* The QUIC connection demuxer is the entity responsible for receiving datagrams
* from the network via a datagram BIO. It parses packet headers to determine
* each packet's destination connection ID (DCID) and hands off processing of
- * the packet to the correct QUIC Record Layer (QRL)'s RX side.
+ * the packet to the correct QUIC Record Layer (QRL)'s RX side (known as the
+ * QRX).
*
- * A QRL is instantiated per QUIC connection and contains the cryptographic
+ * A QRX is instantiated per QUIC connection and contains the cryptographic
* resources needed to decrypt QUIC packets for that connection. Received
- * datagrams are passed from the demuxer to the QRL via a callback registered
- * for a specific DCID by the QRL; thus the demuxer has no specific knowledge of
- * the QRL and is not coupled to it.
+ * datagrams are passed from the demuxer to the QRX via a callback registered
+ * for a specific DCID by the QRX; thus the demuxer has no specific knowledge of
+ * the QRX and is not coupled to it.
*
- * A connection may have multiple connection IDs associated with it; a QRL
+ * A connection may have multiple connection IDs associated with it; a QRX
* handles this simply by registering multiple connection IDs with the demuxer
* via multiple register calls.
*
* packets, however, this is not the demuxer's concern. QUIC prohibits different
* packets in the same datagram from containing different DCIDs; the demuxer
* only considers the DCID of the first packet in a datagram when deciding how
- * to route a received datagram, and it is the responsibility of the QRL to
+ * to route a received datagram, and it is the responsibility of the QRX to
* enforce this rule. Packets other than the first packet in a datagram are not
* examined by the demuxer, and the demuxer does not perform validation of
* packet headers other than to the minimum extent necessary to extract the
* DCID; further parsing and validation of packet headers is the responsibility
- * of the QRL.
+ * of the QRX.
*
* Rather than defining an opaque interface, the URXE structure internals
* are exposed. Since the demuxer is only exposed to other parts of the QUIC
* advantages:
*
* - Fields in the URXE can be allocated to support requirements in other
- * components, like the QRL, which would otherwise have to allocate extra
+ * components, like the QRX, which would otherwise have to allocate extra
* memory corresponding to each URXE.
*
- * - Other components, like the QRL, can keep the URXE in queues of its own
+ * - Other components, like the QRX, can keep the URXE in queues of its own
* when it is not being managed by the demuxer.
*
* URX Queue Structure
/*
* Bitfields per packet. processed indicates the packet has been processed
* and must not be processed again, hpr_removed indicates header protection
- * has already been removed. Used by QRL only; not used by the demuxer.
+ * has already been removed. Used by QRX only; not used by the demuxer.
*/
uint64_t processed, hpr_removed;
+++ /dev/null
-/*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_QUIC_RECORD_H
-# define OSSL_QUIC_RECORD_H
-
-# include <openssl/ssl.h>
-# include "internal/quic_wire_pkt.h"
-# include "internal/quic_types.h"
-# include "internal/quic_record_util.h"
-# include "internal/quic_demux.h"
-
-/*
- * QUIC Record Layer
- * =================
- */
-typedef struct ossl_qrl_st OSSL_QRL;
-
-typedef struct ossl_qrl_args_st {
- OSSL_LIB_CTX *libctx;
- const char *propq;
-
- /* Demux to receive datagrams from. */
- QUIC_DEMUX *rx_demux;
-
- /* Length of connection IDs used in short-header packets in bytes. */
- size_t short_conn_id_len;
-
- /* Initial reference PN used for RX. */
- QUIC_PN rx_init_largest_pn[QUIC_PN_SPACE_NUM];
-} OSSL_QRL_ARGS;
-
-/* Instantiates a new QRL. */
-OSSL_QRL *ossl_qrl_new(const OSSL_QRL_ARGS *args);
-
-/*
- * Frees the QRL. All packets obtained using ossl_qrl_read_pkt must already
- * have been released by calling ossl_qrl_release_pkt.
- *
- * You do not need to call ossl_qrl_remove_dst_conn_id first; this function will
- * unregister the QRL from the demuxer for all registered destination connection
- * IDs (DCIDs) automatically.
- */
-void ossl_qrl_free(OSSL_QRL *qrl);
-
-/*
- * DCID Management
- * ===============
- */
-
-/*
- * Adds a given DCID to the QRL. The QRL will register the DCID with the demuxer
- * so that incoming packets with that DCID are passed to the given QRL. Multiple
- * DCIDs may be associated with a QRL at any one time. You will need to add at
- * least one DCID after instantiating the QRL. A zero-length DCID is a valid
- * input to this function. This function fails if the DCID is already
- * registered.
- *
- * Returns 1 on success or 0 on error.
- */
-int ossl_qrl_add_dst_conn_id(OSSL_QRL *qrl,
- const QUIC_CONN_ID *dst_conn_id);
-
-/*
- * Remove a DCID previously registered with ossl_qrl_add_dst_conn_id. The DCID
- * is unregistered from the demuxer. Fails if the DCID is not registered with
- * the demuxer.
- *
- * Returns 1 on success or 0 on error.
- */
-int ossl_qrl_remove_dst_conn_id(OSSL_QRL *qrl,
- const QUIC_CONN_ID *dst_conn_id);
-
-/*
- * Secret Management
- * =================
- *
- * A QRL has several encryption levels (Initial, Handshake, 0-RTT, 1-RTT) and
- * two directions (RX, TX). At any given time, key material is managed for each
- * (EL, RX/TX) combination.
- *
- * Broadly, for a given (EL, RX/TX), the following state machine is applicable:
- *
- * WAITING_FOR_KEYS --[Provide]--> HAVE_KEYS --[Discard]--> | DISCARDED |
- * \-------------------------------------[Discard]--> | |
- *
- * To transition the RX side of an EL from WAITING_FOR_KEYS to HAVE_KEYS, call
- * ossl_qrl_provide_rx_secret (or for the INITIAL EL,
- * ossl_qrl_provide_rx_secret_initial).
- *
- * Once keys have been provisioned for an EL, you call
- * ossl_qrl_discard_enc_level to transition the EL to the DISCARDED state. You
- * can also call this function to transition directly to the DISCARDED state
- * even before any keys have been provisioned for that EL.
- *
- * The DISCARDED state is terminal for a given EL; you cannot provide a secret
- * again for that EL after reaching it.
- *
- * Incoming packets cannot be processed and decrypted if they target an EL
- * not in the HAVE_KEYS state. However, there is a distinction between
- * the WAITING_FOR_KEYS and DISCARDED states:
- *
- * - In the WAITING_FOR_KEYS state, the QRL assumes keys for the given
- * EL will eventually arrive. Therefore, if it receives any packet
- * for an EL in this state, it buffers it and tries to process it
- * again once the EL reaches HAVE_KEYS.
- *
- * - In the DISCARDED state, the QRL assumes no keys for the given
- * EL will ever arrive again. If it receives any packet for an EL
- * in this state, it is simply discarded.
- *
- * If the user wishes to instantiate a new QRL to replace an old one for
- * whatever reason, for example to take over for an already established QUIC
- * connection, it is important that all ELs no longer being used (i.e., INITIAL,
- * 0-RTT, 1-RTT) are transitioned to the DISCARDED state. Otherwise, the QRL
- * will assume that keys for these ELs will arrive in future, and will buffer
- * any received packets for those ELs perpetually. This can be done by calling
- * ossl_qrl_discard_enc_level for all non-1-RTT ELs immediately after
- * instantiating the QRL.
- *
- * The INITIAL EL is not setup automatically when the QRL is instantiated. This
- * allows the caller to instead discard it immediately after instantiation of
- * the QRL if it is not needed, for example if the QRL is being instantiated to
- * take over handling of an existing connection which has already passed the
- * INITIAL phase. This avoids the unnecessary derivation of INITIAL keys where
- * they are not needed. In the ordinary case, ossl_qrl_provide_rx_secret_initial
- * should be called immediately after instantiation.
- */
-
-/*
- * A QUIC client sends its first INITIAL packet with a random DCID, which is
- * used to compute the secret used for INITIAL packet encryption. This function
- * must be called to provide the DCID used for INITIAL packet secret computation
- * before the QRL can process any INITIAL response packets.
- *
- * It is possible to use the QRL without ever calling this, for example if there
- * is no desire to handle INITIAL packets (e.g. if the QRL is instantiated to
- * succeed a previous QRL and handle a connection which is already established.)
- * However, in this case you should make sure you call
- * ossl_qrl_discard_enc_level (see above).
- *
- * Returns 1 on success or 0 on error.
- */
-int ossl_qrl_provide_rx_secret_initial(OSSL_QRL *qrl,
- const QUIC_CONN_ID *dst_conn_id);
-
-/*
- * Provides a secret to the QRL, which arises due to an encryption level change.
- * enc_level is a QUIC_ENC_LEVEL_* value. This function cannot be used to
- * initialise the INITIAL encryption level; see
- * ossl_qrl_provide_rx_secret_initial instead.
- *
- * You should seek to call this function for a given EL before packets of that
- * EL arrive and are processed by the QRL. However, if packets have already
- * arrived for a given EL, the QRL will defer processing of them and perform
- * processing of them when this function is eventually called for the EL in
- * question.
- *
- * suite_id is a QRL_SUITE_* value which determines the AEAD function used for
- * the QRL.
- *
- * The secret passed is used directly to derive the "quic key", "quic iv" and
- * "quic hp" values.
- *
- * secret_len is the length of the secret buffer in bytes. The buffer must be
- * sized correctly to the chosen suite, else the function fails.
- *
- * This function can only be called once for a given EL. Subsequent calls fail,
- * as do calls made after a corresponding call to ossl_qrl_discard_enc_level for
- * that EL. The secret for a EL cannot be changed after it is set because QUIC
- * has no facility for introducing additional key material after an EL is setup.
- * QUIC key updates are managed automatically by the QRL and do not require user
- * intervention.
- *
- * Returns 1 on success or 0 on failure.
- */
-int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl,
- uint32_t enc_level,
- uint32_t suite_id,
- const unsigned char *secret,
- size_t secret_len);
-
-/*
- * Informs the QRL that it can now discard key material for a given EL. The QRL
- * will no longer be able to process incoming packets received at that
- * encryption level. This function is idempotent and succeeds if the EL has
- * already been discarded.
- *
- * Returns 1 on success and 0 on failure.
- */
-int ossl_qrl_discard_enc_level(OSSL_QRL *qrl, uint32_t enc_level);
-
-/*
- * Packet Reception
- * ================
- */
-
-/* Information about a received packet. */
-typedef struct ossl_qrl_rx_pkt_st {
- /* Opaque handle to be passed to ossl_qrl_release_pkt. */
- void *handle;
-
- /*
- * Points to a logical representation of the decoded QUIC packet header. The
- * data and len fields point to the decrypted QUIC payload (i.e., to a
- * sequence of zero or more (potentially malformed) frames to be decoded).
- */
- QUIC_PKT_HDR *hdr;
-
- /*
- * Address the packet was received from. If this is not available for this
- * packet, this field is NULL (but this can only occur for manually injected
- * packets).
- */
- const BIO_ADDR *peer;
-
- /*
- * Local address the packet was sent to. If this is not available for this
- * packet, this field is NULL.
- */
- const BIO_ADDR *local;
-
- /*
- * This is the length of the datagram which contained this packet. Note that
- * the datagram may have contained other packets than this. The intended use
- * for this is so that the user can enforce minimum datagram sizes (e.g. for
- * datagrams containing INITIAL packets), as required by RFC 9000.
- */
- size_t datagram_len;
-} OSSL_QRL_RX_PKT;
-
-/*
- * Tries to read a new decrypted packet from the QRL.
- *
- * On success, all fields of *pkt are filled and 1 is returned.
- * Else, returns 0.
- *
- * The resources referenced by pkt->hdr, pkt->data and pkt->peer will remain
- * allocated at least until the user frees them by calling ossl_qrl_release_pkt,
- * which must be called once you are done with the packet.
- */
-int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt);
-
-/*
- * Release the resources pointed to by an OSSL_QRL_RX_PKT returned by
- * ossl_qrl_read_pkt. Pass the opaque value pkt->handle returned in the
- * structure.
- */
-void ossl_qrl_release_pkt(OSSL_QRL *qrl, void *handle);
-
-/*
- * Returns 1 if there are any already processed (i.e. decrypted) packets waiting
- * to be read from the QRL.
- */
-int ossl_qrl_processed_read_pending(OSSL_QRL *qrl);
-
-/*
- * Returns 1 if there arre any unprocessed (i.e. not yet decrypted) packets
- * waiting to be processed by the QRL. These may or may not result in
- * successfully decrypted packets once processed. This indicates whether
- * unprocessed data is buffered by the QRL, not whether any data is available in
- * a kernel socket buffer.
- */
-int ossl_qrl_unprocessed_read_pending(OSSL_QRL *qrl);
-
-/*
- * Returns the number of UDP payload bytes received from the network so far
- * since the last time this counter was cleared. If clear is 1, clears the
- * counter and returns the old value.
- *
- * The intended use of this is to allow callers to determine how much credit to
- * add to their anti-amplification budgets. This is reported separately instead
- * of in the OSSL_QRL_RX_PKT structure so that a caller can apply
- * anti-amplification credit as soon as a datagram is received, before it has
- * necessarily read all processed packets contained within that datagram from
- * the QRL.
