quic.h 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606
  1. /*!
  2. \ingroup QUIC
  3. \brief Callback invoked when secrets are generated during a handshake.
  4. Since QUIC protocol handlers perform the en-/decryption of packets, they
  5. need the negotiated secrets for the levels early_data/handshake/application.
  6. The callback will be invoked several times during a handshake. Either both
  7. or only the read or write secret might be provided. This does not mean the
  8. given encryption level is already in effect.
  9. \return 1 on success, 0 on failure.
  10. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  11. \param level - the encryption level the secrets are for
  12. \param read_secret - the secret used in decryption at the given level, may be NULL.
  13. \param write_secret - the secret used in encryption at the given level, may be NULL.
  14. \param secret_len - the length of the secret
  15. \sa wolfSSL_set_quic_method
  16. */
  17. int (*set_encryption_secrets)(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  18. const uint8_t *read_secret,
  19. const uint8_t *write_secret, size_t secret_len);
  20. /*!
  21. \ingroup QUIC
  22. \brief Callback invoked for forwarding handshake CRYPTO data to peer.
  23. The data forwarded this way is not encrypted. It is the job of the QUIC
  24. protocol implementation to do this. Which secrets are to be used
  25. is determined by the encryption level specified.
  26. This callback may be invoked several times during handshake or post handshake
  27. processing. The data may cover a complete CRYPTO record, but may also
  28. be partial. However, the callback will have received all records data before
  29. using another encryption level.
  30. \return 1 on success, 0 on failure.
  31. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  32. \param level - the encryption level to use for encrypting the data
  33. \param data - the data itself
  34. \param len - the length of the data
  35. \sa wolfSSL_set_quic_method
  36. */
  37. int (*add_handshake_data)(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level,
  38. const uint8_t *data, size_t len);
  39. /*!
  40. \ingroup QUIC
  41. \brief Callback invoked for advisory flushing of the data to send.
  42. \return 1 on success, 0 on failure.
  43. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  44. \sa wolfSSL_set_quic_method
  45. */
  46. int (*flush_flight)(WOLFSSL *ssl);
  47. /*!
  48. \ingroup QUIC
  49. \brief Callback invoked when an SSL alert happened during processing.
  50. \return 1 on success, 0 on failure.
  51. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  52. \param level - the encryption level in effect when the alert happened
  53. \param alert - the error
  54. \sa wolfSSL_set_quic_method
  55. */
  56. int (*send_alert)(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t alert);
  57. /*!
  58. \ingroup QUIC
  59. \brief Activate QUIC protocol for a WOLFSSL_CTX and all derived WOLFSSL instances
  60. by providing the four callbacks required. The CTX needs to be a TLSv1.3 one.
  61. The passed quic_method needs to have a lifetime outlasting the SSL instances.
  62. It is not copied. All callbacks need to be provided.
  63. \return WOLFSSL_SUCCESS If successful.
  64. \param ctx - a pointer to a WOLFSSL_CTX structure, created using wolfSSL_CTX_new().
  65. \param quic_method - the callback structure
  66. \sa wolfSSL_is_quic
  67. \sa wolfSSL_set_quic_method
  68. */
  69. int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX *ctx, const WOLFSSL_QUIC_METHOD *quic_method);
  70. /*!
  71. \ingroup QUIC
  72. \brief Activate QUIC protocol for a WOLFSSL instance by providing the
  73. four callbacks required. The WOLFSSL needs to be a TLSv1.3 one.
  74. The passed quic_method needs to have a lifetime outlasting the SSL instance.
  75. It is not copied. All callbacks need to be provided.
  76. \return WOLFSSL_SUCCESS If successful.
  77. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  78. \param quic_method - the callback structure
  79. \sa wolfSSL_is_quic
  80. \sa wolfSSL_CTX_set_quic_method
  81. */
  82. int wolfSSL_set_quic_method(WOLFSSL *ssl, const WOLFSSL_QUIC_METHOD *quic_method);
  83. /*!
  84. \ingroup QUIC
  85. \brief Check if QUIC has been activated in a WOLFSSL instance.
  86. \return 1 if WOLFSSL is using QUIC.
