2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
14 #define QUIC_TLS_FATAL(rl, ad, err) \
17 ERR_raise(ERR_LIB_SSL, (err)); \
18 (rl)->qtls->inerror = 1; \
25 * Transport parameters which client should send. Buffer lifetime must
26 * exceed the lifetime of the QUIC_TLS object.
28 const unsigned char *local_transport_params;
29 size_t local_transport_params_len;
31 /* Whether our SSL object for TLS has been configured for use in QUIC */
32 unsigned int configured : 1;
34 /* Set if we have hit any error state */
35 unsigned int inerror : 1;
37 /* Set if the handshake has completed */
38 unsigned int complete : 1;
41 struct ossl_record_layer_st {
43 /* Only used for retry flags */
46 /* Number of bytes written so far if we are part way through a write */
49 /* If we are part way through a write, a copy of the template */
50 OSSL_RECORD_TEMPLATE template;
53 * Temp buffer for storing received data (copied from the stream receive
56 unsigned char recbuf[SSL3_RT_MAX_PLAIN_LENGTH];
59 * If we hit an error, what alert code should be used
63 /* Set if recbuf is populated with data */
64 unsigned int recread : 1;
68 quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
69 int role, int direction, int level, uint16_t epoch,
70 unsigned char *secret, size_t secretlen,
71 unsigned char *key, size_t keylen, unsigned char *iv,
72 size_t ivlen, unsigned char *mackey, size_t mackeylen,
73 const EVP_CIPHER *ciph, size_t taglen,
75 const EVP_MD *md, COMP_METHOD *comp,
76 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
77 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
78 const OSSL_PARAM *settings, const OSSL_PARAM *options,
79 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
80 OSSL_RECORD_LAYER **retrl)
82 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
85 uint32_t suite_id = 0;
88 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
92 rl->qtls = (QUIC_TLS *)rlarg;
93 rl->dummybio = transport;
97 case OSSL_RECORD_PROTECTION_LEVEL_NONE:
100 case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
101 enc_level = QUIC_ENC_LEVEL_0RTT;
104 case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
105 enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
108 case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
109 enc_level = QUIC_ENC_LEVEL_1RTT;
113 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
117 if (direction == OSSL_RECORD_DIRECTION_READ)
122 if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
123 suite_id = QRL_SUITE_AES128GCM;
124 } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
125 suite_id = QRL_SUITE_AES256GCM;
126 } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
127 suite_id = QRL_SUITE_CHACHA20POLY1305;
129 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
133 /* We pass a ref to the md in a successful yield_secret_cb call */
134 /* TODO(QUIC): This cast is horrible. We should try and remove it */
135 if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
136 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
140 if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
141 (EVP_MD *)kdfdigest, secret, secretlen,
142 rl->qtls->args.yield_secret_cb_arg)) {
143 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
144 EVP_MD_free((EVP_MD *)kdfdigest);
155 static int quic_free(OSSL_RECORD_LAYER *rl)
164 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
167 * Read ahead isn't really a thing for QUIC so we never have unprocessed
173 static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
176 * This is currently only ever used by:
177 * - SSL_has_pending()
178 * - to check whether we have more records that we want to supply to the
181 * We only ever supply 1 record at a time to the upper layers, and
182 * SSL_has_pending() will go via the QUIC method not the TLS method so that
183 * use case doesn't apply here.
184 * Therefore we can ignore this for now and always return 0. We might
185 * eventually want to change this to check in the receive buffers to see if
186 * we have any more data pending.
191 static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
192 size_t maxfrag, size_t *preffrag)
197 static int quic_write_records(OSSL_RECORD_LAYER *rl,
198 OSSL_RECORD_TEMPLATE *template,
204 if (!ossl_assert(numtempl == 1)) {
205 /* How could this be? quic_get_max_records() always returns 1 */
206 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
207 return OSSL_RECORD_RETURN_FATAL;
210 BIO_clear_retry_flags(rl->dummybio);
212 switch (template->type) {
214 if (template->buflen != 2) {
216 * We assume that libssl always sends both bytes of an alert to
217 * us in one go, and never fragments it. If we ever get more
218 * or less bytes than exactly 2 then this is very unexpected.
