2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef OSSL_QUIC_RECORD_TX_H
11 # define OSSL_QUIC_RECORD_TX_H
13 # include <openssl/ssl.h>
14 # include "internal/quic_wire_pkt.h"
15 # include "internal/quic_types.h"
16 # include "internal/quic_predef.h"
17 # include "internal/quic_record_util.h"
18 # include "internal/qlog.h"
20 # ifndef OPENSSL_NO_QUIC
23 * QUIC Record Layer - TX
24 * ======================
26 typedef struct ossl_qtx_iovec_st {
27 const unsigned char *buf;
31 typedef struct ossl_qtx_st OSSL_QTX;
33 typedef int (*ossl_mutate_packet_cb)(const QUIC_PKT_HDR *hdrin,
34 const OSSL_QTX_IOVEC *iovecin, size_t numin,
35 QUIC_PKT_HDR **hdrout,
36 const OSSL_QTX_IOVEC **iovecout,
40 typedef void (*ossl_finish_mutate_cb)(void *arg);
42 typedef struct ossl_qtx_args_st {
46 /* BIO to transmit to. */
49 /* Maximum datagram payload length (MDPL) for TX purposes. */
52 /* QLOG instance to use, or NULL. */
56 /* Instantiates a new QTX. */
57 OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args);
60 void ossl_qtx_free(OSSL_QTX *qtx);
62 /* Set mutator callbacks for test framework support */
63 void ossl_qtx_set_mutator(OSSL_QTX *qtx, ossl_mutate_packet_cb mutatecb,
64 ossl_finish_mutate_cb finishmutatecb, void *mutatearg);
66 /* Setters for the msg_callback and the msg_callback_arg */
67 void ossl_qtx_set_msg_callback(OSSL_QTX *qtx, ossl_msg_cb msg_callback,
68 SSL *msg_callback_ssl);
69 void ossl_qtx_set_msg_callback_arg(OSSL_QTX *qtx, void *msg_callback_arg);
71 /* Change QLOG instance in use after instantiation. */
72 void ossl_qtx_set0_qlog(OSSL_QTX *qtx, QLOG *qlog);
80 * Provides a secret to the QTX, which arises due to an encryption level change.
81 * enc_level is a QUIC_ENC_LEVEL_* value.
83 * This function can be used to initialise the INITIAL encryption level, but you
84 * should not do so directly; see the utility function
85 * ossl_qrl_provide_initial_secret() instead, which can initialise the INITIAL
86 * encryption level of a QRX and QTX simultaneously without duplicating certain
87 * key derivation steps.
89 * You must call this function for a given EL before transmitting packets at
90 * that EL using this QTX, otherwise ossl_qtx_write_pkt will fail.
92 * suite_id is a QRL_SUITE_* value which determines the AEAD function used for
95 * The secret passed is used directly to derive the "quic key", "quic iv" and
98 * secret_len is the length of the secret buffer in bytes. The buffer must be
99 * sized correctly to the chosen suite, else the function fails.
101 * This function can only be called once for a given EL, except for the INITIAL
102 * EL, as the INITIAL EL can need to be rekeyed if connection retry occurs.
103 * Subsequent calls for non-INITIAL ELs fail. Calls made after a corresponding
104 * call to ossl_qtx_discard_enc_level for a given EL also fail, including for
105 * the INITIAL EL. The secret for a non-INITIAL EL cannot be changed after it is
106 * set because QUIC has no facility for introducing additional key material
107 * after an EL is setup. (QUIC key updates generate new keys from existing key
108 * material and do not introduce new entropy into a connection's key material.)
110 * Returns 1 on success or 0 on failure.
112 int ossl_qtx_provide_secret(OSSL_QTX *qtx,
116 const unsigned char *secret,
120 * Informs the QTX that it can now discard key material for a given EL. The QTX
121 * will no longer be able to generate packets at that EL. This function is
122 * idempotent and succeeds if the EL has already been discarded.
124 * Returns 1 on success and 0 on failure.
126 int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level);
128 /* Returns 1 if the given encryption level is provisioned. */
129 int ossl_qtx_is_enc_level_provisioned(OSSL_QTX *qtx, uint32_t enc_level);
132 * Given the value ciphertext_len representing an encrypted packet payload
133 * length in bytes, determines how many plaintext bytes it will decrypt to.
134 * Returns 0 if the specified EL is not provisioned or ciphertext_len is too
135 * small. The result is written to *plaintext_len.
