2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/quic_record_rx.h"
11 #include "quic_record_shared.h"
12 #include "internal/common.h"
13 #include "internal/list.h"
14 #include "../ssl_local.h"
17 * Mark a packet in a bitfield.
19 * pkt_idx: index of packet within datagram.
21 static ossl_inline void pkt_mark(uint64_t *bitf, size_t pkt_idx)
23 assert(pkt_idx < QUIC_MAX_PKT_PER_URXE);
24 *bitf |= ((uint64_t)1) << pkt_idx;
27 /* Returns 1 if a packet is in the bitfield. */
28 static ossl_inline int pkt_is_marked(const uint64_t *bitf, size_t pkt_idx)
30 assert(pkt_idx < QUIC_MAX_PKT_PER_URXE);
31 return (*bitf & (((uint64_t)1) << pkt_idx)) != 0;
38 * RX Entries (RXEs) store processed (i.e., decrypted) data received from the
39 * network. One RXE is used per received QUIC packet.
41 typedef struct rxe_st RXE;
44 OSSL_LIST_MEMBER(rxe, RXE);
45 size_t data_len, alloc_len;
47 /* Extra fields for per-packet information. */
48 QUIC_PKT_HDR hdr; /* data/len are decrypted payload */
50 /* Decoded packet number. */
53 /* Addresses copied from URXE. */
56 /* Time we received the packet (not when we processed it). */
59 /* Total length of the datagram which contained this packet. */
63 * alloc_len allocated bytes (of which data_len bytes are valid) follow this
68 DEFINE_LIST_OF(rxe, RXE);
69 typedef OSSL_LIST(rxe) RXE_LIST;
71 static ossl_inline unsigned char *rxe_data(const RXE *e)
73 return (unsigned char *)(e + 1);
84 /* Demux to receive datagrams from. */
87 /* Length of connection IDs used in short-header packets in bytes. */
88 size_t short_conn_id_len;
90 /* Maximum number of deferred datagrams buffered at any one time. */
93 /* Current count of deferred datagrams. */
97 * List of URXEs which are filled with received encrypted data.
98 * These are returned to the DEMUX's free list as they are processed.
100 QUIC_URXE_LIST urx_pending;
103 * List of URXEs which we could not decrypt immediately and which are being
104 * kept in case they can be decrypted later.
106 QUIC_URXE_LIST urx_deferred;
109 * List of RXEs which are not currently in use. These are moved
110 * to the pending list as they are filled.
115 * List of RXEs which are filled with decrypted packets ready to be passed
116 * to the user. A RXE is removed from all lists inside the QRL when passed
117 * to the user, then returned to the free list when the user returns it.
121 /* Largest PN we have received and processed in a given PN space. */
122 QUIC_PN largest_pn[QUIC_PN_SPACE_NUM];
124 /* Per encryption-level state. */
125 OSSL_QRL_ENC_LEVEL_SET el_set;
127 /* Bytes we have received since this counter was last cleared. */
128 uint64_t bytes_received;
131 * Number of forged packets we have received since the QRX was instantiated.
132 * Note that as per RFC 9001, this is connection-level state; it is not per
133 * EL and is not reset by a key update.
