1 /*
2 * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/quic_port.h"
11 #include "internal/quic_channel.h"
12 #include "internal/quic_lcidm.h"
13 #include "internal/quic_srtm.h"
14 #include "internal/quic_txp.h"
15 #include "internal/ssl_unwrap.h"
16 #include "quic_port_local.h"
17 #include "quic_channel_local.h"
18 #include "quic_engine_local.h"
19 #include "quic_local.h"
20 #include "../ssl_local.h"
21 #include <openssl/rand.h>
22
23 /*
24 * QUIC Port Structure
25 * ===================
26 */
27 #define INIT_DCID_LEN 8
28
29 static int port_init(QUIC_PORT *port);
30 static void port_cleanup(QUIC_PORT *port);
31 static OSSL_TIME get_time(void *arg);
32 static void port_default_packet_handler(QUIC_URXE *e, void *arg,
33 const QUIC_CONN_ID *dcid);
34 static void port_rx_pre(QUIC_PORT *port);
35
36 /**
37 * @struct validation_token
38 * @brief Represents a validation token for secure connection handling.
39 *
40 * This struct is used to store information related to a validation token.
41 *
42 * @var validation_token::is_retry
43 * True iff this validation token is for a token sent in a RETRY packet.
44 * Otherwise, this token is from a NEW_TOKEN_packet. Iff this value is true,
45 * then ODCID and RSCID are set.
46 *
47 * @var validation_token::timestamp
48 * Time that the validation token was minted.
49 *
50 * @var validation_token::odcid
51 * An original connection ID (`QUIC_CONN_ID`) used to identify the QUIC
52 * connection. This ID helps associate the token with a specific connection.
53 * This will only be valid for validation tokens from RETRY packets.
54 *
55 * @var validation_token::rscid
56 * DCID that the client will use as the DCID of the subsequent initial packet
57 * i.e the "new" DCID.
58 * This will only be valid for validation tokens from RETRY packets.
59 *
60 * @var validation_token::remote_addr_len
61 * Length of the following character array.
62 *
63 * @var validation_token::remote_addr
64 * A character array holding the raw address of the client requesting the
65 * connection.
66 */
67 typedef struct validation_token {
68 OSSL_TIME timestamp;
69 QUIC_CONN_ID odcid;
70 QUIC_CONN_ID rscid;
71 size_t remote_addr_len;
72 unsigned char *remote_addr;
73 unsigned char is_retry;
74 } QUIC_VALIDATION_TOKEN;
75
76 /*
77 * Maximum length of a marshalled validation token.
78 *
79 * - timestamp is 8 bytes
80 * - odcid and rscid are maximally 42 bytes in total
81 * - remote_addr_len is a size_t (8 bytes)
82 * - remote_addr is in the worst case 110 bytes (in the case of using a
83 * maximally sized AF_UNIX socket)
84 * - is_retry is a single byte
85 */
86 #define MARSHALLED_TOKEN_MAX_LEN 169
87
88 /*
89 * Maximum length of an encrypted marshalled validation token.
90 *
91 * This will include the size of the marshalled validation token plus a 16 byte
92 * tag and a 12 byte IV, so in total 197 bytes.
93 */
94 #define ENCRYPTED_TOKEN_MAX_LEN (MARSHALLED_TOKEN_MAX_LEN + 16 + 12)
95
96 DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL);
97 DEFINE_LIST_OF_IMPL(incoming_ch, QUIC_CHANNEL);
98 DEFINE_LIST_OF_IMPL(port, QUIC_PORT);
99
ossl_quic_port_new(const QUIC_PORT_ARGS * args)100 QUIC_PORT *ossl_quic_port_new(const QUIC_PORT_ARGS *args)
101 {
102 QUIC_PORT *port;
103
104 if ((port = OPENSSL_zalloc(sizeof(QUIC_PORT))) == NULL)
105 return NULL;
106
107 port->engine = args->engine;
108 port->channel_ctx = args->channel_ctx;
109 port->is_multi_conn = args->is_multi_conn;
110 port->validate_addr = args->do_addr_validation;
111 port->get_conn_user_ssl = args->get_conn_user_ssl;
112 port->user_ssl_arg = args->user_ssl_arg;
113
114 if (!port_init(port)) {
115 OPENSSL_free(port);
116 return NULL;
117 }
118
119 return port;
120 }
121
ossl_quic_port_free(QUIC_PORT * port)122 void ossl_quic_port_free(QUIC_PORT *port)
123 {
124 if (port == NULL)
125 return;
126
127 port_cleanup(port);
128 OPENSSL_free(port);
129 }
130
port_init(QUIC_PORT * port)131 static int port_init(QUIC_PORT *port)
132 {
133 size_t rx_short_dcid_len = (port->is_multi_conn ? INIT_DCID_LEN : 0);
134 int key_len;
135 EVP_CIPHER *cipher = NULL;
136 unsigned char *token_key = NULL;
137 int ret = 0;
138
139 if (port->engine == NULL || port->channel_ctx == NULL)
140 goto err;
141
142 if ((port->err_state = OSSL_ERR_STATE_new()) == NULL)
143 goto err;
144
145 if ((port->demux = ossl_quic_demux_new(/*BIO=*/NULL,
146 /*Short CID Len=*/rx_short_dcid_len,
147 get_time, port)) == NULL)
148 goto err;
149
150 ossl_quic_demux_set_default_handler(port->demux,
151 port_default_packet_handler,
152 port);
153
154 if ((port->srtm = ossl_quic_srtm_new(port->engine->libctx,
155 port->engine->propq)) == NULL)
156 goto err;
157
158 if ((port->lcidm = ossl_quic_lcidm_new(port->engine->libctx,
159 rx_short_dcid_len)) == NULL)
160 goto err;
161
162 port->rx_short_dcid_len = (unsigned char)rx_short_dcid_len;
163 port->tx_init_dcid_len = INIT_DCID_LEN;
164 port->state = QUIC_PORT_STATE_RUNNING;
165
166 ossl_list_port_insert_tail(&port->engine->port_list, port);
167 port->on_engine_list = 1;
168 port->bio_changed = 1;
169
170 /* Generate random key for token encryption */
171 if ((port->token_ctx = EVP_CIPHER_CTX_new()) == NULL
172 || (cipher = EVP_CIPHER_fetch(port->engine->libctx,
173 "AES-256-GCM", NULL)) == NULL
174 || !EVP_EncryptInit_ex(port->token_ctx, cipher, NULL, NULL, NULL)
175 || (key_len = EVP_CIPHER_CTX_get_key_length(port->token_ctx)) <= 0
176 || (token_key = OPENSSL_malloc(key_len)) == NULL
177 || !RAND_bytes_ex(port->engine->libctx, token_key, key_len, 0)
178 || !EVP_EncryptInit_ex(port->token_ctx, NULL, NULL, token_key, NULL))
179 goto err;
180
181 ret = 1;
182 err:
183 EVP_CIPHER_free(cipher);
184 OPENSSL_free(token_key);
185 if (!ret)
186 port_cleanup(port);
187 return ret;
188 }
189
port_cleanup(QUIC_PORT * port)190 static void port_cleanup(QUIC_PORT *port)
191 {
192 assert(ossl_list_ch_num(&port->channel_list) == 0);
193
194 ossl_quic_demux_free(port->demux);
195 port->demux = NULL;
196
197 ossl_quic_srtm_free(port->srtm);
198 port->srtm = NULL;
199
200 ossl_quic_lcidm_free(port->lcidm);
201 port->lcidm = NULL;
202
203 OSSL_ERR_STATE_free(port->err_state);
204 port->err_state = NULL;
205
206 if (port->on_engine_list) {
207 ossl_list_port_remove(&port->engine->port_list, port);
208 port->on_engine_list = 0;
209 }
210
211 EVP_CIPHER_CTX_free(port->token_ctx);
212 port->token_ctx = NULL;
213 }
214
port_transition_failed(QUIC_PORT * port)215 static void port_transition_failed(QUIC_PORT *port)
216 {
217 if (port->state == QUIC_PORT_STATE_FAILED)
218 return;
219
220 port->state = QUIC_PORT_STATE_FAILED;
221 }
222
ossl_quic_port_is_running(const QUIC_PORT * port)223 int ossl_quic_port_is_running(const QUIC_PORT *port)
224 {
225 return port->state == QUIC_PORT_STATE_RUNNING;
226 }
227
ossl_quic_port_get0_engine(QUIC_PORT * port)228 QUIC_ENGINE *ossl_quic_port_get0_engine(QUIC_PORT *port)
229 {
230 return port->engine;
231 }
232
ossl_quic_port_get0_reactor(QUIC_PORT * port)233 QUIC_REACTOR *ossl_quic_port_get0_reactor(QUIC_PORT *port)
234 {
235 return ossl_quic_engine_get0_reactor(port->engine);
236 }
237
ossl_quic_port_get0_demux(QUIC_PORT * port)238 QUIC_DEMUX *ossl_quic_port_get0_demux(QUIC_PORT *port)
239 {
240 return port->demux;
241 }
242
ossl_quic_port_get0_mutex(QUIC_PORT * port)243 CRYPTO_MUTEX *ossl_quic_port_get0_mutex(QUIC_PORT *port)
244 {
245 return ossl_quic_engine_get0_mutex(port->engine);
246 }
247
ossl_quic_port_get_time(QUIC_PORT * port)248 OSSL_TIME ossl_quic_port_get_time(QUIC_PORT *port)
249 {
250 return ossl_quic_engine_get_time(port->engine);
251 }
