xref: /freebsd/crypto/openssl/ssl/quic/quic_record_rx.c (revision e7be843b4a162e68651d3911f0357ed464915629)
1 /*
2  * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/ssl.h>
11 #include "internal/quic_record_rx.h"
12 #include "quic_record_shared.h"
13 #include "internal/common.h"
14 #include "internal/list.h"
15 #include "../ssl_local.h"
16 
17 /*
18  * Mark a packet in a bitfield.
19  *
20  * pkt_idx: index of packet within datagram.
21  */
pkt_mark(uint64_t * bitf,size_t pkt_idx)22 static ossl_inline void pkt_mark(uint64_t *bitf, size_t pkt_idx)
23 {
24     assert(pkt_idx < QUIC_MAX_PKT_PER_URXE);
25     *bitf |= ((uint64_t)1) << pkt_idx;
26 }
27 
28 /* Returns 1 if a packet is in the bitfield. */
pkt_is_marked(const uint64_t * bitf,size_t pkt_idx)29 static ossl_inline int pkt_is_marked(const uint64_t *bitf, size_t pkt_idx)
30 {
31     assert(pkt_idx < QUIC_MAX_PKT_PER_URXE);
32     return (*bitf & (((uint64_t)1) << pkt_idx)) != 0;
33 }
34 
35 /*
36  * RXE
37  * ===
38  *
39  * RX Entries (RXEs) store processed (i.e., decrypted) data received from the
40  * network. One RXE is used per received QUIC packet.
41  */
42 typedef struct rxe_st RXE;
43 
44 struct rxe_st {
45     OSSL_QRX_PKT        pkt;
46     OSSL_LIST_MEMBER(rxe, RXE);
47     size_t              data_len, alloc_len, refcount;
48 
49     /* Extra fields for per-packet information. */
50     QUIC_PKT_HDR        hdr; /* data/len are decrypted payload */
51 
52     /* Decoded packet number. */
53     QUIC_PN             pn;
54 
55     /* Addresses copied from URXE. */
56     BIO_ADDR            peer, local;
57 
58     /* Time we received the packet (not when we processed it). */
59     OSSL_TIME           time;
60 
61     /* Total length of the datagram which contained this packet. */
62     size_t              datagram_len;
63 
64     /*
65      * The key epoch the packet was received with. Always 0 for non-1-RTT
66      * packets.
67      */
68     uint64_t            key_epoch;
69 
70     /*
71      * Monotonically increases with each datagram received.
72      * For diagnostic use only.
73      */
74     uint64_t            datagram_id;
75 
76     /*
77      * alloc_len allocated bytes (of which data_len bytes are valid) follow this
78      * structure.
79      */
80 };
81 
82 DEFINE_LIST_OF(rxe, RXE);
83 typedef OSSL_LIST(rxe) RXE_LIST;
84 
rxe_data(const RXE * e)85 static ossl_inline unsigned char *rxe_data(const RXE *e)
86 {
87     return (unsigned char *)(e + 1);
88 }
89 
90 /*
91  * QRL
92  * ===
93  */
94 struct ossl_qrx_st {
95     OSSL_LIB_CTX               *libctx;
96     const char                 *propq;
97 
98     /* Demux to receive datagrams from. */
99     QUIC_DEMUX                 *demux;
100 
101     /* Length of connection IDs used in short-header packets in bytes. */
102     size_t                      short_conn_id_len;
103 
104     /* Maximum number of deferred datagrams buffered at any one time. */
105     size_t                      max_deferred;
106 
107     /* Current count of deferred datagrams. */
108     size_t                      num_deferred;
109 
110     /*
111      * List of URXEs which are filled with received encrypted data.
112      * These are returned to the DEMUX's free list as they are processed.
113      */
114     QUIC_URXE_LIST              urx_pending;
115 
116     /*
117      * List of URXEs which we could not decrypt immediately and which are being
118      * kept in case they can be decrypted later.
119      */
120     QUIC_URXE_LIST              urx_deferred;
121 
122     /*
123      * List of RXEs which are not currently in use. These are moved
124      * to the pending list as they are filled.
125      */
126     RXE_LIST                    rx_free;
127 
128     /*
129      * List of RXEs which are filled with decrypted packets ready to be passed
130      * to the user. A RXE is removed from all lists inside the QRL when passed
131      * to the user, then returned to the free list when the user returns it.
132      */
133     RXE_LIST                    rx_pending;
134 
135     /* Largest PN we have received and processed in a given PN space. */
136     QUIC_PN                     largest_pn[QUIC_PN_SPACE_NUM];
137 
138     /* Per encryption-level state. */
139     OSSL_QRL_ENC_LEVEL_SET      el_set;
140 
141     /* Bytes we have received since this counter was last cleared. */
142     uint64_t                    bytes_received;
143 
144     /*
145      * Number of forged packets we have received since the QRX was instantiated.
146      * Note that as per RFC 9001, this is connection-level state; it is not per
147      * EL and is not reset by a key update.
148      */
149     uint64_t                    forged_pkt_count;
150 
151     /*
152      * The PN the current key epoch started at, inclusive.
153      */
154     uint64_t                    cur_epoch_start_pn;
155 
156     /* Validation callback. */
157     ossl_qrx_late_validation_cb    *validation_cb;
158     void                           *validation_cb_arg;
159 
160     /* Key update callback. */
161     ossl_qrx_key_update_cb         *key_update_cb;
162     void                           *key_update_cb_arg;
163 
164     /* Initial key phase. For debugging use only; always 0 in real use. */
165     unsigned char                   init_key_phase_bit;
166 
167     /* Are we allowed to process 1-RTT packets yet? */
168     unsigned char                   allow_1rtt;
169 
170     /* Message callback related arguments */
171     ossl_msg_cb msg_callback;
172     void *msg_callback_arg;
173     SSL *msg_callback_ssl;
174 };
175 
176 static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len);
177 static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe,
178                                   const QUIC_CONN_ID *first_dcid);
179 static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi,
180                                const unsigned char **pptr, size_t buf_len);
181 static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe);
182 static RXE *qrx_reserve_rxe(RXE_LIST *rxl, RXE *rxe, size_t n);
183 static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
184                                 const unsigned char *src,
185                                 size_t src_len, size_t *dec_len,
186                                 const unsigned char *aad, size_t aad_len,
187                                 QUIC_PN pn, uint32_t enc_level,
188                                 unsigned char key_phase_bit,
189                                 uint64_t *rx_key_epoch);
190 static int qrx_validate_hdr_late(OSSL_QRX *qrx, RXE *rxe);
191 static uint32_t rxe_determine_pn_space(RXE *rxe);
192 static void ignore_res(int x);
193 
ossl_qrx_new(const OSSL_QRX_ARGS * args)194 OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args)
195 {
196     OSSL_QRX *qrx;
197     size_t i;
198 
199     if (args->demux == NULL || args->max_deferred == 0)
200         return NULL;
201 
202     qrx = OPENSSL_zalloc(sizeof(OSSL_QRX));
203     if (qrx == NULL)
204         return NULL;
205 
206     for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i)
207         qrx->largest_pn[i] = args->init_largest_pn[i];
208 
209     qrx->libctx                 = args->libctx;
210     qrx->propq                  = args->propq;
211     qrx->demux                  = args->demux;
212     qrx->short_conn_id_len      = args->short_conn_id_len;
213     qrx->init_key_phase_bit     = args->init_key_phase_bit;
214     qrx->max_deferred           = args->max_deferred;
215     return qrx;
216 }
217 
qrx_cleanup_rxl(RXE_LIST * l)218 static void qrx_cleanup_rxl(RXE_LIST *l)
219 {
220     RXE *e, *enext;
221 
222     for (e = ossl_list_rxe_head(l); e != NULL; e = enext) {
223         enext = ossl_list_rxe_next(e);
224         ossl_list_rxe_remove(l, e);
225         OPENSSL_free(e);
226     }