  87. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  88. \sa wolfSSL_CTX_quic_method
  89. \sa wolfSSL_CTX_set_quic_method
  90. */
  91. int wolfSSL_is_quic(WOLFSSL *ssl);
  92. /*!
  93. \ingroup QUIC
  94. \brief Determine the encryption level for reads currently in use. Meaningful only when
  95. the WOLFSSL instance is using QUIC.
  96. Note that the effective level is always a parameter when passing data back and
  97. forth. Data from a peer might arrive at other levels than reported via this
  98. function.
  99. \return encryption level.
  100. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  101. \sa wolfSSL_quic_write_level
  102. */
  103. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL *ssl);
  104. /*!
  105. \ingroup QUIC
  106. \brief Determine the encryption level for writes currently in use. Meaningful only when
  107. the WOLFSSL instance is using QUIC.
  108. Note that the effective level is always a parameter when passing data back and
  109. forth. Data from a peer might arrive at other levels than reported via this
  110. function.
  111. \return encryption level.
  112. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  113. \sa wolfSSL_quic_read_level
  114. */
  115. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL *ssl);
  116. /*!
  117. \ingroup QUIC
  118. \brief Configure which QUIC version shall be used. Without calling this,
  119. the WOLFSSL will offer both (draft-27 and v1) to a server, resp. accept
  120. both from a client and negotiate the most recent one.
  121. \return WOLFSSL_SUCCESS If successful.
  122. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  123. \param use_legacy - true if draft-27 shall be used, 0 if only QUICv1 is used.
  124. \sa wolfSSL_set_quic_transport_version
  125. */
  126. void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL *ssl, int use_legacy);
  127. /*!
  128. \ingroup QUIC
  129. \brief Configure which QUIC version shall be used.
  130. \return WOLFSSL_SUCCESS If successful.
  131. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  132. \param version - the TLS Extension defined for the QUIC version.
  133. \sa wolfSSL_set_quic_use_legacy_codepoint
  134. */
  135. void wolfSSL_set_quic_transport_version(WOLFSSL *ssl, int version);
  136. /*!
  137. \ingroup QUIC
  138. \brief Get the configured QUIC version.
  139. \return TLS Extension of configured version.
  140. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  141. \sa wolfSSL_set_quic_use_legacy_codepoint
  142. \sa wolfSSL_set_quic_transport_version
  143. */
  144. int wolfSSL_get_quic_transport_version(const WOLFSSL *ssl);
  145. /*!
  146. \ingroup QUIC
  147. \brief Set the QUIC transport parameters to use.
  148. \return WOLFSSL_SUCCESS If successful.
  149. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  150. \param params - the parameter bytes to use
  151. ·param params_len - the length of the parameters
  152. \sa wolfSSL_set_quic_use_legacy_codepoint
  153. \sa wolfSSL_set_quic_transport_version
  154. */
  155. int wolfSSL_set_quic_transport_params(WOLFSSL *ssl, const uint8_t *params, size_t params_len);
  156. /*!
  157. \ingroup QUIC
  158. \brief Get the negotiated QUIC transport version. This will only give
  159. meaningful results when called after the respective TLS extensions have
  160. been seen from the peer.
  161. \return the negotiated version or -1.
  162. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  163. \sa wolfSSL_set_quic_use_legacy_codepoint
  164. \sa wolfSSL_set_quic_transport_version
  165. */
  166. int wolfSSL_get_peer_quic_transport_version(const WOLFSSL *ssl);
  167. /*!
  168. \ingroup QUIC
  169. \brief Get the negotiated QUIC transport parameters. This will only give
  170. meaningful results when called after the respective TLS extensions have
  171. been seen from the peer.
  172. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  173. \param out_params - the parameters sent be the peer, set to NULL if not available.
  174. \param out_params_len - the length of the parameters sent be the peer, set to 0 if not available
  175. \sa wolfSSL_get_peer_quic_transport_version
  176. */
  177. void wolfSSL_get_peer_quic_transport_params(const WOLFSSL *ssl, const uint8_t **out_params, size_t *out_params_len);
  178. /*!
