xref: /freebsd/crypto/openssl/ssl/quic/quic_tls.c (revision e7be843b4a162e68651d3911f0357ed464915629)
1 /*
2  * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
13 #include "internal/quic_record_util.h"
14 #include "internal/quic_error.h"
15 #include "internal/quic_types.h"
16 #include "internal/ssl_unwrap.h"
17 
18 #define QUIC_TLS_FATAL(rl, ad, err) \
19     do { \
20         if ((rl) != NULL) (rl)->alert = (ad); \
21         ERR_raise(ERR_LIB_SSL, (err)); \
22         if ((rl) != NULL) (rl)->qtls->inerror = 1; \
23     } while(0)
24 
25 struct quic_tls_st {
26     QUIC_TLS_ARGS args;
27 
28     /*
29      * Transport parameters which client should send. Buffer lifetime must
30      * exceed the lifetime of the QUIC_TLS object.
31      */
32     const unsigned char *local_transport_params;
33     size_t local_transport_params_len;
34 
35     ERR_STATE *error_state;
36 
37     /*
38      * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
39      * only if inerror is 1.
40      */
41     uint64_t error_code;
42 
43     /*
44      * Error message with static storage duration. Valid only if inerror is 1.
45      * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
46      */
47     const char *error_msg;
48 
49     /* Whether our SSL object for TLS has been configured for use in QUIC */
50     unsigned int configured : 1;
51 
52     /* Set if we have hit any error state */
53     unsigned int inerror : 1;
54 
55     /* Set if the handshake has completed */
56     unsigned int complete : 1;
57 
58     /* Set if we have consumed the local transport parameters yet. */
59     unsigned int local_transport_params_consumed : 1;
60 };
61 
62 struct ossl_record_layer_st {
63     QUIC_TLS *qtls;
64 
65     /* Protection level */
66     int level;
67 
68     /* Only used for retry flags */
69     BIO *dummybio;
70 
71     /* Number of bytes written so far if we are part way through a write */
72     size_t written;
73 
74     /* If we are part way through a write, a copy of the template */
75     OSSL_RECORD_TEMPLATE template;
76 
77     /*
78      * If we hit an error, what alert code should be used
79      */
80     int alert;
81 
82     /* Amount of crypto stream data we read in the last call to quic_read_record */
83     size_t recread;
84 
85     /* Amount of crypto stream data read but not yet released */
86     size_t recunreleased;
87 
88     /* Callbacks */
89     OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
90     void *cbarg;
91 };
92 
93 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
94 static int quic_free(OSSL_RECORD_LAYER *r);
95 
96 static int
quic_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,uint16_t epoch,unsigned char * secret,size_t secretlen,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp,const EVP_MD * kdfdigest,BIO * prev,BIO * transport,BIO * next,BIO_ADDR * local,BIO_ADDR * peer,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,void * rlarg,OSSL_RECORD_LAYER ** retrl)97 quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
98                       int role, int direction, int level, uint16_t epoch,
99                       unsigned char *secret, size_t secretlen,
100                       unsigned char *key, size_t keylen, unsigned char *iv,
101                       size_t ivlen, unsigned char *mackey, size_t mackeylen,
102                       const EVP_CIPHER *ciph, size_t taglen,
103                       int mactype,
104                       const EVP_MD *md, COMP_METHOD *comp,
105                       const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
106                       BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
107                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
108                       const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
109                       OSSL_RECORD_LAYER **retrl)
110 {
111     OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
112     int qdir;
113     uint32_t suite_id = 0;
114 
115     if (rl == NULL) {
116         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
117         return 0;
118     }
119 
120     rl->qtls = (QUIC_TLS *)rlarg;
121     rl->level = level;
122     if (!quic_set1_bio(rl, transport)) {
123         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
124         goto err;
125     }
126     rl->cbarg = cbarg;
127     *retrl = rl;
128 
129     if (fns != NULL) {
130         for (; fns->function_id != 0; fns++) {
131             switch (fns->function_id) {
132                 break;
133             case OSSL_FUNC_RLAYER_MSG_CALLBACK:
134                 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
135                 break;
136             default:
137                 /* Just ignore anything we don't understand */
138                 break;
139             }
140         }
141     }
142 
143     if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
144         return 1;
145 
146     if (direction == OSSL_RECORD_DIRECTION_READ)
147         qdir = 0;
148     else
149         qdir = 1;
150 
151     if (rl->qtls->args.ossl_quic) {
152 #ifndef OPENSSL_NO_QUIC
153         /*
154          * We only look up the suite_id/MD for internal callers. Not used in the
155          * public API. We assume that a 3rd party QUIC stack will want to
156          * figure this out by itself (e.g. so that they could add new
157          * ciphersuites at a different pace to us)
