1 /* 2 * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/quic_port.h" 11 #include "internal/quic_channel.h" 12 #include "internal/quic_lcidm.h" 13 #include "internal/quic_srtm.h" 14 #include "internal/quic_txp.h" 15 #include "internal/ssl_unwrap.h" 16 #include "quic_port_local.h" 17 #include "quic_channel_local.h" 18 #include "quic_engine_local.h" 19 #include "quic_local.h" 20 #include "../ssl_local.h" 21 #include <openssl/rand.h> 22 23 /* 24 * QUIC Port Structure 25 * =================== 26 */ 27 #define INIT_DCID_LEN 8 28 29 static int port_init(QUIC_PORT *port); 30 static void port_cleanup(QUIC_PORT *port); 31 static OSSL_TIME get_time(void *arg); 32 static void port_default_packet_handler(QUIC_URXE *e, void *arg, 33 const QUIC_CONN_ID *dcid); 34 static void port_rx_pre(QUIC_PORT *port); 35 36 /** 37 * @struct validation_token 38 * @brief Represents a validation token for secure connection handling. 39 * 40 * This struct is used to store information related to a validation token. 41 * 42 * @var validation_token::is_retry 43 * True iff this validation token is for a token sent in a RETRY packet. 44 * Otherwise, this token is from a NEW_TOKEN_packet. Iff this value is true, 45 * then ODCID and RSCID are set. 46 * 47 * @var validation_token::timestamp 48 * Time that the validation token was minted. 49 * 50 * @var validation_token::odcid 51 * An original connection ID (`QUIC_CONN_ID`) used to identify the QUIC 52 * connection. This ID helps associate the token with a specific connection. 53 * This will only be valid for validation tokens from RETRY packets. 54 * 55 * @var validation_token::rscid 56 * DCID that the client will use as the DCID of the subsequent initial packet 57 * i.e the "new" DCID. 58 * This will only be valid for validation tokens from RETRY packets. 59 * 60 * @var validation_token::remote_addr_len 61 * Length of the following character array. 62 * 63 * @var validation_token::remote_addr 64 * A character array holding the raw address of the client requesting the 65 * connection. 66 */ 67 typedef struct validation_token { 68 OSSL_TIME timestamp; 69 QUIC_CONN_ID odcid; 70 QUIC_CONN_ID rscid; 71 size_t remote_addr_len; 72 unsigned char *remote_addr; 73 unsigned char is_retry; 74 } QUIC_VALIDATION_TOKEN; 75 76 /* 77 * Maximum length of a marshalled validation token. 78 * 79 * - timestamp is 8 bytes 80 * - odcid and rscid are maximally 42 bytes in total 81 * - remote_addr_len is a size_t (8 bytes) 82 * - remote_addr is in the worst case 110 bytes (in the case of using a 83 * maximally sized AF_UNIX socket) 84 * - is_retry is a single byte 85 */ 86 #define MARSHALLED_TOKEN_MAX_LEN 169 87 88 /* 89 * Maximum length of an encrypted marshalled validation token. 90 * 91 * This will include the size of the marshalled validation token plus a 16 byte 92 * tag and a 12 byte IV, so in total 197 bytes. 93 */ 94 #define ENCRYPTED_TOKEN_MAX_LEN (MARSHALLED_TOKEN_MAX_LEN + 16 + 12) 95 96 DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL); 97 DEFINE_LIST_OF_IMPL(incoming_ch, QUIC_CHANNEL); 98 DEFINE_LIST_OF_IMPL(port, QUIC_PORT); 99 100 QUIC_PORT *ossl_quic_port_new(const QUIC_PORT_ARGS *args) 101 { 102 QUIC_PORT *port; 103 104 if ((port = OPENSSL_zalloc(sizeof(QUIC_PORT))) == NULL) 105 return NULL; 106 107 port->engine = args->engine; 108 port->channel_ctx = args->channel_ctx; 109 port->is_multi_conn = args->is_multi_conn; 110 port->validate_addr = args->do_addr_validation; 111 port->get_conn_user_ssl = args->get_conn_user_ssl; 112 port->user_ssl_arg = args->user_ssl_arg; 113 114 if (!port_init(port)) { 115 OPENSSL_free(port); 116 return NULL; 117 } 118 119 return port; 120 } 121 122 void ossl_quic_port_free(QUIC_PORT *port) 123 { 124 if (port == NULL) 125 return; 126 127 port_cleanup(port); 128 OPENSSL_free(port); 129 } 130 131 static int port_init(QUIC_PORT *port) 132 { 133 size_t rx_short_dcid_len = (port->is_multi_conn ? INIT_DCID_LEN : 0); 134 int key_len; 135 EVP_CIPHER *cipher = NULL; 136 unsigned char *token_key = NULL; 137 int ret = 0; 138 139 if (port->engine == NULL || port->channel_ctx == NULL) 140 goto err; 141 142 if ((port->err_state = OSSL_ERR_STATE_new()) == NULL) 143 goto err; 144 145 if ((port->demux = ossl_quic_demux_new(/*BIO=*/NULL, 146 /*Short CID Len=*/rx_short_dcid_len, 147 get_time, port)) == NULL) 148 goto err; 149 150 ossl_quic_demux_set_default_handler(port->demux, 151 port_default_packet_handler, 152 port); 153 154 if ((port->srtm = ossl_quic_srtm_new(port->engine->libctx, 155 port->engine->propq)) == NULL) 156 goto err; 157 158 if ((port->lcidm = ossl_quic_lcidm_new(port->engine->libctx, 159 rx_short_dcid_len)) == NULL) 160 goto err; 161 162 port->rx_short_dcid_len = (unsigned char)rx_short_dcid_len; 163 port->tx_init_dcid_len = INIT_DCID_LEN; 164 port->state = QUIC_PORT_STATE_RUNNING; 165 166 ossl_list_port_insert_tail(&port->engine->port_list, port); 167 port->on_engine_list = 1; 168 port->bio_changed = 1; 169 170 /* Generate random key for token encryption */ 171 if ((port->token_ctx = EVP_CIPHER_CTX_new()) == NULL 172 || (cipher = EVP_CIPHER_fetch(port->engine->libctx, 173 "AES-256-GCM", NULL)) == NULL 174 || !EVP_EncryptInit_ex(port->token_ctx, cipher, NULL, NULL, NULL) 175 || (key_len = EVP_CIPHER_CTX_get_key_length(port->token_ctx)) <= 0 176 || (token_key = OPENSSL_malloc(key_len)) == NULL 177 || !RAND_bytes_ex(port->engine->libctx, token_key, key_len, 0) 178 || !EVP_EncryptInit_ex(port->token_ctx, NULL, NULL, token_key, NULL)) 179 goto err; 180 181 ret = 1; 182 err: 183 EVP_CIPHER_free(cipher); 184 OPENSSL_free(token_key); 185 if (!ret) 186 port_cleanup(port); 187 return ret; 188 } 189 190 static void port_cleanup(QUIC_PORT *port) 191 { 192 assert(ossl_list_ch_num(&port->channel_list) == 0); 193 194 ossl_quic_demux_free(port->demux); 195 port->demux = NULL; 196 197 ossl_quic_srtm_free(port->srtm); 198 port->srtm = NULL; 199 200 ossl_quic_lcidm_free(port->lcidm); 201 port->lcidm = NULL; 202 203 OSSL_ERR_STATE_free(port->err_state); 204 port->err_state = NULL; 205 206 if (port->on_engine_list) { 207 ossl_list_port_remove(&port->engine->port_list, port); 208 port->on_engine_list = 0; 209 } 210 211 EVP_CIPHER_CTX_free(port->token_ctx); 212 port->token_ctx = NULL; 213 } 214 215 static void port_transition_failed(QUIC_PORT *port) 216 { 217 if (port->state == QUIC_PORT_STATE_FAILED) 218 return; 219 220 port->state = QUIC_PORT_STATE_FAILED; 221 } 222 223 int ossl_quic_port_is_running(const QUIC_PORT *port) 224 { 225 return port->state == QUIC_PORT_STATE_RUNNING; 226 } 227 228 QUIC_ENGINE *ossl_quic_port_get0_engine(QUIC_PORT *port) 229 { 230 return port->engine; 231 } 232 233 QUIC_REACTOR *ossl_quic_port_get0_reactor(QUIC_PORT *port) 234 { 235 return ossl_quic_engine_get0_reactor(port->engine); 236 } 237 238 QUIC_DEMUX *ossl_quic_port_get0_demux(QUIC_PORT *port) 239 { 240 return port->demux; 241 } 242 243 CRYPTO_MUTEX *ossl_quic_port_get0_mutex(QUIC_PORT *port) 244 { 245 return ossl_quic_engine_get0_mutex(port->engine); 