135 uint64_t forged_pkt_count;
137 /* Validation callback. */
138 ossl_qrx_early_validation_cb *validation_cb;
139 void *validation_cb_arg;
141 /* Key update callback. */
142 ossl_qrx_key_update_cb *key_update_cb;
143 void *key_update_cb_arg;
145 /* Initial key phase. For debugging use only; always 0 in real use. */
146 unsigned char init_key_phase_bit;
149 static void qrx_on_rx(QUIC_URXE *urxe, void *arg);
151 OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args)
156 if (args->demux == NULL || args->max_deferred == 0)
159 qrx = OPENSSL_zalloc(sizeof(OSSL_QRX));
163 for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i)
164 qrx->largest_pn[i] = args->init_largest_pn[i];
166 qrx->libctx = args->libctx;
167 qrx->propq = args->propq;
168 qrx->demux = args->demux;
169 qrx->short_conn_id_len = args->short_conn_id_len;
170 qrx->init_key_phase_bit = args->init_key_phase_bit;
171 qrx->max_deferred = args->max_deferred;
175 static void qrx_cleanup_rxl(RXE_LIST *l)
179 for (e = ossl_list_rxe_head(l); e != NULL; e = enext) {
180 enext = ossl_list_rxe_next(e);
181 ossl_list_rxe_remove(l, e);
186 static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l)
188 QUIC_URXE *e, *enext;
190 for (e = ossl_list_urxe_head(l); e != NULL; e = enext) {
191 enext = ossl_list_urxe_next(e);
192 ossl_quic_demux_release_urxe(qrx->demux, e);
196 void ossl_qrx_free(OSSL_QRX *qrx)
200 /* Unregister from the RX DEMUX. */
201 ossl_quic_demux_unregister_by_cb(qrx->demux, qrx_on_rx, qrx);
203 /* Free RXE queue data. */
204 qrx_cleanup_rxl(&qrx->rx_free);
205 qrx_cleanup_rxl(&qrx->rx_pending);
206 qrx_cleanup_urxl(qrx, &qrx->urx_pending);
207 qrx_cleanup_urxl(qrx, &qrx->urx_deferred);
209 /* Drop keying material and crypto resources. */
210 for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i)
211 ossl_qrl_enc_level_set_discard(&qrx->el_set, i);
216 static void qrx_on_rx(QUIC_URXE *urxe, void *arg)
220 /* Initialize our own fields inside the URXE and add to the pending list. */
222 urxe->hpr_removed = 0;
224 ossl_list_urxe_insert_tail(&qrx->urx_pending, urxe);
227 int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx,
228 const QUIC_CONN_ID *dst_conn_id)
230 return ossl_quic_demux_register(qrx->demux,
236 int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx,
237 const QUIC_CONN_ID *dst_conn_id)
239 return ossl_quic_demux_unregister(qrx->demux, dst_conn_id);
242 static void qrx_requeue_deferred(OSSL_QRX *qrx)
246 while ((e = ossl_list_urxe_head(&qrx->urx_deferred)) != NULL) {
247 ossl_list_urxe_remove(&qrx->urx_deferred, e);
248 ossl_list_urxe_insert_head(&qrx->urx_pending, e);
252 int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level,
253 uint32_t suite_id, EVP_MD *md,
254 const unsigned char *secret, size_t secret_len)
256 if (enc_level >= QUIC_ENC_LEVEL_NUM)
259 if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set,
267 qrx->init_key_phase_bit,
272 * Any packets we previously could not decrypt, we may now be able to
273 * decrypt, so move any datagrams containing deferred packets from the
274 * deferred to the pending queue.
276 qrx_requeue_deferred(qrx);
280 int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level)
282 if (enc_level >= QUIC_ENC_LEVEL_NUM)
285 ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level);
289 /* Returns 1 if there are one or more pending RXEs. */
290 int ossl_qrx_processed_read_pending(OSSL_QRX *qrx)
292 return !ossl_list_rxe_is_empty(&qrx->rx_pending);
295 /* Returns 1 if there are yet-unprocessed packets. */
296 int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx)
298 return !ossl_list_urxe_is_empty(&qrx->urx_pending)
299 || !ossl_list_urxe_is_empty(&qrx->urx_deferred);
302 /* Pop the next pending RXE. Returns NULL if no RXE is pending. */
303 static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx)
305 RXE *rxe = ossl_list_rxe_head(&qrx->rx_pending);
310 ossl_list_rxe_remove(&qrx->rx_pending, rxe);
314 /* Allocate a new RXE. */
315 static RXE *qrx_alloc_rxe(size_t alloc_len)
319 if (alloc_len >= SIZE_MAX - sizeof(RXE))
322 rxe = OPENSSL_malloc(sizeof(RXE) + alloc_len);
326 ossl_list_rxe_init_elem(rxe);
327 rxe->alloc_len = alloc_len;
333 * Ensures there is at least one RXE in the RX free list, allocating a new entry
334 * if necessary. The returned RXE is in the RX free list; it is not popped.
336 * alloc_len is a hint which may be used to determine the RXE size if allocation
337 * is necessary. Returns NULL on allocation failure.
339 static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len)
343 if (ossl_list_rxe_head(&qrx->rx_free) != NULL)
344 return ossl_list_rxe_head(&qrx->rx_free);
346 rxe = qrx_alloc_rxe(alloc_len);
350 ossl_list_rxe_insert_tail(&qrx->rx_free, rxe);
355 * Resize the data buffer attached to an RXE to be n bytes in size. The address
356 * of the RXE might change; the new address is returned, or NULL on failure, in
357 * which case the original RXE remains valid.