227 }
228 
qrx_cleanup_urxl(OSSL_QRX * qrx,QUIC_URXE_LIST * l)229 static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l)
230 {
231     QUIC_URXE *e, *enext;
232 
233     for (e = ossl_list_urxe_head(l); e != NULL; e = enext) {
234         enext = ossl_list_urxe_next(e);
235         ossl_list_urxe_remove(l, e);
236         ossl_quic_demux_release_urxe(qrx->demux, e);
237     }
238 }
239 
ossl_qrx_free(OSSL_QRX * qrx)240 void ossl_qrx_free(OSSL_QRX *qrx)
241 {
242     uint32_t i;
243 
244     if (qrx == NULL)
245         return;
246 
247     /* Free RXE queue data. */
248     qrx_cleanup_rxl(&qrx->rx_free);
249     qrx_cleanup_rxl(&qrx->rx_pending);
250     qrx_cleanup_urxl(qrx, &qrx->urx_pending);
251     qrx_cleanup_urxl(qrx, &qrx->urx_deferred);
252 
253     /* Drop keying material and crypto resources. */
254     for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i)
255         ossl_qrl_enc_level_set_discard(&qrx->el_set, i);
256 
257     OPENSSL_free(qrx);
258 }
259 
ossl_qrx_inject_urxe(OSSL_QRX * qrx,QUIC_URXE * urxe)260 void ossl_qrx_inject_urxe(OSSL_QRX *qrx, QUIC_URXE *urxe)
261 {
262     /* Initialize our own fields inside the URXE and add to the pending list. */
263     urxe->processed     = 0;
264     urxe->hpr_removed   = 0;
265     urxe->deferred      = 0;
266     ossl_list_urxe_insert_tail(&qrx->urx_pending, urxe);
267 
268     if (qrx->msg_callback != NULL)
269         qrx->msg_callback(0, OSSL_QUIC1_VERSION, SSL3_RT_QUIC_DATAGRAM, urxe + 1,
270                           urxe->data_len, qrx->msg_callback_ssl,
271                           qrx->msg_callback_arg);
272 }
273 
ossl_qrx_inject_pkt(OSSL_QRX * qrx,OSSL_QRX_PKT * pkt)274 void ossl_qrx_inject_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
275 {
276     RXE *rxe = (RXE *)pkt;
277 
278     /*
279      * port_default_packet_handler() uses ossl_qrx_read_pkt()
280      * to get pkt. Such packet has refcount 1.
281      */
282     ossl_qrx_pkt_orphan(pkt);
283     if (ossl_assert(rxe->refcount == 0))
284         ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
285 }
286 
287 /*
288  * qrx_validate_initial_pkt() is derived from qrx_process_pkt(). Unlike
289  * qrx_process_pkt() the qrx_validate_initial_pkt() function can process
290  * initial packet only. All other packets should be discarded. This allows
291  * port_default_packet_handler() to validate incoming packet. If packet
292  * is not valid, then port_default_packet_handler() must discard the
293  * packet instead of creating a new channel for it.
294  */
qrx_validate_initial_pkt(OSSL_QRX * qrx,QUIC_URXE * urxe,const QUIC_CONN_ID * first_dcid,size_t datagram_len)295 static int qrx_validate_initial_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
296                                     const QUIC_CONN_ID *first_dcid,
297                                     size_t datagram_len)
298 {
299     PACKET pkt, orig_pkt;
300     RXE *rxe;
301     size_t i = 0, aad_len = 0, dec_len = 0;
302     const unsigned char *sop;
303     unsigned char *dst;
304     QUIC_PKT_HDR_PTRS ptrs;
305     uint32_t pn_space;
306     OSSL_QRL_ENC_LEVEL *el = NULL;
307     uint64_t rx_key_epoch = UINT64_MAX;
308 
309     if (!PACKET_buf_init(&pkt, ossl_quic_urxe_data(urxe), urxe->data_len))
310         return 0;
311 
312     orig_pkt = pkt;
313     sop = PACKET_data(&pkt);
314 
315     /*
316      * Get a free RXE. If we need to allocate a new one, use the packet length
317      * as a good ballpark figure.
318      */
319     rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(&pkt));
320     if (rxe == NULL)
321         return 0;
322 
323     /*
324      * we expect INITIAL packet only, therefore it is OK to pass
325      * short_conn_id_len as 0.
326      */
327     if (!ossl_quic_wire_decode_pkt_hdr(&pkt,
328                                        0, /* short_conn_id_len */
329                                        1, /* need second decode */
330                                        0, /* nodata -> want to read data */
331                                        &rxe->hdr, &ptrs,
332                                        NULL))
333         goto malformed;
334 
335     if (rxe->hdr.type != QUIC_PKT_TYPE_INITIAL)
336         goto malformed;
337 
338     if (!qrx_validate_hdr_early(qrx, rxe, NULL))
339         goto malformed;
340 
341     if (ossl_qrl_enc_level_set_have_el(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL) != 1)
342         goto malformed;
343 
344     if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) {
345         const unsigned char *token = rxe->hdr.token;
346 
347         /*
348          * This may change the value of rxe and change the value of the token
349          * pointer as well. So we must make a temporary copy of the pointer to
350          * the token, and then copy it back into the new location of the rxe
351          */
352         if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len))
353             goto malformed;
354 
355         rxe->hdr.token = token;
356     }
357 
358     pkt = orig_pkt;
359 
360     el = ossl_qrl_enc_level_set_get(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL, 1);
361     assert(el != NULL); /* Already checked above */
362 
363     if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs))
364         goto malformed;
365 
366     /*
367      * We have removed header protection, so don't attempt to do it again if
368      * the packet gets deferred and processed again.
369      */
370     pkt_mark(&urxe->hpr_removed, 0);
371 
372     /* Decode the now unprotected header. */
373     if (ossl_quic_wire_decode_pkt_hdr(&pkt, 0,
374                                       0, 0, &rxe->hdr, NULL, NULL) != 1)
375         goto malformed;
376 
377     /* Validate header and decode PN. */
378     if (!qrx_validate_hdr(qrx, rxe))
379         goto malformed;
380 
381     /*
382      * The AAD data is the entire (unprotected) packet header including the PN.
383      * The packet header has been unprotected in place, so we can just reuse the
384      * PACKET buffer. The header ends where the payload begins.
385      */
386     aad_len = rxe->hdr.data - sop;
387 
388     /* Ensure the RXE buffer size is adequate for our payload. */
389     if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL)
390         goto malformed;
391 
392     /*
393      * We decrypt the packet body to immediately after the token at the start of
394      * the RXE buffer (where present).
395      *
396      * Do the decryption from the PACKET (which points into URXE memory) to our
397      * RXE payload (single-copy decryption), then fixup the pointers in the
398      * header to point to our new buffer.
399      *
400      * If decryption fails this is considered a permanent error; we defer
401      * packets we don't yet have decryption keys for above, so if this fails,
402      * something has gone wrong with the handshake process or a packet has been
403      * corrupted.
404      */
405     dst = (unsigned char *)rxe_data(rxe) + i;
406     if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len,
407                               &dec_len, sop, aad_len, rxe->pn, QUIC_ENC_LEVEL_INITIAL,
408                               rxe->hdr.key_phase, &rx_key_epoch))
409         goto malformed;
410 
411     /*
412      * -----------------------------------------------------
413      *   IMPORTANT: ANYTHING ABOVE THIS LINE IS UNVERIFIED
414      *              AND MUST BE TIMING-CHANNEL SAFE.
415      * -----------------------------------------------------
416      *
417      * At this point, we have successfully authenticated the AEAD tag and no
418      * longer need to worry about exposing the PN, PN length or Key Phase bit in
419      * timing channels. Invoke any configured validation callback to allow for
420      * rejection of duplicate PNs.
