Home Explore Help
Register Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Branch: master
Branches Tags
wolfssl
/
src
/
quic.c

quic.c 41 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382 
  1. /* quic.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2023 wolfSSL Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of wolfSSL.
    6. 

  6.  *
    7. 

  7.  * wolfSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * wolfSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
    20. 

  20.  */
    21. 

  21. 

  22. 

  23.   /* Name change compatibility layer no longer needs to be included here */
    24. 

  24. 

  25. #ifdef HAVE_CONFIG_H
    26. 

  26.     #include <config.h>
    27. 

  27. #endif
    28. 

  28. 

  29. #include <wolfssl/wolfcrypt/settings.h>
    30. 

  30. #ifdef NO_INLINE
    31. 

  31.     #include <wolfssl/wolfcrypt/misc.h>
    32. 

  32. #else
    33. 

  33.     #define WOLFSSL_MISC_INCLUDED
    34. 

  34.     #include <wolfcrypt/src/misc.c>
    35. 

  35. #endif
    36. 

  36. 

  37. #ifndef WOLFCRYPT_ONLY
    38. 

  38. #ifdef WOLFSSL_QUIC
    39. 

  39. 

  40. #include <wolfssl/error-ssl.h>
    41. 

  41. #include <wolfssl/ssl.h>
    42. 

  42. #include <wolfssl/internal.h>
    43. 

  43. 

  44. #include <wolfssl/openssl/buffer.h>
    45. 

  45. #include <wolfssl/openssl/ecdsa.h>
    46. 

  46. #include <wolfssl/openssl/evp.h>
    47. 

  47. #include <wolfssl/openssl/kdf.h>
    48. 

  48. 

  49. 

  50. static int qr_length(const uint8_t *data, size_t len)
    51. 

  51. {
    52. 

  52.     word32 rlen;
    53. 

  53.     if (len < 4) {
    54. 

  54.         return 0;
    55. 

  55.     }
    56. 

  56.     c24to32(&data[1], &rlen);
    57. 

  57.     return (int)rlen + 4;
    58. 

  58. }
    59. 

  59. 

  60. static void quic_record_free(WOLFSSL *ssl, QuicRecord *r)
    61. 

  61. {
    62. 

  62.     (void)ssl;
    63. 

  63.     if (r->data) {
    64. 

  64.         ForceZero(r->data, r->capacity);
    65. 

  65.         XFREE(r->data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    66. 

  66.     }
    67. 

  67.     XFREE(r, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    68. 

  68. }
    69. 

  69. 

  70. 

  71. static QuicRecord *quic_record_make(WOLFSSL *ssl,
    72. 

  72.                                     WOLFSSL_ENCRYPTION_LEVEL level,
    73. 

  73.                                     const uint8_t *data, size_t len)
    74. 

  74. {
    75. 

  75.     QuicRecord *qr;
    76. 

  76. 

  77.     qr = (QuicRecord*)XMALLOC(sizeof(*qr), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    78. 

  78.     if (qr) {
    79. 

  79.         memset(qr, 0, sizeof(*qr));
    80. 

  80.         qr->level = level;
    81. 

  81.         if (level == wolfssl_encryption_early_data) {
    82. 

  82.             qr->capacity = qr->len = (word32)len;
    83. 

  83.         }
    84. 

  84.         else {
    85. 

  85.             qr->capacity = qr->len = qr_length(data, len);
    86. 

  86.             if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
    87. 

  87.                 WOLFSSL_MSG("QUIC length read larger than expected");
    88. 

  88.                 quic_record_free(ssl, qr);
    89. 

  89.                 return NULL;
    90. 

  90.             }
    91. 

  91.         }
    92. 

  92.         if (qr->capacity == 0) {
    93. 

  93.             qr->capacity = 2*1024;
    94. 

  94.         }
    95. 

  95.         qr->data = (uint8_t*)XMALLOC(qr->capacity, ssl->heap,
    96. 

  96.                                      DYNAMIC_TYPE_TMP_BUFFER);
    97. 

  97.         if (!qr->data) {
    98. 

  98.             quic_record_free(ssl, qr);
    99. 

  99.             return NULL;
    100. 

  100.         }
    101. 

  101.     }
    102. 

  102.     return qr;
    103. 

  103. }
    104. 

  104. 

  105. static int quic_record_complete(QuicRecord *r)
    106. 

  106. {
    107. 

  107.     return r->len && r->end >= r->len;
    108. 

  108. }
    109. 

  109. 

  110. static int quic_record_done(QuicRecord *r)
    111. 

  111. {
    112. 

  112.     return r->len && r->end >= r->len && r->start >= r->end;
    113. 

  113. }
    114. 

  114. 

  115. static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
    116. 

  116.                               size_t len, size_t *pconsumed)
    117. 

  117. {
    118. 

  118.     size_t missing, consumed = 0;
    119. 

  119.     int ret = WOLFSSL_SUCCESS;
    120. 

  120. 

  121.     (void)ssl;
    122. 

  122.     if (!qr->len && len) {
    123. 

  123.         missing = 4 - qr->end;
    124. 

  124.         if (len < missing) {
    125. 

  125.             XMEMCPY(qr->data + qr->end, data, len);
    126. 

  126.             qr->end += len;
    127. 

  127.             consumed = len;
    128. 

  128.             goto cleanup; /* len consumed, but qr->len still unknown */
    129. 

  129.         }
    130. 

  130.         XMEMCPY(qr->data + qr->end, data, missing);
    131. 

  131.         qr->end += missing;
    132. 

  132.         len -= missing;
    133. 

  133.         data += missing;
    134. 

  134.         consumed = missing;
    135. 

  135. 

  136.         qr->len = qr_length(qr->data, qr->end);
    137. 

  137. 

  138.         /* sanity check on length read from wire before use */
    139. 

  139.         if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
    140. 

  140.             WOLFSSL_MSG("Length read for quic is larger than expected");
    141. 

  141.             ret = BUFFER_E;
    142. 

  142.             goto cleanup;
    143. 

  143.         }
    144. 

  144. 

  145.         if (qr->len > qr->capacity) {
    146. 

  146.             uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
    147. 

  147.                                                 DYNAMIC_TYPE_TMP_BUFFER);
    148. 

  148.             if (!ndata) {
    149. 

  149.                 ret = WOLFSSL_FAILURE;
    150. 

  150.                 goto cleanup;
    151. 

  151.             }
    152. 

  152.             qr->data = ndata;
    153. 

  153.             qr->capacity = qr->len;
    154. 

  154.         }
    155. 

  155.     }
    156. 

  156. 

  157.     if (quic_record_complete(qr) || len == 0) {
    158. 

  158.         return 0;
    159. 

  159.     }
    160. 

  160. 

  161.     missing = qr->len - qr->end;
    162. 

  162.     if (len > missing) {
    163. 

  163.         len = missing;
    164. 

  164.     }
    165. 

  165.     XMEMCPY(qr->data + qr->end, data, len);
    166. 

  166.     qr->end += len;
    167. 

  167.     consumed += len;
    168. 

  168. 

  169. cleanup:
    170. 

  170.     *pconsumed = (ret == WOLFSSL_SUCCESS) ? consumed : 0;
    171. 

  171.     return ret;
    172. 

  172. }
    173. 

  173. 

  174. 

  175. static word32 add_rec_header(byte* output, word32 length, int type)
    176. 

  176. {
    177. 

  177.     RecordLayerHeader* rl;
    178. 

  178. 

  179.     /* record layer header */
    180. 

  180.     rl = (RecordLayerHeader*)output;
    181. 

  181.     if (rl == NULL) {
    182. 

  182.         return 0;
    183. 

  183.     }
    184. 

  184.     rl->type    = type;
    185. 

  185.     rl->pvMajor = SSLv3_MAJOR;
    186. 

  186.     rl->pvMinor = TLSv1_2_MINOR;
    187. 

  187.     c16toa((word16)length, rl->length);
    188. 

  188.     return RECORD_HEADER_SZ;
    189. 

  189. }
    190. 

  190. 

  191. static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
    192. 

  192. {
    193. 

  193.     word32 len = qr->end - qr->start;
    194. 

  194.     word32 offset = 0;
    195. 

  195.     word16 rlen;
    196. 

  196. 

  197.     if (len <= 0) {
    198. 

  198.         return 0;
    199. 

  199.     }
    200. 

  200.     if (qr->rec_hdr_remain == 0) {
    201. 

  201.         /* start a new TLS record */
    202. 

  202.         rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
    203. 