359 static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n)
363 /* Should never happen. */
367 if (n >= SIZE_MAX - sizeof(RXE))
370 /* Remove the item from the list to avoid accessing freed memory */
371 p = ossl_list_rxe_prev(rxe);
372 ossl_list_rxe_remove(rxl, rxe);
375 * NOTE: We do not clear old memory, although it does contain decrypted
378 rxe2 = OPENSSL_realloc(rxe, sizeof(RXE) + n);
379 if (rxe2 == NULL || rxe == rxe2) {
381 ossl_list_rxe_insert_head(rxl, rxe);
383 ossl_list_rxe_insert_after(rxl, p, rxe);
388 ossl_list_rxe_insert_head(rxl, rxe2);
390 ossl_list_rxe_insert_after(rxl, p, rxe2);
397 * Ensure the data buffer attached to an RXE is at least n bytes in size.
398 * Returns NULL on failure.
400 static RXE *qrx_reserve_rxe(RXE_LIST *rxl,
403 if (rxe->alloc_len >= n)
406 return qrx_resize_rxe(rxl, rxe, n);
409 /* Return a RXE handed out to the user back to our freelist. */
410 static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe)
412 /* RXE should not be in any list */
413 assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
414 ossl_list_rxe_insert_tail(&qrx->rx_free, rxe);
418 * Given a pointer to a pointer pointing to a buffer and the size of that
419 * buffer, copy the buffer into *prxe, expanding the RXE if necessary (its
420 * pointer may change due to realloc). *pi is the offset in bytes to copy the
421 * buffer to, and on success is updated to be the offset pointing after the
422 * copied buffer. *pptr is updated to point to the new location of the buffer.
424 static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi,
425 const unsigned char **pptr, size_t buf_len)
433 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL)
437 dst = (unsigned char *)rxe_data(rxe) + *pi;
439 memcpy(dst, *pptr, buf_len);
445 static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr)
448 case QUIC_PKT_TYPE_INITIAL:
449 return QUIC_ENC_LEVEL_INITIAL;
450 case QUIC_PKT_TYPE_HANDSHAKE:
451 return QUIC_ENC_LEVEL_HANDSHAKE;
452 case QUIC_PKT_TYPE_0RTT:
453 return QUIC_ENC_LEVEL_0RTT;
454 case QUIC_PKT_TYPE_1RTT:
455 return QUIC_ENC_LEVEL_1RTT;
459 case QUIC_PKT_TYPE_RETRY:
460 case QUIC_PKT_TYPE_VERSION_NEG:
461 return QUIC_ENC_LEVEL_INITIAL; /* not used */
465 static uint32_t rxe_determine_pn_space(RXE *rxe)
469 enc_level = qrx_determine_enc_level(&rxe->hdr);
470 return ossl_quic_enc_level_to_pn_space(enc_level);
473 static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe,
476 /* Ensure version is what we want. */
477 if (rxe->hdr.version != QUIC_VERSION_1
478 && rxe->hdr.version != QUIC_VERSION_NONE)
481 /* Clients should never receive 0-RTT packets. */
482 if (rxe->hdr.type == QUIC_PKT_TYPE_0RTT)
485 /* Version negotiation and retry packets must be the first packet. */
486 if (first_rxe != NULL && !ossl_quic_pkt_type_can_share_dgram(rxe->hdr.type))
490 * If this is not the first packet in a datagram, the destination connection
491 * ID must match the one in that packet.
493 if (first_rxe != NULL &&
494 !ossl_quic_conn_id_eq(&first_rxe->hdr.dst_conn_id,
495 &rxe->hdr.dst_conn_id))
501 /* Validate header and decode PN. */
502 static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe)
504 int pn_space = rxe_determine_pn_space(rxe);
506 if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len,
507 qrx->largest_pn[pn_space],
512 * Allow our user to decide whether to discard the packet before we try and
515 if (qrx->validation_cb != NULL
516 && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg))
522 /* Retrieves the correct cipher context for an EL and key phase. */
523 static size_t qrx_get_cipher_ctx_idx(OSSL_QRX *qrx, OSSL_QRL_ENC_LEVEL *el,
525 unsigned char key_phase_bit)
527 if (enc_level != QUIC_ENC_LEVEL_1RTT)
530 if (!ossl_assert(key_phase_bit <= 1))
534 * RFC 9001 requires that we not create timing channels which could reveal
535 * the decrypted value of the Key Phase bit. We usually handle this by
536 * keeping the cipher contexts for both the current and next key epochs
537 * around, so that we just select a cipher context blindly using the key
538 * phase bit, which is time-invariant.
