diff options
| author | Hugo Landau <hlandau@openssl.org> | 2022-08-11 11:24:57 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2022-09-02 10:03:55 +0200 |
| commit | 1957148384c72ea7bc33a5c415d8f84526ed6480 (patch) | |
| tree | 358496fa2a0ea26cd439b59d53af939a656a298b /ssl | |
| parent | ec279ac21105a85d9f11eed984eb64405811425d (diff) | |
| download | openssl-1957148384c72ea7bc33a5c415d8f84526ed6480.tar.gz | |
QUIC Record Layer (Refactor and TX Side)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18949)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/quic/build.info | 2 | ||||
| -rw-r--r-- | ssl/quic/quic_record_rx.c (renamed from ssl/quic/quic_record.c) | 643 | ||||
| -rw-r--r-- | ssl/quic/quic_record_shared.c | 209 | ||||
| -rw-r--r-- | ssl/quic/quic_record_shared.h | 86 | ||||
| -rw-r--r-- | ssl/quic/quic_record_tx.c | 906 | ||||
| -rw-r--r-- | ssl/quic/quic_record_util.c | 142 | ||||
| -rw-r--r-- | ssl/quic/quic_wire_pkt.c | 70 |
7 files changed, 1588 insertions, 470 deletions
diff --git a/ssl/quic/build.info b/ssl/quic/build.info index 482338be95..82e4da71e4 100644 --- a/ssl/quic/build.info +++ b/ssl/quic/build.info @@ -1,3 +1,3 @@ $LIBSSL=../../libssl -SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record.c quic_record_util.c quic_wire_pkt.c +SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record_rx.c quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c diff --git a/ssl/quic/quic_record.c b/ssl/quic/quic_record_rx.c index 95044d2836..e1093f791b 100644 --- a/ssl/quic/quic_record.c +++ b/ssl/quic/quic_record_rx.c @@ -7,7 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "internal/quic_record.h" +#include "internal/quic_record_rx.h" +#include "quic_record_shared.h" #include "internal/common.h" #include "../ssl_local.h" @@ -53,9 +54,14 @@ struct rxe_st { /* Total length of the datagram which contained this packet. */ size_t datagram_len; + + /* + * alloc_len allocated bytes (of which data_len bytes are valid) follow this + * structure. + */ }; -typedef struct ossl_qrl_rxe_list_st { +typedef struct ossl_qrx_rxe_list_st { RXE *head, *tail; } RXE_LIST; @@ -97,34 +103,12 @@ static void rxe_insert_tail(RXE_LIST *l, RXE *e) * QRL * === */ - -/* (Encryption level, direction)-specific state. */ -typedef struct ossl_qrl_enc_level_st { - /* Hash function used for key derivation. */ - EVP_MD *md; - /* Context used for packet body ciphering. */ - EVP_CIPHER_CTX *cctx; - /* IV used to construct nonces used for AEAD packet body ciphering. */ - unsigned char iv[EVP_MAX_IV_LENGTH]; - /* Have we permanently discarded this encryption level? */ - unsigned char discarded; - /* QRL_SUITE_* value. */ - uint32_t suite_id; - /* Length of authentication tag. */ - uint32_t tag_len; - /* - * Cryptographic context used to apply and remove header protection from - * packet headers. - */ - QUIC_HDR_PROTECTOR hpr; -} OSSL_QRL_ENC_LEVEL; - -struct ossl_qrl_st { +struct ossl_qrx_st { OSSL_LIB_CTX *libctx; const char *propq; /* Demux to receive datagrams from. */ - QUIC_DEMUX *rx_demux; + QUIC_DEMUX *demux; /* Length of connection IDs used in short-header packets in bytes. */ size_t short_conn_id_len; @@ -155,252 +139,44 @@ struct ossl_qrl_st { RXE_LIST rx_pending; /* Largest PN we have received and processed in a given PN space. */ - QUIC_PN rx_largest_pn[QUIC_PN_SPACE_NUM]; + QUIC_PN largest_pn[QUIC_PN_SPACE_NUM]; /* Per encryption-level state. */ - OSSL_QRL_ENC_LEVEL rx_el[QUIC_ENC_LEVEL_NUM]; - OSSL_QRL_ENC_LEVEL tx_el[QUIC_ENC_LEVEL_NUM]; + OSSL_QRL_ENC_LEVEL_SET el_set; /* Bytes we have received since this counter was last cleared. */ uint64_t bytes_received; /* Validation callback. */ - ossl_qrl_early_rx_validation_cb *rx_validation_cb; - void *rx_validation_cb_arg; -}; - -static void qrl_on_rx(QUIC_URXE *urxe, void *arg); - -/* Constants used for key derivation in QUIC v1. */ -static const unsigned char quic_client_in_label[] = { - 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */ -}; -static const unsigned char quic_server_in_label[] = { - 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */ -}; -static const unsigned char quic_v1_iv_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */ + ossl_qrx_early_validation_cb *validation_cb; + void *validation_cb_arg; }; -static const unsigned char quic_v1_key_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */ -}; -static const unsigned char quic_v1_hp_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */ -}; -/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */ -static const unsigned char quic_v1_initial_salt[] = { - 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, - 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a -}; - -static ossl_inline OSSL_QRL_ENC_LEVEL *qrl_get_el(OSSL_QRL *qrl, - uint32_t enc_level, - int is_tx) -{ - if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM)) - return NULL; - return is_tx ? &qrl->tx_el[enc_level] : &qrl->rx_el[enc_level]; -} - -/* - * Returns 1 if we have key material for a given encryption level, 0 if we do - * not yet have material and -1 if the EL is discarded. - */ -static int qrl_have_el(OSSL_QRL *qrl, uint32_t enc_level, int is_tx) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - - if (el->cctx != NULL) - return 1; - if (el->discarded) - return -1; - return 0; -} - -/* Drops keying material for a given encryption level. */ -static void qrl_el_discard(OSSL_QRL *qrl, uint32_t enc_level, - int is_tx, int final) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - - if (el->discarded) - return; - - if (el->cctx != NULL) { - ossl_quic_hdr_protector_destroy(&el->hpr); - - EVP_CIPHER_CTX_free(el->cctx); - el->cctx = NULL; - - EVP_MD_free(el->md); - el->md = NULL; - } - - /* Zeroise IV. */ - OPENSSL_cleanse(el->iv, sizeof(el->iv)); - - if (final) - el->discarded = 1; -} - -/* - * Sets up cryptographic state for a given encryption level and direction by - * deriving "quic iv", "quic key" and "quic hp" values from a given secret. - * - * md is a hash function used for key derivation. If it is NULL, this function - * fetches the necessary hash function itself. If it is non-NULL, this function - * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided - * must match the suite. - * - * On success where md is non-NULL, takes ownership of the caller's reference to - * md. - */ -static int qrl_el_set_secret(OSSL_QRL *qrl, uint32_t enc_level, - uint32_t suite_id, EVP_MD *md, - int is_tx, - const unsigned char *secret, - size_t secret_len) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH]; - size_t key_len = 0, hpr_key_len = 0, iv_len = 0; - const char *cipher_name = NULL, *md_name = NULL; - EVP_CIPHER *cipher = NULL; - EVP_CIPHER_CTX *cctx = NULL; - int own_md = 0, have_hpr = 0; - - if (el->discarded) - /* Should not be trying to reinitialise an EL which was discarded. */ - return 0; - - cipher_name = ossl_qrl_get_suite_cipher_name(suite_id); - iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id); - key_len = ossl_qrl_get_suite_cipher_key_len(suite_id); - hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id); - if (cipher_name == NULL) - return 0; - - if (secret_len != ossl_qrl_get_suite_secret_len(suite_id)) - return 0; - - if (md == NULL) { - md_name = ossl_qrl_get_suite_md_name(suite_id); - - if ((md = EVP_MD_fetch(qrl->libctx, - md_name, qrl->propq)) == NULL) - return 0; - - own_md = 1; - } - /* Derive "quic iv" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_iv_label, - sizeof(quic_v1_iv_label), - NULL, 0, - el->iv, iv_len, 0)) - goto err; - - /* Derive "quic key" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_key_label, - sizeof(quic_v1_key_label), - NULL, 0, - key, key_len, 0)) - goto err; - - /* Derive "quic hp" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_hp_label, - sizeof(quic_v1_hp_label), - NULL, 0, - hpr_key, hpr_key_len, 0)) - goto err; - - /* Free any old context which is using old keying material. */ - if (el->cctx != NULL) { - ossl_quic_hdr_protector_destroy(&el->hpr); - EVP_CIPHER_CTX_free(el->cctx); - el->cctx = NULL; - } - - /* Setup header protection context. */ - if (!ossl_quic_hdr_protector_init(&el->hpr, - qrl->libctx, - qrl->propq, - ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id), - hpr_key, - hpr_key_len)) - goto err; - - have_hpr = 1; - - /* Create and initialise cipher context. */ - if ((cipher = EVP_CIPHER_fetch(qrl->libctx, cipher_name, - qrl->propq)) == NULL) - goto err; - - if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher)) - || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) - goto err; - - if ((cctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - - /* IV will be