1 /*
2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "ssl_local.h"
11 #include "internal/cryptlib.h"
12 #include "internal/refcount.h"
13
SSL_set_quic_transport_params(SSL * ssl,const uint8_t * params,size_t params_len)14 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
15 size_t params_len)
16 {
17 uint8_t *tmp;
18
19 if (params == NULL || params_len == 0) {
20 tmp = NULL;
21 params_len = 0;
22 } else {
23 tmp = OPENSSL_memdup(params, params_len);
24 if (tmp == NULL)
25 return 0;
26 }
27
28 OPENSSL_free(ssl->ext.quic_transport_params);
29 ssl->ext.quic_transport_params = tmp;
30 ssl->ext.quic_transport_params_len = params_len;
31 return 1;
32 }
33
SSL_get_peer_quic_transport_params(const SSL * ssl,const uint8_t ** out_params,size_t * out_params_len)34 void SSL_get_peer_quic_transport_params(const SSL *ssl,
35 const uint8_t **out_params,
36 size_t *out_params_len)
37 {
38 if (ssl->ext.peer_quic_transport_params_len) {
39 *out_params = ssl->ext.peer_quic_transport_params;
40 *out_params_len = ssl->ext.peer_quic_transport_params_len;
41 } else {
42 *out_params = ssl->ext.peer_quic_transport_params_draft;
43 *out_params_len = ssl->ext.peer_quic_transport_params_draft_len;
44 }
45 }
46
47 /* Returns the negotiated version, or -1 on error */
SSL_get_peer_quic_transport_version(const SSL * ssl)48 int SSL_get_peer_quic_transport_version(const SSL *ssl)
49 {
50 if (ssl->ext.peer_quic_transport_params_len != 0
51 && ssl->ext.peer_quic_transport_params_draft_len != 0)
52 return -1;
53 if (ssl->ext.peer_quic_transport_params_len != 0)
54 return TLSEXT_TYPE_quic_transport_parameters;
55 if (ssl->ext.peer_quic_transport_params_draft_len != 0)
56 return TLSEXT_TYPE_quic_transport_parameters_draft;
57
58 return -1;
59 }
60
SSL_set_quic_use_legacy_codepoint(SSL * ssl,int use_legacy)61 void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy)
62 {
63 if (use_legacy)
64 ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters_draft;
65 else
66 ssl->quic_transport_version = TLSEXT_TYPE_quic_transport_parameters;
67 }
68
SSL_set_quic_transport_version(SSL * ssl,int version)69 void SSL_set_quic_transport_version(SSL *ssl, int version)
70 {
71 ssl->quic_transport_version = version;
72 }
73
SSL_get_quic_transport_version(const SSL * ssl)74 int SSL_get_quic_transport_version(const SSL *ssl)
75 {
76 return ssl->quic_transport_version;
77 }
78
SSL_quic_max_handshake_flight_len(const SSL * ssl,OSSL_ENCRYPTION_LEVEL level)79 size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
80 {
81 /*
82 * Limits flights to 16K by default when there are no large
83 * (certificate-carrying) messages.
84 */
85 static const size_t DEFAULT_FLIGHT_LIMIT = 16384;
86
87 switch (level) {
88 case ssl_encryption_initial:
89 return DEFAULT_FLIGHT_LIMIT;
90 case ssl_encryption_early_data:
91 /* QUIC does not send EndOfEarlyData. */
92 return 0;
93 case ssl_encryption_handshake:
94 if (ssl->server) {
95 /*
96 * Servers may receive Certificate message if configured to request
97 * client certificates.
98 */
99 if ((ssl->verify_mode & SSL_VERIFY_PEER)
100 && ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT)
101 return ssl->max_cert_list;
102 } else {
103 /*
104 * Clients may receive both Certificate message and a CertificateRequest
105 * message.
