2
0

quic.c 42 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392
  1. /* quic.c
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. /* Name change compatibility layer no longer needs to be included here */
  22. #ifdef HAVE_CONFIG_H
  23. #include <config.h>
  24. #endif
  25. #include <wolfssl/wolfcrypt/settings.h>
  26. #ifdef NO_INLINE
  27. #include <wolfssl/wolfcrypt/misc.h>
  28. #else
  29. #define WOLFSSL_MISC_INCLUDED
  30. #include <wolfcrypt/src/misc.c>
  31. #endif
  32. #ifndef WOLFCRYPT_ONLY
  33. #ifdef WOLFSSL_QUIC
  34. #include <wolfssl/error-ssl.h>
  35. #include <wolfssl/ssl.h>
  36. #include <wolfssl/internal.h>
  37. #include <wolfssl/openssl/buffer.h>
  38. #include <wolfssl/openssl/ecdsa.h>
  39. #include <wolfssl/openssl/evp.h>
  40. #include <wolfssl/openssl/kdf.h>
  41. static int qr_length(const uint8_t *data, size_t len)
  42. {
  43. word32 rlen;
  44. if (len < 4) {
  45. return 0;
  46. }
  47. c24to32(&data[1], &rlen);
  48. return (int)rlen + 4;
  49. }
  50. static void quic_record_free(WOLFSSL *ssl, QuicRecord *r)
  51. {
  52. (void)ssl;
  53. if (r->data) {
  54. ForceZero(r->data, r->capacity);
  55. XFREE(r->data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
  56. }
  57. XFREE(r, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
  58. }
  59. static QuicRecord *quic_record_make(WOLFSSL *ssl,
  60. WOLFSSL_ENCRYPTION_LEVEL level,
  61. const uint8_t *data, size_t len)
  62. {
  63. QuicRecord *qr;
  64. qr = (QuicRecord*)XMALLOC(sizeof(*qr), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
  65. if (qr) {
  66. memset(qr, 0, sizeof(*qr));
  67. qr->level = level;
  68. if (level == wolfssl_encryption_early_data) {
  69. qr->capacity = qr->len = (word32)len;
  70. }
  71. else {
  72. qr->capacity = qr->len = (word32) qr_length(data, len);
  73. if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
  74. WOLFSSL_MSG("QUIC length read larger than expected");
  75. quic_record_free(ssl, qr);
  76. return NULL;
  77. }
  78. }
  79. if (qr->capacity == 0) {
  80. qr->capacity = 2*1024;
  81. }
  82. qr->data = (uint8_t*)XMALLOC(qr->capacity, ssl->heap,
  83. DYNAMIC_TYPE_TMP_BUFFER);
  84. if (!qr->data) {
  85. quic_record_free(ssl, qr);
  86. return NULL;
  87. }
  88. }
  89. return qr;
  90. }
  91. static int quic_record_complete(QuicRecord *r)
  92. {
  93. return r->len && r->end >= r->len;
  94. }
  95. static int quic_record_done(QuicRecord *r)
  96. {
  97. return r->len && r->end >= r->len && r->start >= r->end;
  98. }
  99. static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
  100. size_t len, size_t *pconsumed)
  101. {
  102. size_t missing, consumed = 0;
  103. int ret = WOLFSSL_SUCCESS;
  104. (void)ssl;
  105. if (!qr->len && len) {
  106. missing = 4 - qr->end;
  107. if (len < missing) {
  108. XMEMCPY(qr->data + qr->end, data, len);
  109. qr->end += (word32)len;
  110. consumed = len;
  111. goto cleanup; /* len consumed, but qr->len still unknown */
  112. }
  113. XMEMCPY(qr->data + qr->end, data, missing);
  114. qr->end += (word32)missing;
  115. len -= missing;
  116. data += missing;
  117. consumed = missing;
  118. qr->len = (word32)qr_length(qr->data, qr->end);
  119. /* sanity check on length read from wire before use */
  120. if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
  121. WOLFSSL_MSG("Length read for quic is larger than expected");
  122. ret = BUFFER_E;
  123. goto cleanup;
  124. }
  125. if (qr->len > qr->capacity) {
  126. uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
  127. DYNAMIC_TYPE_TMP_BUFFER);
  128. if (!ndata) {
  129. ret = WOLFSSL_FAILURE;
  130. goto cleanup;
  131. }
  132. qr->data = ndata;
  133. qr->capacity = qr->len;
  134. }
  135. }
  136. if (quic_record_complete(qr) || len == 0) {
  137. return 0;
  138. }
  139. missing = qr->len - qr->end;
  140. if (len > missing) {
  141. len = missing;
  142. }
  143. XMEMCPY(qr->data + qr->end, data, len);
  144. qr->end += (word32)len;
  145. consumed += len;
  146. cleanup:
  147. *pconsumed = (ret == WOLFSSL_SUCCESS) ? consumed : 0;
  148. return ret;
  149. }
  150. static word32 add_rec_header(byte* output, word32 length, byte type)
  151. {
  152. RecordLayerHeader* rl;
  153. /* record layer header */
  154. rl = (RecordLayerHeader*)output;
  155. if (rl == NULL) {
  156. return 0;
  157. }
  158. rl->type = type;
  159. rl->pvMajor = SSLv3_MAJOR;
  160. rl->pvMinor = TLSv1_2_MINOR;
  161. c16toa((word16)length, rl->length);
  162. return RECORD_HEADER_SZ;
  163. }
  164. static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
  165. {
  166. word32 len = qr->end - qr->start;
  167. word32 offset = 0;
  168. word32 rlen;
  169. if (len <= 0) {
  170. return 0;
  171. }
  172. /* We check if the buf is at least RECORD_HEADER_SZ */
  173. if (sz < RECORD_HEADER_SZ) {
  174. return WOLFSSL_FATAL_ERROR;
  175. }
  176. if (qr->rec_hdr_remain == 0) {
  177. /* start a new TLS record */
  178. rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
  179. qr->len : (word32)MAX_RECORD_SIZE;
  180. offset += add_rec_header(buf, rlen,
  181. (qr->level == wolfssl_encryption_early_data) ?