137 int ossl_qtx_calculate_plaintext_payload_len(OSSL_QTX *qtx, uint32_t enc_level,
138 size_t ciphertext_len,
139 size_t *plaintext_len);
142 * Given the value plaintext_len represented a plaintext packet payload length
143 * in bytes, determines how many ciphertext bytes it will encrypt to. The value
144 * output does not include packet headers. Returns 0 if the specified EL is not
145 * provisioned. The result is written to *ciphertext_len.
147 int ossl_qtx_calculate_ciphertext_payload_len(OSSL_QTX *qtx, uint32_t enc_level,
148 size_t plaintext_len,
149 size_t *ciphertext_len);
151 uint32_t ossl_qrl_get_suite_cipher_tag_len(uint32_t suite_id);
155 * Packet Transmission
156 * -------------------
159 struct ossl_qtx_pkt_st {
160 /* Logical packet header to be serialized. */
164 * iovecs expressing the logical packet payload buffer. Zero-length entries
167 const OSSL_QTX_IOVEC *iovec;
170 /* Destination address. Will be passed through to the BIO if non-NULL. */
171 const BIO_ADDR *peer;
174 * Local address (optional). Specify as non-NULL only if TX BIO
175 * has local address support enabled.
177 const BIO_ADDR *local;
180 * Logical PN. Used for encryption. This will automatically be encoded to
181 * hdr->pn, which need not be initialized.
185 /* Packet flags. Zero or more OSSL_QTX_PKT_FLAG_* values. */
190 * More packets will be written which should be coalesced into a single
191 * datagram; do not send this packet yet. To use this, set this flag for all
192 * packets but the final packet in a datagram, then send the final packet
193 * without this flag set.
195 * This flag is not a guarantee and the QTX may transmit immediately anyway if
196 * it is not possible to fit any more packets in the current datagram.
198 * If the caller change its mind and needs to cause a packet queued with
199 * COALESCE after having passed it to this function but without writing another
200 * packet, it should call ossl_qtx_flush_pkt().
202 #define OSSL_QTX_PKT_FLAG_COALESCE (1U << 0)
207 * *pkt need be valid only for the duration of the call to this function.
209 * pkt->hdr->data and pkt->hdr->len are unused. The payload buffer is specified
210 * via an array of OSSL_QTX_IOVEC structures. The API is designed to support
211 * single-copy transmission; data is copied from the iovecs as it is encrypted
212 * into an internal staging buffer for transmission.
214 * The function may modify and clobber pkt->hdr->data, pkt->hdr->len,
215 * pkt->hdr->key_phase and pkt->hdr->pn for its own internal use. No other
216 * fields of pkt or pkt->hdr will be modified.
218 * It is the callers responsibility to determine how long the PN field in the
219 * encoded packet should be by setting pkt->hdr->pn_len. This function takes
220 * care of the PN encoding. Set pkt->pn to the desired PN.
222 * Note that 1-RTT packets do not have a DCID Length field, therefore the DCID
223 * length must be understood contextually. This function assumes the caller
224 * knows what it is doing and will serialize a DCID of whatever length is given.
225 * It is the caller's responsibility to ensure it uses a consistent DCID length
226 * for communication with any given set of remote peers.
228 * The packet is queued regardless of whether it is able to be sent immediately.
229 * This enables packets to be batched and sent at once on systems which support
230 * system calls to send multiple datagrams in a single system call (see
231 * BIO_sendmmsg). To flush queued datagrams to the network, see
232 * ossl_qtx_flush_net().
234 * Returns 1 on success or 0 on failure.
236 int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt);
239 * Finish any incomplete datagrams for transmission which were flagged for
240 * coalescing. If there is no current coalescing datagram, this is a no-op.
242 void ossl_qtx_finish_dgram(OSSL_QTX *qtx);
245 * (Attempt to) flush any datagrams which are queued for transmission. Note that
246 * this does not cancel coalescing; call ossl_qtx_finish_dgram() first if that
247 * is desired. The queue is drained into the OS's sockets as much as possible.
248 * To determine if there is still data to be sent after calling this function,
249 * use ossl_qtx_get_queue_len_bytes().
251 * Returns one of the following values:
253 * QTX_FLUSH_NET_RES_OK
254 * Either no packets are currently queued for transmission,
255 * or at least one packet was successfully submitted.
257 * QTX_FLUSH_NET_RES_TRANSIENT_FAIL
258 * The underlying network write BIO indicated a transient error
259 * (e.g. buffers full).