246 } 247 248 OSSL_TIME ossl_quic_port_get_time(QUIC_PORT *port) 249 { 250 return ossl_quic_engine_get_time(port->engine); 251 } 252 253 static OSSL_TIME get_time(void *port) 254 { 255 return ossl_quic_port_get_time((QUIC_PORT *)port); 256 } 257 258 int ossl_quic_port_get_rx_short_dcid_len(const QUIC_PORT *port) 259 { 260 return port->rx_short_dcid_len; 261 } 262 263 int ossl_quic_port_get_tx_init_dcid_len(const QUIC_PORT *port) 264 { 265 return port->tx_init_dcid_len; 266 } 267 268 size_t ossl_quic_port_get_num_incoming_channels(const QUIC_PORT *port) 269 { 270 return ossl_list_incoming_ch_num(&port->incoming_channel_list); 271 } 272 273 /* 274 * QUIC Port: Network BIO Configuration 275 * ==================================== 276 */ 277 278 /* Determines whether we can support a given poll descriptor. */ 279 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR *d) 280 { 281 if (d->type == BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD && d->value.fd < 0) { 282 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 283 return 0; 284 } 285 286 return 1; 287 } 288 289 BIO *ossl_quic_port_get_net_rbio(QUIC_PORT *port) 290 { 291 return port->net_rbio; 292 } 293 294 BIO *ossl_quic_port_get_net_wbio(QUIC_PORT *port) 295 { 296 return port->net_wbio; 297 } 298 299 static int port_update_poll_desc(QUIC_PORT *port, BIO *net_bio, int for_write) 300 { 301 BIO_POLL_DESCRIPTOR d = {0}; 302 303 if (net_bio == NULL 304 || (!for_write && !BIO_get_rpoll_descriptor(net_bio, &d)) 305 || (for_write && !BIO_get_wpoll_descriptor(net_bio, &d))) 306 /* Non-pollable BIO */ 307 d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; 308 309 if (!validate_poll_descriptor(&d)) 310 return 0; 311 312 /* 313 * TODO(QUIC MULTIPORT): We currently only support one port per 314 * engine/domain. This is necessitated because QUIC_REACTOR only supports a 315 * single pollable currently. In the future, once complete polling 316 * infrastructure has been implemented, this limitation can be removed. 317 * 318 * For now, just update the descriptor on the engine's reactor as we are 319 * guaranteed to be the only port under it. 320 */ 321 if (for_write) 322 ossl_quic_reactor_set_poll_w(&port->engine->rtor, &d); 323 else 324 ossl_quic_reactor_set_poll_r(&port->engine->rtor, &d); 325 326 return 1; 327 } 328 329 int ossl_quic_port_update_poll_descriptors(QUIC_PORT *port, int force) 330 { 331 int ok = 1; 332 333 if (!force && !port->bio_changed) 334 return 0; 335 336 if (!port_update_poll_desc(port, port->net_rbio, /*for_write=*/0)) 337 ok = 0; 338 339 if (!port_update_poll_desc(port, port->net_wbio, /*for_write=*/1)) 340 ok = 0; 341 342 port->bio_changed = 0; 343 return ok; 344 } 345 346 /* 347 * We need to determine our addressing mode. There are basically two ways we can 348 * use L4 addresses: 349 * 350 * - Addressed mode, in which our BIO_sendmmsg calls have destination 351 * addresses attached to them which we expect the underlying network BIO to 352 * handle; 353 * 354 * - Unaddressed mode, in which the BIO provided to us on the network side 355 * neither provides us with L4 addresses nor is capable of honouring ones we 356 * provide. We don't know where the QUIC traffic we send ends up exactly and 357 * trust the application to know what it is doing. 358 * 359 * Addressed mode is preferred because it enables support for connection 360 * migration, multipath, etc. in the future. Addressed mode is automatically 361 * enabled if we are using e.g. BIO_s_datagram, with or without BIO_s_connect. 362 * 363 * If we are passed a BIO_s_dgram_pair (or some custom BIO) we may have to use 364 * unaddressed mode unless that BIO supports capability flags indicating it can 365 * provide and honour L4 addresses. 366 * 367 * Our strategy for determining address mode is simple: we probe the underlying 368 * network BIOs for their capabilities. If the network BIOs support what we 369 * need, we use addressed mode. Otherwise, we use unaddressed mode. 370 * 371 * If addressed mode is chosen, we require an initial peer address to be set. If 372 * this is not set, we fail. If unaddressed mode is used, we do not require 373 * this, as such an address is superfluous, though it can be set if desired. 374 */ 375 static void port_update_addressing_mode(QUIC_PORT *port) 376 { 377 long rcaps = 0, wcaps = 0; 378 379 if (port->net_rbio != NULL) 380 rcaps = BIO_dgram_get_effective_caps(port->net_rbio); 381 382 if (port->net_wbio != NULL) 383 wcaps = BIO_dgram_get_effective_caps(port->net_wbio); 384 385 port->addressed_mode_r = ((rcaps & BIO_DGRAM_CAP_PROVIDES_SRC_ADDR) != 0); 386 port->addressed_mode_w = ((wcaps & BIO_DGRAM_CAP_HANDLES_DST_ADDR) != 0); 387 port->bio_changed = 1; 388 } 389 390 int ossl_quic_port_is_addressed_r(const QUIC_PORT *port) 391 { 392 return port->addressed_mode_r; 393 } 394 395 int ossl_quic_port_is_addressed_w(const QUIC_PORT *port) 396 { 397 return port->addressed_mode_w; 398 } 399 400 int ossl_quic_port_is_addressed(const QUIC_PORT *port) 401 { 402 return ossl_quic_port_is_addressed_r(port) && ossl_quic_port_is_addressed_w(port); 403 } 404 405 /* 406 * QUIC_PORT does not ref any BIO it is provided with, nor is any ref 407 * transferred to it. The caller (e.g., QUIC_CONNECTION) is responsible for 408 * ensuring the BIO lasts until the channel is freed or the BIO is switched out 409 * for another BIO by a subsequent successful call to this function. 410 */ 411 int ossl_quic_port_set_net_rbio(QUIC_PORT *port, BIO *net_rbio) 412 { 413 if (port->net_rbio == net_rbio) 414 return 1; 415 416 if (!port_update_poll_desc(port, net_rbio, /*for_write=*/0)) 417 return 0; 418 419 ossl_quic_demux_set_bio(port->demux, net_rbio); 420 port->net_rbio = net_rbio; 421 port_update_addressing_mode(port); 422 return 1; 423 } 424 425 int ossl_quic_port_set_net_wbio(QUIC_PORT *port, BIO *net_wbio) 426 { 427 QUIC_CHANNEL *ch; 428 429 if (port->net_wbio == net_wbio) 430 return 1; 431 432 if (!port_update_poll_desc(port, net_wbio, /*for_write=*/1)) 433 return 0; 434 435 OSSL_LIST_FOREACH(ch, ch, &port->channel_list) 436 ossl_qtx_set_bio(ch->qtx, net_wbio); 437 438 port->net_wbio = net_wbio; 439 port_update_addressing_mode(port); 440 return 1; 441 } 442 443 SSL_CTX *ossl_quic_port_get_channel_ctx(QUIC_PORT *port) 444 { 445 return port->channel_ctx; 446 } 447 448 /* 449 * QUIC Port: Channel Lifecycle 450 * ============================ 451 */ 452 453 static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch) 454 { 455 SSL *tls = NULL; 456 SSL_CONNECTION *tls_conn = NULL; 457 SSL *user_ssl = NULL; 458 QUIC_CONNECTION *qc = NULL; 459 QUIC_LISTENER *ql = NULL; 460 461 /* 462 * It only makes sense to call this function if we know how to associate 463 * the handshake layer we are about to create with some user_ssl object. 