  182. application_data : handshake);
  183. qr->rec_hdr_remain = rlen;
  184. sz -= offset;
  185. }
  186. if (len > qr->rec_hdr_remain) {
  187. len = qr->rec_hdr_remain;
  188. }
  189. if (len > sz) {
  190. len = sz;
  191. }
  192. if (len > 0) {
  193. XMEMCPY(buf + offset, qr->data + qr->start, len);
  194. qr->start += len;
  195. qr->rec_hdr_remain -= len;
  196. }
  197. return (sword32)(len + offset);
  198. }
  199. const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
  200. size_t len, void* heap)
  201. {
  202. QuicTransportParam* tp;
  203. if (len > 65353) return NULL;
  204. tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
  205. if (!tp) return NULL;
  206. tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
  207. if (!tp->data) {
  208. XFREE(tp, heap, DYNAMIC_TYPE_TLSX);
  209. return NULL;
  210. }
  211. XMEMCPY((uint8_t*)tp->data, data, len);
  212. tp->len = (word16)len;
  213. return tp;
  214. }
  215. const QuicTransportParam* QuicTransportParam_dup(const QuicTransportParam* tp,
  216. void* heap)
  217. {
  218. QuicTransportParam* tp2;
  219. tp2 = (QuicTransportParam*)XMALLOC(sizeof(*tp2), heap, DYNAMIC_TYPE_TLSX);
  220. if (!tp2) return NULL;
  221. tp2->data = (uint8_t*)XMALLOC(tp->len, heap, DYNAMIC_TYPE_TLSX);
  222. if (!tp2->data) {
  223. XFREE(tp2, heap, DYNAMIC_TYPE_TLSX);
  224. return NULL;
  225. }
  226. XMEMCPY((uint8_t*)tp2->data, tp->data, tp->len);
  227. tp2->len = tp->len;
  228. return tp2;
  229. }
  230. void QuicTransportParam_free(const QuicTransportParam* tp, void* heap)
  231. {
  232. (void)heap;
  233. if (tp) {
  234. if (tp->data) XFREE((uint8_t*)tp->data, heap, DYNAMIC_TYPE_TLSX);
  235. XFREE((void*)tp, heap, DYNAMIC_TYPE_TLSX);
  236. }
  237. }
  238. void wolfSSL_quic_clear(WOLFSSL* ssl)
  239. {
  240. QuicEncData* qd;
  241. /* keep
  242. * - ssl->quic.transport_local
  243. * - ssl->quic.method
  244. * - ssl->quic.transport_version
  245. * reset/free everything else
  246. */
  247. if (ssl->quic.transport_peer) {
  248. QTP_FREE(ssl->quic.transport_peer, ssl->heap);
  249. ssl->quic.transport_peer = NULL;
  250. }
  251. if (ssl->quic.transport_peer_draft) {
  252. QTP_FREE(ssl->quic.transport_peer_draft, ssl->heap);
  253. ssl->quic.transport_peer_draft = NULL;
  254. }
  255. ssl->quic.enc_level_write = wolfssl_encryption_initial;
  256. ssl->quic.enc_level_latest_recvd = wolfssl_encryption_initial;
  257. while ((qd = ssl->quic.input_head)) {
  258. ssl->quic.input_head = qd->next;
  259. quic_record_free(ssl, qd);
  260. }
  261. ssl->quic.input_tail = NULL;
  262. ssl->quic.output_rec_remain = 0;
  263. if (ssl->quic.scratch) {
  264. quic_record_free(ssl, ssl->quic.scratch);
  265. ssl->quic.scratch = NULL;
  266. }
  267. }
  268. void wolfSSL_quic_free(WOLFSSL* ssl)
  269. {
  270. wolfSSL_quic_clear(ssl);
  271. if (ssl->quic.transport_local) {
  272. QTP_FREE(ssl->quic.transport_local, ssl->heap);
  273. ssl->quic.transport_local = NULL;
  274. }
  275. ssl->quic.method = NULL;
  276. }
  277. static int ctx_check_quic_compat(const WOLFSSL_CTX* ctx)
  278. {
  279. WOLFSSL_ENTER("ctx_check_quic_compat");
  280. if (ctx->method->version.major != SSLv3_MAJOR
  281. || ctx->method->version.minor != TLSv1_3_MINOR
  282. || (ctx->method->downgrade && ctx->minDowngrade < TLSv1_3_MINOR)) {
  283. WOLFSSL_MSG_EX("ctx not quic compatible: vmajor=%d, vminor=%d, downgrade=%d",
  284. ctx->method->version.major,
  285. ctx->method->version.minor,
  286. ctx->method->downgrade
  287. );
  288. return WOLFSSL_FAILURE;
  289. }
  290. return WOLFSSL_SUCCESS;
  291. }
  292. static int check_method_sanity(const WOLFSSL_QUIC_METHOD* m)
  293. {
  294. WOLFSSL_ENTER("check_method_sanity");
  295. if (m && m->set_encryption_secrets
  296. && m->add_handshake_data
  297. && m->flush_flight
  298. && m->send_alert) {
  299. return WOLFSSL_SUCCESS;
  300. }
  301. return WOLFSSL_FAILURE;
  302. }
  303. int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX* ctx,
  304. const WOLFSSL_QUIC_METHOD* quic_method)
  305. {
  306. WOLFSSL_ENTER("wolfSSL_CTX_set_quic_method");
  307. if (ctx_check_quic_compat(ctx) != WOLFSSL_SUCCESS
  308. || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
  309. return WOLFSSL_FAILURE;
  310. }
  311. ctx->quic.method = quic_method;
  312. return WOLFSSL_SUCCESS;
  313. }
  314. int wolfSSL_set_quic_method(WOLFSSL* ssl,
  315. const WOLFSSL_QUIC_METHOD* quic_method)
  316. {
  317. WOLFSSL_ENTER("wolfSSL_set_quic_method");
  318. if (ctx_check_quic_compat(ssl->ctx) != WOLFSSL_SUCCESS
  319. || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
  320. return WOLFSSL_FAILURE;
  321. }
  322. ssl->quic.method = quic_method;
  323. return WOLFSSL_SUCCESS;
  324. }
  325. int wolfSSL_is_quic(WOLFSSL* ssl)
  326. {
  327. return WOLFSSL_IS_QUIC(ssl);
  328. }
  329. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL* ssl)
  330. {
  331. return ssl->quic.enc_level_read;
