Home Explore Help
Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: 6b6ad38e4f
Branches Tags
wolfssl
/
src
/
quic.c

quic.c 40 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348 
  1. /* quic.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2023 wolfSSL Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of wolfSSL.
    6. 

  6.  *
    7. 

  7.  * wolfSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * wolfSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
    20. 

  20.  */
    21. 

  21. 

  22. 

  23.   /* Name change compatibility layer no longer needs to be included here */
    24. 

  24. 

  25. #ifdef HAVE_CONFIG_H
    26. 

  26.     #include <config.h>
    27. 

  27. #endif
    28. 

  28. 

  29. #include <wolfssl/wolfcrypt/settings.h>
    30. 

  30. #ifdef NO_INLINE
    31. 

  31.     #include <wolfssl/wolfcrypt/misc.h>
    32. 

  32. #else
    33. 

  33.     #define WOLFSSL_MISC_INCLUDED
    34. 

  34.     #include <wolfcrypt/src/misc.c>
    35. 

  35. #endif
    36. 

  36. 

  37. #ifndef WOLFCRYPT_ONLY
    38. 

  38. #ifdef WOLFSSL_QUIC
    39. 

  39. 

  40. #include <wolfssl/error-ssl.h>
    41. 

  41. #include <wolfssl/ssl.h>
    42. 

  42. #include <wolfssl/internal.h>
    43. 

  43. 

  44. #include <wolfssl/openssl/buffer.h>
    45. 

  45. #include <wolfssl/openssl/ecdsa.h>
    46. 

  46. #include <wolfssl/openssl/evp.h>
    47. 

  47. #include <wolfssl/openssl/kdf.h>
    48. 

  48. 

  49. 

  50. static int qr_length(const uint8_t *data, size_t len)
    51. 

  51. {
    52. 

  52.     word32 rlen;
    53. 

  53.     if (len < 4) {
    54. 

  54.         return 0;
    55. 

  55.     }
    56. 

  56.     c24to32(&data[1], &rlen);
    57. 

  57.     return (int)rlen + 4;
    58. 

  58. }
    59. 

  59. 

  60. static void quic_record_free(WOLFSSL *ssl, QuicRecord *r)
    61. 

  61. {
    62. 

  62.     (void)ssl;
    63. 

  63.     if (r->data) {
    64. 

  64.         ForceZero(r->data, r->capacity);
    65. 

  65.         XFREE(r->data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    66. 

  66.     }
    67. 

  67.     XFREE(r, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    68. 

  68. }
    69. 

  69. 

  70. 

  71. static QuicRecord *quic_record_make(WOLFSSL *ssl,
    72. 

  72.                                     WOLFSSL_ENCRYPTION_LEVEL level,
    73. 

  73.                                     const uint8_t *data, size_t len)
    74. 

  74. {
    75. 

  75.     QuicRecord *qr;
    76. 

  76. 

  77.     qr = (QuicRecord*)XMALLOC(sizeof(*qr), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    78. 

  78.     if (qr) {
    79. 

  79.         memset(qr, 0, sizeof(*qr));
    80. 

  80.         qr->level = level;
    81. 

  81.         if (level == wolfssl_encryption_early_data) {
    82. 

  82.             qr->capacity = qr->len = (word32)len;
    83. 

  83.         }
    84. 

  84.         else {
    85. 

  85.             qr->capacity = qr->len = qr_length(data, len);
    86. 

  86.         }
    87. 

  87.         if (qr->capacity == 0) {
    88. 

  88.             qr->capacity = 2*1024;
    89. 

  89.         }
    90. 

  90.         qr->data = (uint8_t*)XMALLOC(qr->capacity, ssl->heap,
    91. 

  91.                                      DYNAMIC_TYPE_TMP_BUFFER);
    92. 

  92.         if (!qr->data) {
    93. 

  93.             quic_record_free(ssl, qr);
    94. 

  94.             return NULL;
    95. 

  95.         }
    96. 

  96.     }
    97. 

  97.     return qr;
    98. 

  98. }
    99. 

  99. 

  100. static int quic_record_complete(QuicRecord *r)
    101. 

  101. {
    102. 

  102.     return r->len && r->end >= r->len;
    103. 

  103. }
    104. 

  104. 

  105. static int quic_record_done(QuicRecord *r)
    106. 

  106. {
    107. 

  107.     return r->len && r->end >= r->len && r->start >= r->end;
    108. 

  108. }
    109. 

  109. 

  110. static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
    111. 

  111.                               size_t len, size_t *pconsumed)
    112. 

  112. {
    113. 

  113.     size_t missing, consumed = 0;
    114. 

  114.     int ret = WOLFSSL_SUCCESS;
    115. 

  115. 

  116.     (void)ssl;
    117. 

  117.     if (!qr->len && len) {
    118. 

  118.         missing = 4 - qr->end;
    119. 

  119.         if (len < missing) {
    120. 

  120.             XMEMCPY(qr->data + qr->end, data, len);
    121. 

  121.             qr->end += len;
    122. 

  122.             consumed = len;
    123. 

  123.             goto cleanup; /* len consumed, but qr->len still unkown */
    124. 

  124.         }
    125. 

  125.         XMEMCPY(qr->data + qr->end, data, missing);
    126. 

  126.         qr->end += missing;
    127. 

  127.         len -= missing;
    128. 

  128.         data += missing;
    129. 

  129.         consumed = missing;
    130. 

  130. 

  131.         qr->len = qr_length(qr->data, qr->end);
    132. 

  132.         if (qr->len > qr->capacity) {
    133. 

  133.             uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->head,
    134. 

  134.                                                 DYNAMIC_TYPE_TMP_BUFFER);
    135. 

  135.             if (!ndata) {
    136. 

  136.                 ret = WOLFSSL_FAILURE;
    137. 

  137.                 goto cleanup;
    138. 

  138.             }
    139. 

  139.             qr->data = ndata;
    140. 

  140.             qr->capacity = qr->len;
    141. 

  141.         }
    142. 

  142.     }
    143. 

  143. 

  144.     if (quic_record_complete(qr) || len == 0) {
    145. 

  145.         return 0;
    146. 

  146.     }
    147. 

  147. 

  148.     missing = qr->len - qr->end;
    149. 

  149.     if (len > missing) {
    150. 

  150.         len = missing;
    151. 

  151.     }
    152. 

  152.     XMEMCPY(qr->data + qr->end, data, len);
    153. 

  153.     qr->end += len;
    154. 

  154.     consumed += len;
    155. 

  155. 

  156. cleanup:
    157. 

  157.     *pconsumed = (ret == WOLFSSL_SUCCESS) ? consumed : 0;
    158. 

  158.     return ret;
    159. 

  159. }
    160. 

  160. 

  161. 

  162. static word32 add_rec_header(byte* output, word32 length, int type)
    163. 

  163. {
    164. 

  164.     RecordLayerHeader* rl;
    165. 

  165. 

  166.     /* record layer header */
    167. 

  167.     rl = (RecordLayerHeader*)output;
    168. 

  168.     if (rl == NULL) {
    169. 

  169.         return 0;
    170. 

  170.     }
    171. 

  171.     rl->type    = type;
    172. 

  172.     rl->pvMajor = SSLv3_MAJOR;
    173. 

  173.     rl->pvMinor = TLSv1_2_MINOR;
    174. 

  174.     c16toa((word16)length, rl->length);
    175. 

  175.     return RECORD_HEADER_SZ;
    176. 

  176. }
    177. 

  177. 

  178. static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
    179. 

  179. {
    180. 

  180.     word32 len = qr->end - qr->start;
    181. 

  181.     word32 offset = 0;
    182. 

  182.     word16 rlen;
    183. 

  183. 

  184.     if (len <= 0) {
    185. 

  185.         return 0;
    186. 

  186.     }
    187. 

  187.     if (qr->rec_hdr_remain == 0) {
    188. 

  188.         /* start a new TLS record */
    189. 

  189.         rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
    190. 