158          */
159         if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
160             suite_id = QRL_SUITE_AES128GCM;
161         } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
162             suite_id = QRL_SUITE_AES256GCM;
163         } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
164             suite_id = QRL_SUITE_CHACHA20POLY1305;
165         } else {
166             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
167             goto err;
168         }
169 
170         /* We pass a ref to the md in a successful yield_secret_cb call */
171         /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
172         if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
173             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
174             goto err;
175         }
176 #else
177         if (!ossl_assert("Should not happen" == NULL))
178             goto err;
179 #endif
180     } else {
181         kdfdigest = NULL;
182     }
183 
184     if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
185                                         (EVP_MD *)kdfdigest, secret, secretlen,
186                                         rl->qtls->args.yield_secret_cb_arg)) {
187         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
188         EVP_MD_free((EVP_MD *)kdfdigest);
189         goto err;
190     }
191 
192     return 1;
193  err:
194     *retrl = NULL;
195     quic_free(rl);
196     return 0;
197 }
198 
quic_free(OSSL_RECORD_LAYER * rl)199 static int quic_free(OSSL_RECORD_LAYER *rl)
200 {
201     if (rl == NULL)
202         return 1;
203 
204     BIO_free(rl->dummybio);
205     OPENSSL_free(rl);
206     return 1;
207 }
208 
quic_unprocessed_read_pending(OSSL_RECORD_LAYER * rl)209 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
210 {
211     /*
212      * Read ahead isn't really a thing for QUIC so we never have unprocessed
213      * data pending
214      */
215     return 0;
216 }
217 
quic_processed_read_pending(OSSL_RECORD_LAYER * rl)218 static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
219 {
220     /*
221      * This is currently only ever used by:
222      * - SSL_has_pending()
223      * - to check whether we have more records that we want to supply to the
224      *   upper layers
225      *
226      * We only ever supply 1 record at a time to the upper layers, and
227      * SSL_has_pending() will go via the QUIC method not the TLS method so that
228      * use case doesn't apply here.
229      * Therefore we can ignore this for now and always return 0. We might
230      * eventually want to change this to check in the receive buffers to see if
231      * we have any more data pending.
232      */
233     return 0;
234 }
235 
quic_get_max_records(OSSL_RECORD_LAYER * rl,uint8_t type,size_t len,size_t maxfrag,size_t * preffrag)236 static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
237                                    size_t len,
238                                    size_t maxfrag, size_t *preffrag)
239 {
240     return 1;
241 }
242 
quic_write_records(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * template,size_t numtempl)243 static int quic_write_records(OSSL_RECORD_LAYER *rl,
244                               OSSL_RECORD_TEMPLATE *template,
245                               size_t numtempl)
246 {
247     size_t consumed;
248     unsigned char alert;
249 
250     if (!ossl_assert(numtempl == 1)) {
251         /* How could this be? quic_get_max_records() always returns 1 */
252         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
253         return OSSL_RECORD_RETURN_FATAL;
254     }
255 
256     BIO_clear_retry_flags(rl->dummybio);
257 
258     if (rl->msg_callback != NULL) {
259         unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
260 
261         /*
262          * For the purposes of the callback we "pretend" to be normal TLS,
263          * and manufacture a dummy record header
264          */
265         dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
266                         ? template->type
267                         : SSL3_RT_APPLICATION_DATA;
268         dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
269         dummyrec[2] = (unsigned char)(template->version & 0xff);
270         /*
271          * We assume that buflen is always <= UINT16_MAX. Since this is
272          * generated by libssl itself we actually expect it to never
273          * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
274          * assumption
275          */
276         dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
277         dummyrec[4] = (unsigned char)(template->buflen & 0xff);
278 
279         rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
280                             SSL3_RT_HEADER_LENGTH, rl->cbarg);
281 
282         if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
283             rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
284                              &template->type, 1, rl->cbarg);
285         }
286     }
287 
288     switch (template->type) {
289     case SSL3_RT_ALERT:
290         if (template->buflen != 2) {
291             /*
292              * We assume that libssl always sends both bytes of an alert to
293              * us in one go, and never fragments it. If we ever get more
294              * or less bytes than exactly 2 then this is very unexpected.