changed on RX so we don't need to use a real value here. */ - if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0)) - goto err; - - el->suite_id = suite_id; - el->cctx = cctx; - el->md = md; - el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id); - - /* Zeroize intermediate keys. */ - OPENSSL_cleanse(key, sizeof(key)); - OPENSSL_cleanse(hpr_key, sizeof(hpr_key)); - EVP_CIPHER_free(cipher); - return 1; +static void qrx_on_rx(QUIC_URXE *urxe, void *arg); -err: - if (have_hpr) - ossl_quic_hdr_protector_destroy(&el->hpr); - EVP_CIPHER_CTX_free(cctx); - EVP_CIPHER_free(cipher); - if (own_md) - EVP_MD_free(md); - return 0; -} - -OSSL_QRL *ossl_qrl_new(const OSSL_QRL_ARGS *args) +OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args) { - OSSL_QRL *qrl; + OSSL_QRX *qrx; size_t i; - if (args->rx_demux == NULL) + if (args->demux == NULL) return 0; - qrl = OPENSSL_zalloc(sizeof(OSSL_QRL)); - if (qrl == NULL) + qrx = OPENSSL_zalloc(sizeof(OSSL_QRX)); + if (qrx == NULL) return 0; - for (i = 0; i < OSSL_NELEM(qrl->rx_largest_pn); ++i) - qrl->rx_largest_pn[i] = args->rx_init_largest_pn[i]; + for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i) + qrx->largest_pn[i] = args->init_largest_pn[i]; - qrl->libctx = args->libctx; - qrl->propq = args->propq; - qrl->rx_demux = args->rx_demux; - qrl->short_conn_id_len = args->short_conn_id_len; - return qrl; + qrx->libctx = args->libctx; + qrx->propq = args->propq; + qrx->demux = args->demux; + qrx->short_conn_id_len = args->short_conn_id_len; + return qrx; } -static void qrl_cleanup_rxl(RXE_LIST *l) +static void qrx_cleanup_rxl(RXE_LIST *l) { RXE *e, *enext; for (e = l->head; e != NULL; e = enext) { @@ -410,82 +186,86 @@ static void qrl_cleanup_rxl(RXE_LIST *l) l->head = l->tail = NULL; } -static void qrl_cleanup_urxl(OSSL_QRL *qrl, QUIC_URXE_LIST *l) +static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l) { QUIC_URXE *e, *enext; for (e = l->head; e != NULL; e = enext) { enext = e->next; - ossl_quic_demux_release_urxe(qrl->rx_demux, e); + ossl_quic_demux_release_urxe(qrx->demux, e); } l->head = l->tail = NULL; } -void ossl_qrl_free(OSSL_QRL *qrl) +void ossl_qrx_free(OSSL_QRX *qrx) { uint32_t i; /* Unregister from the RX DEMUX. */ - ossl_quic_demux_unregister_by_cb(qrl->rx_demux, qrl_on_rx, qrl); + ossl_quic_demux_unregister_by_cb(qrx->demux, qrx_on_rx, qrx); /* Free RXE queue data. */ - qrl_cleanup_rxl(&qrl->rx_free); - qrl_cleanup_rxl(&qrl->rx_pending); - qrl_cleanup_urxl(qrl, &qrl->urx_pending); - qrl_cleanup_urxl(qrl, &qrl->urx_deferred); + qrx_cleanup_rxl(&qrx->rx_free); + qrx_cleanup_rxl(&qrx->rx_pending); + qrx_cleanup_urxl(qrx, &qrx->urx_pending); + qrx_cleanup_urxl(qrx, &qrx->urx_deferred); /* Drop keying material and crypto resources. */ - for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) { - qrl_el_discard(qrl, i, 0, 1); - qrl_el_discard(qrl, i, 1, 1); - } + for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) + ossl_qrl_enc_level_set_discard(&qrx->el_set, i, 1); - OPENSSL_free(qrl); + OPENSSL_free(qrx); } -static void qrl_on_rx(QUIC_URXE *urxe, void *arg) +static void qrx_on_rx(QUIC_URXE *urxe, void *arg) { - OSSL_QRL *qrl = arg; + OSSL_QRX *qrx = arg; /* Initialize our own fields inside the URXE and add to the pending list. */ urxe->processed = 0; urxe->hpr_removed = 0; - ossl_quic_urxe_insert_tail(&qrl->urx_pending, urxe); + ossl_quic_urxe_insert_tail(&qrx->urx_pending, urxe); } -int ossl_qrl_add_dst_conn_id(OSSL_QRL *qrl, +int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx, const QUIC_CONN_ID *dst_conn_id) { - return ossl_quic_demux_register(qrl->rx_demux, + return ossl_quic_demux_register(qrx->demux, dst_conn_id, - qrl_on_rx, - qrl); + qrx_on_rx, + qrx); } -int ossl_qrl_remove_dst_conn_id(OSSL_QRL *qrl, +int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx, const QUIC_CONN_ID *dst_conn_id) { - return ossl_quic_demux_unregister(qrl->rx_demux, dst_conn_id); + return ossl_quic_demux_unregister(qrx->demux, dst_conn_id); } -static void qrl_requeue_deferred(OSSL_QRL *qrl) +static void qrx_requeue_deferred(OSSL_QRX *qrx) { QUIC_URXE *e; - while ((e = qrl->urx_deferred.head) != NULL) { - ossl_quic_urxe_remove(&qrl->urx_deferred, e); - ossl_quic_urxe_insert_head(&qrl->urx_pending, e); + while ((e = qrx->urx_deferred.head) != NULL) { + ossl_quic_urxe_remove(&qrx->urx_deferred, e); + ossl_quic_urxe_insert_head(&qrx->urx_pending, e); } } -int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, uint32_t enc_level, - uint32_t suite_id, - const unsigned char *secret, size_t secret_len) +int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level, + uint32_t suite_id, EVP_MD *md, + const unsigned char *secret, size_t secret_len) { - if (enc_level == QUIC_ENC_LEVEL_INITIAL || enc_level >= QUIC_ENC_LEVEL_NUM) + if (enc_level >= QUIC_ENC_LEVEL_NUM) return 0; - if (!qrl_el_set_secret(qrl, enc_level, suite_id, NULL, - /*is_tx=*/0, secret, secret_len)) + if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set, + qrx->libctx, + qrx->propq, + enc_level, + suite_id, + md, + secret, + secret_len)) return 0; /* @@ -493,137 +273,45 @@ int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, uint32_t enc_level, * decrypt, so move any datagrams containing deferred packets from the * deferred to the pending queue. */ - qrl_requeue_deferred(qrl); + qrx_requeue_deferred(qrx); return 1; } -/* Initialise key material for the INITIAL encryption level. */ -int ossl_qrl_provide_rx_secret_initial(OSSL_QRL *qrl, - const QUIC_CONN_ID *dst_conn_id) -{ - unsigned char initial_secret[32]; - unsigned char client_initial_secret[32], server_initial_secret[32]; - EVP_MD *sha256; - int have_rx = 0; - - /* Initial encryption always uses SHA-256. */ - if ((sha256 = EVP_MD_fetch(qrl->libctx, - "SHA256", qrl->propq)) == NULL) - return 0; - - /* Derive initial secret from destination connection ID. */ - if (!ossl_quic_hkdf_extract(qrl->libctx, qrl->propq, - sha256, - quic_v1_initial_salt, - sizeof(quic_v1_initial_salt), - dst_conn_id->id, - dst_conn_id->id_len, - initial_secret, - sizeof(initial_secret))) - goto err; - - /* Derive "client in" secret. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - sha256, - initial_secret, - quic_client_in_label, - sizeof(quic_client_in_label), - NULL, 0, - client_initial_secret, - sizeof(client_initial_secret), 0)) - goto err; - - /* Derive "server in" secret. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - sha256, - initial_secret, - quic_server_in_label, - sizeof(quic_server_in_label), - NULL, 0, - server_initial_secret, - sizeof(server_initial_secret), 0)) - goto err; - - /* Setup RX cipher. Initial encryption always uses AES-128-GCM. */ - if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL, - QRL_SUITE_AES128GCM, - sha256, - /*is_tx=*/0, - server_initial_secret, - sizeof(server_initial_secret))) - goto err; - - have_rx = 1; - - /* - * qrl_el_set_secret takes ownership of our ref to SHA256, so get a new ref - * for the following call for the TX side. - */ - if (!EVP_MD_up_ref(sha256)) { - sha256 = NULL; - goto err; - } - - /* Setup TX cipher. */ - if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL, - QRL_SUITE_AES128GCM, - sha256, - /*is_tx=*/1, - client_initial_secret, - sizeof(client_initial_secret))) - goto err; - - /* - * Any packets we previously could not decrypt, we may now be able to - * decrypt, so move any datagrams containing deferred packets from the - * deferred to the pending queue. - */ - qrl_requeue_deferred(qrl); - return 1; - -err: - if (have_rx) - qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, /*is_tx=*/0, 0); - - EVP_MD_free(sha256); - return 0; -} - -int ossl_qrl_discard_enc_level(OSSL_QRL *qrl, uint32_t enc_level) +int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level) { if (enc_level >= QUIC_ENC_LEVEL_NUM) return 0; - qrl_el_discard(qrl, enc_level, 0, 1); + ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level, 1); return 1; } /* Returns 1 if there are one or more pending RXEs. */ -int ossl_qrl_processed_read_pending(OSSL_QRL *qrl) +int ossl_qrx_processed_read_pending(OSSL_QRX *qrx) { - return qrl->rx_pending.head != NULL; + return qrx->rx_pending.head != NULL; } /* Returns 1 if there are yet-unprocessed packets. */ -int ossl_qrl_unprocessed_read_pending(OSSL_QRL *qrl) +int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx) { - return qrl->urx_pending.head != NULL || qrl->urx_deferred.head != NULL; + return qrx->urx_pending.head != NULL || qrx->urx_deferred.head != NULL; } /* Pop the next pending RXE. Returns NULL if no RXE is pending. */ -static RXE *qrl_pop_pending_rxe(OSSL_QRL *qrl) +static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx) { - RXE *rxe = qrl->rx_pending.head; + RXE *rxe = qrx->rx_pending.head; if (rxe == NULL) return NULL; - rxe_remove(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_pending, rxe); return rxe; } /* Allocate a new RXE. */ -static RXE *qrl_alloc_rxe(size_t alloc_len) +static RXE *qrx_alloc_rxe(size_t alloc_len) { RXE *rxe; @@ -647,18 +335,18 @@ static RXE *qrl_alloc_rxe(size_t alloc_len) * alloc_len is a hint which may be used to determine the RXE size if allocation * is necessary. Returns NULL on allocation failure. */ -static RXE *qrl_ensure_free_rxe(OSSL_QRL *qrl, size_t alloc_len) +static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len) { RXE *rxe; - if (qrl->rx_free.head != NULL) - return qrl->rx_free.head; + if (qrx->rx_free.head != NULL) + return qrx->rx_free.head; - rxe = qrl_alloc_rxe(alloc_len); + rxe = qrx_alloc_rxe(alloc_len); if (rxe == NULL) return NULL; - rxe_insert_tail(&qrl->rx_free, rxe); + rxe_insert_tail(&qrx->rx_free, rxe); return rxe; } @@ -667,7 +355,7 @@ static RXE *qrl_ensure_free_rxe(OSSL_QRL *qrl, size_t alloc_len) * of the RXE might change; the new address is returned, or NULL on failure, in * which case the original RXE remains valid. */ -static RXE *qrl_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) +static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) { RXE *rxe2; @@ -706,21 +394,21 @@ static RXE *qrl_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) * Ensure the data buffer attached to an RXE is at least n bytes in size. * Returns NULL on failure. */ -static RXE *qrl_reserve_rxe(RXE_LIST *rxl, +static RXE *qrx_reserve_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) { if (rxe->alloc_len >= n) return rxe; - return qrl_resize_rxe(rxl, rxe, n); + return qrx_resize_rxe(rxl, rxe, n); } /* Return a RXE handed out to the user back to our freelist. */ -static void qrl_recycle_rxe(OSSL_QRL *qrl, RXE *rxe) +static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe) { /* RXE should not be in any list */ assert(rxe->prev == NULL && rxe->next == NULL); - rxe_insert_tail(&qrl->rx_free, rxe); + rxe_insert_tail(&qrx->rx_free, rxe); } /* @@ -730,7 +418,7 @@ static void qrl_recycle_rxe(OSSL_QRL *qrl, RXE *rxe) * buffer to, and on success is updated to be the offset pointing after the * copied buffer. *pptr is updated to point to the new location of the buffer. */ -static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, +static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi, const unsigned char **pptr, size_t buf_len) { RXE *rxe; @@ -739,7 +427,7 @@ static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, if (!buf_len) return 1; - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, *prxe, *pi + buf_len)) == NULL) + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL) return 0; *prxe = rxe; @@ -751,7 +439,7 @@ static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, return 1; } -static uint32_t qrl_determine_enc_level(const QUIC_PKT_HDR *hdr) +static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr) { switch (hdr->type) { case QUIC_PKT_TYPE_INITIAL: @@ -775,11 +463,11 @@ static uint32_t rxe_determine_pn_space(RXE *rxe) { uint32_t enc_level; - enc_level = qrl_determine_enc_level(&rxe->hdr); + enc_level = qrx_determine_enc_level(&rxe->hdr); return ossl_quic_enc_level_to_pn_space(enc_level); } -static int qrl_validate_hdr_early(OSSL_QRL *qrl, RXE *rxe, +static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe, RXE *first_rxe) { /* Ensure version is what we want. */ @@ -809,12 +497,12 @@ static int qrl_validate_hdr_early(OSSL_QRL *qrl, RXE *rxe, } /* Validate header and decode PN. */ -static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) +static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe) { int pn_space = rxe_determine_pn_space(rxe); if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len, - qrl->rx_largest_pn[pn_space], + qrx->largest_pn[pn_space], &rxe->pn)) return 0; @@ -822,8 +510,8 @@ static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) * Allow our user to decide whether to discard the packet before we try and * decrypt it. */ - if (qrl->rx_validation_cb != NULL - && !qrl->rx_validation_cb(rxe->pn, pn_space, qrl->rx_validation_cb_arg)) + if (qrx->validation_cb != NULL + && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg)) return 0; return 1; @@ -838,7 +526,7 @@ static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) * to *dec_len on success, which will always be equal to or less than (usually * less than) src_len. */ -static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, +static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst, const unsigned char *src, size_t src_len, size_t *dec_len, const unsigned char *aad, size_t aad_len, @@ -847,13 +535,24 @@ static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, int l = 0, l2 = 0; unsigned char nonce[EVP_MAX_IV_LENGTH]; size_t nonce_len, i; - OSSL_QRL_ENC_LEVEL *el = &qrl->rx_el[enc_level]; + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); - if (src_len > INT_MAX || aad_len > INT_MAX || el->tag_len >= src_len) + if (src_len > INT_MAX || aad_len > INT_MAX) return 0; /* We should not have been called if we do not have key material. */ - if (!ossl_assert(qrl_have_el(qrl, enc_level, /*is_tx=*/0) == 1)) + if (!ossl_assert(el != NULL)) + return 0; + + if (el->tag_len >= src_len) + return 0; + + /* + * If we have failed to authenticate a certain number of ciphertexts, refuse + * to decrypt any more ciphertexts. + */ + if (el->op_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id)) return 0; /* Construct nonce (nonce=IV ^ PN). */ @@ -885,8 +584,11 @@ static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, return 0; /* Ensure authentication succeeded. */ - if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) + if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) { + /* Authentication failed, increment failed auth counter. */ + ++el->op_count; return 0; + } *dec_len = l; return 1; @@ -898,7 +600,7 @@ static ossl_inline void ignore_res(int x) } /* Process a single packet in a datagram. */ -static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, +static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, PACKET *pkt, size_t pkt_idx, RXE **first_rxe, size_t datagram_len) @@ -917,7 +619,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * Get a free RXE. If we need to allocate a new one, use the packet length * as a good ballpark figure. */ - rxe = qrl_ensure_free_rxe(qrl, PACKET_remaining(pkt)); + rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt)); if (rxe == NULL) return 0; @@ -932,7 +634,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, */ need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx); if (!ossl_quic_wire_decode_pkt_hdr(pkt, - qrl->short_conn_id_len, + qrx->short_conn_id_len, need_second_decode, &rxe->hdr, &ptrs)) goto malformed; @@ -954,7 +656,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * now skip over it if we already processed it. */ if (already_processed - || !qrl_validate_hdr_early(qrl, rxe, pkt_idx == 0 ? NULL : *first_rxe)) + || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : *first_rxe)) goto malformed; if (rxe->hdr.type == QUIC_PKT_TYPE_VERSION_NEG @@ -966,7 +668,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, */ /* Just copy the payload from the URXE to the RXE. */ - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len)) == NULL) + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL) /* * Allocation failure. EOP will be pointing to the end of the * datagram so processing of this datagram will end here. @@ -980,16 +682,16 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, rxe->hdr.data = rxe_data(rxe); /* Move RXE to pending. */ - rxe_remove(&qrl->rx_free, rxe); - rxe_insert_tail(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_free, rxe); + rxe_insert_tail(&qrx->rx_pending, rxe); return 0; /* success, did not defer */ } /* Determine encryption level of packet. */ - enc_level = qrl_determine_enc_level(&rxe->hdr); + enc_level = qrx_determine_enc_level(&rxe->hdr); /* If we do not have keying material for this encryption level yet, defer. */ - switch (qrl_have_el(qrl, enc_level, /*is_tx=*/0)) { + switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) { case 1: /* We have keys. */ break; @@ -1019,7 +721,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * Relocate token buffer and fix pointer. */ if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL - && !qrl_relocate_buffer(qrl, &rxe, &i, &rxe->hdr.token, + && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token, rxe->hdr.token_len)) goto