  190.                 qr->len : (word32)MAX_RECORD_SIZE;
    191. 

  191.         offset += add_rec_header(buf, rlen,
    192. 

  192.                                  (qr->level == wolfssl_encryption_early_data) ?
    193. 

  193.                                   application_data : handshake);
    194. 

  194.         qr->rec_hdr_remain = rlen;
    195. 

  195.         sz -= offset;
    196. 

  196.     }
    197. 

  197.     if (len > qr->rec_hdr_remain) {
    198. 

  198.         len = qr->rec_hdr_remain;
    199. 

  199.     }
    200. 

  200.     if (len > sz) {
    201. 

  201.         len = sz;
    202. 

  202.     }
    203. 

  203.     if (len > 0) {
    204. 

  204.         XMEMCPY(buf + offset, qr->data + qr->start, len);
    205. 

  205.         qr->start += len;
    206. 

  206.         qr->rec_hdr_remain -= len;
    207. 

  207.     }
    208. 

  208.     return len + offset;
    209. 

  209. }
    210. 

  210. 

  211. 

  212. const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
    213. 

  213.                                                  size_t len, void* heap)
    214. 

  214. {
    215. 

  215.     QuicTransportParam* tp;
    216. 

  216. 

  217.     if (len > 65353) return NULL;
    218. 

  218.     tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
    219. 

  219.     if (!tp) return NULL;
    220. 

  220.     tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
    221. 

  221.     if (!tp->data) {
    222. 

  222.         XFREE(tp, heap, DYNAMIC_TYPE_TLSX);
    223. 

  223.         return NULL;
    224. 

  224.     }
    225. 

  225.     XMEMCPY((uint8_t*)tp->data, data, len);
    226. 

  226.     tp->len = len;
    227. 

  227.     return tp;
    228. 

  228. }
    229. 

  229. 

  230. const QuicTransportParam* QuicTransportParam_dup(const QuicTransportParam* tp,
    231. 

  231.                                                  void* heap)
    232. 

  232. {
    233. 

  233.     QuicTransportParam* tp2;
    234. 

  234.     tp2 = (QuicTransportParam*)XMALLOC(sizeof(*tp2), heap, DYNAMIC_TYPE_TLSX);
    235. 

  235.     if (!tp2) return NULL;
    236. 

  236.     tp2->data = (uint8_t*)XMALLOC(tp->len, heap, DYNAMIC_TYPE_TLSX);
    237. 

  237.     if (!tp2->data) {
    238. 

  238.         XFREE(tp2, heap, DYNAMIC_TYPE_TLSX);
    239. 

  239.         return NULL;
    240. 

  240.     }
    241. 

  241.     XMEMCPY((uint8_t*)tp2->data, tp->data, tp->len);
    242. 

  242.     tp2->len = tp->len;
    243. 

  243.     return tp2;
    244. 

  244. }
    245. 

  245. 

  246. void QuicTransportParam_free(const QuicTransportParam* tp, void* heap)
    247. 

  247. {
    248. 

  248.     (void)heap;
    249. 

  249.     if (tp) {
    250. 

  250.         if (tp->data) XFREE((uint8_t*)tp->data, heap, DYNAMIC_TYPE_TLSX);
    251. 

  251.         XFREE((void*)tp, heap, DYNAMIC_TYPE_TLSX);
    252. 

  252.     }
    253. 

  253. }
    254. 

  254. 

  255. 

  256. void wolfSSL_quic_clear(WOLFSSL* ssl)
    257. 

  257. {
    258. 

  258.     QuicEncData* qd;
    259. 

  259. 

  260.     /* keep
    261. 

  261.      * - ssl->quic.transport_local
    262. 

  262.      * - ssl->quic.method
    263. 

  263.      * - ssl->quic.transport_version
    264. 

  264.      * reset/free everything else
    265. 

  265.      */
    266. 

  266.     if (ssl->quic.transport_peer) {
    267. 

  267.         QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    268. 

  268.         ssl->quic.transport_peer = NULL;
    269. 

  269.     }
    270. 

  270.     if (ssl->quic.transport_peer_draft) {
    271. 

  271.         QTP_FREE(ssl->quic.transport_peer_draft, ssl->heap);
    272. 

  272.         ssl->quic.transport_peer_draft = NULL;
    273. 

  273.     }
    274. 

  274.     ssl->quic.enc_level_write = wolfssl_encryption_initial;
    275. 

  275.     ssl->quic.enc_level_latest_recvd = wolfssl_encryption_initial;
    276. 

  276. 

  277.     while ((qd = ssl->quic.input_head)) {
    278. 

  278.         ssl->quic.input_head = qd->next;
    279. 

  279.         quic_record_free(ssl, qd);
    280. 

  280.     }
    281. 

  281.     ssl->quic.input_tail = NULL;
    282. 

  282.     ssl->quic.output_rec_remain = 0;
    283. 

  283. 

  284.     if (ssl->quic.scratch) {
    285. 

  285.         quic_record_free(ssl, ssl->quic.scratch);
    286. 

  286.         ssl->quic.scratch = NULL;
    287. 

  287.     }
    288. 

  288. }
    289. 

  289. 

  290. 

  291. void wolfSSL_quic_free(WOLFSSL* ssl)
    292. 

  292. {
    293. 

  293.     wolfSSL_quic_clear(ssl);
    294. 

  294.     if (ssl->quic.transport_local) {
    295. 

  295.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    296. 

  296.         ssl->quic.transport_local = NULL;
    297. 

  297.     }
    298. 

  298. 

  299.     ssl->quic.method = NULL;
    300. 

  300. }
    301. 

  301. 

  302. 

  303. static int ctx_check_quic_compat(const WOLFSSL_CTX* ctx)
    304. 

  304. {
    305. 

  305.     WOLFSSL_ENTER("ctx_check_quic_compat");
    306. 

  306.     if (ctx->method->version.major != SSLv3_MAJOR
    307. 

  307.         || ctx->method->version.minor != TLSv1_3_MINOR
    308. 

  308.         || (ctx->method->downgrade && ctx->minDowngrade < TLSv1_3_MINOR)) {
    309. 

  309.         WOLFSSL_MSG_EX("ctx not quic compatible: vmajor=%d, vminor=%d, downgrade=%d",
    310. 

  310.                        ctx->method->version.major,
    311. 

  311.                        ctx->method->version.minor,
    312. 

  312.                        ctx->method->downgrade
    313. 

  313.                       );
    314. 

  314.         return WOLFSSL_FAILURE;
    315. 

  315.     }
    316. 

  316.     return WOLFSSL_SUCCESS;
    317. 

  317. }
    318. 

  318. 

  319. static int check_method_sanity(const WOLFSSL_QUIC_METHOD* m)
    320. 

  320. {
    321. 

  321.     WOLFSSL_ENTER("check_method_sanity");
    322. 

  322.     if (m && m->set_encryption_secrets
    323. 

  323.         && m->add_handshake_data
    324. 

  324.         && m->flush_flight
    325. 

  325.         && m->send_alert) {
    326. 

  326.         return WOLFSSL_SUCCESS;
    327. 

  327.     }
    328. 

  328.     return WOLFSSL_FAILURE;
    329. 

  329. }
    330. 

  330. 

  331. int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX* ctx,
    332. 

  332.                                 const WOLFSSL_QUIC_METHOD* quic_method)
    333. 

  333. {
    334. 

  334.     WOLFSSL_ENTER("wolfSSL_CTX_set_quic_method");
    335. 

  335.     if (ctx_check_quic_compat(ctx) != WOLFSSL_SUCCESS
    336. 

  336.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    337. 

  337.         return WOLFSSL_FAILURE;
    338. 

  338.     }
    339. 

  339.     ctx->quic.method = quic_method;
    340. 

  340.     return WOLFSSL_SUCCESS;
    341. 

  341. }
    342. 

  342. 

  343. 

  344. int wolfSSL_set_quic_method(WOLFSSL* ssl,
    345. 

