     ret = wolfSSL_process_quic_post_handshake(ssl);
    668. 

  668. 

  669. cleanup:
    670. 

  670.     WOLFSSL_LEAVE("wolfSSL_quic_read_write", ret);
    671. 

  671.     return ret;
    672. 

  672. }
    673. 

  673. 

  674. int wolfSSL_process_quic_post_handshake(WOLFSSL* ssl)
    675. 

  675. {
    676. 

  676.     int ret = WOLFSSL_SUCCESS, nret;
    677. 

  677. 

  678.     WOLFSSL_ENTER("wolfSSL_process_quic_post_handshake");
    679. 

  679. 

  680.     if (!wolfSSL_is_quic(ssl)) {
    681. 

  681.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS not a QUIC SSL");
    682. 

  682.         ret = WOLFSSL_FAILURE;
    683. 

  683.         goto cleanup;
    684. 

  684.     }
    685. 

  685. 

  686.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    687. 

  687.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS handshake is not done yet");
    688. 

  688.         ret = WOLFSSL_FAILURE;
    689. 

  689.         goto cleanup;
    690. 

  690.     }
    691. 

  691. 

  692.     while (ssl->quic.input_head != NULL
    693. 

  693.            || ssl->buffers.inputBuffer.length > 0) {
    694. 

  694.         if ((nret = ProcessReply(ssl)) < 0) {
    695. 

  695.             ret = nret;
    696. 

  696.             break;
    697. 

  697.         }
    698. 

  698.     }
    699. 

  699.     while (ssl->buffers.outputBuffer.length > 0) {
    700. 

  700.         SendBuffered(ssl);
    701. 

  701.     }
    702. 

  702. 

  703. cleanup:
    704. 

  704.     WOLFSSL_LEAVE("wolfSSL_process_quic_post_handshake", ret);
    705. 

  705.     return ret;
    706. 

  706. }
    707. 

  707. 

  708. 

  709. int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
    710. 

  710.                               const uint8_t* data, size_t len)
    711. 

  711. {
    712. 

  712.     int ret = WOLFSSL_SUCCESS;
    713. 

  713.     size_t l;
    714. 

  714. 

  715.     WOLFSSL_ENTER("wolfSSL_provide_quic_data");
    716. 

  716.     if (!wolfSSL_is_quic(ssl)) {
    717. 

  717.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA not a QUIC SSL");
    718. 

  718.         ret = WOLFSSL_FAILURE;
    719. 

  719.         goto cleanup;
    720. 

  720.     }
    721. 

  721. 

  722.     if (level < wolfSSL_quic_read_level(ssl)
    723. 

  723.         || (ssl->quic.input_tail && level < ssl->quic.input_tail->level)
    724. 

  724.         || level < ssl->quic.enc_level_latest_recvd) {
    725. 

  725.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    726. 

  726.         ret = WOLFSSL_FAILURE;
    727. 

  727.         goto cleanup;
    728. 

  728.     }
    729. 

  729. 

  730.     while (len > 0) {
    731. 

  731.         if (ssl->quic.scratch) {
    732. 

  732.             if (ssl->quic.scratch->level != level) {
    733. 

  733.                 WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    734. 

  734.                 ret = WOLFSSL_FAILURE;
    735. 

  735.                 goto cleanup;
    736. 

  736.             }
    737. 

  737. 

  738.             ret = quic_record_append(ssl, ssl->quic.scratch, data, len, &l);
    739. 

  739.             if (ret != WOLFSSL_SUCCESS) {
    740. 

  740.                 goto cleanup;
    741. 

  741.             }
    742. 

  742.             data += l;
    743. 

  743.             len -= l;
    744. 

  744.             if (quic_record_complete(ssl->quic.scratch)) {
    745. 

  745.                 if (ssl->quic.input_tail) {
    746. 

  746.                     ssl->quic.input_tail->next = ssl->quic.scratch;
    747. 

  747.                     ssl->quic.input_tail = ssl->quic.scratch;
    748. 

  748.                 }
    749. 

  749.                 else {
    750. 

  750.                     ssl->quic.input_head = ssl->quic.input_tail =
    751. 

  751.                         ssl->quic.scratch;
    752. 

  752.                 }
    753. 

  753.                 ssl->quic.scratch = NULL;
    754. 

  754.             }
    755. 

  755.         }
    756. 

  756.         else {
    757. 

  757.             /* start of next record with all bytes for the header */
    758. 