295              */
296             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
297             return OSSL_RECORD_RETURN_FATAL;
298         }
299         /*
300          * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
301          * description that we are actually interested in.
302          */
303         alert = template->buf[1];
304 
305         if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
306             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
307             return OSSL_RECORD_RETURN_FATAL;
308         }
309         break;
310 
311     case SSL3_RT_HANDSHAKE:
312         /*
313          * We expect this to only fail on some fatal error (e.g. malloc
314          * failure)
315          */
316         if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
317                                            template->buflen - rl->written,
318                                            &consumed,
319                                            rl->qtls->args.crypto_send_cb_arg)) {
320             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
321             return OSSL_RECORD_RETURN_FATAL;
322         }
323         /*
324          * We might have written less than we wanted to if we have filled the
325          * send stream buffer.
326          */
327         if (consumed + rl->written != template->buflen) {
328             if (!ossl_assert(consumed + rl->written < template->buflen)) {
329                 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
330                 return OSSL_RECORD_RETURN_FATAL;
331             }
332 
333             /*
334              * We've not written everything we wanted to. Take a copy of the
335              * template, remember how much we wrote so far and signal a retry.
336              * The buffer supplied in the template is guaranteed to be the same
337              * on a retry for handshake data
338              */
339             rl->written += consumed;
340             rl->template = *template;
341             BIO_set_retry_write(rl->dummybio);
342 
343             return OSSL_RECORD_RETURN_RETRY;
344         }
345         rl->written = 0;
346         break;
347 
348     default:
349         /* Anything else is unexpected and an error */
350         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
351         return OSSL_RECORD_RETURN_FATAL;
352     }
353 
354     return OSSL_RECORD_RETURN_SUCCESS;
355 }
356 
quic_retry_write_records(OSSL_RECORD_LAYER * rl)357 static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
358 {
359     return quic_write_records(rl, &rl->template, 1);
360 }
361 
quic_read_record(OSSL_RECORD_LAYER * rl,void ** rechandle,int * rversion,uint8_t * type,const unsigned char ** data,size_t * datalen,uint16_t * epoch,unsigned char * seq_num)362 static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
363                             int *rversion, uint8_t *type, const unsigned char **data,
364                             size_t *datalen, uint16_t *epoch,
365                             unsigned char *seq_num)
366 {
367     if (rl->recread != 0 || rl->recunreleased != 0)
368         return OSSL_RECORD_RETURN_FATAL;
369 
370     BIO_clear_retry_flags(rl->dummybio);
371 
372     if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
373                                            rl->qtls->args.crypto_recv_rcd_cb_arg)) {
374         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
375         return OSSL_RECORD_RETURN_FATAL;
376     }
377 
378     if (*datalen == 0) {
379         BIO_set_retry_read(rl->dummybio);
380         return OSSL_RECORD_RETURN_RETRY;
381     }
382 
383     *rechandle = rl;
384     *rversion = TLS1_3_VERSION;
385     *type = SSL3_RT_HANDSHAKE;
386     rl->recread = rl->recunreleased = *datalen;
387     /* epoch/seq_num are not relevant for TLS */
388 
389     if (rl->msg_callback != NULL) {
390         unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
391 
392         /*
393          * For the purposes of the callback we "pretend" to be normal TLS,
394          * and manufacture a dummy record header
395          */
396         dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
397                       ? SSL3_RT_HANDSHAKE
398                       : SSL3_RT_APPLICATION_DATA;
399         dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
400         dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
401         /*
402          * *datalen will always fit into 2 bytes because our original buffer
403          * size is less than that.