252
get_time(void * port)253 static OSSL_TIME get_time(void *port)
254 {
255 return ossl_quic_port_get_time((QUIC_PORT *)port);
256 }
257
ossl_quic_port_get_rx_short_dcid_len(const QUIC_PORT * port)258 int ossl_quic_port_get_rx_short_dcid_len(const QUIC_PORT *port)
259 {
260 return port->rx_short_dcid_len;
261 }
262
ossl_quic_port_get_tx_init_dcid_len(const QUIC_PORT * port)263 int ossl_quic_port_get_tx_init_dcid_len(const QUIC_PORT *port)
264 {
265 return port->tx_init_dcid_len;
266 }
267
ossl_quic_port_get_num_incoming_channels(const QUIC_PORT * port)268 size_t ossl_quic_port_get_num_incoming_channels(const QUIC_PORT *port)
269 {
270 return ossl_list_incoming_ch_num(&port->incoming_channel_list);
271 }
272
273 /*
274 * QUIC Port: Network BIO Configuration
275 * ====================================
276 */
277
278 /* Determines whether we can support a given poll descriptor. */
validate_poll_descriptor(const BIO_POLL_DESCRIPTOR * d)279 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR *d)
280 {
281 if (d->type == BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD && d->value.fd < 0) {
282 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
283 return 0;
284 }
285
286 return 1;
287 }
288
ossl_quic_port_get_net_rbio(QUIC_PORT * port)289 BIO *ossl_quic_port_get_net_rbio(QUIC_PORT *port)
290 {
291 return port->net_rbio;
292 }
293
ossl_quic_port_get_net_wbio(QUIC_PORT * port)294 BIO *ossl_quic_port_get_net_wbio(QUIC_PORT *port)
295 {
296 return port->net_wbio;
297 }
298
port_update_poll_desc(QUIC_PORT * port,BIO * net_bio,int for_write)299 static int port_update_poll_desc(QUIC_PORT *port, BIO *net_bio, int for_write)
300 {
301 BIO_POLL_DESCRIPTOR d = {0};
302
303 if (net_bio == NULL
304 || (!for_write && !BIO_get_rpoll_descriptor(net_bio, &d))
305 || (for_write && !BIO_get_wpoll_descriptor(net_bio, &d)))
306 /* Non-pollable BIO */
307 d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE;
308
309 if (!validate_poll_descriptor(&d))
310 return 0;
311
312 /*
313 * TODO(QUIC MULTIPORT): We currently only support one port per
314 * engine/domain. This is necessitated because QUIC_REACTOR only supports a
315 * single pollable currently. In the future, once complete polling
316 * infrastructure has been implemented, this limitation can be removed.
317 *
318 * For now, just update the descriptor on the engine's reactor as we are
319 * guaranteed to be the only port under it.
320 */
321 if (for_write)
322 ossl_quic_reactor_set_poll_w(&port->engine->rtor, &d);
323 else
324 ossl_quic_reactor_set_poll_r(&port->engine->rtor, &d);
325
326 return 1;
327 }
328
ossl_quic_port_update_poll_descriptors(QUIC_PORT * port,int force)329 int ossl_quic_port_update_poll_descriptors(QUIC_PORT *port, int force)
330 {
331 int ok = 1;
332
333 if (!force && !port->bio_changed)
334 return 0;
335
336 if (!port_update_poll_desc(port, port->net_rbio, /*for_write=*/0))
337 ok = 0;
338
339 if (!port_update_poll_desc(port, port->net_wbio, /*for_write=*/1))
340 ok = 0;
341
342 port->bio_changed = 0;
343 return ok;
344 }
345
346 /*
347 * We need to determine our addressing mode. There are basically two ways we can
348 * use L4 addresses:
349 *
350 * - Addressed mode, in which our BIO_sendmmsg calls have destination
351 * addresses attached to them which we expect the underlying network BIO to
352 * handle;
353 *
354 * - Unaddressed mode, in which the BIO provided to us on the network side
355 * neither provides us with L4 addresses nor is capable of honouring ones we
356 * provide. We don't know where the QUIC traffic we send ends up exactly and
357 * trust the application to know what it is doing.
358 *
359 * Addressed mode is preferred because it enables support for connection
360 * migration, multipath, etc. in the future. Addressed mode is automatically
361 * enabled if we are using e.g. BIO_s_datagram, with or without BIO_s_connect.
362 *
363 * If we are passed a BIO_s_dgram_pair (or some custom BIO) we may have to use
364 * unaddressed mode unless that BIO supports capability flags indicating it can
365 * provide and honour L4 addresses.
366 *
367 * Our strategy for determining address mode is simple: we probe the underlying
368 * network BIOs for their capabilities. If the network BIOs support what we
369 * need, we use addressed mode. Otherwise, we use unaddressed mode.
370 *
371 * If addressed mode is chosen, we require an initial peer address to be set. If
372 * this is not set, we fail. If unaddressed mode is used, we do not require
373 * this, as such an address is superfluous, though it can be set if desired.
374 */
port_update_addressing_mode(QUIC_PORT * port)375 static void port_update_addressing_mode(QUIC_PORT *port)
376 {
377 long rcaps = 0, wcaps = 0;
378
379 if (port->net_rbio != NULL)
380 rcaps = BIO_dgram_get_effective_caps(port->net_rbio);
381
382 if (port->net_wbio != NULL)
383 wcaps = BIO_dgram_get_effective_caps(port->net_wbio);
384
385 port->addressed_mode_r = ((rcaps & BIO_DGRAM_CAP_PROVIDES_SRC_ADDR) != 0);
386 port->addressed_mode_w = ((wcaps & BIO_DGRAM_CAP_HANDLES_DST_ADDR) != 0);
387 port->bio_changed = 1;
388 }
389
ossl_quic_port_is_addressed_r(const QUIC_PORT * port)390 int ossl_quic_port_is_addressed_r(const QUIC_PORT *port)
391 {
392 return port->addressed_mode_r;
393 }
394
ossl_quic_port_is_addressed_w(const QUIC_PORT * port)395 int ossl_quic_port_is_addressed_w(const QUIC_PORT *port)
396 {
397 return port->addressed_mode_w;
398 }
399
ossl_quic_port_is_addressed(const QUIC_PORT * port)400 int ossl_quic_port_is_addressed(const QUIC_PORT *port)
401 {
402 return ossl_quic_port_is_addressed_r(port) && ossl_quic_port_is_addressed_w(port);
403 }
404
405 /*
406 * QUIC_PORT does not ref any BIO it is provided with, nor is any ref
407 * transferred to it. The caller (e.g., QUIC_CONNECTION) is responsible for
408 * ensuring the BIO lasts until the channel is freed or the BIO is switched out
409 * for another BIO by a subsequent successful call to this function.
410 */
ossl_quic_port_set_net_rbio(QUIC_PORT * port,BIO * net_rbio)411 int ossl_quic_port_set_net_rbio(QUIC_PORT *port, BIO *net_rbio)
412 {
413 if (port->net_rbio == net_rbio)
414 return 1;
415
416 if (!port_update_poll_desc(port, net_rbio, /*for_write=*/0))
417 return 0;
418
419 ossl_quic_demux_set_bio(port->demux, net_rbio);
420 port->net_rbio = net_rbio;
421 port_update_addressing_mode(port);
422 return 1;
423 }
424
ossl_quic_port_set_net_wbio(QUIC_PORT * port,BIO * net_wbio)425 int ossl_quic_port_set_net_wbio(QUIC_PORT *port, BIO *net_wbio)
426 {
427 QUIC_CHANNEL *ch;
428
429 if (port->net_wbio == net_wbio)
430 return 1;
431
432 if (!port_update_poll_desc(port, net_wbio, /*for_write=*/1))
433 return 0;
434
435 OSSL_LIST_FOREACH(ch, ch, &port->channel_list)
436 ossl_qtx_set_bio(ch->qtx, net_wbio);
437
438 port->net_wbio = net_wbio;
439 port_update_addressing_mode(port);
440 return 1;
441 }
442
ossl_quic_port_get_channel_ctx(QUIC_PORT * port)443 SSL_CTX *ossl_quic_port_get_channel_ctx(QUIC_PORT *port)
444 {
445 return port->channel_ctx;
446 }
447
448 /*
449 * QUIC Port: Channel Lifecycle
450 * ============================
451 */
452
port_new_handshake_layer(QUIC_PORT * port,QUIC_CHANNEL * ch)453 static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
454 {
455 SSL *tls = NULL;
456 SSL_CONNECTION *tls_conn = NULL;
457 SSL *user_ssl = NULL;
458 QUIC_CONNECTION *qc = NULL;
459 QUIC_LISTENER *ql = NULL;
460
461 /*
462 * It only makes sense to call this function if we know how to associate
463 * the handshake layer we are about to create with some user_ssl object.