421      */
422     if (!qrx_validate_hdr_late(qrx, rxe))
423         goto malformed;
424 
425     pkt_mark(&urxe->processed, 0);
426 
427     /*
428      * Update header to point to the decrypted buffer, which may be shorter
429      * due to AEAD tags, block padding, etc.
430      */
431     rxe->hdr.data       = dst;
432     rxe->hdr.len        = dec_len;
433     rxe->data_len       = dec_len;
434     rxe->datagram_len   = datagram_len;
435     rxe->key_epoch      = rx_key_epoch;
436 
437     /* We processed the PN successfully, so update largest processed PN. */
438     pn_space = rxe_determine_pn_space(rxe);
439     if (rxe->pn > qrx->largest_pn[pn_space])
440         qrx->largest_pn[pn_space] = rxe->pn;
441 
442     /* Copy across network addresses and RX time from URXE to RXE. */
443     rxe->peer           = urxe->peer;
444     rxe->local          = urxe->local;
445     rxe->time           = urxe->time;
446     rxe->datagram_id    = urxe->datagram_id;
447 
448     /*
449      * The packet is decrypted, we are going to move it from
450      * rx_pending queue where it waits to be further processed
451      * by ch_rx().
452      */
453     ossl_list_rxe_remove(&qrx->rx_free, rxe);
454     ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
455 
456     return 1;
457 
458 malformed:
459     /* caller (port_default_packet_handler()) should discard urxe */
460     return 0;
461 }
462 
ossl_qrx_validate_initial_packet(OSSL_QRX * qrx,QUIC_URXE * urxe,const QUIC_CONN_ID * dcid)463 int ossl_qrx_validate_initial_packet(OSSL_QRX *qrx, QUIC_URXE *urxe,
464                                      const QUIC_CONN_ID *dcid)
465 {
466     urxe->processed     = 0;
467     urxe->hpr_removed   = 0;
468     urxe->deferred      = 0;
469 
470     return qrx_validate_initial_pkt(qrx, urxe, dcid, urxe->data_len);
471 }
472 
qrx_requeue_deferred(OSSL_QRX * qrx)473 static void qrx_requeue_deferred(OSSL_QRX *qrx)
474 {
475     QUIC_URXE *e;
476 
477     while ((e = ossl_list_urxe_head(&qrx->urx_deferred)) != NULL) {
478         ossl_list_urxe_remove(&qrx->urx_deferred, e);
479         ossl_list_urxe_insert_tail(&qrx->urx_pending, e);
480     }
481 }
482 
ossl_qrx_provide_secret(OSSL_QRX * qrx,uint32_t enc_level,uint32_t suite_id,EVP_MD * md,const unsigned char * secret,size_t secret_len)483 int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level,
484                             uint32_t suite_id, EVP_MD *md,
485                             const unsigned char *secret, size_t secret_len)
486 {
487     if (enc_level >= QUIC_ENC_LEVEL_NUM)
488         return 0;
489 
490     if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set,
491                                                qrx->libctx,
492                                                qrx->propq,
493                                                enc_level,
494                                                suite_id,
495                                                md,
496                                                secret,
497                                                secret_len,
498                                                qrx->init_key_phase_bit,
499                                                /*is_tx=*/0))
500         return 0;
501 
502     /*
503      * Any packets we previously could not decrypt, we may now be able to
504      * decrypt, so move any datagrams containing deferred packets from the
505      * deferred to the pending queue.
506      */
507     qrx_requeue_deferred(qrx);
508     return 1;
509 }
510 
ossl_qrx_discard_enc_level(OSSL_QRX * qrx,uint32_t enc_level)511 int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level)
512 {
513     if (enc_level >= QUIC_ENC_LEVEL_NUM)
514         return 0;
515 
516     ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level);
517     return 1;
518 }
519 
520 /* Returns 1 if there are one or more pending RXEs. */
ossl_qrx_processed_read_pending(OSSL_QRX * qrx)521 int ossl_qrx_processed_read_pending(OSSL_QRX *qrx)
522 {
523     return !ossl_list_rxe_is_empty(&qrx->rx_pending);
524 }
525 
526 /* Returns 1 if there are yet-unprocessed packets. */
ossl_qrx_unprocessed_read_pending(OSSL_QRX * qrx)527 int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx)
528 {
529     return !ossl_list_urxe_is_empty(&qrx->urx_pending)
530            || !ossl_list_urxe_is_empty(&qrx->urx_deferred);
531 }
532 
533 /* Pop the next pending RXE. Returns NULL if no RXE is pending. */
qrx_pop_pending_rxe(OSSL_QRX * qrx)534 static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx)
535 {
536     RXE *rxe = ossl_list_rxe_head(&qrx->rx_pending);
537 
538     if (rxe == NULL)
539         return NULL;
540 
541     ossl_list_rxe_remove(&qrx->rx_pending, rxe);
542     return rxe;
543 }
544 
545 /* Allocate a new RXE. */
qrx_alloc_rxe(size_t alloc_len)546 static RXE *qrx_alloc_rxe(size_t alloc_len)
547 {
548     RXE *rxe;
549 
550     if (alloc_len >= SIZE_MAX - sizeof(RXE))
551         return NULL;
552 
553     rxe = OPENSSL_malloc(sizeof(RXE) + alloc_len);
554     if (rxe == NULL)
555         return NULL;
556 
557     ossl_list_rxe_init_elem(rxe);
558     rxe->alloc_len = alloc_len;
559     rxe->data_len  = 0;
560     rxe->refcount  = 0;
561     return rxe;
562 }
563 
564 /*
565  * Ensures there is at least one RXE in the RX free list, allocating a new entry
566  * if necessary. The returned RXE is in the RX free list; it is not popped.
567  *
568  * alloc_len is a hint which may be used to determine the RXE size if allocation
569  * is necessary. Returns NULL on allocation failure.
570  */
qrx_ensure_free_rxe(OSSL_QRX * qrx,size_t alloc_len)571 static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len)
572 {
573     RXE *rxe;
574 
575     if (ossl_list_rxe_head(&qrx->rx_free) != NULL)
576         return ossl_list_rxe_head(&qrx->rx_free);
577 
578     rxe = qrx_alloc_rxe(alloc_len);
579     if (rxe == NULL)
580         return NULL;
581 
582     ossl_list_rxe_insert_tail(&qrx->rx_free, rxe);
583     return rxe;
584 }
585 
586 /*
587  * Resize the data buffer attached to an RXE to be n bytes in size. The address
588  * of the RXE might change; the new address is returned, or NULL on failure, in
589  * which case the original RXE remains valid.
590  */
qrx_resize_rxe(RXE_LIST * rxl,RXE * rxe,size_t n)591 static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n)
592 {
593     RXE *rxe2, *p;
594 
595     /* Should never happen. */
596     if (rxe == NULL)
597         return NULL;
598 
599     if (n >= SIZE_MAX - sizeof(RXE))
600         return NULL;
601 
602     /* Remove the item from the list to avoid accessing freed memory */
603     p = ossl_list_rxe_prev(rxe);
604     ossl_list_rxe_remove(rxl, rxe);
605 
606     /* Should never resize an RXE which has been handed out. */
607     if (!ossl_assert(rxe->refcount == 0))
608         return NULL;
609 
610     /*
611      * NOTE: We do not clear old memory, although it does contain decrypted
612      * data.
613      */
614     rxe2 = OPENSSL_realloc(rxe, sizeof(RXE) + n);
615     if (rxe2 == NULL) {
616         /* Resize failed, restore old allocation. */
617         if (p == NULL)
618             ossl_list_rxe_insert_head(rxl, rxe);
619         else
620             ossl_list_rxe_insert_after(rxl, p, rxe);
621         return NULL;
622     }
623 
624     if (p == NULL)
625         ossl_list_rxe_insert_head(rxl, rxe2);
626     else
627         ossl_list_rxe_insert_after(rxl, p, rxe2);
628 
629     rxe2->alloc_len = n;
630     return rxe2;
631 }
632 
633 /*
634  * Ensure the data buffer attached to an RXE is at least n bytes in size.
