1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348 |
- /* quic.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /* Name change compatibility layer no longer needs to be included here */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #ifndef WOLFCRYPT_ONLY
- #ifdef WOLFSSL_QUIC
- #include <wolfssl/error-ssl.h>
- #include <wolfssl/ssl.h>
- #include <wolfssl/internal.h>
- #include <wolfssl/openssl/buffer.h>
- #include <wolfssl/openssl/ecdsa.h>
- #include <wolfssl/openssl/evp.h>
- #include <wolfssl/openssl/kdf.h>
- static int qr_length(const uint8_t *data, size_t len)
- {
- word32 rlen;
- if (len < 4) {
- return 0;
- }
- c24to32(&data[1], &rlen);
- return (int)rlen + 4;
- }
- static void quic_record_free(WOLFSSL *ssl, QuicRecord *r)
- {
- (void)ssl;
- if (r->data) {
- ForceZero(r->data, r->capacity);
- XFREE(r->data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
- XFREE(r, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
- static QuicRecord *quic_record_make(WOLFSSL *ssl,
- WOLFSSL_ENCRYPTION_LEVEL level,
- const uint8_t *data, size_t len)
- {
- QuicRecord *qr;
- qr = (QuicRecord*)XMALLOC(sizeof(*qr), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (qr) {
- memset(qr, 0, sizeof(*qr));
- qr->level = level;
- if (level == wolfssl_encryption_early_data) {
- qr->capacity = qr->len = (word32)len;
- }
- else {
- qr->capacity = qr->len = qr_length(data, len);
- }
- if (qr->capacity == 0) {
- qr->capacity = 2*1024;
- }
- qr->data = (uint8_t*)XMALLOC(qr->capacity, ssl->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (!qr->data) {
- quic_record_free(ssl, qr);
- return NULL;
- }
- }
- return qr;
- }
- static int quic_record_complete(QuicRecord *r)
- {
- return r->len && r->end >= r->len;
- }
- static int quic_record_done(QuicRecord *r)
- {
- return r->len && r->end >= r->len && r->start >= r->end;
- }
- static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
- size_t len, size_t *pconsumed)
- {
- size_t missing, consumed = 0;
- int ret = WOLFSSL_SUCCESS;
- (void)ssl;
- if (!qr->len && len) {
- missing = 4 - qr->end;
- if (len < missing) {
- XMEMCPY(qr->data + qr->end, data, len);
- qr->end += len;
- consumed = len;
- goto cleanup; /* len consumed, but qr->len still unkown */
- }
- XMEMCPY(qr->data + qr->end, data, missing);
- qr->end += missing;
- len -= missing;
- data += missing;
- consumed = missing;
- qr->len = qr_length(qr->data, qr->end);
- if (qr->len > qr->capacity) {
- uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->head,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (!ndata) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- qr->data = ndata;
- qr->capacity = qr->len;
- }
- }
- if (quic_record_complete(qr) || len == 0) {
- return 0;
- }
- missing = qr->len - qr->end;
- if (len > missing) {
- len = missing;
- }
- XMEMCPY(qr->data + qr->end, data, len);
- qr->end += len;
- consumed += len;
- cleanup:
- *pconsumed = (ret == WOLFSSL_SUCCESS) ? consumed : 0;
- return ret;
- }
- static word32 add_rec_header(byte* output, word32 length, int type)
- {
- RecordLayerHeader* rl;
- /* record layer header */
- rl = (RecordLayerHeader*)output;
- if (rl == NULL) {
- return 0;
- }
- rl->type = type;
- rl->pvMajor = SSLv3_MAJOR;
- rl->pvMinor = TLSv1_2_MINOR;
- c16toa((word16)length, rl->length);
- return RECORD_HEADER_SZ;
- }
- static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
- {
- word32 len = qr->end - qr->start;
- word32 offset = 0;
- word16 rlen;
- if (len <= 0) {
- return 0;
- }
- if (qr->rec_hdr_remain == 0) {
- /* start a new TLS record */
- rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
- qr->len : (word32)MAX_RECORD_SIZE;
- offset += add_rec_header(buf, rlen,
- (qr->level == wolfssl_encryption_early_data) ?
