1QUIC Fault Injector 2=================== 3 4The OpenSSL QUIC implementation receives QUIC packets from the network layer and 5processes them accordingly. It will need to behave appropriately in the event of 6a misbehaving peer, i.e. one which is sending protocol elements (e.g. datagrams, 7packets, frames, etc) that are not in accordance with the specifications or 8OpenSSL's expectations. 9 10The QUIC Fault Injector is a component within the OpenSSL test framework that 11can be used to simulate misbehaving peers and confirm that OpenSSL QUIC 12implementation behaves in the expected manner in the event of such misbehaviour. 13 14Typically an individual test will inject one particular misbehaviour (i.e. a 15fault) into an otherwise normal QUIC connection. Therefore the fault injector 16will have to be capable of creating fully normal QUIC protocol elements, but 17also offer the flexibility for a test to modify those normal protocol elements 18as required for the specific test circumstances. The OpenSSL QUIC implementation 19in libssl does not offer the capability to send faults since it is designed to 20be RFC compliant. 21 22The QUIC Fault Injector will be external to libssl (it will be in the test 23framework) but it will reuse the standards compliant QUIC implementation in 24libssl and will make use of 3 integration points to inject faults. 2 of these 25integration points will use new callbacks added to libssl. The final integration 26point does not require any changes to libssl to work. 27 28QUIC Integration Points 29----------------------- 30 31### TLS Handshake 32 33Fault Injector based tests may need to inject faults directly into the TLS 34handshake data (i.e. the contents of CRYPTO frames). However such faults may 35need to be done in handshake messages that would normally be encrypted. 36Additionally the contents of handshake messages are hashed and each peer 37confirms that the other peer has the same calculated hash value as part of the 38"Finished" message exchange - so any modifications would be rejected and the 39handshake would fail. 40 41An example test might be to confirm that an OpenSSL QUIC client behaves 42correctly in the case that the server provides incorrectly formatted transport 43parameters. These transport parameters are sent from the server in the 44EncryptedExtensions message. That message is encrypted and so cannot be 45modified by a "man-in-the-middle". 46 47To support this integration point two new callbacks will be introduced to libssl 48that enables modification of handshake data prior to it being encrypted and 49hashed. These callbacks will be internal only (i.e. not part of the public API) 50and so only usable by the Fault Injector. 51 52The new libssl callbacks will be as follows: 53 54```` C 55typedef int (*ossl_statem_mutate_handshake_cb)(const unsigned char *msgin, 56 size_t inlen, 57 unsigned char **msgout, 58 size_t *outlen, 59 void *arg); 60 61typedef void (*ossl_statem_finish_mutate_handshake_cb)(void *arg); 62 63int ossl_statem_set_mutator(SSL *s, 64 ossl_statem_mutate_handshake_cb mutate_handshake_cb, 65 ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb, 66 void *mutatearg); 67```` 68 69The two callbacks are set via a single internal function call 70`ossl_statem_set_mutator`. The mutator callback `mutate_handshake_cb` will be 71called after each handshake message has been constructed and is ready to send, but 72before it has been passed through the handshake hashing code. It will be passed 73a pointer to the constructed handshake message in `msgin` along with its 74associated length in `inlen`. The mutator will construct a replacement handshake 75message (typically by copying the input message and modifying it) and store it 76in a newly allocated buffer. A pointer to the new buffer will be passed back 77in `*msgout` and its length will be stored in `*outlen`. Optionally the mutator 78can choose to not mutate by simply creating a new buffer with a copy of the data 79in it. A return value of 1 indicates that the callback completed successfully. A 80return value of 0 indicates a fatal error. 81 82Once libssl has finished using the mutated buffer it will call the 83`finish_mutate_handshake_cb` callback which can then release the buffer and 84perform any other cleanup as required. 