  345.                             const WOLFSSL_QUIC_METHOD* quic_method)
    346. 

  346. {
    347. 

  347.     WOLFSSL_ENTER("wolfSSL_set_quic_method");
    348. 

  348.     if (ctx_check_quic_compat(ssl->ctx) != WOLFSSL_SUCCESS
    349. 

  349.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    350. 

  350.         return WOLFSSL_FAILURE;
    351. 

  351.     }
    352. 

  352.     ssl->quic.method = quic_method;
    353. 

  353.     return WOLFSSL_SUCCESS;
    354. 

  354. }
    355. 

  355. 

  356. 

  357. int wolfSSL_is_quic(WOLFSSL* ssl)
    358. 

  358. {
    359. 

  359.     return WOLFSSL_IS_QUIC(ssl);
    360. 

  360. }
    361. 

  361. 

  362. 

  363. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL* ssl)
    364. 

  364. {
    365. 

  365.     return ssl->quic.enc_level_read;
    366. 

  366. }
    367. 

  367. 

  368. 

  369. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL* ssl)
    370. 

  370. {
    371. 

  371.     return ssl->quic.enc_level_write;
    372. 

  372. }
    373. 

  373. 

  374. 

  375. int wolfSSL_set_quic_transport_params(WOLFSSL* ssl,
    376. 

  376.                                       const uint8_t* params,
    377. 

  377.                                       size_t params_len)
    378. 

  378. {
    379. 

  379.     const QuicTransportParam* tp;
    380. 

  380.     int ret = WOLFSSL_SUCCESS;
    381. 

  381. 

  382.     WOLFSSL_ENTER("SSL_set_quic_transport_params");
    383. 

  383. 

  384.     if (!params || params_len == 0) {
    385. 

  385.         tp = NULL;
    386. 

  386.     }
    387. 

  387.     else {
    388. 

  388.         tp = QuicTransportParam_new(params, params_len, ssl->heap);
    389. 

  389.         if (!tp) {
    390. 

  390.             ret = WOLFSSL_FAILURE;
    391. 

  391.             goto cleanup;
    392. 

  392.         }
    393. 

  393.     }
    394. 

  394.     if (ssl->quic.transport_local)
    395. 

  395.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    396. 

  396.     ssl->quic.transport_local = tp;
    397. 

  397. 

  398. cleanup:
    399. 

  399.     WOLFSSL_LEAVE("SSL_set_quic_transport_params", ret);
    400. 

  400.     return ret;
    401. 

  401. }
    402. 

  402. 

  403. 

  404. void wolfSSL_get_peer_quic_transport_params(const WOLFSSL* ssl,
    405. 

  405.                                             const uint8_t** out_params,
    406. 

  406.                                             size_t* out_params_len)
    407. 

  407. {
    408. 

  408.     const QuicTransportParam* tp = ssl->quic.transport_peer ?
    409. 

  409.         ssl->quic.transport_peer : ssl->quic.transport_peer_draft;
    410. 

  410. 

  411.     *out_params = tp ? tp->data : NULL;
    412. 

  412.     *out_params_len = tp ? tp->len : 0;
    413. 

  413. }
    414. 

  414. 

  415. 

  416. int wolfSSL_get_peer_quic_transport_version(const WOLFSSL* ssl)
    417. 

  417. {
    418. 

  418.     return ssl->quic.transport_peer ?
    419. 

  419.         TLSX_KEY_QUIC_TP_PARAMS : (ssl->quic.transport_peer_draft ?
    420. 

  420.         TLSX_KEY_QUIC_TP_PARAMS : -1);
    421. 

  421. }
    422. 

  422. 

  423. 

  424. void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL* ssl, int use_legacy)
    425. 

  425. {
    426. 

  426.     ssl->quic.transport_version = use_legacy ? TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    427. 

  427.         : TLSX_KEY_QUIC_TP_PARAMS;
    428. 

  428. }
    429. 

  429. 

  430. void wolfSSL_set_quic_transport_version(WOLFSSL* ssl, int version)
    431. 

  431. {
    432. 

  432.     if (version == TLSX_KEY_QUIC_TP_PARAMS
    433. 

  433.         || version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    434. 

  434.         || !version) {
    435. 

  435.         ssl->quic.transport_version = version;
    436. 

  436.     }
    437. 

  437.     else {
    438. 

  438.         WOLFSSL_MSG("wolfSSL_set_quic_transport_version: invalid version");
    439. 

  439.     }
    440. 

  440. }
    441. 

  441. 

  442. 

  443. int wolfSSL_get_quic_transport_version(const WOLFSSL* ssl)
    444. 

  444. {
    445. 

  445.     return ssl->quic.transport_version;
    446. 

  446. }
    447. 

  447. 

  448. 

  449. int wolfSSL_quic_add_transport_extensions(WOLFSSL* ssl, int msg_type)
    450. 

  450. {
    451. 

  451.     /* RFC 9001, ch. 8.2: "The quic_transport_parameters extension is carried
    452. 

  452.      * in the ClientHello and the EncryptedExtensions messages during the
    453. 

  453.      * handshake. Endpoints MUST send the quic_transport_parameters extension;"
    454. 

  454.      * Which means, at least one. There can be more to signal compatibility to
    455. 

  455.      * older/newer versions.
    456. 

  456.      */
    457. 

  457.     int ret = 0, is_resp = (msg_type == encrypted_extensions);
    458. 

  458. 

  459.     if (ssl->quic.transport_local == NULL) {
    460. 

  460.         return QUIC_TP_MISSING_E;
    461. 

  461.     }
    462. 

  462. 

  463.     if (is_resp) {
    464. 

  464.         /* server response: time to decide which version to use */
    465. 

  465.         if (ssl->quic.transport_peer && ssl->quic.transport_peer_draft) {
    466. 

  466.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) {
    467. 

  467.                 ret = TLSX_QuicTP_Use(ssl,
    468. 

  468.                                       TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    469. 

  469.                 QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    470. 

  470.                 ssl->quic.transport_peer = NULL;
    471. 

  471.             }
    472. 

  472.             else {
    473. 

  473.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    474. 

  474.                 QTP_FREE(ssl->quic.transport_peer_draft,
    475. 

  475.                                         ssl->heap);
    476. 

  476.                 ssl->quic.transport_peer_draft = NULL;
    477. 

  477.             }
    478. 

  478.         }
    479. 

  479.         else {
    480. 

  480.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    481. 

  481.                 && ssl->quic.transport_peer_draft) {
    482. 

  482.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT,
    483. 

  483.                                       is_resp);
    484. 

  484.             }
    485. 

  485.             else if (ssl->quic.transport_peer) {
    486. 

  486.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    487. 

  487.             }
    488. 

  488.             else {
    489. 

  489.                 /* no match, send none, will let the client fail */
    490. 

  490.             }
    491. 

  491.         }
    492. 

  492.     }
    493. 

  493.     else {
    494. 

  494.         /* client hello */
    495. 

  495.         if (ssl->quic.transport_version == 0) {
    496. 

  496.             /* not being set to a particular id, we send both draft+v1 */
    497. 

  497.             ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp)
    498. 

  498.                 || TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    499. 

  499.         }
    500. 

  500.         else {
    501. 

  501.             /* otherwise, send the version configured */
    502. 

  502.             ret = TLSX_QuicTP_Use(ssl, (TLSX_Type)ssl->quic.transport_version,
    503. 

  503.                                   is_resp);
    504. 

  504.         }
    505. 

  505.     }
    506. 

  506.     return ret;
    507. 

  507. }
    508. 

  508. 

  509. 

  510. #define QUIC_HS_FLIGHT_LIMIT_DEFAULT      (16*  1024)
    511. 

  511. 

  512. size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL* ssl,
    513. 

  513.                                              WOLFSSL_ENCRYPTION_LEVEL level)
    514. 

  514. {
    515. 

  515.     switch (level) {
    516. 

  516.         case wolfssl_encryption_initial:
    517. 

  517.         case wolfssl_encryption_application:
    518. 

