Coverage Report

Created: 2024-07-27 06:37

/src/openssl/ssl/quic/quic_tls.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
#include <openssl/ssl.h>
10
#include "internal/recordmethod.h"
11
#include "internal/quic_tls.h"
12
#include "../ssl_local.h"
13
#include "internal/quic_error.h"
14
15
#define QUIC_TLS_FATAL(rl, ad, err) \
16
0
    do { \
17
0
        if ((rl) != NULL) (rl)->alert = (ad); \
18
0
        ERR_raise(ERR_LIB_SSL, (err)); \
19
0
        if ((rl) != NULL) (rl)->qtls->inerror = 1; \
20
0
    } while(0)
21
22
struct quic_tls_st {
23
    QUIC_TLS_ARGS args;
24
25
    /*
26
     * Transport parameters which client should send. Buffer lifetime must
27
     * exceed the lifetime of the QUIC_TLS object.
28
     */
29
    const unsigned char *local_transport_params;
30
    size_t local_transport_params_len;
31
32
    ERR_STATE *error_state;
33
34
    /*
35
     * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
36
     * only if inerror is 1.
37
     */
38
    uint64_t error_code;
39
40
    /*
41
     * Error message with static storage duration. Valid only if inerror is 1.
42
     * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
43
     */
44
    const char *error_msg;
45
46
    /* Whether our SSL object for TLS has been configured for use in QUIC */
47
    unsigned int configured : 1;
48
49
    /* Set if we have hit any error state */
50
    unsigned int inerror : 1;
51
52
    /* Set if the handshake has completed */
53
    unsigned int complete : 1;
54
};
55
56
struct ossl_record_layer_st {
57
    QUIC_TLS *qtls;
58
59
    /* Protection level */
60
    int level;
61
62
    /* Only used for retry flags */
63
    BIO *dummybio;
64
65
    /* Number of bytes written so far if we are part way through a write */
66
    size_t written;
67
68
    /* If we are part way through a write, a copy of the template */
69
    OSSL_RECORD_TEMPLATE template;
70
71
    /*
72
     * If we hit an error, what alert code should be used
73
     */
74
    int alert;
75
76
    /* Amount of crypto stream data we read in the last call to quic_read_record */
77
    size_t recread;
78
79
    /* Amount of crypto stream data read but not yet released */
80
    size_t recunreleased;
81
82
    /* Callbacks */
83
    OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
84
    void *cbarg;
85
};
86
87
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
88
static int quic_free(OSSL_RECORD_LAYER *r);
89
90
static int
91
quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
92
                      int role, int direction, int level, uint16_t epoch,
93
                      unsigned char *secret, size_t secretlen,
94
                      unsigned char *key, size_t keylen, unsigned char *iv,
95
                      size_t ivlen, unsigned char *mackey, size_t mackeylen,
96
                      const EVP_CIPHER *ciph, size_t taglen,
97
                      int mactype,
98
                      const EVP_MD *md, COMP_METHOD *comp,
99
                      const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
100
                      BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
101
                      const OSSL_PARAM *settings, const OSSL_PARAM *options,
102
                      const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
103
                      OSSL_RECORD_LAYER **retrl)
104
0
{
105
0
    OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
106
0
    uint32_t enc_level;
107
0
    int qdir;
108
0
    uint32_t suite_id = 0;
109
110
0
    if (rl == NULL) {
111
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
112
0
        return 0;
113
0
    }
114
115
0
    rl->qtls = (QUIC_TLS *)rlarg;
116
0
    rl->level = level;
117
0
    if (!quic_set1_bio(rl, transport)) {
118
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
119
0
        goto err;
120
0
    }
121
0
    rl->cbarg = cbarg;
122
0
    *retrl = rl;
123
124
0
    if (fns != NULL) {
125
0
        for (; fns->function_id != 0; fns++) {
126
0
            switch (fns->function_id) {
127
0
                break;
128
0
            case OSSL_FUNC_RLAYER_MSG_CALLBACK:
129
0
                rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
130
0
                break;
131
0
            default:
132
                /* Just ignore anything we don't understand */
133
0
                break;
134
0
            }
135
0
        }
136
0
    }
137
138
0
    switch (level) {
139
0
    case OSSL_RECORD_PROTECTION_LEVEL_NONE:
140
0
        return 1;
141
142
0
    case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
143
0
        enc_level = QUIC_ENC_LEVEL_0RTT;
144
0
        break;
145
146
0
    case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
147
0
        enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
148
0
        break;
149
150
0
    case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
151
0
        enc_level = QUIC_ENC_LEVEL_1RTT;
152
0
        break;
153
154
0
    default:
155
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
156
0
        goto err;
157