- */
-uint64_t ossl_qrl_get_bytes_received(OSSL_QRL *qrl, int clear);
-
-/*
- * Sets a callback which is called when a packet is received and being
- * validated before being queued in the read queue. This is called before packet
- * body decryption. pn_space is a QUIC_PN_SPACE_* value denoting which PN space
- * the PN belongs to.
- *
- * If this callback returns 1, processing continues normally.
- * If this callback returns 0, the packet is discarded.
- *
- * Other packets in the same datagram will still be processed where possible.
- *
- * The intended use for this function is to allow early validation of whether
- * a PN is a potential duplicate before spending CPU time decrypting the
- * packet payload.
- *
- * The callback is optional and can be unset by passing NULL for cb.
- * cb_arg is an opaque value passed to cb.
- */
-typedef int (ossl_qrl_early_rx_validation_cb)(QUIC_PN pn, int pn_space,
- void *arg);
-
-int ossl_qrl_set_early_rx_validation_cb(OSSL_QRL *qrl,
- ossl_qrl_early_rx_validation_cb *cb,
- void *cb_arg);
-
-#endif
--- /dev/null
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_QUIC_RECORD_RX_H
+# define OSSL_QUIC_RECORD_RX_H
+
+# include <openssl/ssl.h>
+# include "internal/quic_wire_pkt.h"
+# include "internal/quic_types.h"
+# include "internal/quic_record_util.h"
+# include "internal/quic_demux.h"
+
+/*
+ * QUIC Record Layer - RX
+ * ======================
+ */
+typedef struct ossl_qrx_st OSSL_QRX;
+
+typedef struct ossl_qrx_args_st {
+ OSSL_LIB_CTX *libctx;
+ const char *propq;
+
+ /* Demux to receive datagrams from. */
+ QUIC_DEMUX *demux;
+
+ /* Length of connection IDs used in short-header packets in bytes. */
+ size_t short_conn_id_len;
+
+ /* Initial reference PN used for RX. */
+ QUIC_PN init_largest_pn[QUIC_PN_SPACE_NUM];
+} OSSL_QRX_ARGS;
+
+/* Instantiates a new QRX. */
+OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args);
+
+/*
+ * Frees the QRX. All packets obtained using ossl_qrx_read_pkt must already
+ * have been released by calling ossl_qrx_release_pkt.
+ *
+ * You do not need to call ossl_qrx_remove_dst_conn_id first; this function will
+ * unregister the QRX from the demuxer for all registered destination connection
+ * IDs (DCIDs) automatically.
+ */
+void ossl_qrx_free(OSSL_QRX *qrx);
+
+/*
+ * DCID Management
+ * ===============
+ */
+
+/*
+ * Adds a given DCID to the QRX. The QRX will register the DCID with the demuxer
+ * so that incoming packets with that DCID are passed to the given QRX. Multiple
+ * DCIDs may be associated with a QRX at any one time. You will need to add at
+ * least one DCID after instantiating the QRX. A zero-length DCID is a valid
+ * input to this function. This function fails if the DCID is already
+ * registered.
+ *
+ * Returns 1 on success or 0 on error.
+ */
+int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx,
+ const QUIC_CONN_ID *dst_conn_id);
+
+/*
+ * Remove a DCID previously registered with ossl_qrx_add_dst_conn_id. The DCID
+ * is unregistered from the demuxer. Fails if the DCID is not registered with
+ * the demuxer.
+ *
+ * Returns 1 on success or 0 on error.
+ */
+int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx,
+ const QUIC_CONN_ID *dst_conn_id);
+
+/*
+ * Secret Management
+ * =================
+ *
+ * A QRX has several encryption levels (Initial, Handshake, 0-RTT, 1-RTT) and
+ * two directions (RX, TX). At any given time, key material is managed for each
+ * (EL, RX/TX) combination.
+ *
+ * Broadly, for a given (EL, RX/TX), the following state machine is applicable:
+ *
+ * WAITING_FOR_KEYS --[Provide]--> HAVE_KEYS --[Discard]--> | DISCARDED |
+ * \-------------------------------------[Discard]--> | |
+ *
+ * To transition the RX side of an EL from WAITING_FOR_KEYS to HAVE_KEYS, call
+ * ossl_qrx_provide_secret (for the INITIAL EL, use of
+ * ossl_qrl_provide_initial_secret is recommended).
+ *
+ * Once keys have been provisioned for an EL, you call
+ * ossl_qrx_discard_enc_level to transition the EL to the DISCARDED state. You
+ * can also call this function to transition directly to the DISCARDED state
+ * even before any keys have been provisioned for that EL.
+ *
+ * The DISCARDED state is terminal for a given EL; you cannot provide a secret
+ * again for that EL after reaching it.
+ *
+ * Incoming packets cannot be processed and decrypted if they target an EL
+ * not in the HAVE_KEYS state. However, there is a distinction between
+ * the WAITING_FOR_KEYS and DISCARDED states:
+ *
+ * - In the WAITING_FOR_KEYS state, the QRX assumes keys for the given
+ * EL will eventually arrive. Therefore, if it receives any packet
+ * for an EL in this state, it buffers it and tries to process it
+ * again once the EL reaches HAVE_KEYS.
+ *
+ * - In the DISCARDED state, the QRX assumes no keys for the given
+ * EL will ever arrive again. If it receives any packet for an EL
+ * in this state, it is simply discarded.
+ *
+ * If the user wishes to instantiate a new QRX to replace an old one for
+ * whatever reason, for example to take over for an already established QUIC
+ * connection, it is important that all ELs no longer being used (i.e., INITIAL,
+ * 0-RTT, 1-RTT) are transitioned to the DISCARDED state. Otherwise, the QRX
+ * will assume that keys for these ELs will arrive in future, and will buffer
+ * any received packets for those ELs perpetually. This can be done by calling
+ * ossl_qrx_discard_enc_level for all non-1-RTT ELs immediately after
+ * instantiating the QRX.
+ *
+ * The INITIAL EL is not setup automatically when the QRX is instantiated. This
+ * allows the caller to instead discard it immediately after instantiation of
+ * the QRX if it is not needed, for example if the QRX is being instantiated to
+ * take over handling of an existing connection which has already passed the
+ * INITIAL phase. This avoids the unnecessary derivation of INITIAL keys where
+ * they are not needed. In the ordinary case, ossl_qrx_provide_secret_initial
+ * should be called immediately after instantiation.
+ */
+
+/*
+ * Provides a secret to the QRX, which arises due to an encryption level change.
+ * enc_level is a QUIC_ENC_LEVEL_* value. To initialise the INITIAL encryption
+ * level, it is recommended to use ossl_qrl_provide_initial_secret instead.
+ *
+ * You should seek to call this function for a given EL before packets of that
+ * EL arrive and are processed by the QRX. However, if packets have already
+ * arrived for a given EL, the QRX will defer processing of them and perform
+ * processing of them when this function is eventually called for the EL in
+ * question.
+ *
+ * suite_id is a QRX_SUITE_* value which determines the AEAD function used for
+ * the QRX.
+ *
+ * The secret passed is used directly to derive the "quic key", "quic iv" and
+ * "quic hp" values.
+ *
+ * secret_len is the length of the secret buffer in bytes. The buffer must be
+ * sized correctly to the chosen suite, else the function fails.
+ *
+ * This function can only be called once for a given EL. Subsequent calls fail,
+ * as do calls made after a corresponding call to ossl_qrx_discard_enc_level for
+ * that EL. The secret for a EL cannot be changed after it is set because QUIC
+ * has no facility for introducing additional key material after an EL is setup.
+ * QUIC key updates are managed automatically by the QRX and do not require user
+ * intervention.
+ *
+ * md is for internal use and should be NULL.
+ *
+ * Returns 1 on success or 0 on failure.
+ */
+int ossl_qrx_provide_secret(OSSL_QRX *qrx,
+ uint32_t enc_level,
+ uint32_t suite_id,
+ EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len);
+
+/*
+ * Informs the QRX that it can now discard key material for a given EL. The QRX
+ * will no longer be able to process incoming packets received at that
+ * encryption level. This function is idempotent and succeeds if the EL has
+ * already been discarded.
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level);
+
+/*
+ * Packet Reception
+ * ================
+ */
+
+/* Information about a received packet. */
+typedef struct ossl_qrx_pkt_st {
+ /* Opaque handle to be passed to ossl_qrx_release_pkt. */
+ void *handle;
+
+ /*
+ * Points to a logical representation of the decoded QUIC packet header. The
+ * data and len fields point to the decrypted QUIC payload (i.e., to a
+ * sequence of zero or more (potentially malformed) frames to be decoded).
+ */
+ QUIC_PKT_HDR *hdr;
+
+ /*
+ * Address the packet was received from. If this is not available for this
+ * packet, this field is NULL (but this can only occur for manually injected
+ * packets).
+ */
+ const BIO_ADDR *peer;
+
+ /*
+ * Local address the packet was sent to. If this is not available for this
+ * packet, this field is NULL.
+ */
+ const BIO_ADDR *local;
+
+ /*
+ * This is the length of the datagram which contained this packet. Note that
+ * the datagram may have contained other packets than this. The intended use
+ * for this is so that the user can enforce minimum datagram sizes (e.g. for
+ * datagrams containing INITIAL packets), as required by RFC 9000.
+ */
+ size_t datagram_len;
+} OSSL_QRX_PKT;
+
+/*
+ * Tries to read a new decrypted packet from the QRX.
+ *
+ * On success, all fields of *pkt are filled and 1 is returned.
+ * Else, returns 0.
+ *
+ * The resources referenced by pkt->hdr, pkt->data and pkt->peer will remain
+ * allocated at least until the user frees them by calling ossl_qrx_release_pkt,
+ * which must be called once you are done with the packet.
+ */
+int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt);
+
+/*
+ * Release the resources pointed to by an OSSL_QRX_PKT returned by
+ * ossl_qrx_read_pkt. Pass the opaque value pkt->handle returned in the
+ * structure.
+ */
+void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle);
+
+/*
+ * Returns 1 if there are any already processed (i.e. decrypted) packets waiting
+ * to be read from the QRX.
+ */
+int ossl_qrx_processed_read_pending(OSSL_QRX *qrx);
+
+/*
+ * Returns 1 if there arre any unprocessed (i.e. not yet decrypted) packets
+ * waiting to be processed by the QRX. These may or may not result in
+ * successfully decrypted packets once processed. This indicates whether
+ * unprocessed data is buffered by the QRX, not whether any data is available in
+ * a kernel socket buffer.
+ */
+int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx);
+
+/*
+ * Returns the number of UDP payload bytes received from the network so far
+ * since the last time this counter was cleared. If clear is 1, clears the
+ * counter and returns the old value.
+ *
+ * The intended use of this is to allow callers to determine how much credit to
+ * add to their anti-amplification budgets. This is reported separately instead
+ * of in the OSSL_QRX_PKT structure so that a caller can apply
+ * anti-amplification credit as soon as a datagram is received, before it has
+ * necessarily read all processed packets contained within that datagram from
+ * the QRX.
+ */
+uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear);
+
+/*
+ * Sets a callback which is called when a packet is received and being
+ * validated before being queued in the read queue. This is called before packet
+ * body decryption. pn_space is a QUIC_PN_SPACE_* value denoting which PN space
+ * the PN belongs to.
+ *
+ * If this callback returns 1, processing continues normally.
+ * If this callback returns 0, the packet is discarded.
+ *
+ * Other packets in the same datagram will still be processed where possible.
+ *
+ * The intended use for this function is to allow early validation of whether
+ * a PN is a potential duplicate before spending CPU time decrypting the
+ * packet payload.
+ *
+ * The callback is optional and can be unset by passing NULL for cb.
+ * cb_arg is an opaque value passed to cb.
+ */
+typedef int (ossl_qrx_early_validation_cb)(QUIC_PN pn, int pn_space,
+ void *arg);
+
+int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx,
+ ossl_qrx_early_validation_cb *cb,
+ void *cb_arg);
+
+/*
+ * Key Update (RX)
+ * ===============
+ *
+ * Key update on the RX side is a largely but not entirely automatic process.
+ *
+ * Key update is initially triggered by receiving a 1-RTT packet with a
+ * different Key Phase value. This could be caused by an attacker in the network
+ * flipping random bits, therefore such a key update is tentative until the
+ * packet payload is successfully decrypted and authenticated by the AEAD with
+ * the 'next' keys. These 'next' keys then become the 'current' keys and the
+ * 'current' keys then become the 'previous' keys. The 'previous' keys must be
+ * kept around temporarily as some packets may still be in flight in the network
+ * encrypted with the old keys. If the old Key Phase value is X and the new Key
+ * Phase Value is Y (where obviously X != Y), this creates an ambiguity as any
+ * new packet received with a KP of X could either be an attempt to initiate yet
+ * another key update right after the last one, or an old packet encrypted
+ * before the key update.
+ *
+ * RFC 9001 provides some guidance on handling this issue:
+ *
+ * Strategy 1:
+ * Three keys, disambiguation using packet numbers
+ *
+ * "A recovered PN that is lower than any PN from the current KP uses the
+ * previous packet protection keys; a recovered PN that is higher than any
+ * PN from the current KP requires use of the next packet protection
+ * keys."