540 * In the COOLDOWN state, we only have one keyslot/cipher context. RFC 9001
541 * suggests an implementation strategy to avoid creating a timing channel in
544 * Endpoints can use randomized packet protection keys in place of
545 * discarded keys when key updates are not yet permitted.
547 * Rather than use a randomised key, we simply use our existing key as it
548 * will fail AEAD verification anyway. This avoids the need to keep around a
549 * dedicated garbage key.
551 * Note: Accessing different cipher contexts is technically not
552 * timing-channel safe due to microarchitectural side channels, but this is
553 * the best we can reasonably do and appears to be directly suggested by the
556 return el->state == QRL_EL_STATE_PROV_COOLDOWN ? el->key_epoch & 1
561 * Tries to decrypt a packet payload.
563 * Returns 1 on success or 0 on failure (which is permanent). The payload is
564 * decrypted from src and written to dst. The buffer dst must be of at least
565 * src_len bytes in length. The actual length of the output in bytes is written
566 * to *dec_len on success, which will always be equal to or less than (usually
567 * less than) src_len.
569 static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
570 const unsigned char *src,
571 size_t src_len, size_t *dec_len,
572 const unsigned char *aad, size_t aad_len,
573 QUIC_PN pn, uint32_t enc_level,
574 unsigned char key_phase_bit)
577 unsigned char nonce[EVP_MAX_IV_LENGTH];
578 size_t nonce_len, i, cctx_idx;
579 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
581 EVP_CIPHER_CTX *cctx;
583 if (src_len > INT_MAX || aad_len > INT_MAX)
586 /* We should not have been called if we do not have key material. */
587 if (!ossl_assert(el != NULL))
590 if (el->tag_len >= src_len)
594 * If we have failed to authenticate a certain number of ciphertexts, refuse
595 * to decrypt any more ciphertexts.
597 if (qrx->forged_pkt_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id))
600 cctx_idx = qrx_get_cipher_ctx_idx(qrx, el, enc_level, key_phase_bit);
601 if (!ossl_assert(cctx_idx < OSSL_NELEM(el->cctx)))
604 cctx = el->cctx[cctx_idx];
606 /* Construct nonce (nonce=IV ^ PN). */
607 nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx);
608 if (!ossl_assert(nonce_len >= sizeof(QUIC_PN)))
611 memcpy(nonce, el->iv[cctx_idx], nonce_len);
612 for (i = 0; i < sizeof(QUIC_PN); ++i)
613 nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8));
615 /* type and key will already have been setup; feed the IV. */
616 if (EVP_CipherInit_ex(cctx, NULL,
617 NULL, NULL, nonce, /*enc=*/0) != 1)
620 /* Feed the AEAD tag we got so the cipher can validate it. */
621 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG,
623 (unsigned char *)src + src_len - el->tag_len) != 1)
627 if (EVP_CipherUpdate(cctx, NULL, &l, aad, aad_len) != 1)
630 /* Feed encrypted packet body. */
631 if (EVP_CipherUpdate(cctx, dst, &l, src, src_len - el->tag_len) != 1)
634 /* Ensure authentication succeeded. */
635 if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
636 /* Authentication failed, increment failed auth counter. */
637 ++qrx->forged_pkt_count;
645 static ossl_inline void ignore_res(int x)
650 static void qrx_key_update_initiated(OSSL_QRX *qrx)
652 if (!ossl_qrl_enc_level_set_key_update(&qrx->el_set, QUIC_ENC_LEVEL_1RTT))
655 if (qrx->key_update_cb != NULL)
656 qrx->key_update_cb(qrx->key_update_cb_arg);
659 /* Process a single packet in a datagram. */
660 static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
661 PACKET *pkt, size_t pkt_idx,
666 const unsigned char *eop = NULL;
667 size_t i, aad_len = 0, dec_len = 0;
668 PACKET orig_pkt = *pkt;
669 const unsigned char *sop = PACKET_data(pkt);
671 char need_second_decode = 0, already_processed = 0;
672 QUIC_PKT_HDR_PTRS ptrs;
673 uint32_t pn_space, enc_level;
674 OSSL_QRL_ENC_LEVEL *el = NULL;
677 * Get a free RXE. If we need to allocate a new one, use the packet length
678 * as a good ballpark figure.
