/src/msquic/submodules/quictls/ssl/ssl_quic.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include "ssl_local.h" |
11 | | #include "internal/cryptlib.h" |
12 | | #include "internal/refcount.h" |
13 | | |
14 | | int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, |
15 | | size_t params_len) |
16 | 47.0k | { |
17 | 47.0k | uint8_t *tmp; |
18 | | |
19 | 47.0k | if (params == NULL || params_len == 0) { |
20 | 0 | tmp = NULL; |
21 | 0 | params_len = 0; |
22 | 47.0k | } else { |
23 | 47.0k | tmp = OPENSSL_memdup(params, params_len); |
24 | 47.0k | if (tmp == NULL) |
25 | 0 | return 0; |
26 | 47.0k | } |
27 | | |
28 | 47.0k | OPENSSL_free(ssl->ext.quic_transport_params); |
29 | 47.0k | ssl->ext.quic_transport_params = tmp; |
30 | 47.0k | ssl->ext.quic_transport_params_len = params_len; |
31 | 47.0k | return 1; |
32 | 47.0k | } |
33 | | |
34 | | void SSL_get_peer_quic_transport_params(const SSL *ssl, |
35 | | const uint8_t **out_params, |
36 | | size_t *out_params_len) |
37 | 49.1k | { |
38 | 49.1k | if (ssl->ext.peer_quic_transport_params_len) { |
39 | 2.30k | *out_params = ssl->ext.peer_quic_transport_params; |
40 | 2.30k | *out_params_len = ssl->ext.peer_quic_transport_params_len; |
41 | 46.8k | } else { |
42 | 46.8k | *out_params = ssl->ext.peer_quic_transport_params_draft; |
43 | 46.8k | *out_params_len = ssl->ext.peer_quic_transport_params_draft_len; |
44 | 46.8k | } |
45 | 49.1k | } |
46 | | |
47 | | /* Returns the negotiated version, or -1 on error */ |
48 | | int SSL_get_peer_quic_transport_version(const SSL *ssl) |
49 | 0 | { |
50 | 0 | if (ssl->ext.peer_quic_transport_params_len != 0 |
51 | 0 | && ssl->ext.peer_quic_transport_params_draft_len != 0) |
52 | 0 | return -1; |
53 | 0 | if (ssl->ext.peer_quic_transport_params_len != 0) |
54 | 0 | return TLSEXT_TYPE_quic_transport_parameters; |
55 | 0 | if (ssl->ext.peer_quic_transport_params_draft_len != 0) |
56 | 0 | return TLSEXT_TYPE_quic_transport_parameters_draft; |
57 | | |
58 | 0 | return -1; |
59 | 0 | } |
60 | | |
61 | | void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) |
62 | 47.0k | { |
63 | 47.0k | if (use_legacy) |
64 | 0 | ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters_draft; |
65 | 47.0k | else |
66 | 47.0k | ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters; |
67 | 47.0k | } |
68 | | |
69 | | void SSL_set_quic_transport_version(SSL *ssl, int version) |
70 | 0 | { |
71 | 0 | ssl->quic_transport_version = version; |
72 | 0 | } |
73 | | |
74 | | int SSL_get_quic_transport_version(const SSL *ssl) |
75 | 0 | { |
76 | 0 | return ssl->quic_transport_version; |
77 | 0 | } |
78 | | |
79 | | size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level) |
80 | 0 | { |
81 | | /* |
82 | | * Limits flights to 16K by default when there are no large |
83 | | * (certificate-carrying) messages. |
84 | | */ |
85 | 0 | static const size_t DEFAULT_FLIGHT_LIMIT = 16384; |
86 | |
|
87 | 0 | switch (level) { |
88 | 0 | case ssl_encryption_initial: |
89 | 0 | return DEFAULT_FLIGHT_LIMIT; |
90 | 0 | case ssl_encryption_early_data: |
91 | | /* QUIC does not send EndOfEarlyData. */ |
92 | 0 | return 0; |
93 | 0 | case ssl_encryption_handshake: |
94 | 0 | if (ssl->server) { |
95 | | /* |
96 | | * Servers may receive Certificate message if configured to request |
97 | | * client certificates. |
98 | | */ |