464 */ 465 if (!ossl_assert(port->get_conn_user_ssl != NULL)) 466 return NULL; 467 user_ssl = port->get_conn_user_ssl(ch, port->user_ssl_arg); 468 if (user_ssl == NULL) 469 return NULL; 470 qc = (QUIC_CONNECTION *)user_ssl; 471 ql = (QUIC_LISTENER *)port->user_ssl_arg; 472 473 /* 474 * We expect the user_ssl to be newly created so it must not have an 475 * existing qc->tls 476 */ 477 if (!ossl_assert(qc->tls == NULL)) { 478 SSL_free(user_ssl); 479 return NULL; 480 } 481 482 tls = ossl_ssl_connection_new_int(port->channel_ctx, user_ssl, TLS_method()); 483 qc->tls = tls; 484 if (tls == NULL || (tls_conn = SSL_CONNECTION_FROM_SSL(tls)) == NULL) { 485 SSL_free(user_ssl); 486 return NULL; 487 } 488 489 if (ql != NULL && ql->obj.ssl.ctx->new_pending_conn_cb != NULL) 490 if (!ql->obj.ssl.ctx->new_pending_conn_cb(ql->obj.ssl.ctx, user_ssl, 491 ql->obj.ssl.ctx->new_pending_conn_arg)) { 492 SSL_free(user_ssl); 493 return NULL; 494 } 495 496 /* Override the user_ssl of the inner connection. */ 497 tls_conn->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL; 498 499 /* Restrict options derived from the SSL_CTX. */ 500 tls_conn->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN; 501 tls_conn->pha_enabled = 0; 502 return tls; 503 } 504 505 static QUIC_CHANNEL *port_make_channel(QUIC_PORT *port, SSL *tls, OSSL_QRX *qrx, 506 int is_server, int is_tserver) 507 { 508 QUIC_CHANNEL_ARGS args = {0}; 509 QUIC_CHANNEL *ch; 510 511 args.port = port; 512 args.is_server = is_server; 513 args.lcidm = port->lcidm; 514 args.srtm = port->srtm; 515 args.qrx = qrx; 516 args.is_tserver_ch = is_tserver; 517 518 /* 519 * Creating a a new channel is made a bit tricky here as there is a 520 * bit of a circular dependency. Initalizing a channel requires that 521 * the ch->tls and optionally the qlog_title be configured prior to 522 * initalization, but we need the channel at least partially configured 523 * to create the new handshake layer, so we have to do this in a few steps. 524 */ 525 526 /* 527 * start by allocation and provisioning as much of the channel as we can 528 */ 529 ch = ossl_quic_channel_alloc(&args); 530 if (ch == NULL) 531 return NULL; 532 533 /* 534 * Fixup the channel tls connection here before we init the channel 535 */ 536 ch->tls = (tls != NULL) ? tls : port_new_handshake_layer(port, ch); 537 538 if (ch->tls == NULL) { 539 OPENSSL_free(ch); 540 return NULL; 541 } 542 543 #ifndef OPENSSL_NO_QLOG 544 /* 545 * If we're using qlog, make sure the tls get further configured properly 546 */ 547 ch->use_qlog = 1; 548 if (ch->tls->ctx->qlog_title != NULL) { 549 if ((ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title)) == NULL) { 550 OPENSSL_free(ch); 551 return NULL; 552 } 553 } 554 #endif 555 556 /* 557 * And finally init the channel struct 558 */ 559 if (!ossl_quic_channel_init(ch)) { 560 OPENSSL_free(ch); 561 return NULL; 562 } 563 564 ossl_qtx_set_bio(ch->qtx, port->net_wbio); 565 return ch; 566 } 567 568 QUIC_CHANNEL *ossl_quic_port_create_outgoing(QUIC_PORT *port, SSL *tls) 569 { 570 return port_make_channel(port, tls, NULL, /* is_server= */ 0, 571 /* is_tserver= */ 0); 572 } 573 574 QUIC_CHANNEL *ossl_quic_port_create_incoming(QUIC_PORT *port, SSL *tls) 575 { 576 QUIC_CHANNEL *ch; 577 578 assert(port->tserver_ch == NULL); 579 580 /* 581 * pass -1 for qrx to indicate port will create qrx 582 * later in port_default_packet_handler() when calling port_bind_channel(). 583 */ 584 ch = port_make_channel(port, tls, NULL, /* is_server= */ 1, 585 /* is_tserver_ch */ 1); 586 port->tserver_ch = ch; 587 port->allow_incoming = 1; 588 return ch; 589 } 590 591 QUIC_CHANNEL *ossl_quic_port_pop_incoming(QUIC_PORT *port) 592 { 593 QUIC_CHANNEL *ch; 594 595 ch = ossl_list_incoming_ch_head(&port->incoming_channel_list); 596 if (ch == NULL) 597 return NULL; 598 599 ossl_list_incoming_ch_remove(&port->incoming_channel_list, ch); 600 return ch; 601 } 602 603 int ossl_quic_port_have_incoming(QUIC_PORT *port) 604 { 605 return ossl_list_incoming_ch_head(&port->incoming_channel_list) != NULL; 606 } 607 608 void ossl_quic_port_drop_incoming(QUIC_PORT *port) 609 { 610 QUIC_CHANNEL *ch; 611 SSL *tls; 612 SSL *user_ssl; 613 SSL_CONNECTION *sc; 614 615 for (;;) { 616 ch = ossl_quic_port_pop_incoming(port); 617 if (ch == NULL) 618 break; 619 620 tls = ossl_quic_channel_get0_tls(ch); 621 /* 622 * The user ssl may or may not have been created via the 623 * get_conn_user_ssl callback in the QUIC stack. The 624 * differentiation being if the user_ssl pointer and tls pointer 625 * are different. If they are, then the user_ssl needs freeing here 626 * which sends us through ossl_quic_free, which then drops the actual 627 * ch->tls ref and frees the channel 628 */ 629 sc = SSL_CONNECTION_FROM_SSL(tls); 630 if (sc == NULL) 631 break; 632 633 user_ssl = SSL_CONNECTION_GET_USER_SSL(sc); 634 if (user_ssl == tls) { 635 ossl_quic_channel_free(ch); 636 SSL_free(tls); 637 } else { 638 SSL_free(user_ssl); 639 } 640 } 641 } 642 643 void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming) 644 { 645 port->allow_incoming = allow_incoming; 646 } 647 648 /* 649 * QUIC Port: Ticker-Mutator 650 * ========================= 651 */ 652 653 /* 654 * Tick function for this port. This does everything related to network I/O for 655 * this port's network BIOs, and services child channels. 656 */ 657 void ossl_quic_port_subtick(QUIC_PORT *port, QUIC_TICK_RESULT *res, 658 uint32_t flags) 659 { 660 QUIC_CHANNEL *ch; 661 662 res->net_read_desired = ossl_quic_port_is_running(port); 663 res->net_write_desired = 0; 664 res->notify_other_threads = 0; 665 res->tick_deadline = ossl_time_infinite(); 666 667 if (!port->engine->inhibit_tick) { 668 /* Handle any incoming data from network. */ 669 if (ossl_quic_port_is_running(port)) 670 port_rx_pre(port); 671 672 /* Iterate through all channels and service them. */ 673 OSSL_LIST_FOREACH(ch, ch, &port->channel_list) { 674 QUIC_TICK_RESULT subr = {0}; 675 676 ossl_quic_channel_subtick(ch, &subr, flags); 677 ossl_quic_tick_result_merge_into(res, &subr); 678 } 679 } 680 } 681 682 /* Process incoming datagrams, if any. */ 683 static void port_rx_pre(QUIC_PORT *port) 684 { 685 int ret; 686 687 /* 688 * Originally, this check (don't RX before we have sent anything if we are 689 * not a server, because there can't be anything) was just intended as a 690 * minor optimisation. However, it is actually required on Windows, and 691 * removing this check will cause Windows to break. 692 * 693 * The reason is that under Win32, recvfrom() does not work on a UDP socket 694 * which has not had bind() called (???). However, calling sendto() will 695 * automatically bind an unbound UDP socket. Therefore, if we call a Winsock 696 * recv-type function before calling a Winsock send-type function, that call 697 * will fail with WSAEINVAL, which we will regard as a permanent network 698 * error. 699 * 700 * Therefore, this check is essential as we do not require our API users to 701 * bind a socket first when using the API in client mode. 702 */ 703 if (!port->allow_incoming && !port->have_sent_any_pkt) 704 return; 705 706 /* 707 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams 708 * to the appropriate QRX instances. 