+ *
+ * Strategy 2:
+ * Two keys and a timer
+ *
+ * "Alternatively, endpoints can retain only two sets of packet protection
+ * neys, swapping previous keys for next after enough time has passed to
+ * allow for reordering in the network. In this case, the KP bit alone can
+ * be used to select keys."
+ *
+ * Strategy 2 is more efficient (we can keep fewer cipher contexts around) and
+ * should cover all actually possible network conditions. It also allows a delay
+ * after we make the 'next' keys our 'current' keys before we generate new
+ * 'next' keys, which allows us to mitigate against malicious peers who try to
+ * initiate an excessive number of key updates.
+ *
+ * We therefore model the following state machine:
+ *
+ *
+ * PROVISIONED
+ * _______________________________
+ * | |
+ * UNPROVISIONED --|----> NORMAL <----------\ |------> DROPPED
+ * | | | |
+ * | | | |
+ * | v | |
+ * | UPDATE_CONFIRMED | |
+ * | | | |
+ * | | | |
+ * | v | |
+ * | COOLDOWN | |
+ * | | | |
+ * | | | |
+ * | \---------------| |
+ * |_______________________________|
+ *
+ *
+ * The RX starts (once a secret has been provisioned) in the NORMAL state. In
+ * the NORMAL state, the current expected value of the Key Phase bit is
+ * recorded. When a flipped Key Phase bit is detected, the RX attempts to
+ * decrypt and authenticate the received packet with the 'next' keys rather than
+ * the 'current' keys. If (and only if) this authentication is successful, we
+ * move to the UPDATE_CONFIRMED state. (An attacker in the network could flip
+ * the Key Phase bit randomly, so it is essential we do nothing until AEAD
+ * authentication is complete.)
+ *
+ * In the UPDATE_CONFIRMED state, we know a key update is occurring and record
+ * the new Key Phase bit value as the newly current value, but we still keep the
+ * old keys around so that we can still process any packets which were still in
+ * flight when the key update was initiated. In the UPDATE_CONFIRMED state, a
+ * Key Phase bit value different to the current expected value is treated not as
+* the initiation of another key update, but a reference to our old keys.
+ *
+ * Eventually we will be reasonably sure we are not going to receive any more
+ * packets with the old keys. At this point, we can transition to the COOLDOWN
+ * state. This transition occurs automatically after a certain amount of time;
+ * RFC 9001 recommends it be the PTO interval, which relates to our RTT to the
+ * peer. The duration also SHOULD NOT exceed three times the PTO to assist with
+ * maintaining PFS.
+ *
+ * In the COOLDOWN phase, the old keys have been securely erased and only one
+ * set of keys can be used: the current keys. If a packet is received with a Key
+ * Phase bit value different to the current Key Phase Bit value, this is treated
+ * as a request for a Key Update, but this request is ignored and the packet is
+ * treated as malformed. We do this to allow mitigation against malicious peers
+ * trying to initiate an excessive number of Key Updates. The timeout for the
+ * transition from UPDATE_CONFIRMED to COOLDOWN is recommended as adequate for
+ * this purpose in itself by the RFC, so the normal additional timeout value for
+ * the transition from COOLDOWN to normal is zero (immediate transition).
+ *
+ * A summary of each state:
+ *
+ * Exp KP Uses Keys KS0 KS1 If Non-Expected KP Bit
+ * ------ --------- ------ ----- ----------------------
+ * NORMAL 0 Keyset 0 Gen 0 Gen 1 → UPDATE_CONFIRMED
+ * UPDATE_CONFIRMED 1 Keyset 1 Gen 0 Gen 1 Use Keyset 0
+ * COOLDOWN 1 Keyset 1 Erased Gen 1 Ignore Packet
+ *
+ * NORMAL 1 Keyset 1 Gen 2 Gen 1 → UPDATE_CONFIRMED
+ * UPDATE_CONFIRMED 0 Keyset 0 Gen 2 Gen 1 Use Keyset 1
+ * COOLDOWN 0 Keyset 0 Gen 2 Erased Ignore Packet
+ *
+ * Note that the key material for the next key generation ("key epoch") is
+ * always kept in the NORMAL state (necessary to avoid side-channel attacks).
+ * This material is derived during the transition from COOLDOWN to NORMAL.
+ *
+ * Note that when a peer initiates a Key Update, we MUST also initiate a Key
+ * Update as per the RFC. The caller is responsible for detecting this condition
+ * and making the necessary calls to the TX side by detecting changes to the
+ * return value of ossl_qrx_get_key_epoch().
+ *
+ * The above states (NORMAL, UPDATE_CONFIRMED, COOLDOWN) can themselves be
+ * considered substates of the PROVISIONED state. Providing a secret to the QRX
+ * for an EL transitions from UNPROVISIONED, the initial state, to PROVISIONED
+ * (NORMAL). Dropping key material for an EL transitions from whatever the
+ * current substate of the PROVISIONED state is to the DROPPED state, which is
+ * the terminal state.
+ *
+ * Note that non-1RTT ELs cannot undergo key update, therefore a non-1RT EL is
+ * always in the NORMAL substate if it is in the PROVISIONED state.
+ */
+
+/*
+ * Return the current RX key epoch. This is initially zero and is incremented by
+ * one for every Key Update successfully signalled by the peer.
+ *
+ * A necessary implication of this API is that the least significant bit of the
+ * returned value corresponds to the currently expected Key Phase bit, though
+ * callers are not anticipated to have any need of this information.
+ *
+ * It is not possible for the returned value to overflow, as a QUIC connection
+ * cannot support more than 2**62 packet numbers, and a connection must be
+ * terminated if this limit is reached.
+ *
+ * The caller should use this function to detect when the key epoch has changed
+ * and use it to initiate a key update on the TX side.
+ *
+ * The value returned by this function increments specifically at the transition
+ * from the NORMAL to the UPDATE_CONFIRMED state discussed above.
+ */
+uint64_t ossl_qrx_get_key_epoch(OSSL_QRX *qrx);
+
+/*
+ * The caller should call this after the UPDATE_CONFIRMED state is reached,
+ * after a timeout to be determined by the caller.
+ *
+ * This transitions from the UPDATE_CONFIRMED state to the COOLDOWN state (if
+ * still in the UPDATE_CONFIRMED state). If normal is 1, then transitions from
+ * the COOLDOWN state to the NORMAL state. Both transitions can be performed at
+ * once if desired.
+ *
+ * If in the normal state, or if in the COOLDOWN state and normal is 0, this is
+ * a no-op and returns 1.
+ *
+ * It is essential that the caller call this within a few PTO intervals of a key
+ * update occurring (as detected by the caller in a call to
+ * ossl_qrx_key_get_key_epoch()), as otherwise the peer will not be able to
+ * perform a Key Update ever again.
+ */
+int ossl_qrx_key_update_timeout(OSSL_QRX *qrx, int normal);
+
+
+/*
+ * Key Expiration
+ * ==============
+ */
+
+/*
+ * Returns the number of seemingly forged packets which have been received by
+ * the QRX. If this value reaches the value returned by
+ * ossl_qrx_get_max_epoch_forged_pkt_count(), all further received encrypted
+ * packets will be discarded without processing; thus, callers should trigger a
+ * key update on the TX side (which will cause the peer to trigger a key update
+ * on our RX side) well before this occurs.
+ */
+uint64_t ossl_qrx_get_cur_epoch_forged_pkt_count(OSSL_QRX *qrx,
+ uint32_t enc_level);
+
+/*
+ * Returns the maximum number of forged packets which the record layer
+ * will permit to be verified using the current set of RX keys.
+ */
+uint64_t ossl_qrx_get_max_epoch_forged_pkt_count(OSSL_QRX *qrx,
+ uint32_t enc_level);
+
+#endif
--- /dev/null
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_QUIC_RECORD_TX_H
+# define OSSL_QUIC_RECORD_TX_H
+
+# include <openssl/ssl.h>
+# include "internal/quic_wire_pkt.h"
+# include "internal/quic_types.h"
+# include "internal/quic_record_util.h"
+
+/*
+ * QUIC Record Layer - TX
+ * ======================
+ */
+typedef struct ossl_qtx_st OSSL_QTX;
+
+typedef struct ossl_qtx_args_st {
+ OSSL_LIB_CTX *libctx;
+ const char *propq;
+
+ /* BIO to transmit to. */
+ BIO *bio;
+
+ /* Maximum datagram payload length (MDPL) for TX purposes. */
+ size_t mdpl;
+} OSSL_QTX_ARGS;
+
+/* Instantiates a new QTX. */
+OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args);
+
+/* Frees the QTX. */
+void ossl_qtx_free(OSSL_QTX *qtx);
+
+/*
+ * Secret Management
+ * -----------------
+ */
+
+/*
+ * Provides a secret to the QTX, which arises due to an encryption level change.
+ * enc_level is a QUIC_ENC_LEVEL_* value.
+ *
+ * This function can be used to initialise the INITIAL encryption level, but you
+ * should not do so directly; see the utility function
+ * ossl_qrl_provide_initial_secret() instead, which can initialise the INITIAL
+ * encryption level of a QRX and QTX simultaneously without duplicating certain
+ * key derivation steps.
+ *
+ * You must call this function for a given EL before transmitting packets at
+ * that EL using this QTX, otherwise ossl_qtx_write_pkt will fail.
+ *
+ * suite_id is a QRL_SUITE_* value which determines the AEAD function used for
+ * the QTX.
+ *
+ * The secret passed is used directly to derive the "quic key", "quic iv" and
+ * "quic hp" values.
+ *
+ * secret_len is the length of the secret buffer in bytes. The buffer must be
+ * sized correctly to the chosen suite, else the function fails.
+ *
+ * This function can only be called once for a given EL. Subsequent calls fail,
+ * as do calls made after a corresponding call to ossl_qtx_discard_enc_level for
+ * that EL. The secret for a EL cannot be changed after it is set because QUIC
+ * has no facility for introducing additional key material after an EL is setup.
+ * (QUIC key updates generate new keys from existing key material and do not
+ * introduce new entropy into a connection's key material.)
+ *
+ * Returns 1 on success or 0 on failure.
+ */
+int ossl_qtx_provide_secret(OSSL_QTX *qtx,
+ uint32_t enc_level,
+ uint32_t suite_id,
+ EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len);
+
+/*
+ * Informs the QTX that it can now discard key material for a given EL. The QTX
+ * will no longer be able to generate packets at that EL. This function is
+ * idempotent and succeeds if the EL has already been discarded.
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level);
+
+
+/*
+ * Packet Transmission
+ * -------------------
+ */
+typedef struct ossl_qtx_iovec_st {
+ const unsigned char *buf;
+ size_t buf_len;
+} OSSL_QTX_IOVEC;
+
+typedef struct ossl_qtx_pkt_st {
+ /* Logical packet header to be serialized. */
+ QUIC_PKT_HDR *hdr;
+
+ /*
+ * iovecs expressing the logical packet payload buffer. Zero-length entries
+ * are permitted.
+ */
+ const OSSL_QTX_IOVEC *iovec;
+ size_t num_iovec;
+
+ /* Destination address. Will be passed through to the BIO if non-NULL. */
+ const BIO_ADDR *peer;
+
+ /*
+ * Local address (optional). Specify as non-NULL only if TX BIO
+ * has local address support enabled.
+ */
+ const BIO_ADDR *local;
+
+ /*
+ * Logical PN. Used for encryption. This will automatically be encoded to
+ * hdr->pn, which need not be initialized.
+ */
+ QUIC_PN pn;
+
+ /* Packet flags. Zero or more OSSL_QTX_PKT_FLAG_* values. */
+ uint32_t flags;
+} OSSL_QTX_PKT;
+
+/*
+ * More packets will be written which should be coalesced into a single
+ * datagram; do not send this packet yet. To use this, set this flag for all
+ * packets but the final packet in a datagram, then send the final packet
+ * without this flag set.
+ *
+ * This flag is not a guarantee and the QTX may transmit immediately anyway if
+ * it is not possible to fit any more packets in the current datagram.
+ *
+ * If the caller change its mind and needs to cause a packet queued with
+ * COALESCE after having passed it to this function but without writing another
+ * packet, it should call ossl_qtx_flush_pkt().
+ */
+#define OSSL_QTX_PKT_FLAG_COALESCE (1U << 0)
+
+/*
+ * Writes a packet.
+ *
+ * *pkt need be valid only for the duration of the call to this function.
+ *
+ * pkt->hdr->data and pkt->hdr->len are unused. The payload buffer is specified
+ * via an array of OSSL_QTX_IOVEC structures. The API is designed to support
+ * single-copy transmission; data is copied from the iovecs as it is encrypted
+ * into an internal staging buffer for transmission.
+ *
+ * The function may modify and clobber pkt->hdr->data, pkt->hdr->len,
+ * pkt->hdr->key_phase and pkt->hdr->pn for its own internal use. No other
+ * fields of pkt or pkt->hdr will be modified.
+ *
+ * It is the callers responsibility to determine how long the PN field in the
+ * encoded packet should be by setting pkt->hdr->pn_len. This function takes
+ * care of the PN encoding. Set pkt->pn to the desired PN.
+ *
+ * The packet is queued regardless of whether it is able to be sent immediately.
+ * Returns 1 on success or 0 on failure.
+ */
+int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt);
+
+/*
+ * Finish any incomplete datagrams for transmission which were flagged for
+ * coalescing. If there is no current coalescing datagram, this is a no-op.