  518.                 return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    519. 

  519.         case wolfssl_encryption_early_data:
    520. 

  520.             return 0; /* QUIC does not send at this level */
    521. 

  521.         case wolfssl_encryption_handshake:
    522. 

  522.             /* during handshake itself, certificates may be exchanged which
    523. 

  523.              * exceed our default limit, advise a higher limit one.
    524. 

  524.              */
    525. 

  525.             if (ssl->options.side == WOLFSSL_SERVER_END) {
    526. 

  526.                 if (ssl->options.verifyPeer
    527. 

  527.                     && MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    528. 

  528.                     return MAX_CERTIFICATE_SZ;
    529. 

  529.             }
    530. 

  530.             else {
    531. 

  531.                 /* clients may receive the server cert chain
    532. 

  532.                  */
    533. 

  533.                 if (2*MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    534. 

  534.                     return 2*MAX_CERTIFICATE_SZ;
    535. 

  535.             }
    536. 

  536.             return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    537. 

  537.     }
    538. 

  538.     return 0;
    539. 

  539. }
    540. 

  540. 

  541. 

  542. #ifdef WOLFSSL_EARLY_DATA
    543. 

  543. void wolfSSL_set_quic_early_data_enabled(WOLFSSL* ssl, int enabled)
    544. 

  544. {
    545. 

  545.     /* This only has effect on server and when the handshake has
    546. 

  546.      * not started yet.
    547. 

  547.      * This function is part of the quictls/openssl API and does
    548. 

  548.      * not return any error, sadly. So we just ignore any
    549. 

  549.      * unsuccessful use. But we can produce some warnings.
    550. 

  550.      */
    551. 

  551.     if (!WOLFSSL_IS_QUIC(ssl)) {
    552. 

  552.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: not a QUIC SSL");
    553. 

  553.     }
    554. 

  554.     else if (ssl->options.handShakeState != NULL_STATE) {
    555. 

  555.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: handshake started");
    556. 

  556.     }
    557. 

  557.     else {
    558. 

  558.         wolfSSL_set_max_early_data(ssl, enabled ? UINT32_MAX : 0);
    559. 

  559.     }
    560. 

  560. }
    561. 

  561. #endif /* WOLFSSL_EARLY_DATA */
    562. 

  562. 

  563. int wolfSSL_quic_do_handshake(WOLFSSL* ssl)
    564. 

  564. {
    565. 

  565.     int ret = WOLFSSL_SUCCESS;
    566. 

  566. 

  567.     WOLFSSL_ENTER("wolfSSL_quic_do_handshake");
    568. 

  568. 

  569.     if (!wolfSSL_is_quic(ssl)) {
    570. 

  570.         WOLFSSL_MSG("WOLFSSL_QUIC_DO_HANDSHAKE not a QUIC SSL");
    571. 

  571.         ret = WOLFSSL_FAILURE;
    572. 

  572.         goto cleanup;
    573. 

  573.     }
    574. 

  574. 

  575.     while (ssl->options.handShakeState != HANDSHAKE_DONE) {
    576. 

  576.         /* Peculiar: do_handshake() is successful, but the state
    577. 

  577.          * indicates that we are not DONE. This seems to happen
    578. 

  578.          * when resuming sessions and an EARLY_DATA indicator
    579. 

  579.          * is presented by the client.
    580. 

  580.          * Theory: wolfSSL expects the APP to read the early data
    581. 

  581.          * and silently continues the handshake when the EndOfEarlyData
    582. 

  582.          * and the client Finished arrives.
    583. 

  583.          * This confuses the QUIC state handling.
    584. 

  584.          */
    585. 

  585. #ifdef WOLFSSL_EARLY_DATA
    586. 

  586.         if (ssl->options.maxEarlyDataSz) {
    587. 

  587.             byte tmpbuffer[256];
    588. 

  588.             int len;
    589. 

  589. 

  590.             if (ssl->options.side == WOLFSSL_CLIENT_END) {
    591. 

  591.                 if (ssl->options.resuming) {
    592. 

  592.                     ret = wolfSSL_write_early_data(ssl, tmpbuffer, 0, &len);
    593. 

  593.                 }
    594. 

  594.             }
    595. 

  595.             else {
    596. 

  596.                 ret = wolfSSL_read_early_data(ssl, tmpbuffer,
    597. 

  597.                                               sizeof(tmpbuffer), &len);
    598. 

  598.                 if (ret < 0 && ssl->error == ZERO_RETURN) {
    599. 

  599.                     /* this is expected, since QUIC handles the actual early
    600. 

  600.                      * data separately. */
    601. 

  601.                     ret = WOLFSSL_SUCCESS;
    602. 

  602.                 }
    603. 

  603.             }
    604. 

  604.             if (ret < 0) {
    605. 

  605.                 goto cleanup;
    606. 

  606.             }
    607. 

  607.         }
    608. 

  608. #endif /* WOLFSSL_EARLY_DATA */
    609. 

  609. 

  610.         ret = wolfSSL_SSL_do_handshake_internal(ssl);
    611. 

  611.         if (ret <= 0)
    612. 

  612.             goto cleanup;
    613. 

  613.     }
    614. 

  614. 

  615. cleanup:
    616. 

  616.     if (ret <= 0
    617. 

  617.         && ssl->options.handShakeState == HANDSHAKE_DONE
    618. 

  618.         && (ssl->error == ZERO_RETURN || ssl->error == WANT_READ)) {
    619. 

  619.         ret = WOLFSSL_SUCCESS;
    620. 

  620.     }
    621. 

  621.     if (ret == WOLFSSL_SUCCESS) {
    622. 

  622.         ssl->error = WOLFSSL_ERROR_NONE;
    623. 

  623.     }
    624. 

  624.     WOLFSSL_LEAVE("wolfSSL_quic_do_handshake", ret);
    625. 

  625.     return ret;
    626. 

  626. }
    627. 

  627. 

  628. int wolfSSL_quic_read_write(WOLFSSL* ssl)
    629. 

  629. {
    630. 

  630.     int ret = WOLFSSL_SUCCESS;
    631. 

  631. 

  632.     WOLFSSL_ENTER("wolfSSL_quic_read_write");
    633. 

  633. 

  634.     if (!wolfSSL_is_quic(ssl)) {
    635. 

  635.         WOLFSSL_MSG("WOLFSSL_QUIC_READ_WRITE not a QUIC SSL");
    636. 

  636.         ret = WOLFSSL_FAILURE;
    637. 

  637.         goto cleanup;
    638. 

  638.     }
    639. 

  639. 

  640.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    641. 

  641.         ret = wolfSSL_quic_do_handshake(ssl);
    642. 

  642.         if (ret != WOLFSSL_SUCCESS)
    643. 

  643.             goto cleanup;
    644. 

  644.     }
    645. 

  645. 

  646.     ret = wolfSSL_process_quic_post_handshake(ssl);
    647. 

  647. 

  648. cleanup:
    649. 

  649.     WOLFSSL_LEAVE("wolfSSL_quic_read_write", ret);
    650. 

  650.     return ret;
    651. 

  651. }
    652. 

  652. 

  653. int wolfSSL_process_quic_post_handshake(WOLFSSL* ssl)
    654. 

  654. {
    655. 

  655.     int ret = WOLFSSL_SUCCESS, nret;
    656. 

  656. 

  657.     WOLFSSL_ENTER("wolfSSL_process_quic_post_handshake");
    658. 

  658. 

  659.     if (!wolfSSL_is_quic(ssl)) {
    660. 

  660.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS not a QUIC SSL");
    661. 

  661.         ret = WOLFSSL_FAILURE;
    662. 

  662.         goto cleanup;
    663. 

  663.     }
    664. 

  664. 

  665.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    666. 

  666.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS handshake is not done yet");
    667. 

  667.         ret = WOLFSSL_FAILURE;
    668. 

  668.         goto cleanup;
    669. 

  669.     }
    670. 

  670. 

  671.     while (ssl->quic.input_head != NULL
    672. 