  332. }
  333. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL* ssl)
  334. {
  335. return ssl->quic.enc_level_write;
  336. }
  337. int wolfSSL_set_quic_transport_params(WOLFSSL* ssl,
  338. const uint8_t* params,
  339. size_t params_len)
  340. {
  341. const QuicTransportParam* tp;
  342. int ret = WOLFSSL_SUCCESS;
  343. WOLFSSL_ENTER("wolfSSL_set_quic_transport_params");
  344. if (!params || params_len == 0) {
  345. tp = NULL;
  346. }
  347. else {
  348. tp = QuicTransportParam_new(params, params_len, ssl->heap);
  349. if (!tp) {
  350. ret = WOLFSSL_FAILURE;
  351. goto cleanup;
  352. }
  353. }
  354. if (ssl->quic.transport_local)
  355. QTP_FREE(ssl->quic.transport_local, ssl->heap);
  356. ssl->quic.transport_local = tp;
  357. cleanup:
  358. WOLFSSL_LEAVE("wolfSSL_set_quic_transport_params", ret);
  359. return ret;
  360. }
  361. void wolfSSL_get_peer_quic_transport_params(const WOLFSSL* ssl,
  362. const uint8_t** out_params,
  363. size_t* out_params_len)
  364. {
  365. const QuicTransportParam* tp = ssl->quic.transport_peer ?
  366. ssl->quic.transport_peer : ssl->quic.transport_peer_draft;
  367. *out_params = tp ? tp->data : NULL;
  368. *out_params_len = tp ? tp->len : 0;
  369. }
  370. int wolfSSL_get_peer_quic_transport_version(const WOLFSSL* ssl)
  371. {
  372. return ssl->quic.transport_peer ?
  373. TLSX_KEY_QUIC_TP_PARAMS : (ssl->quic.transport_peer_draft ?
  374. TLSX_KEY_QUIC_TP_PARAMS : -1);
  375. }
  376. void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL* ssl, int use_legacy)
  377. {
  378. ssl->quic.transport_version = use_legacy ? TLSX_KEY_QUIC_TP_PARAMS_DRAFT
  379. : TLSX_KEY_QUIC_TP_PARAMS;
  380. }
  381. void wolfSSL_set_quic_transport_version(WOLFSSL* ssl, int version)
  382. {
  383. if (version == TLSX_KEY_QUIC_TP_PARAMS
  384. || version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
  385. || !version) {
  386. ssl->quic.transport_version = version;
  387. }
  388. else {
  389. WOLFSSL_MSG("wolfSSL_set_quic_transport_version: invalid version");
  390. }
  391. }
  392. int wolfSSL_get_quic_transport_version(const WOLFSSL* ssl)
  393. {
  394. return ssl->quic.transport_version;
  395. }
  396. int wolfSSL_quic_add_transport_extensions(WOLFSSL* ssl, int msg_type)
  397. {
  398. /* RFC 9001, ch. 8.2: "The quic_transport_parameters extension is carried
  399. * in the ClientHello and the EncryptedExtensions messages during the
  400. * handshake. Endpoints MUST send the quic_transport_parameters extension;"
  401. * Which means, at least one. There can be more to signal compatibility to
  402. * older/newer versions.
  403. */
  404. int ret = 0, is_resp = (msg_type == encrypted_extensions);
  405. if (ssl->quic.transport_local == NULL) {
  406. return QUIC_TP_MISSING_E;
  407. }
  408. if (is_resp) {
  409. /* server response: time to decide which version to use */
  410. if (ssl->quic.transport_peer && ssl->quic.transport_peer_draft) {
  411. if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) {
  412. ret = TLSX_QuicTP_Use(ssl,
  413. TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
  414. QTP_FREE(ssl->quic.transport_peer, ssl->heap);
  415. ssl->quic.transport_peer = NULL;
  416. }
  417. else {
  418. ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
  419. QTP_FREE(ssl->quic.transport_peer_draft,
  420. ssl->heap);
  421. ssl->quic.transport_peer_draft = NULL;
  422. }
  423. }
  424. else {
  425. if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
  426. && ssl->quic.transport_peer_draft) {
  427. ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT,
  428. is_resp);
  429. }
  430. else if (ssl->quic.transport_peer) {
  431. ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
  432. }
  433. else {
  434. /* no match, send none, will let the client fail */
  435. }
  436. }
  437. }
  438. else {
  439. /* client hello */
  440. if (ssl->quic.transport_version == 0) {
  441. /* not being set to a particular id, we send both draft+v1 */
  442. ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp)
  443. || TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
  444. }
  445. else {
  446. /* otherwise, send the version configured */
  447. ret = TLSX_QuicTP_Use(ssl, (TLSX_Type)ssl->quic.transport_version,
  448. is_resp);
  449. }
  450. }
  451. return ret;
  452. }
  453. #define QUIC_HS_FLIGHT_LIMIT_DEFAULT (16* 1024)
  454. size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL* ssl,
  455. WOLFSSL_ENCRYPTION_LEVEL level)
  456. {
  457. switch (level) {
  458. case wolfssl_encryption_initial:
  459. case wolfssl_encryption_application:
  460. return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
  461. case wolfssl_encryption_early_data:
  462. return 0; /* QUIC does not send at this level */
  463. case wolfssl_encryption_handshake:
  464. /* during handshake itself, certificates may be exchanged which
  465. * exceed our default limit, advise a higher limit one.