635  * Returns NULL on failure.
636  */
qrx_reserve_rxe(RXE_LIST * rxl,RXE * rxe,size_t n)637 static RXE *qrx_reserve_rxe(RXE_LIST *rxl,
638                             RXE *rxe, size_t n)
639 {
640     if (rxe->alloc_len >= n)
641         return rxe;
642 
643     return qrx_resize_rxe(rxl, rxe, n);
644 }
645 
646 /* Return a RXE handed out to the user back to our freelist. */
qrx_recycle_rxe(OSSL_QRX * qrx,RXE * rxe)647 static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe)
648 {
649     /* RXE should not be in any list */
650     assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
651     rxe->pkt.hdr    = NULL;
652     rxe->pkt.peer   = NULL;
653     rxe->pkt.local  = NULL;
654     ossl_list_rxe_insert_tail(&qrx->rx_free, rxe);
655 }
656 
657 /*
658  * Given a pointer to a pointer pointing to a buffer and the size of that
659  * buffer, copy the buffer into *prxe, expanding the RXE if necessary (its
660  * pointer may change due to realloc). *pi is the offset in bytes to copy the
661  * buffer to, and on success is updated to be the offset pointing after the
662  * copied buffer. *pptr is updated to point to the new location of the buffer.
663  */
qrx_relocate_buffer(OSSL_QRX * qrx,RXE ** prxe,size_t * pi,const unsigned char ** pptr,size_t buf_len)664 static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi,
665                                const unsigned char **pptr, size_t buf_len)
666 {
667     RXE *rxe;
668     unsigned char *dst;
669 
670     if (!buf_len)
671         return 1;
672 
673     if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL)
674         return 0;
675 
676     *prxe = rxe;
677     dst = (unsigned char *)rxe_data(rxe) + *pi;
678 
679     memcpy(dst, *pptr, buf_len);
680     *pi += buf_len;
681     *pptr = dst;
682     return 1;
683 }
684 
qrx_determine_enc_level(const QUIC_PKT_HDR * hdr)685 static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr)
686 {
687     switch (hdr->type) {
688         case QUIC_PKT_TYPE_INITIAL:
689             return QUIC_ENC_LEVEL_INITIAL;
690         case QUIC_PKT_TYPE_HANDSHAKE:
691             return QUIC_ENC_LEVEL_HANDSHAKE;
692         case QUIC_PKT_TYPE_0RTT:
693             return QUIC_ENC_LEVEL_0RTT;
694         case QUIC_PKT_TYPE_1RTT:
695             return QUIC_ENC_LEVEL_1RTT;
696 
697         default:
698             assert(0);
699         case QUIC_PKT_TYPE_RETRY:
700         case QUIC_PKT_TYPE_VERSION_NEG:
701             return QUIC_ENC_LEVEL_INITIAL; /* not used */
702     }
703 }
704 
rxe_determine_pn_space(RXE * rxe)705 static uint32_t rxe_determine_pn_space(RXE *rxe)
706 {
707     uint32_t enc_level;
708 
709     enc_level = qrx_determine_enc_level(&rxe->hdr);
710     return ossl_quic_enc_level_to_pn_space(enc_level);
711 }
712 
qrx_validate_hdr_early(OSSL_QRX * qrx,RXE * rxe,const QUIC_CONN_ID * first_dcid)713 static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe,
714                                   const QUIC_CONN_ID *first_dcid)
715 {
716     /* Ensure version is what we want. */
717     if (rxe->hdr.version != QUIC_VERSION_1
718         && rxe->hdr.version != QUIC_VERSION_NONE)
719         return 0;
720 
721     /* Clients should never receive 0-RTT packets. */
722     if (rxe->hdr.type == QUIC_PKT_TYPE_0RTT)
723         return 0;
724 
725     /* Version negotiation and retry packets must be the first packet. */
726     if (first_dcid != NULL && !ossl_quic_pkt_type_can_share_dgram(rxe->hdr.type))
727         return 0;
728 
729     /*
730      * If this is not the first packet in a datagram, the destination connection
731      * ID must match the one in that packet.
732      */
733     if (first_dcid != NULL) {
734         if (!ossl_assert(first_dcid->id_len < QUIC_MAX_CONN_ID_LEN)
735             || !ossl_quic_conn_id_eq(first_dcid,
736                                      &rxe->hdr.dst_conn_id))
737         return 0;
738     }
739 
740     return 1;
741 }
742 
743 /* Validate header and decode PN. */
qrx_validate_hdr(OSSL_QRX * qrx,RXE * rxe)744 static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe)
745 {
746     int pn_space = rxe_determine_pn_space(rxe);
747 
748     if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len,
749                                           qrx->largest_pn[pn_space],
750                                           &rxe->pn))
751         return 0;
752 
753     return 1;
754 }
755 
756 /* Late packet header validation. */
qrx_validate_hdr_late(OSSL_QRX * qrx,RXE * rxe)757 static int qrx_validate_hdr_late(OSSL_QRX *qrx, RXE *rxe)
758 {
759     int pn_space = rxe_determine_pn_space(rxe);
760 
761     /*
762      * Allow our user to decide whether to discard the packet before we try and
763      * decrypt it.
764      */
765     if (qrx->validation_cb != NULL
766         && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg))
767         return 0;
768 
769     return 1;
770 }
771 
772 /*
773  * Retrieves the correct cipher context for an EL and key phase. Writes the key
774  * epoch number actually used for packet decryption to *rx_key_epoch.
775  */
qrx_get_cipher_ctx_idx(OSSL_QRX * qrx,OSSL_QRL_ENC_LEVEL * el,uint32_t enc_level,unsigned char key_phase_bit,uint64_t * rx_key_epoch,int * is_old_key)776 static size_t qrx_get_cipher_ctx_idx(OSSL_QRX *qrx, OSSL_QRL_ENC_LEVEL *el,
777                                      uint32_t enc_level,
778                                      unsigned char key_phase_bit,
779                                      uint64_t *rx_key_epoch,
780                                      int *is_old_key)
781 {
782     size_t idx;
783 
784     *is_old_key = 0;
785 
786     if (enc_level != QUIC_ENC_LEVEL_1RTT) {
787         *rx_key_epoch = 0;
788         return 0;
789     }
790 
791     if (!ossl_assert(key_phase_bit <= 1))
792         return SIZE_MAX;
793 
794     /*
795      * RFC 9001 requires that we not create timing channels which could reveal
796      * the decrypted value of the Key Phase bit. We usually handle this by
797      * keeping the cipher contexts for both the current and next key epochs
798      * around, so that we just select a cipher context blindly using the key
799      * phase bit, which is time-invariant.
800      *
801      * In the COOLDOWN state, we only have one keyslot/cipher context. RFC 9001
802      * suggests an implementation strategy to avoid creating a timing channel in
803      * this case:
804      *
805      *   Endpoints can use randomized packet protection keys in place of
806      *   discarded keys when key updates are not yet permitted.
807      *
808      * Rather than use a randomised key, we simply use our existing key as it
809      * will fail AEAD verification anyway. This avoids the need to keep around a
810      * dedicated garbage key.
811      *
812      * Note: Accessing different cipher contexts is technically not
813      * timing-channel safe due to microarchitectural side channels, but this is
814      * the best we can reasonably do and appears to be directly suggested by the
815      * RFC.
816      */
817     idx = (el->state == QRL_EL_STATE_PROV_COOLDOWN ? el->key_epoch & 1
818                                                    : key_phase_bit);
819 
820     /*
821      * We also need to determine the key epoch number which this index
822      * corresponds to. This is so we can report the key epoch number in the
823      * OSSL_QRX_PKT structure, which callers need to validate whether it was OK
824      * for a packet to be sent using a given key epoch's keys.