  672.            || ssl->buffers.inputBuffer.length > 0) {
    673. 

  673.         if ((nret = ProcessReply(ssl)) < 0) {
    674. 

  674.             ret = nret;
    675. 

  675.             break;
    676. 

  676.         }
    677. 

  677.     }
    678. 

  678.     while (ssl->buffers.outputBuffer.length > 0) {
    679. 

  679.         SendBuffered(ssl);
    680. 

  680.     }
    681. 

  681. 

  682. cleanup:
    683. 

  683.     WOLFSSL_LEAVE("wolfSSL_process_quic_post_handshake", ret);
    684. 

  684.     return ret;
    685. 

  685. }
    686. 

  686. 

  687. 

  688. int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
    689. 

  689.                               const uint8_t* data, size_t len)
    690. 

  690. {
    691. 

  691.     int ret = WOLFSSL_SUCCESS;
    692. 

  692.     size_t l;
    693. 

  693. 

  694.     WOLFSSL_ENTER("wolfSSL_provide_quic_data");
    695. 

  695.     if (!wolfSSL_is_quic(ssl)) {
    696. 

  696.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA not a QUIC SSL");
    697. 

  697.         ret = WOLFSSL_FAILURE;
    698. 

  698.         goto cleanup;
    699. 

  699.     }
    700. 

  700. 

  701.     if (level < wolfSSL_quic_read_level(ssl)
    702. 

  702.         || (ssl->quic.input_tail && level < ssl->quic.input_tail->level)
    703. 

  703.         || level < ssl->quic.enc_level_latest_recvd) {
    704. 

  704.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    705. 

  705.         ret = WOLFSSL_FAILURE;
    706. 

  706.         goto cleanup;
    707. 

  707.     }
    708. 

  708. 

  709.     while (len > 0) {
    710. 

  710.         if (ssl->quic.scratch) {
    711. 

  711.             if (ssl->quic.scratch->level != level) {
    712. 

  712.                 WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    713. 

  713.                 ret = WOLFSSL_FAILURE;
    714. 

  714.                 goto cleanup;
    715. 

  715.             }
    716. 

  716. 

  717.             ret = quic_record_append(ssl, ssl->quic.scratch, data, len, &l);
    718. 

  718.             if (ret != WOLFSSL_SUCCESS) {
    719. 

  719.                 goto cleanup;
    720. 

  720.             }
    721. 

  721.             data += l;
    722. 

  722.             len -= l;
    723. 

  723.             if (quic_record_complete(ssl->quic.scratch)) {
    724. 

  724.                 if (ssl->quic.input_tail) {
    725. 

  725.                     ssl->quic.input_tail->next = ssl->quic.scratch;
    726. 

  726.                     ssl->quic.input_tail = ssl->quic.scratch;
    727. 

  727.                 }
    728. 

  728.                 else {
    729. 

  729.                     ssl->quic.input_head = ssl->quic.input_tail =
    730. 

  730.                         ssl->quic.scratch;
    731. 

  731.                 }
    732. 

  732.                 ssl->quic.scratch = NULL;
    733. 

  733.             }
    734. 

  734.         }
    735. 

  735.         else {
    736. 

  736.             /* start of next record with all bytes for the header */
    737. 

  737.             ssl->quic.scratch = quic_record_make(ssl, level, data, len);
    738. 

  738.             if (!ssl->quic.scratch) {
    739. 

  739.                 ret = WOLFSSL_FAILURE;
    740. 

  740.                 goto cleanup;
    741. 

  741.             }
    742. 

  742.         }
    743. 

  743.     }
    744. 

  744. 

  745.     ssl->quic.enc_level_latest_recvd = level;
    746. 

  746. 

  747. cleanup:
    748. 

  748.     WOLFSSL_LEAVE("wolfSSL_provide_quic_data", ret);
    749. 

  749.     return ret;
    750. 

  750. }
    751. 

  751. 

  752. 

  753. /* Called internally when SSL wants a certain amount of input. */
    754. 

  754. int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
    755. 

  755. {
    756. 

  756.     word32 n = 0;
    757. 

  757.     int transferred = 0;
    758. 

  758. 

  759.     WOLFSSL_ENTER("wolfSSL_quic_receive");
    760. 

  760.     while (sz > 0) {
    761. 

  761.         n = 0;
    762. 

  762.         if (ssl->quic.input_head) {
    763. 

  763.             n = quic_record_transfer(ssl->quic.input_head, buf, sz);
    764. 

  764.             if (quic_record_done(ssl->quic.input_head)) {
    765. 

  765.                 QuicRecord* qr = ssl->quic.input_head;
    766. 

  766.                 ssl->quic.input_head = qr->next;
    767. 

  767.                 if (!qr->next) {
    768. 

  768.                     ssl->quic.input_tail = NULL;
    769. 

  769.                 }
    770. 

  770.                 quic_record_free(ssl, qr);
    771. 

  771.             }
    772. 

  772.         }
    773. 

  773. 

  774.         if (n == 0) {
    775. 

  775.             if (transferred > 0) {
    776. 

  776.                 goto cleanup;
    777. 

  777.             }
    778. 

  778.             ssl->error = transferred = WANT_READ;
    779. 

  779.             goto cleanup;
    780. 

  780.         }
    781. 

  781.         sz -= n;
    782. 

  782.         buf += n;
    783. 

  783.         transferred += n;
    784. 

  784.     }
    785. 

  785. cleanup:
    786. 

  786.     WOLFSSL_LEAVE("wolfSSL_quic_receive", transferred);
    787. 

  787.     return transferred;
    788. 

  788. }
    789. 

  789. 

  790. /**
    791. 

  791.  * We need to forward the HANDSHAKE messages to the QUIC protocol stack
    792. 

  792.  * via ssl->quic.method->add_handshake_data().
    793. 

  793.  * The messages in the output buffer are unencrypted TLS records. We need
    794. 

  794.  * to forward the content of those records.
    795. 

  795.  */
    796. 

  796. static int wolfSSL_quic_send_internal(WOLFSSL* ssl)
    797. 

  797. {
    798. 

  798.     int ret = 0, aret;
    799. 

  799.     size_t len;
    800. 

  800.     RecordLayerHeader* rl;
    801. 

  801.     word16 rlen;
    802. 

  802.     word32 idx, length;
    803. 

  803.     byte* output;
    804. 

  804. 

  805.     WOLFSSL_ENTER("wolfSSL_quic_send");
    806. 

  806. 

  807.     idx = ssl->buffers.outputBuffer.idx;
    808. 

  808.     length = ssl->buffers.outputBuffer.length;
    809. 

  809.     output = ssl->buffers.outputBuffer.buffer + idx;
    810. 

  810.     while (length > 0) {
    811. 

  811.         if (ssl->quic.output_rec_remain > 0) {
    812. 

  812.             len = ssl->quic.output_rec_remain;
    813. 

  813.             if (len > length) {
    814. 

  814.                 len = length;
    815. 

  815.             }
    816. 

  816. 

  817.             aret = ssl->quic.method->add_handshake_data(ssl,
    818. 

  818.                 ssl->quic.output_rec_level, (const uint8_t*)output, len);
    819. 

  819.             if (aret != 1) {
    820. 

  820.                 /* The application has an error. General disaster. */
    821. 

  821.                 WOLFSSL_MSG("WOLFSSL_QUIC_SEND application failed");
    822. 

  822.                 ret = FWRITE_ERROR;
    823. 

  823.                 goto cleanup;
    824. 

  824.             }
    825. 

  825.             output += len;
    826. 

  826.             length -= len;
    827. 

  827.             ssl->quic.output_rec_remain -= len;
    828. 

  828.         }
    829. 

  829.         else {
    830. 

  830.             /* at start of a TLS Record */
    831. 

  831.             rl = (RecordLayerHeader*)output;
    832. 

  832.             ato16(rl->length, &rlen);
    833. 

  833.             output += RECORD_HEADER_SZ;
    834. 