464 */
465 if (!ossl_assert(port->get_conn_user_ssl != NULL))
466 return NULL;
467 user_ssl = port->get_conn_user_ssl(ch, port->user_ssl_arg);
468 if (user_ssl == NULL)
469 return NULL;
470 qc = (QUIC_CONNECTION *)user_ssl;
471 ql = (QUIC_LISTENER *)port->user_ssl_arg;
472
473 /*
474 * We expect the user_ssl to be newly created so it must not have an
475 * existing qc->tls
476 */
477 if (!ossl_assert(qc->tls == NULL)) {
478 SSL_free(user_ssl);
479 return NULL;
480 }
481
482 tls = ossl_ssl_connection_new_int(port->channel_ctx, user_ssl, TLS_method());
483 qc->tls = tls;
484 if (tls == NULL || (tls_conn = SSL_CONNECTION_FROM_SSL(tls)) == NULL) {
485 SSL_free(user_ssl);
486 return NULL;
487 }
488
489 if (ql != NULL && ql->obj.ssl.ctx->new_pending_conn_cb != NULL)
490 if (!ql->obj.ssl.ctx->new_pending_conn_cb(ql->obj.ssl.ctx, user_ssl,
491 ql->obj.ssl.ctx->new_pending_conn_arg)) {
492 SSL_free(user_ssl);
493 return NULL;
494 }
495
496 /* Override the user_ssl of the inner connection. */
497 tls_conn->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
498
499 /* Restrict options derived from the SSL_CTX. */
500 tls_conn->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
501 tls_conn->pha_enabled = 0;
502 return tls;
503 }
504
port_make_channel(QUIC_PORT * port,SSL * tls,OSSL_QRX * qrx,int is_server,int is_tserver)505 static QUIC_CHANNEL *port_make_channel(QUIC_PORT *port, SSL *tls, OSSL_QRX *qrx,
506 int is_server, int is_tserver)
507 {
508 QUIC_CHANNEL_ARGS args = {0};
509 QUIC_CHANNEL *ch;
510
511 args.port = port;
512 args.is_server = is_server;
513 args.lcidm = port->lcidm;
514 args.srtm = port->srtm;
515 args.qrx = qrx;
516 args.is_tserver_ch = is_tserver;
517
518 /*
519 * Creating a a new channel is made a bit tricky here as there is a
520 * bit of a circular dependency. Initalizing a channel requires that
521 * the ch->tls and optionally the qlog_title be configured prior to
522 * initalization, but we need the channel at least partially configured
523 * to create the new handshake layer, so we have to do this in a few steps.
524 */
525
526 /*
527 * start by allocation and provisioning as much of the channel as we can
528 */
529 ch = ossl_quic_channel_alloc(&args);
530 if (ch == NULL)
531 return NULL;
532
533 /*
534 * Fixup the channel tls connection here before we init the channel
535 */
536 ch->tls = (tls != NULL) ? tls : port_new_handshake_layer(port, ch);
537
538 if (ch->tls == NULL) {
539 OPENSSL_free(ch);
540 return NULL;
541 }
542
543 #ifndef OPENSSL_NO_QLOG
544 /*
545 * If we're using qlog, make sure the tls get further configured properly
546 */
547 ch->use_qlog = 1;
548 if (ch->tls->ctx->qlog_title != NULL) {
549 if ((ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title)) == NULL) {
550 OPENSSL_free(ch);
551 return NULL;
552 }
553 }
554 #endif
555
556 /*
557 * And finally init the channel struct
558 */
559 if (!ossl_quic_channel_init(ch)) {
560 OPENSSL_free(ch);
561 return NULL;
562 }
563
564 ossl_qtx_set_bio(ch->qtx, port->net_wbio);
565 return ch;
566 }
567
ossl_quic_port_create_outgoing(QUIC_PORT * port,SSL * tls)568 QUIC_CHANNEL *ossl_quic_port_create_outgoing(QUIC_PORT *port, SSL *tls)
569 {
570 return port_make_channel(port, tls, NULL, /* is_server= */ 0,
571 /* is_tserver= */ 0);
572 }
573
ossl_quic_port_create_incoming(QUIC_PORT * port,SSL * tls)574 QUIC_CHANNEL *ossl_quic_port_create_incoming(QUIC_PORT *port, SSL *tls)
575 {
576 QUIC_CHANNEL *ch;
577
578 assert(port->tserver_ch == NULL);
579
580 /*
581 * pass -1 for qrx to indicate port will create qrx
582 * later in port_default_packet_handler() when calling port_bind_channel().
583 */
584 ch = port_make_channel(port, tls, NULL, /* is_server= */ 1,
585 /* is_tserver_ch */ 1);
586 port->tserver_ch = ch;
587 port->allow_incoming = 1;
588 return ch;
589 }
590
ossl_quic_port_pop_incoming(QUIC_PORT * port)591 QUIC_CHANNEL *ossl_quic_port_pop_incoming(QUIC_PORT *port)
592 {
593 QUIC_CHANNEL *ch;
594
595 ch = ossl_list_incoming_ch_head(&port->incoming_channel_list);
596 if (ch == NULL)
597 return NULL;
598
599 ossl_list_incoming_ch_remove(&port->incoming_channel_list, ch);
600 return ch;
601 }
602
ossl_quic_port_have_incoming(QUIC_PORT * port)603 int ossl_quic_port_have_incoming(QUIC_PORT *port)
604 {
605 return ossl_list_incoming_ch_head(&port->incoming_channel_list) != NULL;
606 }
607
ossl_quic_port_drop_incoming(QUIC_PORT * port)608 void ossl_quic_port_drop_incoming(QUIC_PORT *port)
609 {
610 QUIC_CHANNEL *ch;
611 SSL *tls;
612 SSL *user_ssl;
613 SSL_CONNECTION *sc;
614
615 for (;;) {
616 ch = ossl_quic_port_pop_incoming(port);
617 if (ch == NULL)
618 break;
619
620 tls = ossl_quic_channel_get0_tls(ch);
621 /*
622 * The user ssl may or may not have been created via the
623 * get_conn_user_ssl callback in the QUIC stack. The
624 * differentiation being if the user_ssl pointer and tls pointer
625 * are different. If they are, then the user_ssl needs freeing here
626 * which sends us through ossl_quic_free, which then drops the actual
627 * ch->tls ref and frees the channel
628 */
629 sc = SSL_CONNECTION_FROM_SSL(tls);
630 if (sc == NULL)
631 break;
632
633 user_ssl = SSL_CONNECTION_GET_USER_SSL(sc);
634 if (user_ssl == tls) {
635 ossl_quic_channel_free(ch);
636 SSL_free(tls);
637 } else {
638 SSL_free(user_ssl);
639 }
640 }
641 }
642
ossl_quic_port_set_allow_incoming(QUIC_PORT * port,int allow_incoming)643 void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming)
644 {
645 port->allow_incoming = allow_incoming;
646 }
647
648 /*
649 * QUIC Port: Ticker-Mutator
650 * =========================
651 */
652
653 /*
654 * Tick function for this port. This does everything related to network I/O for
655 * this port's network BIOs, and services child channels.
656 */
ossl_quic_port_subtick(QUIC_PORT * port,QUIC_TICK_RESULT * res,uint32_t flags)657 void ossl_quic_port_subtick(QUIC_PORT *port, QUIC_TICK_RESULT *res,
658 uint32_t flags)
659 {
660 QUIC_CHANNEL *ch;
661
662 res->net_read_desired = ossl_quic_port_is_running(port);
663 res->net_write_desired = 0;
664 res->notify_other_threads = 0;
665 res->tick_deadline = ossl_time_infinite();
666
667 if (!port->engine->inhibit_tick) {
668 /* Handle any incoming data from network. */
669 if (ossl_quic_port_is_running(port))
670 port_rx_pre(port);
671
672 /* Iterate through all channels and service them. */
673 OSSL_LIST_FOREACH(ch, ch, &port->channel_list) {
674 QUIC_TICK_RESULT subr = {0};
675
676 ossl_quic_channel_subtick(ch, &subr, flags);
677 ossl_quic_tick_result_merge_into(res, &subr);
678 }
679 }
680 }
681
682 /* Process incoming datagrams, if any. */
port_rx_pre(QUIC_PORT * port)683 static void port_rx_pre(QUIC_PORT *port)
684 {
685 int ret;
686
687 /*
688 * Originally, this check (don't RX before we have sent anything if we are
689 * not a server, because there can't be anything) was just intended as a
690 * minor optimisation. However, it is actually required on Windows, and
691 * removing this check will cause Windows to break.