0
    }
158
159
0
    if (direction == OSSL_RECORD_DIRECTION_READ)
160
0
        qdir = 0;
161
0
    else
162
0
        qdir = 1;
163
164
0
    if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
165
0
        suite_id = QRL_SUITE_AES128GCM;
166
0
    } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
167
0
        suite_id = QRL_SUITE_AES256GCM;
168
0
    } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
169
0
        suite_id = QRL_SUITE_CHACHA20POLY1305;
170
0
    } else {
171
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
172
0
        goto err;
173
0
    }
174
175
    /* We pass a ref to the md in a successful yield_secret_cb call */
176
    /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
177
0
    if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
178
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
179
0
        goto err;
180
0
    }
181
182
0
    if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
183
0
                                        (EVP_MD *)kdfdigest, secret, secretlen,
184
0
                                        rl->qtls->args.yield_secret_cb_arg)) {
185
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
186
0
        EVP_MD_free((EVP_MD *)kdfdigest);
187
0
        goto err;
188
0
    }
189
190
0
    return 1;
191
0
 err:
192
0
    *retrl = NULL;
193
0
    quic_free(rl);
194
0
    return 0;
195
0
}
196
197
static int quic_free(OSSL_RECORD_LAYER *rl)
198
0
{
199
0
    if (rl == NULL)
200
0
        return 1;
201
202
0
    BIO_free(rl->dummybio);
203
0
    OPENSSL_free(rl);
204
0
    return 1;
205
0
}
206
207
static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
208
0
{
209
    /*
210
     * Read ahead isn't really a thing for QUIC so we never have unprocessed
211
     * data pending
212
     */
213
0
    return 0;
214
0
}
215
216
static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
217
0
{
218
    /*
219
     * This is currently only ever used by:
220
     * - SSL_has_pending()
221
     * - to check whether we have more records that we want to supply to the
222
     *   upper layers
223
     *
224
     * We only ever supply 1 record at a time to the upper layers, and
225
     * SSL_has_pending() will go via the QUIC method not the TLS method so that
226
     * use case doesn't apply here.
227
     * Therefore we can ignore this for now and always return 0. We might
228
     * eventually want to change this to check in the receive buffers to see if
229
     * we have any more data pending.
230
     */
231
0
    return 0;
232
0
}
233
234
static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
235
                                   size_t len,
236
                                   size_t maxfrag, size_t *preffrag)
237
0
{
238
0
    return 1;
239
0
}
240
241
static int quic_write_records(OSSL_RECORD_LAYER *rl,
242
                              OSSL_RECORD_TEMPLATE *template,
243
                              size_t numtempl)
244
0
{
245
0
    size_t consumed;
246
0
    unsigned char alert;
247
248
0
    if (!ossl_assert(numtempl == 1)) {
249
        /* How could this be? quic_get_max_records() always returns 1 */
250
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
251
0
        return OSSL_RECORD_RETURN_FATAL;
252
0
    }
253
254
0
    BIO_clear_retry_flags(rl->dummybio);
255
256
0
    if (rl->msg_callback != NULL) {
257
0
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
258
259
        /*
260
         * For the purposes of the callback we "pretend" to be normal TLS,
261
         * and manufacture a dummy record header
262
         */
263
0
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
264
0
                        ? template->type
265
0
                        : SSL3_RT_APPLICATION_DATA;
266
0
        dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
267
0
        dummyrec[2] = (unsigned char)(template->version & 0xff);
268
        /*
269
         * We assume that buflen is always <= UINT16_MAX. Since this is
270
         * generated by libssl itself we actually expect it to never
271
         * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
272
         * assumption
273
         */
274
0
        dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
275
0
        dummyrec[4] = (unsigned char)(template->buflen & 0xff);
276
277
0
        rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
278
0
                            SSL3_RT_HEADER_LENGTH, rl->cbarg);
279
280
0
        if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
281
0
            rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
282
0
                             &template->type, 1, rl->cbarg);
283
0
        }
284
0
    }
285
286
0
    switch (template->type) {
287
0
    case SSL3_RT_ALERT:
288
0
        if (template->buflen != 2) {
289
            /*
290
             * We assume that libssl always sends both bytes of an alert to
291
             * us in one go, and never fragments it. If we ever get more
292
             * or less bytes than exactly 2 then this is very unexpected.