261 * QTX_FLUSH_NET_RES_PERMANENT_FAIL
262 * Internal error (e.g. assertion or allocation error)
263 * or the underlying network write BIO indicated a non-transient
266 #define QTX_FLUSH_NET_RES_OK 1
267 #define QTX_FLUSH_NET_RES_TRANSIENT_FAIL (-1)
268 #define QTX_FLUSH_NET_RES_PERMANENT_FAIL (-2)
270 int ossl_qtx_flush_net(OSSL_QTX *qtx);
273 * Diagnostic function. If there is any datagram pending transmission, pops it
274 * and writes the details of the datagram as they would have been passed to
275 * *msg. Returns 1, or 0 if there are no datagrams pending. For test use only.
277 int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg);
279 /* Returns number of datagrams which are fully-formed but not yet sent. */
280 size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx);
283 * Returns number of payload bytes across all datagrams which are fully-formed
284 * but not yet sent. Does not count any incomplete coalescing datagram.
286 size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx);
289 * Returns number of bytes in the current coalescing datagram, or 0 if there is
290 * no current coalescing datagram. Returns 0 after a call to
291 * ossl_qtx_finish_dgram().
293 size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx);
296 * Returns number of queued coalesced packets which have not been put into a
297 * datagram yet. If this is non-zero, ossl_qtx_flush_pkt() needs to be called.
299 size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx);
302 * Change the BIO being used by the QTX. May be NULL if actual transmission is
303 * not currently required. Does not up-ref the BIO; the caller is responsible
304 * for ensuring the lifetime of the BIO exceeds the lifetime of the QTX.
306 void ossl_qtx_set_bio(OSSL_QTX *qtx, BIO *bio);
308 /* Changes the MDPL. */
309 int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl);
311 /* Retrieves the current MDPL. */
312 size_t ossl_qtx_get_mdpl(OSSL_QTX *qtx);
319 * For additional discussion of key update considerations, see QRX header file.
323 * Triggers a key update. The key update will be started by inverting the Key
324 * Phase bit of the next packet transmitted; no key update occurs until the next
325 * packet is transmitted. Thus, this function should generally be called
326 * immediately before queueing the next packet.
328 * There are substantial requirements imposed by RFC 9001 on under what
329 * circumstances a key update can be initiated. The caller is responsible for
330 * meeting most of these requirements. For example, this function cannot be
331 * called too soon after a previous key update has occurred. Key updates also
332 * cannot be initiated until the 1-RTT encryption level is reached.
334 * As a sanity check, this function will fail and return 0 if the non-1RTT
335 * encryption levels have not yet been dropped.
337 * The caller may decide itself to initiate a key update, but it also MUST
338 * initiate a key update where it detects that the peer has initiated a key
339 * update. The caller is responsible for initiating a TX key update by calling
340 * this function in this circumstance; thus, the caller is responsible for
341 * coupling the RX and TX QUIC record layers in this way.
343 int ossl_qtx_trigger_key_update(OSSL_QTX *qtx);
352 * Returns the number of packets which have been encrypted for transmission with
353 * the current set of TX keys (the current "TX key epoch"). Reset to zero after
354 * a key update and incremented for each packet queued. If enc_level is not
355 * valid or relates to an EL which is not currently available, returns
358 uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);
361 * Returns the maximum number of packets which the record layer will permit to
362 * be encrypted using the current set of TX keys. If this limit is reached (that
363 * is, if the counter returned by ossl_qrx_tx_get_cur_epoch_pkt_count() reaches
364 * this value), as a safety measure, the QTX will not permit any further packets
365 * to be queued. All calls to ossl_qrx_write_pkt that try to send packets of a
366 * kind which need to be encrypted will fail. It is not possible to recover from
367 * this condition and the QTX must then be destroyed; therefore, callers should
368 * ensure they always trigger a key update well in advance of reaching this
371 * The value returned by this function is based on the ciphersuite configured
372 * for the given encryption level. If keys have not been provisioned for the
373 * specified enc_level or the enc_level argument is invalid, this function
374 * returns UINT64_MAX, which is not a valid value. Note that it is not possible
375 * to perform a key update at any encryption level other than 1-RTT, therefore
376 * if this limit is reached at earlier encryption levels (which should not be
377 * possible) the connection must be terminated. Since this condition precludes
378 * the transmission of further packets, the only possible signalling of such an
379 * error condition to a peer is a Stateless Reset packet.
381 uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);
384 * Get the 1-RTT EL key epoch number for the QTX. This is intended for
385 * diagnostic purposes. Returns 0 if 1-RTT EL is not provisioned yet.
387 uint64_t ossl_qtx_get_key_epoch(OSSL_QTX *qtx);