85 86### QUIC Pre-Encryption Packets 87 88QUIC Packets are the primary mechanism for exchanging protocol data within QUIC. 89Multiple packets may be held within a single datagram, and each packet may 90itself contain multiple frames. A packet gets protected via an AEAD encryption 91algorithm prior to it being sent. Fault Injector based tests may need to inject 92faults into these packets prior to them being encrypted. 93 94An example test might insert an unrecognised frame type into a QUIC packet to 95confirm that an OpenSSL QUIC client handles it appropriately (e.g. by raising a 96protocol error). 97 98The above functionality will be supported by the following two new callbacks 99which will provide the ability to mutate packets before they are encrypted and 100sent. As for the TLS callbacks these will be internal only and not part of the 101public API. 102 103```` C 104typedef int (*ossl_mutate_packet_cb)(const QUIC_PKT_HDR *hdrin, 105 const OSSL_QTX_IOVEC *iovecin, size_t numin, 106 QUIC_PKT_HDR **hdrout, 107 const OSSL_QTX_IOVEC **iovecout, 108 size_t *numout, 109 void *arg); 110 111typedef void (*ossl_finish_mutate_cb)(void *arg); 112 113void ossl_qtx_set_mutator(OSSL_QTX *qtx, ossl_mutate_packet_cb mutatecb, 114 ossl_finish_mutate_cb finishmutatecb, void *mutatearg); 115```` 116 117A single new function call will set both callbacks. The `mutatecb` callback will 118be invoked after each packet has been constructed but before protection has 119been applied to it. The header for the packet will be pointed to by `hdrin` and 120the payload will be in an iovec array pointed to by `iovecin` and containing 121`numin` iovecs. The `mutatecb` callback is expected to allocate a new header 122structure and return it in `*hdrout` and a new set of iovecs to be stored in 123`*iovecout`. The number of iovecs need not be the same as the input. The number 124of iovecs in the output array is stored in `*numout`. Optionally the callback 125can choose to not mutate by simply creating new iovecs/headers with a copy of the 126data in it. A return value of 1 indicates that the callback completed 127successfully. A return value of 0 indicates a fatal error. 128 129Once the OpenSSL QUIC implementation has finished using the mutated buffers the 130`finishmutatecb` callback is called. This is expected to free any resources and 131buffers that were allocated as part of the `mutatecb` call. 132 133### QUIC Datagrams 134 135Encrypted QUIC packets are sent in datagrams. There may be more than one QUIC 136packet in a single datagram. Fault Injector based tests may need to inject 137faults directly into these datagrams. 138 139An example test might modify an encrypted packet to confirm that the AEAD 140decryption process rejects it. 141 142In order to provide this functionality the QUIC Fault Injector will insert 143itself as a man-in-the-middle between the client and server. A BIO_s_dgram_pair() 144will be used with one of the pair being used on the client end and the other 145being associated with the Fault Injector. Similarly a second BIO_s_dgram_pair() 146will be created with one used on the server and other used with the Fault 147Injector. 148 149With this setup the Fault Injector will act as a proxy and simply pass 150datagrams sent from the client on to the server, and vice versa. Where a test 151requires a modification to be made, that will occur prior to the datagram being 152sent on. 153 154This will all be implemented using public BIO APIs without requiring any 155additional internal libssl callbacks. 156 157Fault Injector API 158------------------ 159 160The Fault Injector will utilise the callbacks described above in order to supply 161a more test friendly API to test authors. 162 163This API will primarily take the form of a set of event listener callbacks. A 164test will be able to "listen" for a specific event occurring and be informed about 165it when it does. Examples of events might include: 166 167- An EncryptedExtensions handshake message being sent 168- An ACK frame being sent 169- A Datagram being sent 170 171Each listener will be provided with additional data about the specific event. 