  203.                 qr->len : (word32)MAX_RECORD_SIZE;
    204. 

  204.         offset += add_rec_header(buf, rlen,
    205. 

  205.                                  (qr->level == wolfssl_encryption_early_data) ?
    206. 

  206.                                   application_data : handshake);
    207. 

  207.         qr->rec_hdr_remain = rlen;
    208. 

  208.         sz -= offset;
    209. 

  209.     }
    210. 

  210.     if (len > qr->rec_hdr_remain) {
    211. 

  211.         len = qr->rec_hdr_remain;
    212. 

  212.     }
    213. 

  213.     if (len > sz) {
    214. 

  214.         len = sz;
    215. 

  215.     }
    216. 

  216.     if (len > 0) {
    217. 

  217.         XMEMCPY(buf + offset, qr->data + qr->start, len);
    218. 

  218.         qr->start += len;
    219. 

  219.         qr->rec_hdr_remain -= len;
    220. 

  220.     }
    221. 

  221.     return len + offset;
    222. 

  222. }
    223. 

  223. 

  224. 

  225. const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
    226. 

  226.                                                  size_t len, void* heap)
    227. 

  227. {
    228. 

  228.     QuicTransportParam* tp;
    229. 

  229. 

  230.     if (len > 65353) return NULL;
    231. 

  231.     tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
    232. 

  232.     if (!tp) return NULL;
    233. 

  233.     tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
    234. 

  234.     if (!tp->data) {
    235. 

  235.         XFREE(tp, heap, DYNAMIC_TYPE_TLSX);
    236. 

  236.         return NULL;
    237. 

  237.     }
    238. 

  238.     XMEMCPY((uint8_t*)tp->data, data, len);
    239. 

  239.     tp->len = len;
    240. 

  240.     return tp;
    241. 

  241. }
    242. 

  242. 

  243. const QuicTransportParam* QuicTransportParam_dup(const QuicTransportParam* tp,
    244. 

  244.                                                  void* heap)
    245. 

  245. {
    246. 

  246.     QuicTransportParam* tp2;
    247. 

  247.     tp2 = (QuicTransportParam*)XMALLOC(sizeof(*tp2), heap, DYNAMIC_TYPE_TLSX);
    248. 

  248.     if (!tp2) return NULL;
    249. 

  249.     tp2->data = (uint8_t*)XMALLOC(tp->len, heap, DYNAMIC_TYPE_TLSX);
    250. 

  250.     if (!tp2->data) {
    251. 

  251.         XFREE(tp2, heap, DYNAMIC_TYPE_TLSX);
    252. 

  252.         return NULL;
    253. 

  253.     }
    254. 

  254.     XMEMCPY((uint8_t*)tp2->data, tp->data, tp->len);
    255. 

  255.     tp2->len = tp->len;
    256. 

  256.     return tp2;
    257. 

  257. }
    258. 

  258. 

  259. void QuicTransportParam_free(const QuicTransportParam* tp, void* heap)
    260. 

  260. {
    261. 

  261.     (void)heap;
    262. 

  262.     if (tp) {
    263. 

  263.         if (tp->data) XFREE((uint8_t*)tp->data, heap, DYNAMIC_TYPE_TLSX);
    264. 

  264.         XFREE((void*)tp, heap, DYNAMIC_TYPE_TLSX);
    265. 

  265.     }
    266. 

  266. }
    267. 

  267. 

  268. 

  269. void wolfSSL_quic_clear(WOLFSSL* ssl)
    270. 

  270. {
    271. 

  271.     QuicEncData* qd;
    272. 

  272. 

  273.     /* keep
    274. 

  274.      * - ssl->quic.transport_local
    275. 

  275.      * - ssl->quic.method
    276. 

  276.      * - ssl->quic.transport_version
    277. 

  277.      * reset/free everything else
    278. 

  278.      */
    279. 

  279.     if (ssl->quic.transport_peer) {
    280. 

  280.         QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    281. 

  281.         ssl->quic.transport_peer = NULL;
    282. 

  282.     }
    283. 

  283.     if (ssl->quic.transport_peer_draft) {
    284. 

  284.         QTP_FREE(ssl->quic.transport_peer_draft, ssl->heap);
    285. 

  285.         ssl->quic.transport_peer_draft = NULL;
    286. 

  286.     }
    287. 

  287.     ssl->quic.enc_level_write = wolfssl_encryption_initial;
    288. 

  288.     ssl->quic.enc_level_latest_recvd = wolfssl_encryption_initial;
    289. 

  289. 

  290.     while ((qd = ssl->quic.input_head)) {
    291. 

  291.         ssl->quic.input_head = qd->next;
    292. 

  292.         quic_record_free(ssl, qd);
    293. 

  293.     }
    294. 

  294.     ssl->quic.input_tail = NULL;
    295. 

  295.     ssl->quic.output_rec_remain = 0;
    296. 

  296. 

  297.     if (ssl->quic.scratch) {
    298. 

  298.         quic_record_free(ssl, ssl->quic.scratch);
    299. 

  299.         ssl->quic.scratch = NULL;
    300. 

  300.     }
    301. 

  301. }
    302. 

  302. 

  303. 

  304. void wolfSSL_quic_free(WOLFSSL* ssl)
    305. 

  305. {
    306. 

  306.     wolfSSL_quic_clear(ssl);
    307. 

  307.     if (ssl->quic.transport_local) {
    308. 

  308.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    309. 

  309.         ssl->quic.transport_local = NULL;
    310. 

  310.     }
    311. 

  311. 

  312.     ssl->quic.method = NULL;
    313. 

  313. }
    314. 

  314. 

  315. 

  316. static int ctx_check_quic_compat(const WOLFSSL_CTX* ctx)
    317. 

  317. {
    318. 

  318.     WOLFSSL_ENTER("ctx_check_quic_compat");
    319. 

  319.     if (ctx->method->version.major != SSLv3_MAJOR
    320. 

  320.         || ctx->method->version.minor != TLSv1_3_MINOR
    321. 

  321.         || (ctx->method->downgrade && ctx->minDowngrade < TLSv1_3_MINOR)) {
    322. 

  322.         WOLFSSL_MSG_EX("ctx not quic compatible: vmajor=%d, vminor=%d, downgrade=%d",
    323. 

  323.                        ctx->method->version.major,
    324. 

  324.                        ctx->method->version.minor,
    325. 

  325.                        ctx->method->downgrade
    326. 

  326.                       );
    327. 

  327.         return WOLFSSL_FAILURE;
    328. 

  328.     }
    329. 

  329.     return WOLFSSL_SUCCESS;
    330. 

  330. }
    331. 

  331. 

  332. static int check_method_sanity(const WOLFSSL_QUIC_METHOD* m)
    333. 

  333. {
    334. 

  334.     WOLFSSL_ENTER("check_method_sanity");
    335. 

  335.     if (m && m->set_encryption_secrets
    336. 

  336.         && m->add_handshake_data
    337. 

  337.         && m->flush_flight
    338. 

  338.         && m->send_alert) {
    339. 

  339.         return WOLFSSL_SUCCESS;
    340. 

  340.     }
    341. 

  341.     return WOLFSSL_FAILURE;
    342. 

  342. }
    343. 

  343. 

  344. int wolfSSL_CTX_set_quic_method(WOLFSSL_CTX* ctx,
    345. 

  345.                                 const WOLFSSL_QUIC_METHOD* quic_method)
    346. 

  346. {
    347. 

  347.     WOLFSSL_ENTER("wolfSSL_CTX_set_quic_method");
    348. 

  348.     if (ctx_check_quic_compat(ctx) != WOLFSSL_SUCCESS
    349. 

  349.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    350. 

  350.         return WOLFSSL_FAILURE;
    351. 

  351.     }
    352. 

  352.     ctx->quic.method = quic_method;
    353. 

  353.     return WOLFSSL_SUCCESS;
    354. 

  354. }
    355. 

  355. 

  356. 

  357. int wolfSSL_set_quic_method(WOLFSSL* ssl,
    358. 

  358.                             const WOLFSSL_QUIC_METHOD* quic_method)
    359. 

  359. {
    360. 

  360.     WOLFSSL_ENTER("wolfSSL_set_quic_method");
    361. 

  361.     if (ctx_check_quic_compat(ssl->ctx) != WOLFSSL_SUCCESS
    362. 

  362.         || check_method_sanity(quic_method) != WOLFSSL_SUCCESS) {
    363. 

  363.         return WOLFSSL_FAILURE;
    364. 