106 */
107 if (2*ssl->max_cert_list > DEFAULT_FLIGHT_LIMIT)
108 return 2 * ssl->max_cert_list;
109 }
110 return DEFAULT_FLIGHT_LIMIT;
111 case ssl_encryption_application:
112 return DEFAULT_FLIGHT_LIMIT;
113 }
114
115 return 0;
116 }
117
SSL_quic_read_level(const SSL * ssl)118 OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl)
119 {
120 return ssl->quic_read_level;
121 }
122
SSL_quic_write_level(const SSL * ssl)123 OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl)
124 {
125 return ssl->quic_write_level;
126 }
127
SSL_provide_quic_data(SSL * ssl,OSSL_ENCRYPTION_LEVEL level,const uint8_t * data,size_t len)128 int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
129 const uint8_t *data, size_t len)
130 {
131 size_t l, offset;
132
133 if (!SSL_IS_QUIC(ssl)) {
134 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
135 return 0;
136 }
137
138 /* Level can be different than the current read, but not less */
139 if (level < ssl->quic_read_level
140 || (ssl->quic_input_data_tail != NULL && level < ssl->quic_input_data_tail->level)
141 || level < ssl->quic_latest_level_received) {
142 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
143 return 0;
144 }
145
146 if (len == 0)
147 return 1;
148
149 if (ssl->quic_buf == NULL) {
150 BUF_MEM *buf;
151 if ((buf = BUF_MEM_new()) == NULL) {
152 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
153 return 0;
154 }
155 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
156 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
157 BUF_MEM_free(buf);
158 return 0;
159 }
160 ssl->quic_buf = buf;
161 /* We preallocated storage, but there's still no *data*. */
162 ssl->quic_buf->length = 0;
163 buf = NULL;
164 }
165
166 /* A TLS message must not cross an encryption level boundary */
167 if (ssl->quic_buf->length != ssl->quic_next_record_start
168 && level != ssl->quic_latest_level_received) {
169 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
170 return 0;
171 }
172 ssl->quic_latest_level_received = level;
173
174 offset = ssl->quic_buf->length;
175 if (!BUF_MEM_grow(ssl->quic_buf, offset + len)) {
176 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
177 return 0;
178 }
179 memcpy(ssl->quic_buf->data + offset, data, len);
180
181 /* Split on handshake message boundaries */
182 while (ssl->quic_buf->length > ssl->quic_next_record_start
183 + SSL3_HM_HEADER_LENGTH) {
184 QUIC_DATA *qd;
185 const uint8_t *p;
186
187 /* TLS Handshake message header has 1-byte type and 3-byte length */
188 p = (const uint8_t *)ssl->quic_buf->data
189 + ssl->quic_next_record_start + 1;
190 n2l3(p, l);
191 l += SSL3_HM_HEADER_LENGTH;
192 /* Don't allocate a QUIC_DATA if we don't have a full record */
193 if (l > ssl->quic_buf->length - ssl->quic_next_record_start)
194 break;
195
196 qd = OPENSSL_zalloc(sizeof(*qd));
197 if (qd == NULL) {
198 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
199 return 0;
200 }
201
202 qd->next = NULL;
203 qd->length = l;
204 qd->start = ssl->quic_next_record_start;
205 qd->level = level;
206
207 if (ssl->quic_input_data_tail != NULL)
208 ssl->quic_input_data_tail->next = qd;
209 else
210 ssl->quic_input_data_head = qd;
211 ssl->quic_input_data_tail = qd;
212 ssl->quic_next_record_start += l;
213 }
214
215 return 1;
216 }
217
SSL_CTX_set_quic_method(SSL_CTX * ctx,const SSL_QUIC_METHOD * quic_method)218 int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
219 {
220 if (ctx->method->version != TLS_ANY_VERSION)
221 return 0;
222 ctx->quic_method = quic_method;
223 ctx->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
224 return 1;
225 }
226
SSL_set_quic_method(SSL * ssl,const SSL_QUIC_METHOD * quic_method)227 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
228 {
229 if (ssl->method->version != TLS_ANY_VERSION)
230 return 0;
231 ssl->quic_method = quic_method;
232 ssl->options &= ~SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
233 return 1;
234 }
235