  758.             ssl->quic.scratch = quic_record_make(ssl, level, data, len);
    759. 

  759.             if (!ssl->quic.scratch) {
    760. 

  760.                 ret = WOLFSSL_FAILURE;
    761. 

  761.                 goto cleanup;
    762. 

  762.             }
    763. 

  763.         }
    764. 

  764.     }
    765. 

  765. 

  766.     ssl->quic.enc_level_latest_recvd = level;
    767. 

  767. 

  768. cleanup:
    769. 

  769.     WOLFSSL_LEAVE("wolfSSL_provide_quic_data", ret);
    770. 

  770.     return ret;
    771. 

  771. }
    772. 

  772. 

  773. 

  774. /* Called internally when SSL wants a certain amount of input. */
    775. 

  775. int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
    776. 

  776. {
    777. 

  777.     sword32 n = 0;
    778. 

  778.     int transferred = 0;
    779. 

  779. 

  780.     WOLFSSL_ENTER("wolfSSL_quic_receive");
    781. 

  781.     while (sz > 0) {
    782. 

  782.         n = 0;
    783. 

  783.         if (ssl->quic.input_head) {
    784. 

  784.             n = quic_record_transfer(ssl->quic.input_head, buf, sz);
    785. 

  785. 

  786.             /* record too small to be fit into a RecordLayerHeader struct. */
    787. 

  787.             if (n == -1) {
    788. 

  788.                 return WOLFSSL_FATAL_ERROR;
    789. 

  789.             }
    790. 

  790.             if (quic_record_done(ssl->quic.input_head)) {
    791. 

  791.                 QuicRecord* qr = ssl->quic.input_head;
    792. 

  792.                 ssl->quic.input_head = qr->next;
    793. 

  793.                 if (!qr->next) {
    794. 

  794.                     ssl->quic.input_tail = NULL;
    795. 

  795.                 }
    796. 

  796.                 quic_record_free(ssl, qr);
    797. 

  797.             }
    798. 

  798.         }
    799. 

  799. 

  800.         if (n == 0) {
    801. 

  801.             if (transferred > 0) {
    802. 

  802.                 goto cleanup;
    803. 

  803.             }
    804. 

  804.             ssl->error = transferred = WANT_READ;
    805. 

  805.             goto cleanup;
    806. 

  806.         }
    807. 

  807.         sz -= (word32)n;
    808. 

  808.         buf += n;
    809. 

  809.         transferred += (int)n;
    810. 

  810.     }
    811. 

  811. cleanup:
    812. 

  812.     WOLFSSL_LEAVE("wolfSSL_quic_receive", transferred);
    813. 

  813.     return transferred;
    814. 

  814. }
    815. 

  815. 

  816. /**
    817. 

  817.  * We need to forward the HANDSHAKE messages to the QUIC protocol stack
    818. 

  818.  * via ssl->quic.method->add_handshake_data().
    819. 

  819.  * The messages in the output buffer are unencrypted TLS records. We need
    820. 

  820.  * to forward the content of those records.
    821. 

  821.  */
    822. 

  822. static int wolfSSL_quic_send_internal(WOLFSSL* ssl)
    823. 

  823. {
    824. 

  824.     int ret = 0, aret;
    825. 

  825.     size_t len;
    826. 

  826.     RecordLayerHeader* rl;
    827. 

  827.     word16 rlen;
    828. 

  828.     word32 idx, length;
    829. 

  829.     byte* output;
    830. 

  830. 

  831.     WOLFSSL_ENTER("wolfSSL_quic_send");
    832. 

  832. 

  833.     idx = ssl->buffers.outputBuffer.idx;
    834. 

  834.     length = ssl->buffers.outputBuffer.length;
    835. 

  835.     output = ssl->buffers.outputBuffer.buffer + idx;
    836. 

  836.     while (length > 0) {
    837. 

  837.         if (ssl->quic.output_rec_remain > 0) {
    838. 

  838.             len = ssl->quic.output_rec_remain;
    839. 

  839.             if (len > length) {
    840. 

  840.                 len = length;
    841. 

  841.             }
    842. 

  842. 

  843.             aret = ssl->quic.method->add_handshake_data(ssl,
    844. 

  844.                 ssl->quic.output_rec_level, (const uint8_t*)output, len);
    845. 

  845.             if (aret != 1) {
    846. 

  846.                 /* The application has an error. General disaster. */
    847. 