- application_data : handshake);
- qr->rec_hdr_remain = rlen;
- sz -= offset;
- }
- if (len > qr->rec_hdr_remain) {
- len = qr->rec_hdr_remain;
- }
- if (len > sz) {
- len = sz;
- }
- if (len > 0) {
- XMEMCPY(buf + offset, qr->data + qr->start, len);
- qr->start += len;
- qr->rec_hdr_remain -= len;
- }
- return len + offset;
- }
- const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
- size_t len, void* heap)
- {
- QuicTransportParam* tp;
- if (len > 65353) return NULL;
- tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
- if (!tp) return NULL;
- tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
- if (!tp->data) {
- XFREE(tp, heap, DYNAMIC_TYPE_TLSX);
- return NULL;
- }
- XMEMCPY((uint8_t*)tp->data, data, len);
- tp->len = len;
- return tp;
- }
- const QuicTransportParam* QuicTransportParam_dup(const QuicTransportParam* tp,
- void* heap)
- {
- QuicTransportParam* tp2;
- tp2 = (QuicTransportParam*)XMALLOC(sizeof(*tp2), heap, DYNAMIC_TYPE_TLSX);
- if (!tp2) return NULL;
- tp2->data = (uint8_t*)XMALLOC(tp->len, heap, DYNAMIC_TYPE_TLSX);
- if (!tp2->data) {
- XFREE(tp2, heap, DYNAMIC_TYPE_TLSX);
- return NULL;
- }
- XMEMCPY((uint8_t*)tp2->data, tp->data, tp->len);
- tp2->len = tp->len;
- return tp2;
- }
- void QuicTransportParam_free(const QuicTransportParam* tp, void* heap)
- {
- (void)heap;
- if (tp) {
- if (tp->data) XFREE((uint8_t*)tp->data, heap, DYNAMIC_TYPE_TLSX);
- XFREE((void*)tp, heap, DYNAMIC_TYPE_TLSX);
- }
- }
- void wolfSSL_quic_clear(WOLFSSL* ssl)
- {
- QuicEncData* qd;
- /* keep
- * - ssl->quic.transport_local
- * - ssl->quic.method
- * - ssl->quic.transport_version
- * reset/free everything else
- */
- if (ssl->quic.transport_peer) {
- QTP_FREE(ssl->quic.transport_peer, ssl->heap);
- ssl->quic.transport_peer = NULL;
- }
- if (ssl->quic.transport_peer_draft) {
- QTP_FREE(ssl->quic.transport_peer_draft, ssl->heap);
- ssl->quic.transport_peer_draft = NULL;
- }
- ssl->quic.enc_level_write = wolfssl_encryption_initial;
- ssl->quic.enc_level_latest_recvd = wolfssl_encryption_initial;
- while ((qd = ssl->quic.input_head)) {
- ssl->quic.input_head = qd->next;
- quic_record_free(ssl, qd);
- }
- ssl->quic.input_tail = NULL;
- ssl->quic.output_rec_remain = 0;
- if (ssl->quic.scratch) {
- quic_record_free(ssl, ssl->quic.scratch);
- ssl->quic.scratch = NULL;
- }
- }
- void wolfSSL_quic_free(WOLFSSL* ssl)
- {
- wolfSSL_quic_clear(ssl);
- if (ssl->quic.transport_local) {
- QTP_FREE(ssl->quic.transport_local, ssl->heap);
- ssl->quic.transport_local = NULL;
- }
- ssl->quic.method = NULL;
- }
- static int ctx_check_quic_compat(const WOLFSSL_CTX* ctx)
- {
- WOLFSSL_ENTER("ctx_check_quic_compat");
- if (ctx->method->version.major != SSLv3_MAJOR
- || ctx->method->version.minor != TLSv1_3_MINOR
- || (ctx->method->downgrade && ctx->minDowngrade < TLSv1_3_MINOR)) {
- WOLFSSL_MSG_EX("ctx not quic compatible: vmajor=%d, vminor=%d, downgrade=%d",
- ctx->method->version.major,
- ctx->method->version.minor,
- ctx->method->downgrade
- );
- return WOLFSSL_FAILURE;
- }
- return WOLFSSL_SUCCESS;
- }
- static int check_method_sanity(const WOLFSSL_QUIC_METHOD* m)
- {
- WOLFSSL_ENTER("check_method_sanity");
- if (m && m->set_encryption_secrets
- && m->add_handshake_data
- && m->flush_flight
- && m->send_alert) {