quic_set_encryption_secrets(SSL * ssl,OSSL_ENCRYPTION_LEVEL level)236 int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level)
237 {
238 uint8_t *c2s_secret = NULL;
239 uint8_t *s2c_secret = NULL;
240 size_t len;
241 const EVP_MD *md;
242
243 if (!SSL_IS_QUIC(ssl))
244 return 1;
245
246 /* secrets from the POV of the client */
247 switch (level) {
248 case ssl_encryption_early_data:
249 c2s_secret = ssl->client_early_traffic_secret;
250 break;
251 case ssl_encryption_handshake:
252 c2s_secret = ssl->client_hand_traffic_secret;
253 s2c_secret = ssl->server_hand_traffic_secret;
254 break;
255 case ssl_encryption_application:
256 c2s_secret = ssl->client_app_traffic_secret;
257 s2c_secret = ssl->server_app_traffic_secret;
258 break;
259 default:
260 return 1;
261 }
262
263 if (level == ssl_encryption_early_data) {
264 const SSL_CIPHER *c = SSL_SESSION_get0_cipher(ssl->session);
265 if (ssl->early_data_state == SSL_EARLY_DATA_CONNECTING
266 && ssl->max_early_data > 0
267 && ssl->session->ext.max_early_data == 0) {
268 if (!ossl_assert(ssl->psksession != NULL
269 && ssl->max_early_data ==
270 ssl->psksession->ext.max_early_data)) {
271 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
272 return 0;
273 }
274 c = SSL_SESSION_get0_cipher(ssl->psksession);
275 }
276
277 if (c == NULL) {
278 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
279 return 0;
280 }
281
282 md = ssl_md(ssl->ctx, c->algorithm2);
283 } else {
284 md = ssl_handshake_md(ssl);
285 if (md == NULL) {
286 /* May not have selected cipher, yet */
287 const SSL_CIPHER *c = NULL;
288
289 /*
290 * It probably doesn't make sense to use an (external) PSK session,
291 * but in theory some kinds of external session caches could be
292 * implemented using it, so allow psksession to be used as well as
293 * the regular session.
294 */
295 if (ssl->session != NULL)
296 c = SSL_SESSION_get0_cipher(ssl->session);
297 else if (ssl->psksession != NULL)
298 c = SSL_SESSION_get0_cipher(ssl->psksession);
299
300 if (c != NULL)
301 md = SSL_CIPHER_get_handshake_digest(c);
302 }
303 }
304
305 if ((len = EVP_MD_size(md)) <= 0) {
306 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
307 return 0;
308 }
309
310 if (ssl->server) {
311 if (!ssl->quic_method->set_encryption_secrets(ssl, level, c2s_secret,
312 s2c_secret, len)) {
313 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
314 return 0;
315 }
316 } else {
317 if (!ssl->quic_method->set_encryption_secrets(ssl, level, s2c_secret,
318 c2s_secret, len)) {
319 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
320 return 0;
321 }
322 }
323
324 return 1;
325 }
326
SSL_process_quic_post_handshake(SSL * ssl)327 int SSL_process_quic_post_handshake(SSL *ssl)
328 {
329 int ret;
330
331 if (SSL_in_init(ssl) || !SSL_IS_QUIC(ssl)) {
332 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
333 return 0;
334 }
335
336 /* if there is no data, return success as BoringSSL */
337 while (ssl->quic_input_data_head != NULL) {
338 /*
339 * This is always safe (we are sure to be at a record boundary) because
340 * SSL_read()/SSL_write() are never used for QUIC connections -- the
341 * application data is handled at the QUIC layer instead.
342 */
343 ossl_statem_set_in_init(ssl, 1);
344 ret = ssl->handshake_func(ssl);
345 ossl_statem_set_in_init(ssl, 0);
346
347 if (ret <= 0)
348 return 0;
349 }
350 return 1;
351 }
352
SSL_is_quic(SSL * ssl)353 int SSL_is_quic(SSL* ssl)
354 {
355 return SSL_IS_QUIC(ssl);
356 }
357
SSL_set_quic_early_data_enabled(SSL * ssl,int enabled)358 void SSL_set_quic_early_data_enabled(SSL *ssl, int enabled)
359 {
360 if (!SSL_is_quic(ssl) || !SSL_in_before(ssl))
361 return;
362
363 if (!enabled) {
364 ssl->early_data_state = SSL_EARLY_DATA_NONE;
365 return;
366 }
367
368 if (ssl->server) {
369 ssl->early_data_state = SSL_EARLY_DATA_ACCEPTING;
370 return;
371 }
372
373 if ((ssl->session == NULL || ssl->session->ext.max_early_data == 0)
374 && ssl->psk_use_session_cb == NULL)
375 return;
376
377 ssl->early_data_state = SSL_EARLY_DATA_CONNECTING;
378 }
379