  466. */
  467. if (ssl->options.side == WOLFSSL_SERVER_END) {
  468. if (ssl->options.verifyPeer
  469. && MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
  470. return MAX_CERTIFICATE_SZ;
  471. }
  472. else {
  473. /* clients may receive the server cert chain
  474. */
  475. if (2*MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
  476. return 2*MAX_CERTIFICATE_SZ;
  477. }
  478. return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
  479. }
  480. return 0;
  481. }
  482. #ifdef WOLFSSL_EARLY_DATA
  483. void wolfSSL_set_quic_early_data_enabled(WOLFSSL* ssl, int enabled)
  484. {
  485. /* This only has effect on server and when the handshake has
  486. * not started yet.
  487. * This function is part of the quictls/openssl API and does
  488. * not return any error, sadly. So we just ignore any
  489. * unsuccessful use. But we can produce some warnings.
  490. */
  491. if (!WOLFSSL_IS_QUIC(ssl)) {
  492. WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: not a QUIC SSL");
  493. }
  494. else if (ssl->options.handShakeState != NULL_STATE) {
  495. WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: handshake started");
  496. }
  497. else {
  498. wolfSSL_set_max_early_data(ssl, enabled ? UINT32_MAX : 0);
  499. }
  500. }
  501. #endif /* WOLFSSL_EARLY_DATA */
  502. int wolfSSL_quic_do_handshake(WOLFSSL* ssl)
  503. {
  504. int ret = WOLFSSL_SUCCESS;
  505. WOLFSSL_ENTER("wolfSSL_quic_do_handshake");
  506. if (!wolfSSL_is_quic(ssl)) {
  507. WOLFSSL_MSG("WOLFSSL_QUIC_DO_HANDSHAKE not a QUIC SSL");
  508. ret = WOLFSSL_FAILURE;
  509. goto cleanup;
  510. }
  511. while (ssl->options.handShakeState != HANDSHAKE_DONE) {
  512. /* Peculiar: do_handshake() is successful, but the state
  513. * indicates that we are not DONE. This seems to happen
  514. * when resuming sessions and an EARLY_DATA indicator
  515. * is presented by the client.
  516. * Theory: wolfSSL expects the APP to read the early data
  517. * and silently continues the handshake when the EndOfEarlyData
  518. * and the client Finished arrives.
  519. * This confuses the QUIC state handling.
  520. */
  521. #ifdef WOLFSSL_EARLY_DATA
  522. if (ssl->options.maxEarlyDataSz) {
  523. byte tmpbuffer[256];
  524. int len;
  525. if (ssl->options.side == WOLFSSL_CLIENT_END) {
  526. if (ssl->options.resuming) {
  527. ret = wolfSSL_write_early_data(ssl, tmpbuffer, 0, &len);
  528. }
  529. }
  530. else {
  531. ret = wolfSSL_read_early_data(ssl, tmpbuffer,
  532. sizeof(tmpbuffer), &len);
  533. if (ret < 0 && ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN)) {
  534. /* this is expected, since QUIC handles the actual early
  535. * data separately. */
  536. ret = WOLFSSL_SUCCESS;
  537. }
  538. }
  539. if (ret < 0) {
  540. goto cleanup;
  541. }
  542. }
  543. #endif /* WOLFSSL_EARLY_DATA */
  544. ret = wolfSSL_SSL_do_handshake_internal(ssl);
  545. if (ret <= 0)
  546. goto cleanup;
  547. }
  548. cleanup:
  549. if (ret <= 0
  550. && ssl->options.handShakeState == HANDSHAKE_DONE
  551. && (ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN) ||
  552. ssl->error == WC_NO_ERR_TRACE(WANT_READ)))
  553. {
  554. ret = WOLFSSL_SUCCESS;
  555. }
  556. if (ret == WOLFSSL_SUCCESS) {
  557. ssl->error = WOLFSSL_ERROR_NONE;
  558. }
  559. WOLFSSL_LEAVE("wolfSSL_quic_do_handshake", ret);
  560. return ret;
  561. }
  562. int wolfSSL_quic_read_write(WOLFSSL* ssl)
  563. {
  564. int ret = WOLFSSL_SUCCESS;
  565. WOLFSSL_ENTER("wolfSSL_quic_read_write");
  566. if (!wolfSSL_is_quic(ssl)) {
  567. WOLFSSL_MSG("WOLFSSL_QUIC_READ_WRITE not a QUIC SSL");
  568. ret = WOLFSSL_FAILURE;
  569. goto cleanup;
  570. }
  571. if (ssl->options.handShakeState != HANDSHAKE_DONE) {
  572. ret = wolfSSL_quic_do_handshake(ssl);
  573. if (ret != WOLFSSL_SUCCESS)
  574. goto cleanup;
  575. }
  576. ret = wolfSSL_process_quic_post_handshake(ssl);
  577. cleanup:
  578. WOLFSSL_LEAVE("wolfSSL_quic_read_write", ret);
  579. return ret;
  580. }
  581. int wolfSSL_process_quic_post_handshake(WOLFSSL* ssl)
  582. {