  847.                 WOLFSSL_MSG("WOLFSSL_QUIC_SEND application failed");
    848. 

  848.                 ret = FWRITE_ERROR;
    849. 

  849.                 goto cleanup;
    850. 

  850.             }
    851. 

  851.             output += len;
    852. 

  852.             length -= (word32)len;
    853. 

  853.             ssl->quic.output_rec_remain -= (word32)len;
    854. 

  854.         }
    855. 

  855.         else {
    856. 

  856.             /* at start of a TLS Record */
    857. 

  857.             rl = (RecordLayerHeader*)output;
    858. 

  858.             ato16(rl->length, &rlen);
    859. 

  859.             output += RECORD_HEADER_SZ;
    860. 

  860.             length -= RECORD_HEADER_SZ;
    861. 

  861.             ssl->quic.output_rec_remain = rlen;
    862. 

  862.             ssl->quic.output_rec_level = ssl->quic.enc_level_write;
    863. 

  863.             if (rl->type == application_data) {
    864. 

  864.                 if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    865. 

  865.                     ssl->quic.output_rec_level = wolfssl_encryption_early_data;
    866. 

  866.                 }
    867. 

  867.                 else {
    868. 

  868.                     WOLFSSL_MSG("WOLFSSL_QUIC_SEND app data after handshake");
    869. 

  869.                     ret = FWRITE_ERROR;
    870. 

  870.                     goto cleanup;
    871. 

  871.                 }
    872. 

  872.             }
    873. 

  873.         }
    874. 

  874.     }
    875. 

  875. 

  876.     ssl->buffers.outputBuffer.idx = 0;
    877. 

  877.     ssl->buffers.outputBuffer.length = 0;
    878. 

  878. 

  879. cleanup:
    880. 

  880.     WOLFSSL_LEAVE("wolfSSL_quic_send", ret);
    881. 

  881.     return ret;
    882. 

  882. }
    883. 

  883. 

  884. int wolfSSL_quic_send(WOLFSSL* ssl)
    885. 

  885. {
    886. 

  886.     return wolfSSL_quic_send_internal(ssl);
    887. 

  887. }
    888. 

  888. 

  889. int wolfSSL_quic_forward_secrets(WOLFSSL* ssl, int ktype, int side)
    890. 

  890. {
    891. 

  891.     const uint8_t* rx_secret = NULL, *tx_secret = NULL;
    892. 

  892.     WOLFSSL_ENCRYPTION_LEVEL level;
    893. 

  893.     int ret = 0;
    894. 

  894. 

  895.     WOLFSSL_ENTER("wolfSSL_quic_forward_secrets");
    896. 

  896.     switch (ktype) {
    897. 

  897.         case early_data_key:
    898. 

  898.             level = wolfssl_encryption_early_data;
    899. 

  899.             break;
    900. 

  900.         case handshake_key:
    901. 

  901.             level = wolfssl_encryption_handshake;
    902. 

  902.             break;
    903. 

  903.         case traffic_key:
    904. 

  904.             FALL_THROUGH;
    905. 

  905.         case update_traffic_key:
    906. 

  906.             level = wolfssl_encryption_application;
    907. 

  907.             break;
    908. 

  908.         case no_key:
    909. 

  909.             FALL_THROUGH;
    910. 

  910.         default:
    911. 

  911.             /* ignore */
    912. 

  912.             goto cleanup;
    913. 

  913.     }
    914. 

  914. 

  915.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    916. 

  916.         tx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    917. 

  917.             ssl->clientSecret : ssl->serverSecret;
    918. 

  918.     }
    919. 

  919.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    920. 

  920.         rx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    921. 

  921.             ssl->serverSecret : ssl->clientSecret;
    922. 

  922.     }
    923. 

  923. 

  924.     if (!tx_secret && !rx_secret) {
    925. 

  925.         WOLFSSL_MSG("WOLFSSL_QUIC_FORWARD_SECRETS neither "
    926. 

  926.                     "enc- nor decrypt specified");
    927. 

  927.         goto cleanup;
    928. 

  928.     }
    929. 

  929. 

  930.     ret = !ssl->quic.method->set_encryption_secrets(
    931. 

  931.         ssl, level, rx_secret, tx_secret, ssl->specs.hash_size);
    932. 

  932. 

  933.     /* Having installed the secrets, any future read/write will happen
    934. 

  934.      * at the level. Except early data, which is detected on the record
    935. 

  935.      * type and the handshake state. */
    936. 

  936.      if (ktype == early_data_key) {
    937. 