- return WOLFSSL_SUCCESS;
- }
- return WOLFSSL_FAILURE;
- }
- int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX* ctx,
- const WOLFSSL_QUIC_METHOD* quic_method)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_set_quic_method");
- if (ctx_check_quic_compat(ctx) != WOLFSSL_SUCCESS
- || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
- return WOLFSSL_FAILURE;
- }
- ctx->quic.method = quic_method;
- return WOLFSSL_SUCCESS;
- }
- int wolfSSL_set_quic_method(WOLFSSL* ssl,
- const WOLFSSL_QUIC_METHOD* quic_method)
- {
- WOLFSSL_ENTER("wolfSSL_set_quic_method");
- if (ctx_check_quic_compat(ssl->ctx) != WOLFSSL_SUCCESS
- || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
- return WOLFSSL_FAILURE;
- }
- ssl->quic.method = quic_method;
- return WOLFSSL_SUCCESS;
- }
- int wolfSSL_is_quic(WOLFSSL* ssl)
- {
- return WOLFSSL_IS_QUIC(ssl);
- }
- WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL* ssl)
- {
- return ssl->quic.enc_level_read;
- }
- WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL* ssl)
- {
- return ssl->quic.enc_level_write;
- }
- int wolfSSL_set_quic_transport_params(WOLFSSL* ssl,
- const uint8_t* params,
- size_t params_len)
- {
- const QuicTransportParam* tp;
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("SSL_set_quic_transport_params");
- if (!params || params_len == 0) {
- tp = NULL;
- }
- else {
- tp = QuicTransportParam_new(params, params_len, ssl->heap);
- if (!tp) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- }
- if (ssl->quic.transport_local)
- QTP_FREE(ssl->quic.transport_local, ssl->heap);
- ssl->quic.transport_local = tp;
- cleanup:
- WOLFSSL_LEAVE("SSL_set_quic_transport_params", ret);
- return ret;
- }
- void wolfSSL_get_peer_quic_transport_params(const WOLFSSL* ssl,
- const uint8_t** out_params,
- size_t* out_params_len)
- {
- const QuicTransportParam* tp = ssl->quic.transport_peer ?
- ssl->quic.transport_peer : ssl->quic.transport_peer_draft;
- *out_params = tp ? tp->data : NULL;
- *out_params_len = tp ? tp->len : 0;
- }
- int wolfSSL_get_peer_quic_transport_version(const WOLFSSL* ssl)
- {
- return ssl->quic.transport_peer ?
- TLSX_KEY_QUIC_TP_PARAMS : (ssl->quic.transport_peer_draft ?
- TLSX_KEY_QUIC_TP_PARAMS : -1);
- }
- void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL* ssl, int use_legacy)
- {
- ssl->quic.transport_version = use_legacy ? TLSX_KEY_QUIC_TP_PARAMS_DRAFT
- : TLSX_KEY_QUIC_TP_PARAMS;
- }
- void wolfSSL_set_quic_transport_version(WOLFSSL* ssl, int version)
- {
- if (version == TLSX_KEY_QUIC_TP_PARAMS
- || version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
- || !version) {
- ssl->quic.transport_version = version;
- }
- else {
- WOLFSSL_MSG("wolfSSL_set_quic_transport_version: invalid version");
- }
- }
- int wolfSSL_get_quic_transport_version(const WOLFSSL* ssl)
- {
- return ssl->quic.transport_version;
- }
- int wolfSSL_quic_add_transport_extensions(WOLFSSL* ssl, int msg_type)
- {
- /* RFC 9001, ch. 8.2: "The quic_transport_parameters extension is carried
- * in the ClientHello and the EncryptedExtensions messages during the
- * handshake. Endpoints MUST send the quic_transport_parameters extension;"
- * Which means, at least one. There can be more to signal compatibility to
- * older/newer versions.