404          */
405         dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
406         dummyrec[4] = (unsigned char)(*datalen & 0xff);
407 
408         rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
409                          SSL3_RT_HEADER_LENGTH, rl->cbarg);
410         rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
411                          rl->cbarg);
412     }
413 
414     return OSSL_RECORD_RETURN_SUCCESS;
415 }
416 
quic_release_record(OSSL_RECORD_LAYER * rl,void * rechandle,size_t length)417 static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
418                                size_t length)
419 {
420     if (!ossl_assert(rl->recread > 0)
421             || !ossl_assert(rl->recunreleased <= rl->recread)
422             || !ossl_assert(rl == rechandle)
423             || !ossl_assert(length <= rl->recunreleased)) {
424         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
425         return OSSL_RECORD_RETURN_FATAL;
426     }
427 
428     if (rl->recunreleased == length) {
429         if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
430                                                   rl->qtls->args.crypto_release_rcd_cb_arg)) {
431             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
432             return OSSL_RECORD_RETURN_FATAL;
433         }
434         rl->recread = 0;
435     }
436     rl->recunreleased -= length;
437     return OSSL_RECORD_RETURN_SUCCESS;
438 }
439 
quic_get_alert_code(OSSL_RECORD_LAYER * rl)440 static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
441 {
442     return rl->alert;
443 }
444 
quic_set_protocol_version(OSSL_RECORD_LAYER * rl,int version)445 static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
446 {
447     /* We only support TLSv1.3, so its bad if we negotiate anything else */
448     if (!ossl_assert(version == TLS1_3_VERSION)) {
449         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
450         return 0;
451     }
452 
453     return 1;
454 }
455 
quic_set_plain_alerts(OSSL_RECORD_LAYER * rl,int allow)456 static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
457 {
458     /* We don't care */
459 }
460 
quic_set_first_handshake(OSSL_RECORD_LAYER * rl,int first)461 static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
462 {
463     /* We don't care */
464 }
465 
quic_set_max_pipelines(OSSL_RECORD_LAYER * rl,size_t max_pipelines)466 static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
467 {
468     /* We don't care */
469 }
470 
quic_get_state(OSSL_RECORD_LAYER * rl,const char ** shortstr,const char ** longstr)471 static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
472                     const char **longstr)
473 {
474     /*
475      * According to the docs, valid read state strings are: "RH"/"read header",
476      * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
477      * that way, so we report every "normal" state as "read header". In the
478      * event of error then we report "unknown".
479      */
480 
481     if (rl->qtls->inerror) {
482         if (shortstr != NULL)
483             *shortstr = "unknown";
484         if (longstr != NULL)
485             *longstr = "unknown";
486     } else {
487         if (shortstr != NULL)
488             *shortstr = "RH";
489         if (longstr != NULL)
490             *longstr = "read header";
491     }
492 }
493 
quic_set_options(OSSL_RECORD_LAYER * rl,const OSSL_PARAM * options)494 static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
495 {
496     /*
497      * We don't support any options yet - but we might do at some point so
498      * this could be useful.
499      */
500     return 1;
501 }
502 
quic_get_compression(OSSL_RECORD_LAYER * rl)503 static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
504 {
505     /* We only support TLSv1.3 which doesn't have compression */
506     return NULL;
507 }
508 
quic_set_max_frag_len(OSSL_RECORD_LAYER * rl,size_t max_frag_len)509 static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
510 {
511     /* This really doesn't make any sense for QUIC. Ignore it */
512 }
513 
quic_alloc_buffers(OSSL_RECORD_LAYER * rl)514 static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
515 {
516     /*
517      * This is a hint only. We don't support it (yet), so just ignore the
518      * request
519      */
520     return 1;
521 }
522 
quic_free_buffers(OSSL_RECORD_LAYER * rl)523 static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
524 {
525     /*
526      * This is a hint only. We don't support it (yet), so just ignore the
527      * request
528      */
529     return 1;
530 }
531 
quic_set1_bio(OSSL_RECORD_LAYER * rl,BIO * bio)532 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
533 {
534     if (bio != NULL && !BIO_up_ref(bio))
535         return 0;
536     BIO_free(rl->dummybio);
537     rl->dummybio = bio;
538 
539     return 1;
540 }
541 
542 /*
543  * Never called functions
544  *
545  * Due to the way we are configured and used we never expect any of the next set
546  * of functions to be called. Therefore we set them to always fail.
