2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
14 #define QUIC_TLS_FATAL(rl, ad, err) \
17 ERR_raise(ERR_LIB_SSL, (err)); \
18 (rl)->qtls->inerror = 1; \
25 * Transport parameters which client should send. Buffer lifetime must
26 * exceed the lifetime of the QUIC_TLS object.
28 const unsigned char *local_transport_params;
29 size_t local_transport_params_len;
31 /* Whether our SSL object for TLS has been configured for use in QUIC */
32 unsigned int configured : 1;
34 /* Set if we have hit any error state */
35 unsigned int inerror : 1;
37 /* Set if the handshake has completed */
38 unsigned int complete : 1;
41 struct ossl_record_layer_st {
44 /* Protection level */
47 /* Only used for retry flags */
50 /* Number of bytes written so far if we are part way through a write */
53 /* If we are part way through a write, a copy of the template */
54 OSSL_RECORD_TEMPLATE template;
57 * Temp buffer for storing received data (copied from the stream receive
60 unsigned char recbuf[SSL3_RT_MAX_PLAIN_LENGTH];
63 * If we hit an error, what alert code should be used
67 /* Set if recbuf is populated with data */
68 unsigned int recread : 1;
71 OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
76 quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
77 int role, int direction, int level, uint16_t epoch,
78 unsigned char *secret, size_t secretlen,
79 unsigned char *key, size_t keylen, unsigned char *iv,
80 size_t ivlen, unsigned char *mackey, size_t mackeylen,
81 const EVP_CIPHER *ciph, size_t taglen,
83 const EVP_MD *md, COMP_METHOD *comp,
84 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
85 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
86 const OSSL_PARAM *settings, const OSSL_PARAM *options,
87 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
88 OSSL_RECORD_LAYER **retrl)
90 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
93 uint32_t suite_id = 0;
96 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
100 rl->qtls = (QUIC_TLS *)rlarg;
102 rl->dummybio = transport;
107 for (; fns->function_id != 0; fns++) {
108 switch (fns->function_id) {
110 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
111 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
114 /* Just ignore anything we don't understand */
121 case OSSL_RECORD_PROTECTION_LEVEL_NONE:
124 case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
125 enc_level = QUIC_ENC_LEVEL_0RTT;
128 case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
129 enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
132 case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
133 enc_level = QUIC_ENC_LEVEL_1RTT;
137 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
141 if (direction == OSSL_RECORD_DIRECTION_READ)
146 if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
147 suite_id = QRL_SUITE_AES128GCM;
148 } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
149 suite_id = QRL_SUITE_AES256GCM;
150 } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
151 suite_id = QRL_SUITE_CHACHA20POLY1305;
153 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
157 /* We pass a ref to the md in a successful yield_secret_cb call */
158 /* TODO(QUIC): This cast is horrible. We should try and remove it */
159 if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
160 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
164 if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
165 (EVP_MD *)kdfdigest, secret, secretlen,
166 rl->qtls->args.yield_secret_cb_arg)) {
167 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
168 EVP_MD_free((EVP_MD *)kdfdigest);
179 static int quic_free(OSSL_RECORD_LAYER *rl)
188 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
191 * Read ahead isn't really a thing for QUIC so we never have unprocessed
197 static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
200 * This is currently only ever used by:
201 * - SSL_has_pending()
202 * - to check whether we have more records that we want to supply to the
205 * We only ever supply 1 record at a time to the upper layers, and
206 * SSL_has_pending() will go via the QUIC method not the TLS method so that
207 * use case doesn't apply here.
208 * Therefore we can ignore this for now and always return 0. We might
209 * eventually want to change this to check in the receive buffers to see if
210 * we have any more data pending.
215 static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
216 size_t maxfrag, size_t *preffrag)
221 static int quic_write_records(OSSL_RECORD_LAYER *rl,
222 OSSL_RECORD_TEMPLATE *template,
228 if (!ossl_assert(numtempl == 1)) {
229 /* How could this be? quic_get_max_records() always returns 1 */
230 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
231 return OSSL_RECORD_RETURN_FATAL;
234 BIO_clear_retry_flags(rl->dummybio);
236 if (rl->msg_callback != NULL) {
237 unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
240 * For the purposes of the callback we "pretend" to be normal TLS,
241 * and manufacture a dummy record header
243 dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
245 : SSL3_RT_APPLICATION_DATA;
246 dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
247 dummyrec[2] = (unsigned char)(template->version & 0xff);
249 * We assume that buflen is always <= UINT16_MAX. Since this is
250 * generated by libssl itself we actually expect it to never
251 * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
254 dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
255 dummyrec[4] = (unsigned char)(template->buflen & 0xff);
257 rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
258 SSL3_RT_HEADER_LENGTH, rl->cbarg);
260 if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
261 rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
262 &template->type, 1, rl->cbarg);
266 switch (template->type) {
268 if (template->buflen != 2) {
270 * We assume that libssl always sends both bytes of an alert to
271 * us in one go, and never fragments it. If we ever get more
272 * or less bytes than exactly 2 then this is very unexpected.