  583. int ret = WOLFSSL_SUCCESS, nret;
  584. WOLFSSL_ENTER("wolfSSL_process_quic_post_handshake");
  585. if (!wolfSSL_is_quic(ssl)) {
  586. WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS not a QUIC SSL");
  587. ret = WOLFSSL_FAILURE;
  588. goto cleanup;
  589. }
  590. if (ssl->options.handShakeState != HANDSHAKE_DONE) {
  591. WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS handshake is not done yet");
  592. ret = WOLFSSL_FAILURE;
  593. goto cleanup;
  594. }
  595. while (ssl->quic.input_head != NULL
  596. || ssl->buffers.inputBuffer.length > 0) {
  597. if ((nret = ProcessReply(ssl)) < 0) {
  598. ret = nret;
  599. break;
  600. }
  601. }
  602. while (ssl->buffers.outputBuffer.length > 0) {
  603. SendBuffered(ssl);
  604. }
  605. cleanup:
  606. WOLFSSL_LEAVE("wolfSSL_process_quic_post_handshake", ret);
  607. return ret;
  608. }
  609. int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  610. const uint8_t* data, size_t len)
  611. {
  612. int ret = WOLFSSL_SUCCESS;
  613. size_t l;
  614. WOLFSSL_ENTER("wolfSSL_provide_quic_data");
  615. if (!wolfSSL_is_quic(ssl)) {
  616. WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA not a QUIC SSL");
  617. ret = WOLFSSL_FAILURE;
  618. goto cleanup;
  619. }
  620. if (level < wolfSSL_quic_read_level(ssl)
  621. || (ssl->quic.input_tail && level < ssl->quic.input_tail->level)
  622. || level < ssl->quic.enc_level_latest_recvd) {
  623. WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
  624. ret = WOLFSSL_FAILURE;
  625. goto cleanup;
  626. }
  627. while (len > 0) {
  628. if (ssl->quic.scratch) {
  629. if (ssl->quic.scratch->level != level) {
  630. WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
  631. ret = WOLFSSL_FAILURE;
  632. goto cleanup;
  633. }
  634. ret = quic_record_append(ssl, ssl->quic.scratch, data, len, &l);
  635. if (ret != WOLFSSL_SUCCESS) {
  636. goto cleanup;
  637. }
  638. data += l;
  639. len -= l;
  640. if (quic_record_complete(ssl->quic.scratch)) {
  641. if (ssl->quic.input_tail) {
  642. ssl->quic.input_tail->next = ssl->quic.scratch;
  643. ssl->quic.input_tail = ssl->quic.scratch;
  644. }
  645. else {
  646. ssl->quic.input_head = ssl->quic.input_tail =
  647. ssl->quic.scratch;
  648. }
  649. ssl->quic.scratch = NULL;
  650. }
  651. }
  652. else {
  653. /* start of next record with all bytes for the header */
  654. ssl->quic.scratch = quic_record_make(ssl, level, data, len);
  655. if (!ssl->quic.scratch) {
  656. ret = WOLFSSL_FAILURE;
  657. goto cleanup;
  658. }
  659. }
  660. }
  661. ssl->quic.enc_level_latest_recvd = level;
  662. cleanup:
  663. WOLFSSL_LEAVE("wolfSSL_provide_quic_data", ret);
  664. return ret;
  665. }
  666. /* Called internally when SSL wants a certain amount of input. */
  667. int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
  668. {
  669. sword32 n = 0;
  670. int transferred = 0;
  671. WOLFSSL_ENTER("wolfSSL_quic_receive");
  672. while (sz > 0) {
  673. n = 0;
  674. if (ssl->quic.input_head) {
  675. n = quic_record_transfer(ssl->quic.input_head, buf, sz);
  676. /* record too small to be fit into a RecordLayerHeader struct. */
  677. if (n == -1) {
  678. return WOLFSSL_FATAL_ERROR;
  679. }
  680. if (quic_record_done(ssl->quic.input_head)) {
  681. QuicRecord* qr = ssl->quic.input_head;
  682. ssl->quic.input_head = qr->next;
  683. if (!qr->next) {
  684. ssl->quic.input_tail = NULL;
  685. }
  686. quic_record_free(ssl, qr);
  687. }
  688. }
  689. if (n == 0) {
  690. if (transferred > 0) {
  691. goto cleanup;
  692. }
  693. ssl->error = transferred = WANT_READ;
  694. goto cleanup;
  695. }
  696. sz -= (word32)n;
  697. buf += n;
  698. transferred += (int)n;
  699. }
  700. cleanup:
  701. WOLFSSL_LEAVE("wolfSSL_quic_receive", transferred);
  702. return transferred;
  703. }
  704. /**
  705. * We need to forward the HANDSHAKE messages to the QUIC protocol stack
  706. * via ssl->quic.method->add_handshake_data().
  707. * The messages in the output buffer are unencrypted TLS records. We need
  708. * to forward the content of those records.