  937.         goto cleanup;
    938. 

  938.      }
    939. 

  939. 

  940.      if (tx_secret && ssl->quic.enc_level_write != level) {
    941. 

  941.         ssl->quic.enc_level_write_next = level;
    942. 

  942.      }
    943. 

  943.      if (rx_secret && ssl->quic.enc_level_read != level) {
    944. 

  944.         ssl->quic.enc_level_read_next = level;
    945. 

  945.      }
    946. 

  946. 

  947. cleanup:
    948. 

  948.     WOLFSSL_LEAVE("wolfSSL_quic_forward_secrets", ret);
    949. 

  949.     return ret;
    950. 

  950. }
    951. 

  951. 

  952. int wolfSSL_quic_keys_active(WOLFSSL* ssl, enum encrypt_side side)
    953. 

  953. {
    954. 

  954.     int ret = 0;
    955. 

  955. 

  956.     WOLFSSL_ENTER("wolfSSL_quic_keys_active");
    957. 

  957.     /* Keys derived from recent secrets have been activated */
    958. 

  958.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    959. 

  959.         /* If there is data in the output buffers, it was supposed to be
    960. 

  960.          * encrypted at the previous level. We need to remember that when
    961. 

  961.          * forwarding this data to the QUIC protocol application. */
    962. 

  962.         if (ssl->buffers.outputBuffer.length > 0) {
    963. 

  963.             ret = wolfSSL_quic_send_internal(ssl);
    964. 

  964.             if (ret)
    965. 

  965.                 goto cleanup;
    966. 

  966.         }
    967. 

  967.         ssl->quic.enc_level_write = ssl->quic.enc_level_write_next;
    968. 

  968.     }
    969. 

  969.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    970. 

  970.         ssl->quic.enc_level_read = ssl->quic.enc_level_read_next;
    971. 

  971.     }
    972. 

  972. cleanup:
    973. 

  973.     WOLFSSL_LEAVE("wolfSSL_quic_keys_active", ret);
    974. 

  974.     return ret;
    975. 

  975. }
    976. 

  976. 

  977. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl)
    978. 

  978. {
    979. 

  979.     WOLFSSL_CIPHER* cipher = NULL;
    980. 

  980.     const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
    981. 

  981. 

  982.     if (ssl == NULL) {
    983. 

  983.         return NULL;
    984. 

  984.     }
    985. 

  985. 

  986.     cipher = wolfSSL_get_current_cipher(ssl);
    987. 

  987. 

  988.     if (cipher == NULL) {
    989. 

  989.         return NULL;
    990. 

  990.     }
    991. 

  991. 

  992.     switch (cipher->cipherSuite) {
    993. 

  993. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    994. 

  994.         case TLS_AES_128_GCM_SHA256:
    995. 

  995.             evp_cipher = wolfSSL_EVP_aes_128_gcm();
    996. 

  996.             break;
    997. 

  997.         case TLS_AES_256_GCM_SHA384:
    998. 

  998.             evp_cipher = wolfSSL_EVP_aes_256_gcm();
    999. 

  999.             break;
    1000. 

  1000. #endif
    1001. 

  1001. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1002. 

  1002.         case TLS_CHACHA20_POLY1305_SHA256:
    1003. 

  1003.             evp_cipher = wolfSSL_EVP_chacha20_poly1305();
    1004. 

  1004.             break;
    1005. 

  1005. #endif
    1006. 

  1006. #if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
    1007. 

  1007.         case TLS_AES_128_CCM_SHA256:
    1008. 

  1008.             evp_cipher = wolfSSL_EVP_aes_128_ccm();
    1009. 

  1009.             break;
    1010. 

  1010.         case TLS_AES_128_CCM_8_SHA256:
    1011. 

  1011.             WOLFSSL_MSG("wolfSSL_quic_get_aead: no CCM-8 support in EVP layer");
    1012. 

  1012.             evp_cipher = NULL;
    1013. 

  1013.             break;
    1014. 

  1014. #endif
    1015. 

  1015. 

  1016.         default:
    1017. 

  1017.             evp_cipher = NULL;
    1018. 

  1018.             break;
    1019. 

  1019.     }
    1020. 

  1020. 

  1021.     if (!evp_cipher) {
    1022. 

  1022.         /* should not happen, as SSL* should not have negotiated it? */
    1023. 

  1023.         WOLFSSL_MSG("wolfSSL_quic_get_aead: current cipher not supported");
    1024. 

  1024.         return NULL;
    1025. 