220 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
221 return OSSL_RECORD_RETURN_FATAL;
224 * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
225 * description that we are actually interested in.
227 alert = template->buf[1];
229 if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
230 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
231 return OSSL_RECORD_RETURN_FATAL;
235 case SSL3_RT_HANDSHAKE:
237 * We expect this to only fail on some fatal error (e.g. malloc
240 if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
241 template->buflen - rl->written,
243 rl->qtls->args.crypto_send_cb_arg)) {
244 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
245 return OSSL_RECORD_RETURN_FATAL;
248 * We might have written less than we wanted to if we have filled the
249 * send stream buffer.
251 if (consumed + rl->written != template->buflen) {
252 if (!ossl_assert(consumed + rl->written < template->buflen)) {
253 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
254 return OSSL_RECORD_RETURN_FATAL;
258 * We've not written everything we wanted to. Take a copy of the
259 * template, remember how much we wrote so far and signal a retry.
260 * The buffer supplied in the template is guaranteed to be the same
261 * on a retry for handshake data
263 rl->written += consumed;
264 rl->template = *template;
265 BIO_set_retry_write(rl->dummybio);
267 return OSSL_RECORD_RETURN_RETRY;
273 /* Anything else is unexpected and an error */
274 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
275 return OSSL_RECORD_RETURN_FATAL;
278 return OSSL_RECORD_RETURN_SUCCESS;
281 static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
283 return quic_write_records(rl, &rl->template, 1);
286 static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
287 int *rversion, int *type, unsigned char **data,
288 size_t *datalen, uint16_t *epoch,
289 unsigned char *seq_num)
291 if (rl->recread != 0)
292 return OSSL_RECORD_RETURN_FATAL;
294 BIO_clear_retry_flags(rl->dummybio);
297 * TODO(QUIC): There seems to be an unnecessary copy here. It would be
298 * better to send back a ref direct to the underlying buffer
300 if (!rl->qtls->args.crypto_recv_cb(rl->recbuf, sizeof(rl->recbuf), datalen,
301 rl->qtls->args.crypto_recv_cb_arg)) {
302 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
303 return OSSL_RECORD_RETURN_FATAL;
307 BIO_set_retry_read(rl->dummybio);
308 return OSSL_RECORD_RETURN_RETRY;
312 *rversion = TLS1_3_VERSION;
313 *type = SSL3_RT_HANDSHAKE;
316 /* epoch/seq_num are not relevant for TLS */
318 return OSSL_RECORD_RETURN_SUCCESS;
321 static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
323 if (!ossl_assert(rl->recread == 1) || !ossl_assert(rl == rechandle)) {
324 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
332 static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
337 static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
339 /* We only support TLSv1.3, so its bad if we negotiate anything else */
340 if (!ossl_assert(version == TLS1_3_VERSION)) {
341 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
348 static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
353 static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
358 static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
363 static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
364 const char **longstr)
367 * According to the docs, valid read state strings are: "RH"/"read header",
368 * "RB"/"read body", "RD"/"read done" and "unknown"/"unknown". We don't
369 * read records in quite that way, so we report every "normal" state as
370 * "read done". In the event of error then we report "unknown".
373 if (rl->qtls->inerror) {
374 if (shortstr != NULL)
375 *shortstr = "unknown";
377 *longstr = "unknown";
379 if (shortstr != NULL)
382 *longstr = "read done";
386 static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
389 * We don't support any options yet - but we might do at some point so
390 * this could be useful.
395 static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
397 /* We only support TLSv1.3 which doesn't have compression */
401 static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
403 /* This really doesn't make any sense for QUIC. Ignore it */
406 static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
409 * This is a hint only. We don't support it (yet), so just ignore the
415 static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
418 * This is a hint only. We don't support it (yet), so just ignore the
424 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
427 * Can be called to set the buffering BIO - which is then never used by us.