293
             */
294
0
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
295
0
            return OSSL_RECORD_RETURN_FATAL;
296
0
        }
297
        /*
298
         * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
299
         * description that we are actually interested in.
300
         */
301
0
        alert = template->buf[1];
302
303
0
        if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
304
0
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
305
0
            return OSSL_RECORD_RETURN_FATAL;
306
0
        }
307
0
        break;
308
309
0
    case SSL3_RT_HANDSHAKE:
310
        /*
311
         * We expect this to only fail on some fatal error (e.g. malloc
312
         * failure)
313
         */
314
0
        if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
315
0
                                           template->buflen - rl->written,
316
0
                                           &consumed,
317
0
                                           rl->qtls->args.crypto_send_cb_arg)) {
318
0
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
319
0
            return OSSL_RECORD_RETURN_FATAL;
320
0
        }
321
        /*
322
         * We might have written less than we wanted to if we have filled the
323
         * send stream buffer.
324
         */
325
0
        if (consumed + rl->written != template->buflen) {
326
0
            if (!ossl_assert(consumed + rl->written < template->buflen)) {
327
0
                QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
328
0
                return OSSL_RECORD_RETURN_FATAL;
329
0
            }
330
331
            /*
332
             * We've not written everything we wanted to. Take a copy of the
333
             * template, remember how much we wrote so far and signal a retry.
334
             * The buffer supplied in the template is guaranteed to be the same
335
             * on a retry for handshake data
336
             */
337
0
            rl->written += consumed;
338
0
            rl->template = *template;
339
0
            BIO_set_retry_write(rl->dummybio);
340
341
0
            return OSSL_RECORD_RETURN_RETRY;
342
0
        }
343
0
        rl->written = 0;
344
0
        break;
345
346
0
    default:
347
        /* Anything else is unexpected and an error */
348
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
349
0
        return OSSL_RECORD_RETURN_FATAL;
350
0
    }
351
352
0
    return OSSL_RECORD_RETURN_SUCCESS;
353
0
}
354
355
static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
356
0
{
357
0
    return quic_write_records(rl, &rl->template, 1);
358
0
}
359
360
static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
361
                            int *rversion, uint8_t *type, const unsigned char **data,
362
                            size_t *datalen, uint16_t *epoch,
363
                            unsigned char *seq_num)
364
0
{
365
0
    if (rl->recread != 0 || rl->recunreleased != 0)
366
0
        return OSSL_RECORD_RETURN_FATAL;
367
368
0
    BIO_clear_retry_flags(rl->dummybio);
369
370
0
    if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
371
0
                                           rl->qtls->args.crypto_recv_rcd_cb_arg)) {
372
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
373
0
        return OSSL_RECORD_RETURN_FATAL;
374
0
    }
375
376
0
    if (*datalen == 0) {
377
0
        BIO_set_retry_read(rl->dummybio);
378
0
        return OSSL_RECORD_RETURN_RETRY;
379
0
    }
380
381
0
    *rechandle = rl;
382
0
    *rversion = TLS1_3_VERSION;
383
0
    *type = SSL3_RT_HANDSHAKE;
384
0
    rl->recread = rl->recunreleased = *datalen;
385
    /* epoch/seq_num are not relevant for TLS */
386
387
0
    if (rl->msg_callback != NULL) {
388
0
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
389
390
        /*
391
         * For the purposes of the callback we "pretend" to be normal TLS,
392
         * and manufacture a dummy record header
393
         */
394
0
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
395
0
                      ? SSL3_RT_HANDSHAKE
396
0
                      : SSL3_RT_APPLICATION_DATA;
397
0
        dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
398
0
        dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
399
        /*
400
         * *datalen will always fit into 2 bytes because our original buffer
401
         * size is less than that.