  1025.     }
    1026. 

  1026.     return evp_cipher;
    1027. 

  1027. }
    1028. 

  1028. 

  1029. /* currently only used if HAVE_CHACHA && HAVE_POLY1305. */
    1030. 

  1030. WC_MAYBE_UNUSED static int evp_cipher_eq(const WOLFSSL_EVP_CIPHER* c1,
    1031. 

  1031.                          const WOLFSSL_EVP_CIPHER* c2)
    1032. 

  1032. {
    1033. 

  1033.     /* We could check on nid equality, but we seem to have singulars */
    1034. 

  1034.     return c1 == c2;
    1035. 

  1035. }
    1036. 

  1036. 

  1037. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
    1038. 

  1038. {
    1039. 

  1039.     WOLFSSL_CIPHER* cipher = NULL;
    1040. 

  1040.     const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
    1041. 

  1041. 

  1042.     if (ssl == NULL) {
    1043. 

  1043.         return NULL;
    1044. 

  1044.     }
    1045. 

  1045. 

  1046.     cipher = wolfSSL_get_current_cipher(ssl);
    1047. 

  1047. 

  1048.     if (cipher == NULL) {
    1049. 

  1049.         return NULL;
    1050. 

  1050.     }
    1051. 

  1051. 

  1052.     switch (cipher->cipherSuite) {
    1053. 

  1053. #if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_COUNTER)
    1054. 

  1054.         /* This has to be CTR even though the spec says that ECB is used for
    1055. 

  1055.          * mask generation. ngtcp2_crypto_hp_mask uses a hack where they pass
    1056. 

  1056.          * in the "ECB" input as the IV for the CTR cipher and then the input
    1057. 

  1057.          * is just a cleared buffer. They do this so that the EVP
    1058. 

  1058.          * init-update-final cycle can be used without the padding that is added
    1059. 

  1059.          * for EVP_aes_(128|256)_ecb. */
    1060. 

  1060. #if defined(WOLFSSL_AES_128)
    1061. 

  1061.         case TLS_AES_128_GCM_SHA256:
    1062. 

  1062.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1063. 

  1063.             break;
    1064. 

  1064. #endif
    1065. 

  1065. #if defined(WOLFSSL_AES_256)
    1066. 

  1066.         case TLS_AES_256_GCM_SHA384:
    1067. 

  1067.             evp_cipher = wolfSSL_EVP_aes_256_ctr();
    1068. 

  1068.             break;
    1069. 

  1069. #endif
    1070. 

  1070. #endif
    1071. 

  1071. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1072. 

  1072.         case TLS_CHACHA20_POLY1305_SHA256:
    1073. 

  1073.             evp_cipher = wolfSSL_EVP_chacha20();
    1074. 

  1074.             break;
    1075. 

  1075. #endif
    1076. 

  1076. #if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && \
    1077. 

  1077.         defined(WOLFSSL_AES_COUNTER)
    1078. 

  1078.         /* This has to be CTR. See comment above. */
    1079. 

  1079.         case TLS_AES_128_CCM_SHA256:
    1080. 

  1080.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1081. 

  1081.             break;
    1082. 

  1082.         case TLS_AES_128_CCM_8_SHA256:
    1083. 

  1083.             WOLFSSL_MSG("wolfSSL_quic_get_hp: no CCM-8 support in EVP layer");
    1084. 

  1084.             evp_cipher = NULL;
    1085. 

  1085.             break;
    1086. 

  1086. #endif
    1087. 

  1087.         default:
    1088. 

  1088.             evp_cipher = NULL;
    1089. 

  1089.             break;
    1090. 

  1090.     }
    1091. 

  1091. 

  1092.     if (!evp_cipher) {
    1093. 

  1093.         /* should not happen, as SSL* should not have negotiated it? */
    1094. 

  1094.         WOLFSSL_MSG("wolfSSL_quic_get_hp: current cipher not supported");
    1095. 

  1095.         return NULL;
    1096. 

  1096.     }
    1097. 

  1097.     return evp_cipher;
    1098. 

  1098. }
    1099. 

  1099. 

  1100. size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1101. 

  1101. {
    1102. 

  1102.     size_t ret;
    1103. 

  1103. #ifdef WOLFSSL_SMALL_STACK
    1104. 

  1104.     WOLFSSL_EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
    1105. 

  1105.     if (ctx == NULL)
    1106. 

  1106.         return 0;
    1107. 

