xref: /openssl/ssl/quic/quic_tls.c (revision b6461792)
1 /*
2  * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
13 #include "internal/quic_error.h"
14 
15 #define QUIC_TLS_FATAL(rl, ad, err) \
16     do { \
17         if ((rl) != NULL) (rl)->alert = (ad); \
18         ERR_raise(ERR_LIB_SSL, (err)); \
19         if ((rl) != NULL) (rl)->qtls->inerror = 1; \
20     } while(0)
21 
22 struct quic_tls_st {
23     QUIC_TLS_ARGS args;
24 
25     /*
26      * Transport parameters which client should send. Buffer lifetime must
27      * exceed the lifetime of the QUIC_TLS object.
28      */
29     const unsigned char *local_transport_params;
30     size_t local_transport_params_len;
31 
32     ERR_STATE *error_state;
33 
34     /*
35      * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
36      * only if inerror is 1.
37      */
38     uint64_t error_code;
39 
40     /*
41      * Error message with static storage duration. Valid only if inerror is 1.
42      * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
43      */
44     const char *error_msg;
45 
46     /* Whether our SSL object for TLS has been configured for use in QUIC */
47     unsigned int configured : 1;
48 
49     /* Set if we have hit any error state */
50     unsigned int inerror : 1;
51 
52     /* Set if the handshake has completed */
53     unsigned int complete : 1;
54 };
55 
56 struct ossl_record_layer_st {
57     QUIC_TLS *qtls;
58 
59     /* Protection level */
60     int level;
61 
62     /* Only used for retry flags */
63     BIO *dummybio;
64 
65     /* Number of bytes written so far if we are part way through a write */
66     size_t written;
67 
68     /* If we are part way through a write, a copy of the template */
69     OSSL_RECORD_TEMPLATE template;
70 
71     /*
72      * If we hit an error, what alert code should be used
73      */
74     int alert;
75 
76     /* Amount of crypto stream data we read in the last call to quic_read_record */
77     size_t recread;
78 
79     /* Amount of crypto stream data read but not yet released */
80     size_t recunreleased;
81 
82     /* Callbacks */
83     OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
84     void *cbarg;
85 };
86 
87 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
88 static int quic_free(OSSL_RECORD_LAYER *r);
89 
90 static int
quic_new_record_layer(OSSL_LIB_CTX * libctx,const char * propq,int vers,int role,int direction,int level,uint16_t epoch,unsigned char * secret,size_t secretlen,unsigned char * key,size_t keylen,unsigned char * iv,size_t ivlen,unsigned char * mackey,size_t mackeylen,const EVP_CIPHER * ciph,size_t taglen,int mactype,const EVP_MD * md,COMP_METHOD * comp,const EVP_MD * kdfdigest,BIO * prev,BIO * transport,BIO * next,BIO_ADDR * local,BIO_ADDR * peer,const OSSL_PARAM * settings,const OSSL_PARAM * options,const OSSL_DISPATCH * fns,void * cbarg,void * rlarg,OSSL_RECORD_LAYER ** retrl)91 quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
92                       int role, int direction, int level, uint16_t epoch,
93                       unsigned char *secret, size_t secretlen,
94                       unsigned char *key, size_t keylen, unsigned char *iv,
95                       size_t ivlen, unsigned char *mackey, size_t mackeylen,
96                       const EVP_CIPHER *ciph, size_t taglen,
97                       int mactype,
98                       const EVP_MD *md, COMP_METHOD *comp,
99                       const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
100                       BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
101                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
102                       const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
103                       OSSL_RECORD_LAYER **retrl)
104 {
105     OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
106     uint32_t enc_level;
107     int qdir;
108     uint32_t suite_id = 0;
109 
110     if (rl == NULL) {
111         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
112         return 0;
113     }
114 
115     rl->qtls = (QUIC_TLS *)rlarg;
116     rl->level = level;
117     if (!quic_set1_bio(rl, transport)) {
118         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
119         goto err;
120     }
121     rl->cbarg = cbarg;
122     *retrl = rl;
123 
124     if (fns != NULL) {
125         for (; fns->function_id != 0; fns++) {
126             switch (fns->function_id) {
127                 break;
128             case OSSL_FUNC_RLAYER_MSG_CALLBACK:
129                 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
130                 break;
131             default:
132                 /* Just ignore anything we don't understand */
133                 break;
134             }
135         }
136     }
137 
138     switch (level) {
139     case OSSL_RECORD_PROTECTION_LEVEL_NONE:
140         return 1;
141 
142     case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
143         enc_level = QUIC_ENC_LEVEL_0RTT;
144         break;
145 
146     case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
147         enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
148         break;
149 
150     case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
151         enc_level = QUIC_ENC_LEVEL_1RTT;
152         break;
153 
154     default:
155         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
156         goto err;
157     }
158 
159     if (direction == OSSL_RECORD_DIRECTION_READ)
160         qdir = 0;
161     else
162         qdir = 1;
163 
164     if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
165         suite_id = QRL_SUITE_AES128GCM;
166     } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
167         suite_id = QRL_SUITE_AES256GCM;
168     } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
169         suite_id = QRL_SUITE_CHACHA20POLY1305;
170     } else {
171         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
172         goto err;
173     }
174 
175     /* We pass a ref to the md in a successful yield_secret_cb call */
176     /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
177     if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
178         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
179         goto err;
180     }
181 
182     if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
183                                         (EVP_MD *)kdfdigest, secret, secretlen,
184                                         rl->qtls->args.yield_secret_cb_arg)) {
185         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
186         EVP_MD_free((EVP_MD *)kdfdigest);
187         goto err;
188     }
189 
190     return 1;
191  err:
192     *retrl = NULL;
193     quic_free(rl);
194     return 0;
195 }
196 
quic_free(OSSL_RECORD_LAYER * rl)197 static int quic_free(OSSL_RECORD_LAYER *rl)
198 {
199     if (rl == NULL)
200         return 1;
201 
202     BIO_free(rl->dummybio);
203     OPENSSL_free(rl);
204     return 1;
205 }
206 
quic_unprocessed_read_pending(OSSL_RECORD_LAYER * rl)207 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
208 {
209     /*
210      * Read ahead isn't really a thing for QUIC so we never have unprocessed
211      * data pending
212      */
213     return 0;
214 }
215 
quic_processed_read_pending(OSSL_RECORD_LAYER * rl)216 static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
217 {
218     /*
219      * This is currently only ever used by:
220      * - SSL_has_pending()
221      * - to check whether we have more records that we want to supply to the
222      *   upper layers
223      *
224      * We only ever supply 1 record at a time to the upper layers, and
225      * SSL_has_pending() will go via the QUIC method not the TLS method so that
226      * use case doesn't apply here.
227      * Therefore we can ignore this for now and always return 0. We might
228      * eventually want to change this to check in the receive buffers to see if
229      * we have any more data pending.
230      */
231     return 0;
232 }
233 
quic_get_max_records(OSSL_RECORD_LAYER * rl,uint8_t type,size_t len,size_t maxfrag,size_t * preffrag)234 static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
235                                    size_t len,
236                                    size_t maxfrag, size_t *preffrag)
237 {
238     return 1;
239 }
240 
quic_write_records(OSSL_RECORD_LAYER * rl,OSSL_RECORD_TEMPLATE * template,size_t numtempl)241 static int quic_write_records(OSSL_RECORD_LAYER *rl,
242                               OSSL_RECORD_TEMPLATE *template,
243                               size_t numtempl)
244 {
245     size_t consumed;
246     unsigned char alert;
247 
248     if (!ossl_assert(numtempl == 1)) {
249         /* How could this be? quic_get_max_records() always returns 1 */
250         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
251         return OSSL_RECORD_RETURN_FATAL;
252     }
253 
254     BIO_clear_retry_flags(rl->dummybio);
255 
256     if (rl->msg_callback != NULL) {
257         unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
258 
259         /*
260          * For the purposes of the callback we "pretend" to be normal TLS,
261          * and manufacture a dummy record header
262          */
263         dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
264                         ? template->type
265                         : SSL3_RT_APPLICATION_DATA;
266         dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
267         dummyrec[2] = (unsigned char)(template->version & 0xff);
268         /*
269          * We assume that buflen is always <= UINT16_MAX. Since this is
270          * generated by libssl itself we actually expect it to never
271          * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
272          * assumption
273          */
274         dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
275         dummyrec[4] = (unsigned char)(template->buflen & 0xff);
276 
277         rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
278                             SSL3_RT_HEADER_LENGTH, rl->cbarg);
279 
280         if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
281             rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
282                              &template->type, 1, rl->cbarg);
283         }
284     }
285 
286     switch (template->type) {
287     case SSL3_RT_ALERT:
288         if (template->buflen != 2) {
289             /*
290              * We assume that libssl always sends both bytes of an alert to
291              * us in one go, and never fragments it. If we ever get more
292              * or less bytes than exactly 2 then this is very unexpected.