692 *
693 * The reason is that under Win32, recvfrom() does not work on a UDP socket
694 * which has not had bind() called (???). However, calling sendto() will
695 * automatically bind an unbound UDP socket. Therefore, if we call a Winsock
696 * recv-type function before calling a Winsock send-type function, that call
697 * will fail with WSAEINVAL, which we will regard as a permanent network
698 * error.
699 *
700 * Therefore, this check is essential as we do not require our API users to
701 * bind a socket first when using the API in client mode.
702 */
703 if (!port->allow_incoming && !port->have_sent_any_pkt)
704 return;
705
706 /*
707 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams
708 * to the appropriate QRX instances.
709 */
710 ret = ossl_quic_demux_pump(port->demux);
711 if (ret == QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL)
712 /*
713 * We don't care about transient failure, but permanent failure means we
714 * should tear down the port. All connections skip straight to the
715 * Terminated state as there is no point trying to send CONNECTION_CLOSE
716 * frames if the network BIO is not operating correctly.
717 */
718 ossl_quic_port_raise_net_error(port, NULL);
719 }
720
721 /*
722 * Handles an incoming connection request and potentially decides to make a
723 * connection from it. If a new connection is made, the new channel is written
724 * to *new_ch.
725 */
port_bind_channel(QUIC_PORT * port,const BIO_ADDR * peer,const QUIC_CONN_ID * scid,const QUIC_CONN_ID * dcid,const QUIC_CONN_ID * odcid,OSSL_QRX * qrx,QUIC_CHANNEL ** new_ch)726 static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
727 const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid,
728 const QUIC_CONN_ID *odcid, OSSL_QRX *qrx,
729 QUIC_CHANNEL **new_ch)
730 {
731 QUIC_CHANNEL *ch;
732
733 /*
734 * If we're running with a simulated tserver, it will already have
735 * a dummy channel created, use that instead
736 */
737 if (port->tserver_ch != NULL) {
738 ch = port->tserver_ch;
739 port->tserver_ch = NULL;
740 ossl_quic_channel_bind_qrx(ch, qrx);
741 ossl_qrx_set_msg_callback(ch->qrx, ch->msg_callback,
742 ch->msg_callback_ssl);
743 ossl_qrx_set_msg_callback_arg(ch->qrx, ch->msg_callback_arg);
744 } else {
745 ch = port_make_channel(port, NULL, qrx, /* is_server= */ 1,
746 /* is_tserver */ 0);
747 }
748
749 if (ch == NULL)
750 return;
751
752 /*
753 * If we didn't provide a qrx here that means we need to set our initial
754 * secret here, since we just created a qrx
755 * Normally its not needed, as the initial secret gets added when we send
756 * our first server hello, but if we get a huge client hello, crossing
757 * multiple datagrams, we don't have a chance to do that, and datagrams
758 * after the first won't get decoded properly, for lack of secrets
759 */
760 if (qrx == NULL)
761 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
762 ch->port->engine->propq,
763 dcid, /* is_server */ 1,
764 ch->qrx, NULL))
765 return;
766
767 if (odcid->id_len != 0) {
768 /*
769 * If we have an odcid, then we went through server address validation
770 * and as such, this channel need not conform to the 3x validation cap
771 * See RFC 9000 s. 8.1
772 */
773 ossl_quic_tx_packetiser_set_validated(ch->txp);
774 if (!ossl_quic_bind_channel(ch, peer, scid, dcid, odcid)) {
775 ossl_quic_channel_free(ch);
776 return;
777 }
778 } else {
779 /*
780 * No odcid means we didn't do server validation, so we need to
781 * generate a cid via ossl_quic_channel_on_new_conn
782 */
783 if (!ossl_quic_channel_on_new_conn(ch, peer, scid, dcid)) {
784 ossl_quic_channel_free(ch);
785 return;
786 }
787 }
788
789 ossl_list_incoming_ch_insert_tail(&port->incoming_channel_list, ch);
790 *new_ch = ch;
791 }
792
port_try_handle_stateless_reset(QUIC_PORT * port,const QUIC_URXE * e)793 static int port_try_handle_stateless_reset(QUIC_PORT *port, const QUIC_URXE *e)
794 {
795 size_t i;
796 const unsigned char *data = ossl_quic_urxe_data(e);
797 void *opaque = NULL;
798
799 /*
800 * Perform some fast and cheap checks for a packet not being a stateless
801 * reset token. RFC 9000 s. 10.3 specifies this layout for stateless
802 * reset packets:
803 *
804 * Stateless Reset {
805 * Fixed Bits (2) = 1,
806 * Unpredictable Bits (38..),
807 * Stateless Reset Token (128),
808 * }
809 *
810 * It also specifies:
811 * However, endpoints MUST treat any packet ending in a valid
812 * stateless reset token as a Stateless Reset, as other QUIC
813 * versions might allow the use of a long header.
814 *
815 * We can rapidly check for the minimum length and that the first pair
816 * of bits in the first byte are 01 or 11.
817 *
818 * The function returns 1 if it is a stateless reset packet, 0 if it isn't
819 * and -1 if an error was encountered.
820 */
821 if (e->data_len < QUIC_STATELESS_RESET_TOKEN_LEN + 5
822 || (0100 & *data) != 0100)
823 return 0;
824
825 for (i = 0;; ++i) {
826 if (!ossl_quic_srtm_lookup(port->srtm,
827 (QUIC_STATELESS_RESET_TOKEN *)(data + e->data_len
828 - sizeof(QUIC_STATELESS_RESET_TOKEN)),
829 i, &opaque, NULL))
830 break;
831
832 assert(opaque != NULL);
833 ossl_quic_channel_on_stateless_reset((QUIC_CHANNEL *)opaque);
834 }
835
836 return i > 0;
837 }
838
cleanup_validation_token(QUIC_VALIDATION_TOKEN * token)839 static void cleanup_validation_token(QUIC_VALIDATION_TOKEN *token)
840 {
841 OPENSSL_free(token->remote_addr);
842 }
843
844 /**
845 * @brief Generates a validation token for a RETRY/NEW_TOKEN packet.
846 *
847 *
848 * @param peer Address of the client peer receiving the packet.
849 * @param odcid DCID of the connection attempt.
850 * @param rscid Retry source connection ID of the connection attempt.
851 * @param token Address of token to fill data.
852 *
853 * @return 1 if validation token is filled successfully, 0 otherwise.
854 */
generate_token(BIO_ADDR * peer,QUIC_CONN_ID odcid,QUIC_CONN_ID rscid,QUIC_VALIDATION_TOKEN * token,int is_retry)855 static int generate_token(BIO_ADDR *peer, QUIC_CONN_ID odcid,
856 QUIC_CONN_ID rscid, QUIC_VALIDATION_TOKEN *token,
857 int is_retry)
858 {
859 token->is_retry = is_retry;
860 token->timestamp = ossl_time_now();
861 token->remote_addr = NULL;
862 token->odcid = odcid;
863 token->rscid = rscid;
864
865 if (!BIO_ADDR_rawaddress(peer, NULL, &token->remote_addr_len)
866 || token->remote_addr_len == 0
867 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL
868 || !BIO_ADDR_rawaddress(peer, token->remote_addr,
869 &token->remote_addr_len)) {
870 cleanup_validation_token(token);
871 return 0;
872 }
873
874 return 1;
875 }
876
877 /**
878 * @brief Marshals a validation token into a new buffer.
879 *
880 * |buffer| should already be allocated and at least MARSHALLED_TOKEN_MAX_LEN
881 * bytes long. Stores the length of data stored in |buffer| in |buffer_len|.
882 *
883 * @param token Validation token.
884 * @param buffer Address to store the marshalled token.
885 * @param buffer_len Size of data stored in |buffer|.