malformed; @@ -1027,7 +729,11 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, *pkt = orig_pkt; if (need_second_decode) { - if (!ossl_quic_hdr_protector_decrypt(&qrl->rx_el[enc_level].hpr, &ptrs)) + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1); + + assert(el != NULL); /* Already checked above */ + if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs)) goto malformed; /* @@ -1037,13 +743,13 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, pkt_mark(&urxe->hpr_removed, pkt_idx); /* Decode the now unprotected header. */ - if (ossl_quic_wire_decode_pkt_hdr(pkt, qrl->short_conn_id_len, + if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len, 0, &rxe->hdr, NULL) != 1) goto malformed; } /* Validate header and decode PN. */ - if (!qrl_validate_hdr(qrl, rxe)) + if (!qrx_validate_hdr(qrx, rxe)) goto malformed; /* @@ -1051,7 +757,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * HANDSHAKE packet. */ if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE) - qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, 0, 1); + ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL, 1); /* * The AAD data is the entire (unprotected) packet header including the PN. @@ -1061,7 +767,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, aad_len = rxe->hdr.data - sop; /* Ensure the RXE buffer size is adequate for our payload. */ - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len + i)) == NULL) { + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) { /* * Allocation failure, treat as malformed and do not bother processing * any further packets in the datagram as they are likely to also @@ -1085,7 +791,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * corrupted. */ dst = (unsigned char *)rxe_data(rxe) + i; - if (!qrl_decrypt_pkt_body(qrl, dst, rxe->hdr.data, rxe->hdr.len, + if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len, &dec_len, sop, aad_len, rxe->pn, enc_level)) goto malformed; @@ -1117,16 +823,16 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, /* We processed the PN successfully, so update largest processed PN. */ pn_space = rxe_determine_pn_space(rxe); - if (rxe->pn > qrl->rx_largest_pn[pn_space]) - qrl->rx_largest_pn[pn_space] = rxe->pn; + if (rxe->pn > qrx->largest_pn[pn_space]) + qrx->largest_pn[pn_space] = rxe->pn; /* Copy across network addresses from URXE to RXE. */ rxe->peer = urxe->peer; rxe->local = urxe->local; /* Move RXE to pending. */ - rxe_remove(&qrl->rx_free, rxe); - rxe_insert_tail(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_free, rxe); + rxe_insert_tail(&qrx->rx_pending, rxe); return 0; /* success, did not defer; not distinguished from failure */ cannot_decrypt: @@ -1175,7 +881,7 @@ malformed: } /* Process a datagram which was received. */ -static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, +static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e, const unsigned char *data, size_t data_len) { @@ -1184,7 +890,7 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, size_t pkt_idx = 0; RXE *first_rxe = NULL; - qrl->bytes_received += data_len; + qrx->bytes_received += data_len; if (!PACKET_buf_init(&pkt, data, data_len)) return 0; @@ -1209,10 +915,10 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, * we should still try to process any packets following it. * * In the case where the packet is so malformed we can't determine its - * lenngth, qrl_process_pkt will take care of advancing to the end of + * lenngth, qrx_process_pkt will take care of advancing to the end of * the packet, so we will exit the loop automatically in this case. */ - if (qrl_process_pkt(qrl, e, &pkt, pkt_idx, &first_rxe, data_len)) + if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_rxe, data_len)) have_deferred = 1; } @@ -1221,12 +927,12 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, } /* Process a single pending URXE. */ -static int qrl_process_one_urxl(OSSL_QRL *qrl, QUIC_URXE *e) +static int qrx_process_one_urxl(OSSL_QRX *qrx, QUIC_URXE *e) { int was_deferred; /* The next URXE we process should be at the head of the pending list. */ - if (!ossl_assert(e == qrl->urx_pending.head)) + if (!ossl_assert(e == qrx->urx_pending.head)) return 0; /* @@ -1235,47 +941,47 @@ static int qrl_process_one_urxl(OSSL_QRL *qrl, QUIC_URXE *e) * datagram, we do not attempt to process it again and silently eat the * error. */ - was_deferred = qrl_process_datagram(qrl, e, ossl_quic_urxe_data(e), + was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e), e->data_len); /* * Remove the URXE from the pending list and return it to * either the free or deferred list. */ - ossl_quic_urxe_remove(&qrl->urx_pending, e); + ossl_quic_urxe_remove(&qrx->urx_pending, e); if (was_deferred > 0) - ossl_quic_urxe_insert_tail(&qrl->urx_deferred, e); + ossl_quic_urxe_insert_tail(&qrx->urx_deferred, e); else - ossl_quic_demux_release_urxe(qrl->rx_demux, e); + ossl_quic_demux_release_urxe(qrx->demux, e); return 1; } /* Process any pending URXEs to generate pending RXEs. */ -static int qrl_process_urxl(OSSL_QRL *qrl) +static int qrx_process_urxl(OSSL_QRX *qrx) { QUIC_URXE *e; - while ((e = qrl->urx_pending.head) != NULL) - if (!qrl_process_one_urxl(qrl, e)) + while ((e = qrx->urx_pending.head) != NULL) + if (!qrx_process_one_urxl(qrx, e)) return 0; return 1; } -int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt) +int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt) { RXE *rxe; - if (!ossl_qrl_processed_read_pending(qrl)) { - if (!qrl_process_urxl(qrl)) + if (!ossl_qrx_processed_read_pending(qrx)) { + if (!qrx_process_urxl(qrx)) return 0; - if (!ossl_qrl_processed_read_pending(qrl)) + if (!ossl_qrx_processed_read_pending(qrx)) return 0; } - rxe = qrl_pop_pending_rxe(qrl); + rxe = qrx_pop_pending_rxe(qrx); if (!ossl_assert(rxe != NULL)) return 0; @@ -1288,28 +994,47 @@ int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt) return 1; } -void ossl_qrl_release_pkt(OSSL_QRL *qrl, void *handle) +void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle) { RXE *rxe = handle; - qrl_recycle_rxe(qrl, rxe); + qrx_recycle_rxe(qrx, rxe); } -uint64_t ossl_qrl_get_bytes_received(OSSL_QRL *qrl, int clear) +uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear) { - uint64_t v = qrl->bytes_received; + uint64_t v = qrx->bytes_received; if (clear) - qrl->bytes_received = 0; + qrx->bytes_received = 0; return v; } -int ossl_qrl_set_early_rx_validation_cb(OSSL_QRL *qrl, - ossl_qrl_early_rx_validation_cb *cb, - void *cb_arg) +int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx, + ossl_qrx_early_validation_cb *cb, + void *cb_arg) { - qrl->rx_validation_cb = cb; - qrl->rx_validation_cb_arg = cb_arg; + qrx->validation_cb = cb; + qrx->validation_cb_arg = cb_arg; return 1; } + +uint64_t ossl_qrx_get_cur_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); + + return el == NULL ? UINT64_MAX : el->op_count; +} + +uint64_t ossl_qrx_get_max_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); + + return el == NULL ? UINT64_MAX + : ossl_qrl_get_suite_max_forged_pkt(el->suite_id); +} diff --git a/ssl/quic/quic_record_shared.c b/ssl/quic/quic_record_shared.c new file mode 100644 index 0000000000..f5f06e26dd --- /dev/null +++ b/ssl/quic/quic_record_shared.c @@ -0,0 +1,209 @@ +#include "quic_record_shared.h" +#include "internal/quic_record_util.h" +#include "internal/common.h" +#include "../ssl_local.h" + +/* Constants used for key derivation in QUIC v1. */ +static const unsigned char quic_v1_iv_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */ +}; +static const unsigned char quic_v1_key_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */ +}; +static const unsigned char quic_v1_hp_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */ +}; + +OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int require_valid) +{ + OSSL_QRL_ENC_LEVEL *el; + + if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM)) + return NULL; + + el = &els->el[enc_level]; + + if (require_valid && (el->cctx == NULL || el->discarded)) + return NULL; + + return el; +} + +int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + + if (el == NULL) + return 0; + if (el->cctx != NULL) + return 1; + if (el->discarded) + return -1; + return 0; +} + +/* + * Sets up cryptographic state for a given encryption level and direction by + * deriving "quic iv", "quic key" and "quic hp" values from a given secret. + * + * md is a hash function used for key derivation. If it is NULL, this function + * fetches the necessary hash function itself. If it is non-NULL, this function + * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided + * must match the suite. + * + * On