  179. \ingroup QUIC
  180. \brief Configure if Early Data is enabled. Intended for servers to signal
  181. this to clients.
  182. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  183. \param enabled - != 0 iff early data is enabled
  184. */
  185. void wolfSSL_set_quic_early_data_enabled(WOLFSSL *ssl, int enabled);
  186. /*!
  187. \ingroup QUIC
  188. \brief Get advice on the amount of data that shall be "in flight", e.g. unacknowledged
  189. at the given encryption level. This is the amount of data the WOLFSSL instance
  190. is prepared to buffer.
  191. \return the recommend max data in flight
  192. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  193. \param level - the encryption level to inquire about
  194. */
  195. size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level);
  196. /*!
  197. \ingroup QUIC
  198. \brief Pass decrypted CRYPTO data to the WOLFSSL instance for further processing.
  199. The encryption level between calls is only every allowed to increase and it is
  200. also checked that data records are complete before a change in encryption
  201. level is accepted.
  202. \return WOLFSSL_SUCCESS If successful.
  203. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  204. \param level - the level the data was encrypted at
  205. \param data - the data itself
  206. \param len - the length of the data
  207. \sa wolfSSL_process_quic_post_handshake
  208. \sa wolfSSL_quic_read_write
  209. \sa wolfSSL_accept
  210. \sa wolfSSL_connect
  211. */
  212. int wolfSSL_provide_quic_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, const uint8_t *data, size_t len);
  213. /*!
  214. \ingroup QUIC
  215. \brief Process any CRYPTO records that have been provided after the handshake
  216. has completed. Will fail if called before that.
  217. \return WOLFSSL_SUCCESS If successful.
  218. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  219. \sa wolfSSL_provide_quic_data
  220. \sa wolfSSL_quic_read_write
  221. \sa wolfSSL_accept
  222. \sa wolfSSL_connect
  223. */
  224. WOLFSSL_API int wolfSSL_process_quic_post_handshake(WOLFSSL *ssl);
  225. /*!
  226. \ingroup QUIC
  227. \brief Process any CRYPTO records that have been provided during or after the handshake.
  228. Will progress the handshake if not already complete and otherwise work like
  229. wolfSSL_process_quic_post_handshake().
  230. \return WOLFSSL_SUCCESS If successful.
  231. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  232. \sa wolfSSL_provide_quic_data
  233. \sa wolfSSL_quic_read_write
  234. \sa wolfSSL_accept
  235. \sa wolfSSL_connect
  236. */
  237. int wolfSSL_quic_read_write(WOLFSSL *ssl);
  238. /*!
  239. \ingroup QUIC
  240. \brief Get the AEAD cipher negotiated in the TLS handshake.
  241. \return negotiated cipher or NULL if not determined.
  242. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  243. \sa wolfSSL_quic_aead_is_gcm
  244. \sa wolfSSL_quic_aead_is_ccm
  245. \sa wolfSSL_quic_aead_is_chacha20
  246. \sa wolfSSL_quic_get_aead_tag_len
  247. \sa wolfSSL_quic_get_md
  248. \sa wolfSSL_quic_get_hp
  249. \sa wolfSSL_quic_crypt_new
  250. \sa wolfSSL_quic_aead_encrypt
  251. \sa wolfSSL_quic_aead_decrypt
  252. */
  253. const WOLFSSL_EVP_CIPHER *wolfSSL_quic_get_aead(WOLFSSL *ssl);
  254. /*!
  255. \ingroup QUIC
  256. \brief Check if the AEAD cipher is GCM.
  257. \return != 0 iff the AEAD cipher is GCM.
  258. \param cipher - the cipher
  259. \sa wolfSSL_quic_get_aead
  260. \sa wolfSSL_quic_aead_is_ccm
  261. \sa wolfSSL_quic_aead_is_chacha20
  262. \sa wolfSSL_quic_get_aead_tag_len
  263. \sa wolfSSL_quic_get_md
  264. \sa wolfSSL_quic_get_hp
  265. \sa wolfSSL_quic_crypt_new
  266. \sa wolfSSL_quic_aead_encrypt
  267. \sa wolfSSL_quic_aead_decrypt
  268. */
  269. int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER *aead_cipher);
  270. /*!