- */
- int ret = 0, is_resp = (msg_type == encrypted_extensions);
- if (ssl->quic.transport_local == NULL) {
- return QUIC_TP_MISSING_E;
- }
- if (is_resp) {
- /* server response: time to decide which version to use */
- if (ssl->quic.transport_peer && ssl->quic.transport_peer_draft) {
- if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) {
- ret = TLSX_QuicTP_Use(ssl,
- TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
- QTP_FREE(ssl->quic.transport_peer, ssl->heap);
- ssl->quic.transport_peer = NULL;
- }
- else {
- ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
- QTP_FREE(ssl->quic.transport_peer_draft,
- ssl->heap);
- ssl->quic.transport_peer_draft = NULL;
- }
- }
- else {
- if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
- && ssl->quic.transport_peer_draft) {
- ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT,
- is_resp);
- }
- else if (ssl->quic.transport_peer) {
- ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
- }
- else {
- /* no match, send none, will let the client fail */
- }
- }
- }
- else {
- /* client hello */
- if (ssl->quic.transport_version == 0) {
- /* not being set to a particular id, we send both draft+v1 */
- ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp)
- || TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
- }
- else {
- /* otherwise, send the version configured */
- ret = TLSX_QuicTP_Use(ssl, (TLSX_Type)ssl->quic.transport_version,
- is_resp);
- }
- }
- return ret;
- }
- #define QUIC_HS_FLIGHT_LIMIT_DEFAULT (16* 1024)
- size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL* ssl,
- WOLFSSL_ENCRYPTION_LEVEL level)
- {
- switch (level) {
- case wolfssl_encryption_initial:
- case wolfssl_encryption_application:
- return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
- case wolfssl_encryption_early_data:
- return 0; /* QUIC does not send at this level */
- case wolfssl_encryption_handshake:
- /* during handshake itself, certificates may be exchanged which
- * exceed our default limit, advise a higher limit one.
- */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (ssl->options.verifyPeer
- && MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
- return MAX_CERTIFICATE_SZ;
- }
- else {
- /* clients may receive the server cert chain
- */
- if (2*MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
- return 2*MAX_CERTIFICATE_SZ;
- }
- return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
- }
- return 0;
- }
- #ifdef WOLFSSL_EARLY_DATA
- void wolfSSL_set_quic_early_data_enabled(WOLFSSL* ssl, int enabled)
- {
- /* This only has effect on server and when the handshake has
- * not started yet.
- * This function is part of the quictls/openssl API and does
- * not return any error, sadly. So we just ignore any
- * unsuccessful use. But we can produce some warnings.
- */
- if (!WOLFSSL_IS_QUIC(ssl)) {
- WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: not a QUIC SSL");
- }
- else if (ssl->options.handShakeState != NULL_STATE) {
- WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: handshake started");
- }
- else {
- wolfSSL_set_max_early_data(ssl, enabled ? UINT32_MAX : 0);
- }
- }
- #endif /* WOLFSSL_EARLY_DATA */
- int wolfSSL_quic_do_handshake(WOLFSSL* ssl)
- {
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("wolfSSL_quic_do_handshake");
- if (!wolfSSL_is_quic(ssl)) {
- WOLFSSL_MSG("WOLFSSL_QUIC_DO_HANDSHAKE not a QUIC SSL");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- while (ssl->options.handShakeState != HANDSHAKE_DONE) {
- /* Peculiar: do_handshake() is successful, but the state
- * indicates that we are not DONE. This seems to happen
- * when resuming sessions and an EARLY_DATA indicator
- * is presented by the client.
- * Theory: wolfSSL expects the APP to read the early data
- * and silently continues the handshake when the EndOfEarlyData
- * and the client Finished arrives.
- * This confuses the QUIC state handling.
- */
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->options.maxEarlyDataSz) {
- byte tmpbuffer[256];
- int len;
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (ssl->options.resuming) {
- ret = wolfSSL_write_early_data(ssl, tmpbuffer, 0, &len);
- }
- }
- else {
- ret = wolfSSL_read_early_data(ssl, tmpbuffer,
- sizeof(tmpbuffer), &len);
- if (ret < 0 && ssl->error == ZERO_RETURN) {
- /* this is expected, since QUIC handles the actual early
- * data separately. */
- ret = WOLFSSL_SUCCESS;
- }
- }