  834.             length -= RECORD_HEADER_SZ;
    835. 

  835.             ssl->quic.output_rec_remain = rlen;
    836. 

  836.             ssl->quic.output_rec_level = ssl->quic.enc_level_write;
    837. 

  837.             if (rl->type == application_data) {
    838. 

  838.                 if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    839. 

  839.                     ssl->quic.output_rec_level = wolfssl_encryption_early_data;
    840. 

  840.                 }
    841. 

  841.                 else {
    842. 

  842.                     WOLFSSL_MSG("WOLFSSL_QUIC_SEND app data after handshake");
    843. 

  843.                     ret = FWRITE_ERROR;
    844. 

  844.                     goto cleanup;
    845. 

  845.                 }
    846. 

  846.             }
    847. 

  847.         }
    848. 

  848.     }
    849. 

  849. 

  850.     ssl->buffers.outputBuffer.idx = 0;
    851. 

  851.     ssl->buffers.outputBuffer.length = 0;
    852. 

  852. 

  853. cleanup:
    854. 

  854.     WOLFSSL_LEAVE("wolfSSL_quic_send", ret);
    855. 

  855.     return ret;
    856. 

  856. }
    857. 

  857. 

  858. int wolfSSL_quic_send(WOLFSSL* ssl)
    859. 

  859. {
    860. 

  860.     return wolfSSL_quic_send_internal(ssl);
    861. 

  861. }
    862. 

  862. 

  863. int wolfSSL_quic_forward_secrets(WOLFSSL* ssl, int ktype, int side)
    864. 

  864. {
    865. 

  865.     const uint8_t* rx_secret = NULL, *tx_secret = NULL;
    866. 

  866.     WOLFSSL_ENCRYPTION_LEVEL level;
    867. 

  867.     int ret = 0;
    868. 

  868. 

  869.     WOLFSSL_ENTER("wolfSSL_quic_forward_secrets");
    870. 

  870.     switch (ktype) {
    871. 

  871.         case early_data_key:
    872. 

  872.             level = wolfssl_encryption_early_data;
    873. 

  873.             break;
    874. 

  874.         case handshake_key:
    875. 

  875.             level = wolfssl_encryption_handshake;
    876. 

  876.             break;
    877. 

  877.         case traffic_key:
    878. 

  878.             FALL_THROUGH;
    879. 

  879.         case update_traffic_key:
    880. 

  880.             level = wolfssl_encryption_application;
    881. 

  881.             break;
    882. 

  882.         case no_key:
    883. 

  883.             FALL_THROUGH;
    884. 

  884.         default:
    885. 

  885.             /* ignore */
    886. 

  886.             goto cleanup;
    887. 

  887.     }
    888. 

  888. 

  889.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    890. 

  890.         tx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    891. 

  891.             ssl->clientSecret : ssl->serverSecret;
    892. 

  892.     }
    893. 

  893.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    894. 

  894.         rx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    895. 

  895.             ssl->serverSecret : ssl->clientSecret;
    896. 

  896.     }
    897. 

  897. 

  898.     if (!tx_secret && !rx_secret) {
    899. 

  899.         WOLFSSL_MSG("WOLFSSL_QUIC_FORWARD_SECRETS neither "
    900. 

  900.                     "enc- nor decrypt specified");
    901. 

  901.         goto cleanup;
    902. 

  902.     }
    903. 

  903. 

  904.     ret = !ssl->quic.method->set_encryption_secrets(
    905. 

  905.         ssl, level, rx_secret, tx_secret, ssl->specs.hash_size);
    906. 

  906. 

  907.     /* Having installed the secrets, any future read/write will happen
    908. 

  908.      * at the level. Except early data, which is detected on the record
    909. 

  909.      * type and the handshake state. */
    910. 

  910.      if (ktype == early_data_key) {
    911. 

  911.         goto cleanup;
    912. 

  912.      }
    913. 

  913. 

  914.      if (tx_secret && ssl->quic.enc_level_write != level) {
    915. 

  915.         ssl->quic.enc_level_write_next = level;
    916. 

  916.      }
    917. 

  917.      if (rx_secret && ssl->quic.enc_level_read != level) {
    918. 

  918.         ssl->quic.enc_level_read_next = level;
    919. 

  919.      }
    920. 

  920. 

  921. cleanup:
    922. 

  922.     WOLFSSL_LEAVE("wolfSSL_quic_forward_secrets", ret);
    923. 

  923.     return ret;
    924. 

  924. }
    925. 

  925. 

  926. int wolfSSL_quic_keys_active(WOLFSSL* ssl, enum encrypt_side side)
    927. 

  927. {
    928. 

  928.     int ret = 0;
    929. 

  929. 

  930.     WOLFSSL_ENTER("wolfSSL_quic_keys_active");
    931. 

  931.     /* Keys derived from recent secrets have been activated */
    932. 

  932.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    933. 

  933.         /* If there is data in the output buffers, it was supposed to be
    934. 

  934.          * encrypted at the previous level. We need to remember that when
    935. 

  935.          * forwarding this data to the QUIC protocol application. */
    936. 

  936.         if (ssl->buffers.outputBuffer.length > 0) {
    937. 

  937.             ret = wolfSSL_quic_send_internal(ssl);
    938. 

  938.             if (ret)
    939. 

  939.                 goto cleanup;
    940. 

  940.         }
    941. 

  941.         ssl->quic.enc_level_write = ssl->quic.enc_level_write_next;
    942. 

  942.     }
    943. 

  943.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    944. 

  944.         ssl->quic.enc_level_read = ssl->quic.enc_level_read_next;
    945. 

  945.     }
    946. 

  946. cleanup:
    947. 

  947.     WOLFSSL_LEAVE("wolfSSL_quic_keys_active", ret);
    948. 

  948.     return ret;
    949. 

  949. }
    950. 

  950. 

  951. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl)
    952. 

  952. {
    953. 

  953.     WOLFSSL_CIPHER* cipher = wolfSSL_get_current_cipher(ssl);
    954. 

  954.     const WOLFSSL_EVP_CIPHER* evp_cipher;
    955. 

  955. 

  956.     switch (cipher->cipherSuite) {
    957. 

  957. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    958. 

  958.         case TLS_AES_128_GCM_SHA256:
    959. 

  959.             evp_cipher = wolfSSL_EVP_aes_128_gcm();
    960. 

  960.             break;
    961. 

  961.         case TLS_AES_256_GCM_SHA384:
    962. 

  962.             evp_cipher = wolfSSL_EVP_aes_256_gcm();
    963. 

  963.             break;
    964. 

  964. #endif
    965. 

  965. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    966. 

  966.         case TLS_CHACHA20_POLY1305_SHA256:
    967. 

  967.             evp_cipher = wolfSSL_EVP_chacha20_poly1305();
    968. 

  968.             break;
    969. 

  969. #endif
    970. 

  970. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    971. 

  971.         case TLS_AES_128_CCM_SHA256:
    972. 

  972.             FALL_THROUGH;
    973. 

  973.         case TLS_AES_128_CCM_8_SHA256:
    974. 

  974.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    975. 

  975.             break;
    976. 

  976. #endif
    977. 

  977. 

  978.         default:
    979. 

  979.             evp_cipher = NULL;
    980. 

  980.             break;
    981. 

  981.     }
    982. 

  982. 

  983.     if (!evp_cipher) {
    984. 

  984.         /* should not happen, as SSL* should not have negotiated it? */
    985. 

  985.         WOLFSSL_MSG("wolfSSL_quic_get_aead: current cipher not supported");
    986. 

  986.         return NULL;
    987. 

  987.     }
    988. 

  988.     return evp_cipher;
    989. 

  989. }
    990. 

  990. 

  991. static int evp_cipher_eq(const WOLFSSL_EVP_CIPHER* c1,
    992. 

  992.                          const WOLFSSL_EVP_CIPHER* c2)
    993. 

  993. {
    994. 

  994.     /* We could check on nid equality, but we seem to have singulars */
    995. 

  995.     return c1 == c2;
    996. 