547  */
548 
quic_app_data_pending(OSSL_RECORD_LAYER * rl)549 static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
550 {
551     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
552     return (size_t)ossl_assert(0);
553 }
554 
quic_get_max_record_overhead(OSSL_RECORD_LAYER * rl)555 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
556 {
557     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
558     return (size_t)ossl_assert(0);
559 }
560 
quic_increment_sequence_ctr(OSSL_RECORD_LAYER * rl)561 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
562 {
563     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
564     return ossl_assert(0);
565 }
566 
567 /* End of never called functions */
568 
569 static const OSSL_RECORD_METHOD quic_tls_record_method = {
570     quic_new_record_layer,
571     quic_free,
572     quic_unprocessed_read_pending,
573     quic_processed_read_pending,
574     quic_app_data_pending, /* Never called */
575     quic_get_max_records,
576     quic_write_records,
577     quic_retry_write_records,
578     quic_read_record,
579     quic_release_record,
580     quic_get_alert_code,
581     quic_set1_bio,
582     quic_set_protocol_version,
583     quic_set_plain_alerts,
584     quic_set_first_handshake,
585     quic_set_max_pipelines,
586     NULL, /* set_in_init: Optional - we don't need it */
587     quic_get_state,
588     quic_set_options,
589     quic_get_compression,
590     quic_set_max_frag_len,
591     quic_get_max_record_overhead, /* Never called */
592     quic_increment_sequence_ctr, /* Never called */
593     quic_alloc_buffers,
594     quic_free_buffers
595 };
596 
add_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)597 static int add_transport_params_cb(SSL *s, unsigned int ext_type,
598                                    unsigned int context,
599                                    const unsigned char **out, size_t *outlen,
600                                    X509 *x, size_t chainidx, int *al,
601                                    void *add_arg)
602 {
603     QUIC_TLS *qtls = add_arg;
604 
605     *out = qtls->local_transport_params;
606     *outlen = qtls->local_transport_params_len;
607     qtls->local_transport_params_consumed = 1;
608     return 1;
609 }
610 
free_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)611 static void free_transport_params_cb(SSL *s, unsigned int ext_type,
612                                      unsigned int context,
613                                      const unsigned char *out,
614                                      void *add_arg)
615 {
616 }
617 
parse_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)618 static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
619                                      unsigned int context,
620                                      const unsigned char *in,
621                                      size_t inlen, X509 *x,
622                                      size_t chainidx,
623                                      int *al, void *parse_arg)
624 {
625     QUIC_TLS *qtls = parse_arg;
626 
627     return qtls->args.got_transport_params_cb(in, inlen,
628                                               qtls->args.got_transport_params_cb_arg);
629 }
630 
ossl_quic_tls_new(const QUIC_TLS_ARGS * args)631 QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
632 {
633     QUIC_TLS *qtls;
634 
635     if (args->crypto_send_cb == NULL
636         || args->crypto_recv_rcd_cb == NULL
637         || args->crypto_release_rcd_cb == NULL) {
638         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
639         return NULL;
640     }
641 
642     qtls = OPENSSL_zalloc(sizeof(*qtls));
643     if (qtls == NULL)
644         return NULL;
645 
646     if (args->ossl_quic && (qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
647         OPENSSL_free(qtls);
648         return NULL;
649     }
650 
651     qtls->args = *args;
652     return qtls;
653 }
654 
ossl_quic_tls_free(QUIC_TLS * qtls)655 void ossl_quic_tls_free(QUIC_TLS *qtls)
656 {
657     if (qtls == NULL)
658         return;
659     OSSL_ERR_STATE_free(qtls->error_state);
660     OPENSSL_free(qtls);
661 }
662 
raise_error(QUIC_TLS * qtls,uint64_t error_code,const char * error_msg,const char * src_file,int src_line,const char * src_func)663 static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
664                        const char *error_msg,
665                        const char *src_file,
666                        int src_line,
667                        const char *src_func)
668 {
669     /*
670      * When QTLS fails, add a "cover letter" error with information, potentially
671      * with any underlying libssl errors underneath it (but our cover error may
672      * be the only error in some cases). Then capture this into an ERR_STATE so
673      * we can report it later if need be when the QUIC_CHANNEL asks for it.
674      * For external QUIC TLS we just raise the error.
675      */
676     ERR_new();
677     ERR_set_debug(src_file, src_line, src_func);
678     ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
679                   "handshake layer error, error code %llu (0x%llx) (\"%s\")",
680                   error_code, error_code, error_msg);
681 
682     if (qtls->args.ossl_quic) {
683         OSSL_ERR_STATE_save_to_mark(qtls->error_state);
684 
685         /*
686          * We record the error information reported via the QUIC protocol
687          * separately.