  1107. #else
    1108. 

  1108.     WOLFSSL_EVP_CIPHER_CTX ctx[1];
    1109. 

  1109. #endif
    1110. 

  1110. 

  1111.     XMEMSET(ctx, 0, sizeof(*ctx));
    1112. 

  1112.     if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0)
    1113. 

  1113.         == WOLFSSL_SUCCESS) {
    1114. 

  1114.         ret = (size_t)ctx->authTagSz;
    1115. 

  1115.     } else {
    1116. 

  1116.         ret = 0;
    1117. 

  1117.     }
    1118. 

  1118. 

  1119.     (void)wolfSSL_EVP_CIPHER_CTX_cleanup(ctx);
    1120. 

  1120. #ifdef WOLFSSL_SMALL_STACK
    1121. 

  1121.     XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1122. 

  1122. #endif
    1123. 

  1123. 

  1124.     return ret;
    1125. 

  1125. }
    1126. 

  1126. 

  1127. int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1128. 

  1128. {
    1129. 

  1129.     return WOLFSSL_EVP_CIPHER_mode(aead_cipher) == WOLFSSL_EVP_CIPH_GCM_MODE;
    1130. 

  1130. }
    1131. 

  1131. 

  1132. int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1133. 

  1133. {
    1134. 

  1134.     return WOLFSSL_EVP_CIPHER_mode(aead_cipher) == WOLFSSL_EVP_CIPH_CCM_MODE;
    1135. 

  1135. }
    1136. 

  1136. 

  1137. int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1138. 

  1138. {
    1139. 

  1139. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1140. 

  1140.     return evp_cipher_eq(aead_cipher, wolfSSL_EVP_chacha20_poly1305());
    1141. 

  1141. #else
    1142. 

  1142.     (void)aead_cipher;
    1143. 

  1143.     return 0;
    1144. 

  1144. #endif
    1145. 

  1145. }
    1146. 

  1146. 

  1147. const WOLFSSL_EVP_MD* wolfSSL_quic_get_md(WOLFSSL* ssl)
    1148. 

  1148. {
    1149. 

  1149.     /* a copy from the handshake md setup */
    1150. 

  1150.     switch(ssl->specs.mac_algorithm) {
    1151. 

  1151.         case no_mac:
    1152. 

  1152.     #ifndef NO_MD5
    1153. 

  1153.         case md5_mac:
    1154. 

  1154.             return wolfSSL_EVP_md5();
    1155. 

  1155.     #endif
    1156. 

  1156.     #ifndef NO_SHA
    1157. 

  1157.         case sha_mac:
    1158. 

  1158.             return wolfSSL_EVP_sha1();
    1159. 

  1159.     #endif
    1160. 

  1160.     #ifdef WOLFSSL_SHA224
    1161. 

  1161.         case sha224_mac:
    1162. 

  1162.             return wolfSSL_EVP_sha224();
    1163. 

  1163.     #endif
    1164. 

  1164.         case sha256_mac:
    1165. 

  1165.             return wolfSSL_EVP_sha256();
    1166. 

  1166.     #ifdef WOLFSSL_SHA384
    1167. 

  1167.         case sha384_mac:
    1168. 

  1168.             return wolfSSL_EVP_sha384();
    1169. 

  1169.     #endif
    1170. 

  1170.     #ifdef WOLFSSL_SHA512
    1171. 

  1171.         case sha512_mac:
    1172. 

  1172.             return wolfSSL_EVP_sha512();
    1173. 

  1173.     #endif
    1174. 

  1174.         case rmd_mac:
    1175. 

  1175.         case blake2b_mac:
    1176. 

  1176.             WOLFSSL_MSG("no suitable EVP_MD");
    1177. 

  1177.             return NULL;
    1178. 

  1178.         default:
    1179. 

  1179.             WOLFSSL_MSG("Unknown mac algorithm");
    1180. 

  1180.             return NULL;
    1181. 

  1181.     }
    1182. 

  1182. }
    1183. 

  1183. 

  1184. #ifdef OPENSSL_EXTRA
    1185. 

  1185. 

  1186. int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md,
    1187. 

  1187.                               const uint8_t* secret, size_t secretlen,
    1188. 

  1188.                               const uint8_t* salt, size_t saltlen)
    1189. 

  1189. {
    1190. 

  1190.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1191. 

  1191.     size_t destlen = (size_t)wolfSSL_EVP_MD_size(md);
    1192. 