+ */
+void ossl_qtx_finish_dgram(OSSL_QTX *qtx);
+
+/*
+ * (Attempt to) flush any datagrams which are queued for transmission. Note that
+ * this does not cancel coalescing; call ossl_qtx_finish_dgram() first if that
+ * is desired. The queue is drained into the OS's sockets as much as possible.
+ * To determine if there is still data to be sent after calling this function,
+ * use ossl_qtx_get_queue_len_bytes().
+ */
+void ossl_qtx_flush_net(OSSL_QTX *qtx);
+
+/*
+ * Diagnostic function. If there is any datagram pending transmission, pops it
+ * and writes the details of the datagram as they would have been passed to
+ * *msg. Returns 1, or 0 if there are no datagrams pending. For test use only.
+ */
+int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg);
+
+/* Returns number of datagrams which are fully-formed but not yet sent. */
+size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx);
+
+/*
+ * Returns number of payload bytes across all datagrams which are fully-formed
+ * but not yet sent. Does not count any incomplete coalescing datagram.
+ */
+size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx);
+
+/*
+ * Returns number of bytes in the current coalescing datagram, or 0 if there is
+ * no current coalescing datagram. Returns 0 after a call to
+ * ossl_qtx_finish_dgram().
+ */
+size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx);
+
+/*
+ * Returns number of queued coalesced packets which have not been put into a
+ * datagram yet. If this is non-zero, ossl_qtx_flush_pkt() needs to be called.
+ */
+size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx);
+
+/*
+ * Change the BIO being used by the QTX. May be NULL if actual transmission is
+ * not currently required.
+ */
+int ossl_qtx_set1_bio(OSSL_QTX *qtx, BIO *bio);
+
+/* Changes the MDPL. */
+int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl);
+
+
+/*
+ * Key Update
+ * ----------
+ *
+ * For additional discussion of key update considerations, see QRX header file.
+ */
+
+/*
+ * Triggers a key update. The key update will be started by inverting the Key
+ * Phase bit of the next packet transmitted; no key update occurs until the next
+ * packet is transmitted. Thus, this function should generally be called
+ * immediately before queueing the next packet.
+ *
+ * There are substantial requirements imposed by RFC 9001 on under what
+ * circumstances a key update can be initiated. The caller is responsible for
+ * meeting most of these requirements. For example, this function cannot be
+ * called too soon after a previous key update has occurred. Key updates also
+ * cannot be initiated until the 1-RTT encryption level is reached.
+ *
+ * As a sanity check, this function will fail and return 0 if the non-1RTT
+ * encryption levels have not yet been dropped.
+ *
+ * The caller may decide itself to initiate a key update, but it also MUST
+ * initiate a key update where it detects that the peer has initiated a key
+ * update. The caller is responsible for initiating a TX key update by calling
+ * this function in this circumstance; thus, the caller is responsible for
+ * coupling the RX and TX QUIC record layers in this way.
+ */
+int ossl_qtx_trigger_key_update(OSSL_QTX *qtx);
+
+
+/*
+ * Key Expiration
+ * --------------
+ */
+
+/*
+ * Returns the number of packets which have been encrypted for transmission with
+ * the current set of TX keys (the current "TX key epoch"). Reset to zero after
+ * a key update and incremented for each packet queued. If enc_level is not
+ * valid or relates to an EL which is not currently available, returns
+ * UINT64_MAX.
+ */
+uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);
+
+/*
+ * Returns the maximum number of packets which the record layer will permit to
+ * be encrypted using the current set of TX keys. If this limit is reached (that
+ * is, if the counter returned by ossl_qrx_tx_get_cur_epoch_pkt_count() reaches
+ * this value), as a safety measure, the QTX will not permit any further packets
+ * to be queued. All calls to ossl_qrx_write_pkt that try to send packets of a
+ * kind which need to be encrypted will fail. It is not possible to recover from
+ * this condition and the QTX must then be destroyed; therefore, callers should
+ * ensure they always trigger a key update well in advance of reaching this
+ * limit.
+ *
+ * The value returned by this function is based on the ciphersuite configured
+ * for the given encryption level. If keys have not been provisioned for the
+ * specified enc_level or the enc_level argument is invalid, this function
+ * returns UINT64_MAX, which is not a valid value. Note that it is not possible
+ * to perform a key update at any encryption level other than 1-RTT, therefore
+ * if this limit is reached at earlier encryption levels (which should not be
+ * possible) the connection must be terminated. Since this condition precludes
+ * the transmission of further packets, the only possible signalling of such an
+ * error condition to a peer is a Stateless Reset packet.
+ */
+uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);
+
+#endif
# define OSSL_QUIC_RECORD_UTIL_H
# include <openssl/ssl.h>
+# include "internal/quic_types.h"
+
+struct ossl_qrx_st;
+struct ossl_qtx_st;
/*
* QUIC Key Derivation Utilities
const unsigned char *ikm, size_t ikm_len,
unsigned char *out, size_t out_len);
+/*
+ * A QUIC client sends its first INITIAL packet with a random DCID, which
+ * is used to compute the secrets used for INITIAL packet encryption in both
+ * directions (both client-to-server and server-to-client).
+ *
+ * This function performs the necessary DCID-based key derivation, and then
+ * provides the derived key material for the INITIAL encryption level to a QRX
+ * instance, a QTX instance, or both.
+ *
+ * This function derives the necessary key material and then:
+ * - if qrx is non-NULL, provides the appropriate secret to it;
+ * - if qtx is non-NULL, provides the appropriate secret to it.
+ *
+ * If both qrx and qtx are NULL, this is a no-op. This function is equivalent to
+ * making the appropriate calls to ossl_qrx_provide_secret() and
+ * ossl_qtx_provide_secret().
+ *
+ * It is possible to use a QRX or QTX without ever calling this, for example if
+ * there is no desire to handle INITIAL packets (e.g. if a QRX/QTX is
+ * instantiated to succeed a previous QRX/QTX and handle a connection which is
+ * already established). However in this case you should make sure you call
+ * ossl_qrx_discard_enc_level(); see the header for that function for more
+ * details. Calling ossl_qtx_discard_enc_level() is not essential but could
+ * protect against programming errors.
+ *
+ * Returns 1 on success or 0 on error.
+ */
+int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx,
+ const char *propq,
+ const QUIC_CONN_ID *dst_conn_id,
+ int is_server,
+ struct ossl_qrx_st *qrx,
+ struct ossl_qtx_st *qtx);
+
/*
* QUIC Record Layer Ciphersuite Info
* ==================================
/* Returns header protection key length in bytes or 0 if suite ID is invalid. */
uint32_t ossl_qrl_get_suite_hdr_prot_key_len(uint32_t suite_id);
+/*
+ * Returns maximum number of packets which may be safely encrypted with a suite
+ * or 0 if suite ID is invalid.
+ */
+uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id);
+
+/*
+ * Returns maximum number of RX'd packets which may safely fail AEAD decryption
+ * for a given suite or 0 if suite ID is invalid.
+ */
+uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id);
+
#endif
# define QUIC_PKT_TYPE_1RTT 5
# define QUIC_PKT_TYPE_VERSION_NEG 6
+/*
+ * Determine encryption level from packet type. Returns QUIC_ENC_LEVEL_NUM if
+ * the packet is not of a type which is encrypted.
+ */
+static ossl_inline ossl_unused uint32_t
+ossl_quic_pkt_type_to_enc_level(uint32_t pkt_type)
+{
+ switch (pkt_type) {
+ case QUIC_PKT_TYPE_INITIAL:
+ return QUIC_ENC_LEVEL_INITIAL;
+ case QUIC_PKT_TYPE_HANDSHAKE:
+ return QUIC_ENC_LEVEL_HANDSHAKE;
+ case QUIC_PKT_TYPE_0RTT:
+ return QUIC_ENC_LEVEL_0RTT;
+ case QUIC_PKT_TYPE_1RTT:
+ return QUIC_ENC_LEVEL_1RTT;
+ default:
+ return QUIC_ENC_LEVEL_NUM;
+ }
+}
+
/*
* Smallest possible QUIC packet size as per RFC (aside from version negotiation
* packets).
size_t short_conn_id_len,
QUIC_CONN_ID *dst_conn_id);
+/*
+ * Precisely predicts the encoded length of a packet header structure.
+ *
+ * May return 0 if the packet header is not valid, but the fact that this
+ * function returns non-zero does not guarantee that
+ * ossl_quic_wire_encode_pkt_hdr() will succeed.
+ */
+int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len,
+ const QUIC_PKT_HDR *hdr);
+
/*
* Packet Number Encoding
* ======================
$LIBSSL=../../libssl
-SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record.c quic_record_util.c quic_wire_pkt.c
+SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record_rx.c quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c
* https://www.openssl.org/source/license.html
*/
-#include "internal/quic_record.h"
+#include "internal/quic_record_rx.h"
+#include "quic_record_shared.h"
#include "internal/common.h"
#include "../ssl_local.h"
/* Total length of the datagram which contained this packet. */
size_t datagram_len;
+
+ /*
+ * alloc_len allocated bytes (of which data_len bytes are valid) follow this
+ * structure.
+ */
};
-typedef struct ossl_qrl_rxe_list_st {
+typedef struct ossl_qrx_rxe_list_st {
RXE *head, *tail;
} RXE_LIST;
* QRL
* ===
*/
-
-/* (Encryption level, direction)-specific state. */
-typedef struct ossl_qrl_enc_level_st {
- /* Hash function used for key derivation. */
- EVP_MD *md;
- /* Context used for packet body ciphering. */
- EVP_CIPHER_CTX *cctx;
- /* IV used to construct nonces used for AEAD packet body ciphering. */
- unsigned char iv[EVP_MAX_IV_LENGTH];
- /* Have we permanently discarded this encryption level? */
- unsigned char discarded;
- /* QRL_SUITE_* value. */
- uint32_t suite_id;
- /* Length of authentication tag. */
- uint32_t tag_len;
- /*
- * Cryptographic context used to apply and remove header protection from
- * packet headers.
- */
- QUIC_HDR_PROTECTOR hpr;
-} OSSL_QRL_ENC_LEVEL;
-
-struct ossl_qrl_st {
+struct ossl_qrx_st {
OSSL_LIB_CTX *libctx;
const char *propq;
/* Demux to receive datagrams from. */
- QUIC_DEMUX *rx_demux;
+ QUIC_DEMUX *demux;
/* Length of connection IDs used in short-header packets in bytes. */
size_t short_conn_id_len;
RXE_LIST rx_pending;
/* Largest PN we have received and processed in a given PN space. */
- QUIC_PN rx_largest_pn[QUIC_PN_SPACE_NUM];
+ QUIC_PN largest_pn[QUIC_PN_SPACE_NUM];
/* Per encryption-level state. */
- OSSL_QRL_ENC_LEVEL rx_el[QUIC_ENC_LEVEL_NUM];
- OSSL_QRL_ENC_LEVEL tx_el[QUIC_ENC_LEVEL_NUM];
+ OSSL_QRL_ENC_LEVEL_SET el_set;
/* Bytes we have received since this counter was last cleared. */
uint64_t bytes_received;
/* Validation callback. */
- ossl_qrl_early_rx_validation_cb *rx_validation_cb;
- void *rx_validation_cb_arg;
-};
-
-static void qrl_on_rx(QUIC_URXE *urxe, void *arg);
-
-/* Constants used for key derivation in QUIC v1. */
-static const unsigned char quic_client_in_label[] = {
- 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */
-};
-static const unsigned char quic_server_in_label[] = {
- 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */
-};
-static const unsigned char quic_v1_iv_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */
+ ossl_qrx_early_validation_cb *validation_cb;
+ void *validation_cb_arg;
};
-static const unsigned char quic_v1_key_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */
-};
-static const unsigned char quic_v1_hp_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */
-};
-/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */
-static const unsigned char quic_v1_initial_salt[] = {
- 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17,
- 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a
-};
-
-static ossl_inline OSSL_QRL_ENC_LEVEL *qrl_get_el(OSSL_QRL *qrl,
- uint32_t enc_level,
- int is_tx)
-{
- if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM))
- return NULL;
- return is_tx ? &qrl->tx_el[enc_level] : &qrl->rx_el[enc_level];
-}
-
-/*
- * Returns 1 if we have key material for a given encryption level, 0 if we do
- * not yet have material and -1 if the EL is discarded.
- */
-static int qrl_have_el(OSSL_QRL *qrl, uint32_t enc_level, int is_tx)
-{
- OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx);
-
- if (el->cctx != NULL)
- return 1;
- if (el->discarded)
- return -1;
- return 0;
-}
-
-/* Drops keying material for a given encryption level. */
-static void qrl_el_discard(OSSL_QRL *qrl, uint32_t enc_level,
- int is_tx, int final)
-{
- OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx);
-
- if (el->discarded)
- return;
-
- if (el->cctx != NULL) {
- ossl_quic_hdr_protector_destroy(&el->hpr);
-
- EVP_CIPHER_CTX_free(el->cctx);
- el->cctx = NULL;
-
- EVP_MD_free(el->md);
- el->md = NULL;
- }
-
- /* Zeroise IV. */
- OPENSSL_cleanse(el->iv, sizeof(el->iv));
-
- if (final)
- el->discarded = 1;
-}
-
-/*
- * Sets up cryptographic state for a given encryption level and direction by
- * deriving "quic iv", "quic key" and "quic hp" values from a given secret.