274 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
275 return OSSL_RECORD_RETURN_FATAL;
278 * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
279 * description that we are actually interested in.
281 alert = template->buf[1];
283 if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
284 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
285 return OSSL_RECORD_RETURN_FATAL;
289 case SSL3_RT_HANDSHAKE:
291 * We expect this to only fail on some fatal error (e.g. malloc
294 if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
295 template->buflen - rl->written,
297 rl->qtls->args.crypto_send_cb_arg)) {
298 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
299 return OSSL_RECORD_RETURN_FATAL;
302 * We might have written less than we wanted to if we have filled the
303 * send stream buffer.
305 if (consumed + rl->written != template->buflen) {
306 if (!ossl_assert(consumed + rl->written < template->buflen)) {
307 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
308 return OSSL_RECORD_RETURN_FATAL;
312 * We've not written everything we wanted to. Take a copy of the
313 * template, remember how much we wrote so far and signal a retry.
314 * The buffer supplied in the template is guaranteed to be the same
315 * on a retry for handshake data
317 rl->written += consumed;
318 rl->template = *template;
319 BIO_set_retry_write(rl->dummybio);
321 return OSSL_RECORD_RETURN_RETRY;
327 /* Anything else is unexpected and an error */
328 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
329 return OSSL_RECORD_RETURN_FATAL;
332 return OSSL_RECORD_RETURN_SUCCESS;
335 static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
337 return quic_write_records(rl, &rl->template, 1);
340 static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
341 int *rversion, int *type, unsigned char **data,
342 size_t *datalen, uint16_t *epoch,
343 unsigned char *seq_num)
345 if (rl->recread != 0)
346 return OSSL_RECORD_RETURN_FATAL;
348 BIO_clear_retry_flags(rl->dummybio);
351 * TODO(QUIC): There seems to be an unnecessary copy here. It would be
352 * better to send back a ref direct to the underlying buffer
354 if (!rl->qtls->args.crypto_recv_cb(rl->recbuf, sizeof(rl->recbuf), datalen,
355 rl->qtls->args.crypto_recv_cb_arg)) {
356 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
357 return OSSL_RECORD_RETURN_FATAL;
361 BIO_set_retry_read(rl->dummybio);
362 return OSSL_RECORD_RETURN_RETRY;
366 *rversion = TLS1_3_VERSION;
367 *type = SSL3_RT_HANDSHAKE;
370 /* epoch/seq_num are not relevant for TLS */
372 if (rl->msg_callback != NULL) {
373 unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
376 * For the purposes of the callback we "pretend" to be normal TLS,
377 * and manufacture a dummy record header
379 dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
381 : SSL3_RT_APPLICATION_DATA;
382 dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
383 dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
385 * *datalen will always fit into 2 bytes because our original buffer
386 * size is less than that.
388 dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
389 dummyrec[4] = (unsigned char)(*datalen & 0xff);
391 rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
392 SSL3_RT_HEADER_LENGTH, rl->cbarg);
393 rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
397 return OSSL_RECORD_RETURN_SUCCESS;
400 static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle)
402 if (!ossl_assert(rl->recread == 1) || !ossl_assert(rl == rechandle)) {
403 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
411 static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
416 static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
418 /* We only support TLSv1.3, so its bad if we negotiate anything else */
419 if (!ossl_assert(version == TLS1_3_VERSION)) {
420 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
427 static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
432 static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
437 static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
442 static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
443 const char **longstr)
446 * According to the docs, valid read state strings are: "RH"/"read header",
447 * "RB"/"read body", "RD"/"read done" and "unknown"/"unknown". We don't
448 * read records in quite that way, so we report every "normal" state as
449 * "read done". In the event of error then we report "unknown".
452 if (rl->qtls->inerror) {
453 if (shortstr != NULL)
454 *shortstr = "unknown";
456 *longstr = "unknown";
458 if (shortstr != NULL)
461 *longstr = "read done";
465 static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
468 * We don't support any options yet - but we might do at some point so
469 * this could be useful.