  364.     }
    365. 

  365.     ssl->quic.method = quic_method;
    366. 

  366.     return WOLFSSL_SUCCESS;
    367. 

  367. }
    368. 

  368. 

  369. 

  370. int wolfSSL_is_quic(WOLFSSL* ssl)
    371. 

  371. {
    372. 

  372.     return WOLFSSL_IS_QUIC(ssl);
    373. 

  373. }
    374. 

  374. 

  375. 

  376. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_read_level(const WOLFSSL* ssl)
    377. 

  377. {
    378. 

  378.     return ssl->quic.enc_level_read;
    379. 

  379. }
    380. 

  380. 

  381. 

  382. WOLFSSL_ENCRYPTION_LEVEL wolfSSL_quic_write_level(const WOLFSSL* ssl)
    383. 

  383. {
    384. 

  384.     return ssl->quic.enc_level_write;
    385. 

  385. }
    386. 

  386. 

  387. 

  388. int wolfSSL_set_quic_transport_params(WOLFSSL* ssl,
    389. 

  389.                                       const uint8_t* params,
    390. 

  390.                                       size_t params_len)
    391. 

  391. {
    392. 

  392.     const QuicTransportParam* tp;
    393. 

  393.     int ret = WOLFSSL_SUCCESS;
    394. 

  394. 

  395.     WOLFSSL_ENTER("wolfSSL_set_quic_transport_params");
    396. 

  396. 

  397.     if (!params || params_len == 0) {
    398. 

  398.         tp = NULL;
    399. 

  399.     }
    400. 

  400.     else {
    401. 

  401.         tp = QuicTransportParam_new(params, params_len, ssl->heap);
    402. 

  402.         if (!tp) {
    403. 

  403.             ret = WOLFSSL_FAILURE;
    404. 

  404.             goto cleanup;
    405. 

  405.         }
    406. 

  406.     }
    407. 

  407.     if (ssl->quic.transport_local)
    408. 

  408.         QTP_FREE(ssl->quic.transport_local, ssl->heap);
    409. 

  409.     ssl->quic.transport_local = tp;
    410. 

  410. 

  411. cleanup:
    412. 

  412.     WOLFSSL_LEAVE("wolfSSL_set_quic_transport_params", ret);
    413. 

  413.     return ret;
    414. 

  414. }
    415. 

  415. 

  416. 

  417. void wolfSSL_get_peer_quic_transport_params(const WOLFSSL* ssl,
    418. 

  418.                                             const uint8_t** out_params,
    419. 

  419.                                             size_t* out_params_len)
    420. 

  420. {
    421. 

  421.     const QuicTransportParam* tp = ssl->quic.transport_peer ?
    422. 

  422.         ssl->quic.transport_peer : ssl->quic.transport_peer_draft;
    423. 

  423. 

  424.     *out_params = tp ? tp->data : NULL;
    425. 

  425.     *out_params_len = tp ? tp->len : 0;
    426. 

  426. }
    427. 

  427. 

  428. 

  429. int wolfSSL_get_peer_quic_transport_version(const WOLFSSL* ssl)
    430. 

  430. {
    431. 

  431.     return ssl->quic.transport_peer ?
    432. 

  432.         TLSX_KEY_QUIC_TP_PARAMS : (ssl->quic.transport_peer_draft ?
    433. 

  433.         TLSX_KEY_QUIC_TP_PARAMS : -1);
    434. 

  434. }
    435. 

  435. 

  436. 

  437. void wolfSSL_set_quic_use_legacy_codepoint(WOLFSSL* ssl, int use_legacy)
    438. 

  438. {
    439. 

  439.     ssl->quic.transport_version = use_legacy ? TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    440. 

  440.         : TLSX_KEY_QUIC_TP_PARAMS;
    441. 

  441. }
    442. 

  442. 

  443. void wolfSSL_set_quic_transport_version(WOLFSSL* ssl, int version)
    444. 

  444. {
    445. 

  445.     if (version == TLSX_KEY_QUIC_TP_PARAMS
    446. 

  446.         || version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    447. 

  447.         || !version) {
    448. 

  448.         ssl->quic.transport_version = version;
    449. 

  449.     }
    450. 

  450.     else {
    451. 

  451.         WOLFSSL_MSG("wolfSSL_set_quic_transport_version: invalid version");
    452. 

  452.     }
    453. 

  453. }
    454. 

  454. 

  455. 

  456. int wolfSSL_get_quic_transport_version(const WOLFSSL* ssl)
    457. 

  457. {
    458. 

  458.     return ssl->quic.transport_version;
    459. 

  459. }
    460. 

  460. 

  461. 

  462. int wolfSSL_quic_add_transport_extensions(WOLFSSL* ssl, int msg_type)
    463. 

  463. {
    464. 

  464.     /* RFC 9001, ch. 8.2: "The quic_transport_parameters extension is carried
    465. 

  465.      * in the ClientHello and the EncryptedExtensions messages during the
    466. 

  466.      * handshake. Endpoints MUST send the quic_transport_parameters extension;"
    467. 

  467.      * Which means, at least one. There can be more to signal compatibility to
    468. 

  468.      * older/newer versions.
    469. 

  469.      */
    470. 

  470.     int ret = 0, is_resp = (msg_type == encrypted_extensions);
    471. 

  471. 

  472.     if (ssl->quic.transport_local == NULL) {
    473. 

  473.         return QUIC_TP_MISSING_E;
    474. 

  474.     }
    475. 

  475. 

  476.     if (is_resp) {
    477. 

  477.         /* server response: time to decide which version to use */
    478. 

  478.         if (ssl->quic.transport_peer && ssl->quic.transport_peer_draft) {
    479. 

  479.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) {
    480. 

  480.                 ret = TLSX_QuicTP_Use(ssl,
    481. 

  481.                                       TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    482. 

  482.                 QTP_FREE(ssl->quic.transport_peer, ssl->heap);
    483. 

  483.                 ssl->quic.transport_peer = NULL;
    484. 

  484.             }
    485. 

  485.             else {
    486. 

  486.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    487. 

  487.                 QTP_FREE(ssl->quic.transport_peer_draft,
    488. 

  488.                                         ssl->heap);
    489. 

  489.                 ssl->quic.transport_peer_draft = NULL;
    490. 

  490.             }
    491. 

  491.         }
    492. 

  492.         else {
    493. 

  493.             if (ssl->quic.transport_version == TLSX_KEY_QUIC_TP_PARAMS_DRAFT
    494. 

  494.                 && ssl->quic.transport_peer_draft) {
    495. 

  495.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT,
    496. 

  496.                                       is_resp);
    497. 

  497.             }
    498. 

  498.             else if (ssl->quic.transport_peer) {
    499. 

  499.                 ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp);
    500. 

  500.             }
    501. 

  501.             else {
    502. 

  502.                 /* no match, send none, will let the client fail */
    503. 

  503.             }
    504. 

  504.         }
    505. 

  505.     }
    506. 

  506.     else {
    507. 

  507.         /* client hello */
    508. 

  508.         if (ssl->quic.transport_version == 0) {
    509. 

  509.             /* not being set to a particular id, we send both draft+v1 */
    510. 

  510.             ret = TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS, is_resp)
    511. 

  511.                 || TLSX_QuicTP_Use(ssl, TLSX_KEY_QUIC_TP_PARAMS_DRAFT, is_resp);
    512. 

  512.         }
    513. 

  513.         else {
    514. 

  514.             /* otherwise, send the version configured */
    515. 

  515.             ret = TLSX_QuicTP_Use(ssl, (TLSX_Type)ssl->quic.transport_version,
    516. 

  516.                                   is_resp);
    517. 

  517.         }
    518. 

  518.     }
    519. 

  519.     return ret;
    520. 

  520. }
    521. 

  521. 

  522. 

  523. #define QUIC_HS_FLIGHT_LIMIT_DEFAULT      (16*  1024)
    524. 

  524. 

  525. size_t wolfSSL_quic_max_handshake_flight_len(const WOLFSSL* ssl,
    526. 

  526.                                              WOLFSSL_ENCRYPTION_LEVEL level)
    527. 

  527. {
    528. 

  528.     switch (level) {
    529. 

  529.         case wolfssl_encryption_initial:
    530. 

  530.         case wolfssl_encryption_application:
    531. 

  531.                 return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    532. 

  532.         case wolfssl_encryption_early_data:
    533. 

  533.             return 0; /* QUIC does not send at this level */
    534. 