709 */ 710 ret = ossl_quic_demux_pump(port->demux); 711 if (ret == QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL) 712 /* 713 * We don't care about transient failure, but permanent failure means we 714 * should tear down the port. All connections skip straight to the 715 * Terminated state as there is no point trying to send CONNECTION_CLOSE 716 * frames if the network BIO is not operating correctly. 717 */ 718 ossl_quic_port_raise_net_error(port, NULL); 719 } 720 721 /* 722 * Handles an incoming connection request and potentially decides to make a 723 * connection from it. If a new connection is made, the new channel is written 724 * to *new_ch. 725 */ 726 static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer, 727 const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid, 728 const QUIC_CONN_ID *odcid, OSSL_QRX *qrx, 729 QUIC_CHANNEL **new_ch) 730 { 731 QUIC_CHANNEL *ch; 732 733 /* 734 * If we're running with a simulated tserver, it will already have 735 * a dummy channel created, use that instead 736 */ 737 if (port->tserver_ch != NULL) { 738 ch = port->tserver_ch; 739 port->tserver_ch = NULL; 740 ossl_quic_channel_bind_qrx(ch, qrx); 741 ossl_qrx_set_msg_callback(ch->qrx, ch->msg_callback, 742 ch->msg_callback_ssl); 743 ossl_qrx_set_msg_callback_arg(ch->qrx, ch->msg_callback_arg); 744 } else { 745 ch = port_make_channel(port, NULL, qrx, /* is_server= */ 1, 746 /* is_tserver */ 0); 747 } 748 749 if (ch == NULL) 750 return; 751 752 /* 753 * If we didn't provide a qrx here that means we need to set our initial 754 * secret here, since we just created a qrx 755 * Normally its not needed, as the initial secret gets added when we send 756 * our first server hello, but if we get a huge client hello, crossing 757 * multiple datagrams, we don't have a chance to do that, and datagrams 758 * after the first won't get decoded properly, for lack of secrets 759 */ 760 if (qrx == NULL) 761 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx, 762 ch->port->engine->propq, 763 dcid, /* is_server */ 1, 764 ch->qrx, NULL)) 765 return; 766 767 if (odcid->id_len != 0) { 768 /* 769 * If we have an odcid, then we went through server address validation 770 * and as such, this channel need not conform to the 3x validation cap 771 * See RFC 9000 s. 8.1 772 */ 773 ossl_quic_tx_packetiser_set_validated(ch->txp); 774 if (!ossl_quic_bind_channel(ch, peer, scid, dcid, odcid)) { 775 ossl_quic_channel_free(ch); 776 return; 777 } 778 } else { 779 /* 780 * No odcid means we didn't do server validation, so we need to 781 * generate a cid via ossl_quic_channel_on_new_conn 782 */ 783 if (!ossl_quic_channel_on_new_conn(ch, peer, scid, dcid)) { 784 ossl_quic_channel_free(ch); 785 return; 786 } 787 } 788 789 ossl_list_incoming_ch_insert_tail(&port->incoming_channel_list, ch); 790 *new_ch = ch; 791 } 792 793 static int port_try_handle_stateless_reset(QUIC_PORT *port, const QUIC_URXE *e) 794 { 795 size_t i; 796 const unsigned char *data = ossl_quic_urxe_data(e); 797 void *opaque = NULL; 798 799 /* 800 * Perform some fast and cheap checks for a packet not being a stateless 801 * reset token. RFC 9000 s. 10.3 specifies this layout for stateless 802 * reset packets: 803 * 804 * Stateless Reset { 805 * Fixed Bits (2) = 1, 806 * Unpredictable Bits (38..), 807 * Stateless Reset Token (128), 808 * } 809 * 810 * It also specifies: 811 * However, endpoints MUST treat any packet ending in a valid 812 * stateless reset token as a Stateless Reset, as other QUIC 813 * versions might allow the use of a long header. 814 * 815 * We can rapidly check for the minimum length and that the first pair 816 * of bits in the first byte are 01 or 11. 817 * 818 * The function returns 1 if it is a stateless reset packet, 0 if it isn't 819 * and -1 if an error was encountered. 820 */ 821 if (e->data_len < QUIC_STATELESS_RESET_TOKEN_LEN + 5 822 || (0100 & *data) != 0100) 823 return 0; 824 825 for (i = 0;; ++i) { 826 if (!ossl_quic_srtm_lookup(port->srtm, 827 (QUIC_STATELESS_RESET_TOKEN *)(data + e->data_len 828 - sizeof(QUIC_STATELESS_RESET_TOKEN)), 829 i, &opaque, NULL)) 830 break; 831 832 assert(opaque != NULL); 833 ossl_quic_channel_on_stateless_reset((QUIC_CHANNEL *)opaque); 834 } 835 836 return i > 0; 837 } 838 839 static void cleanup_validation_token(QUIC_VALIDATION_TOKEN *token) 840 { 841 OPENSSL_free(token->remote_addr); 842 } 843 844 /** 845 * @brief Generates a validation token for a RETRY/NEW_TOKEN packet. 846 * 847 * 848 * @param peer Address of the client peer receiving the packet. 849 * @param odcid DCID of the connection attempt. 850 * @param rscid Retry source connection ID of the connection attempt. 851 * @param token Address of token to fill data. 852 * 853 * @return 1 if validation token is filled successfully, 0 otherwise. 854 */ 855 static int generate_token(BIO_ADDR *peer, QUIC_CONN_ID odcid, 856 QUIC_CONN_ID rscid, QUIC_VALIDATION_TOKEN *token, 857 int is_retry) 858 { 859 token->is_retry = is_retry; 860 token->timestamp = ossl_time_now(); 861 token->remote_addr = NULL; 862 token->odcid = odcid; 863 token->rscid = rscid; 864 865 if (!BIO_ADDR_rawaddress(peer, NULL, &token->remote_addr_len) 866 || token->remote_addr_len == 0 867 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL 868 || !BIO_ADDR_rawaddress(peer, token->remote_addr, 869 &token->remote_addr_len)) { 870 cleanup_validation_token(token); 871 return 0; 872 } 873 874 return 1; 875 } 876 877 /** 878 * @brief Marshals a validation token into a new buffer. 879 * 880 * |buffer| should already be allocated and at least MARSHALLED_TOKEN_MAX_LEN 881 * bytes long. Stores the length of data stored in |buffer| in |buffer_len|. 882 * 883 * @param token Validation token. 884 * @param buffer Address to store the marshalled token. 885 * @param buffer_len Size of data stored in |buffer|. 886 */ 887 static int marshal_validation_token(QUIC_VALIDATION_TOKEN *token, 888 unsigned char *buffer, size_t *buffer_len) 889 { 890 WPACKET wpkt = {0}; 891 BUF_MEM *buf_mem = BUF_MEM_new(); 892 893 if (buffer == NULL || buf_mem == NULL 894 || (token->is_retry != 0 && token->is_retry != 1)) { 895 BUF_MEM_free(buf_mem); 896 return 0; 897 } 898 899 if (!WPACKET_init(&wpkt, buf_mem) 900 || !WPACKET_memset(&wpkt, token->is_retry, 1) 901 || !WPACKET_memcpy(&wpkt, &token->timestamp, 902 sizeof(token->timestamp)) 903 || (token->is_retry 904 && (!WPACKET_sub_memcpy_u8(&wpkt, &token->odcid.id, 905 token->odcid.id_len) 906 || !WPACKET_sub_memcpy_u8(&wpkt, &token->rscid.id, 907 token->rscid.id_len))) 908 || !WPACKET_sub_memcpy_u8(&wpkt, token->remote_addr, token->remote_addr_len) 909 || !WPACKET_get_total_written(&wpkt, buffer_len) 910 || *buffer_len > MARSHALLED_TOKEN_MAX_LEN 911 || !WPACKET_finish(&wpkt)) { 912 WPACKET_cleanup(&wpkt); 913 BUF_MEM_free(buf_mem); 914 return 0; 915 } 916 917 memcpy(buffer, buf_mem->data, *buffer_len); 918 BUF_MEM_free(buf_mem); 919 return 1; 920 } 921 922 /** 923 * @brief Encrypts a validation token using AES-256-GCM 924 * 925 * @param port The QUIC port containing the encryption key 926 * @param plaintext The data to encrypt 927 * @param pt_len Length of the plaintext 928 * @param ciphertext Buffer to receive encrypted data. If NULL, ct_len will be 929 * set to the required buffer size and function returns 930 * immediately. 