474 static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
476 /* We only support TLSv1.3 which doesn't have compression */
480 static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
482 /* This really doesn't make any sense for QUIC. Ignore it */
485 static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
488 * This is a hint only. We don't support it (yet), so just ignore the
494 static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
497 * This is a hint only. We don't support it (yet), so just ignore the
503 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
506 * Can be called to set the buffering BIO - which is then never used by us.
513 * Never called functions
515 * Due to the way we are configured and used we never expect any of the next set
516 * of functions to be called. Therefore we set them to always fail.
519 static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
521 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
522 return (size_t)ossl_assert(0);
525 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
527 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
528 return (size_t)ossl_assert(0);
531 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
533 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
534 return ossl_assert(0);
537 /* End of never called functions */
539 static const OSSL_RECORD_METHOD quic_tls_record_method = {
540 quic_new_record_layer,
542 quic_unprocessed_read_pending,
543 quic_processed_read_pending,
544 quic_app_data_pending, /* Never called */
545 quic_get_max_records,
547 quic_retry_write_records,
552 quic_set_protocol_version,
553 quic_set_plain_alerts,
554 quic_set_first_handshake,
555 quic_set_max_pipelines,
556 NULL, /* set_in_init: Optional - we don't need it */
559 quic_get_compression,
560 quic_set_max_frag_len,
561 quic_get_max_record_overhead, /* Never called */
562 quic_increment_sequence_ctr, /* Never called */
567 static int add_transport_params_cb(SSL *s, unsigned int ext_type,
568 unsigned int context,
569 const unsigned char **out, size_t *outlen,
570 X509 *x, size_t chainidx, int *al,
573 QUIC_TLS *qtls = add_arg;
575 *out = qtls->local_transport_params;
576 *outlen = qtls->local_transport_params_len;
580 static void free_transport_params_cb(SSL *s, unsigned int ext_type,
581 unsigned int context,
582 const unsigned char *out,
587 static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
588 unsigned int context,
589 const unsigned char *in,
590 size_t inlen, X509 *x,
592 int *al, void *parse_arg)
594 QUIC_TLS *qtls = parse_arg;
596 return qtls->args.got_transport_params_cb(in, inlen,
597 qtls->args.got_transport_params_cb_arg);
600 QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
604 if (args->crypto_send_cb == NULL
605 || args->crypto_recv_cb == NULL) {
606 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
610 qtls = OPENSSL_zalloc(sizeof(*qtls));
618 void ossl_quic_tls_free(QUIC_TLS *qtls)
623 int ossl_quic_tls_tick(QUIC_TLS *qtls)
626 const unsigned char *alpn;
627 unsigned int alpnlen;
630 * TODO(QUIC): There are various calls here that could fail and ordinarily
631 * would result in an ERR_raise call - but "tick" calls aren't supposed to
632 * fail "loudly" - so its unclear how we will report these errors. The
633 * ERR_raise calls are omitted from this function for now.
642 if (!qtls->configured) {
643 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
647 * No matter how the user has configured us, there are certain
648 * requirements for QUIC-TLS that we enforce
651 /* ALPN is a requirement for QUIC and must be set */
652 if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0) {
656 if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION)) {
660 SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
661 ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
663 if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
665 TLSEXT_TYPE_quic_transport_parameters,
667 | SSL_EXT_CLIENT_HELLO
668 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
669 add_transport_params_cb,
670 free_transport_params_cb, qtls,
671 parse_transport_params_cb, qtls)) {
676 nullbio = BIO_new(BIO_s_null());
677 if (nullbio == NULL) {
683 * Our custom record layer doesn't use the BIO - but libssl generally
684 * expects one to be present.
686 SSL_set_bio(qtls->args.s, nullbio, nullbio);
688 qtls->configured = 1;
690 ret = SSL_connect(qtls->args.s);
692 switch (SSL_get_error(qtls->args.s, ret)) {
693 case SSL_ERROR_WANT_READ:
694 case SSL_ERROR_WANT_WRITE:
702 /* Validate that we have ALPN */
703 SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
704 if (alpn == NULL || alpnlen == 0) {
709 return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
712 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
713 const unsigned char *transport_params,
714 size_t transport_params_len)
716 if (!ossl_assert(!qtls->args.is_server)) {
717 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
722 qtls->local_transport_params = transport_params;
723 qtls->local_transport_params_len = transport_params_len;