886 */
marshal_validation_token(QUIC_VALIDATION_TOKEN * token,unsigned char * buffer,size_t * buffer_len)887 static int marshal_validation_token(QUIC_VALIDATION_TOKEN *token,
888 unsigned char *buffer, size_t *buffer_len)
889 {
890 WPACKET wpkt = {0};
891 BUF_MEM *buf_mem = BUF_MEM_new();
892
893 if (buffer == NULL || buf_mem == NULL
894 || (token->is_retry != 0 && token->is_retry != 1)) {
895 BUF_MEM_free(buf_mem);
896 return 0;
897 }
898
899 if (!WPACKET_init(&wpkt, buf_mem)
900 || !WPACKET_memset(&wpkt, token->is_retry, 1)
901 || !WPACKET_memcpy(&wpkt, &token->timestamp,
902 sizeof(token->timestamp))
903 || (token->is_retry
904 && (!WPACKET_sub_memcpy_u8(&wpkt, &token->odcid.id,
905 token->odcid.id_len)
906 || !WPACKET_sub_memcpy_u8(&wpkt, &token->rscid.id,
907 token->rscid.id_len)))
908 || !WPACKET_sub_memcpy_u8(&wpkt, token->remote_addr, token->remote_addr_len)
909 || !WPACKET_get_total_written(&wpkt, buffer_len)
910 || *buffer_len > MARSHALLED_TOKEN_MAX_LEN
911 || !WPACKET_finish(&wpkt)) {
912 WPACKET_cleanup(&wpkt);
913 BUF_MEM_free(buf_mem);
914 return 0;
915 }
916
917 memcpy(buffer, buf_mem->data, *buffer_len);
918 BUF_MEM_free(buf_mem);
919 return 1;
920 }
921
922 /**
923 * @brief Encrypts a validation token using AES-256-GCM
924 *
925 * @param port The QUIC port containing the encryption key
926 * @param plaintext The data to encrypt
927 * @param pt_len Length of the plaintext
928 * @param ciphertext Buffer to receive encrypted data. If NULL, ct_len will be
929 * set to the required buffer size and function returns
930 * immediately.
931 * @param ct_len Pointer to size_t that will receive the ciphertext length.
932 * This also includes bytes for QUIC_RETRY_INTEGRITY_TAG_LEN.
933 *
934 * @return 1 on success, 0 on failure
935 *
936 * The ciphertext format is:
937 * [EVP_GCM_IV_LEN bytes IV][encrypted data][EVP_GCM_TAG_LEN bytes tag]
938 */
encrypt_validation_token(const QUIC_PORT * port,const unsigned char * plaintext,size_t pt_len,unsigned char * ciphertext,size_t * ct_len)939 static int encrypt_validation_token(const QUIC_PORT *port,
940 const unsigned char *plaintext,
941 size_t pt_len,
942 unsigned char *ciphertext,
943 size_t *ct_len)
944 {
945 int iv_len, len, ret = 0;
946 size_t tag_len;
947 unsigned char *iv = ciphertext, *data, *tag;
948
949 if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0
950 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0)
951 goto err;
952
953 *ct_len = iv_len + pt_len + tag_len + QUIC_RETRY_INTEGRITY_TAG_LEN;
954 if (ciphertext == NULL) {
955 ret = 1;
956 goto err;
957 }
958
959 data = ciphertext + iv_len;
960 tag = data + pt_len;
961
962 if (!RAND_bytes_ex(port->engine->libctx, ciphertext, iv_len, 0)
963 || !EVP_EncryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv)
964 || !EVP_EncryptUpdate(port->token_ctx, data, &len, plaintext, pt_len)
965 || !EVP_EncryptFinal_ex(port->token_ctx, data + pt_len, &len)
966 || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_GET_TAG, tag_len, tag))
967 goto err;
968
969 ret = 1;
970 err:
971 return ret;
972 }
973
974 /**
975 * @brief Decrypts a validation token using AES-256-GCM
976 *
977 * @param port The QUIC port containing the decryption key
978 * @param ciphertext The encrypted data (including IV and tag)
979 * @param ct_len Length of the ciphertext
980 * @param plaintext Buffer to receive decrypted data. If NULL, pt_len will be
981 * set to the required buffer size.
982 * @param pt_len Pointer to size_t that will receive the plaintext length
983 *
984 * @return 1 on success, 0 on failure
985 *
986 * Expected ciphertext format:
987 * [EVP_GCM_IV_LEN bytes IV][encrypted data][EVP_GCM_TAG_LEN bytes tag]
988 */
decrypt_validation_token(const QUIC_PORT * port,const unsigned char * ciphertext,size_t ct_len,unsigned char * plaintext,size_t * pt_len)989 static int decrypt_validation_token(const QUIC_PORT *port,
990 const unsigned char *ciphertext,
991 size_t ct_len,
992 unsigned char *plaintext,
993 size_t *pt_len)
994 {
995 int iv_len, len = 0, ret = 0;
996 size_t tag_len;
997 const unsigned char *iv = ciphertext, *data, *tag;
998
999 if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0
1000 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0)
1001 goto err;
1002
1003 /* Prevent decryption of a buffer that is not within reasonable bounds */
1004 if (ct_len < (iv_len + tag_len) || ct_len > ENCRYPTED_TOKEN_MAX_LEN)
1005 goto err;
1006
1007 *pt_len = ct_len - iv_len - tag_len;
1008 if (plaintext == NULL) {
1009 ret = 1;
1010 goto err;
1011 }
1012
1013 data = ciphertext + iv_len;
1014 tag = ciphertext + ct_len - tag_len;
1015
1016 if (!EVP_DecryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv)
1017 || !EVP_DecryptUpdate(port->token_ctx, plaintext, &len, data,
1018 ct_len - iv_len - tag_len)
1019 || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_SET_TAG, tag_len,
1020 (void *)tag)
1021 || !EVP_DecryptFinal_ex(port->token_ctx, plaintext + len, &len))
1022 goto err;
1023
1024 ret = 1;
1025
1026 err:
1027 return ret;
1028 }
1029
1030 /**
1031 * @brief Parses contents of a buffer into a validation token.
1032 *
1033 * VALIDATION_TOKEN should already be initalized. Does some basic sanity checks.
1034 *
1035 * @param token Validation token to fill data in.
1036 * @param buf Buffer of previously marshaled validation token.
1037 * @param buf_len Length of |buf|.
1038 */
parse_validation_token(QUIC_VALIDATION_TOKEN * token,const unsigned char * buf,size_t buf_len)1039 static int parse_validation_token(QUIC_VALIDATION_TOKEN *token,
1040 const unsigned char *buf, size_t buf_len)
1041 {
1042 PACKET pkt, subpkt;
1043
1044 if (buf == NULL || token == NULL)
1045 return 0;
1046
1047 token->remote_addr = NULL;
1048
1049 if (!PACKET_buf_init(&pkt, buf, buf_len)
1050 || !PACKET_copy_bytes(&pkt, &token->is_retry, sizeof(token->is_retry))
1051 || !(token->is_retry == 0 || token->is_retry == 1)
1052 || !PACKET_copy_bytes(&pkt, (unsigned char *)&token->timestamp,
1053 sizeof(token->timestamp))
1054 || (token->is_retry
1055 && (!PACKET_get_length_prefixed_1(&pkt, &subpkt)
1056 || (token->odcid.id_len = (unsigned char)PACKET_remaining(&subpkt))
1057 > QUIC_MAX_CONN_ID_LEN
1058 || !PACKET_copy_bytes(&subpkt,
1059 (unsigned char *)&token->odcid.id,
1060 token->odcid.id_len)
1061 || !PACKET_get_length_prefixed_1(&pkt, &subpkt)
1062 || (token->rscid.id_len = (unsigned char)PACKET_remaining(&subpkt))
1063 > QUIC_MAX_CONN_ID_LEN
1064 || !PACKET_copy_bytes(&subpkt, (unsigned char *)&token->rscid.id,
1065 token->rscid.id_len)))
1066 || !PACKET_get_length_prefixed_1(&pkt, &subpkt)
1067 || (token->remote_addr_len = PACKET_remaining(&subpkt)) == 0
1068 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL
1069 || !PACKET_copy_bytes(&subpkt, token->remote_addr, token->remote_addr_len)
1070 || PACKET_remaining(&pkt) != 0) {
1071 cleanup_validation_token(token);
1072 return 0;
1073 }
1074
1075 return 1;
1076 }
1077
1078 /**
1079 * @brief Sends a QUIC Retry packet to a client.
1080 *
1081 * This function constructs and sends a Retry packet to the specified client
1082 * using the provided connection header information. The Retry packet
1083 * includes a generated validation token and a new connection ID, following
1084 * the QUIC protocol specifications for connection establishment.
1085 *
1086 * @param port Pointer to the QUIC port from which to send the packet.
1087 * @param peer Address of the client peer receiving the packet.
1088 * @param client_hdr Header of the client's initial packet, containing
1089 * connection IDs and other relevant information.
1090 *
1091 * This function performs the following steps:
1092 * - Generates a validation token for the client.
1093 * - Sets the destination and source connection IDs.
1094 * - Calculates the integrity tag and sets the token length.
1095 * - Encodes and sends the packet via the BIO network interface.