- if (ret < 0) {
- goto cleanup;
- }
- }
- #endif /* WOLFSSL_EARLY_DATA */
- ret = wolfSSL_SSL_do_handshake_internal(ssl);
- if (ret <= 0)
- goto cleanup;
- }
- cleanup:
- if (ret <= 0
- && ssl->options.handShakeState == HANDSHAKE_DONE
- && (ssl->error == ZERO_RETURN || ssl->error == WANT_READ)) {
- ret = WOLFSSL_SUCCESS;
- }
- if (ret == WOLFSSL_SUCCESS) {
- ssl->error = WOLFSSL_ERROR_NONE;
- }
- WOLFSSL_LEAVE("wolfSSL_quic_do_handshake", ret);
- return ret;
- }
- int wolfSSL_quic_read_write(WOLFSSL* ssl)
- {
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("wolfSSL_quic_read_write");
- if (!wolfSSL_is_quic(ssl)) {
- WOLFSSL_MSG("WOLFSSL_QUIC_READ_WRITE not a QUIC SSL");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (ssl->options.handShakeState != HANDSHAKE_DONE) {
- ret = wolfSSL_quic_do_handshake(ssl);
- if (ret != WOLFSSL_SUCCESS)
- goto cleanup;
- }
- ret = wolfSSL_process_quic_post_handshake(ssl);
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_quic_read_write", ret);
- return ret;
- }
- int wolfSSL_process_quic_post_handshake(WOLFSSL* ssl)
- {
- int ret = WOLFSSL_SUCCESS, nret;
- WOLFSSL_ENTER("wolfSSL_process_quic_post_handshake");
- if (!wolfSSL_is_quic(ssl)) {
- WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS not a QUIC SSL");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (ssl->options.handShakeState != HANDSHAKE_DONE) {
- WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS handshake is not done yet");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- while (ssl->quic.input_head != NULL
- || ssl->buffers.inputBuffer.length > 0) {
- if ((nret = ProcessReply(ssl)) < 0) {
- ret = nret;
- break;
- }
- }
- while (ssl->buffers.outputBuffer.length > 0) {
- SendBuffered(ssl);
- }
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_process_quic_post_handshake", ret);
- return ret;
- }
- int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
- const uint8_t* data, size_t len)
- {
- int ret = WOLFSSL_SUCCESS;
- size_t l;
- WOLFSSL_ENTER("wolfSSL_provide_quic_data");
- if (!wolfSSL_is_quic(ssl)) {
- WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA not a QUIC SSL");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (level < wolfSSL_quic_read_level(ssl)
- || (ssl->quic.input_tail && level < ssl->quic.input_tail->level)
- || level < ssl->quic.enc_level_latest_recvd) {
- WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- while (len > 0) {
- if (ssl->quic.scratch) {
- if (ssl->quic.scratch->level != level) {
- WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- ret = quic_record_append(ssl, ssl->quic.scratch, data, len, &l);
- if (ret != WOLFSSL_SUCCESS) {
- goto cleanup;
- }
- data += l;
- len -= l;
- if (quic_record_complete(ssl->quic.scratch)) {
- if (ssl->quic.input_tail) {
- ssl->quic.input_tail->next = ssl->quic.scratch;
- ssl->quic.input_tail = ssl->quic.scratch;
- }
- else {
- ssl->quic.input_head = ssl->quic.input_tail =
- ssl->quic.scratch;
- }
- ssl->quic.scratch = NULL;
- }
- }
- else {
- /* start of next record with all bytes for the header */
- ssl->quic.scratch = quic_record_make(ssl, level, data, len);
- if (!ssl->quic.scratch) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- }
- }
- ssl->quic.enc_level_latest_recvd = level;
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_provide_quic_data", ret);
- return ret;
- }
- /* Called internally when SSL wants a certain amount of input. */
- int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
- {
- word32 n = 0;
- int transferred = 0;
- WOLFSSL_ENTER("wolfSSL_quic_receive");
- while (sz > 0) {
- n = 0;
- if (ssl->quic.input_head) {
- n = quic_record_transfer(ssl->quic.input_head, buf, sz);
- if (quic_record_done(ssl->quic.input_head)) {
- QuicRecord* qr = ssl->quic.input_head;
- ssl->quic.input_head = qr->next;
- if (!qr->next) {
- ssl->quic.input_tail = NULL;
- }
- quic_record_free(ssl, qr);
- }
- }
- if (n == 0) {
- if (transferred > 0) {
- goto cleanup;
- }
- ssl->error = transferred = WANT_READ;
- goto cleanup;
- }
- sz -= n;
- buf += n;
- transferred += n;
- }
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_quic_receive", transferred);
- return transferred;
- }
- /**
- * We need to forward the HANDSHAKE messages to the QUIC protocol stack
- * via ssl->quic.method->add_handshake_data().
- * The messages in the output buffer are unencrypted TLS records. We need
- * to forward the content of those records.