  996. }
    997. 

  997. 

  998. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
    999. 

  999. {
    1000. 

  1000.     WOLFSSL_CIPHER* cipher = wolfSSL_get_current_cipher(ssl);
    1001. 

  1001.     const WOLFSSL_EVP_CIPHER* evp_cipher;
    1002. 

  1002. 

  1003.     switch (cipher->cipherSuite) {
    1004. 

  1004. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    1005. 

  1005.         case TLS_AES_128_GCM_SHA256:
    1006. 

  1006.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1007. 

  1007.             break;
    1008. 

  1008.         case TLS_AES_256_GCM_SHA384:
    1009. 

  1009.             evp_cipher = wolfSSL_EVP_aes_256_ctr();
    1010. 

  1010.             break;
    1011. 

  1011. #endif
    1012. 

  1012. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1013. 

  1013.         case TLS_CHACHA20_POLY1305_SHA256:
    1014. 

  1014.             evp_cipher = wolfSSL_EVP_chacha20();
    1015. 

  1015.             break;
    1016. 

  1016. #endif
    1017. 

  1017. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    1018. 

  1018.         case TLS_AES_128_CCM_SHA256:
    1019. 

  1019.             FALL_THROUGH;
    1020. 

  1020.         case TLS_AES_128_CCM_8_SHA256:
    1021. 

  1021.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1022. 

  1022.             break;
    1023. 

  1023. #endif
    1024. 

  1024. 

  1025.         default:
    1026. 

  1026.             evp_cipher = NULL;
    1027. 

  1027.             break;
    1028. 

  1028.     }
    1029. 

  1029. 

  1030.     if (!evp_cipher) {
    1031. 

  1031.         /* should not happen, as SSL* should not have negotiated it? */
    1032. 

  1032.         WOLFSSL_MSG("wolfSSL_quic_get_hp: current cipher not supported");
    1033. 

  1033.         return NULL;
    1034. 

  1034.     }
    1035. 

  1035.     return evp_cipher;
    1036. 

  1036. }
    1037. 

  1037. 

  1038. size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1039. 

  1039. {
    1040. 

  1040.     size_t ret;
    1041. 

  1041. #ifdef WOLFSSL_SMALL_STACK
    1042. 

  1042.     WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX *)XMALLOC(
    1043. 

  1043.         sizeof(*ctx), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1044. 

  1044.     if (ctx == NULL)
    1045. 

  1045.         return 0;
    1046. 

  1046. #else
    1047. 

  1047.     WOLFSSL_EVP_CIPHER_CTX ctx[1];
    1048. 

  1048. #endif
    1049. 

  1049. 

  1050.     XMEMSET(ctx, 0, sizeof(*ctx));
    1051. 

  1051.     if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0)
    1052. 

  1052.         == WOLFSSL_SUCCESS) {
    1053. 

  1053.         ret = ctx->authTagSz;
    1054. 

  1054.     } else {
    1055. 

  1055.         ret = 0;
    1056. 

  1056.     }
    1057. 

  1057. 

  1058. #ifdef WOLFSSL_SMALL_STACK
    1059. 

  1059.     XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUF);
    1060. 

  1060. #endif
    1061. 

  1061. 

  1062.     return ret;
    1063. 

  1063. }
    1064. 

  1064. 

  1065. int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1066. 

  1066. {
    1067. 

  1067. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    1068. 

  1068.     if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_gcm())
    1069. 

  1069. #ifdef WOLFSSL_AES_256
    1070. 

  1070.         || evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_256_gcm())
    1071. 

  1071. #endif
    1072. 

  1072.     ) {
    1073. 

  1073.         return 1;
    1074. 

  1074.     }
    1075. 

  1075. #else
    1076. 

  1076.     (void)aead_cipher;
    1077. 

  1077. #endif
    1078. 

  1078.     return 0;
    1079. 

  1079. }
    1080. 

  1080. 

  1081. int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1082. 

  1082. {
    1083. 

  1083. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    1084. 

  1084.     if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_ctr())) {
    1085. 

  1085.         return 1;
    1086. 

  1086.     }
    1087. 

  1087. #else
    1088. 

  1088.     (void)aead_cipher;
    1089. 

  1089. #endif
    1090. 

  1090.     return 0;
    1091. 

  1091. }
    1092. 

  1092. 

  1093. int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1094. 

  1094. {
    1095. 

  1095. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1096. 

  1096.     return evp_cipher_eq(aead_cipher, wolfSSL_EVP_chacha20_poly1305());
    1097. 

  1097. #else
    1098. 

  1098.     (void)aead_cipher;
    1099. 

  1099.     return 0;
    1100. 

  1100. #endif
    1101. 

  1101. }
    1102. 

  1102. 

  1103. const WOLFSSL_EVP_MD* wolfSSL_quic_get_md(WOLFSSL* ssl)
    1104. 

  1104. {
    1105. 

  1105.     /* a copy from the handshake md setup */
    1106. 

  1106.     switch(ssl->specs.mac_algorithm) {
    1107. 

  1107.         case no_mac:
    1108. 

  1108.     #ifndef NO_MD5
    1109. 

  1109.         case md5_mac:
    1110. 

  1110.             return wolfSSL_EVP_md5();
    1111. 

  1111.     #endif
    1112. 

  1112.     #ifndef NO_SHA
    1113. 

  1113.         case sha_mac:
    1114. 

  1114.             return wolfSSL_EVP_sha1();
    1115. 

  1115.     #endif
    1116. 

  1116.     #ifdef WOLFSSL_SHA224
    1117. 

  1117.         case sha224_mac:
    1118. 

  1118.             return wolfSSL_EVP_sha224();
    1119. 

  1119.     #endif
    1120. 

  1120.         case sha256_mac:
    1121. 

  1121.             return wolfSSL_EVP_sha256();
    1122. 

  1122.     #ifdef WOLFSSL_SHA384
    1123. 

  1123.         case sha384_mac:
    1124. 

  1124.             return wolfSSL_EVP_sha384();
    1125. 

  1125.     #endif
    1126. 

  1126.     #ifdef WOLFSSL_SHA512
    1127. 

  1127.         case sha512_mac:
    1128. 

  1128.             return wolfSSL_EVP_sha512();
    1129. 

  1129.     #endif
    1130. 

  1130.         case rmd_mac:
    1131. 

  1131.         case blake2b_mac:
    1132. 

  1132.             WOLFSSL_MSG("no suitable EVP_MD");
    1133. 

  1133.             return NULL;
    1134. 

  1134.         default:
    1135. 

  1135.             WOLFSSL_MSG("Unknown mac algorithm");
    1136. 

  1136.             return NULL;
    1137. 

  1137.     }
    1138. 

  1138. }
    1139. 

  1139. 

  1140. #ifdef OPENSSL_EXTRA
    1141. 

  1141. 

  1142. int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md,
    1143. 

  1143.                               const uint8_t* secret, size_t secretlen,
    1144. 

  1144.                               const uint8_t* salt, size_t saltlen)
    1145. 

  1145. {
    1146. 

  1146.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1147. 

  1147.     size_t destlen = (size_t)wolfSSL_EVP_MD_size(md);
    1148. 

  1148.     int ret = WOLFSSL_SUCCESS;
    1149. 

  1149. 

  1150.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract");
    1151. 

  1151. 

  1152.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1153. 

  1153.     if (pctx == NULL) {
    1154. 

  1154.         ret = WOLFSSL_FAILURE;
    1155. 

  1155.         goto cleanup;
    1156. 

  1156.     }
    1157. 

  1157. 

  1158.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1159. 

  1159.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1160. 

  1160.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS
    1161. 

  1161.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1162. 

  1162.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1163. 

  1163.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1164. 

  1164.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1165. 

  1165.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1166. 

  1166.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1167. 

  1167.         ret = WOLFSSL_FAILURE;
    1168. 

  1168.         goto cleanup;
    1169. 

  1169.     }
    1170. 

  1170. 