825      */
826     switch (el->state) {
827     case QRL_EL_STATE_PROV_NORMAL:
828         /*
829          * If we are in the NORMAL state, usually the KP bit will match the LSB
830          * of our key epoch, meaning no new key update is being signalled. If it
831          * does not match, this means the packet (purports to) belong to
832          * the next key epoch.
833          *
834          * IMPORTANT: The AEAD tag has not been verified yet when this function
835          * is called, so this code must be timing-channel safe, hence use of
836          * XOR. Moreover, the value output below is not yet authenticated.
837          */
838         *rx_key_epoch
839             = el->key_epoch + ((el->key_epoch & 1) ^ (uint64_t)key_phase_bit);
840         break;
841 
842     case QRL_EL_STATE_PROV_UPDATING:
843         /*
844          * If we are in the UPDATING state, usually the KP bit will match the
845          * LSB of our key epoch. If it does not match, this means that the
846          * packet (purports to) belong to the previous key epoch.
847          *
848          * As above, must be timing-channel safe.
849          */
850         *is_old_key = (el->key_epoch & 1) ^ (uint64_t)key_phase_bit;
851         *rx_key_epoch = el->key_epoch - (uint64_t)*is_old_key;
852         break;
853 
854     case QRL_EL_STATE_PROV_COOLDOWN:
855         /*
856          * If we are in COOLDOWN, there is only one key epoch we can possibly
857          * decrypt with, so just try that. If AEAD decryption fails, the
858          * value we output here isn't used anyway.
859          */
860         *rx_key_epoch = el->key_epoch;
861         break;
862     }
863 
864     return idx;
865 }
866 
867 /*
868  * Tries to decrypt a packet payload.
869  *
870  * Returns 1 on success or 0 on failure (which is permanent). The payload is
871  * decrypted from src and written to dst. The buffer dst must be of at least
872  * src_len bytes in length. The actual length of the output in bytes is written
873  * to *dec_len on success, which will always be equal to or less than (usually
874  * less than) src_len.
875  */
qrx_decrypt_pkt_body(OSSL_QRX * qrx,unsigned char * dst,const unsigned char * src,size_t src_len,size_t * dec_len,const unsigned char * aad,size_t aad_len,QUIC_PN pn,uint32_t enc_level,unsigned char key_phase_bit,uint64_t * rx_key_epoch)876 static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
877                                 const unsigned char *src,
878                                 size_t src_len, size_t *dec_len,
879                                 const unsigned char *aad, size_t aad_len,
880                                 QUIC_PN pn, uint32_t enc_level,
881                                 unsigned char key_phase_bit,
882                                 uint64_t *rx_key_epoch)
883 {
884     int l = 0, l2 = 0, is_old_key, nonce_len;
885     unsigned char nonce[EVP_MAX_IV_LENGTH];
886     size_t i, cctx_idx;
887     OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
888                                                         enc_level, 1);
889     EVP_CIPHER_CTX *cctx;
890 
891     if (src_len > INT_MAX || aad_len > INT_MAX)
892         return 0;
893 
894     /* We should not have been called if we do not have key material. */
895     if (!ossl_assert(el != NULL))
896         return 0;
897 
898     if (el->tag_len >= src_len)
899         return 0;
900 
901     /*
902      * If we have failed to authenticate a certain number of ciphertexts, refuse
903      * to decrypt any more ciphertexts.
904      */
905     if (qrx->forged_pkt_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id))
906         return 0;
907 
908     cctx_idx = qrx_get_cipher_ctx_idx(qrx, el, enc_level, key_phase_bit,
909                                       rx_key_epoch, &is_old_key);
910     if (!ossl_assert(cctx_idx < OSSL_NELEM(el->cctx)))
911         return 0;
912 
913     if (is_old_key && pn >= qrx->cur_epoch_start_pn)
914         /*
915          * RFC 9001 s. 5.5: Once an endpoint successfully receives a packet with
916          * a given PN, it MUST discard all packets in the same PN space with
917          * higher PNs if they cannot be successfully unprotected with the same
918          * key, or -- if there is a key update -- a subsequent packet protection
919          * key.
920          *
921          * In other words, once a PN x triggers a KU, it is invalid for us to
922          * receive a packet with a newer PN y (y > x) using the old keys.
923          */
924         return 0;
925 
926     cctx = el->cctx[cctx_idx];
927 
928     /* Construct nonce (nonce=IV ^ PN). */
929     nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx);
930     if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN)))
931         return 0;
932 
933     memcpy(nonce, el->iv[cctx_idx], nonce_len);
934     for (i = 0; i < sizeof(QUIC_PN); ++i)
935         nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8));
936 
937     /* type and key will already have been setup; feed the IV. */
938     if (EVP_CipherInit_ex(cctx, NULL,
939                           NULL, NULL, nonce, /*enc=*/0) != 1)
940         return 0;
941 
942     /* Feed the AEAD tag we got so the cipher can validate it. */
943     if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG,
944                             el->tag_len,
945                             (unsigned char *)src + src_len - el->tag_len) != 1)
946         return 0;
947 
948     /* Feed AAD data. */
949     if (EVP_CipherUpdate(cctx, NULL, &l, aad, aad_len) != 1)
950         return 0;
951 
952     /* Feed encrypted packet body. */
953     if (EVP_CipherUpdate(cctx, dst, &l, src, src_len - el->tag_len) != 1)
954         return 0;
955 
956 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
957     /*
958      * Throw away what we just decrypted and just use the ciphertext instead
959      * (which should be unencrypted)
960      */
961     memcpy(dst, src, l);
962 
963     /* Pretend to authenticate the tag but ignore it */
964     if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
965         /* We don't care */
966     }
967 #else
968     /* Ensure authentication succeeded. */
969     if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
970         /* Authentication failed, increment failed auth counter. */
971         ++qrx->forged_pkt_count;
972         return 0;
973     }
974 #endif
975 
976     *dec_len = l;
977     return 1;
978 }
979 
ignore_res(int x)980 static ossl_inline void ignore_res(int x)
981 {
982     /* No-op. */
983 }
984 
qrx_key_update_initiated(OSSL_QRX * qrx,QUIC_PN pn)985 static void qrx_key_update_initiated(OSSL_QRX *qrx, QUIC_PN pn)
986 {
987     if (!ossl_qrl_enc_level_set_key_update(&qrx->el_set, QUIC_ENC_LEVEL_1RTT))
988         /* We are already in RXKU, so we don't call the callback again. */
989         return;
990 
991     qrx->cur_epoch_start_pn = pn;
992 
993     if (qrx->key_update_cb != NULL)
994         qrx->key_update_cb(pn, qrx->key_update_cb_arg);
995 }
996 
997 /* Process a single packet in a datagram. */
qrx_process_pkt(OSSL_QRX * qrx,QUIC_URXE * urxe,PACKET * pkt,size_t pkt_idx,QUIC_CONN_ID * first_dcid,size_t datagram_len)998 static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
999                            PACKET *pkt, size_t pkt_idx,
1000                            QUIC_CONN_ID *first_dcid,
1001                            size_t datagram_len)
1002 {
1003     RXE *rxe;
1004     const unsigned char *eop = NULL;
1005     size_t i, aad_len = 0, dec_len = 0;
1006     PACKET orig_pkt = *pkt;
1007     const unsigned char *sop = PACKET_data(pkt);
1008     unsigned char *dst;
1009     char need_second_decode = 0, already_processed = 0;
1010     QUIC_PKT_HDR_PTRS ptrs;
1011     uint32_t pn_space, enc_level;
1012     OSSL_QRL_ENC_LEVEL *el = NULL;
1013     uint64_t rx_key_epoch = UINT64_MAX;
1014 
1015     /*
1016      * Get a free RXE. If we need to allocate a new one, use the packet length
1017      * as a good ballpark figure.