  534.         case wolfssl_encryption_handshake:
    535. 

  535.             /* during handshake itself, certificates may be exchanged which
    536. 

  536.              * exceed our default limit, advise a higher limit one.
    537. 

  537.              */
    538. 

  538.             if (ssl->options.side == WOLFSSL_SERVER_END) {
    539. 

  539.                 if (ssl->options.verifyPeer
    540. 

  540.                     && MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    541. 

  541.                     return MAX_CERTIFICATE_SZ;
    542. 

  542.             }
    543. 

  543.             else {
    544. 

  544.                 /* clients may receive the server cert chain
    545. 

  545.                  */
    546. 

  546.                 if (2*MAX_CERTIFICATE_SZ > QUIC_HS_FLIGHT_LIMIT_DEFAULT)
    547. 

  547.                     return 2*MAX_CERTIFICATE_SZ;
    548. 

  548.             }
    549. 

  549.             return QUIC_HS_FLIGHT_LIMIT_DEFAULT;
    550. 

  550.     }
    551. 

  551.     return 0;
    552. 

  552. }
    553. 

  553. 

  554. 

  555. #ifdef WOLFSSL_EARLY_DATA
    556. 

  556. void wolfSSL_set_quic_early_data_enabled(WOLFSSL* ssl, int enabled)
    557. 

  557. {
    558. 

  558.     /* This only has effect on server and when the handshake has
    559. 

  559.      * not started yet.
    560. 

  560.      * This function is part of the quictls/openssl API and does
    561. 

  561.      * not return any error, sadly. So we just ignore any
    562. 

  562.      * unsuccessful use. But we can produce some warnings.
    563. 

  563.      */
    564. 

  564.     if (!WOLFSSL_IS_QUIC(ssl)) {
    565. 

  565.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: not a QUIC SSL");
    566. 

  566.     }
    567. 

  567.     else if (ssl->options.handShakeState != NULL_STATE) {
    568. 

  568.         WOLFSSL_MSG("wolfSSL_set_quic_early_data_enabled: handshake started");
    569. 

  569.     }
    570. 

  570.     else {
    571. 

  571.         wolfSSL_set_max_early_data(ssl, enabled ? UINT32_MAX : 0);
    572. 

  572.     }
    573. 

  573. }
    574. 

  574. #endif /* WOLFSSL_EARLY_DATA */
    575. 

  575. 

  576. int wolfSSL_quic_do_handshake(WOLFSSL* ssl)
    577. 

  577. {
    578. 

  578.     int ret = WOLFSSL_SUCCESS;
    579. 

  579. 

  580.     WOLFSSL_ENTER("wolfSSL_quic_do_handshake");
    581. 

  581. 

  582.     if (!wolfSSL_is_quic(ssl)) {
    583. 

  583.         WOLFSSL_MSG("WOLFSSL_QUIC_DO_HANDSHAKE not a QUIC SSL");
    584. 

  584.         ret = WOLFSSL_FAILURE;
    585. 

  585.         goto cleanup;
    586. 

  586.     }
    587. 

  587. 

  588.     while (ssl->options.handShakeState != HANDSHAKE_DONE) {
    589. 

  589.         /* Peculiar: do_handshake() is successful, but the state
    590. 

  590.          * indicates that we are not DONE. This seems to happen
    591. 

  591.          * when resuming sessions and an EARLY_DATA indicator
    592. 

  592.          * is presented by the client.
    593. 

  593.          * Theory: wolfSSL expects the APP to read the early data
    594. 

  594.          * and silently continues the handshake when the EndOfEarlyData
    595. 

  595.          * and the client Finished arrives.
    596. 

  596.          * This confuses the QUIC state handling.
    597. 

  597.          */
    598. 

  598. #ifdef WOLFSSL_EARLY_DATA
    599. 

  599.         if (ssl->options.maxEarlyDataSz) {
    600. 

  600.             byte tmpbuffer[256];
    601. 

  601.             int len;
    602. 

  602. 

  603.             if (ssl->options.side == WOLFSSL_CLIENT_END) {
    604. 

  604.                 if (ssl->options.resuming) {
    605. 

  605.                     ret = wolfSSL_write_early_data(ssl, tmpbuffer, 0, &len);
    606. 

  606.                 }
    607. 

  607.             }
    608. 

  608.             else {
    609. 

  609.                 ret = wolfSSL_read_early_data(ssl, tmpbuffer,
    610. 

  610.                                               sizeof(tmpbuffer), &len);
    611. 

  611.                 if (ret < 0 && ssl->error == ZERO_RETURN) {
    612. 

  612.                     /* this is expected, since QUIC handles the actual early
    613. 

  613.                      * data separately. */
    614. 

  614.                     ret = WOLFSSL_SUCCESS;
    615. 

  615.                 }
    616. 

  616.             }
    617. 

  617.             if (ret < 0) {
    618. 

  618.                 goto cleanup;
    619. 

  619.             }
    620. 

  620.         }
    621. 

  621. #endif /* WOLFSSL_EARLY_DATA */
    622. 

  622. 

  623.         ret = wolfSSL_SSL_do_handshake_internal(ssl);
    624. 

  624.         if (ret <= 0)
    625. 

  625.             goto cleanup;
    626. 

  626.     }
    627. 

  627. 

  628. cleanup:
    629. 

  629.     if (ret <= 0
    630. 

  630.         && ssl->options.handShakeState == HANDSHAKE_DONE
    631. 

  631.         && (ssl->error == ZERO_RETURN || ssl->error == WANT_READ)) {
    632. 

  632.         ret = WOLFSSL_SUCCESS;
    633. 

  633.     }
    634. 

  634.     if (ret == WOLFSSL_SUCCESS) {
    635. 

  635.         ssl->error = WOLFSSL_ERROR_NONE;
    636. 

  636.     }
    637. 

  637.     WOLFSSL_LEAVE("wolfSSL_quic_do_handshake", ret);
    638. 

  638.     return ret;
    639. 

  639. }
    640. 

  640. 

  641. int wolfSSL_quic_read_write(WOLFSSL* ssl)
    642. 

  642. {
    643. 

  643.     int ret = WOLFSSL_SUCCESS;
    644. 

  644. 

  645.     WOLFSSL_ENTER("wolfSSL_quic_read_write");
    646. 

  646. 

  647.     if (!wolfSSL_is_quic(ssl)) {
    648. 

  648.         WOLFSSL_MSG("WOLFSSL_QUIC_READ_WRITE not a QUIC SSL");
    649. 

  649.         ret = WOLFSSL_FAILURE;
    650. 

  650.         goto cleanup;
    651. 

  651.     }
    652. 

  652. 

  653.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    654. 

  654.         ret = wolfSSL_quic_do_handshake(ssl);
    655. 

  655.         if (ret != WOLFSSL_SUCCESS)
    656. 

  656.             goto cleanup;
    657. 

  657.     }
    658. 

  658. 

  659.     ret = wolfSSL_process_quic_post_handshake(ssl);
    660. 

  660. 

  661. cleanup:
    662. 

  662.     WOLFSSL_LEAVE("wolfSSL_quic_read_write", ret);
    663. 

  663.     return ret;
    664. 

  664. }
    665. 

  665. 

  666. int wolfSSL_process_quic_post_handshake(WOLFSSL* ssl)
    667. 

  667. {
    668. 

  668.     int ret = WOLFSSL_SUCCESS, nret;
    669. 

  669. 

  670.     WOLFSSL_ENTER("wolfSSL_process_quic_post_handshake");
    671. 

  671. 

  672.     if (!wolfSSL_is_quic(ssl)) {
    673. 

  673.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS not a QUIC SSL");
    674. 

  674.         ret = WOLFSSL_FAILURE;
    675. 

  675.         goto cleanup;
    676. 

  676.     }
    677. 

  677. 

  678.     if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    679. 

  679.         WOLFSSL_MSG("WOLFSSL_QUIC_POST_HS handshake is not done yet");
    680. 

  680.         ret = WOLFSSL_FAILURE;
    681. 

  681.         goto cleanup;
    682. 

  682.     }
    683. 

  683. 

  684.     while (ssl->quic.input_head != NULL
    685. 

  685.            || ssl->buffers.inputBuffer.length > 0) {
    686. 

  686.         if ((nret = ProcessReply(ssl)) < 0) {
    687. 

  687.             ret = nret;
    688. 

  688.             break;
    689. 

  689.         }
    690. 

  690.     }
    691. 

  691.     while (ssl->buffers.outputBuffer.length > 0) {
    692. 