  1192.     int ret = WOLFSSL_SUCCESS;
    1193. 

  1193. 

  1194.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract");
    1195. 

  1195. 

  1196.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1197. 

  1197.     if (pctx == NULL) {
    1198. 

  1198.         ret = WOLFSSL_FAILURE;
    1199. 

  1199.         goto cleanup;
    1200. 

  1200.     }
    1201. 

  1201. 

  1202.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1203. 

  1203.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1204. 

  1204.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS
    1205. 

  1205.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1206. 

  1206.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1207. 

  1207.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1208. 

  1208.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1209. 

  1209.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1210. 

  1210.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1211. 

  1211.         ret = WOLFSSL_FAILURE;
    1212. 

  1212.         goto cleanup;
    1213. 

  1213.     }
    1214. 

  1214. 

  1215. cleanup:
    1216. 

  1216.     if (pctx)
    1217. 

  1217.         wolfSSL_EVP_PKEY_CTX_free(pctx);
    1218. 

  1218.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_extract", ret);
    1219. 

  1219.     return ret;
    1220. 

  1220. }
    1221. 

  1221. 

  1222. 

  1223. int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen,
    1224. 

  1224.                              const WOLFSSL_EVP_MD* md,
    1225. 

  1225.                              const uint8_t* secret, size_t secretlen,
    1226. 

  1226.                              const uint8_t* info, size_t infolen)
    1227. 

  1227. {
    1228. 

  1228.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1229. 

  1229.     int ret = WOLFSSL_SUCCESS;
    1230. 

  1230. 

  1231.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand");
    1232. 

  1232. 

  1233.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1234. 

  1234.     if (pctx == NULL) {
    1235. 

  1235.         ret = WOLFSSL_FAILURE;
    1236. 

  1236.         goto cleanup;
    1237. 

  1237.     }
    1238. 

  1238. 

  1239.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1240. 

  1240.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1241. 

  1241.                 pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS
    1242. 

  1242.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1243. 

  1243.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1244. 

  1244.                 pctx, (byte*)"", 0) != WOLFSSL_SUCCESS
    1245. 

  1245.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1246. 

  1246.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1247. 

  1247.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1248. 

  1248.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1249. 

  1249.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1250. 

  1250.         ret = WOLFSSL_FAILURE;
    1251. 

  1251.         goto cleanup;
    1252. 

  1252.     }
    1253. 

  1253. 

  1254. cleanup:
    1255. 

  1255.     if (pctx)
    1256. 

  1256.         EVP_PKEY_CTX_free(pctx);
    1257. 

  1257.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret);
    1258. 

  1258.     return ret;
    1259. 

  1259. }
    1260. 

  1260. 

  1261. 

  1262. int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
    1263. 

  1263.                       const WOLFSSL_EVP_MD* md,
    1264. 

  1264.                       const uint8_t* secret, size_t secretlen,
    1265. 

  1265.                       const uint8_t* salt, size_t saltlen,
    1266. 

  1266.                       const uint8_t* info, size_t infolen)
    1267. 

  1267. {
    1268. 

  1268.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1269. 

  1269.     int ret = WOLFSSL_SUCCESS;
    1270. 

  1270. 

  1271.     WOLFSSL_ENTER("wolfSSL_quic_hkdf");
    1272. 

  1272. 

  1273.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1274. 

  1274.     if (pctx == NULL) {
    1275. 

  1275.         ret = WOLFSSL_FAILURE;
    1276. 

  1276.         goto cleanup;
    1277. 

  1277.     }
    1278. 

  1278. 

  1279.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1280. 

  1280.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1281. 

  1281.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS
    1282. 

  1282.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1283. 

  1283.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1284. 

  1284.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1285. 

  1285.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1286. 

  1286.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1287. 

  1287.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1288. 

  1288.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1289. 

  1289.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1290. 

  1290.         ret = WOLFSSL_FAILURE;
    1291. 

  1291.         goto cleanup;
    1292. 

  1292.     }
    1293. 

  1293. 

  1294. cleanup:
    1295. 

  1295.     if (pctx)
    1296. 

  1296.         EVP_PKEY_CTX_free(pctx);
    1297. 

  1297.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret);
    1298. 

  1298.     return ret;
    1299. 

  1299. }
    1300. 

  1300. 

  1301. #endif /* OPENSSL_EXTRA */
    1302. 

  1302. 

  1303. 