1018      */
1019     rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt));
1020     if (rxe == NULL)
1021         return 0;
1022 
1023     /* Have we already processed this packet? */
1024     if (pkt_is_marked(&urxe->processed, pkt_idx))
1025         already_processed = 1;
1026 
1027     /*
1028      * Decode the header into the RXE structure. We first decrypt and read the
1029      * unprotected part of the packet header (unless we already removed header
1030      * protection, in which case we decode all of it).
1031      */
1032     need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx);
1033     if (!ossl_quic_wire_decode_pkt_hdr(pkt,
1034                                        qrx->short_conn_id_len,
1035                                        need_second_decode, 0, &rxe->hdr, &ptrs,
1036                                        NULL))
1037         goto malformed;
1038 
1039     /*
1040      * Our successful decode above included an intelligible length and the
1041      * PACKET is now pointing to the end of the QUIC packet.
1042      */
1043     eop = PACKET_data(pkt);
1044 
1045     /*
1046      * Make a note of the first packet's DCID so we can later ensure the
1047      * destination connection IDs of all packets in a datagram match.
1048      */
1049     if (pkt_idx == 0)
1050         *first_dcid = rxe->hdr.dst_conn_id;
1051 
1052     /*
1053      * Early header validation. Since we now know the packet length, we can also
1054      * now skip over it if we already processed it.
1055      */
1056     if (already_processed
1057         || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : first_dcid))
1058         /*
1059          * Already processed packets are handled identically to malformed
1060          * packets; i.e., they are ignored.
1061          */
1062         goto malformed;
1063 
1064     if (!ossl_quic_pkt_type_is_encrypted(rxe->hdr.type)) {
1065         /*
1066          * Version negotiation and retry packets are a special case. They do not
1067          * contain a payload which needs decrypting and have no header
1068          * protection.
1069          */
1070 
1071         /* Just copy the payload from the URXE to the RXE. */
1072         if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL)
1073             /*
1074              * Allocation failure. EOP will be pointing to the end of the
1075              * datagram so processing of this datagram will end here.
1076              */
1077             goto malformed;
1078 
1079         /* We are now committed to returning the packet. */
1080         memcpy(rxe_data(rxe), rxe->hdr.data, rxe->hdr.len);
1081         pkt_mark(&urxe->processed, pkt_idx);
1082 
1083         rxe->hdr.data   = rxe_data(rxe);
1084         rxe->pn         = QUIC_PN_INVALID;
1085 
1086         rxe->data_len       = rxe->hdr.len;
1087         rxe->datagram_len   = datagram_len;
1088         rxe->key_epoch      = 0;
1089         rxe->peer           = urxe->peer;
1090         rxe->local          = urxe->local;
1091         rxe->time           = urxe->time;
1092         rxe->datagram_id    = urxe->datagram_id;
1093 
1094         /* Move RXE to pending. */
1095         ossl_list_rxe_remove(&qrx->rx_free, rxe);
1096         ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
1097         return 0; /* success, did not defer */
1098     }
1099 
1100     /* Determine encryption level of packet. */
1101     enc_level = qrx_determine_enc_level(&rxe->hdr);
1102 
1103     /* If we do not have keying material for this encryption level yet, defer. */
1104     switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) {
1105         case 1:
1106             /* We have keys. */
1107             if (enc_level == QUIC_ENC_LEVEL_1RTT && !qrx->allow_1rtt)
1108                 /*
1109                  * But we cannot process 1-RTT packets until the handshake is
1110                  * completed (RFC 9000 s. 5.7).
1111                  */
1112                 goto cannot_decrypt;
1113 
1114             break;
1115         case 0:
1116             /* No keys yet. */
1117             goto cannot_decrypt;
1118         default:
1119             /* We already discarded keys for this EL, we will never process this.*/
1120             goto malformed;
1121     }
1122 
1123     /*
1124      * We will copy any token included in the packet to the start of our RXE
1125      * data buffer (so that we don't reference the URXE buffer any more and can
1126      * recycle it). Track our position in the RXE buffer by index instead of
1127      * pointer as the pointer may change as reallocs occur.
1128      */
1129     i = 0;
1130 
1131     /*
1132      * rxe->hdr.data is now pointing at the (encrypted) packet payload. rxe->hdr
1133      * also has fields pointing into the PACKET buffer which will be going away
1134      * soon (the URXE will be reused for another incoming packet).
1135      *
1136      * Firstly, relocate some of these fields into the RXE as needed.
1137      *
1138      * Relocate token buffer and fix pointer.
1139      */
1140     if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) {
1141         const unsigned char *token = rxe->hdr.token;
1142 
1143         /*
1144          * This may change the value of rxe and change the value of the token
1145          * pointer as well. So we must make a temporary copy of the pointer to
1146          * the token, and then copy it back into the new location of the rxe
1147          */
1148         if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len))
1149             goto malformed;
1150 
1151         rxe->hdr.token = token;
1152     }
1153 
1154     /* Now remove header protection. */
1155     *pkt = orig_pkt;
1156 
1157     el = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1);
1158     assert(el != NULL); /* Already checked above */
1159 
1160     if (need_second_decode) {
1161         if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs))
1162             goto malformed;
1163 
1164         /*
1165          * We have removed header protection, so don't attempt to do it again if
1166          * the packet gets deferred and processed again.
1167          */
1168         pkt_mark(&urxe->hpr_removed, pkt_idx);
1169 
1170         /* Decode the now unprotected header. */
1171         if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len,
1172                                           0, 0, &rxe->hdr, NULL, NULL) != 1)
1173             goto malformed;
1174     }
1175 
1176     /* Validate header and decode PN. */
1177     if (!qrx_validate_hdr(qrx, rxe))
1178         goto malformed;
1179 
1180     if (qrx->msg_callback != NULL)
1181         qrx->msg_callback(0, OSSL_QUIC1_VERSION, SSL3_RT_QUIC_PACKET, sop,
1182                           eop - sop - rxe->hdr.len, qrx->msg_callback_ssl,
1183                           qrx->msg_callback_arg);
1184 
1185     /*
1186      * The AAD data is the entire (unprotected) packet header including the PN.
1187      * The packet header has been unprotected in place, so we can just reuse the
1188      * PACKET buffer. The header ends where the payload begins.
1189      */
1190     aad_len = rxe->hdr.data - sop;
1191 
1192     /* Ensure the RXE buffer size is adequate for our payload. */
1193     if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) {
1194         /*
1195          * Allocation failure, treat as malformed and do not bother processing
1196          * any further packets in the datagram as they are likely to also
1197          * encounter allocation failures.
1198          */
1199         eop = NULL;
1200         goto malformed;
1201     }
1202 
1203     /*
1204      * We decrypt the packet body to immediately after the token at the start of
1205      * the RXE buffer (where present).
1206      *
1207      * Do the decryption from the PACKET (which points into URXE memory) to our
1208      * RXE payload (single-copy decryption), then fixup the pointers in the
1209      * header to point to our new buffer.
1210      *
1211      * If decryption fails this is considered a permanent error; we defer
1212      * packets we don't yet have decryption keys for above, so if this fails,
1213      * something has gone wrong with the handshake process or a packet has been
1214      * corrupted.
1215      */
1216     dst = (unsigned char *)rxe_data(rxe) + i;
1217     if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len,
1218                               &dec_len, sop, aad_len, rxe->pn, enc_level,
1219                               rxe->hdr.key_phase, &rx_key_epoch))
1220         goto malformed;
1221 
1222     /*
1223      * -----------------------------------------------------
1224      *   IMPORTANT: ANYTHING ABOVE THIS LINE IS UNVERIFIED
1225      *              AND MUST BE TIMING-CHANNEL SAFE.