931 * @param ct_len Pointer to size_t that will receive the ciphertext length. 932 * This also includes bytes for QUIC_RETRY_INTEGRITY_TAG_LEN. 933 * 934 * @return 1 on success, 0 on failure 935 * 936 * The ciphertext format is: 937 * [EVP_GCM_IV_LEN bytes IV][encrypted data][EVP_GCM_TAG_LEN bytes tag] 938 */ 939 static int encrypt_validation_token(const QUIC_PORT *port, 940 const unsigned char *plaintext, 941 size_t pt_len, 942 unsigned char *ciphertext, 943 size_t *ct_len) 944 { 945 int iv_len, len, ret = 0; 946 size_t tag_len; 947 unsigned char *iv = ciphertext, *data, *tag; 948 949 if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0 950 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0) 951 goto err; 952 953 *ct_len = iv_len + pt_len + tag_len + QUIC_RETRY_INTEGRITY_TAG_LEN; 954 if (ciphertext == NULL) { 955 ret = 1; 956 goto err; 957 } 958 959 data = ciphertext + iv_len; 960 tag = data + pt_len; 961 962 if (!RAND_bytes_ex(port->engine->libctx, ciphertext, iv_len, 0) 963 || !EVP_EncryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv) 964 || !EVP_EncryptUpdate(port->token_ctx, data, &len, plaintext, pt_len) 965 || !EVP_EncryptFinal_ex(port->token_ctx, data + pt_len, &len) 966 || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_GET_TAG, tag_len, tag)) 967 goto err; 968 969 ret = 1; 970 err: 971 return ret; 972 } 973 974 /** 975 * @brief Decrypts a validation token using AES-256-GCM 976 * 977 * @param port The QUIC port containing the decryption key 978 * @param ciphertext The encrypted data (including IV and tag) 979 * @param ct_len Length of the ciphertext 980 * @param plaintext Buffer to receive decrypted data. If NULL, pt_len will be 981 * set to the required buffer size. 982 * @param pt_len Pointer to size_t that will receive the plaintext length 983 * 984 * @return 1 on success, 0 on failure 985 * 986 * Expected ciphertext format: 987 * [EVP_GCM_IV_LEN bytes IV][encrypted data][EVP_GCM_TAG_LEN bytes tag] 988 */ 989 static int decrypt_validation_token(const QUIC_PORT *port, 990 const unsigned char *ciphertext, 991 size_t ct_len, 992 unsigned char *plaintext, 993 size_t *pt_len) 994 { 995 int iv_len, len = 0, ret = 0; 996 size_t tag_len; 997 const unsigned char *iv = ciphertext, *data, *tag; 998 999 if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0 1000 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0) 1001 goto err; 1002 1003 /* Prevent decryption of a buffer that is not within reasonable bounds */ 1004 if (ct_len < (iv_len + tag_len) || ct_len > ENCRYPTED_TOKEN_MAX_LEN) 1005 goto err; 1006 1007 *pt_len = ct_len - iv_len - tag_len; 1008 if (plaintext == NULL) { 1009 ret = 1; 1010 goto err; 1011 } 1012 1013 data = ciphertext + iv_len; 1014 tag = ciphertext + ct_len - tag_len; 1015 1016 if (!EVP_DecryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv) 1017 || !EVP_DecryptUpdate(port->token_ctx, plaintext, &len, data, 1018 ct_len - iv_len - tag_len) 1019 || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_SET_TAG, tag_len, 1020 (void *)tag) 1021 || !EVP_DecryptFinal_ex(port->token_ctx, plaintext + len, &len)) 1022 goto err; 1023 1024 ret = 1; 1025 1026 err: 1027 return ret; 1028 } 1029 1030 /** 1031 * @brief Parses contents of a buffer into a validation token. 1032 * 1033 * VALIDATION_TOKEN should already be initalized. Does some basic sanity checks. 1034 * 1035 * @param token Validation token to fill data in. 1036 * @param buf Buffer of previously marshaled validation token. 1037 * @param buf_len Length of |buf|. 1038 */ 1039 static int parse_validation_token(QUIC_VALIDATION_TOKEN *token, 1040 const unsigned char *buf, size_t buf_len) 1041 { 1042 PACKET pkt, subpkt; 1043 1044 if (buf == NULL || token == NULL) 1045 return 0; 1046 1047 token->remote_addr = NULL; 1048 1049 if (!PACKET_buf_init(&pkt, buf, buf_len) 1050 || !PACKET_copy_bytes(&pkt, &token->is_retry, sizeof(token->is_retry)) 1051 || !(token->is_retry == 0 || token->is_retry == 1) 1052 || !PACKET_copy_bytes(&pkt, (unsigned char *)&token->timestamp, 1053 sizeof(token->timestamp)) 1054 || (token->is_retry 1055 && (!PACKET_get_length_prefixed_1(&pkt, &subpkt) 1056 || (token->odcid.id_len = (unsigned char)PACKET_remaining(&subpkt)) 1057 > QUIC_MAX_CONN_ID_LEN 1058 || !PACKET_copy_bytes(&subpkt, 1059 (unsigned char *)&token->odcid.id, 1060 token->odcid.id_len) 1061 || !PACKET_get_length_prefixed_1(&pkt, &subpkt) 1062 || (token->rscid.id_len = (unsigned char)PACKET_remaining(&subpkt)) 1063 > QUIC_MAX_CONN_ID_LEN 1064 || !PACKET_copy_bytes(&subpkt, (unsigned char *)&token->rscid.id, 1065 token->rscid.id_len))) 1066 || !PACKET_get_length_prefixed_1(&pkt, &subpkt) 1067 || (token->remote_addr_len = PACKET_remaining(&subpkt)) == 0 1068 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL 1069 || !PACKET_copy_bytes(&subpkt, token->remote_addr, token->remote_addr_len) 1070 || PACKET_remaining(&pkt) != 0) { 1071 cleanup_validation_token(token); 1072 return 0; 1073 } 1074 1075 return 1; 1076 } 1077 1078 /** 1079 * @brief Sends a QUIC Retry packet to a client. 1080 * 1081 * This function constructs and sends a Retry packet to the specified client 1082 * using the provided connection header information. The Retry packet 1083 * includes a generated validation token and a new connection ID, following 1084 * the QUIC protocol specifications for connection establishment. 1085 * 1086 * @param port Pointer to the QUIC port from which to send the packet. 1087 * @param peer Address of the client peer receiving the packet. 1088 * @param client_hdr Header of the client's initial packet, containing 1089 * connection IDs and other relevant information. 1090 * 1091 * This function performs the following steps: 1092 * - Generates a validation token for the client. 1093 * - Sets the destination and source connection IDs. 1094 * - Calculates the integrity tag and sets the token length. 1095 * - Encodes and sends the packet via the BIO network interface. 