293              */
294             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
295             return OSSL_RECORD_RETURN_FATAL;
296         }
297         /*
298          * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
299          * description that we are actually interested in.
300          */
301         alert = template->buf[1];
302 
303         if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
304             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
305             return OSSL_RECORD_RETURN_FATAL;
306         }
307         break;
308 
309     case SSL3_RT_HANDSHAKE:
310         /*
311          * We expect this to only fail on some fatal error (e.g. malloc
312          * failure)
313          */
314         if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
315                                            template->buflen - rl->written,
316                                            &consumed,
317                                            rl->qtls->args.crypto_send_cb_arg)) {
318             QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
319             return OSSL_RECORD_RETURN_FATAL;
320         }
321         /*
322          * We might have written less than we wanted to if we have filled the
323          * send stream buffer.
324          */
325         if (consumed + rl->written != template->buflen) {
326             if (!ossl_assert(consumed + rl->written < template->buflen)) {
327                 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
328                 return OSSL_RECORD_RETURN_FATAL;
329             }
330 
331             /*
332              * We've not written everything we wanted to. Take a copy of the
333              * template, remember how much we wrote so far and signal a retry.
334              * The buffer supplied in the template is guaranteed to be the same
335              * on a retry for handshake data
336              */
337             rl->written += consumed;
338             rl->template = *template;
339             BIO_set_retry_write(rl->dummybio);
340 
341             return OSSL_RECORD_RETURN_RETRY;
342         }
343         rl->written = 0;
344         break;
345 
346     default:
347         /* Anything else is unexpected and an error */
348         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
349         return OSSL_RECORD_RETURN_FATAL;
350     }
351 
352     return OSSL_RECORD_RETURN_SUCCESS;
353 }
354 
quic_retry_write_records(OSSL_RECORD_LAYER * rl)355 static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
356 {
357     return quic_write_records(rl, &rl->template, 1);
358 }
359 
quic_read_record(OSSL_RECORD_LAYER * rl,void ** rechandle,int * rversion,uint8_t * type,const unsigned char ** data,size_t * datalen,uint16_t * epoch,unsigned char * seq_num)360 static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
361                             int *rversion, uint8_t *type, const unsigned char **data,
362                             size_t *datalen, uint16_t *epoch,
363                             unsigned char *seq_num)
364 {
365     if (rl->recread != 0 || rl->recunreleased != 0)
366         return OSSL_RECORD_RETURN_FATAL;
367 
368     BIO_clear_retry_flags(rl->dummybio);
369 
370     if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
371                                            rl->qtls->args.crypto_recv_rcd_cb_arg)) {
372         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
373         return OSSL_RECORD_RETURN_FATAL;
374     }
375 
376     if (*datalen == 0) {
377         BIO_set_retry_read(rl->dummybio);
378         return OSSL_RECORD_RETURN_RETRY;
379     }
380 
381     *rechandle = rl;
382     *rversion = TLS1_3_VERSION;
383     *type = SSL3_RT_HANDSHAKE;
384     rl->recread = rl->recunreleased = *datalen;
385     /* epoch/seq_num are not relevant for TLS */
386 
387     if (rl->msg_callback != NULL) {
388         unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
389 
390         /*
391          * For the purposes of the callback we "pretend" to be normal TLS,
392          * and manufacture a dummy record header
393          */
394         dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
395                       ? SSL3_RT_HANDSHAKE
396                       : SSL3_RT_APPLICATION_DATA;
397         dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
398         dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
399         /*
400          * *datalen will always fit into 2 bytes because our original buffer
401          * size is less than that.