  1171. cleanup:
    1172. 

  1172.     if (pctx)
    1173. 

  1173.         wolfSSL_EVP_PKEY_CTX_free(pctx);
    1174. 

  1174.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_extract", ret);
    1175. 

  1175.     return ret;
    1176. 

  1176. }
    1177. 

  1177. 

  1178. 

  1179. int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen,
    1180. 

  1180.                              const WOLFSSL_EVP_MD* md,
    1181. 

  1181.                              const uint8_t* secret, size_t secretlen,
    1182. 

  1182.                              const uint8_t* info, size_t infolen)
    1183. 

  1183. {
    1184. 

  1184.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1185. 

  1185.     int ret = WOLFSSL_SUCCESS;
    1186. 

  1186. 

  1187.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand");
    1188. 

  1188. 

  1189.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1190. 

  1190.     if (pctx == NULL) {
    1191. 

  1191.         ret = WOLFSSL_FAILURE;
    1192. 

  1192.         goto cleanup;
    1193. 

  1193.     }
    1194. 

  1194. 

  1195.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1196. 

  1196.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1197. 

  1197.                 pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS
    1198. 

  1198.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1199. 

  1199.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1200. 

  1200.                 pctx, (byte*)"", 0) != WOLFSSL_SUCCESS
    1201. 

  1201.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1202. 

  1202.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1203. 

  1203.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1204. 

  1204.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1205. 

  1205.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1206. 

  1206.         ret = WOLFSSL_FAILURE;
    1207. 

  1207.         goto cleanup;
    1208. 

  1208.     }
    1209. 

  1209. 

  1210. cleanup:
    1211. 

  1211.     if (pctx)
    1212. 

  1212.         EVP_PKEY_CTX_free(pctx);
    1213. 

  1213.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret);
    1214. 

  1214.     return ret;
    1215. 

  1215. }
    1216. 

  1216. 

  1217. 

  1218. int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
    1219. 

  1219.                       const WOLFSSL_EVP_MD* md,
    1220. 

  1220.                       const uint8_t* secret, size_t secretlen,
    1221. 

  1221.                       const uint8_t* salt, size_t saltlen,
    1222. 

  1222.                       const uint8_t* info, size_t infolen)
    1223. 

  1223. {
    1224. 

  1224.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1225. 

  1225.     int ret = WOLFSSL_SUCCESS;
    1226. 

  1226. 

  1227.     WOLFSSL_ENTER("wolfSSL_quic_hkdf");
    1228. 

  1228. 

  1229.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1230. 

  1230.     if (pctx == NULL) {
    1231. 

  1231.         ret = WOLFSSL_FAILURE;
    1232. 

  1232.         goto cleanup;
    1233. 

  1233.     }
    1234. 

  1234. 

  1235.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1236. 

  1236.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1237. 

  1237.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS
    1238. 

  1238.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1239. 

  1239.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1240. 

  1240.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1241. 

  1241.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1242. 

  1242.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1243. 

  1243.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1244. 

  1244.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1245. 

  1245.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1246. 

  1246.         ret = WOLFSSL_FAILURE;
    1247. 

  1247.         goto cleanup;
    1248. 

  1248.     }
    1249. 

  1249. 

  1250. cleanup:
    1251. 

  1251.     if (pctx)
    1252. 

  1252.         EVP_PKEY_CTX_free(pctx);
    1253. 

  1253.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret);
    1254. 

  1254.     return ret;
    1255. 

  1255. }
    1256. 

  1256. 

  1257. #endif /* OPENSSL_EXTRA */
    1258. 

  1258. 

  1259. 

  1260. WOLFSSL_EVP_CIPHER_CTX* wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER* cipher,
    1261. 

  1261.                                                const uint8_t* key,
    1262. 

  1262.                                                const uint8_t* iv,
    1263. 

  1263.                                                int encrypt)
    1264. 

  1264. {
    1265. 

  1265.     WOLFSSL_EVP_CIPHER_CTX* ctx;
    1266. 

  1266. 

  1267.     ctx = wolfSSL_EVP_CIPHER_CTX_new();
    1268. 

  1268.     if (ctx == NULL) {
    1269. 

  1269.         return NULL;
    1270. 

  1270.     }
    1271. 

  1271. 

  1272.     if (wolfSSL_EVP_CipherInit(ctx, cipher, key, iv, encrypt)
    1273. 

  1273.             != WOLFSSL_SUCCESS) {
    1274. 

  1274.         wolfSSL_EVP_CIPHER_CTX_free(ctx);
    1275. 

  1275.         return NULL;
    1276. 

  1276.     }
    1277. 

  1277. 

  1278.     return ctx;
    1279. 

  1279. }
    1280. 

  1280. 

  1281. 

  1282. int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1283. 

  1283.                               const uint8_t* plain, size_t plainlen,
    1284. 

  1284.                               const uint8_t* iv, const uint8_t* aad,
    1285. 

  1285.                               size_t aadlen)
    1286. 

  1286. {
    1287. 

  1287.     int len;
    1288. 

  1288. 

  1289.     /* A case can be made if this really should be a function in wolfSSL, since
    1290. 

  1290.      * the same should be doable from the API by a QUIC protocol stack.
    1291. 

  1291.      * What speaks for this:
    1292. 

  1292.      * - it gives us a decent testing point
    1293. 

  1293.      * - API users do not have to re-invent (it fits into ngtcp2 use).
    1294. 

  1294.      *   picotls offers a similar abstraction level for AEAD.
    1295. 

  1295.      * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers
    1296. 

  1296.      *       which we need to check.
    1297. 

  1297.      */
    1298. 

  1298.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS
    1299. 

  1299.         || wolfSSL_EVP_CipherUpdate(
    1300. 

  1300.                 ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS
    1301. 

  1301.         || wolfSSL_EVP_CipherUpdate(
    1302. 

  1302.                 ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS
    1303. 

  1303.         || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS
    1304. 

  1304.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1305. 

  1305.                 ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen)
    1306. 

  1306.            != WOLFSSL_SUCCESS) {
    1307. 

  1307.         return WOLFSSL_FAILURE;
    1308. 

  1308.     }
    1309. 

  1309. 

  1310.     return WOLFSSL_SUCCESS;
    1311. 

  1311. }
    1312. 

  1312. 

  1313. 

  1314. int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1315. 

  1315.                               const uint8_t* enc, size_t enclen,
    1316. 

  1316.                               const uint8_t* iv, const uint8_t* aad,
    1317. 

  1317.                               size_t aadlen)
    1318. 

  1318. {
    1319. 

  1319.     int len;
    1320. 

  1320.     const uint8_t* tag;
    1321. 

  1321. 

  1322.     /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */
    1323. 

  1323.     if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) {
    1324. 

  1324.         return WOLFSSL_FAILURE;
    1325. 

  1325.     }
    1326. 

  1326. 

  1327.     enclen -= ctx->authTagSz;
    1328. 

  1328.     tag = enc + enclen;
    1329. 

  1329. 

  1330.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS
    1331. 

  1331.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1332. 

  1332.                 ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag)
    1333. 

  1333.             != WOLFSSL_SUCCESS
    1334. 

  1334.         || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen)
    1335. 

  1335.             != WOLFSSL_SUCCESS
    1336. 

  1336.         || wolfSSL_EVP_CipherUpdate(ctx, dest, &len, enc, (int)enclen)
    1337. 

  1337.             != WOLFSSL_SUCCESS
    1338. 

  1338.         || wolfSSL_EVP_CipherFinal(ctx, dest, &len) != WOLFSSL_SUCCESS) {
    1339. 

  1339.         return WOLFSSL_FAILURE;
    1340. 

  1340.     }
    1341. 

  1341. 

  1342.     return WOLFSSL_SUCCESS;
    1343. 

  1343. }
    1344. 

  1344. 

  1345. 

  1346. #endif /* WOLFSSL_QUIC */
    1347. 

  1347. #endif /* WOLFCRYPT_ONLY */
    1348. 

  1348.