- *
- * md is a hash function used for key derivation. If it is NULL, this function
- * fetches the necessary hash function itself. If it is non-NULL, this function
- * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided
- * must match the suite.
- *
- * On success where md is non-NULL, takes ownership of the caller's reference to
- * md.
- */
-static int qrl_el_set_secret(OSSL_QRL *qrl, uint32_t enc_level,
- uint32_t suite_id, EVP_MD *md,
- int is_tx,
- const unsigned char *secret,
- size_t secret_len)
-{
- OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx);
- unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH];
- size_t key_len = 0, hpr_key_len = 0, iv_len = 0;
- const char *cipher_name = NULL, *md_name = NULL;
- EVP_CIPHER *cipher = NULL;
- EVP_CIPHER_CTX *cctx = NULL;
- int own_md = 0, have_hpr = 0;
-
- if (el->discarded)
- /* Should not be trying to reinitialise an EL which was discarded. */
- return 0;
-
- cipher_name = ossl_qrl_get_suite_cipher_name(suite_id);
- iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id);
- key_len = ossl_qrl_get_suite_cipher_key_len(suite_id);
- hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id);
- if (cipher_name == NULL)
- return 0;
-
- if (secret_len != ossl_qrl_get_suite_secret_len(suite_id))
- return 0;
-
- if (md == NULL) {
- md_name = ossl_qrl_get_suite_md_name(suite_id);
-
- if ((md = EVP_MD_fetch(qrl->libctx,
- md_name, qrl->propq)) == NULL)
- return 0;
-
- own_md = 1;
- }
- /* Derive "quic iv" key. */
- if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq,
- md,
- secret,
- quic_v1_iv_label,
- sizeof(quic_v1_iv_label),
- NULL, 0,
- el->iv, iv_len, 0))
- goto err;
-
- /* Derive "quic key" key. */
- if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq,
- md,
- secret,
- quic_v1_key_label,
- sizeof(quic_v1_key_label),
- NULL, 0,
- key, key_len, 0))
- goto err;
-
- /* Derive "quic hp" key. */
- if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq,
- md,
- secret,
- quic_v1_hp_label,
- sizeof(quic_v1_hp_label),
- NULL, 0,
- hpr_key, hpr_key_len, 0))
- goto err;
-
- /* Free any old context which is using old keying material. */
- if (el->cctx != NULL) {
- ossl_quic_hdr_protector_destroy(&el->hpr);
- EVP_CIPHER_CTX_free(el->cctx);
- el->cctx = NULL;
- }
-
- /* Setup header protection context. */
- if (!ossl_quic_hdr_protector_init(&el->hpr,
- qrl->libctx,
- qrl->propq,
- ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id),
- hpr_key,
- hpr_key_len))
- goto err;
-
- have_hpr = 1;
-
- /* Create and initialise cipher context. */
- if ((cipher = EVP_CIPHER_fetch(qrl->libctx, cipher_name,
- qrl->propq)) == NULL)
- goto err;
-
- if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher))
- || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher)))
- goto err;
-
- if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
- goto err;
-
- /* IV will be changed on RX so we don't need to use a real value here. */
- if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0))
- goto err;
-
- el->suite_id = suite_id;
- el->cctx = cctx;
- el->md = md;
- el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id);
-
- /* Zeroize intermediate keys. */
- OPENSSL_cleanse(key, sizeof(key));
- OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
- EVP_CIPHER_free(cipher);
- return 1;
+static void qrx_on_rx(QUIC_URXE *urxe, void *arg);
-err:
- if (have_hpr)
- ossl_quic_hdr_protector_destroy(&el->hpr);
- EVP_CIPHER_CTX_free(cctx);
- EVP_CIPHER_free(cipher);
- if (own_md)
- EVP_MD_free(md);
- return 0;
-}
-
-OSSL_QRL *ossl_qrl_new(const OSSL_QRL_ARGS *args)
+OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args)
{
- OSSL_QRL *qrl;
+ OSSL_QRX *qrx;
size_t i;
- if (args->rx_demux == NULL)
+ if (args->demux == NULL)
return 0;
- qrl = OPENSSL_zalloc(sizeof(OSSL_QRL));
- if (qrl == NULL)
+ qrx = OPENSSL_zalloc(sizeof(OSSL_QRX));
+ if (qrx == NULL)
return 0;
- for (i = 0; i < OSSL_NELEM(qrl->rx_largest_pn); ++i)
- qrl->rx_largest_pn[i] = args->rx_init_largest_pn[i];
+ for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i)
+ qrx->largest_pn[i] = args->init_largest_pn[i];
- qrl->libctx = args->libctx;
- qrl->propq = args->propq;
- qrl->rx_demux = args->rx_demux;
- qrl->short_conn_id_len = args->short_conn_id_len;
- return qrl;
+ qrx->libctx = args->libctx;
+ qrx->propq = args->propq;
+ qrx->demux = args->demux;
+ qrx->short_conn_id_len = args->short_conn_id_len;
+ return qrx;
}
-static void qrl_cleanup_rxl(RXE_LIST *l)
+static void qrx_cleanup_rxl(RXE_LIST *l)
{
RXE *e, *enext;
for (e = l->head; e != NULL; e = enext) {
l->head = l->tail = NULL;
}
-static void qrl_cleanup_urxl(OSSL_QRL *qrl, QUIC_URXE_LIST *l)
+static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l)
{
QUIC_URXE *e, *enext;
for (e = l->head; e != NULL; e = enext) {
enext = e->next;
- ossl_quic_demux_release_urxe(qrl->rx_demux, e);
+ ossl_quic_demux_release_urxe(qrx->demux, e);
}
l->head = l->tail = NULL;
}
-void ossl_qrl_free(OSSL_QRL *qrl)
+void ossl_qrx_free(OSSL_QRX *qrx)
{
uint32_t i;
/* Unregister from the RX DEMUX. */
- ossl_quic_demux_unregister_by_cb(qrl->rx_demux, qrl_on_rx, qrl);
+ ossl_quic_demux_unregister_by_cb(qrx->demux, qrx_on_rx, qrx);
/* Free RXE queue data. */
- qrl_cleanup_rxl(&qrl->rx_free);
- qrl_cleanup_rxl(&qrl->rx_pending);
- qrl_cleanup_urxl(qrl, &qrl->urx_pending);
- qrl_cleanup_urxl(qrl, &qrl->urx_deferred);
+ qrx_cleanup_rxl(&qrx->rx_free);
+ qrx_cleanup_rxl(&qrx->rx_pending);
+ qrx_cleanup_urxl(qrx, &qrx->urx_pending);
+ qrx_cleanup_urxl(qrx, &qrx->urx_deferred);
/* Drop keying material and crypto resources. */
- for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) {
- qrl_el_discard(qrl, i, 0, 1);
- qrl_el_discard(qrl, i, 1, 1);
- }
+ for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i)
+ ossl_qrl_enc_level_set_discard(&qrx->el_set, i, 1);
- OPENSSL_free(qrl);
+ OPENSSL_free(qrx);
}
-static void qrl_on_rx(QUIC_URXE *urxe, void *arg)
+static void qrx_on_rx(QUIC_URXE *urxe, void *arg)
{
- OSSL_QRL *qrl = arg;
+ OSSL_QRX *qrx = arg;
/* Initialize our own fields inside the URXE and add to the pending list. */
urxe->processed = 0;
urxe->hpr_removed = 0;
- ossl_quic_urxe_insert_tail(&qrl->urx_pending, urxe);
+ ossl_quic_urxe_insert_tail(&qrx->urx_pending, urxe);
}
-int ossl_qrl_add_dst_conn_id(OSSL_QRL *qrl,
+int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx,
const QUIC_CONN_ID *dst_conn_id)
{
- return ossl_quic_demux_register(qrl->rx_demux,
+ return ossl_quic_demux_register(qrx->demux,
dst_conn_id,
- qrl_on_rx,
- qrl);
+ qrx_on_rx,
+ qrx);
}
-int ossl_qrl_remove_dst_conn_id(OSSL_QRL *qrl,
+int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx,
const QUIC_CONN_ID *dst_conn_id)
{
- return ossl_quic_demux_unregister(qrl->rx_demux, dst_conn_id);
+ return ossl_quic_demux_unregister(qrx->demux, dst_conn_id);
}
-static void qrl_requeue_deferred(OSSL_QRL *qrl)
+static void qrx_requeue_deferred(OSSL_QRX *qrx)
{
QUIC_URXE *e;
- while ((e = qrl->urx_deferred.head) != NULL) {
- ossl_quic_urxe_remove(&qrl->urx_deferred, e);
- ossl_quic_urxe_insert_head(&qrl->urx_pending, e);
+ while ((e = qrx->urx_deferred.head) != NULL) {
+ ossl_quic_urxe_remove(&qrx->urx_deferred, e);
+ ossl_quic_urxe_insert_head(&qrx->urx_pending, e);
}
}
-int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, uint32_t enc_level,
- uint32_t suite_id,
- const unsigned char *secret, size_t secret_len)
+int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level,
+ uint32_t suite_id, EVP_MD *md,
+ const unsigned char *secret, size_t secret_len)
{
- if (enc_level == QUIC_ENC_LEVEL_INITIAL || enc_level >= QUIC_ENC_LEVEL_NUM)
+ if (enc_level >= QUIC_ENC_LEVEL_NUM)
return 0;
- if (!qrl_el_set_secret(qrl, enc_level, suite_id, NULL,
- /*is_tx=*/0, secret, secret_len))
+ if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set,
+ qrx->libctx,
+ qrx->propq,
+ enc_level,
+ suite_id,
+ md,
+ secret,
+ secret_len))
return 0;
/*
* decrypt, so move any datagrams containing deferred packets from the
* deferred to the pending queue.
*/
- qrl_requeue_deferred(qrl);
+ qrx_requeue_deferred(qrx);
return 1;
}
-/* Initialise key material for the INITIAL encryption level. */
-int ossl_qrl_provide_rx_secret_initial(OSSL_QRL *qrl,
- const QUIC_CONN_ID *dst_conn_id)
-{
- unsigned char initial_secret[32];
- unsigned char client_initial_secret[32], server_initial_secret[32];
- EVP_MD *sha256;
- int have_rx = 0;
-
- /* Initial encryption always uses SHA-256. */
- if ((sha256 = EVP_MD_fetch(qrl->libctx,
- "SHA256", qrl->propq)) == NULL)
- return 0;
-
- /* Derive initial secret from destination connection ID. */
- if (!ossl_quic_hkdf_extract(qrl->libctx, qrl->propq,
- sha256,
- quic_v1_initial_salt,
- sizeof(quic_v1_initial_salt),
- dst_conn_id->id,
- dst_conn_id->id_len,
- initial_secret,
- sizeof(initial_secret)))
- goto err;
-
- /* Derive "client in" secret. */
- if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq,
- sha256,
- initial_secret,
- quic_client_in_label,
- sizeof(quic_client_in_label),
- NULL, 0,
- client_initial_secret,
- sizeof(client_initial_secret), 0))
- goto err;
-
- /* Derive "server in" secret. */
- if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq,
- sha256,
- initial_secret,
- quic_server_in_label,
- sizeof(quic_server_in_label),
- NULL, 0,
- server_initial_secret,
- sizeof(server_initial_secret), 0))
- goto err;
-
- /* Setup RX cipher. Initial encryption always uses AES-128-GCM. */
- if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL,
- QRL_SUITE_AES128GCM,
- sha256,
- /*is_tx=*/0,
- server_initial_secret,
- sizeof(server_initial_secret)))
- goto err;
-
- have_rx = 1;
-
- /*
- * qrl_el_set_secret takes ownership of our ref to SHA256, so get a new ref
- * for the following call for the TX side.
- */
- if (!EVP_MD_up_ref(sha256)) {
- sha256 = NULL;
- goto err;
- }
-
- /* Setup TX cipher. */
- if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL,
- QRL_SUITE_AES128GCM,
- sha256,
- /*is_tx=*/1,
- client_initial_secret,
- sizeof(client_initial_secret)))
- goto err;
-
- /*
- * Any packets we previously could not decrypt, we may now be able to
- * decrypt, so move any datagrams containing deferred packets from the
- * deferred to the pending queue.
- */
- qrl_requeue_deferred(qrl);
- return 1;
-
-err:
- if (have_rx)
- qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, /*is_tx=*/0, 0);
-
- EVP_MD_free(sha256);
- return 0;
-}
-
-int ossl_qrl_discard_enc_level(OSSL_QRL *qrl, uint32_t enc_level)
+int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level)
{
if (enc_level >= QUIC_ENC_LEVEL_NUM)
return 0;
- qrl_el_discard(qrl, enc_level, 0, 1);
+ ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level, 1);
return 1;
}
/* Returns 1 if there are one or more pending RXEs. */
-int ossl_qrl_processed_read_pending(OSSL_QRL *qrl)
+int ossl_qrx_processed_read_pending(OSSL_QRX *qrx)
{
- return qrl->rx_pending.head != NULL;
+ return qrx->rx_pending.head != NULL;
}
/* Returns 1 if there are yet-unprocessed packets. */
-int ossl_qrl_unprocessed_read_pending(OSSL_QRL *qrl)
+int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx)
{
- return qrl->urx_pending.head != NULL || qrl->urx_deferred.head != NULL;
+ return qrx->urx_pending.head != NULL || qrx->urx_deferred.head != NULL;
}
/* Pop the next pending RXE. Returns NULL if no RXE is pending. */
-static RXE *qrl_pop_pending_rxe(OSSL_QRL *qrl)
+static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx)
{
- RXE *rxe = qrl->rx_pending.head;
+ RXE *rxe = qrx->rx_pending.head;
if (rxe == NULL)
return NULL;
- rxe_remove(&qrl->rx_pending, rxe);
+ rxe_remove(&qrx->rx_pending, rxe);
return rxe;
}
/* Allocate a new RXE. */
-static RXE *qrl_alloc_rxe(size_t alloc_len)
+static RXE *qrx_alloc_rxe(size_t alloc_len)
{
RXE *rxe;
* alloc_len is a hint which may be used to determine the RXE size if allocation
* is necessary. Returns NULL on allocation failure.