172For example a listener that is listening for an EncryptedExtensions message will 173be provided with the parsed contents of that message in an easy to use 174structure. Additional helper functions will be provided to make changes to the 175message (such as to resize it). 176 177Initially listeners will only be able to listen for events on the server side. 178This is because, in MVP, it will be the client side that is under test - so the 179faults need to be injected into protocol elements sent from the server. Post 180MVP this will be extended in order to be able to test the server. It may be that 181we need to do this during MVP in order to be able to observe protocol elements 182sent from the client without modifying them (i.e. in order to confirm that the 183client is behaving as we expect). This will be added if required as we develop 184the tests. 185 186It is expected that the Fault Injector API will expand over time as new 187listeners and helper functions are added to support specific test scenarios. The 188initial API will provide a basic set of listeners and helper functions in order 189to provide the basis for future work. 190 191The following outlines an illustrative set of functions that will initially be 192provided. A number of `TODO(QUIC TESTING)` comments are inserted to explain how 193we might expand the API over time: 194 195```` C 196/* Type to represent the Fault Injector */ 197typedef struct ossl_quic_fault OSSL_QUIC_FAULT; 198 199/* 200 * Structure representing a parsed EncryptedExtension message. Listeners can 201 * make changes to the contents of structure objects as required and the fault 202 * injector will reconstruct the message to be sent on 203 */ 204typedef struct ossl_qf_encrypted_extensions { 205 /* EncryptedExtension messages just have an extensions block */ 206 unsigned char *extensions; 207 size_t extensionslen; 208} OSSL_QF_ENCRYPTED_EXTENSIONS; 209 210/* 211 * Given an SSL_CTX for the client and filenames for the server certificate and 212 * keyfile, create a server and client instances as well as a fault injector 213 * instance. |block| indicates whether we are using blocking mode or not. 214 */ 215int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, 216 SSL_CTX *serverctx, char *certfile, char *keyfile, 217 int block, QUIC_TSERVER **qtserv, SSL **cssl, 218 OSSL_QUIC_FAULT **fault, BIO **tracebio); 219 220/* 221 * Free up a Fault Injector instance 222 */ 223void ossl_quic_fault_free(OSSL_QUIC_FAULT *fault); 224 225/* 226 * Run the TLS handshake to create a QUIC connection between the client and 227 * server. 228 */ 229int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl); 230 231/* 232 * Same as qtest_create_quic_connection but will stop (successfully) if the 233 * clientssl indicates SSL_ERROR_WANT_XXX as specified by |wanterr| 234 */ 235int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, 236 int wanterr); 237 238/* 239 * Confirm that the server has received the given transport error code. 240 */ 241int qtest_check_server_transport_err(QUIC_TSERVER *qtserv, uint64_t code); 242 243/* 244 * Confirm the server has received a protocol error. Equivalent to calling 245 * qtest_check_server_transport_err with a code of QUIC_ERR_PROTOCOL_VIOLATION 246 */ 247int qtest_check_server_protocol_err(QUIC_TSERVER *qtserv); 248 249/* 250 * Enable tests to listen for pre-encryption QUIC packets being sent 251 */ 252typedef int (*ossl_quic_fault_on_packet_plain_cb)(OSSL_QUIC_FAULT *fault, 253 QUIC_PKT_HDR *hdr, 254 unsigned char *buf, 255 size_t len, 256 void *cbarg); 257 258int ossl_quic_fault_set_packet_plain_listener(OSSL_QUIC_FAULT *fault, 259 ossl_quic_fault_on_packet_plain_cb pplaincb, 260 void *pplaincbarg); 261 262 263/* 264 * Helper function to be called from a packet_plain_listener callback if it 265 * wants to resize the packet (either to add new data to it, or to truncate it). 266 * The buf provided to packet_plain_listener is over allocated, so this just 267 * changes the logical size and never changes the actual address of the buf. 268 * This will fail if a large resize is attempted that exceeds the over 269 * allocation. 