402
         */
403
0
        dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
404
0
        dummyrec[4] = (unsigned char)(*datalen & 0xff);
405
406
0
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
407
0
                         SSL3_RT_HEADER_LENGTH, rl->cbarg);
408
0
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
409
0
                         rl->cbarg);
410
0
    }
411
412
0
    return OSSL_RECORD_RETURN_SUCCESS;
413
0
}
414
415
static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
416
                               size_t length)
417
0
{
418
0
    if (!ossl_assert(rl->recread > 0)
419
0
            || !ossl_assert(rl->recunreleased <= rl->recread)
420
0
            || !ossl_assert(rl == rechandle)
421
0
            || !ossl_assert(length <= rl->recunreleased)) {
422
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
423
0
        return OSSL_RECORD_RETURN_FATAL;
424
0
    }
425
426
0
    rl->recunreleased -= length;
427
428
0
    if (rl->recunreleased > 0)
429
0
        return OSSL_RECORD_RETURN_SUCCESS;
430
431
0
    if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
432
0
                                              rl->qtls->args.crypto_release_rcd_cb_arg)) {
433
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
434
0
        return OSSL_RECORD_RETURN_FATAL;
435
0
    }
436
437
0
    rl->recread = 0;
438
0
    return OSSL_RECORD_RETURN_SUCCESS;
439
0
}
440
441
static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
442
0
{
443
0
    return rl->alert;
444
0
}
445
446
static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
447
0
{
448
    /* We only support TLSv1.3, so its bad if we negotiate anything else */
449
0
    if (!ossl_assert(version == TLS1_3_VERSION)) {
450
0
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
451
0
        return 0;
452
0
    }
453
454
0
    return 1;
455
0
}
456
457
static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
458
0
{
459
    /* We don't care */
460
0
}
461
462
static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
463
0
{
464
    /* We don't care */
465
0
}
466
467
static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
468
0
{
469
    /* We don't care */
470
0
}
471
472
static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
473
                    const char **longstr)
474
0
{
475
    /*
476
     * According to the docs, valid read state strings are: "RH"/"read header",
477
     * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
478
     * that way, so we report every "normal" state as "read header". In the
479
     * event of error then we report "unknown".
480
     */
481
482
0
    if (rl->qtls->inerror) {
483
0
        if (shortstr != NULL)
484
0
            *shortstr = "unknown";
485
0
        if (longstr != NULL)
486
0
            *longstr = "unknown";
487
0
    } else {
488
0
        if (shortstr != NULL)
489
0
            *shortstr = "RH";
490
0
        if (longstr != NULL)
491
0
            *longstr = "read header";
492
0
    }
493
0
}
494
495
static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
496
0
{
497
    /*
498
     * We don't support any options yet - but we might do at some point so
499
     * this could be useful.