680 rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt));
684 /* Have we already processed this packet? */
685 if (pkt_is_marked(&urxe->processed, pkt_idx))
686 already_processed = 1;
689 * Decode the header into the RXE structure. We first decrypt and read the
690 * unprotected part of the packet header (unless we already removed header
691 * protection, in which case we decode all of it).
693 need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx);
694 if (!ossl_quic_wire_decode_pkt_hdr(pkt,
695 qrx->short_conn_id_len,
696 need_second_decode, &rxe->hdr, &ptrs))
700 * Our successful decode above included an intelligible length and the
701 * PACKET is now pointing to the end of the QUIC packet.
703 eop = PACKET_data(pkt);
706 * Make a note of the first RXE so we can later ensure the destination
707 * connection IDs of all packets in a datagram match.
713 * Early header validation. Since we now know the packet length, we can also
714 * now skip over it if we already processed it.
716 if (already_processed
717 || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : *first_rxe))
719 * Already processed packets are handled identically to malformed
720 * packets; i.e., they are ignored.
724 if (!ossl_quic_pkt_type_is_encrypted(rxe->hdr.type)) {
726 * Version negotiation and retry packets are a special case. They do not
727 * contain a payload which needs decrypting and have no header
731 /* Just copy the payload from the URXE to the RXE. */
732 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL)
734 * Allocation failure. EOP will be pointing to the end of the
735 * datagram so processing of this datagram will end here.
739 /* We are now committed to returning the packet. */
740 memcpy(rxe_data(rxe), rxe->hdr.data, rxe->hdr.len);
741 pkt_mark(&urxe->processed, pkt_idx);
743 rxe->hdr.data = rxe_data(rxe);
744 rxe->pn = QUIC_PN_INVALID;
746 /* Move RXE to pending. */
747 ossl_list_rxe_remove(&qrx->rx_free, rxe);
748 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
749 return 0; /* success, did not defer */
752 /* Determine encryption level of packet. */
753 enc_level = qrx_determine_enc_level(&rxe->hdr);
755 /* If we do not have keying material for this encryption level yet, defer. */
756 switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) {
764 /* We already discarded keys for this EL, we will never process this.*/
769 * We will copy any token included in the packet to the start of our RXE
770 * data buffer (so that we don't reference the URXE buffer any more and can
771 * recycle it). Track our position in the RXE buffer by index instead of
772 * pointer as the pointer may change as reallocs occur.
777 * rxe->hdr.data is now pointing at the (encrypted) packet payload. rxe->hdr
778 * also has fields pointing into the PACKET buffer which will be going away
779 * soon (the URXE will be reused for another incoming packet).
781 * Firstly, relocate some of these fields into the RXE as needed.
783 * Relocate token buffer and fix pointer.
785 if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL
786 && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token,
790 /* Now remove header protection. */
793 el = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1);
794 assert(el != NULL); /* Already checked above */
796 if (need_second_decode) {
797 if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs))
801 * We have removed header protection, so don't attempt to do it again if
802 * the packet gets deferred and processed again.
804 pkt_mark(&urxe->hpr_removed, pkt_idx);
806 /* Decode the now unprotected header. */
807 if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len,
808 0, &rxe->hdr, NULL) != 1)
812 /* Validate header and decode PN. */
813 if (!qrx_validate_hdr(qrx, rxe))
817 * The AAD data is the entire (unprotected) packet header including the PN.
818 * The packet header has been unprotected in place, so we can just reuse the
819 * PACKET buffer. The header ends where the payload begins.
821 aad_len = rxe->hdr.data - sop;
823 /* Ensure the RXE buffer size is adequate for our payload. */
824 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) {
826 * Allocation failure, treat as malformed and do not bother processing
827 * any further packets in the datagram as they are likely to also
828 * encounter allocation failures.
835 * We decrypt the packet body to immediately after the token at the start of
836 * the RXE buffer (where present).
838 * Do the decryption from the PACKET (which points into URXE memory) to our
839 * RXE payload (single-copy decryption), then fixup the pointers in the
840 * header to point to our new buffer.