1096 *
1097 * Error handling is included for failures in CID generation, encoding, and
1098 * network transmiss
1099 */
port_send_retry(QUIC_PORT * port,BIO_ADDR * peer,QUIC_PKT_HDR * client_hdr)1100 static void port_send_retry(QUIC_PORT *port,
1101 BIO_ADDR *peer,
1102 QUIC_PKT_HDR *client_hdr)
1103 {
1104 BIO_MSG msg[1];
1105 /*
1106 * Buffer is used for both marshalling the token as well as for the RETRY
1107 * packet. The size of buffer should not be less than
1108 * MARSHALLED_TOKEN_MAX_LEN.
1109 */
1110 unsigned char buffer[512];
1111 unsigned char ct_buf[ENCRYPTED_TOKEN_MAX_LEN];
1112 WPACKET wpkt;
1113 size_t written, token_buf_len, ct_len;
1114 QUIC_PKT_HDR hdr = {0};
1115 QUIC_VALIDATION_TOKEN token = {0};
1116 int ok;
1117
1118 if (!ossl_assert(sizeof(buffer) >= MARSHALLED_TOKEN_MAX_LEN))
1119 return;
1120 /*
1121 * 17.2.5.1 Sending a Retry packet
1122 * dst ConnId is src ConnId we got from client
1123 * src ConnId comes from local conn ID manager
1124 */
1125 memset(&hdr, 0, sizeof(QUIC_PKT_HDR));
1126 hdr.dst_conn_id = client_hdr->src_conn_id;
1127 /*
1128 * this is the random connection ID, we expect client is
1129 * going to send the ID with next INITIAL packet which
1130 * will also come with token we generate here.
1131 */
1132 ok = ossl_quic_lcidm_get_unused_cid(port->lcidm, &hdr.src_conn_id);
1133 if (ok == 0)
1134 goto err;
1135
1136 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN));
1137
1138 /* Generate retry validation token */
1139 if (!generate_token(peer, client_hdr->dst_conn_id,
1140 hdr.src_conn_id, &token, 1)
1141 || !marshal_validation_token(&token, buffer, &token_buf_len)
1142 || !encrypt_validation_token(port, buffer, token_buf_len, NULL,
1143 &ct_len)
1144 || ct_len > ENCRYPTED_TOKEN_MAX_LEN
1145 || !encrypt_validation_token(port, buffer, token_buf_len, ct_buf,
1146 &ct_len)
1147 || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN))
1148 goto err;
1149
1150 hdr.dst_conn_id = client_hdr->src_conn_id;
1151 hdr.type = QUIC_PKT_TYPE_RETRY;
1152 hdr.fixed = 1;
1153 hdr.version = 1;
1154 hdr.len = ct_len;
1155 hdr.data = ct_buf;
1156 ok = ossl_quic_calculate_retry_integrity_tag(port->engine->libctx,
1157 port->engine->propq, &hdr,
1158 &client_hdr->dst_conn_id,
1159 ct_buf + ct_len
1160 - QUIC_RETRY_INTEGRITY_TAG_LEN);
1161 if (ok == 0)
1162 goto err;
1163
1164 hdr.token = hdr.data;
1165 hdr.token_len = hdr.len;
1166
1167 msg[0].data = buffer;
1168 msg[0].peer = peer;
1169 msg[0].local = NULL;
1170 msg[0].flags = 0;
1171
1172 ok = WPACKET_init_static_len(&wpkt, buffer, sizeof(buffer), 0);
1173 if (ok == 0)
1174 goto err;
1175
1176 ok = ossl_quic_wire_encode_pkt_hdr(&wpkt, client_hdr->dst_conn_id.id_len,
1177 &hdr, NULL);
1178 if (ok == 0)
1179 goto err;
1180
1181 ok = WPACKET_get_total_written(&wpkt, &msg[0].data_len);
1182 if (ok == 0)
1183 goto err;
1184
1185 ok = WPACKET_finish(&wpkt);
1186 if (ok == 0)
1187 goto err;
1188
1189 /*
1190 * TODO(QUIC FUTURE) need to retry this in the event it return EAGAIN
1191 * on a non-blocking BIO
1192 */
1193 if (!BIO_sendmmsg(port->net_wbio, msg, sizeof(BIO_MSG), 1, 0, &written))
1194 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR,
1195 "port retry send failed due to network BIO I/O error");
1196
1197 err:
1198 cleanup_validation_token(&token);
1199 }
1200
1201 /**
1202 * @brief Sends a QUIC Version Negotiation packet to the specified peer.
1203 *
1204 * This function constructs and sends a Version Negotiation packet using
1205 * the connection IDs from the client's initial packet header. The
1206 * Version Negotiation packet indicates support for QUIC version 1.
1207 *
1208 * @param port Pointer to the QUIC_PORT structure representing the port
1209 * context used for network communication.
1210 * @param peer Pointer to the BIO_ADDR structure specifying the address
1211 * of the peer to which the Version Negotiation packet
1212 * will be sent.
1213 * @param client_hdr Pointer to the QUIC_PKT_HDR structure containing the
1214 * client's packet header used to extract connection IDs.
1215 *
1216 * @note The function will raise an error if sending the message fails.
1217 */
port_send_version_negotiation(QUIC_PORT * port,BIO_ADDR * peer,QUIC_PKT_HDR * client_hdr)1218 static void port_send_version_negotiation(QUIC_PORT *port, BIO_ADDR *peer,
1219 QUIC_PKT_HDR *client_hdr)
1220 {
1221 BIO_MSG msg[1];
1222 unsigned char buffer[1024];
1223 QUIC_PKT_HDR hdr;
1224 WPACKET wpkt;
1225 uint32_t supported_versions[1];
1226 size_t written;
1227 size_t i;
1228
1229 memset(&hdr, 0, sizeof(QUIC_PKT_HDR));
1230 /*
1231 * Reverse the source and dst conn ids
1232 */
1233 hdr.dst_conn_id = client_hdr->src_conn_id;
1234 hdr.src_conn_id = client_hdr->dst_conn_id;
1235
1236 /*
1237 * This is our list of supported protocol versions
1238 * Currently only QUIC_VERSION_1
1239 */
1240 supported_versions[0] = QUIC_VERSION_1;
1241
1242 /*
1243 * Fill out the header fields
1244 * Note: Version negotiation packets, must, unlike
1245 * other packet types have a version of 0
1246 */
1247 hdr.type = QUIC_PKT_TYPE_VERSION_NEG;
1248 hdr.version = 0;
1249 hdr.token = 0;
1250 hdr.token_len = 0;
1251 hdr.len = sizeof(supported_versions);
1252 hdr.data = (unsigned char *)supported_versions;
1253
1254 msg[0].data = buffer;
1255 msg[0].peer = peer;
1256 msg[0].local = NULL;
1257 msg[0].flags = 0;
1258
1259 if (!WPACKET_init_static_len(&wpkt, buffer, sizeof(buffer), 0))
1260 return;
1261
1262 if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, client_hdr->dst_conn_id.id_len,
1263 &hdr, NULL))
1264 return;
1265
1266 /*
1267 * Add the array of supported versions to the end of the packet
1268 */
1269 for (i = 0; i < OSSL_NELEM(supported_versions); i++) {
1270 if (!WPACKET_put_bytes_u32(&wpkt, htonl(supported_versions[i])))
1271 return;
1272 }
1273
1274 if (!WPACKET_get_total_written(&wpkt, &msg[0].data_len))
1275 return;
1276
1277 if (!WPACKET_finish(&wpkt))
1278 return;
1279
1280 /*
1281 * Send it back to the client attempting to connect
1282 * TODO(QUIC FUTURE): Need to handle the EAGAIN case here, if the
1283 * BIO_sendmmsg call falls in a retryable manner
1284 */
1285 if (!BIO_sendmmsg(port->net_wbio, msg, sizeof(BIO_MSG), 1, 0, &written))
1286 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR,
1287 "port version negotiation send failed");
1288 }
1289
1290 /**
1291 * @brief defintions of token lifetimes
1292 *
1293 * RETRY tokens are only valid for 10 seconds
1294 * NEW_TOKEN tokens have a lifetime of 3600 sec (1 hour)
1295 */
1296
1297 #define RETRY_LIFETIME 10
1298 #define NEW_TOKEN_LIFETIME 3600
1299 /**
1300 * @brief Validates a received token in a QUIC packet header.
1301 *
1302 * This function checks the validity of a token contained in the provided
1303 * QUIC packet header (`QUIC_PKT_HDR *hdr`). The validation process involves
1304 * verifying that the token matches an expected format and value. If the
1305 * token is from a RETRY packet, the function extracts the original connection
1306 * ID (ODCID)/original source connection ID (SCID) and stores it in the provided
1307 * parameters. If the token is from a NEW_TOKEN packet, the values will be
1308 * derived instead.
1309 *
1310 * @param hdr Pointer to the QUIC packet header containing the token.
1311 * @param port Pointer to the QUIC port from which to send the packet.