99 | 0 | if ((ssl->verify_mode & SSL_VERIFY_PEER) |
100 | 0 | && ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT) |
101 | 0 | return ssl->max_cert_list; |
102 | 0 | } else { |
103 | | /* |
104 | | * Clients may receive both Certificate message and a CertificateRequest |
105 | | * message. |
106 | | */ |
107 | 0 | if (2*ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT) |
108 | 0 | return 2 * ssl->max_cert_list; |
109 | 0 | } |
110 | 0 | return DEFAULT_FLIGHT_LIMIT; |
111 | 0 | case ssl_encryption_application: |
112 | 0 | return DEFAULT_FLIGHT_LIMIT; |
113 | 0 | } |
114 | | |
115 | 0 | return 0; |
116 | 0 | } |
117 | | |
118 | | OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl) |
119 | 0 | { |
120 | 0 | return ssl->quic_read_level; |
121 | 0 | } |
122 | | |
123 | | OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl) |
124 | 0 | { |
125 | 0 | return ssl->quic_write_level; |
126 | 0 | } |
127 | | |
128 | | int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level, |
129 | | const uint8_t *data, size_t len) |
130 | 11.6k | { |
131 | 11.6k | size_t l, offset; |
132 | | |
133 | 11.6k | if (!SSL_IS_QUIC(ssl)) { |
134 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
135 | 0 | return 0; |
136 | 0 | } |
137 | | |
138 | | /* Level can be different than the current read, but not less */ |
139 | 11.6k | if (level < ssl->quic_read_level |
140 | 11.6k | || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level) |
141 | 11.6k | || level < ssl->quic_latest_level_received) { |
142 | 0 | ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED); |
143 | 0 | return 0; |
144 | 0 | } |
145 | | |
146 | 11.6k | if (len == 0) |
147 | 0 | return 1; |
148 | | |
149 | 11.6k | if (ssl->quic_buf == NULL) { |
150 | 4.86k | BUF_MEM *buf; |
151 | 4.86k | if ((buf = BUF_MEM_new()) == NULL) { |
152 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
153 | 0 | return 0; |
154 | 0 | } |
155 | 4.86k | if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { |
156 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
157 | 0 | BUF_MEM_free(buf); |
158 | 0 | return 0; |
159 | 0 | } |
160 | 4.86k | ssl->quic_buf = buf; |
161 | | /* We preallocated storage, but there's still no *data*. */ |
162 | 4.86k | ssl->quic_buf->length = 0; |
163 | 4.86k | buf = NULL; |
164 | 4.86k | } |
165 | | |
166 | | /* A TLS message must not cross an encryption level boundary */ |
167 | 11.6k | if (ssl->quic_buf->length != ssl->quic_next_record_start |
168 | 11.6k | && level != ssl->quic_latest_level_received) { |
169 | 0 | ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED); |
170 | 0 | return 0; |
171 | 0 | } |
172 | 11.6k | ssl->quic_latest_level_received = level; |
173 | | |
174 | 11.6k | offset = ssl->quic_buf->length; |
175 | 11.6k | if (!BUF_MEM_grow(ssl->quic_buf, offset + len)) { |
176 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
177 | 0 | return 0; |
178 | 0 | } |
179 | 11.6k | memcpy(ssl->quic_buf->data + offset, data, len); |
180 | | |
181 | | /* Split on handshake message boundaries */ |
182 | 27.8k | while (ssl->quic_buf->length > ssl->quic_next_record_start |
183 | 27.8k | + SSL3_HM_HEADER_LENGTH) { |
184 | 16.2k | QUIC_DATA *qd; |
185 | 16.2k | const uint8_t *p; |
186 | | |
187 | | /* TLS Handshake message header has 1-byte type and 3-byte length */ |
188 | 16.2k | p = (const uint8_t *)ssl->quic_buf->data |