402          */
403         dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
404         dummyrec[4] = (unsigned char)(*datalen & 0xff);
405 
406         rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
407                          SSL3_RT_HEADER_LENGTH, rl->cbarg);
408         rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
409                          rl->cbarg);
410     }
411 
412     return OSSL_RECORD_RETURN_SUCCESS;
413 }
414 
quic_release_record(OSSL_RECORD_LAYER * rl,void * rechandle,size_t length)415 static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
416                                size_t length)
417 {
418     if (!ossl_assert(rl->recread > 0)
419             || !ossl_assert(rl->recunreleased <= rl->recread)
420             || !ossl_assert(rl == rechandle)
421             || !ossl_assert(length <= rl->recunreleased)) {
422         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
423         return OSSL_RECORD_RETURN_FATAL;
424     }
425 
426     rl->recunreleased -= length;
427 
428     if (rl->recunreleased > 0)
429         return OSSL_RECORD_RETURN_SUCCESS;
430 
431     if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
432                                               rl->qtls->args.crypto_release_rcd_cb_arg)) {
433         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
434         return OSSL_RECORD_RETURN_FATAL;
435     }
436 
437     rl->recread = 0;
438     return OSSL_RECORD_RETURN_SUCCESS;
439 }
440 
quic_get_alert_code(OSSL_RECORD_LAYER * rl)441 static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
442 {
443     return rl->alert;
444 }
445 
quic_set_protocol_version(OSSL_RECORD_LAYER * rl,int version)446 static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
447 {
448     /* We only support TLSv1.3, so its bad if we negotiate anything else */
449     if (!ossl_assert(version == TLS1_3_VERSION)) {
450         QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
451         return 0;
452     }
453 
454     return 1;
455 }
456 
quic_set_plain_alerts(OSSL_RECORD_LAYER * rl,int allow)457 static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
458 {
459     /* We don't care */
460 }
461 
quic_set_first_handshake(OSSL_RECORD_LAYER * rl,int first)462 static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
463 {
464     /* We don't care */
465 }
466 
quic_set_max_pipelines(OSSL_RECORD_LAYER * rl,size_t max_pipelines)467 static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
468 {
469     /* We don't care */
470 }
471 
quic_get_state(OSSL_RECORD_LAYER * rl,const char ** shortstr,const char ** longstr)472 static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
473                     const char **longstr)
474 {
475     /*
476      * According to the docs, valid read state strings are: "RH"/"read header",
477      * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
478      * that way, so we report every "normal" state as "read header". In the
479      * event of error then we report "unknown".
480      */
481 
482     if (rl->qtls->inerror) {
483         if (shortstr != NULL)
484             *shortstr = "unknown";
485         if (longstr != NULL)
486             *longstr = "unknown";
487     } else {
488         if (shortstr != NULL)
489             *shortstr = "RH";
490         if (longstr != NULL)
491             *longstr = "read header";
492     }
493 }
494 
quic_set_options(OSSL_RECORD_LAYER * rl,const OSSL_PARAM * options)495 static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
496 {
497     /*
498      * We don't support any options yet - but we might do at some point so
499      * this could be useful.