270 */ 271int ossl_quic_fault_resize_plain_packet(OSSL_QUIC_FAULT *fault, size_t newlen); 272 273/* 274 * Prepend frame data into a packet. To be called from a packet_plain_listener 275 * callback 276 */ 277int ossl_quic_fault_prepend_frame(OSSL_QUIC_FAULT *fault, unsigned char *frame, 278 size_t frame_len); 279 280/* 281 * The general handshake message listener is sent the entire handshake message 282 * data block, including the handshake header itself 283 */ 284typedef int (*ossl_quic_fault_on_handshake_cb)(OSSL_QUIC_FAULT *fault, 285 unsigned char *msg, 286 size_t msglen, 287 void *handshakecbarg); 288 289int ossl_quic_fault_set_handshake_listener(OSSL_QUIC_FAULT *fault, 290 ossl_quic_fault_on_handshake_cb handshakecb, 291 void *handshakecbarg); 292 293/* 294 * Helper function to be called from a handshake_listener callback if it wants 295 * to resize the handshake message (either to add new data to it, or to truncate 296 * it). newlen must include the length of the handshake message header. The 297 * handshake message buffer is over allocated, so this just changes the logical 298 * size and never changes the actual address of the buf. 299 * This will fail if a large resize is attempted that exceeds the over 300 * allocation. 301 */ 302int ossl_quic_fault_resize_handshake(OSSL_QUIC_FAULT *fault, size_t newlen); 303 304/* 305 * TODO(QUIC TESTING): Add listeners for specific types of frame here. E.g. 306 * we might expect to see an "ACK" frame listener which will be passed 307 * pre-parsed ack data that can be modified as required. 308 */ 309 310/* 311 * Handshake message specific listeners. Unlike the general handshake message 312 * listener these messages are pre-parsed and supplied with message specific 313 * data and exclude the handshake header. 314 */ 315typedef int (*ossl_quic_fault_on_enc_ext_cb)(OSSL_QUIC_FAULT *fault, 316 OSSL_QF_ENCRYPTED_EXTENSIONS *ee, 317 size_t eelen, 318 void *encextcbarg); 319 320int ossl_quic_fault_set_hand_enc_ext_listener(OSSL_QUIC_FAULT *fault, 321 ossl_quic_fault_on_enc_ext_cb encextcb, 322 void *encextcbarg); 323 324/* TODO(QUIC TESTING): Add listeners for other types of handshake message here */ 325 326 327/* 328 * Helper function to be called from message specific listener callbacks. newlen 329 * is the new length of the specific message excluding the handshake message 330 * header. The buffers provided to the message specific listeners are over 331 * allocated, so this just changes the logical size and never changes the actual 332 * address of the buffer. This will fail if a large resize is attempted that 333 * exceeds the over allocation. 334 */ 335int ossl_quic_fault_resize_message(OSSL_QUIC_FAULT *fault, size_t newlen); 336 337/* 338 * Helper function to delete an extension from an extension block. |exttype| is 339 * the type of the extension to be deleted. |ext| points to the extension block. 340 * On entry |*extlen| contains the length of the extension block. It is updated 341 * with the new length on exit. 342 */ 343int ossl_quic_fault_delete_extension(OSSL_QUIC_FAULT *fault, 344 unsigned int exttype, unsigned char *ext, 345 size_t *extlen); 346 347/* 348 * TODO(QUIC TESTING): Add additional helper functions for querying extensions 349 * here (e.g. finding or adding them). We could also provide a "listener" API 350 * for listening for specific extension types. 351 */ 352 353/* 354 * Enable tests to listen for post-encryption QUIC packets being sent 355 */ 356typedef int (*ossl_quic_fault_on_packet_cipher_cb)(OSSL_QUIC_FAULT *fault, 357 /* The parsed packet header */ 358 QUIC_PKT_HDR *hdr, 359 /* The packet payload data */ 360 unsigned char *buf, 361 /* Length of the payload */ 362 size_t len, 363 void *cbarg); 364 365int ossl_quic_fault_set_packet_cipher_listener(OSSL_QUIC_FAULT *fault, 366 ossl_quic_fault_on_packet_cipher_cb pciphercb, 367 void *picphercbarg); 368 369/* 370 * Enable tests to listen for datagrams being sent 371 */ 372typedef int (*ossl_quic_fault_on_datagram_cb)(OSSL_QUIC_FAULT *fault, 373 BIO_MSG *m, 374 size_t stride, 375 void *cbarg); 376 377int ossl_quic_fault_set_datagram_listener(OSSL_QUIC_FAULT *fault, 378 ossl_quic_fault_on_datagram_cb datagramcb, 379 void *datagramcbarg); 380 381/* 382 * To be called from a datagram_listener callback. The datagram buffer is over 383 * allocated, so this just changes the logical size and never changes the actual 384 * address of the buffer. This will fail if a large resize is attempted that 385 * exceeds the over allocation. 