success where md is non-NULL, takes ownership of the caller's reference to + * md. + */ +int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els, + OSSL_LIB_CTX *libctx, + const char *propq, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH]; + size_t key_len = 0, hpr_key_len = 0, iv_len = 0; + const char *cipher_name = NULL, *md_name = NULL; + EVP_CIPHER *cipher = NULL; + EVP_CIPHER_CTX *cctx = NULL; + int own_md = 0, have_hpr = 0; + + if (el == NULL || el->discarded) + /* Should not be trying to reinitialise an EL which was discarded. */ + return 0; + + cipher_name = ossl_qrl_get_suite_cipher_name(suite_id); + iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id); + key_len = ossl_qrl_get_suite_cipher_key_len(suite_id); + hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id); + if (cipher_name == NULL) + return 0; + + if (secret_len != ossl_qrl_get_suite_secret_len(suite_id)) + return 0; + + if (md == NULL) { + md_name = ossl_qrl_get_suite_md_name(suite_id); + + if ((md = EVP_MD_fetch(libctx, md_name, propq)) == NULL) + return 0; + + own_md = 1; + } + + /* Derive "quic iv" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_iv_label, + sizeof(quic_v1_iv_label), + NULL, 0, + el->iv, iv_len, 0)) + goto err; + + /* Derive "quic key" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_key_label, + sizeof(quic_v1_key_label), + NULL, 0, + key, key_len, 0)) + goto err; + + /* Derive "quic hp" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_hp_label, + sizeof(quic_v1_hp_label), + NULL, 0, + hpr_key, hpr_key_len, 0)) + goto err; + + /* Free any old context which is using old keying material. */ + if (el->cctx != NULL) { + ossl_quic_hdr_protector_destroy(&el->hpr); + EVP_CIPHER_CTX_free(el->cctx); + el->cctx = NULL; + } + + /* Setup header protection context. */ + if (!ossl_quic_hdr_protector_init(&el->hpr, + libctx, + propq, + ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id), + hpr_key, + hpr_key_len)) + goto err; + + have_hpr = 1; + + /* Create and initialise cipher context. */ + if ((cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq)) == NULL) + goto err; + + if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher)) + || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) + goto err; + + if ((cctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + + /* IV will be changed on RX/TX so we don't need to use a real value here. */ + if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0)) + goto err; + + el->suite_id = suite_id; + el->cctx = cctx; + el->md = md; + el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id); + el->op_count = 0; + + /* Zeroize intermediate keys. */ + OPENSSL_cleanse(key, sizeof(key)); + OPENSSL_cleanse(hpr_key, sizeof(hpr_key)); + EVP_CIPHER_free(cipher); + return 1; + +err: + if (have_hpr) + ossl_quic_hdr_protector_destroy(&el->hpr); + EVP_CIPHER_CTX_free(cctx); + EVP_CIPHER_free(cipher); + if (own_md) + EVP_MD_free(md); + return 0; +} + +/* Drops keying material for a given encryption level. */ +void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, int is_final) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + + if (el == NULL || el->discarded) + return; + + if (el->cctx != NULL) { + ossl_quic_hdr_protector_destroy(&el->hpr); + + EVP_CIPHER_CTX_free(el->cctx); + el->cctx = NULL; + + EVP_MD_free(el->md); + el->md = NULL; + } + + /* Zeroise IV. */ + OPENSSL_cleanse(el->iv, sizeof(el->iv)); + + if (is_final) + el->discarded = 1; +} diff --git a/ssl/quic/quic_record_shared.h b/ssl/quic/quic_record_shared.h new file mode 100644 index 0000000000..40f05997df --- /dev/null +++ b/ssl/quic/quic_record_shared.h @@ -0,0 +1,86 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_RECORD_SHARED_H +# define OSSL_QUIC_RECORD_SHARED_H + +# include <openssl/ssl.h> +# include "internal/quic_types.h" +# include "internal/quic_wire_pkt.h" + +/* + * QUIC Record Layer EL Management Utilities + * ========================================= + * + * This defines a structure for managing the cryptographic state at a given + * encryption level, as this functionality is shared between QRX and QTX. For + * QRL use only. + */ +typedef struct ossl_qrl_enc_level_st { + /* Hash function used for key derivation. */ + EVP_MD *md; + /* Context used for packet body ciphering. */ + EVP_CIPHER_CTX *cctx; + /* IV used to construct nonces used for AEAD packet body ciphering. */ + unsigned char iv[EVP_MAX_IV_LENGTH]; + /* Have we permanently discarded this encryption level? */ + unsigned char discarded; + /* QRL_SUITE_* value. */ + uint32_t suite_id; + /* Length of authentication tag. */ + uint32_t tag_len; + /* + * Cryptographic context used to apply and remove header protection from + * packet headers. + */ + QUIC_HDR_PROTECTOR hpr; + /* Usage counter. The caller maintains this. */ + uint64_t op_count; +} OSSL_QRL_ENC_LEVEL; + +typedef struct ossl_qrl_enc_level_set_st { + OSSL_QRL_ENC_LEVEL el[QUIC_ENC_LEVEL_NUM]; +} OSSL_QRL_ENC_LEVEL_SET; + +/* + * Returns 1 if we have key material for a given encryption level, 0 if we do + * not yet have material and -1 if the EL is discarded. + */ +int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level); + +/* + * Returns EL in a set. If enc_level is not a valid QUIC_ENC_LEVEL_* value, + * returns NULL. If require_valid is 1, returns NULL if the EL is not + * provisioned or has been discarded; otherwise, the returned EL may be + * unprovisioned or discarded. + */ +OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int require_valid); + +/* Provide secret to an EL. md may be NULL. */ +int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els, + OSSL_LIB_CTX *libctx, + const char *propq, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len); + +/* + * Discard an EL. If is_final is non-zero, no secret can be provided for the EL + * ever again. + */ +void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int is_final); + +#endif diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c new file mode 100644 index 0000000000..8bd5fffc53 --- /dev/null +++ b/ssl/quic/quic_record_tx.c @@ -0,0 +1,906 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/quic_record_tx.h" +#include "internal/bio_addr.h" +#include "internal/common.h" +#include "quic_record_shared.h" +#include "../ssl_local.h" + +/* + * TXE + * === + * Encrypted packets awaiting transmission are kept in TX Entries (TXEs), which + * are queued in linked lists just like TXEs. + */ +typedef struct txe_st TXE; + +struct txe_st { + TXE *prev, *next; + size_t data_len, alloc_len; + + /* + * Destination and local addresses, as applicable. Both of these are only + * used if the family is not AF_UNSPEC. + */ + BIO_ADDR peer, local; + + /* + * alloc_len allocated bytes (of which data_len bytes are valid) follow this + * structure. + */ +}; + +static ossl_inline unsigned char *txe_data(const TXE *e) +{ + return (unsigned char *)(e + 1); +} + +typedef struct txe_list_st { + TXE *head, *tail; +} TXE_LIST; + +static void txe_remove(TXE_LIST *l, TXE *e) +{ + if (e->prev != NULL) + e->prev->next = e->next; + if (e->next != NULL) + e->next->prev = e->prev; + + if (e == l->head) + l->head = e->next; + if (e == l->tail) + l->tail = e->prev; + + e->next = e->prev = NULL; +} + +static void txe_insert_tail(TXE_LIST *l, TXE *e) +{ + if (l->tail == NULL) { + l->head = l->tail = e; + e->next = e->prev = NULL; + return; + } + + l->tail->next = e; + e->prev = l->tail; + e->next = NULL; + l->tail = e; +} + +/* + * QTX + * === + */ + +/* (Encryption level, direction)-specific state. */ +typedef struct ossl_qtx_enc_level_st { + /* Hash function used for key derivation. */ + EVP_MD *md; + /* Context used for packet body ciphering. */ + EVP_CIPHER_CTX *cctx; + /* IV used to construct nonces used for AEAD packet body ciphering. */ + unsigned char iv[EVP_MAX_IV_LENGTH]; + /* Have we permanently discarded this encryption level? */ + unsigned char discarded; + /* QTX_SUITE_* value. */ + uint32_t suite_id; + /* Length of authentication tag. */ + uint32_t tag_len; + /* + * Cryptographic context used to apply and remove header protection from + * packet headers. + */ + QUIC_HDR_PROTECTOR hpr; +} OSSL_QTX_ENC_LEVEL; + +struct ossl_qtx_st { + OSSL_LIB_CTX *libctx; + const char *propq; + + /* Per encryption-level state. */ + OSSL_QRL_ENC_LEVEL_SET el_set; + + /* TX BIO. */ + BIO *bio; + + /* TX maximum datagram payload length. */ + size_t mdpl; + + /* + * List of TXEs which are not currently in use. These are moved to the + * pending list (possibly via tx_cons first) as they are filled. + */ + TXE_LIST free; + + /* + * List of TXEs which are filled with completed datagrams ready to be + * transmitted. + */ + TXE_LIST pending; + size_t pending_count; /* items in list */ + size_t pending_bytes; /* sum(txe->data_len) in pending */ + + /* + * TXE which is under construction for coalescing purposes, if any. + * This TXE is neither on the free nor pending list. Once the datagram + * is completed, it is moved to the pending list. + */ + TXE *cons; + size_t cons_count; /* num packets */ +}; + +/* Instantiates a new QTX. */ +OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args) +{ + OSSL_QTX *qtx; + + qtx = OPENSSL_zalloc(sizeof(OSSL_QTX)); + if (qtx == NULL) + return 0; + + if (args->bio != NULL && !BIO_up_ref(args->bio)) { + OPENSSL_free(qtx); + return 0; + } + + qtx->libctx = args->libctx; + qtx->propq = args->propq; + qtx->bio = args->bio; + qtx->mdpl = args->mdpl; + return qtx; +} + +static void qtx_cleanup_txl(TXE_LIST *l) +{ + TXE *e, *enext; + for (e = l->head; e != NULL; e = enext) { + enext = e->next; + OPENSSL_free(e); + } + l->head = l->tail = NULL; +} + +/* Frees the QTX. */ +void ossl_qtx_free(OSSL_QTX *qtx) +{ + uint32_t i; + + /* Free TXE queue data. */ + qtx_cleanup_txl(&qtx->pending); + qtx_cleanup_txl(&qtx->free); + + /* Drop keying material and crypto resources. */ + for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) + ossl_qrl_enc_level_set_discard(&qtx->el_set, i, 1); + + OPENSSL_free(qtx); +} + +int ossl_qtx_provide_secret(OSSL_QTX *qtx, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len) +{ + if (enc_level >= QUIC_ENC_LEVEL_NUM) + return 0; + + return ossl_qrl_enc_level_set_provide_secret(&qtx->el_set, + qtx->libctx, + qtx->propq, + enc_level, + suite_id, + md, + secret, + secret_len); +} + +int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level) +{ + if (enc_level >= QUIC_ENC_LEVEL_NUM) + return 0; + + ossl_qrl_enc_level_set_discard(&qtx->el_set, enc_level, 1); + return 1; +} + +/* Allocate a new TXE. */ +static TXE *qtx_alloc_txe(size_t alloc_len) +{ + TXE *txe; + + if (alloc_len >= SIZE_MAX - sizeof(TXE)) + return NULL; + + txe = OPENSSL_malloc(sizeof(TXE) + alloc_len); + if (txe == NULL) + return NULL; + + txe->prev = txe->next = NULL; + txe->alloc_len = alloc_len; + txe->data_len = 0; + return txe; +} + +/* + * Ensures there is at least one TXE in the free list, allocating a new entry + * if necessary. The returned TXE is in the free list; it is not popped. + * + * alloc_len is a hint which may be used to determine the TXE size if allocation + * is necessary. Returns NULL on allocation failure. + */ +static TXE *qtx_ensure_free_txe(OSSL_QTX *qtx, size_t alloc_len) +{ + TXE *txe; + + if (qtx->free.head != NULL) + return qtx->free.head; + + txe = qtx_alloc_txe(alloc_len); + if (txe == NULL) + return NULL; + + txe_insert_tail(&qtx->free, txe); + return txe; +} + +/* + * Resize the data buffer attached to an TXE to be n bytes in size. The address + * of the TXE might change; the new address is returned, or NULL on failure, in + * which case the original TXE remains valid. + */ +static TXE *qtx_resize_txe(OSSL_QTX *qtx, TXE_LIST *txl, TXE *txe, size_t n) +{ + TXE *txe2; + + /* Should never happen. */ + if (txe == NULL) + return NULL; + + if (n >= SIZE_MAX - sizeof(TXE)) + return NULL; + + /* + * NOTE: We do not clear old memory, although it does contain decrypted + * data. + */ + txe2 = OPENSSL_realloc(txe, sizeof(TXE) + n); + if (txe2 == NULL) + /* original TXE is still in tact unchanged */ + return NULL; + + if (txl != NULL && txe != txe2) { + if (txl->head == txe) + txl->head = txe2; + if (txl->tail == txe) + txl->tail = txe2; + if (txe->prev != NULL) + txe->prev->next = txe2; + if (txe->next != NULL) + txe->next->prev = txe2; + } + + if (qtx->cons == txe) + qtx->cons = txe2; + + txe2->alloc_len = n; + return txe2; +} + +/* + * Ensure the data buffer attached to an TXE is at least n bytes in size. + * Returns NULL on failure. + */ +static TXE *qtx_reserve_txe(OSSL_QTX *qtx, TXE_LIST *txl, + TXE *txe, size_t n) +{ + if (txe->alloc_len >= n) + return txe; + + return qtx_resize_txe(qtx, txl, txe, n); +} + +/* Move a TXE from pending to free. */ +static void qtx_pending_to_free(OSSL_QTX *qtx) +{ + TXE *txe = qtx->pending.head; + + assert(txe != NULL); + txe_remove(&qtx->pending, txe); + --qtx->pending_count; + qtx->pending_bytes -= txe->data_len; + txe_insert_tail(&qtx->free, txe); +} + +/* Add a TXE not currently in any list to the pending list. */ +static void qtx_add_to_pending(OSSL_QTX *qtx, TXE *txe) +{ + txe_insert_tail(&qtx->pending, txe); + ++qtx->pending_count; + qtx->pending_bytes += txe->data_len; +} + +struct iovec_cur { + const OSSL_QTX_IOVEC *iovec; + size_t num_iovec, idx, byte_off, bytes_remaining; +}; + +static size_t iovec_total_bytes(const OSSL_QTX_IOVEC *iovec, + size_t num_iovec) +{ + size_t i, l = 0; + + for (i = 0; i < num_iovec; ++i) + l += iovec[i].buf_len; + + return l; +} + +static void iovec_cur_init(struct iovec_cur *cur, + const OSSL_QTX_IOVEC *iovec, + size_t num_iovec) +{ + cur->iovec = iovec; + cur->num_iovec = num_iovec; + cur->idx = 0; + cur->byte_off = 0; + cur->bytes_remaining = iovec_total_bytes(iovec, num_iovec); +} + +/* + * Get an extent of bytes from the iovec cursor. *buf is set to point to the + * buffer and the number of bytes in length of the buffer is returned. This + * value may be less than the max_buf_len argument. If no more data is + * available, returns 0. + */ +static size_t iovec_cur_get_buffer(struct iovec_cur *cur, + const unsigned char **buf, + size_t max_buf_len) +{ + size_t l; + + if (max_buf_len == 0) { + *buf = NULL; + return 0; + } + + for (;;) { + if (cur->idx >= cur->num_iovec) + return 0; + + l = cur->iovec[cur->idx].buf_len - cur->byte_off; + if (l > max_buf_len) + l = max_buf_len; + + if (l > 0) { + *buf = cur->iovec[cur->idx].buf + cur->byte_off; + cur->byte_off += l; + cur->bytes_remaining -= l; + return l; + } + + /* + * Zero-length iovec entry or we already consumed all of it, try the + * next iovec. + */ + ++cur->idx; + cur->byte_off = 0; + } +} + +/* Determines the size of the AEAD output given the input size. */ +static size_t qtx_inflate_payload_len(OSSL_QTX *qtx, uint32_t enc_level, + size_t plaintext_len) +{ + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + + assert(el != NULL); /* Already checked by caller. */ + + /* + * We currently only support ciphers with a 1:1 mapping between plaintext + * and ciphertext size, save for authentication tag. + */ + return plaintext_len + ossl_qrl_get_suite_cipher_tag_len(el->suite_id); +} + +/* Any other error (including packet being too big for MDPL). */ +#define QTX_FAIL_GENERIC (-1) + +/* + * Returned where there is insufficient room in the datagram to write the + * packet. + */ +#define QTX_FAIL_INSUFFICIENT_LEN (-2) + +static int qtx_write_hdr(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe, + QUIC_PKT_HDR_PTRS *ptrs) +{ + WPACKET wpkt; + size_t l = 0; + + if (!WPACKET_init_static_len(&wpkt, txe_data(txe) + txe->data_len, + txe->alloc_len - txe->data_len, 0)) + return 0; + + if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, pkt->hdr->src_conn_id.id_len, + pkt->hdr, ptrs) + || !WPACKET_get_total_written(&wpkt, &l)) { + WPACKET_finish(&wpkt); + return 0; + } + + txe->data_len += l; + WPACKET_finish(&wpkt); + return 1; +} + +static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe, + uint32_t enc_level, QUIC_PN pn, + const unsigned char *hdr, size_t hdr_len, + QUIC_PKT_HDR_PTRS *ptrs) +{ + int l = 0, l2 = 0; + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + unsigned char nonce[EVP_MAX_IV_LENGTH]; + size_t nonce_len, i; + + /* We should not have been called if we do not have key material. */ + if (!ossl_assert(el != NULL)) + return 0; + + /* + * Have we already encrypted the maximum number of packets using the current + * key? + */ + if (el->op_count >= ossl_qrl_get_suite_max_pkt(el->suite_id)) + return 0; + + /* Construct nonce (nonce=IV ^ PN). */ + nonce_len = EVP_CIPHER_CTX_get_iv_length(el->cctx); + if (!ossl_assert(nonce_len >= sizeof(QUIC_PN))) + return 0; + + memcpy(nonce, el->iv, nonce_len); + for (i = 0; i < sizeof(QUIC_PN); ++i) + nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8)); + + /* type and key will already have been setup; feed the IV. */ + if (EVP_CipherInit_ex(el->cctx, NULL, NULL, NULL, nonce, /*enc=*/1) != 1) + return 0; + + /* Feed AAD data. */ + if (EVP_CipherUpdate(el->cctx, NULL, &l, hdr, hdr_len) != 1) + return 0; + + /* Encrypt plaintext directly into TXE. */ + for (;;) { + const unsigned char *src; + size_t src_len; + + src_len = iovec_cur_get_buffer(cur, &src, SIZE_MAX); + if (src_len == 0) + break; + + if (EVP_CipherUpdate(el->cctx, txe_data(txe) + txe->data_len, + &l, src, src_len) != 1) + return 0; + + assert(l > 0 && src_len == (size_t)l); + txe->data_len += src_len; + } + + /* Finalise and get tag. */ + if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) + return 0; + + if (EVP_CIPHER_CTX_ctrl(el->cctx, EVP_CTRL_AEAD_GET_TAG, + el->tag_len, txe_data(txe) + txe->data_len) != 1) + return 0; + + txe->data_len += el->tag_len; + + /* Apply header protection. */ + if (!ossl_quic_hdr_protector_encrypt(&el->hpr, ptrs)) + return 0; + + ++el->op_count; + return 1; +} + +/* + * Append a packet to the TXE buffer, serializing and encrypting it in the + * process. + */ +static int qtx_write(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe, + uint32_t enc_level) +{ + int ret, needs_encrypt; + size_t hdr_len, pred_hdr_len, payload_len, pkt_len, space_left; + size_t min_len, orig_data_len; + struct iovec_cur cur; + QUIC_PKT_HDR_PTRS ptrs; + unsigned char *hdr_start; + + /* + * Determine if the packet needs encryption and the minimum conceivable + * serialization length. + */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) { + needs_encrypt = 0; + min_len = QUIC_MIN_VALID_PKT_LEN; + } else { + needs_encrypt = 1; + min_len = QUIC_MIN_VALID_PKT_LEN_CRYPTO; + } + + orig_data_len = txe->data_len; + space_left = txe->alloc_len - txe->data_len; + if (space_left < min_len) { + /* Not even a possibility of it fitting. */ + ret = QTX_FAIL_INSUFFICIENT_LEN; + goto err; + } + + /* Walk the iovecs to determine actual input payload length. */ + iovec_cur_init(&cur, pkt->iovec, pkt->num_iovec); + + /* Determine encrypted payload length. */ + payload_len = needs_encrypt ? qtx_inflate_payload_len(qtx, enc_level, + cur.bytes_remaining) + : cur.bytes_remaining; + + /* Determine header length. */ + pkt->hdr->data = NULL; + pkt->hdr->len = payload_len; + pred_hdr_len = ossl_quic_wire_get_encoded_pkt_hdr_len(pkt->hdr->src_conn_id.id_len, + pkt->hdr); + if (pred_hdr_len == 0) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + /* We now definitively know our packet length. */ + pkt_len = pred_hdr_len + payload_len; + + if (pkt_len > space_left) { + ret = QTX_FAIL_INSUFFICIENT_LEN; + goto err; + } + + /* Set some fields in the header we are responsible for. */ + pkt->hdr->key_phase = 0; /* TODO */ + if (!ossl_quic_wire_encode_pkt_hdr_pn(pkt->pn, + pkt->hdr->pn, + pkt->hdr->pn_len)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + /* Append the header to the TXE. */ + hdr_start = txe_data(txe) + txe->data_len; + if (!qtx_write_hdr(qtx, pkt, txe, &ptrs)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + hdr_len = (txe_data(txe) + txe->data_len) - hdr_start; + assert(hdr_len == pred_hdr_len); + + if (!needs_encrypt) { + /* Just copy the payload across. */ + const unsigned char *src; + size_t src_len; + + for (;;) { + /* Buffer length has already been checked above. */ + src_len = iovec_cur_get_buffer(&cur, &src, SIZE_MAX); + if (src_len == 0) + break; + + memcpy(txe_data(txe) + txe->data_len, src, src_len); + txe->data_len += src_len; + } + } else { + /* Encrypt into TXE. */ + if (!qtx_encrypt_into_txe(qtx, &cur, txe, enc_level, pkt->pn, + hdr_start, hdr_len, &ptrs)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + assert(txe->data_len - orig_data_len == pkt_len); + } + + return 1; + +err: + /* + * Restore original length so we don't leave a half-written packet in the + * TXE. + */ + txe->data_len = orig_data_len; + return ret; +} + +static TXE *qtx_ensure_cons(OSSL_QTX *qtx) +{ + TXE *txe = qtx->cons; + + if (txe != NULL) + return txe; + + txe = qtx_ensure_free_txe(qtx, qtx->mdpl); + if (txe == NULL) + return NULL; + + txe_remove(&qtx->free, txe); + qtx->cons = txe; + qtx->cons_count = 0; + txe->data_len = 0; + return txe; +} + +static int addr_eq(const BIO_ADDR *a, const BIO_ADDR *b) +{ + return ((a == NULL || BIO_ADDR_family(a) == AF_UNSPEC) + && (b == NULL || BIO_ADDR_family(b) == AF_UNSPEC)) + || (a != NULL && b != NULL && memcmp(a, b, sizeof(*a)) == 0); +} + +int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt) +{ + int ret; + int coalescing = (pkt->flags & OSSL_QTX_PKT_FLAG_COALESCE) != 0; + int was_coalescing; + TXE *txe; + uint32_t enc_level; + + /* Must have EL configured, must have header. */ + if (pkt->hdr == NULL) + return 0; + + enc_level = ossl_quic_pkt_type_to_enc_level(pkt->hdr->type); + + /* Some packet types must be in a packet all by themselves. */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) + ossl_qtx_finish_dgram(qtx); + else if (enc_level >= QUIC_ENC_LEVEL_NUM + || ossl_qrl_enc_level_set_have_el(&qtx->el_set, enc_level) != 1) + /* All other packet types are encrypted. */ + return 0; + + was_coalescing = (qtx->cons != NULL && qtx->cons->data_len > 0); + if (was_coalescing) + if (!addr_eq(&qtx->cons->peer, pkt->peer) + || !addr_eq(&qtx->cons->local, pkt->local)) { + /* Must stop coalescing if addresses have changed */ + ossl_qtx_finish_dgram(qtx); + was_coalescing = 0; + } + + for (;;) { + /* + * Start a new coalescing session or continue using the existing one and + * serialize/encrypt the packet. We always encrypt packets as soon as + * our caller gives them to us, which relieves the caller of any need to + * keep the plaintext around. + */ + txe = qtx_ensure_cons(qtx); + if (txe == NULL) + return 0; /* allocation failure */ + + /* + * Ensure TXE has at least MDPL bytes allocated. This should only be + * possible if the MDPL has increased. + */ + if (!qtx_reserve_txe(qtx, NULL, txe, qtx->mdpl)) + return 0; + + if (!was_coalescing) { + /* Set addresses in TXE. */ + if (pkt->peer != NULL) + txe->peer = *pkt->peer; + else + BIO_ADDR_clear(&txe->peer); + + if (pkt->local != NULL) + txe->local = *pkt->local; + else + BIO_ADDR_clear(&txe->local); + } + + ret = qtx_write(qtx, pkt, txe, enc_level); + if (ret == 1) { + break; + } else if (ret == QTX_FAIL_INSUFFICIENT_LEN) { + if (was_coalescing) { + /* + * We failed due to insufficient length, so end the current + * datagram and try again. + */ + ossl_qtx_finish_dgram(qtx); + was_coalescing = 0; + } else { + /* + * We failed due to insufficient length, but we were not + * coalescing/started with an empty datagram, so any future + * attempt to write this packet must also fail. + */ + return 0; + } + } else { + return 0; /* other error */ + } + } + + ++qtx->cons_count; + + /* + * Some packet types cannot have another packet come after them. + */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG + || pkt->hdr->type == QUIC_PKT_TYPE_1RTT) + coalescing = 0; + + if (!coalescing) + ossl_qtx_finish_dgram(qtx); + + return 1; +} + +/* + * Finish any incomplete datagrams for transmission which were flagged for + * coalescing. If there is no current coalescing datagram, this is a no-op. + */ +void ossl_qtx_finish_dgram(OSSL_QTX *qtx) +{ + TXE *txe = qtx->cons; + + if (txe == NULL) + return; + + if (txe->data_len == 0) + /* + * If we did not put anything in the datagram, just move it back to the + * free list. + */ + txe_insert_tail(&qtx->free, txe); + else + qtx_add_to_pending(qtx, txe); + + qtx->cons = NULL; + qtx->cons_count = 0; +} + +static void txe_to_msg(TXE *txe, BIO_MSG *msg) +{ + msg->data = txe_data(txe); + msg->data_len = txe->data_len; + msg->flags = 0; + msg->peer + = BIO_ADDR_family(&txe->peer) != AF_UNSPEC ? &txe->peer : NULL; + msg->local + = BIO_ADDR_family(&txe->local) != AF_UNSPEC ? &txe->local : NULL; +} + +#define MAX_MSGS_PER_SEND 32 + +void ossl_qtx_flush_net(OSSL_QTX *qtx) +{ + BIO_MSG msg[MAX_MSGS_PER_SEND]; + size_t i; + TXE *txe; + ossl_ssize_t wr; + + if (qtx->bio == NULL) + return; + + for (;;) { + for (txe = qtx->pending.head, i = 0; + txe != NULL && i < OSSL_NELEM(msg); + txe = txe->next, ++i) + txe_to_msg(txe, &msg[i]); + + if (!i) + /* Nothing to send. */ + return; + + wr = BIO_sendmmsg(qtx->bio, msg, sizeof(BIO_MSG), i, 0); + if (wr <= 0) + /* + * We did not get anything, so further calls will probably not + * succeed either. + */ + break; + + /* + * Remove everything which was successfully sent from the pending queue. + */ + for (i = 0; i < (size_t)wr; ++i) + qtx_pending_to_free(qtx); + } +} + +int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg) +{ + TXE *txe = qtx->pending.head; + + if (txe == NULL) + return 0; + + txe_to_msg(txe, msg); + qtx_pending_to_free(qtx); + return 1; +} + +int ossl_qtx_set1_bio(OSSL_QTX *qtx, BIO *bio) +{ + if (bio != NULL && !BIO_up_ref(bio)) + return 0; + + BIO_free(qtx->bio); + qtx->bio = bio; + return 1; +} + +int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl) +{ + qtx->mdpl = mdpl; + return 1; +} + +size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx) +{ + return