500      */
501     return 1;
502 }
503 
quic_get_compression(OSSL_RECORD_LAYER * rl)504 static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
505 {
506     /* We only support TLSv1.3 which doesn't have compression */
507     return NULL;
508 }
509 
quic_set_max_frag_len(OSSL_RECORD_LAYER * rl,size_t max_frag_len)510 static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
511 {
512     /* This really doesn't make any sense for QUIC. Ignore it */
513 }
514 
quic_alloc_buffers(OSSL_RECORD_LAYER * rl)515 static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
516 {
517     /*
518      * This is a hint only. We don't support it (yet), so just ignore the
519      * request
520      */
521     return 1;
522 }
523 
quic_free_buffers(OSSL_RECORD_LAYER * rl)524 static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
525 {
526     /*
527      * This is a hint only. We don't support it (yet), so just ignore the
528      * request
529      */
530     return 1;
531 }
532 
quic_set1_bio(OSSL_RECORD_LAYER * rl,BIO * bio)533 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
534 {
535     if (bio != NULL && !BIO_up_ref(bio))
536         return 0;
537     BIO_free(rl->dummybio);
538     rl->dummybio = bio;
539 
540     return 1;
541 }
542 
543 /*
544  * Never called functions
545  *
546  * Due to the way we are configured and used we never expect any of the next set
547  * of functions to be called. Therefore we set them to always fail.
548  */
549 
quic_app_data_pending(OSSL_RECORD_LAYER * rl)550 static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
551 {
552     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
553     return (size_t)ossl_assert(0);
554 }
555 
quic_get_max_record_overhead(OSSL_RECORD_LAYER * rl)556 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
557 {
558     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
559     return (size_t)ossl_assert(0);
560 }
561 
quic_increment_sequence_ctr(OSSL_RECORD_LAYER * rl)562 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
563 {
564     QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
565     return ossl_assert(0);
566 }
567 
568 /* End of never called functions */
569 
570 static const OSSL_RECORD_METHOD quic_tls_record_method = {
571     quic_new_record_layer,
572     quic_free,
573     quic_unprocessed_read_pending,
574     quic_processed_read_pending,
575     quic_app_data_pending, /* Never called */
576     quic_get_max_records,
577     quic_write_records,
578     quic_retry_write_records,
579     quic_read_record,
580     quic_release_record,
581     quic_get_alert_code,
582     quic_set1_bio,
583     quic_set_protocol_version,
584     quic_set_plain_alerts,
585     quic_set_first_handshake,
586     quic_set_max_pipelines,
587     NULL, /* set_in_init: Optional - we don't need it */
588     quic_get_state,
589     quic_set_options,
590     quic_get_compression,
591     quic_set_max_frag_len,
592     quic_get_max_record_overhead, /* Never called */
593     quic_increment_sequence_ctr, /* Never called */
594     quic_alloc_buffers,
595     quic_free_buffers
596 };
597 
add_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)598 static int add_transport_params_cb(SSL *s, unsigned int ext_type,
599                                    unsigned int context,
600                                    const unsigned char **out, size_t *outlen,
601                                    X509 *x, size_t chainidx, int *al,
602                                    void *add_arg)
603 {
604     QUIC_TLS *qtls = add_arg;
605 
606     *out = qtls->local_transport_params;
607     *outlen = qtls->local_transport_params_len;
608     return 1;
609 }
610 
free_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)611 static void free_transport_params_cb(SSL *s, unsigned int ext_type,
612                                      unsigned int context,
613                                      const unsigned char *out,
614                                      void *add_arg)
615 {
616 }
617 
parse_transport_params_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)618 static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
619                                      unsigned int context,
620                                      const unsigned char *in,
621                                      size_t inlen, X509 *x,
622                                      size_t chainidx,
623                                      int *al, void *parse_arg)
624 {
625     QUIC_TLS *qtls = parse_arg;
626 
627     return qtls->args.got_transport_params_cb(in, inlen,
628                                               qtls->args.got_transport_params_cb_arg);
629 }
630 
ossl_quic_tls_new(const QUIC_TLS_ARGS * args)631 QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
632 {
633     QUIC_TLS *qtls;
634 
635     if (args->crypto_send_cb == NULL
636         || args->crypto_recv_rcd_cb == NULL
637         || args->crypto_release_rcd_cb == NULL) {
638         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
639         return NULL;
640     }
641 
642     qtls = OPENSSL_zalloc(sizeof(*qtls));
643     if (qtls == NULL)
644         return NULL;
645 
646     if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
647         OPENSSL_free(qtls);
648         return NULL;
649     }
650 
651     qtls->args = *args;
652     return qtls;
653 }
654 
ossl_quic_tls_free(QUIC_TLS * qtls)655 void ossl_quic_tls_free(QUIC_TLS *qtls)
656 {
657     if (qtls == NULL)
658         return;
659     OSSL_ERR_STATE_free(qtls->error_state);
660     OPENSSL_free(qtls);
661 }
662 
raise_error(QUIC_TLS * qtls,uint64_t error_code,const char * error_msg,const char * src_file,int src_line,const char * src_func)663 static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
664                        const char *error_msg,
665                        const char *src_file,
666                        int src_line,
667                        const char *src_func)
668 {
669     /*
670      * When QTLS fails, add a "cover letter" error with information, potentially
671      * with any underlying libssl errors underneath it (but our cover error may
672      * be the only error in some cases). Then capture this into an ERR_STATE so
673      * we can report it later if need be when the QUIC_CHANNEL asks for it.