  271. \ingroup QUIC
  272. \brief Check if the AEAD cipher is CCM.
  273. \return != 0 iff the AEAD cipher is CCM.
  274. \param cipher - the cipher
  275. \sa wolfSSL_quic_get_aead
  276. \sa wolfSSL_quic_aead_is_gcm
  277. \sa wolfSSL_quic_aead_is_chacha20
  278. \sa wolfSSL_quic_get_aead_tag_len
  279. \sa wolfSSL_quic_get_md
  280. \sa wolfSSL_quic_get_hp
  281. \sa wolfSSL_quic_crypt_new
  282. \sa wolfSSL_quic_aead_encrypt
  283. \sa wolfSSL_quic_aead_decrypt
  284. */
  285. int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER *aead_cipher);
  286. /*!
  287. \ingroup QUIC
  288. \brief Check if the AEAD cipher is CHACHA20.
  289. \return != 0 iff the AEAD cipher is CHACHA20.
  290. \param cipher - the cipher
  291. \sa wolfSSL_quic_get_aead
  292. \sa wolfSSL_quic_aead_is_ccm
  293. \sa wolfSSL_quic_aead_is_gcm
  294. \sa wolfSSL_quic_get_aead_tag_len
  295. \sa wolfSSL_quic_get_md
  296. \sa wolfSSL_quic_get_hp
  297. \sa wolfSSL_quic_crypt_new
  298. \sa wolfSSL_quic_aead_encrypt
  299. \sa wolfSSL_quic_aead_decrypt
  300. */
  301. int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER *aead_cipher);
  302. /*!
  303. \ingroup QUIC
  304. \brief Determine the tag length for the AEAD cipher.
  305. \return tag length of AEAD cipher.
  306. \param cipher - the cipher
  307. \sa wolfSSL_quic_get_aead
  308. */
  309. WOLFSSL_API size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER *aead_cipher);
  310. /*!
  311. \ingroup QUIC
  312. \brief Determine the message digest negotiated in the TLS handshake.
  313. \return the message digest negotiated in the TLS handshake
  314. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  315. \sa wolfSSL_quic_get_aead
  316. \sa wolfSSL_quic_get_hp
  317. */
  318. WOLFSSL_API const WOLFSSL_EVP_MD *wolfSSL_quic_get_md(WOLFSSL *ssl);
  319. /*!
  320. \ingroup QUIC
  321. \brief Determine the header protection cipher negotiated in the TLS handshake.
  322. \return the header protection cipher negotiated in the TLS handshake
  323. \param ssl - a pointer to a WOLFSSL structure, created using wolfSSL_new().
  324. \sa wolfSSL_quic_get_aead
  325. \sa wolfSSL_quic_get_md
  326. */
  327. const WOLFSSL_EVP_CIPHER *wolfSSL_quic_get_hp(WOLFSSL *ssl);
  328. /*!
  329. \ingroup QUIC
  330. \brief Create a cipher context for en-/decryption.
  331. \return the created context or NULL in case of errors.
  332. \param cipher - the cipher to use in the context.
  333. \param key - the key to use in the context.
  334. \param iv - the iv to use in the context.
  335. \param encrypt - != 0 if for encryption, otherwise decryption
  336. \sa wolfSSL_quic_get_aead
  337. \sa wolfSSL_quic_get_hp
  338. \sa wolfSSL_quic_aead_encrypt
  339. \sa wolfSSL_quic_aead_decrypt
  340. */
  341. WOLFSSL_EVP_CIPHER_CTX *wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER *cipher,
  342. const uint8_t *key, const uint8_t *iv, int encrypt);
  343. /*!
  344. \ingroup QUIC
  345. \brief Encrypt the plain text in the given context.
  346. \return WOLFSSL_SUCCESS If successful.