  1304. WOLFSSL_EVP_CIPHER_CTX* wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER* cipher,
    1305. 

  1305.                                                const uint8_t* key,
    1306. 

  1306.                                                const uint8_t* iv,
    1307. 

  1307.                                                int encrypt)
    1308. 

  1308. {
    1309. 

  1309.     WOLFSSL_EVP_CIPHER_CTX* ctx;
    1310. 

  1310. 

  1311.     ctx = wolfSSL_EVP_CIPHER_CTX_new();
    1312. 

  1312.     if (ctx == NULL) {
    1313. 

  1313.         return NULL;
    1314. 

  1314.     }
    1315. 

  1315. 

  1316.     if (wolfSSL_EVP_CipherInit(ctx, cipher, key, iv, encrypt)
    1317. 

  1317.             != WOLFSSL_SUCCESS) {
    1318. 

  1318.         wolfSSL_EVP_CIPHER_CTX_free(ctx);
    1319. 

  1319.         return NULL;
    1320. 

  1320.     }
    1321. 

  1321. 

  1322.     return ctx;
    1323. 

  1323. }
    1324. 

  1324. 

  1325. 

  1326. int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1327. 

  1327.                               const uint8_t* plain, size_t plainlen,
    1328. 

  1328.                               const uint8_t* iv, const uint8_t* aad,
    1329. 

  1329.                               size_t aadlen)
    1330. 

  1330. {
    1331. 

  1331.     int len;
    1332. 

  1332. 

  1333.     /* A case can be made if this really should be a function in wolfSSL, since
    1334. 

  1334.      * the same should be doable from the API by a QUIC protocol stack.
    1335. 

  1335.      * What speaks for this:
    1336. 

  1336.      * - it gives us a decent testing point
    1337. 

  1337.      * - API users do not have to re-invent (it fits into ngtcp2 use).
    1338. 

  1338.      *   picotls offers a similar abstraction level for AEAD.
    1339. 

  1339.      * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers
    1340. 

  1340.      *       which we need to check.
    1341. 

  1341.      */
    1342. 

  1342.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS
    1343. 

  1343.         || wolfSSL_EVP_CipherUpdate(
    1344. 

  1344.                 ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS
    1345. 

  1345.         || wolfSSL_EVP_CipherUpdate(
    1346. 

  1346.                 ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS
    1347. 

  1347.         || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS
    1348. 

  1348.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1349. 

  1349.                 ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen)
    1350. 

  1350.            != WOLFSSL_SUCCESS) {
    1351. 

  1351.         return WOLFSSL_FAILURE;
    1352. 

  1352.     }
    1353. 

  1353. 

  1354.     return WOLFSSL_SUCCESS;
    1355. 

  1355. }
    1356. 

  1356. 

  1357. 

  1358. int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1359. 

  1359.                               const uint8_t* enc, size_t enclen,
    1360. 

  1360.                               const uint8_t* iv, const uint8_t* aad,
    1361. 

  1361.                               size_t aadlen)
    1362. 

  1362. {
    1363. 

  1363.     int len;
    1364. 

  1364.     const uint8_t* tag;
    1365. 

  1365. 

  1366.     /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */
    1367. 

  1367.     if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) {
    1368. 

  1368.         return WOLFSSL_FAILURE;
    1369. 

  1369.     }
    1370. 

  1370. 

  1371.     enclen -= (size_t)ctx->authTagSz;
    1372. 

  1372.     tag = enc + enclen;
    1373. 

  1373. 

  1374.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS
    1375. 

  1375.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1376. 

  1376.                 ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag)
    1377. 

  1377.             != WOLFSSL_SUCCESS
    1378. 

  1378.         || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen)
    1379. 

  1379.             != WOLFSSL_SUCCESS
    1380. 

  1380.         || wolfSSL_EVP_CipherUpdate(ctx, dest, &len, enc, (int)enclen)
    1381. 

  1381.             != WOLFSSL_SUCCESS
    1382. 

  1382.         || wolfSSL_EVP_CipherFinal(ctx, dest, &len) != WOLFSSL_SUCCESS) {
    1383. 

  1383.         return WOLFSSL_FAILURE;
    1384. 

  1384.     }
    1385. 

  1385. 

  1386.     return WOLFSSL_SUCCESS;
    1387. 

  1387. }
    1388. 

  1388. 

  1389. 

  1390. #endif /* WOLFSSL_QUIC */
    1391. 

  1391. #endif /* WOLFCRYPT_ONLY */
    1392. 

  1392.