674      */
675     ERR_new();
676     ERR_set_debug(src_file, src_line, src_func);
677     ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
678                   "handshake layer error, error code %llu (0x%llx) (\"%s\")",
679                   error_code, error_code, error_msg);
680     OSSL_ERR_STATE_save_to_mark(qtls->error_state);
681 
682     /*
683      * We record the error information reported via the QUIC protocol
684      * separately.
685      */
686     qtls->error_code        = error_code;
687     qtls->error_msg         = error_msg;
688     qtls->inerror           = 1;
689 
690     ERR_pop_to_mark();
691     return 0;
692 }
693 
694 #define RAISE_ERROR(qtls, error_code, error_msg) \
695     raise_error((qtls), (error_code), (error_msg), \
696                 OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
697 
698 #define RAISE_INTERNAL_ERROR(qtls) \
699     RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
700 
ossl_quic_tls_tick(QUIC_TLS * qtls)701 int ossl_quic_tls_tick(QUIC_TLS *qtls)
702 {
703     int ret, err;
704     const unsigned char *alpn;
705     unsigned int alpnlen;
706 
707     if (qtls->inerror)
708         return 0;
709 
710     /*
711      * SSL_get_error does not truly know what the cause of an SSL_read failure
712      * is and to some extent guesses based on contextual information. In
713      * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
714      * SSL_ERROR_SYSCALL will be returned no matter what and there is no
715      * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
716      * the actual cause of the SSL_read() failure.
717      *
718      * This means that ordinarily, the below code might not work right if the
719      * application has any ERR on the error stack. In order to make this code
720      * perform correctly regardless of prior ERR state, we use a variant of
721      * SSL_get_error() which ignores the error stack. However, some ERRs are
722      * raised by SSL_read() and actually indicate that something has gone wrong
723      * during the call to SSL_read(). We therefore adopt a strategy of marking
724      * the ERR stack and seeing if any errors get appended during the call to
725      * SSL_read(). If they are, we assume SSL_read() has raised an error and
726      * that we should use normal SSL_get_error() handling.
727      *
728      * NOTE: Ensure all escape paths from this function call
729      * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
730      */
731     ERR_set_mark();
732 
733     if (!qtls->configured) {
734         SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
735         SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
736         BIO *nullbio;
737 
738         /*
739          * No matter how the user has configured us, there are certain
740          * requirements for QUIC-TLS that we enforce
741          */
742 
743         /* ALPN is a requirement for QUIC and must be set */
744         if (qtls->args.is_server) {
745             if (sctx->ext.alpn_select_cb == NULL)
746                 return RAISE_INTERNAL_ERROR(qtls);
747         } else {
748             if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
749                 return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
750                                    "ALPN must be configured when using QUIC");
751         }
752         if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
753             return RAISE_INTERNAL_ERROR(qtls);
754 
755         SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
756         ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
757 
758         if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
759                                             qtls->args.is_server ? ENDPOINT_SERVER
760                                                                  : ENDPOINT_CLIENT,
761                                             TLSEXT_TYPE_quic_transport_parameters,
762                                             SSL_EXT_TLS1_3_ONLY
763                                             | SSL_EXT_CLIENT_HELLO
764                                             | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
765                                             add_transport_params_cb,
766                                             free_transport_params_cb, qtls,
767                                             parse_transport_params_cb, qtls))
768             return RAISE_INTERNAL_ERROR(qtls);
769 
770         nullbio = BIO_new(BIO_s_null());
771         if (nullbio == NULL)
772             return RAISE_INTERNAL_ERROR(qtls);
773 
774         /*
775          * Our custom record layer doesn't use the BIO - but libssl generally
776          * expects one to be present.