  692.         SendBuffered(ssl);
    693. 

  693.     }
    694. 

  694. 

  695. cleanup:
    696. 

  696.     WOLFSSL_LEAVE("wolfSSL_process_quic_post_handshake", ret);
    697. 

  697.     return ret;
    698. 

  698. }
    699. 

  699. 

  700. 

  701. int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
    702. 

  702.                               const uint8_t* data, size_t len)
    703. 

  703. {
    704. 

  704.     int ret = WOLFSSL_SUCCESS;
    705. 

  705.     size_t l;
    706. 

  706. 

  707.     WOLFSSL_ENTER("wolfSSL_provide_quic_data");
    708. 

  708.     if (!wolfSSL_is_quic(ssl)) {
    709. 

  709.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA not a QUIC SSL");
    710. 

  710.         ret = WOLFSSL_FAILURE;
    711. 

  711.         goto cleanup;
    712. 

  712.     }
    713. 

  713. 

  714.     if (level < wolfSSL_quic_read_level(ssl)
    715. 

  715.         || (ssl->quic.input_tail && level < ssl->quic.input_tail->level)
    716. 

  716.         || level < ssl->quic.enc_level_latest_recvd) {
    717. 

  717.         WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    718. 

  718.         ret = WOLFSSL_FAILURE;
    719. 

  719.         goto cleanup;
    720. 

  720.     }
    721. 

  721. 

  722.     while (len > 0) {
    723. 

  723.         if (ssl->quic.scratch) {
    724. 

  724.             if (ssl->quic.scratch->level != level) {
    725. 

  725.                 WOLFSSL_MSG("WOLFSSL_QUIC_PROVIDE_DATA wrong encryption level");
    726. 

  726.                 ret = WOLFSSL_FAILURE;
    727. 

  727.                 goto cleanup;
    728. 

  728.             }
    729. 

  729. 

  730.             ret = quic_record_append(ssl, ssl->quic.scratch, data, len, &l);
    731. 

  731.             if (ret != WOLFSSL_SUCCESS) {
    732. 

  732.                 goto cleanup;
    733. 

  733.             }
    734. 

  734.             data += l;
    735. 

  735.             len -= l;
    736. 

  736.             if (quic_record_complete(ssl->quic.scratch)) {
    737. 

  737.                 if (ssl->quic.input_tail) {
    738. 

  738.                     ssl->quic.input_tail->next = ssl->quic.scratch;
    739. 

  739.                     ssl->quic.input_tail = ssl->quic.scratch;
    740. 

  740.                 }
    741. 

  741.                 else {
    742. 

  742.                     ssl->quic.input_head = ssl->quic.input_tail =
    743. 

  743.                         ssl->quic.scratch;
    744. 

  744.                 }
    745. 

  745.                 ssl->quic.scratch = NULL;
    746. 

  746.             }
    747. 

  747.         }
    748. 

  748.         else {
    749. 

  749.             /* start of next record with all bytes for the header */
    750. 

  750.             ssl->quic.scratch = quic_record_make(ssl, level, data, len);
    751. 

  751.             if (!ssl->quic.scratch) {
    752. 

  752.                 ret = WOLFSSL_FAILURE;
    753. 

  753.                 goto cleanup;
    754. 

  754.             }
    755. 

  755.         }
    756. 

  756.     }
    757. 

  757. 

  758.     ssl->quic.enc_level_latest_recvd = level;
    759. 

  759. 

  760. cleanup:
    761. 

  761.     WOLFSSL_LEAVE("wolfSSL_provide_quic_data", ret);
    762. 

  762.     return ret;
    763. 

  763. }
    764. 

  764. 

  765. 

  766. /* Called internally when SSL wants a certain amount of input. */
    767. 

  767. int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
    768. 

  768. {
    769. 

  769.     word32 n = 0;
    770. 

  770.     int transferred = 0;
    771. 

  771. 

  772.     WOLFSSL_ENTER("wolfSSL_quic_receive");
    773. 

  773.     while (sz > 0) {
    774. 

  774.         n = 0;
    775. 

  775.         if (ssl->quic.input_head) {
    776. 

  776.             n = quic_record_transfer(ssl->quic.input_head, buf, sz);
    777. 

  777.             if (quic_record_done(ssl->quic.input_head)) {
    778. 

  778.                 QuicRecord* qr = ssl->quic.input_head;
    779. 

  779.                 ssl->quic.input_head = qr->next;
    780. 

  780.                 if (!qr->next) {
    781. 

  781.                     ssl->quic.input_tail = NULL;
    782. 

  782.                 }
    783. 

  783.                 quic_record_free(ssl, qr);
    784. 

  784.             }
    785. 

  785.         }
    786. 

  786. 

  787.         if (n == 0) {
    788. 

  788.             if (transferred > 0) {
    789. 

  789.                 goto cleanup;
    790. 

  790.             }
    791. 

  791.             ssl->error = transferred = WANT_READ;
    792. 

  792.             goto cleanup;
    793. 

  793.         }
    794. 

  794.         sz -= n;
    795. 

  795.         buf += n;
    796. 

  796.         transferred += n;
    797. 

  797.     }
    798. 

  798. cleanup:
    799. 

  799.     WOLFSSL_LEAVE("wolfSSL_quic_receive", transferred);
    800. 

  800.     return transferred;
    801. 

  801. }
    802. 

  802. 

  803. /**
    804. 

  804.  * We need to forward the HANDSHAKE messages to the QUIC protocol stack
    805. 

  805.  * via ssl->quic.method->add_handshake_data().
    806. 

  806.  * The messages in the output buffer are unencrypted TLS records. We need
    807. 

  807.  * to forward the content of those records.
    808. 

  808.  */
    809. 

  809. static int wolfSSL_quic_send_internal(WOLFSSL* ssl)
    810. 

  810. {
    811. 

  811.     int ret = 0, aret;
    812. 

  812.     size_t len;
    813. 

  813.     RecordLayerHeader* rl;
    814. 

  814.     word16 rlen;
    815. 

  815.     word32 idx, length;
    816. 

  816.     byte* output;
    817. 

  817. 

  818.     WOLFSSL_ENTER("wolfSSL_quic_send");
    819. 

  819. 

  820.     idx = ssl->buffers.outputBuffer.idx;
    821. 

  821.     length = ssl->buffers.outputBuffer.length;
    822. 

  822.     output = ssl->buffers.outputBuffer.buffer + idx;
    823. 

  823.     while (length > 0) {
    824. 

  824.         if (ssl->quic.output_rec_remain > 0) {
    825. 

  825.             len = ssl->quic.output_rec_remain;
    826. 

  826.             if (len > length) {
    827. 

  827.                 len = length;
    828. 

  828.             }
    829. 

  829. 

  830.             aret = ssl->quic.method->add_handshake_data(ssl,
    831. 

  831.                 ssl->quic.output_rec_level, (const uint8_t*)output, len);
    832. 

  832.             if (aret != 1) {
    833. 

  833.                 /* The application has an error. General disaster. */
    834. 

  834.                 WOLFSSL_MSG("WOLFSSL_QUIC_SEND application failed");
    835. 

  835.                 ret = FWRITE_ERROR;
    836. 

  836.                 goto cleanup;
    837. 

  837.             }
    838. 

  838.             output += len;
    839. 

  839.             length -= len;
    840. 

  840.             ssl->quic.output_rec_remain -= len;
    841. 

  841.         }
    842. 

  842.         else {
    843. 

  843.             /* at start of a TLS Record */
    844. 

  844.             rl = (RecordLayerHeader*)output;
    845. 

  845.             ato16(rl->length, &rlen);
    846. 

  846.             output += RECORD_HEADER_SZ;
    847. 

  847.             length -= RECORD_HEADER_SZ;
    848. 

  848.             ssl->quic.output_rec_remain = rlen;
    849. 

  849.             ssl->quic.output_rec_level = ssl->quic.enc_level_write;
    850. 

  850.             if (rl->type == application_data) {
    851. 

  851.                 if (ssl->options.handShakeState != HANDSHAKE_DONE) {
    852. 

  852.                     ssl->quic.output_rec_level = wolfssl_encryption_early_data;
    853. 

  853.                 }
    854. 

  854.                 else {
    855. 

  855.                     WOLFSSL_MSG("WOLFSSL_QUIC_SEND app data after handshake");
    856. 

  856.                     ret = FWRITE_ERROR;
    857. 

  857.                     goto cleanup;
    858. 