  709. */
  710. static int wolfSSL_quic_send_internal(WOLFSSL* ssl)
  711. {
  712. int ret = 0, aret;
  713. size_t len;
  714. RecordLayerHeader* rl;
  715. word16 rlen;
  716. word32 idx, length;
  717. byte* output;
  718. WOLFSSL_ENTER("wolfSSL_quic_send");
  719. idx = ssl->buffers.outputBuffer.idx;
  720. length = ssl->buffers.outputBuffer.length;
  721. output = ssl->buffers.outputBuffer.buffer + idx;
  722. while (length > 0) {
  723. if (ssl->quic.output_rec_remain > 0) {
  724. len = ssl->quic.output_rec_remain;
  725. if (len > length) {
  726. len = length;
  727. }
  728. aret = ssl->quic.method->add_handshake_data(ssl,
  729. ssl->quic.output_rec_level, (const uint8_t*)output, len);
  730. if (aret != 1) {
  731. /* The application has an error. General disaster. */
  732. WOLFSSL_MSG("WOLFSSL_QUIC_SEND application failed");
  733. ret = FWRITE_ERROR;
  734. goto cleanup;
  735. }
  736. output += len;
  737. length -= (word32)len;
  738. ssl->quic.output_rec_remain -= (word32)len;
  739. }
  740. else {
  741. /* at start of a TLS Record */
  742. rl = (RecordLayerHeader*)output;
  743. ato16(rl->length, &rlen);
  744. output += RECORD_HEADER_SZ;
  745. length -= RECORD_HEADER_SZ;
  746. ssl->quic.output_rec_remain = rlen;
  747. ssl->quic.output_rec_level = ssl->quic.enc_level_write;
  748. if (rl->type == application_data) {
  749. if (ssl->options.handShakeState != HANDSHAKE_DONE) {
  750. ssl->quic.output_rec_level = wolfssl_encryption_early_data;
  751. }
  752. else {
  753. WOLFSSL_MSG("WOLFSSL_QUIC_SEND app data after handshake");
  754. ret = FWRITE_ERROR;
  755. goto cleanup;
  756. }
  757. }
  758. }
  759. }
  760. ssl->buffers.outputBuffer.idx = 0;
  761. ssl->buffers.outputBuffer.length = 0;
  762. cleanup:
  763. WOLFSSL_LEAVE("wolfSSL_quic_send", ret);
  764. return ret;
  765. }
  766. int wolfSSL_quic_send(WOLFSSL* ssl)
  767. {
  768. return wolfSSL_quic_send_internal(ssl);
  769. }
  770. int wolfSSL_quic_forward_secrets(WOLFSSL* ssl, int ktype, int side)
  771. {
  772. const uint8_t* rx_secret = NULL, *tx_secret = NULL;
  773. WOLFSSL_ENCRYPTION_LEVEL level;
  774. int ret = 0;
  775. WOLFSSL_ENTER("wolfSSL_quic_forward_secrets");
  776. switch (ktype) {
  777. case early_data_key:
  778. level = wolfssl_encryption_early_data;
  779. break;
  780. case handshake_key:
  781. level = wolfssl_encryption_handshake;
  782. break;
  783. case traffic_key:
  784. FALL_THROUGH;
  785. case update_traffic_key:
  786. level = wolfssl_encryption_application;
  787. break;
  788. case no_key:
  789. FALL_THROUGH;
  790. default:
  791. /* ignore */
  792. goto cleanup;
  793. }
  794. if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
  795. tx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
  796. ssl->clientSecret : ssl->serverSecret;
  797. }
  798. if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
  799. rx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
  800. ssl->serverSecret : ssl->clientSecret;
  801. }
  802. if (!tx_secret && !rx_secret) {
  803. WOLFSSL_MSG("WOLFSSL_QUIC_FORWARD_SECRETS neither "
  804. "enc- nor decrypt specified");
  805. goto cleanup;
  806. }
  807. ret = !ssl->quic.method->set_encryption_secrets(
  808. ssl, level, rx_secret, tx_secret, ssl->specs.hash_size);
  809. /* Having installed the secrets, any future read/write will happen
  810. * at the level. Except early data, which is detected on the record
  811. * type and the handshake state. */
  812. if (ktype == early_data_key) {
  813. goto cleanup;
  814. }
  815. if (tx_secret && ssl->quic.enc_level_write != level) {
  816. ssl->quic.enc_level_write_next = level;
  817. }
  818. if (rx_secret && ssl->quic.enc_level_read != level) {
  819. ssl->quic.enc_level_read_next = level;
  820. }
  821. cleanup:
  822. WOLFSSL_LEAVE("wolfSSL_quic_forward_secrets", ret);
  823. return ret;
  824. }
  825. int wolfSSL_quic_keys_active(WOLFSSL* ssl, enum encrypt_side side)
  826. {
  827. int ret = 0;
  828. WOLFSSL_ENTER("wolfSSL_quic_keys_active");
  829. /* Keys derived from recent secrets have been activated */
  830. if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
  831. /* If there is data in the output buffers, it was supposed to be
  832. * encrypted at the previous level. We need to remember that when
  833. * forwarding this data to the QUIC protocol application. */
  834. if (ssl->buffers.outputBuffer.length > 0) {
  835. ret = wolfSSL_quic_send_internal(ssl);
  836. if (ret)
  837. goto cleanup;
  838. }
  839. ssl->quic.enc_level_write = ssl->quic.enc_level_write_next;
  840. }
  841. if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
  842. ssl->quic.enc_level_read = ssl->quic.enc_level_read_next;
  843. }
  844. cleanup:
  845. WOLFSSL_LEAVE("wolfSSL_quic_keys_active", ret);
  846. return ret;
  847. }
  848. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl)
  849. {
  850. WOLFSSL_CIPHER* cipher = NULL;
  851. const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
  852. if (ssl == NULL) {
  853. return NULL;
  854. }
  855. cipher = wolfSSL_get_current_cipher(ssl);
  856. if (cipher == NULL) {
  857. return NULL;
  858. }
  859. switch (cipher->cipherSuite) {
  860. #if !defined(NO_AES) && defined(HAVE_AESGCM)
  861. case TLS_AES_128_GCM_SHA256:
  862. evp_cipher = wolfSSL_EVP_aes_128_gcm();
  863. break;
  864. case TLS_AES_256_GCM_SHA384:
  865. evp_cipher = wolfSSL_EVP_aes_256_gcm();
  866. break;
  867. #endif
  868. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
  869. case TLS_CHACHA20_POLY1305_SHA256:
  870. evp_cipher = wolfSSL_EVP_chacha20_poly1305();
  871. break;
  872. #endif
  873. #if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
  874. case TLS_AES_128_CCM_SHA256:
  875. evp_cipher = wolfSSL_EVP_aes_128_ccm();
  876. break;
  877. case TLS_AES_128_CCM_8_SHA256:
  878. WOLFSSL_MSG("wolfSSL_quic_get_aead: no CCM-8 support in EVP layer");
  879. evp_cipher = NULL;
  880. break;
  881. #endif
  882. default:
  883. evp_cipher = NULL;
  884. break;
  885. }