500
     */
501
0
    return 1;
502
0
}
503
504
static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
505
0
{
506
    /* We only support TLSv1.3 which doesn't have compression */
507
0
    return NULL;
508
0
}
509
510
static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
511
0
{
512
    /* This really doesn't make any sense for QUIC. Ignore it */
513
0
}
514
515
static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
516
0
{
517
    /*
518
     * This is a hint only. We don't support it (yet), so just ignore the
519
     * request
520
     */
521
0
    return 1;
522
0
}
523
524
static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
525
0
{
526
    /*
527
     * This is a hint only. We don't support it (yet), so just ignore the
528
     * request
529
     */
530
0
    return 1;
531
0
}
532
533
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
534
0
{
535
0
    if (bio != NULL && !BIO_up_ref(bio))
536
0
        return 0;
537
0
    BIO_free(rl->dummybio);
538
0
    rl->dummybio = bio;
539
540
0
    return 1;
541
0
}
542
543
/*
544
 * Never called functions
545
 *
546
 * Due to the way we are configured and used we never expect any of the next set
547
 * of functions to be called. Therefore we set them to always fail.
548
 */
549
550
static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
551
0
{
552
0
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
553
0
    return (size_t)ossl_assert(0);
554
0
}
555
556
static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
557
0
{
558
0
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
559
0
    return (size_t)ossl_assert(0);
560
0
}
561
562
static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
563
0
{
564
0
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
565
0
    return ossl_assert(0);
566
0
}
567
568
/* End of never called functions */
569
570
static const OSSL_RECORD_METHOD quic_tls_record_method = {
571
    quic_new_record_layer,
572
    quic_free,
573
    quic_unprocessed_read_pending,
574
    quic_processed_read_pending,
575
    quic_app_data_pending, /* Never called */
576
    quic_get_max_records,
577
    quic_write_records,
578
    quic_retry_write_records,
579
    quic_read_record,
580
    quic_release_record,
581
    quic_get_alert_code,
582
    quic_set1_bio,
583
    quic_set_protocol_version,
584
    quic_set_plain_alerts,
585
    quic_set_first_handshake,
586
    quic_set_max_pipelines,
587
    NULL, /* set_in_init: Optional - we don't need it */
588
    quic_get_state,
589
    quic_set_options,
590
    quic_get_compression,
591
    quic_set_max_frag_len,
592
    quic_get_max_record_overhead, /* Never called */
593
    quic_increment_sequence_ctr, /* Never called */
594
    quic_alloc_buffers,
595
    quic_free_buffers
596
};
597
598
static int add_transport_params_cb(SSL *s, unsigned int ext_type,
599
                                   unsigned int context,
600
                                   const unsigned char **out, size_t *outlen,
601
                                   X509 *x, size_t chainidx, int *al,
602
                                   void *add_arg)
603
0
{
604
0
    QUIC_TLS *qtls = add_arg;
605
606
0
    *out = qtls->local_transport_params;
607
0
    *outlen = qtls->local_transport_params_len;
608
0
    return 1;
609
0
}
610
611
static void free_transport_params_cb(SSL *s, unsigned int ext_type,
612
                                     unsigned int context,
613
                                     const unsigned char *out,
614
                                     void *add_arg)
615
0
{
616
0
}
617
618
static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
619
                                     unsigned int context,
620
                                     const unsigned char *in,
621
                                     size_t inlen, X509 *x,
622
                                     size_t chainidx,
623
                                     int *al, void *parse_arg)
624
0
{
625
0
    QUIC_TLS *qtls = parse_arg;
626
627
0
    return qtls->args.got_transport_params_cb(in, inlen,
628
0
                                              qtls->args.got_transport_params_cb_arg);
629
0
}
630
631
QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
632
0
{
633
0
    QUIC_TLS *qtls;
634
635
0
    if (args->crypto_send_cb == NULL
636
0
        || args->crypto_recv_rcd_cb == NULL
637
0
        || args->crypto_release_rcd_cb == NULL) {
638
0
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
639
0
        return NULL;
640
0
    }
641
642
0
    qtls = OPENSSL_zalloc(sizeof(*qtls));
643
0
    if (qtls == NULL)
644
0
        return NULL;
645
646
0
    if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
647
0
        OPENSSL_free(qtls);
648
0
        return NULL;
649
0
    }
650
651
0
    qtls->args = *args;
652
0
    return qtls;
653
0
}
654
655
void ossl_quic_tls_free(QUIC_TLS *qtls)
656
0
{
657
0
    if (qtls == NULL)
658
0
        return;
659
0
    OSSL_ERR_STATE_free(qtls->error_state);
660
0
    OPENSSL_free(qtls);
661
0
}
662
663
static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
664
                       const char *error_msg,
665
                       const char *src_file,
666
                       int src_line,
667
                       const char *src_func)
668
0
{
669
    /*
670
     * When QTLS fails, add a "cover letter" error with information, potentially
671
     * with any underlying libssl errors underneath it (but our cover error may
672
     * be the only error in some cases). Then capture this into an ERR_STATE so
673
     * we can report it later if need be when the QUIC_CHANNEL asks for it.