  858.                 }
    859. 

  859.             }
    860. 

  860.         }
    861. 

  861.     }
    862. 

  862. 

  863.     ssl->buffers.outputBuffer.idx = 0;
    864. 

  864.     ssl->buffers.outputBuffer.length = 0;
    865. 

  865. 

  866. cleanup:
    867. 

  867.     WOLFSSL_LEAVE("wolfSSL_quic_send", ret);
    868. 

  868.     return ret;
    869. 

  869. }
    870. 

  870. 

  871. int wolfSSL_quic_send(WOLFSSL* ssl)
    872. 

  872. {
    873. 

  873.     return wolfSSL_quic_send_internal(ssl);
    874. 

  874. }
    875. 

  875. 

  876. int wolfSSL_quic_forward_secrets(WOLFSSL* ssl, int ktype, int side)
    877. 

  877. {
    878. 

  878.     const uint8_t* rx_secret = NULL, *tx_secret = NULL;
    879. 

  879.     WOLFSSL_ENCRYPTION_LEVEL level;
    880. 

  880.     int ret = 0;
    881. 

  881. 

  882.     WOLFSSL_ENTER("wolfSSL_quic_forward_secrets");
    883. 

  883.     switch (ktype) {
    884. 

  884.         case early_data_key:
    885. 

  885.             level = wolfssl_encryption_early_data;
    886. 

  886.             break;
    887. 

  887.         case handshake_key:
    888. 

  888.             level = wolfssl_encryption_handshake;
    889. 

  889.             break;
    890. 

  890.         case traffic_key:
    891. 

  891.             FALL_THROUGH;
    892. 

  892.         case update_traffic_key:
    893. 

  893.             level = wolfssl_encryption_application;
    894. 

  894.             break;
    895. 

  895.         case no_key:
    896. 

  896.             FALL_THROUGH;
    897. 

  897.         default:
    898. 

  898.             /* ignore */
    899. 

  899.             goto cleanup;
    900. 

  900.     }
    901. 

  901. 

  902.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    903. 

  903.         tx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    904. 

  904.             ssl->clientSecret : ssl->serverSecret;
    905. 

  905.     }
    906. 

  906.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    907. 

  907.         rx_secret = (ssl->options.side == WOLFSSL_CLIENT_END) ?
    908. 

  908.             ssl->serverSecret : ssl->clientSecret;
    909. 

  909.     }
    910. 

  910. 

  911.     if (!tx_secret && !rx_secret) {
    912. 

  912.         WOLFSSL_MSG("WOLFSSL_QUIC_FORWARD_SECRETS neither "
    913. 

  913.                     "enc- nor decrypt specified");
    914. 

  914.         goto cleanup;
    915. 

  915.     }
    916. 

  916. 

  917.     ret = !ssl->quic.method->set_encryption_secrets(
    918. 

  918.         ssl, level, rx_secret, tx_secret, ssl->specs.hash_size);
    919. 

  919. 

  920.     /* Having installed the secrets, any future read/write will happen
    921. 

  921.      * at the level. Except early data, which is detected on the record
    922. 

  922.      * type and the handshake state. */
    923. 

  923.      if (ktype == early_data_key) {
    924. 

  924.         goto cleanup;
    925. 

  925.      }
    926. 

  926. 

  927.      if (tx_secret && ssl->quic.enc_level_write != level) {
    928. 

  928.         ssl->quic.enc_level_write_next = level;
    929. 

  929.      }
    930. 

  930.      if (rx_secret && ssl->quic.enc_level_read != level) {
    931. 

  931.         ssl->quic.enc_level_read_next = level;
    932. 

  932.      }
    933. 

  933. 

  934. cleanup:
    935. 

  935.     WOLFSSL_LEAVE("wolfSSL_quic_forward_secrets", ret);
    936. 

  936.     return ret;
    937. 

  937. }
    938. 

  938. 

  939. int wolfSSL_quic_keys_active(WOLFSSL* ssl, enum encrypt_side side)
    940. 

  940. {
    941. 

  941.     int ret = 0;
    942. 

  942. 

  943.     WOLFSSL_ENTER("wolfSSL_quic_keys_active");
    944. 

  944.     /* Keys derived from recent secrets have been activated */
    945. 

  945.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == ENCRYPT_SIDE_ONLY) {
    946. 

  946.         /* If there is data in the output buffers, it was supposed to be
    947. 

  947.          * encrypted at the previous level. We need to remember that when
    948. 

  948.          * forwarding this data to the QUIC protocol application. */
    949. 

  949.         if (ssl->buffers.outputBuffer.length > 0) {
    950. 

  950.             ret = wolfSSL_quic_send_internal(ssl);
    951. 

  951.             if (ret)
    952. 

  952.                 goto cleanup;
    953. 

  953.         }
    954. 

  954.         ssl->quic.enc_level_write = ssl->quic.enc_level_write_next;
    955. 

  955.     }
    956. 

  956.     if (side == ENCRYPT_AND_DECRYPT_SIDE || side == DECRYPT_SIDE_ONLY) {
    957. 

  957.         ssl->quic.enc_level_read = ssl->quic.enc_level_read_next;
    958. 

  958.     }
    959. 

  959. cleanup:
    960. 

  960.     WOLFSSL_LEAVE("wolfSSL_quic_keys_active", ret);
    961. 

  961.     return ret;
    962. 

  962. }
    963. 

  963. 

  964. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl)
    965. 

  965. {
    966. 

  966.     WOLFSSL_CIPHER* cipher = NULL;
    967. 

  967.     const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
    968. 

  968. 

  969.     if (ssl == NULL) {
    970. 

  970.         return NULL;
    971. 

  971.     }
    972. 

  972. 

  973.     cipher = wolfSSL_get_current_cipher(ssl);
    974. 

  974. 

  975.     if (cipher == NULL) {
    976. 

  976.         return NULL;
    977. 

  977.     }
    978. 

  978. 

  979.     switch (cipher->cipherSuite) {
    980. 

  980. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    981. 

  981.         case TLS_AES_128_GCM_SHA256:
    982. 

  982.             evp_cipher = wolfSSL_EVP_aes_128_gcm();
    983. 

  983.             break;
    984. 

  984.         case TLS_AES_256_GCM_SHA384:
    985. 

  985.             evp_cipher = wolfSSL_EVP_aes_256_gcm();
    986. 

  986.             break;
    987. 

  987. #endif
    988. 

  988. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    989. 

  989.         case TLS_CHACHA20_POLY1305_SHA256:
    990. 

  990.             evp_cipher = wolfSSL_EVP_chacha20_poly1305();
    991. 

  991.             break;
    992. 

  992. #endif
    993. 

  993. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    994. 

  994.         case TLS_AES_128_CCM_SHA256:
    995. 

  995.             FALL_THROUGH;
    996. 

  996.         case TLS_AES_128_CCM_8_SHA256:
    997. 

  997.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    998. 

  998.             break;
    999. 

  999. #endif
    1000. 

  1000. 

  1001.         default:
    1002. 

  1002.             evp_cipher = NULL;
    1003. 

  1003.             break;
    1004. 

  1004.     }
    1005. 

  1005. 

  1006.     if (!evp_cipher) {
    1007. 

  1007.         /* should not happen, as SSL* should not have negotiated it? */
    1008. 

  1008.         WOLFSSL_MSG("wolfSSL_quic_get_aead: current cipher not supported");
    1009. 

  1009.         return NULL;
    1010. 

  1010.     }
    1011. 

  1011.     return evp_cipher;
    1012. 

  1012. }
    1013. 

  1013. 

  1014. static int evp_cipher_eq(const WOLFSSL_EVP_CIPHER* c1,
    1015. 

  1015.                          const WOLFSSL_EVP_CIPHER* c2)
    1016. 

  1016. {
    1017. 

  1017.     /* We could check on nid equality, but we seem to have singulars */
    1018. 

  1018.     return c1 == c2;
    1019. 

  1019. }
    1020. 

  1020. 

  1021. const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl)
    1022. 

  1022. {
    1023. 

  1023.     WOLFSSL_CIPHER* cipher = NULL;
    1024. 

  1024.     const WOLFSSL_EVP_CIPHER* evp_cipher = NULL;
    1025. 

  1025. 

  1026.     if (ssl == NULL) {
    1027. 

  1027.         return NULL;
    1028. 

  1028.     }
    1029. 

  1029. 

  1030.     cipher = wolfSSL_get_current_cipher(ssl);
    1031. 

  1031. 