1096 * 1097 * Error handling is included for failures in CID generation, encoding, and 1098 * network transmiss 1099 */ 1100 static void port_send_retry(QUIC_PORT *port, 1101 BIO_ADDR *peer, 1102 QUIC_PKT_HDR *client_hdr) 1103 { 1104 BIO_MSG msg[1]; 1105 /* 1106 * Buffer is used for both marshalling the token as well as for the RETRY 1107 * packet. The size of buffer should not be less than 1108 * MARSHALLED_TOKEN_MAX_LEN. 1109 */ 1110 unsigned char buffer[512]; 1111 unsigned char ct_buf[ENCRYPTED_TOKEN_MAX_LEN]; 1112 WPACKET wpkt; 1113 size_t written, token_buf_len, ct_len; 1114 QUIC_PKT_HDR hdr = {0}; 1115 QUIC_VALIDATION_TOKEN token = {0}; 1116 int ok; 1117 1118 if (!ossl_assert(sizeof(buffer) >= MARSHALLED_TOKEN_MAX_LEN)) 1119 return; 1120 /* 1121 * 17.2.5.1 Sending a Retry packet 1122 * dst ConnId is src ConnId we got from client 1123 * src ConnId comes from local conn ID manager 1124 */ 1125 memset(&hdr, 0, sizeof(QUIC_PKT_HDR)); 1126 hdr.dst_conn_id = client_hdr->src_conn_id; 1127 /* 1128 * this is the random connection ID, we expect client is 1129 * going to send the ID with next INITIAL packet which 1130 * will also come with token we generate here. 1131 */ 1132 ok = ossl_quic_lcidm_get_unused_cid(port->lcidm, &hdr.src_conn_id); 1133 if (ok == 0) 1134 goto err; 1135 1136 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN)); 1137 1138 /* Generate retry validation token */ 1139 if (!generate_token(peer, client_hdr->dst_conn_id, 1140 hdr.src_conn_id, &token, 1) 1141 || !marshal_validation_token(&token, buffer, &token_buf_len) 1142 || !encrypt_validation_token(port, buffer, token_buf_len, NULL, 1143 &ct_len) 1144 || ct_len > ENCRYPTED_TOKEN_MAX_LEN 1145 || !encrypt_validation_token(port, buffer, token_buf_len, ct_buf, 1146 &ct_len) 1147 || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN)) 1148 goto err; 1149 1150 hdr.dst_conn_id = client_hdr->src_conn_id; 1151 hdr.type = QUIC_PKT_TYPE_RETRY; 1152 hdr.fixed = 1; 1153 hdr.version = 1; 1154 hdr.len = ct_len; 1155 hdr.data = ct_buf; 1156 ok = ossl_quic_calculate_retry_integrity_tag(port->engine->libctx, 1157 port->engine->propq, &hdr, 1158 &client_hdr->dst_conn_id, 1159 ct_buf + ct_len 1160 - QUIC_RETRY_INTEGRITY_TAG_LEN); 1161 if (ok == 0) 1162 goto err; 1163 1164 hdr.token = hdr.data; 1165 hdr.token_len = hdr.len; 1166 1167 msg[0].data = buffer; 1168 msg[0].peer = peer; 1169 msg[0].local = NULL; 1170 msg[0].flags = 0; 1171 1172 ok = WPACKET_init_static_len(&wpkt, buffer, sizeof(buffer), 0); 1173 if (ok == 0) 1174 goto err; 1175 1176 ok = ossl_quic_wire_encode_pkt_hdr(&wpkt, client_hdr->dst_conn_id.id_len, 1177 &hdr, NULL); 1178 if (ok == 0) 1179 goto err; 1180 1181 ok = WPACKET_get_total_written(&wpkt, &msg[0].data_len); 1182 if (ok == 0) 1183 goto err; 1184 1185 ok = WPACKET_finish(&wpkt); 1186 if (ok == 0) 1187 goto err; 1188 1189 /* 1190 * TODO(QUIC FUTURE) need to retry this in the event it return EAGAIN 1191 * on a non-blocking BIO 1192 */ 1193 if (!BIO_sendmmsg(port->net_wbio, msg, sizeof(BIO_MSG), 1, 0, &written)) 1194 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR, 1195 "port retry send failed due to network BIO I/O error"); 1196 1197 err: 1198 cleanup_validation_token(&token); 1199 } 1200 1201 /** 1202 * @brief Sends a QUIC Version Negotiation packet to the specified peer. 1203 * 1204 * This function constructs and sends a Version Negotiation packet using 1205 * the connection IDs from the client's initial packet header. The 1206 * Version Negotiation packet indicates support for QUIC version 1. 1207 * 1208 * @param port Pointer to the QUIC_PORT structure representing the port 1209 * context used for network communication. 1210 * @param peer Pointer to the BIO_ADDR structure specifying the address 1211 * of the peer to which the Version Negotiation packet 1212 * will be sent. 1213 * @param client_hdr Pointer to the QUIC_PKT_HDR structure containing the 1214 * client's packet header used to extract connection IDs. 1215 * 1216 * @note The function will raise an error if sending the message fails. 1217 */ 1218 static void port_send_version_negotiation(QUIC_PORT *port, BIO_ADDR *peer, 1219 QUIC_PKT_HDR *client_hdr) 1220 { 1221 BIO_MSG msg[1]; 1222 unsigned char buffer[1024]; 1223 QUIC_PKT_HDR hdr; 1224 WPACKET wpkt; 1225 uint32_t supported_versions[1]; 1226 size_t written; 1227 size_t i; 1228 1229 memset(&hdr, 0, sizeof(QUIC_PKT_HDR)); 1230 /* 1231 * Reverse the source and dst conn ids 1232 */ 1233 hdr.dst_conn_id = client_hdr->src_conn_id; 1234 hdr.src_conn_id = client_hdr->dst_conn_id; 1235 1236 /* 1237 * This is our list of supported protocol versions 1238 * Currently only QUIC_VERSION_1 1239 */ 1240 supported_versions[0] = QUIC_VERSION_1; 1241 1242 /* 1243 * Fill out the header fields 1244 * Note: Version negotiation packets, must, unlike 1245 * other packet types have a version of 0 1246 */ 1247 hdr.type = QUIC_PKT_TYPE_VERSION_NEG; 1248 hdr.version = 0; 1249 hdr.token = 0; 1250 hdr.token_len = 0; 1251 hdr.len = sizeof(supported_versions); 1252 hdr.data = (unsigned char *)supported_versions; 1253 1254 msg[0].data = buffer; 1255 msg[0].peer = peer; 1256 msg[0].local = NULL; 1257 msg[0].flags = 0; 1258 1259 if (!WPACKET_init_static_len(&wpkt, buffer, sizeof(buffer), 0)) 1260 return; 1261 1262 if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, client_hdr->dst_conn_id.id_len, 1263 &hdr, NULL)) 1264 return; 1265 1266 /* 1267 * Add the array of supported versions to the end of the packet 1268 */ 1269 for (i = 0; i < OSSL_NELEM(supported_versions); i++) { 1270 if (!WPACKET_put_bytes_u32(&wpkt, supported_versions[i])) 1271 return; 1272 } 1273 1274 if (!WPACKET_get_total_written(&wpkt, &msg[0].data_len)) 1275 return; 1276 1277 if (!WPACKET_finish(&wpkt)) 1278 return; 1279 1280 /* 1281 * Send it back to the client attempting to connect 1282 * TODO(QUIC FUTURE): Need to handle the EAGAIN case here, if the 1283 * BIO_sendmmsg call falls in a retryable manner 1284 */ 1285 if (!BIO_sendmmsg(port->net_wbio, msg, sizeof(BIO_MSG), 1, 0, &written)) 1286 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR, 1287 "port version negotiation send failed"); 1288 } 1289 1290 /** 1291 * @brief defintions of token lifetimes 1292 * 1293 * RETRY tokens are only valid for 10 seconds 1294 * NEW_TOKEN tokens have a lifetime of 3600 sec (1 hour) 1295 */ 1296 1297 #define RETRY_LIFETIME 10 1298 #define NEW_TOKEN_LIFETIME 3600 1299 /** 1300 * @brief Validates a received token in a QUIC packet header. 1301 * 1302 * This function checks the validity of a token contained in the provided 1303 * QUIC packet header (`QUIC_PKT_HDR *hdr`). The validation process involves 1304 * verifying that the token matches an expected format and value. If the 1305 * token is from a RETRY packet, the function extracts the original connection 1306 * ID (ODCID)/original source connection ID (SCID) and stores it in the provided 1307 * parameters. If the token is from a NEW_TOKEN packet, the values will be 1308 * derived instead. 1309 * 1310 * @param hdr Pointer to the QUIC packet header containing the token. 1311 * @param port Pointer to the QUIC port from which to send the packet. 1312 * @param peer Address of the client peer receiving the packet. 1313 * @param odcid Pointer to the connection ID structure to store the ODCID if the 1314 * token is valid. 1315 * @param scid Pointer to the connection ID structure to store the SCID if the 1316 * token is valid. 1317 * 1318 * @return 1 if the token is valid and ODCID/SCID are successfully set. 1319 * 0 otherwise. 1320 * 1321 * The function performs the following checks: 1322 * - Token length meets the required minimum. 