1226      * -----------------------------------------------------
1227      *
1228      * At this point, we have successfully authenticated the AEAD tag and no
1229      * longer need to worry about exposing the PN, PN length or Key Phase bit in
1230      * timing channels. Invoke any configured validation callback to allow for
1231      * rejection of duplicate PNs.
1232      */
1233     if (!qrx_validate_hdr_late(qrx, rxe))
1234         goto malformed;
1235 
1236     /* Check for a Key Phase bit differing from our expectation. */
1237     if (rxe->hdr.type == QUIC_PKT_TYPE_1RTT
1238         && rxe->hdr.key_phase != (el->key_epoch & 1))
1239         qrx_key_update_initiated(qrx, rxe->pn);
1240 
1241     /*
1242      * We have now successfully decrypted the packet payload. If there are
1243      * additional packets in the datagram, it is possible we will fail to
1244      * decrypt them and need to defer them until we have some key material we
1245      * don't currently possess. If this happens, the URXE will be moved to the
1246      * deferred queue. Since a URXE corresponds to one datagram, which may
1247      * contain multiple packets, we must ensure any packets we have already
1248      * processed in the URXE are not processed again (this is an RFC
1249      * requirement). We do this by marking the nth packet in the datagram as
1250      * processed.
1251      *
1252      * We are now committed to returning this decrypted packet to the user,
1253      * meaning we now consider the packet processed and must mark it
1254      * accordingly.
1255      */
1256     pkt_mark(&urxe->processed, pkt_idx);
1257 
1258     /*
1259      * Update header to point to the decrypted buffer, which may be shorter
1260      * due to AEAD tags, block padding, etc.
1261      */
1262     rxe->hdr.data       = dst;
1263     rxe->hdr.len        = dec_len;
1264     rxe->data_len       = dec_len;
1265     rxe->datagram_len   = datagram_len;
1266     rxe->key_epoch      = rx_key_epoch;
1267 
1268     /* We processed the PN successfully, so update largest processed PN. */
1269     pn_space = rxe_determine_pn_space(rxe);
1270     if (rxe->pn > qrx->largest_pn[pn_space])
1271         qrx->largest_pn[pn_space] = rxe->pn;
1272 
1273     /* Copy across network addresses and RX time from URXE to RXE. */
1274     rxe->peer           = urxe->peer;
1275     rxe->local          = urxe->local;
1276     rxe->time           = urxe->time;
1277     rxe->datagram_id    = urxe->datagram_id;
1278 
1279     /* Move RXE to pending. */
1280     ossl_list_rxe_remove(&qrx->rx_free, rxe);
1281     ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
1282     return 0; /* success, did not defer; not distinguished from failure */
1283 
1284 cannot_decrypt:
1285     /*
1286      * We cannot process this packet right now (but might be able to later). We
1287      * MUST attempt to process any other packets in the datagram, so defer it
1288      * and skip over it.
1289      */
1290     assert(eop != NULL && eop >= PACKET_data(pkt));
1291     /*
1292      * We don't care if this fails as it will just result in the packet being at
1293      * the end of the datagram buffer.
1294      */
1295     ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt)));
1296     return 1; /* deferred */
1297 
1298 malformed:
1299     if (eop != NULL) {
1300         /*
1301          * This packet cannot be processed and will never be processable. We
1302          * were at least able to decode its header and determine its length, so
1303          * we can skip over it and try to process any subsequent packets in the
1304          * datagram.
1305          *
1306          * Mark as processed as an optimization.
1307          */
1308         assert(eop >= PACKET_data(pkt));
1309         pkt_mark(&urxe->processed, pkt_idx);
1310         /* We don't care if this fails (see above) */
1311         ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt)));
1312     } else {
1313         /*
1314          * This packet cannot be processed and will never be processable.
1315          * Because even its header is not intelligible, we cannot examine any
1316          * further packets in the datagram because its length cannot be
1317          * discerned.
1318          *
1319          * Advance over the entire remainder of the datagram, and mark it as
1320          * processed as an optimization.
1321          */
1322         pkt_mark(&urxe->processed, pkt_idx);
1323         /* We don't care if this fails (see above) */
1324         ignore_res(PACKET_forward(pkt, PACKET_remaining(pkt)));
1325     }
1326     return 0; /* failure, did not defer; not distinguished from success */
1327 }
1328 
1329 /* Process a datagram which was received. */
qrx_process_datagram(OSSL_QRX * qrx,QUIC_URXE * e,const unsigned char * data,size_t data_len)1330 static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e,
1331                                 const unsigned char *data,
1332                                 size_t data_len)
1333 {
1334     int have_deferred = 0;
1335     PACKET pkt;
1336     size_t pkt_idx = 0;
1337     QUIC_CONN_ID first_dcid = { 255 };
1338 
1339     qrx->bytes_received += data_len;
1340 
1341     if (!PACKET_buf_init(&pkt, data, data_len))
1342         return 0;
1343 
1344     for (; PACKET_remaining(&pkt) > 0; ++pkt_idx) {
1345         /*
1346          * A packet smaller than the minimum possible QUIC packet size is not
1347          * considered valid. We also ignore more than a certain number of
1348          * packets within the same datagram.
1349          */
1350         if (PACKET_remaining(&pkt) < QUIC_MIN_VALID_PKT_LEN
1351             || pkt_idx >= QUIC_MAX_PKT_PER_URXE)
1352             break;
1353 
1354         /*
1355          * We note whether packet processing resulted in a deferral since
1356          * this means we need to move the URXE to the deferred list rather
1357          * than the free list after we're finished dealing with it for now.
1358          *
1359          * However, we don't otherwise care here whether processing succeeded or
1360          * failed, as the RFC says even if a packet in a datagram is malformed,
1361          * we should still try to process any packets following it.
1362          *
1363          * In the case where the packet is so malformed we can't determine its
1364          * length, qrx_process_pkt will take care of advancing to the end of
1365          * the packet, so we will exit the loop automatically in this case.
1366          */
1367         if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_dcid, data_len))
1368             have_deferred = 1;
1369     }
1370 
1371     /* Only report whether there were any deferrals. */
1372     return have_deferred;
1373 }
1374 
1375 /* Process a single pending URXE. */
qrx_process_one_urxe(OSSL_QRX * qrx,QUIC_URXE * e)1376 static int qrx_process_one_urxe(OSSL_QRX *qrx, QUIC_URXE *e)
1377 {
1378     int was_deferred;
1379 
1380     /* The next URXE we process should be at the head of the pending list. */
1381     if (!ossl_assert(e == ossl_list_urxe_head(&qrx->urx_pending)))
1382         return 0;
1383 
1384     /*
1385      * Attempt to process the datagram. The return value indicates only if
1386      * processing of the datagram was deferred. If we failed to process the
1387      * datagram, we do not attempt to process it again and silently eat the
1388      * error.
1389      */
1390     was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e),
1391                                         e->data_len);
1392 
1393     /*
1394      * Remove the URXE from the pending list and return it to
1395      * either the free or deferred list.