189 | 16.2k | + ssl->quic_next_record_start + 1; |
190 | 16.2k | n2l3(p, l); |
191 | 16.2k | l += SSL3_HM_HEADER_LENGTH; |
192 | | /* Don't allocate a QUIC_DATA if we don't have a full record */ |
193 | 16.2k | if (l > ssl->quic_buf->length - ssl->quic_next_record_start) |
194 | 0 | break; |
195 | | |
196 | 16.2k | qd = OPENSSL_zalloc(sizeof(*qd)); |
197 | 16.2k | if (qd == NULL) { |
198 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
199 | 0 | return 0; |
200 | 0 | } |
201 | | |
202 | 16.2k | qd->next = NULL; |
203 | 16.2k | qd->length = l; |
204 | 16.2k | qd->start = ssl->quic_next_record_start; |
205 | 16.2k | qd->level = level; |
206 | | |
207 | 16.2k | if (ssl->quic_input_data_tail != NULL) |
208 | 4.60k | ssl->quic_input_data_tail->next = qd; |
209 | 11.6k | else |
210 | 11.6k | ssl->quic_input_data_head = qd; |
211 | 16.2k | ssl->quic_input_data_tail = qd; |
212 | 16.2k | ssl->quic_next_record_start += l; |
213 | 16.2k | } |
214 | | |
215 | 11.6k | return 1; |
216 | 11.6k | } |
217 | | |
218 | | int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) |
219 | 5.52k | { |
220 | 5.52k | if (ctx->method->version != TLS_ANY_VERSION) |
221 | 0 | return 0; |
222 | 5.52k | ctx->quic_method = quic_method; |
223 | 5.52k | ctx->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT; |
224 | 5.52k | return 1; |
225 | 5.52k | } |
226 | | |
227 | | int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) |
228 | 0 | { |
229 | 0 | if (ssl->method->version != TLS_ANY_VERSION) |
230 | 0 | return 0; |
231 | 0 | ssl->quic_method = quic_method; |
232 | 0 | ssl->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT; |
233 | 0 | return 1; |
234 | 0 | } |
235 | | |
236 | | int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level) |
237 | 9.71k | { |
238 | 9.71k | uint8_t *c2s_secret = NULL; |
239 | 9.71k | uint8_t *s2c_secret = NULL; |
240 | 9.71k | size_t len; |
241 | 9.71k | const EVP_MD *md; |
242 | | |
243 | 9.71k | if (!SSL_IS_QUIC(ssl)) |
244 | 0 | return 1; |
245 | | |
246 | | /* secrets from the POV of the client */ |
247 | 9.71k | switch (level) { |
248 | 0 | case ssl_encryption_early_data: |
249 | 0 | c2s_secret = ssl->client_early_traffic_secret; |
250 | 0 | break; |
251 | 4.86k | case ssl_encryption_handshake: |
252 | 4.86k | c2s_secret = ssl->client_hand_traffic_secret; |
253 | 4.86k | s2c_secret = ssl->server_hand_traffic_secret; |
254 | 4.86k | break; |
255 | 4.84k | case ssl_encryption_application: |
256 | 4.84k | c2s_secret = ssl->client_app_traffic_secret; |
257 | 4.84k | s2c_secret = ssl->server_app_traffic_secret; |
258 | 4.84k | break; |
259 | 0 | default: |
260 | 0 | return 1; |
261 | 9.71k | } |
262 | | |
263 | 9.71k | if (level == ssl_encryption_early_data) { |
264 | 0 | const SSL_CIPHER *c = SSL_SESSION_get0_cipher(ssl->session); |
265 | 0 | if (ssl->early_data_state == SSL_EARLY_DATA_CONNECTING |
266 | 0 | && ssl->max_early_data > 0 |
267 | 0 | && ssl->session->ext.max_early_data == 0) { |
268 | 0 | if (!ossl_assert(ssl->psksession != NULL |
269 | 0 | && ssl->max_early_data == |
270 | 0 | ssl->psksession->ext.max_early_data)) { |
271 | 0 | SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
272 | 0 | return 0; |
273 | 0 | } |
274 | 0 | c = SSL_SESSION_get0_cipher(ssl->psksession); |
275 | 0 | } |
276 | | |
277 | 0 | if (c == NULL) { |
278 | 0 | SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