1323 * - Buffer matches expected format. 1324 * - Peer address matches previous connection address. 1325 * - Token has not expired. Currently set to 10 seconds for tokens from RETRY 1326 * packets and 60 minutes for tokens from NEW_TOKEN packets. This may be 1327 * configurable in the future. 1328 */ 1329 static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port, 1330 BIO_ADDR *peer, QUIC_CONN_ID *odcid, 1331 QUIC_CONN_ID *scid, uint8_t *gen_new_token) 1332 { 1333 int ret = 0; 1334 QUIC_VALIDATION_TOKEN token = { 0 }; 1335 uint64_t time_diff; 1336 size_t remote_addr_len, dec_token_len; 1337 unsigned char *remote_addr = NULL, dec_token[MARSHALLED_TOKEN_MAX_LEN]; 1338 OSSL_TIME now = ossl_time_now(); 1339 1340 *gen_new_token = 0; 1341 1342 if (!decrypt_validation_token(port, hdr->token, hdr->token_len, NULL, 1343 &dec_token_len) 1344 || dec_token_len > MARSHALLED_TOKEN_MAX_LEN 1345 || !decrypt_validation_token(port, hdr->token, hdr->token_len, 1346 dec_token, &dec_token_len) 1347 || !parse_validation_token(&token, dec_token, dec_token_len)) 1348 goto err; 1349 1350 /* 1351 * Validate token timestamp. Current time should not be before the token 1352 * timestamp. 1353 */ 1354 if (ossl_time_compare(now, token.timestamp) < 0) 1355 goto err; 1356 time_diff = ossl_time2seconds(ossl_time_abs_difference(token.timestamp, 1357 now)); 1358 if ((token.is_retry && time_diff > RETRY_LIFETIME) 1359 || (!token.is_retry && time_diff > NEW_TOKEN_LIFETIME)) 1360 goto err; 1361 1362 /* Validate remote address */ 1363 if (!BIO_ADDR_rawaddress(peer, NULL, &remote_addr_len) 1364 || remote_addr_len != token.remote_addr_len 1365 || (remote_addr = OPENSSL_malloc(remote_addr_len)) == NULL 1366 || !BIO_ADDR_rawaddress(peer, remote_addr, &remote_addr_len) 1367 || memcmp(remote_addr, token.remote_addr, remote_addr_len) != 0) 1368 goto err; 1369 1370 /* 1371 * Set ODCID and SCID. If the token is from a RETRY packet, retrieve both 1372 * from the token. Otherwise, generate a new ODCID and use the header's 1373 * source connection ID for SCID. 1374 */ 1375 if (token.is_retry) { 1376 /* 1377 * We're parsing a packet header before its gone through AEAD validation 1378 * here, so there is a chance we are dealing with corrupted data. Make 1379 * Sure the dcid encoded in the token matches the headers dcid to 1380 * mitigate that. 1381 * TODO(QUIC FUTURE): Consider handling AEAD validation at the port 1382 * level rather than the QRX/channel level to eliminate the need for 1383 * this. 1384 */ 1385 if (token.rscid.id_len != hdr->dst_conn_id.id_len 1386 || memcmp(&token.rscid.id, &hdr->dst_conn_id.id, 1387 token.rscid.id_len) != 0) 1388 goto err; 1389 *odcid = token.odcid; 1390 *scid = token.rscid; 1391 } else { 1392 if (!ossl_quic_lcidm_get_unused_cid(port->lcidm, odcid)) 1393 goto err; 1394 *scid = hdr->src_conn_id; 1395 } 1396 1397 /* 1398 * Determine if we need to send a NEW_TOKEN frame 1399 * If we validated a retry token, we should always 1400 * send a NEW_TOKEN frame to the client 1401 * 1402 * If however, we validated a NEW_TOKEN, which may be 1403 * reused multiple times, only send a NEW_TOKEN frame 1404 * if the existing received token has less than 10% of its lifetime 1405 * remaining. This prevents us from constantly sending 1406 * NEW_TOKEN frames on every connection when not needed 1407 */ 1408 if (token.is_retry) { 1409 *gen_new_token = 1; 1410 } else { 1411 if (time_diff > ((NEW_TOKEN_LIFETIME * 9) / 10)) 1412 *gen_new_token = 1; 1413 } 1414 1415 ret = 1; 1416 err: 1417 cleanup_validation_token(&token); 1418 OPENSSL_free(remote_addr); 1419 return ret; 1420 } 1421 1422 static void generate_new_token(QUIC_CHANNEL *ch, BIO_ADDR *peer) 1423 { 1424 QUIC_CONN_ID rscid = { 0 }; 1425 QUIC_VALIDATION_TOKEN token; 1426 unsigned char buffer[ENCRYPTED_TOKEN_MAX_LEN]; 1427 unsigned char *ct_buf; 1428 size_t ct_len; 1429 size_t token_buf_len = 0; 1430 1431 /* Clients never send a NEW_TOKEN */ 1432 if (!ch->is_server) 1433 return; 1434 1435 ct_buf = OPENSSL_zalloc(ENCRYPTED_TOKEN_MAX_LEN); 1436 if (ct_buf == NULL) 1437 return; 1438 1439 /* 1440 * NEW_TOKEN tokens may be used for multiple subsequent connections 1441 * within their timeout period, so don't reserve an rscid here 1442 * like we do for retry tokens, instead, just fill it with random 1443 * data, as we won't use it anyway 1444 */ 1445 rscid.id_len = 8; 1446 if (!RAND_bytes_ex(ch->port->engine->libctx, rscid.id, 8, 0)) { 1447 OPENSSL_free(ct_buf); 1448 return; 1449 } 1450 1451 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN)); 1452 1453 if (!generate_token(peer, ch->init_dcid, rscid, &token, 0) 1454 || !marshal_validation_token(&token, buffer, &token_buf_len) 1455 || !encrypt_validation_token(ch->port, buffer, token_buf_len, NULL, 1456 &ct_len) 1457 || ct_len > ENCRYPTED_TOKEN_MAX_LEN 1458 || !encrypt_validation_token(ch->port, buffer, token_buf_len, ct_buf, 1459 &ct_len) 1460 || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN)) { 1461 OPENSSL_free(ct_buf); 1462 cleanup_validation_token(&token); 1463 return; 1464 } 1465 1466 ch->pending_new_token = ct_buf; 1467 ch->pending_new_token_len = ct_len; 1468 1469 cleanup_validation_token(&token); 1470 } 1471 1472 /* 1473 * This is called by the demux when we get a packet not destined for any known 1474 * DCID. 1475 */ 1476 static void port_default_packet_handler(QUIC_URXE *e, void *arg, 1477 const QUIC_CONN_ID *dcid) 1478 { 1479 QUIC_PORT *port = arg; 1480 PACKET pkt; 1481 QUIC_PKT_HDR hdr; 1482 QUIC_CHANNEL *ch = NULL, *new_ch = NULL; 1483 QUIC_CONN_ID odcid, scid; 1484 uint8_t gen_new_token = 0; 1485 OSSL_QRX *qrx = NULL; 1486 OSSL_QRX *qrx_src = NULL; 1487 OSSL_QRX_ARGS qrx_args = {0}; 1488 uint64_t cause_flags = 0; 1489 OSSL_QRX_PKT *qrx_pkt = NULL; 1490 1491 /* Don't handle anything if we are no longer running. */ 1492 if (!ossl_quic_port_is_running(port)) 1493 goto undesirable; 1494 1495 if (port_try_handle_stateless_reset(port, e)) 1496 goto undesirable; 1497 1498 if (dcid != NULL 1499 && ossl_quic_lcidm_lookup(port->lcidm, dcid, NULL, 1500 (void **)&ch)) { 1501 assert(ch != NULL); 1502 ossl_quic_channel_inject(ch, e); 1503 return; 1504 } 1505 1506 /* 1507 * If we have an incoming packet which doesn't match any existing connection 1508 * we assume this is an attempt to make a new connection. 1509 */ 1510 if (!port->allow_incoming) 1511 goto undesirable; 1512 1513 /* 1514 * We have got a packet for an unknown DCID. This might be an attempt to 1515 * open a new connection. 1516 */ 1517 if (e->data_len < QUIC_MIN_INITIAL_DGRAM_LEN) 1518 goto undesirable; 1519 1520 if (!PACKET_buf_init(&pkt, ossl_quic_urxe_data(e), e->data_len)) 1521 goto undesirable; 1522 1523 /* 1524 * We set short_conn_id_len to SIZE_MAX here which will cause the decode 1525 * operation to fail if we get a 1-RTT packet. This is fine since we only 1526 * care about Initial packets. 