1396      */
1397     ossl_list_urxe_remove(&qrx->urx_pending, e);
1398     if (was_deferred > 0 &&
1399             (e->deferred || qrx->num_deferred < qrx->max_deferred)) {
1400         ossl_list_urxe_insert_tail(&qrx->urx_deferred, e);
1401         if (!e->deferred) {
1402             e->deferred = 1;
1403             ++qrx->num_deferred;
1404         }
1405     } else {
1406         if (e->deferred) {
1407             e->deferred = 0;
1408             --qrx->num_deferred;
1409         }
1410         ossl_quic_demux_release_urxe(qrx->demux, e);
1411     }
1412 
1413     return 1;
1414 }
1415 
1416 /* Process any pending URXEs to generate pending RXEs. */
qrx_process_pending_urxl(OSSL_QRX * qrx)1417 static int qrx_process_pending_urxl(OSSL_QRX *qrx)
1418 {
1419     QUIC_URXE *e;
1420 
1421     while ((e = ossl_list_urxe_head(&qrx->urx_pending)) != NULL)
1422         if (!qrx_process_one_urxe(qrx, e))
1423             return 0;
1424 
1425     return 1;
1426 }
1427 
ossl_qrx_read_pkt(OSSL_QRX * qrx,OSSL_QRX_PKT ** ppkt)1428 int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT **ppkt)
1429 {
1430     RXE *rxe;
1431 
1432     if (!ossl_qrx_processed_read_pending(qrx)) {
1433         if (!qrx_process_pending_urxl(qrx))
1434             return 0;
1435 
1436         if (!ossl_qrx_processed_read_pending(qrx))
1437             return 0;
1438     }
1439 
1440     rxe = qrx_pop_pending_rxe(qrx);
1441     if (!ossl_assert(rxe != NULL))
1442         return 0;
1443 
1444     assert(rxe->refcount == 0);
1445     rxe->refcount = 1;
1446 
1447     rxe->pkt.hdr            = &rxe->hdr;
1448     rxe->pkt.pn             = rxe->pn;
1449     rxe->pkt.time           = rxe->time;
1450     rxe->pkt.datagram_len   = rxe->datagram_len;
1451     rxe->pkt.peer
1452         = BIO_ADDR_family(&rxe->peer) != AF_UNSPEC ? &rxe->peer : NULL;
1453     rxe->pkt.local
1454         = BIO_ADDR_family(&rxe->local) != AF_UNSPEC ? &rxe->local : NULL;
1455     rxe->pkt.key_epoch      = rxe->key_epoch;
1456     rxe->pkt.datagram_id    = rxe->datagram_id;
1457     rxe->pkt.qrx            = qrx;
1458     *ppkt = &rxe->pkt;
1459 
1460     return 1;
1461 }
1462 
ossl_qrx_pkt_release(OSSL_QRX_PKT * pkt)1463 void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt)
1464 {
1465     RXE *rxe;
1466 
1467     if (pkt == NULL)
1468         return;
1469 
1470     rxe = (RXE *)pkt;
1471     assert(rxe->refcount > 0);
1472     if (--rxe->refcount == 0)
1473         qrx_recycle_rxe(pkt->qrx, rxe);
1474 }
1475 
ossl_qrx_pkt_orphan(OSSL_QRX_PKT * pkt)1476 void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt)
1477 {
1478     RXE *rxe;
1479 
1480     if (pkt == NULL)
1481         return;
1482     rxe = (RXE *)pkt;
1483     assert(rxe->refcount > 0);
1484     rxe->refcount--;
1485     assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
1486     return;
1487 }
1488 
ossl_qrx_pkt_up_ref(OSSL_QRX_PKT * pkt)1489 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt)
1490 {
1491     RXE *rxe = (RXE *)pkt;
1492 
1493     assert(rxe->refcount > 0);
1494     ++rxe->refcount;
1495 }
1496 
ossl_qrx_get_bytes_received(OSSL_QRX * qrx,int clear)1497 uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear)
1498 {
1499     uint64_t v = qrx->bytes_received;
1500 
1501     if (clear)
1502         qrx->bytes_received = 0;
1503 
1504     return v;
1505 }
1506 
ossl_qrx_set_late_validation_cb(OSSL_QRX * qrx,ossl_qrx_late_validation_cb * cb,void * cb_arg)1507 int ossl_qrx_set_late_validation_cb(OSSL_QRX *qrx,
1508                                     ossl_qrx_late_validation_cb *cb,
1509                                     void *cb_arg)
1510 {
1511     qrx->validation_cb       = cb;
1512     qrx->validation_cb_arg   = cb_arg;
1513     return 1;
1514 }
1515 
ossl_qrx_set_key_update_cb(OSSL_QRX * qrx,ossl_qrx_key_update_cb * cb,void * cb_arg)1516 int ossl_qrx_set_key_update_cb(OSSL_QRX *qrx,
1517                                ossl_qrx_key_update_cb *cb,
1518                                void *cb_arg)
1519 {
1520     qrx->key_update_cb      = cb;
1521     qrx->key_update_cb_arg  = cb_arg;
1522     return 1;
1523 }
1524 
ossl_qrx_get_key_epoch(OSSL_QRX * qrx)1525 uint64_t ossl_qrx_get_key_epoch(OSSL_QRX *qrx)
1526 {
1527     OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1528                                                         QUIC_ENC_LEVEL_1RTT, 1);
1529 
1530     return el == NULL ? UINT64_MAX : el->key_epoch;
1531 }
1532 
ossl_qrx_key_update_timeout(OSSL_QRX * qrx,int normal)1533 int ossl_qrx_key_update_timeout(OSSL_QRX *qrx, int normal)
1534 {
1535     OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1536                                                         QUIC_ENC_LEVEL_1RTT, 1);
1537 
1538     if (el == NULL)
1539         return 0;
1540 
1541     if (el->state == QRL_EL_STATE_PROV_UPDATING
1542         && !ossl_qrl_enc_level_set_key_update_done(&qrx->el_set,
1543                                                    QUIC_ENC_LEVEL_1RTT))
1544         return 0;
1545 
1546     if (normal && el->state == QRL_EL_STATE_PROV_COOLDOWN
1547         && !ossl_qrl_enc_level_set_key_cooldown_done(&qrx->el_set,
1548                                                      QUIC_ENC_LEVEL_1RTT))
1549         return 0;
1550 
1551     return 1;
1552 }
1553 
ossl_qrx_get_cur_forged_pkt_count(OSSL_QRX * qrx)1554 uint64_t ossl_qrx_get_cur_forged_pkt_count(OSSL_QRX *qrx)
1555 {
1556     return qrx->forged_pkt_count;
1557 }
1558 
ossl_qrx_get_max_forged_pkt_count(OSSL_QRX * qrx,uint32_t enc_level)1559 uint64_t ossl_qrx_get_max_forged_pkt_count(OSSL_QRX *qrx,
1560                                            uint32_t enc_level)
1561 {
1562     OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
1563                                                         enc_level, 1);
1564 
1565     return el == NULL ? UINT64_MAX
1566         : ossl_qrl_get_suite_max_forged_pkt(el->suite_id);
1567 }
1568 
ossl_qrx_allow_1rtt_processing(OSSL_QRX * qrx)1569 void ossl_qrx_allow_1rtt_processing(OSSL_QRX *qrx)
1570 {
1571     if (qrx->allow_1rtt)
1572         return;
1573 
1574     qrx->allow_1rtt = 1;
1575     qrx_requeue_deferred(qrx);
1576 }
1577 
ossl_qrx_set_msg_callback(OSSL_QRX * qrx,ossl_msg_cb msg_callback,SSL * msg_callback_ssl)1578 void ossl_qrx_set_msg_callback(OSSL_QRX *qrx, ossl_msg_cb msg_callback,
1579                                SSL *msg_callback_ssl)
1580 {
1581     qrx->msg_callback = msg_callback;
1582     qrx->msg_callback_ssl = msg_callback_ssl;
1583 }
1584 
ossl_qrx_set_msg_callback_arg(OSSL_QRX * qrx,void * msg_callback_arg)1585 void ossl_qrx_set_msg_callback_arg(OSSL_QRX *qrx, void *msg_callback_arg)
1586 {
1587     qrx->msg_callback_arg = msg_callback_arg;
1588 }
1589 
ossl_qrx_get_short_hdr_conn_id_len(OSSL_QRX * qrx)1590 size_t ossl_qrx_get_short_hdr_conn_id_len(OSSL_QRX *qrx)
1591 {
1592     return qrx->short_conn_id_len;
1593 }
1594