- */
- static int wolfSSL_quic_send_internal(WOLFSSL* ssl)
- {
- int ret = 0, aret;
- size_t len;
- RecordLayerHeader* rl;
- word16 rlen;
- word32 idx, length;
- byte* output;
- WOLFSSL_ENTER("wolfSSL_quic_send");
- idx = ssl->buffers.outputBuffer.idx;
- length = ssl->buffers.outputBuffer.length;
- output = ssl->buffers.outputBuffer.buffer + idx;
- while (length > 0) {
- if (ssl->quic.output_rec_remain > 0) {
- len = ssl->quic.output_rec_remain;
- if (len > length) {
- len = length;
- }
- aret = ssl->quic.method->add_handshake_data(ssl,
- ssl->quic.output_rec_level, (const uint8_t*)output, len);
- if (aret != 1) {
- /* The application has an error. General disaster. */
- WOLFSSL_MSG("WOLFSSL_QUIC_SEND application failed");
- ret = FWRITE_ERROR;
- goto cleanup;
- }
- output += len;
- length -= len;
- ssl->quic.output_rec_remain -= len;
- }
- else {
- /* at start of a TLS Record */
- rl = (RecordLayerHeader*)output;
- ato16(rl->length, &rlen);
- output += RECORD_HEADER_SZ;
- length -= RECORD_HEADER_SZ;
- ssl->quic.output_rec_remain = rlen;
- ssl->quic.output_rec_level = ssl->quic.enc_level_write;
- if (rl->type == application_data) {
- if (ssl->options.handShakeState != HANDSHAKE_DONE) {
- ssl->quic.output_rec_level = wolfssl_encryption_early_data;
- }
- else {
- WOLFSSL_MSG("WOLFSSL_QUIC_SEND app data after handshake");
- ret = FWRITE_ERROR;
- goto cleanup;
- }
- }
- }
- }
- ssl->buffers.outputBuffer.idx = 0;
- ssl->buffers.outputBuffer.length = 0;
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_quic_send", ret);
- return ret;
- }
- int wolfSSL_quic_send(WOLFSSL* ssl)
- {
- return wolfSSL_quic_send_internal(ssl);
- }
- int wolfSSL_quic_forward_secrets(WOLFSSL* ssl, int ktype, int side)
- {
- const uint8_t* rx_secret = NULL, *tx_secret = NULL;
- WOLFSSL_ENCRYPTION_LEVEL level;
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_quic_forward_secrets");
- switch (ktype) {
- case early_data_key:
- level = wolfssl_encryption_early_data;
- break;
- case handshake_key:
- level = wolfssl_encryption_handshake;
- break;
- case traffic_key:
- FALL_THROUGH;
- case update_traffic_key:
- level = wolfssl_encryption_application;
- break;
- case no_key:
- FALL_THROUGH;
- default:
- /* ignore */
- goto cleanup;
- }
- if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
- tx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
- ssl->clientSecret : ssl->serverSecret;
- }
- if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
- rx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
- ssl->serverSecret : ssl->clientSecret;
- }
- if (!tx_secret && !rx_secret) {
- WOLFSSL_MSG("WOLFSSL_QUIC_FORWARD_SECRETS neither "
- "enc- nor decrypt specified");
- goto cleanup;
- }
- ret = !ssl->quic.method->set_encryption_secrets(
- ssl, level, rx_secret, tx_secret, ssl->specs.hash_size);
- /* Having installed the secrets, any future read/write will happen
- * at the level. Except early data, which is detected on the record
- * type and the handshake state. */
- if (ktype == early_data_key) {
- goto cleanup;
- }
- if (tx_secret && ssl->quic.enc_level_write != level) {
- ssl->quic.enc_level_write_next = level;
- }
- if (rx_secret && ssl->quic.enc_level_read != level) {
- ssl->quic.enc_level_read_next = level;
- }
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_quic_forward_secrets", ret);
- return ret;
- }
- int wolfSSL_quic_keys_active(WOLFSSL* ssl, enum encrypt_side side)
- {
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_quic_keys_active");
- /* Keys derived from recent secrets have been activated */
- if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
- /* If there is data in the output buffers, it was supposed to be
- * encrypted at the previous level. We need to remember that when
- * forwarding this data to the QUIC protocol application. */
- if (ssl->buffers.outputBuffer.length > 0) {
- ret = wolfSSL_quic_send_internal(ssl);
- if (ret)
- goto cleanup;
- }
- ssl->quic.enc_level_write = ssl->quic.enc_level_write_next;
- }
- if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
- ssl->quic.enc_level_read = ssl->quic.enc_level_read_next;
- }
- cleanup:
- WOLFSSL_LEAVE("wolfSSL_quic_keys_active", ret);
- return ret;
- }
- const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl)
- {
- WOLFSSL_CIPHER* cipher = wolfSSL_get_current_cipher(ssl);
- const WOLFSSL_EVP_CIPHER* evp_cipher;
- switch (cipher->cipherSuite) {
- #if !defined(NO_AES) && defined(HAVE_AESGCM)