1527 */ 1528 if (!ossl_quic_wire_decode_pkt_hdr(&pkt, SIZE_MAX, 1, 0, &hdr, NULL, 1529 &cause_flags)) { 1530 /* 1531 * If we fail due to a bad version, we know the packet up to the version 1532 * number was decoded, and we use it below to send a version 1533 * negotiation packet 1534 */ 1535 if ((cause_flags & QUIC_PKT_HDR_DECODE_BAD_VERSION) == 0) 1536 goto undesirable; 1537 } 1538 1539 switch (hdr.version) { 1540 case QUIC_VERSION_1: 1541 break; 1542 1543 case QUIC_VERSION_NONE: 1544 default: 1545 1546 /* 1547 * If we get here, then we have a bogus version, and might need 1548 * to send a version negotiation packet. According to 1549 * RFC 9000 s. 6 and 14.1, we only do so however, if the UDP datagram 1550 * is a minimum of 1200 bytes in size 1551 */ 1552 if (e->data_len < 1200) 1553 goto undesirable; 1554 1555 /* 1556 * If we don't get a supported version, respond with a ver 1557 * negotiation packet, and discard 1558 * TODO(QUIC FUTURE): Rate limit the reception of these 1559 */ 1560 port_send_version_negotiation(port, &e->peer, &hdr); 1561 goto undesirable; 1562 } 1563 1564 /* 1565 * We only care about Initial packets which might be trying to establish a 1566 * connection. 1567 */ 1568 if (hdr.type != QUIC_PKT_TYPE_INITIAL) 1569 goto undesirable; 1570 1571 odcid.id_len = 0; 1572 1573 /* 1574 * Create qrx now so we can check integrity of packet 1575 * which does not belong to any channel. 1576 */ 1577 qrx_args.libctx = port->engine->libctx; 1578 qrx_args.demux = port->demux; 1579 qrx_args.short_conn_id_len = dcid->id_len; 1580 qrx_args.max_deferred = 32; 1581 qrx = ossl_qrx_new(&qrx_args); 1582 if (qrx == NULL) 1583 goto undesirable; 1584 1585 /* 1586 * Derive secrets for qrx only. 1587 */ 1588 if (!ossl_quic_provide_initial_secret(port->engine->libctx, 1589 port->engine->propq, 1590 &hdr.dst_conn_id, 1591 /* is_server */ 1, 1592 qrx, NULL)) 1593 goto undesirable; 1594 1595 if (ossl_qrx_validate_initial_packet(qrx, e, (const QUIC_CONN_ID *)dcid) == 0) 1596 goto undesirable; 1597 1598 if (port->validate_addr == 0) { 1599 /* 1600 * Forget qrx, because it becomes (almost) useless here. We must let 1601 * channel to create a new QRX for connection ID server chooses. The 1602 * validation keys for new DCID will be derived by 1603 * ossl_quic_channel_on_new_conn() when we will be creating channel. 1604 * See RFC 9000 section 7.2 negotiating connection id to better 1605 * understand what's going on here. 1606 * 1607 * Did we say qrx is almost useless? Why? Because qrx remembers packets 1608 * we just validated. Those packets must be injected to channel we are 1609 * going to create. We use qrx_src alias so we can read packets from 1610 * qrx and inject them to channel. 1611 */ 1612 qrx_src = qrx; 1613 qrx = NULL; 1614 } 1615 /* 1616 * TODO(QUIC FUTURE): there should be some logic similar to accounting half-open 1617 * states in TCP. If we reach certain threshold, then we want to 1618 * validate clients. 1619 */ 1620 if (port->validate_addr == 1 && hdr.token == NULL) { 1621 port_send_retry(port, &e->peer, &hdr); 1622 goto undesirable; 1623 } 1624 1625 /* 1626 * Note, even if we don't enforce the sending of retry frames for 1627 * server address validation, we may still get a token if we sent 1628 * a NEW_TOKEN frame during a prior connection, which we should still 1629 * validate here 1630 */ 1631 if (hdr.token != NULL 1632 && port_validate_token(&hdr, port, &e->peer, 1633 &odcid, &scid, 1634 &gen_new_token) == 0) { 1635 /* 1636 * RFC 9000 s 8.1.3 1637 * When a server receives an Initial packet with an address 1638 * validation token, it MUST attempt to validate the token, 1639 * unless it has already completed address validation. 1640 * If the token is invalid, then the server SHOULD proceed as 1641 * if the client did not have a validated address, 1642 * including potentially sending a Retry packet 1643 * Note: If address validation is disabled, just act like 1644 * the request is valid 1645 */ 1646 if (port->validate_addr == 1) { 1647 /* 1648 * Again: we should consider saving initial encryption level 1649 * secrets to token here to save some CPU cycles. 1650 */ 1651 port_send_retry(port, &e->peer, &hdr); 1652 goto undesirable; 1653 } 1654 1655 /* 1656 * client is under amplification limit, until it completes 1657 * handshake. 1658 * 1659 * forget qrx so channel can create a new one 1660 * with valid initial encryption level keys. 1661 */ 1662 qrx_src = qrx; 1663 qrx = NULL; 1664 } 1665 1666 port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id, 1667 &odcid, qrx, &new_ch); 1668 1669 /* 1670 * if packet validates it gets moved to channel, we've just bound 1671 * to port. 1672 */ 1673 if (new_ch == NULL) 1674 goto undesirable; 1675 1676 /* 1677 * Generate a token for sending in a later NEW_TOKEN frame 1678 */ 1679 if (gen_new_token == 1) 1680 generate_new_token(new_ch, &e->peer); 1681 1682 if (qrx != NULL) { 1683 /* 1684 * The qrx belongs to channel now, so don't free it. 1685 */ 1686 qrx = NULL; 1687 } else { 1688 /* 1689 * We still need to salvage packets from almost forgotten qrx 1690 * and pass them to channel. 1691 */ 1692 while (ossl_qrx_read_pkt(qrx_src, &qrx_pkt) == 1) 1693 ossl_quic_channel_inject_pkt(new_ch, qrx_pkt); 1694 ossl_qrx_update_pn_space(qrx_src, new_ch->qrx); 1695 } 1696 1697 /* 1698 * If function reaches this place, then packet got validated in 1699 * ossl_qrx_validate_initial_packet(). Keep in mind the function 1700 * ossl_qrx_validate_initial_packet() decrypts the packet to validate it. 1701 * If packet validation was successful (and it was because we are here), 1702 * then the function puts the packet to qrx->rx_pending. We must not call 1703 * ossl_qrx_inject_urxe() here now, because we don't want to insert 1704 * the packet to qrx->urx_pending which keeps packet waiting for decryption. 1705 * 1706 * We are going to call ossl_quic_demux_release_urxe() to dispose buffer 1707 * which still holds encrypted data. 1708 */ 1709 1710 undesirable: 1711 ossl_qrx_free(qrx); 1712 ossl_qrx_free(qrx_src); 1713 ossl_quic_demux_release_urxe(port->demux, e); 1714 } 1715 1716 void ossl_quic_port_raise_net_error(QUIC_PORT *port, 1717 QUIC_CHANNEL *triggering_ch) 1718 { 1719 QUIC_CHANNEL *ch; 1720 1721 if (!ossl_quic_port_is_running(port)) 1722 return; 1723 1724 /* 1725 * Immediately capture any triggering error on the error stack, with a 1726 * cover error. 1727 */ 1728 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR, 1729 "port failed due to network BIO I/O error"); 1730 OSSL_ERR_STATE_save(port->err_state); 1731 1732 port_transition_failed(port); 1733 1734 /* Give the triggering channel (if any) the first notification. */ 1735 if (triggering_ch != NULL) 1736 ossl_quic_channel_raise_net_error(triggering_ch); 1737 1738 OSSL_LIST_FOREACH(ch, ch, &port->channel_list) 1739 if (ch != triggering_ch) 1740 ossl_quic_channel_raise_net_error(ch); 1741 } 1742 1743 void ossl_quic_port_restore_err_state(const QUIC_PORT *port) 1744 { 1745 ERR_clear_error(); 1746 OSSL_ERR_STATE_restore(port->err_state); 1747 } 1748