434 * Never called functions
436 * Due to the way we are configured and used we never expect any of the next set
437 * of functions to be called. Therefore we set them to always fail.
440 static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
442 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
443 return (size_t)ossl_assert(0);
446 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
448 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
449 return (size_t)ossl_assert(0);
452 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
454 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
455 return ossl_assert(0);
458 /* End of never called functions */
460 static const OSSL_RECORD_METHOD quic_tls_record_method = {
461 quic_new_record_layer,
463 quic_unprocessed_read_pending,
464 quic_processed_read_pending,
465 quic_app_data_pending, /* Never called */
466 quic_get_max_records,
468 quic_retry_write_records,
473 quic_set_protocol_version,
474 quic_set_plain_alerts,
475 quic_set_first_handshake,
476 quic_set_max_pipelines,
477 NULL, /* set_in_init: Optional - we don't need it */
480 quic_get_compression,
481 quic_set_max_frag_len,
482 quic_get_max_record_overhead, /* Never called */
483 quic_increment_sequence_ctr, /* Never called */
488 static int add_transport_params_cb(SSL *s, unsigned int ext_type,
489 unsigned int context,
490 const unsigned char **out, size_t *outlen,
491 X509 *x, size_t chainidx, int *al,
494 QUIC_TLS *qtls = add_arg;
496 *out = qtls->local_transport_params;
497 *outlen = qtls->local_transport_params_len;
501 static void free_transport_params_cb(SSL *s, unsigned int ext_type,
502 unsigned int context,
503 const unsigned char *out,
508 static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
509 unsigned int context,
510 const unsigned char *in,
511 size_t inlen, X509 *x,
513 int *al, void *parse_arg)
515 QUIC_TLS *qtls = parse_arg;
517 return qtls->args.got_transport_params_cb(in, inlen,
518 qtls->args.got_transport_params_cb_arg);
521 QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
525 if (args->crypto_send_cb == NULL
526 || args->crypto_recv_cb == NULL) {
527 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
531 qtls = OPENSSL_zalloc(sizeof(*qtls));
539 void ossl_quic_tls_free(QUIC_TLS *qtls)
544 int ossl_quic_tls_tick(QUIC_TLS *qtls)
547 const unsigned char *alpn;
548 unsigned int alpnlen;
551 * TODO(QUIC): There are various calls here that could fail and ordinarily
552 * would result in an ERR_raise call - but "tick" calls aren't supposed to
553 * fail "loudly" - so its unclear how we will report these errors. The
554 * ERR_raise calls are omitted from this function for now.
563 if (!qtls->configured) {
564 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
568 * No matter how the user has configured us, there are certain
569 * requirements for QUIC-TLS that we enforce
572 /* ALPN is a requirement for QUIC and must be set */
573 if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0) {
577 if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION)) {
581 SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
582 ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
584 if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
586 TLSEXT_TYPE_quic_transport_parameters,
588 | SSL_EXT_CLIENT_HELLO
589 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
590 add_transport_params_cb,
591 free_transport_params_cb, qtls,
592 parse_transport_params_cb, qtls)) {
597 nullbio = BIO_new(BIO_s_null());
598 if (nullbio == NULL) {
604 * Our custom record layer doesn't use the BIO - but libssl generally
605 * expects one to be present.
607 SSL_set_bio(qtls->args.s, nullbio, nullbio);
609 qtls->configured = 1;
611 ret = SSL_connect(qtls->args.s);
613 switch (SSL_get_error(qtls->args.s, ret)) {
614 case SSL_ERROR_WANT_READ:
615 case SSL_ERROR_WANT_WRITE:
623 /* Validate that we have ALPN */
624 SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
625 if (alpn == NULL || alpnlen == 0) {
630 return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
633 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
634 const unsigned char *transport_params,
635 size_t transport_params_len)
637 if (!ossl_assert(!qtls->args.is_server)) {
638 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
643 qtls->local_transport_params = transport_params;
644 qtls->local_transport_params_len = transport_params_len;