688          */
689         qtls->error_code        = error_code;
690         qtls->error_msg         = error_msg;
691         qtls->inerror           = 1;
692 
693         ERR_pop_to_mark();
694     }
695     return 0;
696 }
697 
698 #define RAISE_ERROR(qtls, error_code, error_msg) \
699     raise_error((qtls), (error_code), (error_msg), \
700                 OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
701 
702 #ifndef OPENSSL_NO_QUIC
703 # define RAISE_INTERNAL_ERROR(qtls) \
704     RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
705 #else
706 # define RAISE_INTERNAL_ERROR(qtls) \
707     RAISE_ERROR((qtls), 0x01, "internal error")
708 #endif
709 
ossl_quic_tls_configure(QUIC_TLS * qtls)710 int ossl_quic_tls_configure(QUIC_TLS *qtls)
711 {
712     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
713     BIO *nullbio;
714 
715     if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
716         return RAISE_INTERNAL_ERROR(qtls);
717 
718     nullbio = BIO_new(BIO_s_null());
719     if (nullbio == NULL)
720         return RAISE_INTERNAL_ERROR(qtls);
721 
722     /*
723      * Our custom record layer doesn't use the BIO - but libssl generally
724      * expects one to be present.
725      */
726     SSL_set_bio(qtls->args.s, nullbio, nullbio);
727 
728     SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
729     ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
730 
731     if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
732                                         qtls->args.is_server ? ENDPOINT_SERVER
733                                                              : ENDPOINT_CLIENT,
734                                         TLSEXT_TYPE_quic_transport_parameters,
735                                         SSL_EXT_TLS1_3_ONLY
736                                         | SSL_EXT_CLIENT_HELLO
737                                         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
738                                         add_transport_params_cb,
739                                         free_transport_params_cb, qtls,
740                                         parse_transport_params_cb, qtls))
741         return 0;
742 
743     sc->s3.flags |= TLS1_FLAGS_QUIC;
744 
745     return 1;
746 }
747 
748 #ifndef OPENSSL_NO_QUIC
ossl_quic_tls_tick(QUIC_TLS * qtls)749 int ossl_quic_tls_tick(QUIC_TLS *qtls)
750 {
751     int ret, err;
752     const unsigned char *alpn;
753     unsigned int alpnlen;
754 
755     if (qtls->inerror)
756         return 0;
757 
758     /*
759      * SSL_get_error does not truly know what the cause of an SSL_read failure
760      * is and to some extent guesses based on contextual information. In
761      * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
762      * SSL_ERROR_SYSCALL will be returned no matter what and there is no
763      * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
764      * the actual cause of the SSL_read() failure.
765      *
766      * This means that ordinarily, the below code might not work right if the
767      * application has any ERR on the error stack. In order to make this code
768      * perform correctly regardless of prior ERR state, we use a variant of
769      * SSL_get_error() which ignores the error stack. However, some ERRs are
770      * raised by SSL_read() and actually indicate that something has gone wrong
771      * during the call to SSL_read(). We therefore adopt a strategy of marking
772      * the ERR stack and seeing if any errors get appended during the call to
773      * SSL_read(). If they are, we assume SSL_read() has raised an error and
774      * that we should use normal SSL_get_error() handling.
775      *
776      * NOTE: Ensure all escape paths from this function call
777      * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
778      */
779     ERR_set_mark();
780 
781     if (!qtls->configured) {
782         SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
783         SSL_CTX *sctx;
784 
785         if (sc == NULL)
786             return RAISE_INTERNAL_ERROR(qtls);
787         sctx = SSL_CONNECTION_GET_CTX(sc);
788 
789         /*
790          * No matter how the user has configured us, there are certain
791          * requirements for QUIC-TLS that we enforce
792          */
793 
794         /* ALPN is a requirement for QUIC and must be set */
795         if (qtls->args.is_server) {
796             if (sctx->ext.alpn_select_cb == NULL)
797                 return RAISE_INTERNAL_ERROR(qtls);
798         } else {
799             if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
800                 return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
801                                    "ALPN must be configured when using QUIC");
802         }
803 
804         if (!ossl_quic_tls_configure(qtls))
805             return RAISE_INTERNAL_ERROR(qtls);
806 
807         sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
808 
809         if (qtls->args.is_server)
810             SSL_set_accept_state(qtls->args.s);
811         else
812             SSL_set_connect_state(qtls->args.s);
813 
814         qtls->configured = 1;
815     }
816 
817     if (qtls->complete)
818         /*
819          * There should never be app data to read, but calling SSL_read() will
820          * ensure any post-handshake messages are processed.