  1032.     if (cipher == NULL) {
    1033. 

  1033.         return NULL;
    1034. 

  1034.     }
    1035. 

  1035. 

  1036.     switch (cipher->cipherSuite) {
    1037. 

  1037. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    1038. 

  1038.         case TLS_AES_128_GCM_SHA256:
    1039. 

  1039.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1040. 

  1040.             break;
    1041. 

  1041.         case TLS_AES_256_GCM_SHA384:
    1042. 

  1042.             evp_cipher = wolfSSL_EVP_aes_256_ctr();
    1043. 

  1043.             break;
    1044. 

  1044. #endif
    1045. 

  1045. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1046. 

  1046.         case TLS_CHACHA20_POLY1305_SHA256:
    1047. 

  1047.             evp_cipher = wolfSSL_EVP_chacha20();
    1048. 

  1048.             break;
    1049. 

  1049. #endif
    1050. 

  1050. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    1051. 

  1051.         case TLS_AES_128_CCM_SHA256:
    1052. 

  1052.             FALL_THROUGH;
    1053. 

  1053.         case TLS_AES_128_CCM_8_SHA256:
    1054. 

  1054.             evp_cipher = wolfSSL_EVP_aes_128_ctr();
    1055. 

  1055.             break;
    1056. 

  1056. #endif
    1057. 

  1057. 

  1058.         default:
    1059. 

  1059.             evp_cipher = NULL;
    1060. 

  1060.             break;
    1061. 

  1061.     }
    1062. 

  1062. 

  1063.     if (!evp_cipher) {
    1064. 

  1064.         /* should not happen, as SSL* should not have negotiated it? */
    1065. 

  1065.         WOLFSSL_MSG("wolfSSL_quic_get_hp: current cipher not supported");
    1066. 

  1066.         return NULL;
    1067. 

  1067.     }
    1068. 

  1068.     return evp_cipher;
    1069. 

  1069. }
    1070. 

  1070. 

  1071. size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1072. 

  1072. {
    1073. 

  1073.     size_t ret;
    1074. 

  1074. #ifdef WOLFSSL_SMALL_STACK
    1075. 

  1075.     WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX *)XMALLOC(
    1076. 

  1076.         sizeof(*ctx), NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1077. 

  1077.     if (ctx == NULL)
    1078. 

  1078.         return 0;
    1079. 

  1079. #else
    1080. 

  1080.     WOLFSSL_EVP_CIPHER_CTX ctx[1];
    1081. 

  1081. #endif
    1082. 

  1082. 

  1083.     XMEMSET(ctx, 0, sizeof(*ctx));
    1084. 

  1084.     if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0)
    1085. 

  1085.         == WOLFSSL_SUCCESS) {
    1086. 

  1086.         ret = ctx->authTagSz;
    1087. 

  1087.     } else {
    1088. 

  1088.         ret = 0;
    1089. 

  1089.     }
    1090. 

  1090. 

  1091.     (void)wolfSSL_EVP_CIPHER_CTX_cleanup(ctx);
    1092. 

  1092. #ifdef WOLFSSL_SMALL_STACK
    1093. 

  1093.     XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    1094. 

  1094. #endif
    1095. 

  1095. 

  1096.     return ret;
    1097. 

  1097. }
    1098. 

  1098. 

  1099. int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1100. 

  1100. {
    1101. 

  1101. #if !defined(NO_AES) && defined(HAVE_AESGCM)
    1102. 

  1102.     if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_gcm())
    1103. 

  1103. #ifdef WOLFSSL_AES_256
    1104. 

  1104.         || evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_256_gcm())
    1105. 

  1105. #endif
    1106. 

  1106.     ) {
    1107. 

  1107.         return 1;
    1108. 

  1108.     }
    1109. 

  1109. #else
    1110. 

  1110.     (void)aead_cipher;
    1111. 

  1111. #endif
    1112. 

  1112.     return 0;
    1113. 

  1113. }
    1114. 

  1114. 

  1115. int wolfSSL_quic_aead_is_ccm(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1116. 

  1116. {
    1117. 

  1117. #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128)
    1118. 

  1118.     if (evp_cipher_eq(aead_cipher, wolfSSL_EVP_aes_128_ctr())) {
    1119. 

  1119.         return 1;
    1120. 

  1120.     }
    1121. 

  1121. #else
    1122. 

  1122.     (void)aead_cipher;
    1123. 

  1123. #endif
    1124. 

  1124.     return 0;
    1125. 

  1125. }
    1126. 

  1126. 

  1127. int wolfSSL_quic_aead_is_chacha20(const WOLFSSL_EVP_CIPHER* aead_cipher)
    1128. 

  1128. {
    1129. 

  1129. #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    1130. 

  1130.     return evp_cipher_eq(aead_cipher, wolfSSL_EVP_chacha20_poly1305());
    1131. 

  1131. #else
    1132. 

  1132.     (void)aead_cipher;
    1133. 

  1133.     return 0;
    1134. 

  1134. #endif
    1135. 

  1135. }
    1136. 

  1136. 

  1137. const WOLFSSL_EVP_MD* wolfSSL_quic_get_md(WOLFSSL* ssl)
    1138. 

  1138. {
    1139. 

  1139.     /* a copy from the handshake md setup */
    1140. 

  1140.     switch(ssl->specs.mac_algorithm) {
    1141. 

  1141.         case no_mac:
    1142. 

  1142.     #ifndef NO_MD5
    1143. 

  1143.         case md5_mac:
    1144. 

  1144.             return wolfSSL_EVP_md5();
    1145. 

  1145.     #endif
    1146. 

  1146.     #ifndef NO_SHA
    1147. 

  1147.         case sha_mac:
    1148. 

  1148.             return wolfSSL_EVP_sha1();
    1149. 

  1149.     #endif
    1150. 

  1150.     #ifdef WOLFSSL_SHA224
    1151. 

  1151.         case sha224_mac:
    1152. 

  1152.             return wolfSSL_EVP_sha224();
    1153. 

  1153.     #endif
    1154. 

  1154.         case sha256_mac:
    1155. 

  1155.             return wolfSSL_EVP_sha256();
    1156. 

  1156.     #ifdef WOLFSSL_SHA384
    1157. 

  1157.         case sha384_mac:
    1158. 

  1158.             return wolfSSL_EVP_sha384();
    1159. 

  1159.     #endif
    1160. 

  1160.     #ifdef WOLFSSL_SHA512
    1161. 

  1161.         case sha512_mac:
    1162. 

  1162.             return wolfSSL_EVP_sha512();
    1163. 

  1163.     #endif
    1164. 

  1164.         case rmd_mac:
    1165. 

  1165.         case blake2b_mac:
    1166. 

  1166.             WOLFSSL_MSG("no suitable EVP_MD");
    1167. 

  1167.             return NULL;
    1168. 

  1168.         default:
    1169. 

  1169.             WOLFSSL_MSG("Unknown mac algorithm");
    1170. 

  1170.             return NULL;
    1171. 

  1171.     }
    1172. 

  1172. }
    1173. 

  1173. 

  1174. #ifdef OPENSSL_EXTRA
    1175. 

  1175. 

  1176. int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md,
    1177. 

  1177.                               const uint8_t* secret, size_t secretlen,
    1178. 

  1178.                               const uint8_t* salt, size_t saltlen)
    1179. 

  1179. {
    1180. 

  1180.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1181. 

  1181.     size_t destlen = (size_t)wolfSSL_EVP_MD_size(md);
    1182. 

  1182.     int ret = WOLFSSL_SUCCESS;
    1183. 

  1183. 

  1184.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract");
    1185. 

  1185. 

  1186.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1187. 

  1187.     if (pctx == NULL) {
    1188. 

  1188.         ret = WOLFSSL_FAILURE;
    1189. 

  1189.         goto cleanup;
    1190. 

  1190.     }
    1191. 

  1191. 

  1192.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1193. 

  1193.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1194. 

  1194.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS
    1195. 

  1195.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1196. 

  1196.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1197. 

  1197.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1198. 

  1198.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1199. 

  1199.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1200. 

  1200.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1201. 

  1201.         ret = WOLFSSL_FAILURE;
    1202. 

  1202.         goto cleanup;
    1203. 

  1203.     }
    1204. 

  1204. 

  1205. cleanup:
    1206. 

  1206.     if (pctx)
    1207. 

  1207.         wolfSSL_EVP_PKEY_CTX_free(pctx);
    1208. 

  1208.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_extract", ret);
    1209. 