279 | 0 | return 0; |
280 | 0 | } |
281 | | |
282 | 0 | md = ssl_md(ssl->ctx, c->algorithm2); |
283 | 9.71k | } else { |
284 | 9.71k | md = ssl_handshake_md(ssl); |
285 | 9.71k | if (md == NULL) { |
286 | | /* May not have selected cipher, yet */ |
287 | 0 | const SSL_CIPHER *c = NULL; |
288 | | |
289 | | /* |
290 | | * It probably doesn't make sense to use an (external) PSK session, |
291 | | * but in theory some kinds of external session caches could be |
292 | | * implemented using it, so allow psksession to be used as well as |
293 | | * the regular session. |
294 | | */ |
295 | 0 | if (ssl->session != NULL) |
296 | 0 | c = SSL_SESSION_get0_cipher(ssl->session); |
297 | 0 | else if (ssl->psksession != NULL) |
298 | 0 | c = SSL_SESSION_get0_cipher(ssl->psksession); |
299 | |
|
300 | 0 | if (c != NULL) |
301 | 0 | md = SSL_CIPHER_get_handshake_digest(c); |
302 | 0 | } |
303 | 9.71k | } |
304 | | |
305 | 9.71k | if ((len = EVP_MD_size(md)) <= 0) { |
306 | 0 | SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
307 | 0 | return 0; |
308 | 0 | } |
309 | | |
310 | 9.71k | if (ssl->server) { |
311 | 5.11k | if (!ssl->quic_method->set_encryption_secrets(ssl, level, c2s_secret, |
312 | 5.11k | s2c_secret, len)) { |
313 | 0 | SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
314 | 0 | return 0; |
315 | 0 | } |
316 | 5.11k | } else { |
317 | 4.60k | if (!ssl->quic_method->set_encryption_secrets(ssl, level, s2c_secret, |
318 | 4.60k | c2s_secret, len)) { |
319 | 0 | SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
320 | 0 | return 0; |
321 | 0 | } |
322 | 4.60k | } |
323 | | |
324 | 9.71k | return 1; |
325 | 9.71k | } |
326 | | |
327 | | int SSL_process_quic_post_handshake(SSL *ssl) |
328 | 0 | { |
329 | 0 | int ret; |
330 | |
|
331 | 0 | if (SSL_in_init(ssl) || !SSL_IS_QUIC(ssl)) { |
332 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
333 | 0 | return 0; |
334 | 0 | } |
335 | | |
336 | | /* if there is no data, return success as BoringSSL */ |
337 | 0 | while (ssl->quic_input_data_head != NULL) { |
338 | | /* |
339 | | * This is always safe (we are sure to be at a record boundary) because |
340 | | * SSL_read()/SSL_write() are never used for QUIC connections -- the |
341 | | * application data is handled at the QUIC layer instead. |
342 | | */ |
343 | 0 | ossl_statem_set_in_init(ssl, 1); |
344 | 0 | ret = ssl->handshake_func(ssl); |
345 | 0 | ossl_statem_set_in_init(ssl, 0); |
346 | |
|
347 | 0 | if (ret <= 0) |
348 | 0 | return 0; |
349 | 0 | } |
350 | 0 | return 1; |
351 | 0 | } |
352 | | |
353 | | int SSL_is_quic(SSL* ssl) |
354 | 0 | { |
355 | 0 | return SSL_IS_QUIC(ssl); |
356 | 0 | } |
357 | | |
358 | | void SSL_set_quic_early_data_enabled(SSL *ssl, int enabled) |
359 | 0 | { |
360 | 0 | if (!SSL_is_quic(ssl) || !SSL_in_before(ssl)) |
361 | 0 | return; |
362 | | |
363 | 0 | if (!enabled) { |
364 | 0 | ssl->early_data_state = SSL_EARLY_DATA_NONE; |
365 | 0 | return; |
366 | 0 | } |
367 | | |
368 | 0 | if (ssl->server) { |
369 | 0 | ssl->early_data_state = SSL_EARLY_DATA_ACCEPTING; |
370 | 0 | return; |
371 | 0 | } |
372 | | |
373 | 0 | if ((ssl->session == NULL || ssl->session->ext.max_early_data == 0) |
374 | 0 | && ssl->psk_use_session_cb == NULL) |
375 | 0 | return; |
376 | | |
377 | 0 | ssl->early_data_state = SSL_EARLY_DATA_CONNECTING; |
378 | 0 | } |