674
     */
675
0
    ERR_new();
676
0
    ERR_set_debug(src_file, src_line, src_func);
677
0
    ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
678
0
                  "handshake layer error, error code %llu (0x%llx) (\"%s\")",
679
0
                  error_code, error_code, error_msg);
680
0
    OSSL_ERR_STATE_save_to_mark(qtls->error_state);
681
682
    /*
683
     * We record the error information reported via the QUIC protocol
684
     * separately.
685
     */
686
0
    qtls->error_code        = error_code;
687
0
    qtls->error_msg         = error_msg;
688
0
    qtls->inerror           = 1;
689
690
0
    ERR_pop_to_mark();
691
0
    return 0;
692
0
}
693
694
#define RAISE_ERROR(qtls, error_code, error_msg) \
695
0
    raise_error((qtls), (error_code), (error_msg), \
696
0
                OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
697
698
#define RAISE_INTERNAL_ERROR(qtls) \
699
0
    RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
700
701
int ossl_quic_tls_tick(QUIC_TLS *qtls)
702
0
{
703
0
    int ret, err;
704
0
    const unsigned char *alpn;
705
0
    unsigned int alpnlen;
706
707
0
    if (qtls->inerror)
708
0
        return 0;
709
710
    /*
711
     * SSL_get_error does not truly know what the cause of an SSL_read failure
712
     * is and to some extent guesses based on contextual information. In
713
     * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
714
     * SSL_ERROR_SYSCALL will be returned no matter what and there is no
715
     * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
716
     * the actual cause of the SSL_read() failure.
717
     *
718
     * This means that ordinarily, the below code might not work right if the
719
     * application has any ERR on the error stack. In order to make this code
720
     * perform correctly regardless of prior ERR state, we use a variant of
721
     * SSL_get_error() which ignores the error stack. However, some ERRs are
722
     * raised by SSL_read() and actually indicate that something has gone wrong
723
     * during the call to SSL_read(). We therefore adopt a strategy of marking
724
     * the ERR stack and seeing if any errors get appended during the call to
725
     * SSL_read(). If they are, we assume SSL_read() has raised an error and
726
     * that we should use normal SSL_get_error() handling.
727
     *
728
     * NOTE: Ensure all escape paths from this function call
729
     * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
730
     */
731
0
    ERR_set_mark();
732
733
0
    if (!qtls->configured) {
734
0
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
735
0
        SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
736
0
        BIO *nullbio;
737
738
        /*
739
         * No matter how the user has configured us, there are certain
740
         * requirements for QUIC-TLS that we enforce
741
         */
742
743
        /* ALPN is a requirement for QUIC and must be set */
744
0
        if (qtls->args.is_server) {
745
0
            if (sctx->ext.alpn_select_cb == NULL)
746
0
                return RAISE_INTERNAL_ERROR(qtls);
747
0
        } else {
748
0
            if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
749
0
                return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
750
0
                                   "ALPN must be configured when using QUIC");
751
0
        }
752
0
        if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
753
0
            return RAISE_INTERNAL_ERROR(qtls);
754
755
0
        SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
756
0
        ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
757
758
0
        if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
759
0
                                            qtls->args.is_server ? ENDPOINT_SERVER
760
0
                                                                 : ENDPOINT_CLIENT,
761
0
                                            TLSEXT_TYPE_quic_transport_parameters,
762
0
                                            SSL_EXT_TLS1_3_ONLY
763
0
                                            | SSL_EXT_CLIENT_HELLO
764
0
                                            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
765
0
                                            add_transport_params_cb,
766
0
                                            free_transport_params_cb, qtls,
767
0
                                            parse_transport_params_cb, qtls))
768
0
            return RAISE_INTERNAL_ERROR(qtls);
769
770
0
        nullbio = BIO_new(BIO_s_null());
771
0
        if (nullbio == NULL)
772
0
            return RAISE_INTERNAL_ERROR(qtls);
773
774
        /*
775
         * Our custom record layer doesn't use the BIO - but libssl generally
776
         * expects one to be present.