  886. if (!evp_cipher) {
  887. /* should not happen, as SSL* should not have negotiated it? */
  888. WOLFSSL_MSG("wolfSSL_quic_get_aead: current cipher not supported");
  889. return NULL;
  890. }
  891. return evp_cipher;
  892. }
  893. /* currently only used if HAVE_CHACHA && HAVE_POLY1305. */
  894. WC_MAYBE_UNUSED static int evp_cipher_eq(const WOLFSSL_EVP_CIPHER* c1,
  895. const WOLFSSL_EVP_CIPHER* c2)
  896. {
  897. /* We could check on nid equality, but we seem to have singulars */
  898. return c1 == c2;
  899. }
  900. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
  901. {
  902. WOLFSSL_CIPHER* cipher = NULL;
  903. const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
  904. if (ssl == NULL) {
  905. return NULL;
  906. }
  907. cipher = wolfSSL_get_current_cipher(ssl);
  908. if (cipher == NULL) {
  909. return NULL;
  910. }
  911. switch (cipher->cipherSuite) {
  912. #if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_COUNTER)
  913. /* This has to be CTR even though the spec says that ECB is used for
  914. * mask generation. ngtcp2_crypto_hp_mask uses a hack where they pass
  915. * in the "ECB" input as the IV for the CTR cipher and then the input
  916. * is just a cleared buffer. They do this so that the EVP
  917. * init-update-final cycle can be used without the padding that is added
  918. * for EVP_aes_(128|256)_ecb. */
  919. #if defined(WOLFSSL_AES_128)
  920. case TLS_AES_128_GCM_SHA256:
  921. evp_cipher = wolfSSL_EVP_aes_128_ctr();
  922. break;
  923. #endif
  924. #if defined(WOLFSSL_AES_256)
  925. case TLS_AES_256_GCM_SHA384:
  926. evp_cipher = wolfSSL_EVP_aes_256_ctr();
  927. break;
  928. #endif
  929. #endif
  930. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
  931. case TLS_CHACHA20_POLY1305_SHA256:
  932. evp_cipher = wolfSSL_EVP_chacha20();
  933. break;
  934. #endif
  935. #if !defined(NO_AES) && defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && \
  936. defined(WOLFSSL_AES_COUNTER)
  937. /* This has to be CTR. See comment above. */
  938. case TLS_AES_128_CCM_SHA256:
  939. evp_cipher = wolfSSL_EVP_aes_128_ctr();
  940. break;
  941. case TLS_AES_128_CCM_8_SHA256:
  942. WOLFSSL_MSG("wolfSSL_quic_get_hp: no CCM-8 support in EVP layer");
  943. evp_cipher = NULL;
  944. break;
  945. #endif
  946. default:
  947. evp_cipher = NULL;
  948. break;
  949. }
  950. if (!evp_cipher) {
  951. /* should not happen, as SSL* should not have negotiated it? */
  952. WOLFSSL_MSG("wolfSSL_quic_get_hp: current cipher not supported");
  953. return NULL;
  954. }
  955. return evp_cipher;
  956. }
  957. size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher)
  958. {
  959. size_t ret;
  960. #ifdef WOLFSSL_SMALL_STACK
  961. WOLFSSL_EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
  962. if (ctx == NULL)
  963. return 0;
  964. #else
  965. WOLFSSL_EVP_CIPHER_CTX ctx[1];
  966. #endif
  967. XMEMSET(ctx, 0, sizeof(*ctx));
  968. if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0)
  969. == WOLFSSL_SUCCESS) {
  970. ret = (size_t)ctx->authTagSz;
  971. } else {
  972. ret = 0;
  973. }
  974. (void)wolfSSL_EVP_CIPHER_CTX_cleanup(ctx);
  975. #ifdef WOLFSSL_SMALL_STACK
  976. XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  977. #endif
  978. return ret;
  979. }
  980. int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher)
  981. {
  982. return WOLFSSL_EVP_CIPHER_mode(aead_cipher) == WOLFSSL_EVP_CIPH_GCM_MODE;
  983. }
  984. int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER* aead_cipher)
  985. {
  986. return WOLFSSL_EVP_CIPHER_mode(aead_cipher) == WOLFSSL_EVP_CIPH_CCM_MODE;
  987. }
  988. int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER* aead_cipher)
  989. {
  990. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
  991. return evp_cipher_eq(aead_cipher, wolfSSL_EVP_chacha20_poly1305());
  992. #else
  993. (void)aead_cipher;
  994. return 0;
  995. #endif
  996. }
  997. const WOLFSSL_EVP_MD* wolfSSL_quic_get_md(WOLFSSL* ssl)
  998. {
  999. /* a copy from the handshake md setup */
  1000. switch(ssl->specs.mac_algorithm) {
  1001. case no_mac:
  1002. #ifndef NO_MD5
  1003. case md5_mac:
  1004. return wolfSSL_EVP_md5();
  1005. #endif
  1006. #ifndef NO_SHA
  1007. case sha_mac:
  1008. return wolfSSL_EVP_sha1();
  1009. #endif
  1010. #ifdef WOLFSSL_SHA224
  1011. case sha224_mac:
  1012. return wolfSSL_EVP_sha224();
  1013. #endif
  1014. case sha256_mac:
  1015. return wolfSSL_EVP_sha256();
  1016. #ifdef WOLFSSL_SHA384
  1017. case sha384_mac:
  1018. return wolfSSL_EVP_sha384();
  1019. #endif
  1020. #ifdef WOLFSSL_SHA512
  1021. case sha512_mac:
  1022. return wolfSSL_EVP_sha512();
  1023. #endif
  1024. case rmd_mac:
  1025. case blake2b_mac:
  1026. WOLFSSL_MSG("no suitable EVP_MD");
  1027. return NULL;
  1028. default:
  1029. WOLFSSL_MSG("Unknown mac algorithm");
  1030. return NULL;
  1031. }
  1032. }
  1033. #ifdef OPENSSL_EXTRA
  1034. int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md,
  1035. const uint8_t* secret, size_t secretlen,
  1036. const uint8_t* salt, size_t saltlen)
  1037. {
  1038. WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
  1039. size_t destlen = (size_t)wolfSSL_EVP_MD_size(md);
  1040. int ret = WOLFSSL_SUCCESS;
  1041. WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract");
  1042. pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
  1043. if (pctx == NULL) {
  1044. ret = WOLFSSL_FAILURE;
  1045. goto cleanup;
  1046. }
  1047. if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
  1048. || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
  1049. pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS
  1050. || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
  1051. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
  1052. pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
  1053. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
  1054. pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
  1055. || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