777          */
778         SSL_set_bio(qtls->args.s, nullbio, nullbio);
779 
780         if (qtls->args.is_server)
781             SSL_set_accept_state(qtls->args.s);
782         else
783             SSL_set_connect_state(qtls->args.s);
784 
785         qtls->configured = 1;
786     }
787 
788     if (qtls->complete)
789         /*
790          * There should never be app data to read, but calling SSL_read() will
791          * ensure any post-handshake messages are processed.
792          */
793         ret = SSL_read(qtls->args.s, NULL, 0);
794     else
795         ret = SSL_do_handshake(qtls->args.s);
796 
797     if (ret <= 0) {
798         err = ossl_ssl_get_error(qtls->args.s, ret,
799                                  /*check_err=*/ERR_count_to_mark() > 0);
800 
801         switch (err) {
802         case SSL_ERROR_WANT_READ:
803         case SSL_ERROR_WANT_WRITE:
804         case SSL_ERROR_WANT_CLIENT_HELLO_CB:
805         case SSL_ERROR_WANT_X509_LOOKUP:
806         case SSL_ERROR_WANT_RETRY_VERIFY:
807             ERR_pop_to_mark();
808             return 1;
809 
810         default:
811             return RAISE_INTERNAL_ERROR(qtls);
812         }
813     }
814 
815     if (!qtls->complete) {
816         /* Validate that we have ALPN */
817         SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
818         if (alpn == NULL || alpnlen == 0)
819             return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
820                                "no application protocol negotiated");
821 
822         qtls->complete = 1;
823         ERR_pop_to_mark();
824         return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
825     }
826 
827     ERR_pop_to_mark();
828     return 1;
829 }
830 
ossl_quic_tls_set_transport_params(QUIC_TLS * qtls,const unsigned char * transport_params,size_t transport_params_len)831 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
832                                        const unsigned char *transport_params,
833                                        size_t transport_params_len)
834 {
835     qtls->local_transport_params       = transport_params;
836     qtls->local_transport_params_len   = transport_params_len;
837     return 1;
838 }
839 
ossl_quic_tls_get_error(QUIC_TLS * qtls,uint64_t * error_code,const char ** error_msg,ERR_STATE ** error_state)840 int ossl_quic_tls_get_error(QUIC_TLS *qtls,
841                             uint64_t *error_code,
842                             const char **error_msg,
843                             ERR_STATE **error_state)
844 {
845     if (qtls->inerror) {
846         *error_code     = qtls->error_code;
847         *error_msg      = qtls->error_msg;
848         *error_state    = qtls->error_state;
849     }
850 
851     return qtls->inerror;
852 }
853 
854 /*
855  * Returns true if the last handshake record message we processed was a
856  * CertificateRequest
857  */
ossl_quic_tls_is_cert_request(QUIC_TLS * qtls)858 int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
859 {
860     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
861 
862     return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
863 }
864 
865 /*
866  * Returns true if the last session associated with the connection has an
867  * invalid max_early_data value for QUIC.
868  */
ossl_quic_tls_has_bad_max_early_data(QUIC_TLS * qtls)869 int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
870 {
871     uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
872 
873     /*
874      * If max_early_data was present we always ensure a non-zero value is
875      * stored in the session for QUIC. Therefore if max_early_data == 0 here
876      * we can be confident that it was not present in the NewSessionTicket
877      */
878     return max_early_data != 0xffffffff && max_early_data != 0;
879 }
880