*/
-static RXE *qrl_ensure_free_rxe(OSSL_QRL *qrl, size_t alloc_len)
+static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len)
{
RXE *rxe;
- if (qrl->rx_free.head != NULL)
- return qrl->rx_free.head;
+ if (qrx->rx_free.head != NULL)
+ return qrx->rx_free.head;
- rxe = qrl_alloc_rxe(alloc_len);
+ rxe = qrx_alloc_rxe(alloc_len);
if (rxe == NULL)
return NULL;
- rxe_insert_tail(&qrl->rx_free, rxe);
+ rxe_insert_tail(&qrx->rx_free, rxe);
return rxe;
}
* of the RXE might change; the new address is returned, or NULL on failure, in
* which case the original RXE remains valid.
*/
-static RXE *qrl_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n)
+static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n)
{
RXE *rxe2;
* Ensure the data buffer attached to an RXE is at least n bytes in size.
* Returns NULL on failure.
*/
-static RXE *qrl_reserve_rxe(RXE_LIST *rxl,
+static RXE *qrx_reserve_rxe(RXE_LIST *rxl,
RXE *rxe, size_t n)
{
if (rxe->alloc_len >= n)
return rxe;
- return qrl_resize_rxe(rxl, rxe, n);
+ return qrx_resize_rxe(rxl, rxe, n);
}
/* Return a RXE handed out to the user back to our freelist. */
-static void qrl_recycle_rxe(OSSL_QRL *qrl, RXE *rxe)
+static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe)
{
/* RXE should not be in any list */
assert(rxe->prev == NULL && rxe->next == NULL);
- rxe_insert_tail(&qrl->rx_free, rxe);
+ rxe_insert_tail(&qrx->rx_free, rxe);
}
/*
* buffer to, and on success is updated to be the offset pointing after the
* copied buffer. *pptr is updated to point to the new location of the buffer.
*/
-static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi,
+static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi,
const unsigned char **pptr, size_t buf_len)
{
RXE *rxe;
if (!buf_len)
return 1;
- if ((rxe = qrl_reserve_rxe(&qrl->rx_free, *prxe, *pi + buf_len)) == NULL)
+ if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL)
return 0;
*prxe = rxe;
return 1;
}
-static uint32_t qrl_determine_enc_level(const QUIC_PKT_HDR *hdr)
+static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr)
{
switch (hdr->type) {
case QUIC_PKT_TYPE_INITIAL:
{
uint32_t enc_level;
- enc_level = qrl_determine_enc_level(&rxe->hdr);
+ enc_level = qrx_determine_enc_level(&rxe->hdr);
return ossl_quic_enc_level_to_pn_space(enc_level);
}
-static int qrl_validate_hdr_early(OSSL_QRL *qrl, RXE *rxe,
+static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe,
RXE *first_rxe)
{
/* Ensure version is what we want. */
}
/* Validate header and decode PN. */
-static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe)
+static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe)
{
int pn_space = rxe_determine_pn_space(rxe);
if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len,
- qrl->rx_largest_pn[pn_space],
+ qrx->largest_pn[pn_space],
&rxe->pn))
return 0;
* Allow our user to decide whether to discard the packet before we try and
* decrypt it.
*/
- if (qrl->rx_validation_cb != NULL
- && !qrl->rx_validation_cb(rxe->pn, pn_space, qrl->rx_validation_cb_arg))
+ if (qrx->validation_cb != NULL
+ && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg))
return 0;
return 1;
* to *dec_len on success, which will always be equal to or less than (usually
* less than) src_len.
*/
-static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst,
+static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
const unsigned char *src,
size_t src_len, size_t *dec_len,
const unsigned char *aad, size_t aad_len,
int l = 0, l2 = 0;
unsigned char nonce[EVP_MAX_IV_LENGTH];
size_t nonce_len, i;
- OSSL_QRL_ENC_LEVEL *el = &qrl->rx_el[enc_level];
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
+ enc_level, 1);
- if (src_len > INT_MAX || aad_len > INT_MAX || el->tag_len >= src_len)
+ if (src_len > INT_MAX || aad_len > INT_MAX)
return 0;
/* We should not have been called if we do not have key material. */
- if (!ossl_assert(qrl_have_el(qrl, enc_level, /*is_tx=*/0) == 1))
+ if (!ossl_assert(el != NULL))
+ return 0;
+
+ if (el->tag_len >= src_len)
+ return 0;
+
+ /*
+ * If we have failed to authenticate a certain number of ciphertexts, refuse
+ * to decrypt any more ciphertexts.
+ */
+ if (el->op_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id))
return 0;
/* Construct nonce (nonce=IV ^ PN). */
return 0;
/* Ensure authentication succeeded. */
- if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1)
+ if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) {
+ /* Authentication failed, increment failed auth counter. */
+ ++el->op_count;
return 0;
+ }
*dec_len = l;
return 1;
}
/* Process a single packet in a datagram. */
-static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe,
+static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe,
PACKET *pkt, size_t pkt_idx,
RXE **first_rxe,
size_t datagram_len)
* Get a free RXE. If we need to allocate a new one, use the packet length
* as a good ballpark figure.
*/
- rxe = qrl_ensure_free_rxe(qrl, PACKET_remaining(pkt));
+ rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt));
if (rxe == NULL)
return 0;
*/
need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx);
if (!ossl_quic_wire_decode_pkt_hdr(pkt,
- qrl->short_conn_id_len,
+ qrx->short_conn_id_len,
need_second_decode, &rxe->hdr, &ptrs))
goto malformed;
* now skip over it if we already processed it.
*/
if (already_processed
- || !qrl_validate_hdr_early(qrl, rxe, pkt_idx == 0 ? NULL : *first_rxe))
+ || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : *first_rxe))
goto malformed;
if (rxe->hdr.type == QUIC_PKT_TYPE_VERSION_NEG
*/
/* Just copy the payload from the URXE to the RXE. */
- if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len)) == NULL)
+ if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL)
/*
* Allocation failure. EOP will be pointing to the end of the
* datagram so processing of this datagram will end here.
rxe->hdr.data = rxe_data(rxe);
/* Move RXE to pending. */
- rxe_remove(&qrl->rx_free, rxe);
- rxe_insert_tail(&qrl->rx_pending, rxe);
+ rxe_remove(&qrx->rx_free, rxe);
+ rxe_insert_tail(&qrx->rx_pending, rxe);
return 0; /* success, did not defer */
}
/* Determine encryption level of packet. */
- enc_level = qrl_determine_enc_level(&rxe->hdr);
+ enc_level = qrx_determine_enc_level(&rxe->hdr);
/* If we do not have keying material for this encryption level yet, defer. */
- switch (qrl_have_el(qrl, enc_level, /*is_tx=*/0)) {
+ switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) {
case 1:
/* We have keys. */
break;
* Relocate token buffer and fix pointer.
*/
if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL
- && !qrl_relocate_buffer(qrl, &rxe, &i, &rxe->hdr.token,
+ && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token,
rxe->hdr.token_len))
goto malformed;
*pkt = orig_pkt;
if (need_second_decode) {
- if (!ossl_quic_hdr_protector_decrypt(&qrl->rx_el[enc_level].hpr, &ptrs))
+ OSSL_QRL_ENC_LEVEL *el
+ = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1);
+
+ assert(el != NULL); /* Already checked above */
+ if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs))
goto malformed;
/*
pkt_mark(&urxe->hpr_removed, pkt_idx);
/* Decode the now unprotected header. */
- if (ossl_quic_wire_decode_pkt_hdr(pkt, qrl->short_conn_id_len,
+ if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len,
0, &rxe->hdr, NULL) != 1)
goto malformed;
}
/* Validate header and decode PN. */
- if (!qrl_validate_hdr(qrl, rxe))
+ if (!qrx_validate_hdr(qrx, rxe))
goto malformed;
/*
* HANDSHAKE packet.
*/
if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE)
- qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, 0, 1);
+ ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL, 1);
/*
* The AAD data is the entire (unprotected) packet header including the PN.
aad_len = rxe->hdr.data - sop;
/* Ensure the RXE buffer size is adequate for our payload. */
- if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len + i)) == NULL) {
+ if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) {
/*
* Allocation failure, treat as malformed and do not bother processing
* any further packets in the datagram as they are likely to also
* corrupted.
*/
dst = (unsigned char *)rxe_data(rxe) + i;
- if (!qrl_decrypt_pkt_body(qrl, dst, rxe->hdr.data, rxe->hdr.len,
+ if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len,
&dec_len, sop, aad_len, rxe->pn, enc_level))
goto malformed;
/* We processed the PN successfully, so update largest processed PN. */
pn_space = rxe_determine_pn_space(rxe);
- if (rxe->pn > qrl->rx_largest_pn[pn_space])
- qrl->rx_largest_pn[pn_space] = rxe->pn;
+ if (rxe->pn > qrx->largest_pn[pn_space])
+ qrx->largest_pn[pn_space] = rxe->pn;
/* Copy across network addresses from URXE to RXE. */
rxe->peer = urxe->peer;
rxe->local = urxe->local;
/* Move RXE to pending. */
- rxe_remove(&qrl->rx_free, rxe);
- rxe_insert_tail(&qrl->rx_pending, rxe);
+ rxe_remove(&qrx->rx_free, rxe);
+ rxe_insert_tail(&qrx->rx_pending, rxe);
return 0; /* success, did not defer; not distinguished from failure */
cannot_decrypt:
}
/* Process a datagram which was received. */
-static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e,
+static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e,
const unsigned char *data,
size_t data_len)
{
size_t pkt_idx = 0;
RXE *first_rxe = NULL;
- qrl->bytes_received += data_len;
+ qrx->bytes_received += data_len;
if (!PACKET_buf_init(&pkt, data, data_len))
return 0;
* we should still try to process any packets following it.
*
* In the case where the packet is so malformed we can't determine its
- * lenngth, qrl_process_pkt will take care of advancing to the end of
+ * lenngth, qrx_process_pkt will take care of advancing to the end of
* the packet, so we will exit the loop automatically in this case.
*/
- if (qrl_process_pkt(qrl, e, &pkt, pkt_idx, &first_rxe, data_len))
+ if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_rxe, data_len))
have_deferred = 1;
}
}
/* Process a single pending URXE. */
-static int qrl_process_one_urxl(OSSL_QRL *qrl, QUIC_URXE *e)
+static int qrx_process_one_urxl(OSSL_QRX *qrx, QUIC_URXE *e)
{
int was_deferred;
/* The next URXE we process should be at the head of the pending list. */
- if (!ossl_assert(e == qrl->urx_pending.head))
+ if (!ossl_assert(e == qrx->urx_pending.head))
return 0;
/*
* datagram, we do not attempt to process it again and silently eat the
* error.
*/
- was_deferred = qrl_process_datagram(qrl, e, ossl_quic_urxe_data(e),
+ was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e),
e->data_len);
/*
* Remove the URXE from the pending list and return it to
* either the free or deferred list.