  1056. ret = WOLFSSL_FAILURE;
  1057. goto cleanup;
  1058. }
  1059. cleanup:
  1060. if (pctx)
  1061. wolfSSL_EVP_PKEY_CTX_free(pctx);
  1062. WOLFSSL_LEAVE("wolfSSL_quic_hkdf_extract", ret);
  1063. return ret;
  1064. }
  1065. int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen,
  1066. const WOLFSSL_EVP_MD* md,
  1067. const uint8_t* secret, size_t secretlen,
  1068. const uint8_t* info, size_t infolen)
  1069. {
  1070. WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
  1071. int ret = WOLFSSL_SUCCESS;
  1072. WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand");
  1073. pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
  1074. if (pctx == NULL) {
  1075. ret = WOLFSSL_FAILURE;
  1076. goto cleanup;
  1077. }
  1078. if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
  1079. || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
  1080. pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS
  1081. || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
  1082. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
  1083. pctx, (byte*)"", 0) != WOLFSSL_SUCCESS
  1084. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
  1085. pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
  1086. || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
  1087. pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
  1088. || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
  1089. ret = WOLFSSL_FAILURE;
  1090. goto cleanup;
  1091. }
  1092. cleanup:
  1093. if (pctx)
  1094. EVP_PKEY_CTX_free(pctx);
  1095. WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret);
  1096. return ret;
  1097. }
  1098. int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
  1099. const WOLFSSL_EVP_MD* md,
  1100. const uint8_t* secret, size_t secretlen,
  1101. const uint8_t* salt, size_t saltlen,
  1102. const uint8_t* info, size_t infolen)
  1103. {
  1104. WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
  1105. int ret = WOLFSSL_SUCCESS;
  1106. WOLFSSL_ENTER("wolfSSL_quic_hkdf");
  1107. pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
  1108. if (pctx == NULL) {
  1109. ret = WOLFSSL_FAILURE;
  1110. goto cleanup;
  1111. }
  1112. if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
  1113. || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
  1114. pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS
  1115. || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
  1116. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
  1117. pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
  1118. || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
  1119. pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
  1120. || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
  1121. pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
  1122. || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
  1123. ret = WOLFSSL_FAILURE;
  1124. goto cleanup;
  1125. }
  1126. cleanup:
  1127. if (pctx)
  1128. EVP_PKEY_CTX_free(pctx);
  1129. WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret);
  1130. return ret;
  1131. }
  1132. #endif /* OPENSSL_EXTRA */
  1133. WOLFSSL_EVP_CIPHER_CTX* wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER* cipher,
  1134. const uint8_t* key,
  1135. const uint8_t* iv,
  1136. int encrypt)
  1137. {
  1138. WOLFSSL_EVP_CIPHER_CTX* ctx;
  1139. ctx = wolfSSL_EVP_CIPHER_CTX_new();
  1140. if (ctx == NULL) {
  1141. return NULL;
  1142. }
  1143. if (wolfSSL_EVP_CipherInit(ctx, cipher, key, iv, encrypt)
  1144. != WOLFSSL_SUCCESS) {
  1145. wolfSSL_EVP_CIPHER_CTX_free(ctx);
  1146. return NULL;
  1147. }
  1148. return ctx;
  1149. }
  1150. int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
  1151. const uint8_t* plain, size_t plainlen,
  1152. const uint8_t* iv, const uint8_t* aad,
  1153. size_t aadlen)
  1154. {
  1155. int len;
  1156. /* A case can be made if this really should be a function in wolfSSL, since
  1157. * the same should be doable from the API by a QUIC protocol stack.
  1158. * What speaks for this:
  1159. * - it gives us a decent testing point
  1160. * - API users do not have to re-invent (it fits into ngtcp2 use).
  1161. * picotls offers a similar abstraction level for AEAD.
  1162. * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers
  1163. * which we need to check.
  1164. */
  1165. if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS
  1166. || wolfSSL_EVP_CipherUpdate(
  1167. ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS
  1168. || wolfSSL_EVP_CipherUpdate(
  1169. ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS
  1170. || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS
  1171. || wolfSSL_EVP_CIPHER_CTX_ctrl(
  1172. ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen)
  1173. != WOLFSSL_SUCCESS) {
  1174. return WOLFSSL_FAILURE;
  1175. }
  1176. return WOLFSSL_SUCCESS;
  1177. }
  1178. int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
  1179. const uint8_t* enc, size_t enclen,
  1180. const uint8_t* iv, const uint8_t* aad,
  1181. size_t aadlen)
  1182. {
  1183. int len;
  1184. const uint8_t* tag;
  1185. /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */
  1186. if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) {
  1187. return WOLFSSL_FAILURE;
  1188. }
  1189. enclen -= (size_t)ctx->authTagSz;
  1190. tag = enc + enclen;
  1191. if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS
  1192. || wolfSSL_EVP_CIPHER_CTX_ctrl(
  1193. ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag)
  1194. != WOLFSSL_SUCCESS
  1195. || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen)
  1196. != WOLFSSL_SUCCESS
  1197. || wolfSSL_EVP_CipherUpdate(ctx, dest, &len, enc, (int)enclen)
  1198. != WOLFSSL_SUCCESS
  1199. || wolfSSL_EVP_CipherFinal(ctx, dest, &len) != WOLFSSL_SUCCESS) {
  1200. return WOLFSSL_FAILURE;
  1201. }
  1202. return WOLFSSL_SUCCESS;
  1203. }
  1204. #endif /* WOLFSSL_QUIC */
  1205. #endif /* WOLFCRYPT_ONLY */