  1209.     return ret;
    1210. 

  1210. }
    1211. 

  1211. 

  1212. 

  1213. int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen,
    1214. 

  1214.                              const WOLFSSL_EVP_MD* md,
    1215. 

  1215.                              const uint8_t* secret, size_t secretlen,
    1216. 

  1216.                              const uint8_t* info, size_t infolen)
    1217. 

  1217. {
    1218. 

  1218.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1219. 

  1219.     int ret = WOLFSSL_SUCCESS;
    1220. 

  1220. 

  1221.     WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand");
    1222. 

  1222. 

  1223.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1224. 

  1224.     if (pctx == NULL) {
    1225. 

  1225.         ret = WOLFSSL_FAILURE;
    1226. 

  1226.         goto cleanup;
    1227. 

  1227.     }
    1228. 

  1228. 

  1229.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1230. 

  1230.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1231. 

  1231.                 pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS
    1232. 

  1232.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1233. 

  1233.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1234. 

  1234.                 pctx, (byte*)"", 0) != WOLFSSL_SUCCESS
    1235. 

  1235.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1236. 

  1236.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1237. 

  1237.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1238. 

  1238.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1239. 

  1239.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1240. 

  1240.         ret = WOLFSSL_FAILURE;
    1241. 

  1241.         goto cleanup;
    1242. 

  1242.     }
    1243. 

  1243. 

  1244. cleanup:
    1245. 

  1245.     if (pctx)
    1246. 

  1246.         EVP_PKEY_CTX_free(pctx);
    1247. 

  1247.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret);
    1248. 

  1248.     return ret;
    1249. 

  1249. }
    1250. 

  1250. 

  1251. 

  1252. int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
    1253. 

  1253.                       const WOLFSSL_EVP_MD* md,
    1254. 

  1254.                       const uint8_t* secret, size_t secretlen,
    1255. 

  1255.                       const uint8_t* salt, size_t saltlen,
    1256. 

  1256.                       const uint8_t* info, size_t infolen)
    1257. 

  1257. {
    1258. 

  1258.     WOLFSSL_EVP_PKEY_CTX* pctx = NULL;
    1259. 

  1259.     int ret = WOLFSSL_SUCCESS;
    1260. 

  1260. 

  1261.     WOLFSSL_ENTER("wolfSSL_quic_hkdf");
    1262. 

  1262. 

  1263.     pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL);
    1264. 

  1264.     if (pctx == NULL) {
    1265. 

  1265.         ret = WOLFSSL_FAILURE;
    1266. 

  1266.         goto cleanup;
    1267. 

  1267.     }
    1268. 

  1268. 

  1269.     if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS
    1270. 

  1270.         || wolfSSL_EVP_PKEY_CTX_hkdf_mode(
    1271. 

  1271.                 pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS
    1272. 

  1272.         || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS
    1273. 

  1273.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt(
    1274. 

  1274.                 pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS
    1275. 

  1275.         || wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(
    1276. 

  1276.                 pctx, (byte*)secret, (int)secretlen) != WOLFSSL_SUCCESS
    1277. 

  1277.         || wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(
    1278. 

  1278.                 pctx, (byte*)info, (int)infolen) != WOLFSSL_SUCCESS
    1279. 

  1279.         || wolfSSL_EVP_PKEY_derive(pctx, dest, &destlen) != WOLFSSL_SUCCESS) {
    1280. 

  1280.         ret = WOLFSSL_FAILURE;
    1281. 

  1281.         goto cleanup;
    1282. 

  1282.     }
    1283. 

  1283. 

  1284. cleanup:
    1285. 

  1285.     if (pctx)
    1286. 

  1286.         EVP_PKEY_CTX_free(pctx);
    1287. 

  1287.     WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret);
    1288. 

  1288.     return ret;
    1289. 

  1289. }
    1290. 

  1290. 

  1291. #endif /* OPENSSL_EXTRA */
    1292. 

  1292. 

  1293. 

  1294. WOLFSSL_EVP_CIPHER_CTX* wolfSSL_quic_crypt_new(const WOLFSSL_EVP_CIPHER* cipher,
    1295. 

  1295.                                                const uint8_t* key,
    1296. 

  1296.                                                const uint8_t* iv,
    1297. 

  1297.                                                int encrypt)
    1298. 

  1298. {
    1299. 

  1299.     WOLFSSL_EVP_CIPHER_CTX* ctx;
    1300. 

  1300. 

  1301.     ctx = wolfSSL_EVP_CIPHER_CTX_new();
    1302. 

  1302.     if (ctx == NULL) {
    1303. 

  1303.         return NULL;
    1304. 

  1304.     }
    1305. 

  1305. 

  1306.     if (wolfSSL_EVP_CipherInit(ctx, cipher, key, iv, encrypt)
    1307. 

  1307.             != WOLFSSL_SUCCESS) {
    1308. 

  1308.         wolfSSL_EVP_CIPHER_CTX_free(ctx);
    1309. 

  1309.         return NULL;
    1310. 

  1310.     }
    1311. 

  1311. 

  1312.     return ctx;
    1313. 

  1313. }
    1314. 

  1314. 

  1315. 

  1316. int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1317. 

  1317.                               const uint8_t* plain, size_t plainlen,
    1318. 

  1318.                               const uint8_t* iv, const uint8_t* aad,
    1319. 

  1319.                               size_t aadlen)
    1320. 

  1320. {
    1321. 

  1321.     int len;
    1322. 

  1322. 

  1323.     /* A case can be made if this really should be a function in wolfSSL, since
    1324. 

  1324.      * the same should be doable from the API by a QUIC protocol stack.
    1325. 

  1325.      * What speaks for this:
    1326. 

  1326.      * - it gives us a decent testing point
    1327. 

  1327.      * - API users do not have to re-invent (it fits into ngtcp2 use).
    1328. 

  1328.      *   picotls offers a similar abstraction level for AEAD.
    1329. 

  1329.      * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers
    1330. 

  1330.      *       which we need to check.
    1331. 

  1331.      */
    1332. 

  1332.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS
    1333. 

  1333.         || wolfSSL_EVP_CipherUpdate(
    1334. 

  1334.                 ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS
    1335. 

  1335.         || wolfSSL_EVP_CipherUpdate(
    1336. 

  1336.                 ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS
    1337. 

  1337.         || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS
    1338. 

  1338.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1339. 

  1339.                 ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen)
    1340. 

  1340.            != WOLFSSL_SUCCESS) {
    1341. 

  1341.         return WOLFSSL_FAILURE;
    1342. 

  1342.     }
    1343. 

  1343. 

  1344.     return WOLFSSL_SUCCESS;
    1345. 

  1345. }
    1346. 

  1346. 

  1347. 

  1348. int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx,
    1349. 

  1349.                               const uint8_t* enc, size_t enclen,
    1350. 

  1350.                               const uint8_t* iv, const uint8_t* aad,
    1351. 

  1351.                               size_t aadlen)
    1352. 

  1352. {
    1353. 

  1353.     int len;
    1354. 

  1354.     const uint8_t* tag;
    1355. 

  1355. 

  1356.     /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */
    1357. 

  1357.     if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) {
    1358. 

  1358.         return WOLFSSL_FAILURE;
    1359. 

  1359.     }
    1360. 

  1360. 

  1361.     enclen -= ctx->authTagSz;
    1362. 

  1362.     tag = enc + enclen;
    1363. 

  1363. 

  1364.     if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS
    1365. 

  1365.         || wolfSSL_EVP_CIPHER_CTX_ctrl(
    1366. 

  1366.                 ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag)
    1367. 

  1367.             != WOLFSSL_SUCCESS
    1368. 

  1368.         || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen)
    1369. 

  1369.             != WOLFSSL_SUCCESS
    1370. 

  1370.         || wolfSSL_EVP_CipherUpdate(ctx, dest, &len, enc, (int)enclen)
    1371. 

  1371.             != WOLFSSL_SUCCESS
    1372. 

  1372.         || wolfSSL_EVP_CipherFinal(ctx, dest, &len) != WOLFSSL_SUCCESS) {
    1373. 

  1373.         return WOLFSSL_FAILURE;
    1374. 

  1374.     }
    1375. 

  1375. 

  1376.     return WOLFSSL_SUCCESS;
    1377. 

  1377. }
    1378. 

  1378. 

  1379. 

  1380. #endif /* WOLFSSL_QUIC */
    1381. 

  1381. #endif /* WOLFCRYPT_ONLY */
    1382. 

  1382.