386 */ 387int ossl_quic_fault_resize_datagram(OSSL_QUIC_FAULT *fault, size_t newlen); 388 389```` 390 391Example Tests 392------------- 393 394This section provides some example tests to illustrate how the Fault Injector 395might be used to create tests. 396 397### Unknown Frame Test 398 399An example test showing a server sending a frame of an unknown type to the 400client: 401 402```` C 403/* 404 * Test that adding an unknown frame type is handled correctly 405 */ 406static int add_unknown_frame_cb(OSSL_QUIC_FAULT *fault, QUIC_PKT_HDR *hdr, 407 unsigned char *buf, size_t len, void *cbarg) 408{ 409 static size_t done = 0; 410 /* 411 * There are no "reserved" frame types which are definitately safe for us 412 * to use for testing purposes - but we just use the highest possible 413 * value (8 byte length integer) and with no payload bytes 414 */ 415 unsigned char unknown_frame[] = { 416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff 417 }; 418 419 /* We only ever add the unknown frame to one packet */ 420 if (done++) 421 return 1; 422 423 return ossl_quic_fault_prepend_frame(fault, unknown_frame, 424 sizeof(unknown_frame)); 425} 426 427static int test_unknown_frame(void) 428{ 429 int testresult = 0, ret; 430 SSL_CTX *cctx = SSL_CTX_new(OSSL_QUIC_client_method()); 431 QUIC_TSERVER *qtserv = NULL; 432 SSL *cssl = NULL; 433 char *msg = "Hello World!"; 434 size_t msglen = strlen(msg); 435 unsigned char buf[80]; 436 size_t byteswritten; 437 OSSL_QUIC_FAULT *fault = NULL; 438 439 if (!TEST_ptr(cctx)) 440 goto err; 441 442 if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, 443 &qtserv, &cssl, &fault, NULL))) 444 goto err; 445 446 if (!TEST_true(qtest_create_quic_connection(qtserv, cssl))) 447 goto err; 448 449 /* 450 * Write a message from the server to the client and add an unknown frame 451 * type 452 */ 453 if (!TEST_true(ossl_quic_fault_set_packet_plain_listener(fault, 454 add_unknown_frame_cb, 455 NULL))) 456 goto err; 457 458 if (!TEST_true(ossl_quic_tserver_write(qtserv, (unsigned char *)msg, msglen, 459 &byteswritten))) 460 goto err; 461 462 if (!TEST_size_t_eq(msglen, byteswritten)) 463 goto err; 464 465 ossl_quic_tserver_tick(qtserv); 466 if (!TEST_true(SSL_tick(cssl))) 467 goto err; 468 469 if (!TEST_int_le(ret = SSL_read(cssl, buf, sizeof(buf)), 0)) 470 goto err; 471 472 if (!TEST_int_eq(SSL_get_error(cssl, ret), SSL_ERROR_SSL)) 473 goto err; 474 475 if (!TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), 476 SSL_R_UNKNOWN_FRAME_TYPE_RECEIVED)) 477 goto err; 478 479 if (!TEST_true(qtest_check_server_protocol_err(qtserv))) 480 goto err; 481 482 testresult = 1; 483 err: 484 ossl_quic_fault_free(fault); 485 SSL_free(cssl); 486 ossl_quic_tserver_free(qtserv); 487 SSL_CTX_free(cctx); 488 return testresult; 489} 490```` 491 492### No Transport Parameters test 493 494An example test showing the case where a server does not supply any transport 495parameters in the TLS handshake: 496 497```` C 498/* 499 * Test that a server that fails to provide transport params cannot be 500 * connected to. 501 */ 502static int drop_transport_params_cb(OSSL_QUIC_FAULT *fault, 503 OSSL_QF_ENCRYPTED_EXTENSIONS *ee, 504 size_t eelen, void *encextcbarg) 505{ 506 if (!ossl_quic_fault_delete_extension(fault, 507 TLSEXT_TYPE_quic_transport_parameters, 508 ee->extensions, &ee->extensionslen)) 509 return 0; 510 511 return 1; 512} 513 514static int test_no_transport_params(void) 515{ 516 int testresult = 0; 517 SSL_CTX *cctx = SSL_CTX_new(OSSL_QUIC_client_method()); 518 QUIC_TSERVER *qtserv = NULL; 519 SSL *cssl = NULL; 520 OSSL_QUIC_FAULT *fault = NULL; 521 522 if (!TEST_ptr(cctx)) 523 goto err; 524 525 if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, 526 &qtserv, &cssl, &fault, NULL))) 527 goto err; 528 529 if (!TEST_true(ossl_quic_fault_set_hand_enc_ext_listener(fault, 530 drop_transport_params_cb, 531 NULL))) 532 goto err; 533 534 /* 535 * We expect the connection to fail because the server failed to provide 536 * transport parameters 537 */ 538 if (!TEST_false(qtest_create_quic_connection(qtserv, cssl))) 539 goto err; 540 541 if (!TEST_true(qtest_check_server_protocol_err(qtserv))) 542 goto err; 543 544 testresult = 1; 545 err: 546 ossl_quic_fault_free(fault); 547 SSL_free(cssl); 548 ossl_quic_tserver_free(qtserv); 549 SSL_CTX_free(cctx); 550 return testresult; 551 552} 553```` 554