- case TLS_AES_128_GCM_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_gcm();
- break;
- case TLS_AES_256_GCM_SHA384:
- evp_cipher = wolfSSL_EVP_aes_256_gcm();
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- case TLS_CHACHA20_POLY1305_SHA256:
- evp_cipher = wolfSSL_EVP_chacha20_poly1305();
- break;
- #endif
- #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
- case TLS_AES_128_CCM_SHA256:
- FALL_THROUGH;
- case TLS_AES_128_CCM_8_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_ctr();
- break;
- #endif
- default:
- evp_cipher = NULL;
- break;
- }
- if (!evp_cipher) {
- /* should not happen, as SSL* should not have negotiated it? */
- WOLFSSL_MSG("wolfSSL_quic_get_aead: current cipher not supported");
- return NULL;
- }
- return evp_cipher;
- }
- static int evp_cipher_eq(const WOLFSSL_EVP_CIPHER* c1,
- const WOLFSSL_EVP_CIPHER* c2)
- {
- /* We could check on nid equality, but we seem to have singulars */
- return c1 == c2;
- }
- const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
- {
- WOLFSSL_CIPHER* cipher = wolfSSL_get_current_cipher(ssl);
- const WOLFSSL_EVP_CIPHER* evp_cipher;
- switch (cipher->cipherSuite) {
- #if !defined(NO_AES) && defined(HAVE_AESGCM)
- case TLS_AES_128_GCM_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_ctr();
- break;
- case TLS_AES_256_GCM_SHA384:
- evp_cipher = wolfSSL_EVP_aes_256_ctr();
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- case TLS_CHACHA20_POLY1305_SHA256:
- evp_cipher = wolfSSL_EVP_chacha20();
- break;
- #endif
- #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
- case TLS_AES_128_CCM_SHA256:
- FALL_THROUGH;
- case TLS_AES_128_CCM_8_SHA256:
- evp_cipher = wolfSSL_EVP_aes_128_ctr();
- break;
- #endif
- default:
- evp_cipher = NULL;
- break;
- }
- if (!evp_cipher) {
- /* should not happen, as SSL* should not have negotiated it? */
- WOLFSSL_MSG("wolfSSL_quic_get_hp: current cipher not supported");
- return NULL;
- }
- return evp_cipher;
- }
- size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher)
- {
- size_t ret;
- #ifdef WOLFSSL_SMALL_STACK
- WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX *)XMALLOC(
- sizeof(*ctx), NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (ctx == NULL)
- return 0;
- #else
- WOLFSSL_EVP_CIPHER_CTX ctx[1];
- #endif
- XMEMSET(ctx, 0, sizeof(*ctx));
- if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0)
- == WOLFSSL_SUCCESS) {
- ret = ctx->authTagSz;
- } else {
- ret = 0;
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUF);
- #endif
- return ret;
- }
- int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher)
- {
- #if !defined(NO_AES) && defined(HAVE_AESGCM)
- if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_gcm())
- #ifdef WOLFSSL_AES_256
- || evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_256_gcm())
- #endif
- ) {
- return 1;
- }
- #else
- (void)aead_cipher;
- #endif
- return 0;
- }
- int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER* aead_cipher)
- {
- #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
- if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_ctr())) {
- return 1;
- }
- #else
- (void)aead_cipher;
- #endif
- return 0;
- }
- int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER* aead_cipher)
- {
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- return evp_cipher_eq(aead_cipher, wolfSSL_EVP_chacha20_poly1305());
- #else
- (void)aead_cipher;
- return 0;
- #endif
- }
- const WOLFSSL_EVP_MD* wolfSSL_quic_get_md(WOLFSSL* ssl)
- {
- /* a copy from the handshake md setup */
- switch(ssl->specs.mac_algorithm) {
- case no_mac:
- #ifndef NO_MD5
- case md5_mac:
- return wolfSSL_EVP_md5();
- #endif
- #ifndef NO_SHA
- case sha_mac:
- return wolfSSL_EVP_sha1();
- #endif
- #ifdef WOLFSSL_SHA224
- case sha224_mac:
- return wolfSSL_EVP_sha224();
- #endif
- case sha256_mac:
- return wolfSSL_EVP_sha256();
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- return wolfSSL_EVP_sha384();
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- return wolfSSL_EVP_sha512();
- #endif
- case rmd_mac:
- case blake2b_mac:
- WOLFSSL_MSG("no suitable EVP_MD");
- return NULL;
- default:
- WOLFSSL_MSG("Unknown mac algorithm");
- return NULL;
- }
- }
- #ifdef OPENSSL_EXTRA
- int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md,
- const uint8_t* secret, size_t secretlen,
- const uint8_t* salt, size_t saltlen)
- {
- WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