777
         */
778
0
        SSL_set_bio(qtls->args.s, nullbio, nullbio);
779
780
0
        if (qtls->args.is_server)
781
0
            SSL_set_accept_state(qtls->args.s);
782
0
        else
783
0
            SSL_set_connect_state(qtls->args.s);
784
785
0
        qtls->configured = 1;
786
0
    }
787
788
0
    if (qtls->complete)
789
        /*
790
         * There should never be app data to read, but calling SSL_read() will
791
         * ensure any post-handshake messages are processed.
792
         */
793
0
        ret = SSL_read(qtls->args.s, NULL, 0);
794
0
    else
795
0
        ret = SSL_do_handshake(qtls->args.s);
796
797
0
    if (ret <= 0) {
798
0
        err = ossl_ssl_get_error(qtls->args.s, ret,
799
0
                                 /*check_err=*/ERR_count_to_mark() > 0);
800
801
0
        switch (err) {
802
0
        case SSL_ERROR_WANT_READ:
803
0
        case SSL_ERROR_WANT_WRITE:
804
0
        case SSL_ERROR_WANT_CLIENT_HELLO_CB:
805
0
        case SSL_ERROR_WANT_X509_LOOKUP:
806
0
        case SSL_ERROR_WANT_RETRY_VERIFY:
807
0
            ERR_pop_to_mark();
808
0
            return 1;
809
810
0
        default:
811
0
            return RAISE_INTERNAL_ERROR(qtls);
812
0
        }
813
0
    }
814
815
0
    if (!qtls->complete) {
816
        /* Validate that we have ALPN */
817
0
        SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
818
0
        if (alpn == NULL || alpnlen == 0)
819
0
            return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
820
0
                               "no application protocol negotiated");
821
822
0
        qtls->complete = 1;
823
0
        ERR_pop_to_mark();
824
0
        return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
825
0
    }
826
827
0
    ERR_pop_to_mark();
828
0
    return 1;
829
0
}
830
831
int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
832
                                       const unsigned char *transport_params,
833
                                       size_t transport_params_len)
834
0
{
835
0
    qtls->local_transport_params       = transport_params;
836
0
    qtls->local_transport_params_len   = transport_params_len;
837
0
    return 1;
838
0
}
839
840
int ossl_quic_tls_get_error(QUIC_TLS *qtls,
841
                            uint64_t *error_code,
842
                            const char **error_msg,
843
                            ERR_STATE **error_state)
844
0
{
845
0
    if (qtls->inerror) {
846
0
        *error_code     = qtls->error_code;
847
0
        *error_msg      = qtls->error_msg;
848
0
        *error_state    = qtls->error_state;
849
0
    }
850
851
0
    return qtls->inerror;
852
0
}
853
854
/*
855
 * Returns true if the last handshake record message we processed was a
856
 * CertificateRequest
857
 */
858
int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
859
0
{
860
0
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
861
862
0
    return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
863
0
}
864
865
/*
866
 * Returns true if the last session associated with the connection has an
867
 * invalid max_early_data value for QUIC.
868
 */
869
int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
870
0
{
871
0
    uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
872
873
    /*
874
     * If max_early_data was present we always ensure a non-zero value is
875
     * stored in the session for QUIC. Therefore if max_early_data == 0 here
876
     * we can be confident that it was not present in the NewSessionTicket
877
     */
878
0
    return max_early_data != 0xffffffff && max_early_data != 0;
879
0
}