qtx->pending_count; +} + +size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx) +{ + return qtx->pending_bytes; +} + +size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx) +{ + return qtx->cons != NULL ? qtx->cons->data_len : 0; +} + +size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx) +{ + return qtx->cons_count; +} + +uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el; + + el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + if (el == NULL) + return UINT64_MAX; + + return el->op_count; +} + +uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el; + + el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + if (el == NULL) + return UINT64_MAX; + + return ossl_qrl_get_suite_max_pkt(el->suite_id); +} diff --git a/ssl/quic/quic_record_util.c b/ssl/quic/quic_record_util.c index 6d0eeb5759..1b26a61ec7 100644 --- a/ssl/quic/quic_record_util.c +++ b/ssl/quic/quic_record_util.c @@ -8,7 +8,10 @@ */ #include "internal/quic_record_util.h" +#include "internal/quic_record_rx.h" +#include "internal/quic_record_tx.h" #include "internal/quic_wire_pkt.h" +#include "../ssl_local.h" #include <openssl/kdf.h> #include <openssl/core_names.h> @@ -52,6 +55,119 @@ err: return ret; } +/* Constants used for key derivation in QUIC v1. */ +static const unsigned char quic_client_in_label[] = { + 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */ +}; +static const unsigned char quic_server_in_label[] = { + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */ +}; + +/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */ +static const unsigned char quic_v1_initial_salt[] = { + 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, + 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a +}; + +int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx, + const char *propq, + const QUIC_CONN_ID *dst_conn_id, + int is_server, + struct ossl_qrx_st *qrx, + struct ossl_qtx_st *qtx) +{ + unsigned char initial_secret[32]; + unsigned char client_initial_secret[32], server_initial_secret[32]; + unsigned char *rx_secret, *tx_secret; + EVP_MD *sha256; + + if (qrx == NULL && qtx == NULL) + return 1; + + /* Initial encryption always uses SHA-256. */ + if ((sha256 = EVP_MD_fetch(libctx, "SHA256", propq)) == NULL) + return 0; + + if (is_server) { + rx_secret = client_initial_secret; + tx_secret = server_initial_secret; + } else { + rx_secret = server_initial_secret; + tx_secret = client_initial_secret; + } + + /* Derive initial secret from destination connection ID. */ + if (!ossl_quic_hkdf_extract(libctx, propq, + sha256, + quic_v1_initial_salt, + sizeof(quic_v1_initial_salt), + dst_conn_id->id, + dst_conn_id->id_len, + initial_secret, + sizeof(initial_secret))) + goto err; + + /* Derive "client in" secret. */ + if (((qtx != NULL && tx_secret == client_initial_secret) + || (qrx != NULL && rx_secret == client_initial_secret)) + && !tls13_hkdf_expand_ex(libctx, propq, + sha256, + initial_secret, + quic_client_in_label, + sizeof(quic_client_in_label), + NULL, 0, + client_initial_secret, + sizeof(client_initial_secret), 0)) + goto err; + + /* Derive "server in" secret. */ + if (((qtx != NULL && tx_secret == server_initial_secret) + || (qrx != NULL && rx_secret == server_initial_secret)) + && !tls13_hkdf_expand_ex(libctx, propq, + sha256, + initial_secret, + quic_server_in_label, + sizeof(quic_server_in_label), + NULL, 0, + server_initial_secret, + sizeof(server_initial_secret), 0)) + goto err; + + /* Setup RX EL. Initial encryption always uses AES-128-GCM. */ + if (qrx != NULL + && !ossl_qrx_provide_secret(qrx, QUIC_ENC_LEVEL_INITIAL, + QRL_SUITE_AES128GCM, + sha256, + rx_secret, + sizeof(server_initial_secret))) + goto err; + + /* + * ossl_qrx_provide_secret takes ownership of our ref to SHA256, so if we + * are initialising both sides, get a new ref for the following call for the + * TX side. + */ + if (qrx != NULL && qtx != NULL && !EVP_MD_up_ref(sha256)) { + sha256 = NULL; + goto err; + } + + /* Setup TX cipher. */ + if (qtx != NULL + && !ossl_qtx_provide_secret(qtx, QUIC_ENC_LEVEL_INITIAL, + QRL_SUITE_AES128GCM, + sha256, + tx_secret, + sizeof(server_initial_secret))) + goto err; + + return 1; + +err: + EVP_MD_free(sha256); + return 0; +} + /* * QUIC Record Layer Ciphersuite Info * ================================== @@ -61,21 +177,29 @@ struct suite_info { const char *cipher_name, *md_name; uint32_t secret_len, cipher_key_len, cipher_iv_len, cipher_tag_len; uint32_t hdr_prot_key_len, hdr_prot_cipher_id; + uint64_t max_pkt, max_forged_pkt; }; static const struct suite_info suite_aes128gcm = { "AES-128-GCM", "SHA256", 32, 16, 12, 16, 16, - QUIC_HDR_PROT_CIPHER_AES_128 + QUIC_HDR_PROT_CIPHER_AES_128, + ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */ + ((uint64_t)1) << 52, }; static const struct suite_info suite_aes256gcm = { "AES-256-GCM", "SHA384", 48, 32, 12, 16, 32, - QUIC_HDR_PROT_CIPHER_AES_256 + QUIC_HDR_PROT_CIPHER_AES_256, + ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */ + ((uint64_t)1) << 52, }; static const struct suite_info suite_chacha20poly1305 = { "ChaCha20-Poly1305", "SHA256", 32, 32, 12, 16, 32, - QUIC_HDR_PROT_CIPHER_CHACHA + QUIC_HDR_PROT_CIPHER_CHACHA, + /* Do not use UINT64_MAX here as this represents an invalid value */ + UINT64_MAX - 1, /* No applicable limit for this suite (RFC 9001) */ + ((uint64_t)1) << 36, /* Limit as prescribed by RFC 9001 */ }; static const struct suite_info *get_suite(uint32_t suite_id) @@ -139,3 +263,15 @@ uint32_t ossl_qrl_get_suite_hdr_prot_key_len(uint32_t suite_id) const struct suite_info *c = get_suite(suite_id); return c != NULL ? c->hdr_prot_key_len : 0; } + +uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id) +{ + const struct suite_info *c = get_suite(suite_id); + return c != NULL ? c->max_pkt : UINT64_MAX; +} + +uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id) +{ + const struct suite_info *c = get_suite(suite_id); + return c != NULL ? c->max_forged_pkt : UINT64_MAX; +} diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c index 5d90d70c15..2d62cb4b7d 100644 --- a/ssl/quic/quic_wire_pkt.c +++ b/ssl/quic/quic_wire_pkt.c @@ -406,7 +406,8 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, QUIC_PKT_HDR_PTRS *ptrs) { unsigned char b0; - size_t off_start, off_sample, off_sample_end, off_pn; + size_t off_start, off_sample, off_pn; + unsigned char *start = WPACKET_get_curr(pkt); if (!WPACKET_get_total_written(pkt, &off_start)) return 0; @@ -517,19 +518,74 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, return 0; off_sample = off_pn + 4; - if (!WPACKET_get_total_written(pkt, &off_sample_end)) - return 0; if (ptrs != NULL) { - ptrs->raw_start = (unsigned char *)pkt->buf->data + off_start; - ptrs->raw_sample = (unsigned char *)pkt->buf->data + off_sample; - ptrs->raw_sample_len = off_sample_end - off_sample; - ptrs->raw_pn = (unsigned char *)pkt->buf->data + off_pn; + ptrs->raw_start = start; + ptrs->raw_sample = start + (off_sample - off_start); + ptrs->raw_sample_len + = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; + ptrs->raw_pn = start + (off_pn - off_start); } return 1; } +int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, + const QUIC_PKT_HDR *hdr) +{ + size_t len = 0, enclen; + + /* Cannot serialize a partial header, or one whose DCID length is wrong. */ + if (hdr->partial + || (hdr->type == QUIC_PKT_TYPE_1RTT + && hdr->dst_conn_id.id_len != short_conn_id_len)) + return 0; + + if (hdr->type == QUIC_PKT_TYPE_1RTT) { + /* Short header. */ + + /* + * Cannot serialize a header whose DCID length is wrong, or with an + * invalid PN length. + */ + if (hdr->dst_conn_id.id_len != short_conn_id_len + || short_conn_id_len > QUIC_MAX_CONN_ID_LEN + || hdr->pn_len < 1 || hdr->pn_len > 4) + return 0; + + return 1 + short_conn_id_len + hdr->pn_len; + } else { + /* Long header. */ + if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN + || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) + return 0; + + if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG + && hdr->type != QUIC_PKT_TYPE_RETRY + && (hdr->pn_len < 1 || hdr->pn_len > 4)) + return 0; + + len += 1 /* Initial byte */ + 4 /* Version */ + + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ + + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ + + hdr->pn_len; /* PN */ + + if (hdr->type == QUIC_PKT_TYPE_INITIAL) { + enclen = ossl_quic_vlint_encode_len(hdr->token_len); + if (!enclen) + return 0; + len += enclen; + } + + enclen = ossl_quic_vlint_encode_len(hdr->len); + if (!enclen) + return 0; + + len += enclen; + return len; + } +} + int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, size_t buf_len, size_t short_conn_id_len, |