1312 * @param peer Address of the client peer receiving the packet.
1313 * @param odcid Pointer to the connection ID structure to store the ODCID if the
1314 * token is valid.
1315 * @param scid Pointer to the connection ID structure to store the SCID if the
1316 * token is valid.
1317 *
1318 * @return 1 if the token is valid and ODCID/SCID are successfully set.
1319 * 0 otherwise.
1320 *
1321 * The function performs the following checks:
1322 * - Token length meets the required minimum.
1323 * - Buffer matches expected format.
1324 * - Peer address matches previous connection address.
1325 * - Token has not expired. Currently set to 10 seconds for tokens from RETRY
1326 * packets and 60 minutes for tokens from NEW_TOKEN packets. This may be
1327 * configurable in the future.
1328 */
port_validate_token(QUIC_PKT_HDR * hdr,QUIC_PORT * port,BIO_ADDR * peer,QUIC_CONN_ID * odcid,QUIC_CONN_ID * scid,uint8_t * gen_new_token)1329 static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port,
1330 BIO_ADDR *peer, QUIC_CONN_ID *odcid,
1331 QUIC_CONN_ID *scid, uint8_t *gen_new_token)
1332 {
1333 int ret = 0;
1334 QUIC_VALIDATION_TOKEN token = { 0 };
1335 uint64_t time_diff;
1336 size_t remote_addr_len, dec_token_len;
1337 unsigned char *remote_addr = NULL, dec_token[MARSHALLED_TOKEN_MAX_LEN];
1338 OSSL_TIME now = ossl_time_now();
1339
1340 *gen_new_token = 0;
1341
1342 if (!decrypt_validation_token(port, hdr->token, hdr->token_len, NULL,
1343 &dec_token_len)
1344 || dec_token_len > MARSHALLED_TOKEN_MAX_LEN
1345 || !decrypt_validation_token(port, hdr->token, hdr->token_len,
1346 dec_token, &dec_token_len)
1347 || !parse_validation_token(&token, dec_token, dec_token_len))
1348 goto err;
1349
1350 /*
1351 * Validate token timestamp. Current time should not be before the token
1352 * timestamp.
1353 */
1354 if (ossl_time_compare(now, token.timestamp) < 0)
1355 goto err;
1356 time_diff = ossl_time2seconds(ossl_time_abs_difference(token.timestamp,
1357 now));
1358 if ((token.is_retry && time_diff > RETRY_LIFETIME)
1359 || (!token.is_retry && time_diff > NEW_TOKEN_LIFETIME))
1360 goto err;
1361
1362 /* Validate remote address */
1363 if (!BIO_ADDR_rawaddress(peer, NULL, &remote_addr_len)
1364 || remote_addr_len != token.remote_addr_len
1365 || (remote_addr = OPENSSL_malloc(remote_addr_len)) == NULL
1366 || !BIO_ADDR_rawaddress(peer, remote_addr, &remote_addr_len)
1367 || memcmp(remote_addr, token.remote_addr, remote_addr_len) != 0)
1368 goto err;
1369
1370 /*
1371 * Set ODCID and SCID. If the token is from a RETRY packet, retrieve both
1372 * from the token. Otherwise, generate a new ODCID and use the header's
1373 * source connection ID for SCID.
1374 */
1375 if (token.is_retry) {
1376 /*
1377 * We're parsing a packet header before its gone through AEAD validation
1378 * here, so there is a chance we are dealing with corrupted data. Make
1379 * Sure the dcid encoded in the token matches the headers dcid to
1380 * mitigate that.
1381 * TODO(QUIC FUTURE): Consider handling AEAD validation at the port
1382 * level rather than the QRX/channel level to eliminate the need for
1383 * this.
1384 */
1385 if (token.rscid.id_len != hdr->dst_conn_id.id_len
1386 || memcmp(&token.rscid.id, &hdr->dst_conn_id.id,
1387 token.rscid.id_len) != 0)
1388 goto err;
1389 *odcid = token.odcid;
1390 *scid = token.rscid;
1391 } else {
1392 if (!ossl_quic_lcidm_get_unused_cid(port->lcidm, odcid))
1393 goto err;
1394 *scid = hdr->src_conn_id;
1395 }
1396
1397 /*
1398 * Determine if we need to send a NEW_TOKEN frame
1399 * If we validated a retry token, we should always
1400 * send a NEW_TOKEN frame to the client
1401 *
1402 * If however, we validated a NEW_TOKEN, which may be
1403 * reused multiple times, only send a NEW_TOKEN frame
1404 * if the existing received token has less than 10% of its lifetime
1405 * remaining. This prevents us from constantly sending
1406 * NEW_TOKEN frames on every connection when not needed
1407 */
1408 if (token.is_retry) {
1409 *gen_new_token = 1;
1410 } else {
1411 if (time_diff > ((NEW_TOKEN_LIFETIME * 9) / 10))
1412 *gen_new_token = 1;
1413 }
1414
1415 ret = 1;
1416 err:
1417 cleanup_validation_token(&token);
1418 OPENSSL_free(remote_addr);
1419 return ret;
1420 }
1421
generate_new_token(QUIC_CHANNEL * ch,BIO_ADDR * peer)1422 static void generate_new_token(QUIC_CHANNEL *ch, BIO_ADDR *peer)
1423 {
1424 QUIC_CONN_ID rscid = { 0 };
1425 QUIC_VALIDATION_TOKEN token;
1426 unsigned char buffer[ENCRYPTED_TOKEN_MAX_LEN];
1427 unsigned char *ct_buf;
1428 size_t ct_len;
1429 size_t token_buf_len = 0;
1430
1431 /* Clients never send a NEW_TOKEN */
1432 if (!ch->is_server)
1433 return;
1434
1435 ct_buf = OPENSSL_zalloc(ENCRYPTED_TOKEN_MAX_LEN);
1436 if (ct_buf == NULL)
1437 return;
1438
1439 /*
1440 * NEW_TOKEN tokens may be used for multiple subsequent connections
1441 * within their timeout period, so don't reserve an rscid here
1442 * like we do for retry tokens, instead, just fill it with random
1443 * data, as we won't use it anyway
1444 */
1445 rscid.id_len = 8;
1446 if (!RAND_bytes_ex(ch->port->engine->libctx, rscid.id, 8, 0)) {
1447 OPENSSL_free(ct_buf);
1448 return;
1449 }
1450
1451 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN));
1452
1453 if (!generate_token(peer, ch->init_dcid, rscid, &token, 0)
1454 || !marshal_validation_token(&token, buffer, &token_buf_len)
1455 || !encrypt_validation_token(ch->port, buffer, token_buf_len, NULL,
1456 &ct_len)
1457 || ct_len > ENCRYPTED_TOKEN_MAX_LEN
1458 || !encrypt_validation_token(ch->port, buffer, token_buf_len, ct_buf,
1459 &ct_len)
1460 || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN)) {
1461 OPENSSL_free(ct_buf);
1462 cleanup_validation_token(&token);
1463 return;
1464 }
1465
1466 ch->pending_new_token = ct_buf;
1467 ch->pending_new_token_len = ct_len;
1468
1469 cleanup_validation_token(&token);
1470 }
1471
1472 /*
1473 * This is called by the demux when we get a packet not destined for any known
1474 * DCID.
1475 */
port_default_packet_handler(QUIC_URXE * e,void * arg,const QUIC_CONN_ID * dcid)1476 static void port_default_packet_handler(QUIC_URXE *e, void *arg,
1477 const QUIC_CONN_ID *dcid)
1478 {
1479 QUIC_PORT *port = arg;
1480 PACKET pkt;
1481 QUIC_PKT_HDR hdr;
1482 QUIC_CHANNEL *ch = NULL, *new_ch = NULL;
1483 QUIC_CONN_ID odcid, scid;
1484 uint8_t gen_new_token = 0;
1485 OSSL_QRX *qrx = NULL;
1486 OSSL_QRX *qrx_src = NULL;
1487 OSSL_QRX_ARGS qrx_args = {0};
1488 uint64_t cause_flags = 0;
1489 OSSL_QRX_PKT *qrx_pkt = NULL;
1490
1491 /* Don't handle anything if we are no longer running. */
1492 if (!ossl_quic_port_is_running(port))
1493 goto undesirable;
1494
1495 if (port_try_handle_stateless_reset(port, e))
1496 goto undesirable;
1497
1498 if (dcid != NULL
1499 && ossl_quic_lcidm_lookup(port->lcidm, dcid, NULL,
1500 (void **)&ch)) {
1501 assert(ch != NULL);
1502 ossl_quic_channel_inject(ch, e);
1503 return;
1504 }
1505
1506 /*
1507 * If we have an incoming packet which doesn't match any existing connection
1508 * we assume this is an attempt to make a new connection.