*/
- ossl_quic_urxe_remove(&qrl->urx_pending, e);
+ ossl_quic_urxe_remove(&qrx->urx_pending, e);
if (was_deferred > 0)
- ossl_quic_urxe_insert_tail(&qrl->urx_deferred, e);
+ ossl_quic_urxe_insert_tail(&qrx->urx_deferred, e);
else
- ossl_quic_demux_release_urxe(qrl->rx_demux, e);
+ ossl_quic_demux_release_urxe(qrx->demux, e);
return 1;
}
/* Process any pending URXEs to generate pending RXEs. */
-static int qrl_process_urxl(OSSL_QRL *qrl)
+static int qrx_process_urxl(OSSL_QRX *qrx)
{
QUIC_URXE *e;
- while ((e = qrl->urx_pending.head) != NULL)
- if (!qrl_process_one_urxl(qrl, e))
+ while ((e = qrx->urx_pending.head) != NULL)
+ if (!qrx_process_one_urxl(qrx, e))
return 0;
return 1;
}
-int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt)
+int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
{
RXE *rxe;
- if (!ossl_qrl_processed_read_pending(qrl)) {
- if (!qrl_process_urxl(qrl))
+ if (!ossl_qrx_processed_read_pending(qrx)) {
+ if (!qrx_process_urxl(qrx))
return 0;
- if (!ossl_qrl_processed_read_pending(qrl))
+ if (!ossl_qrx_processed_read_pending(qrx))
return 0;
}
- rxe = qrl_pop_pending_rxe(qrl);
+ rxe = qrx_pop_pending_rxe(qrx);
if (!ossl_assert(rxe != NULL))
return 0;
return 1;
}
-void ossl_qrl_release_pkt(OSSL_QRL *qrl, void *handle)
+void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle)
{
RXE *rxe = handle;
- qrl_recycle_rxe(qrl, rxe);
+ qrx_recycle_rxe(qrx, rxe);
}
-uint64_t ossl_qrl_get_bytes_received(OSSL_QRL *qrl, int clear)
+uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear)
{
- uint64_t v = qrl->bytes_received;
+ uint64_t v = qrx->bytes_received;
if (clear)
- qrl->bytes_received = 0;
+ qrx->bytes_received = 0;
return v;
}
-int ossl_qrl_set_early_rx_validation_cb(OSSL_QRL *qrl,
- ossl_qrl_early_rx_validation_cb *cb,
- void *cb_arg)
+int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx,
+ ossl_qrx_early_validation_cb *cb,
+ void *cb_arg)
{
- qrl->rx_validation_cb = cb;
- qrl->rx_validation_cb_arg = cb_arg;
+ qrx->validation_cb = cb;
+ qrx->validation_cb_arg = cb_arg;
return 1;
}
+
+uint64_t ossl_qrx_get_cur_epoch_forged_pkt_count(OSSL_QRX *qrx,
+ uint32_t enc_level)
+{
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
+ enc_level, 1);
+
+ return el == NULL ? UINT64_MAX : el->op_count;
+}
+
+uint64_t ossl_qrx_get_max_epoch_forged_pkt_count(OSSL_QRX *qrx,
+ uint32_t enc_level)
+{
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
+ enc_level, 1);
+
+ return el == NULL ? UINT64_MAX
+ : ossl_qrl_get_suite_max_forged_pkt(el->suite_id);
+}
--- /dev/null
+#include "quic_record_shared.h"
+#include "internal/quic_record_util.h"
+#include "internal/common.h"
+#include "../ssl_local.h"
+
+/* Constants used for key derivation in QUIC v1. */
+static const unsigned char quic_v1_iv_label[] = {
+ 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */
+};
+static const unsigned char quic_v1_key_label[] = {
+ 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */
+};
+static const unsigned char quic_v1_hp_label[] = {
+ 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */
+};
+
+OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level,
+ int require_valid)
+{
+ OSSL_QRL_ENC_LEVEL *el;
+
+ if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM))
+ return NULL;
+
+ el = &els->el[enc_level];
+
+ if (require_valid && (el->cctx == NULL || el->discarded))
+ return NULL;
+
+ return el;
+}
+
+int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level)
+{
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
+
+ if (el == NULL)
+ return 0;
+ if (el->cctx != NULL)
+ return 1;
+ if (el->discarded)
+ return -1;
+ return 0;
+}
+
+/*
+ * Sets up cryptographic state for a given encryption level and direction by
+ * deriving "quic iv", "quic key" and "quic hp" values from a given secret.
+ *
+ * md is a hash function used for key derivation. If it is NULL, this function
+ * fetches the necessary hash function itself. If it is non-NULL, this function
+ * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided
+ * must match the suite.
+ *
+ * On success where md is non-NULL, takes ownership of the caller's reference to
+ * md.
+ */
+int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els,
+ OSSL_LIB_CTX *libctx,
+ const char *propq,
+ uint32_t enc_level,
+ uint32_t suite_id,
+ EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len)
+{
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
+ unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH];
+ size_t key_len = 0, hpr_key_len = 0, iv_len = 0;
+ const char *cipher_name = NULL, *md_name = NULL;
+ EVP_CIPHER *cipher = NULL;
+ EVP_CIPHER_CTX *cctx = NULL;
+ int own_md = 0, have_hpr = 0;
+
+ if (el == NULL || el->discarded)
+ /* Should not be trying to reinitialise an EL which was discarded. */
+ return 0;
+
+ cipher_name = ossl_qrl_get_suite_cipher_name(suite_id);
+ iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id);
+ key_len = ossl_qrl_get_suite_cipher_key_len(suite_id);
+ hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id);
+ if (cipher_name == NULL)
+ return 0;
+
+ if (secret_len != ossl_qrl_get_suite_secret_len(suite_id))
+ return 0;
+
+ if (md == NULL) {
+ md_name = ossl_qrl_get_suite_md_name(suite_id);
+
+ if ((md = EVP_MD_fetch(libctx, md_name, propq)) == NULL)
+ return 0;
+
+ own_md = 1;
+ }
+
+ /* Derive "quic iv" key. */
+ if (!tls13_hkdf_expand_ex(libctx, propq,
+ md,
+ secret,
+ quic_v1_iv_label,
+ sizeof(quic_v1_iv_label),
+ NULL, 0,
+ el->iv, iv_len, 0))
+ goto err;
+
+ /* Derive "quic key" key. */
+ if (!tls13_hkdf_expand_ex(libctx, propq,
+ md,
+ secret,
+ quic_v1_key_label,
+ sizeof(quic_v1_key_label),
+ NULL, 0,
+ key, key_len, 0))
+ goto err;
+
+ /* Derive "quic hp" key. */
+ if (!tls13_hkdf_expand_ex(libctx, propq,
+ md,
+ secret,
+ quic_v1_hp_label,
+ sizeof(quic_v1_hp_label),
+ NULL, 0,
+ hpr_key, hpr_key_len, 0))
+ goto err;
+
+ /* Free any old context which is using old keying material. */
+ if (el->cctx != NULL) {
+ ossl_quic_hdr_protector_destroy(&el->hpr);
+ EVP_CIPHER_CTX_free(el->cctx);
+ el->cctx = NULL;
+ }
+
+ /* Setup header protection context. */
+ if (!ossl_quic_hdr_protector_init(&el->hpr,
+ libctx,
+ propq,
+ ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id),
+ hpr_key,
+ hpr_key_len))
+ goto err;
+
+ have_hpr = 1;
+
+ /* Create and initialise cipher context. */
+ if ((cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq)) == NULL)
+ goto err;
+
+ if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher))
+ || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher)))
+ goto err;
+
+ if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+
+ /* IV will be changed on RX/TX so we don't need to use a real value here. */
+ if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0))
+ goto err;
+
+ el->suite_id = suite_id;
+ el->cctx = cctx;
+ el->md = md;
+ el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id);
+ el->op_count = 0;
+
+ /* Zeroize intermediate keys. */
+ OPENSSL_cleanse(key, sizeof(key));
+ OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
+ EVP_CIPHER_free(cipher);
+ return 1;
+
+err:
+ if (have_hpr)
+ ossl_quic_hdr_protector_destroy(&el->hpr);
+ EVP_CIPHER_CTX_free(cctx);
+ EVP_CIPHER_free(cipher);
+ if (own_md)
+ EVP_MD_free(md);
+ return 0;
+}
+
+/* Drops keying material for a given encryption level. */
+void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level, int is_final)
+{
+ OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
+
+ if (el == NULL || el->discarded)
+ return;
+
+ if (el->cctx != NULL) {
+ ossl_quic_hdr_protector_destroy(&el->hpr);
+
+ EVP_CIPHER_CTX_free(el->cctx);
+ el->cctx = NULL;
+
+ EVP_MD_free(el->md);
+ el->md = NULL;
+ }
+
+ /* Zeroise IV. */
+ OPENSSL_cleanse(el->iv, sizeof(el->iv));
+
+ if (is_final)
+ el->discarded = 1;
+}
--- /dev/null
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_QUIC_RECORD_SHARED_H
+# define OSSL_QUIC_RECORD_SHARED_H
+
+# include <openssl/ssl.h>
+# include "internal/quic_types.h"
+# include "internal/quic_wire_pkt.h"
+
+/*
+ * QUIC Record Layer EL Management Utilities
+ * =========================================
+ *
+ * This defines a structure for managing the cryptographic state at a given
+ * encryption level, as this functionality is shared between QRX and QTX. For
+ * QRL use only.
+ */
+typedef struct ossl_qrl_enc_level_st {
+ /* Hash function used for key derivation. */
+ EVP_MD *md;
+ /* Context used for packet body ciphering. */
+ EVP_CIPHER_CTX *cctx;
+ /* IV used to construct nonces used for AEAD packet body ciphering. */
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ /* Have we permanently discarded this encryption level? */
+ unsigned char discarded;
+ /* QRL_SUITE_* value. */
+ uint32_t suite_id;
+ /* Length of authentication tag. */
+ uint32_t tag_len;
+ /*
+ * Cryptographic context used to apply and remove header protection from
+ * packet headers.
+ */
+ QUIC_HDR_PROTECTOR hpr;
+ /* Usage counter. The caller maintains this. */
+ uint64_t op_count;
+} OSSL_QRL_ENC_LEVEL;
+
+typedef struct ossl_qrl_enc_level_set_st {
+ OSSL_QRL_ENC_LEVEL el[QUIC_ENC_LEVEL_NUM];
+} OSSL_QRL_ENC_LEVEL_SET;
+
+/*
+ * Returns 1 if we have key material for a given encryption level, 0 if we do
+ * not yet have material and -1 if the EL is discarded.
+ */
+int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level);
+
+/*
+ * Returns EL in a set. If enc_level is not a valid QUIC_ENC_LEVEL_* value,
+ * returns NULL. If require_valid is 1, returns NULL if the EL is not
+ * provisioned or has been discarded; otherwise, the returned EL may be
+ * unprovisioned or discarded.
+ */
+OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level,
+ int require_valid);
+
+/* Provide secret to an EL. md may be NULL. */
+int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els,
+ OSSL_LIB_CTX *libctx,
+ const char *propq,
+ uint32_t enc_level,
+ uint32_t suite_id,
+ EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len);
+
+/*
+ * Discard an EL. If is_final is non-zero, no secret can be provided for the EL
+ * ever again.
+ */
+void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els,
+ uint32_t enc_level,
+ int is_final);
+
+#endif
--- /dev/null
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/quic_record_tx.h"
+#include "internal/bio_addr.h"
+#include "internal/common.h"
+#include "quic_record_shared.h"
+#include "../ssl_local.h"
+
+/*
+ * TXE
+ * ===
+ * Encrypted packets awaiting transmission are kept in TX Entries (TXEs), which
+ * are queued in linked lists just like TXEs.
+ */
+typedef struct txe_st TXE;
+
+struct txe_st {
+ TXE *prev, *next;
+ size_t data_len, alloc_len;
+
+ /*
+ * Destination and local addresses, as applicable. Both of these are only
+ * used if the family is not AF_UNSPEC.
+ */
+ BIO_ADDR peer, local;
+
+ /*
+ * alloc_len allocated bytes (of which data_len bytes are valid) follow this
+ * structure.
+ */
+};
+
+static ossl_inline unsigned char *txe_data(const TXE *e)
+{
+ return (unsigned char *)(e + 1);
+}
+
+typedef struct txe_list_st {
+ TXE *head, *tail;
+} TXE_LIST;
+
+static void txe_remove(TXE_LIST *l, TXE *e)
+{
+ if (e->prev != NULL)
+ e->prev->next = e->next;
+ if (e->next != NULL)
+ e->next->prev = e->prev;
+
+ if (e == l->head)
+ l->head = e->next;
+ if (e == l->tail)
+ l->tail = e->prev;
+
+ e->next = e->prev = NULL;
+}
+
+static void txe_insert_tail(TXE_LIST *l, TXE *e)
+{
+ if (l->tail == NULL) {
+ l->head = l->tail = e;
+ e->next = e->prev = NULL;
+ return;
+ }
+
+ l->tail->next = e;
+ e->prev = l->tail;
+ e->next = NULL;
+ l->tail = e;
+}
+
+/*
+ * QTX
+ * ===
+ */
+
+/* (Encryption level, direction)-specific state. */
+typedef struct ossl_qtx_enc_level_st {
+ /* Hash function used for key derivation. */
+ EVP_MD *md;
+ /* Context used for packet body ciphering. */
+ EVP_CIPHER_CTX *cctx;
+ /* IV used to construct nonces used for AEAD packet body ciphering. */
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ /* Have we permanently discarded this encryption level? */
+ unsigned char discarded;
+ /* QTX_SUITE_* value. */
+ uint32_t suite_id;
+ /* Length of authentication tag. */
+ uint32_t tag_len;
+ /*
+ * Cryptographic context used to apply and remove header protection from
+ * packet headers.
+ */
+ QUIC_HDR_PROTECTOR hpr;
+} OSSL_QTX_ENC_LEVEL;
+
+struct ossl_qtx_st {
+ OSSL_LIB_CTX *libctx;
+ const char *propq;
+
+ /* Per encryption-level state. */
+ OSSL_QRL_ENC_LEVEL_SET el_set;
+
+ /* TX BIO. */
+ BIO *bio;
+
+ /* TX maximum datagram payload length. */
+ size_t mdpl;
+
+ /*
+ * List of TXEs which are not currently in use. These are moved to the
+ * pending list (possibly via tx_cons first) as they are filled.
+ */
+ TXE_LIST free;
+
+ /*
+ * List of TXEs which are filled with completed datagrams ready to be
+ * transmitted.
+ */
+ TXE_LIST pending;
+ size_t pending_count; /* items in list */
+ size_t pending_bytes; /* sum(txe->data_len) in pending */
+
+ /*
+ * TXE which is under construction for coalescing purposes, if any.
+ * This TXE is neither on the free nor pending list. Once the datagram
+ * is completed, it is moved to the pending list.