842 * If decryption fails this is considered a permanent error; we defer
843 * packets we don't yet have decryption keys for above, so if this fails,
844 * something has gone wrong with the handshake process or a packet has been
847 dst = (unsigned char *)rxe_data(rxe) + i;
848 if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len,
849 &dec_len, sop, aad_len, rxe->pn, enc_level,
854 * We automatically discard INITIAL keys when successfully decrypting a
857 if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
858 ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL);
861 * At this point, we have successfully authenticated the AEAD tag and no
862 * longer need to worry about exposing the Key Phase bit in timing channels.
863 * Check for a Key Phase bit differing from our expectation.
865 if (rxe->hdr.type == QUIC_PKT_TYPE_1RTT
866 && rxe->hdr.key_phase != (el->key_epoch & 1))
867 qrx_key_update_initiated(qrx);
870 * We have now successfully decrypted the packet payload. If there are
871 * additional packets in the datagram, it is possible we will fail to
872 * decrypt them and need to defer them until we have some key material we
873 * don't currently possess. If this happens, the URXE will be moved to the
874 * deferred queue. Since a URXE corresponds to one datagram, which may
875 * contain multiple packets, we must ensure any packets we have already
876 * processed in the URXE are not processed again (this is an RFC
877 * requirement). We do this by marking the nth packet in the datagram as
880 * We are now committed to returning this decrypted packet to the user,
881 * meaning we now consider the packet processed and must mark it
884 pkt_mark(&urxe->processed, pkt_idx);
887 * Update header to point to the decrypted buffer, which may be shorter
888 * due to AEAD tags, block padding, etc.
891 rxe->hdr.len = dec_len;
892 rxe->data_len = dec_len;
893 rxe->datagram_len = datagram_len;
895 /* We processed the PN successfully, so update largest processed PN. */
896 pn_space = rxe_determine_pn_space(rxe);
897 if (rxe->pn > qrx->largest_pn[pn_space])
898 qrx->largest_pn[pn_space] = rxe->pn;
900 /* Copy across network addresses and RX time from URXE to RXE. */
901 rxe->peer = urxe->peer;
902 rxe->local = urxe->local;
903 rxe->time = urxe->time;
905 /* Move RXE to pending. */
906 ossl_list_rxe_remove(&qrx->rx_free, rxe);
907 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
908 return 0; /* success, did not defer; not distinguished from failure */
912 * We cannot process this packet right now (but might be able to later). We
913 * MUST attempt to process any other packets in the datagram, so defer it
916 assert(eop != NULL && eop >= PACKET_data(pkt));
918 * We don't care if this fails as it will just result in the packet being at
919 * the end of the datagram buffer.
921 ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt)));
922 return 1; /* deferred */
927 * This packet cannot be processed and will never be processable. We
928 * were at least able to decode its header and determine its length, so
929 * we can skip over it and try to process any subsequent packets in the
932 * Mark as processed as an optimization.
934 assert(eop >= PACKET_data(pkt));
935 pkt_mark(&urxe->processed, pkt_idx);
936 /* We don't care if this fails (see above) */
937 ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt)));
940 * This packet cannot be processed and will never be processable.
941 * Because even its header is not intelligible, we cannot examine any
942 * further packets in the datagram because its length cannot be
945 * Advance over the entire remainder of the datagram, and mark it as
946 * processed gap as an optimization.
948 pkt_mark(&urxe->processed, pkt_idx);
949 /* We don't care if this fails (see above) */
950 ignore_res(PACKET_forward(pkt, PACKET_remaining(pkt)));
952 return 0; /* failure, did not defer; not distinguished from success */
955 /* Process a datagram which was received. */
956 static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e,
957 const unsigned char *data,
960 int have_deferred = 0;
963 RXE *first_rxe = NULL;
965 qrx->bytes_received += data_len;
967 if (!PACKET_buf_init(&pkt, data, data_len))
970 for (; PACKET_remaining(&pkt) > 0; ++pkt_idx) {
972 * A packet smallest than the minimum possible QUIC packet size is not
973 * considered valid. We also ignore more than a certain number of
974 * packets within the same datagram.
976 if (PACKET_remaining(&pkt) < QUIC_MIN_VALID_PKT_LEN
977 || pkt_idx >= QUIC_MAX_PKT_PER_URXE)
981 * We note whether packet processing resulted in a deferral since
982 * this means we need to move the URXE to the deferred list rather
983 * than the free list after we're finished dealing with it for now.