821          */
822         ret = SSL_read(qtls->args.s, NULL, 0);
823     else
824         ret = SSL_do_handshake(qtls->args.s);
825 
826     if (ret <= 0) {
827         err = ossl_ssl_get_error(qtls->args.s, ret,
828                                  /*check_err=*/ERR_count_to_mark() > 0);
829 
830         switch (err) {
831         case SSL_ERROR_WANT_READ:
832         case SSL_ERROR_WANT_WRITE:
833         case SSL_ERROR_WANT_CLIENT_HELLO_CB:
834         case SSL_ERROR_WANT_X509_LOOKUP:
835         case SSL_ERROR_WANT_RETRY_VERIFY:
836             ERR_pop_to_mark();
837             return 1;
838 
839         default:
840             return RAISE_INTERNAL_ERROR(qtls);
841         }
842     }
843 
844     if (!qtls->complete) {
845         /* Validate that we have ALPN */
846         SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
847         if (alpn == NULL || alpnlen == 0)
848             return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
849                                "no application protocol negotiated");
850 
851         qtls->complete = 1;
852         ERR_pop_to_mark();
853         return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
854     }
855 
856     ERR_pop_to_mark();
857     return 1;
858 }
859 #endif
860 
ossl_quic_tls_clear(QUIC_TLS * qtls)861 void ossl_quic_tls_clear(QUIC_TLS *qtls)
862 {
863     if (qtls == NULL)
864         return;
865     qtls->local_transport_params_consumed = 0;
866 }
867 
ossl_quic_tls_set_transport_params(QUIC_TLS * qtls,const unsigned char * transport_params,size_t transport_params_len)868 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
869                                        const unsigned char *transport_params,
870                                        size_t transport_params_len)
871 {
872     if (qtls->local_transport_params_consumed)
873         return 0;
874 
875     qtls->local_transport_params       = transport_params;
876     qtls->local_transport_params_len   = transport_params_len;
877     return 1;
878 }
879 
ossl_quic_tls_get_error(QUIC_TLS * qtls,uint64_t * error_code,const char ** error_msg,ERR_STATE ** error_state)880 int ossl_quic_tls_get_error(QUIC_TLS *qtls,
881                             uint64_t *error_code,
882                             const char **error_msg,
883                             ERR_STATE **error_state)
884 {
885     if (qtls->inerror) {
886         *error_code     = qtls->error_code;
887         *error_msg      = qtls->error_msg;
888         *error_state    = qtls->error_state;
889     }
890 
891     return qtls->inerror;
892 }
893 
894 /*
895  * Returns true if the last handshake record message we processed was a
896  * CertificateRequest
897  */
ossl_quic_tls_is_cert_request(QUIC_TLS * qtls)898 int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
899 {
900     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
901 
902     if (sc == NULL)
903         return 0;
904 
905     return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
906 }
907 
908 /*
909  * Returns true if the last session associated with the connection has an
910  * invalid max_early_data value for QUIC.
911  */
ossl_quic_tls_has_bad_max_early_data(QUIC_TLS * qtls)912 int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
913 {
914     uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
915 
916     /*
917      * If max_early_data was present we always ensure a non-zero value is
918      * stored in the session for QUIC. Therefore if max_early_data == 0 here
919      * we can be confident that it was not present in the NewSessionTicket
920      */
921     return max_early_data != 0xffffffff && max_early_data != 0;
922 }
923 
ossl_quic_tls_set_early_data_enabled(QUIC_TLS * qtls,int enabled)924 int ossl_quic_tls_set_early_data_enabled(QUIC_TLS *qtls, int enabled)
925 {
926     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
927 
928     if (sc == NULL || !SSL_IS_QUIC_HANDSHAKE(sc) || !SSL_in_before(qtls->args.s))
929         return 0;
930 
931     if (!enabled) {
932         sc->max_early_data = 0;
933         sc->early_data_state = SSL_EARLY_DATA_NONE;
934         return 1;
935     }
936 
937     if (sc->server) {
938         sc->max_early_data = 0xffffffff;
939         sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
940         return 1;
941     }
942 
943     if ((sc->session == NULL || sc->session->ext.max_early_data != 0xffffffff)
944         && sc->psk_use_session_cb == NULL)
945         return 0;
946 
947     sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
948     return 1;
949 }
950