1509 */
1510 if (!port->allow_incoming)
1511 goto undesirable;
1512
1513 /*
1514 * We have got a packet for an unknown DCID. This might be an attempt to
1515 * open a new connection.
1516 */
1517 if (e->data_len < QUIC_MIN_INITIAL_DGRAM_LEN)
1518 goto undesirable;
1519
1520 if (!PACKET_buf_init(&pkt, ossl_quic_urxe_data(e), e->data_len))
1521 goto undesirable;
1522
1523 /*
1524 * We set short_conn_id_len to SIZE_MAX here which will cause the decode
1525 * operation to fail if we get a 1-RTT packet. This is fine since we only
1526 * care about Initial packets.
1527 */
1528 if (!ossl_quic_wire_decode_pkt_hdr(&pkt, SIZE_MAX, 1, 0, &hdr, NULL,
1529 &cause_flags)) {
1530 /*
1531 * If we fail due to a bad version, we know the packet up to the version
1532 * number was decoded, and we use it below to send a version
1533 * negotiation packet
1534 */
1535 if ((cause_flags & QUIC_PKT_HDR_DECODE_BAD_VERSION) == 0)
1536 goto undesirable;
1537 }
1538
1539 switch (hdr.version) {
1540 case QUIC_VERSION_1:
1541 break;
1542
1543 case QUIC_VERSION_NONE:
1544 default:
1545
1546 /*
1547 * If we get here, then we have a bogus version, and might need
1548 * to send a version negotiation packet. According to
1549 * RFC 9000 s. 6 and 14.1, we only do so however, if the UDP datagram
1550 * is a minimum of 1200 bytes in size
1551 */
1552 if (e->data_len < 1200)
1553 goto undesirable;
1554
1555 /*
1556 * If we don't get a supported version, respond with a ver
1557 * negotiation packet, and discard
1558 * TODO(QUIC FUTURE): Rate limit the reception of these
1559 */
1560 port_send_version_negotiation(port, &e->peer, &hdr);
1561 goto undesirable;
1562 }
1563
1564 /*
1565 * We only care about Initial packets which might be trying to establish a
1566 * connection.
1567 */
1568 if (hdr.type != QUIC_PKT_TYPE_INITIAL)
1569 goto undesirable;
1570
1571 odcid.id_len = 0;
1572
1573 /*
1574 * Create qrx now so we can check integrity of packet
1575 * which does not belong to any channel.
1576 */
1577 qrx_args.libctx = port->engine->libctx;
1578 qrx_args.demux = port->demux;
1579 qrx_args.short_conn_id_len = dcid->id_len;
1580 qrx_args.max_deferred = 32;
1581 qrx = ossl_qrx_new(&qrx_args);
1582 if (qrx == NULL)
1583 goto undesirable;
1584
1585 /*
1586 * Derive secrets for qrx only.
1587 */
1588 if (!ossl_quic_provide_initial_secret(port->engine->libctx,
1589 port->engine->propq,
1590 &hdr.dst_conn_id,
1591 /* is_server */ 1,
1592 qrx, NULL))
1593 goto undesirable;
1594
1595 if (ossl_qrx_validate_initial_packet(qrx, e, (const QUIC_CONN_ID *)dcid) == 0)
1596 goto undesirable;
1597
1598 if (port->validate_addr == 0) {
1599 /*
1600 * Forget qrx, because it becomes (almost) useless here. We must let
1601 * channel to create a new QRX for connection ID server chooses. The
1602 * validation keys for new DCID will be derived by
1603 * ossl_quic_channel_on_new_conn() when we will be creating channel.
1604 * See RFC 9000 section 7.2 negotiating connection id to better
1605 * understand what's going on here.
1606 *
1607 * Did we say qrx is almost useless? Why? Because qrx remembers packets
1608 * we just validated. Those packets must be injected to channel we are
1609 * going to create. We use qrx_src alias so we can read packets from
1610 * qrx and inject them to channel.
1611 */
1612 qrx_src = qrx;
1613 qrx = NULL;
1614 }
1615 /*
1616 * TODO(QUIC FUTURE): there should be some logic similar to accounting half-open
1617 * states in TCP. If we reach certain threshold, then we want to
1618 * validate clients.
1619 */
1620 if (port->validate_addr == 1 && hdr.token == NULL) {
1621 port_send_retry(port, &e->peer, &hdr);
1622 goto undesirable;
1623 }
1624
1625 /*
1626 * Note, even if we don't enforce the sending of retry frames for
1627 * server address validation, we may still get a token if we sent
1628 * a NEW_TOKEN frame during a prior connection, which we should still
1629 * validate here
1630 */
1631 if (hdr.token != NULL
1632 && port_validate_token(&hdr, port, &e->peer,
1633 &odcid, &scid,
1634 &gen_new_token) == 0) {
1635 /*
1636 * RFC 9000 s 8.1.3
1637 * When a server receives an Initial packet with an address
1638 * validation token, it MUST attempt to validate the token,
1639 * unless it has already completed address validation.
1640 * If the token is invalid, then the server SHOULD proceed as
1641 * if the client did not have a validated address,
1642 * including potentially sending a Retry packet
1643 * Note: If address validation is disabled, just act like
1644 * the request is valid
1645 */
1646 if (port->validate_addr == 1) {
1647 /*
1648 * Again: we should consider saving initial encryption level
1649 * secrets to token here to save some CPU cycles.
1650 */
1651 port_send_retry(port, &e->peer, &hdr);
1652 goto undesirable;
1653 }
1654
1655 /*
1656 * client is under amplification limit, until it completes
1657 * handshake.
1658 *
1659 * forget qrx so channel can create a new one
1660 * with valid initial encryption level keys.
1661 */
1662 qrx_src = qrx;
1663 qrx = NULL;
1664 }
1665
1666 port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
1667 &odcid, qrx, &new_ch);
1668
1669 /*
1670 * if packet validates it gets moved to channel, we've just bound
1671 * to port.
1672 */
1673 if (new_ch == NULL)
1674 goto undesirable;
1675
1676 /*
1677 * Generate a token for sending in a later NEW_TOKEN frame
1678 */
1679 if (gen_new_token == 1)
1680 generate_new_token(new_ch, &e->peer);
1681
1682 if (qrx != NULL) {
1683 /*
1684 * The qrx belongs to channel now, so don't free it.
1685 */
1686 qrx = NULL;
1687 } else {
1688 /*
1689 * We still need to salvage packets from almost forgotten qrx
1690 * and pass them to channel.
1691 */
1692 while (ossl_qrx_read_pkt(qrx_src, &qrx_pkt) == 1)
1693 ossl_quic_channel_inject_pkt(new_ch, qrx_pkt);
1694 }
1695
1696 /*
1697 * If function reaches this place, then packet got validated in
1698 * ossl_qrx_validate_initial_packet(). Keep in mind the function
1699 * ossl_qrx_validate_initial_packet() decrypts the packet to validate it.
1700 * If packet validation was successful (and it was because we are here),
1701 * then the function puts the packet to qrx->rx_pending. We must not call
1702 * ossl_qrx_inject_urxe() here now, because we don't want to insert
1703 * the packet to qrx->urx_pending which keeps packet waiting for decryption.
1704 *
1705 * We are going to call ossl_quic_demux_release_urxe() to dispose buffer
1706 * which still holds encrypted data.
1707 */
1708
1709 undesirable:
1710 ossl_qrx_free(qrx);
1711 ossl_qrx_free(qrx_src);
1712 ossl_quic_demux_release_urxe(port->demux, e);
1713 }
1714
ossl_quic_port_raise_net_error(QUIC_PORT * port,QUIC_CHANNEL * triggering_ch)1715 void ossl_quic_port_raise_net_error(QUIC_PORT *port,
1716 QUIC_CHANNEL *triggering_ch)
1717 {
1718 QUIC_CHANNEL *ch;
1719
1720 if (!ossl_quic_port_is_running(port))
1721 return;
1722
1723 /*
1724 * Immediately capture any triggering error on the error stack, with a
1725 * cover error.
1726 */
1727 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR,
1728 "port failed due to network BIO I/O error");
1729 OSSL_ERR_STATE_save(port->err_state);
1730
1731 port_transition_failed(port);
1732
1733 /* Give the triggering channel (if any) the first notification. */
1734 if (triggering_ch != NULL)
1735 ossl_quic_channel_raise_net_error(triggering_ch);
1736
1737 OSSL_LIST_FOREACH(ch, ch, &port->channel_list)
1738 if (ch != triggering_ch)
1739 ossl_quic_channel_raise_net_error(ch);
1740 }
1741
ossl_quic_port_restore_err_state(const QUIC_PORT * port)1742 void ossl_quic_port_restore_err_state(const QUIC_PORT *port)
1743 {
1744 ERR_clear_error();
1745 OSSL_ERR_STATE_restore(port->err_state);
1746 }
1747