985 * However, we don't otherwise care here whether processing succeeded or
986 * failed, as the RFC says even if a packet in a datagram is malformed,
987 * we should still try to process any packets following it.
989 * In the case where the packet is so malformed we can't determine its
990 * length, qrx_process_pkt will take care of advancing to the end of
991 * the packet, so we will exit the loop automatically in this case.
993 if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_rxe, data_len))
997 /* Only report whether there were any deferrals. */
998 return have_deferred;
1001 /* Process a single pending URXE. */
1002 static int qrx_process_one_urxe(OSSL_QRX *qrx, QUIC_URXE *e)
1006 /* The next URXE we process should be at the head of the pending list. */
1007 if (!ossl_assert(e == ossl_list_urxe_head(&qrx->urx_pending)))
1011 * Attempt to process the datagram. The return value indicates only if
1012 * processing of the datagram was deferred. If we failed to process the
1013 * datagram, we do not attempt to process it again and silently eat the
1016 was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e),
1020 * Remove the URXE from the pending list and return it to
1021 * either the free or deferred list.
1023 ossl_list_urxe_remove(&qrx->urx_pending, e);
1024 if (was_deferred > 0 &&
1025 (e->deferred || qrx->num_deferred < qrx->max_deferred)) {
1026 ossl_list_urxe_insert_tail(&qrx->urx_deferred, e);
1029 ++qrx->num_deferred;
1034 --qrx->num_deferred;
1036 ossl_quic_demux_release_urxe(qrx->demux, e);
1042 /* Process any pending URXEs to generate pending RXEs. */
1043 static int qrx_process_pending_urxl(OSSL_QRX *qrx)
1047 while ((e = ossl_list_urxe_head(&qrx->urx_pending)) != NULL)
1048 if (!qrx_process_one_urxe(qrx, e))
1054 int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
1058 if (!ossl_qrx_processed_read_pending(qrx)) {
1059 if (!qrx_process_pending_urxl(qrx))
1062 if (!ossl_qrx_processed_read_pending(qrx))
1066 rxe = qrx_pop_pending_rxe(qrx);
1067 if (!ossl_assert(rxe != NULL))
1071 pkt->hdr = &rxe->hdr;
1073 pkt->time = rxe->time;
1075 = BIO_ADDR_family(&rxe->peer) != AF_UNSPEC ? &rxe->peer : NULL;
1077 = BIO_ADDR_family(&rxe->local) != AF_UNSPEC ? &rxe->local : NULL;
1081 void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle)
1083 if (handle != NULL) {
1086 qrx_recycle_rxe(qrx, rxe);
1090 uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear)
1092 uint64_t v = qrx->bytes_received;
1095 qrx->bytes_received = 0;
1100 int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx,
1101 ossl_qrx_early_validation_cb *cb,
1104 qrx->validation_cb = cb;
1105 qrx->validation_cb_arg = cb_arg;
1109 int ossl_qrx_set_key_update_cb(OSSL_QRX *qrx,
1110 ossl_qrx_key_update_cb *cb,
1113 qrx->key_update_cb = cb;
1114 qrx->key_update_cb_arg = cb_arg;
1118 uint64_t ossl_qrx_get_key_epoch(OSSL_QRX *qrx)
1120 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1121 QUIC_ENC_LEVEL_1RTT, 1);
1123 return el == NULL ? UINT64_MAX : el->key_epoch;
1126 int ossl_qrx_key_update_timeout(OSSL_QRX *qrx, int normal)
1128 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1129 QUIC_ENC_LEVEL_1RTT, 1);
1134 if (el->state == QRL_EL_STATE_PROV_UPDATING
1135 && !ossl_qrl_enc_level_set_key_update_done(&qrx->el_set,
1136 QUIC_ENC_LEVEL_1RTT))
1139 if (normal && el->state == QRL_EL_STATE_PROV_COOLDOWN
1140 && !ossl_qrl_enc_level_set_key_cooldown_done(&qrx->el_set,
1141 QUIC_ENC_LEVEL_1RTT))
1147 uint64_t ossl_qrx_get_cur_forged_pkt_count(OSSL_QRX *qrx)
1149 return qrx->forged_pkt_count;
1152 uint64_t ossl_qrx_get_max_forged_pkt_count(OSSL_QRX *qrx,
1155 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1158 return el == NULL ? UINT64_MAX
1159 : ossl_qrl_get_suite_max_forged_pkt(el->suite_id);