- size_t destlen = (size_t)wolfSSL_EVP_MD_size(md);
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract");
- pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
- if (pctx == NULL) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
- pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
- pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
- pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- cleanup:
- if (pctx)
- wolfSSL_EVP_PKEY_CTX_free(pctx);
- WOLFSSL_LEAVE("wolfSSL_quic_hkdf_extract", ret);
- return ret;
- }
- int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen,
- const WOLFSSL_EVP_MD* md,
- const uint8_t* secret, size_t secretlen,
- const uint8_t* info, size_t infolen)
- {
- WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand");
- pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
- if (pctx == NULL) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
- pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
- pctx, (byte*)"", 0) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
- pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
- pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- cleanup:
- if (pctx)
- EVP_PKEY_CTX_free(pctx);
- WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret);
- return ret;
- }
- int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
- const WOLFSSL_EVP_MD* md,
- const uint8_t* secret, size_t secretlen,
- const uint8_t* salt, size_t saltlen,
- const uint8_t* info, size_t infolen)
- {
- WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_ENTER("wolfSSL_quic_hkdf");
- pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
- if (pctx == NULL) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
- pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
- pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
- pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
- pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
- ret = WOLFSSL_FAILURE;
- goto cleanup;
- }
- cleanup:
- if (pctx)
- EVP_PKEY_CTX_free(pctx);
- WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret);
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- WOLFSSL_EVP_CIPHER_CTX* wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER* cipher,
- const uint8_t* key,
- const uint8_t* iv,
- int encrypt)
- {
- WOLFSSL_EVP_CIPHER_CTX* ctx;
- ctx = wolfSSL_EVP_CIPHER_CTX_new();
- if (ctx == NULL) {
- return NULL;
- }
- if (wolfSSL_EVP_CipherInit(ctx, cipher, key, iv, encrypt)
- != WOLFSSL_SUCCESS) {
- wolfSSL_EVP_CIPHER_CTX_free(ctx);
- return NULL;
- }
- return ctx;
- }
- int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
- const uint8_t* plain, size_t plainlen,
- const uint8_t* iv, const uint8_t* aad,
- size_t aadlen)
- {
- int len;
- /* A case can be made if this really should be a function in wolfSSL, since
- * the same should be doable from the API by a QUIC protocol stack.
- * What speaks for this:
- * - it gives us a decent testing point
- * - API users do not have to re-invent (it fits into ngtcp2 use).
- * picotls offers a similar abstraction level for AEAD.
- * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers
- * which we need to check.
- */
- if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherUpdate(
- ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherUpdate(
- ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CIPHER_CTX_ctrl(
- ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen)
- != WOLFSSL_SUCCESS) {
- return WOLFSSL_FAILURE;
- }
- return WOLFSSL_SUCCESS;
- }
- int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
- const uint8_t* enc, size_t enclen,
- const uint8_t* iv, const uint8_t* aad,
- size_t aadlen)
- {
- int len;
- const uint8_t* tag;
- /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */
- if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) {
- return WOLFSSL_FAILURE;
- }
- enclen -= ctx->authTagSz;
- tag = enc + enclen;
- if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CIPHER_CTX_ctrl(
- ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag)
- != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen)
- != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherUpdate(ctx, dest, &len, enc, (int)enclen)
- != WOLFSSL_SUCCESS
- || wolfSSL_EVP_CipherFinal(ctx, dest, &len) != WOLFSSL_SUCCESS) {
- return WOLFSSL_FAILURE;
- }
- return WOLFSSL_SUCCESS;
- }
- #endif /* WOLFSSL_QUIC */
- #endif /* WOLFCRYPT_ONLY */
|