  347. \param dest - destination where encrypted data is to be written
  348. \param aead_ctx - the cipher context to use
  349. \param plain - the plain data to encrypt
  350. \param plainlen - the length of the plain data
  351. \param iv - the iv to use
  352. \param aad - the add to use
  353. \param aadlen - the length of the aad
  354. \sa wolfSSL_quic_get_aead
  355. \sa wolfSSL_quic_get_hp
  356. \sa wolfSSL_quic_crypt_new
  357. \sa wolfSSL_quic_aead_decrypt
  358. */
  359. int wolfSSL_quic_aead_encrypt(uint8_t *dest, WOLFSSL_EVP_CIPHER_CTX *aead_ctx,
  360. const uint8_t *plain, size_t plainlen,
  361. const uint8_t *iv, const uint8_t *aad, size_t aadlen);
  362. /*!
  363. \ingroup QUIC
  364. \brief Decrypt the cipher text in the given context.
  365. \return WOLFSSL_SUCCESS If successful.
  366. \param dest - destination where plain text is to be written
  367. \param ctx - the cipher context to use
  368. \param enc - the encrypted data to decrypt
  369. \param envlen - the length of the encrypted data
  370. \param iv - the iv to use
  371. \param aad - the add to use
  372. \param aadlen - the length of the aad
  373. \sa wolfSSL_quic_get_aead
  374. \sa wolfSSL_quic_get_hp
  375. \sa wolfSSL_quic_crypt_new
  376. \sa wolfSSL_quic_aead_encrypt
  377. */
  378. int wolfSSL_quic_aead_decrypt(uint8_t *dest, WOLFSSL_EVP_CIPHER_CTX *ctx,
  379. const uint8_t *enc, size_t enclen,
  380. const uint8_t *iv, const uint8_t *aad, size_t aadlen);
  381. /*!
  382. \ingroup QUIC
  383. \brief Extract a pseudo random key.
  384. \return WOLFSSL_SUCCESS If successful.
  385. \param dest - destination where key is to be written
  386. \param md - message digest to use
  387. \param secret - the secret to use
  388. \param secretlen - the length of the secret
  389. \param salt - the salt to use
  390. \param saltlen - the length of the salt
  391. \sa wolfSSL_quic_hkdf_expand
  392. \sa wolfSSL_quic_hkdf
  393. */
  394. int wolfSSL_quic_hkdf_extract(uint8_t *dest, const WOLFSSL_EVP_MD *md,
  395. const uint8_t *secret, size_t secretlen,
  396. const uint8_t *salt, size_t saltlen);
  397. /*!
  398. \ingroup QUIC
  399. \brief Expand a pseudo random key into a new key.
  400. \return WOLFSSL_SUCCESS If successful.
  401. \param dest - destination where key is to be written
  402. \param destlen - length of the key to expand
  403. \param md - message digest to use
  404. \param secret - the secret to use
  405. \param secretlen - the length of the secret
  406. \param info - the info to use
  407. \param infolen - the length of the info
  408. \sa wolfSSL_quic_hkdf_extract
  409. \sa wolfSSL_quic_hkdf
  410. */
  411. int wolfSSL_quic_hkdf_expand(uint8_t *dest, size_t destlen,
  412. const WOLFSSL_EVP_MD *md,
  413. const uint8_t *secret, size_t secretlen,
  414. const uint8_t *info, size_t infolen);
  415. /*!
  416. \ingroup QUIC
  417. \brief Expand and Extract a pseudo random key.
  418. \return WOLFSSL_SUCCESS If successful.
  419. \param dest - destination where key is to be written
  420. \param destlen - length of the key
  421. \param md - message digest to use
  422. \param secret - the secret to use
  423. \param secretlen - the length of the secret
  424. \param salt - the salt to use
  425. \param saltlen - the length of the salt
  426. \param info - the info to use
  427. \param infolen - the length of the info
  428. \sa wolfSSL_quic_hkdf_extract
  429. \sa wolfSSL_quic_hkdf_expand
  430. */
  431. int wolfSSL_quic_hkdf(uint8_t *dest, size_t destlen,
  432. const WOLFSSL_EVP_MD *md,
  433. const uint8_t *secret, size_t secretlen,
  434. const uint8_t *salt, size_t saltlen,
  435. const uint8_t *info, size_t infolen);