+ */
+ TXE *cons;
+ size_t cons_count; /* num packets */
+};
+
+/* Instantiates a new QTX. */
+OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args)
+{
+ OSSL_QTX *qtx;
+
+ qtx = OPENSSL_zalloc(sizeof(OSSL_QTX));
+ if (qtx == NULL)
+ return 0;
+
+ if (args->bio != NULL && !BIO_up_ref(args->bio)) {
+ OPENSSL_free(qtx);
+ return 0;
+ }
+
+ qtx->libctx = args->libctx;
+ qtx->propq = args->propq;
+ qtx->bio = args->bio;
+ qtx->mdpl = args->mdpl;
+ return qtx;
+}
+
+static void qtx_cleanup_txl(TXE_LIST *l)
+{
+ TXE *e, *enext;
+ for (e = l->head; e != NULL; e = enext) {
+ enext = e->next;
+ OPENSSL_free(e);
+ }
+ l->head = l->tail = NULL;
+}
+
+/* Frees the QTX. */
+void ossl_qtx_free(OSSL_QTX *qtx)
+{
+ uint32_t i;
+
+ /* Free TXE queue data. */
+ qtx_cleanup_txl(&qtx->pending);
+ qtx_cleanup_txl(&qtx->free);
+
+ /* Drop keying material and crypto resources. */
+ for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i)
+ ossl_qrl_enc_level_set_discard(&qtx->el_set, i, 1);
+
+ OPENSSL_free(qtx);
+}
+
+int ossl_qtx_provide_secret(OSSL_QTX *qtx,
+ uint32_t enc_level,
+ uint32_t suite_id,
+ EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len)
+{
+ if (enc_level >= QUIC_ENC_LEVEL_NUM)
+ return 0;
+
+ return ossl_qrl_enc_level_set_provide_secret(&qtx->el_set,
+ qtx->libctx,
+ qtx->propq,
+ enc_level,
+ suite_id,
+ md,
+ secret,
+ secret_len);
+}
+
+int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level)
+{
+ if (enc_level >= QUIC_ENC_LEVEL_NUM)
+ return 0;
+
+ ossl_qrl_enc_level_set_discard(&qtx->el_set, enc_level, 1);
+ return 1;
+}
+
+/* Allocate a new TXE. */
+static TXE *qtx_alloc_txe(size_t alloc_len)
+{
+ TXE *txe;
+
+ if (alloc_len >= SIZE_MAX - sizeof(TXE))
+ return NULL;
+
+ txe = OPENSSL_malloc(sizeof(TXE) + alloc_len);
+ if (txe == NULL)
+ return NULL;
+
+ txe->prev = txe->next = NULL;
+ txe->alloc_len = alloc_len;
+ txe->data_len = 0;
+ return txe;
+}
+
+/*
+ * Ensures there is at least one TXE in the free list, allocating a new entry
+ * if necessary. The returned TXE is in the free list; it is not popped.
+ *
+ * alloc_len is a hint which may be used to determine the TXE size if allocation
+ * is necessary. Returns NULL on allocation failure.
+ */
+static TXE *qtx_ensure_free_txe(OSSL_QTX *qtx, size_t alloc_len)
+{
+ TXE *txe;
+
+ if (qtx->free.head != NULL)
+ return qtx->free.head;
+
+ txe = qtx_alloc_txe(alloc_len);
+ if (txe == NULL)
+ return NULL;
+
+ txe_insert_tail(&qtx->free, txe);
+ return txe;
+}
+
+/*
+ * Resize the data buffer attached to an TXE to be n bytes in size. The address
+ * of the TXE might change; the new address is returned, or NULL on failure, in
+ * which case the original TXE remains valid.
+ */
+static TXE *qtx_resize_txe(OSSL_QTX *qtx, TXE_LIST *txl, TXE *txe, size_t n)
+{
+ TXE *txe2;
+
+ /* Should never happen. */
+ if (txe == NULL)
+ return NULL;
+
+ if (n >= SIZE_MAX - sizeof(TXE))
+ return NULL;
+
+ /*
+ * NOTE: We do not clear old memory, although it does contain decrypted
+ * data.
+ */
+ txe2 = OPENSSL_realloc(txe, sizeof(TXE) + n);
+ if (txe2 == NULL)
+ /* original TXE is still in tact unchanged */
+ return NULL;
+
+ if (txl != NULL && txe != txe2) {
+ if (txl->head == txe)
+ txl->head = txe2;
+ if (txl->tail == txe)
+ txl->tail = txe2;
+ if (txe->prev != NULL)
+ txe->prev->next = txe2;
+ if (txe->next != NULL)
+ txe->next->prev = txe2;
+ }
+
+ if (qtx->cons == txe)
+ qtx->cons = txe2;
+
+ txe2->alloc_len = n;
+ return txe2;
+}
+
+/*
+ * Ensure the data buffer attached to an TXE is at least n bytes in size.
+ * Returns NULL on failure.
+ */
+static TXE *qtx_reserve_txe(OSSL_QTX *qtx, TXE_LIST *txl,
+ TXE *txe, size_t n)
+{
+ if (txe->alloc_len >= n)
+ return txe;
+
+ return qtx_resize_txe(qtx, txl, txe, n);
+}
+
+/* Move a TXE from pending to free. */
+static void qtx_pending_to_free(OSSL_QTX *qtx)
+{
+ TXE *txe = qtx->pending.head;
+
+ assert(txe != NULL);
+ txe_remove(&qtx->pending, txe);
+ --qtx->pending_count;
+ qtx->pending_bytes -= txe->data_len;
+ txe_insert_tail(&qtx->free, txe);
+}
+
+/* Add a TXE not currently in any list to the pending list. */
+static void qtx_add_to_pending(OSSL_QTX *qtx, TXE *txe)
+{
+ txe_insert_tail(&qtx->pending, txe);
+ ++qtx->pending_count;
+ qtx->pending_bytes += txe->data_len;
+}
+
+struct iovec_cur {
+ const OSSL_QTX_IOVEC *iovec;
+ size_t num_iovec, idx, byte_off, bytes_remaining;
+};
+
+static size_t iovec_total_bytes(const OSSL_QTX_IOVEC *iovec,
+ size_t num_iovec)
+{
+ size_t i, l = 0;
+
+ for (i = 0; i < num_iovec; ++i)
+ l += iovec[i].buf_len;
+
+ return l;
+}
+
+static void iovec_cur_init(struct iovec_cur *cur,
+ const OSSL_QTX_IOVEC *iovec,
+ size_t num_iovec)
+{
+ cur->iovec = iovec;
+ cur->num_iovec = num_iovec;
+ cur->idx = 0;
+ cur->byte_off = 0;
+ cur->bytes_remaining = iovec_total_bytes(iovec, num_iovec);
+}
+
+/*
+ * Get an extent of bytes from the iovec cursor. *buf is set to point to the
+ * buffer and the number of bytes in length of the buffer is returned. This
+ * value may be less than the max_buf_len argument. If no more data is
+ * available, returns 0.
+ */
+static size_t iovec_cur_get_buffer(struct iovec_cur *cur,
+ const unsigned char **buf,
+ size_t max_buf_len)
+{
+ size_t l;
+
+ if (max_buf_len == 0) {
+ *buf = NULL;
+ return 0;
+ }
+
+ for (;;) {
+ if (cur->idx >= cur->num_iovec)
+ return 0;
+
+ l = cur->iovec[cur->idx].buf_len - cur->byte_off;
+ if (l > max_buf_len)
+ l = max_buf_len;
+
+ if (l > 0) {
+ *buf = cur->iovec[cur->idx].buf + cur->byte_off;
+ cur->byte_off += l;
+ cur->bytes_remaining -= l;
+ return l;
+ }
+
+ /*
+ * Zero-length iovec entry or we already consumed all of it, try the
+ * next iovec.
+ */
+ ++cur->idx;
+ cur->byte_off = 0;
+ }
+}
+
+/* Determines the size of the AEAD output given the input size. */
+static size_t qtx_inflate_payload_len(OSSL_QTX *qtx, uint32_t enc_level,
+ size_t plaintext_len)
+{
+ OSSL_QRL_ENC_LEVEL *el
+ = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1);
+
+ assert(el != NULL); /* Already checked by caller. */
+
+ /*
+ * We currently only support ciphers with a 1:1 mapping between plaintext
+ * and ciphertext size, save for authentication tag.
+ */
+ return plaintext_len + ossl_qrl_get_suite_cipher_tag_len(el->suite_id);
+}
+
+/* Any other error (including packet being too big for MDPL). */
+#define QTX_FAIL_GENERIC (-1)
+
+/*
+ * Returned where there is insufficient room in the datagram to write the
+ * packet.
+ */
+#define QTX_FAIL_INSUFFICIENT_LEN (-2)
+
+static int qtx_write_hdr(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe,
+ QUIC_PKT_HDR_PTRS *ptrs)
+{
+ WPACKET wpkt;
+ size_t l = 0;
+
+ if (!WPACKET_init_static_len(&wpkt, txe_data(txe) + txe->data_len,
+ txe->alloc_len - txe->data_len, 0))
+ return 0;
+
+ if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, pkt->hdr->src_conn_id.id_len,
+ pkt->hdr, ptrs)
+ || !WPACKET_get_total_written(&wpkt, &l)) {
+ WPACKET_finish(&wpkt);
+ return 0;
+ }
+
+ txe->data_len += l;
+ WPACKET_finish(&wpkt);
+ return 1;
+}
+
+static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe,
+ uint32_t enc_level, QUIC_PN pn,
+ const unsigned char *hdr, size_t hdr_len,
+ QUIC_PKT_HDR_PTRS *ptrs)
+{
+ int l = 0, l2 = 0;
+ OSSL_QRL_ENC_LEVEL *el
+ = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1);
+ unsigned char nonce[EVP_MAX_IV_LENGTH];
+ size_t nonce_len, i;
+
+ /* We should not have been called if we do not have key material. */
+ if (!ossl_assert(el != NULL))
+ return 0;
+
+ /*
+ * Have we already encrypted the maximum number of packets using the current
+ * key?
+ */
+ if (el->op_count >= ossl_qrl_get_suite_max_pkt(el->suite_id))
+ return 0;
+
+ /* Construct nonce (nonce=IV ^ PN). */
+ nonce_len = EVP_CIPHER_CTX_get_iv_length(el->cctx);
+ if (!ossl_assert(nonce_len >= sizeof(QUIC_PN)))
+ return 0;
+
+ memcpy(nonce, el->iv, nonce_len);
+ for (i = 0; i < sizeof(QUIC_PN); ++i)
+ nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8));
+
+ /* type and key will already have been setup; feed the IV. */
+ if (EVP_CipherInit_ex(el->cctx, NULL, NULL, NULL, nonce, /*enc=*/1) != 1)
+ return 0;
+
+ /* Feed AAD data. */
+ if (EVP_CipherUpdate(el->cctx, NULL, &l, hdr, hdr_len) != 1)
+ return 0;
+
+ /* Encrypt plaintext directly into TXE. */
+ for (;;) {
+ const unsigned char *src;
+ size_t src_len;
+
+ src_len = iovec_cur_get_buffer(cur, &src, SIZE_MAX);
+ if (src_len == 0)
+ break;
+
+ if (EVP_CipherUpdate(el->cctx, txe_data(txe) + txe->data_len,
+ &l, src, src_len) != 1)
+ return 0;
+
+ assert(l > 0 && src_len == (size_t)l);
+ txe->data_len += src_len;
+ }
+
+ /* Finalise and get tag. */
+ if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1)
+ return 0;
+
+ if (EVP_CIPHER_CTX_ctrl(el->cctx, EVP_CTRL_AEAD_GET_TAG,
+ el->tag_len, txe_data(txe) + txe->data_len) != 1)
+ return 0;
+
+ txe->data_len += el->tag_len;
+
+ /* Apply header protection. */
+ if (!ossl_quic_hdr_protector_encrypt(&el->hpr, ptrs))
+ return 0;
+
+ ++el->op_count;
+ return 1;
+}
+
+/*
+ * Append a packet to the TXE buffer, serializing and encrypting it in the
+ * process.
+ */
+static int qtx_write(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe,
+ uint32_t enc_level)
+{
+ int ret, needs_encrypt;
+ size_t hdr_len, pred_hdr_len, payload_len, pkt_len, space_left;
+ size_t min_len, orig_data_len;
+ struct iovec_cur cur;
+ QUIC_PKT_HDR_PTRS ptrs;
+ unsigned char *hdr_start;
+
+ /*
+ * Determine if the packet needs encryption and the minimum conceivable
+ * serialization length.
+ */
+ if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY
+ || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) {
+ needs_encrypt = 0;
+ min_len = QUIC_MIN_VALID_PKT_LEN;
+ } else {
+ needs_encrypt = 1;
+ min_len = QUIC_MIN_VALID_PKT_LEN_CRYPTO;
+ }
+
+ orig_data_len = txe->data_len;
+ space_left = txe->alloc_len - txe->data_len;
+ if (space_left < min_len) {
+ /* Not even a possibility of it fitting. */
+ ret = QTX_FAIL_INSUFFICIENT_LEN;
+ goto err;
+ }
+
+ /* Walk the iovecs to determine actual input payload length. */
+ iovec_cur_init(&cur, pkt->iovec, pkt->num_iovec);
+
+ /* Determine encrypted payload length. */
+ payload_len = needs_encrypt ? qtx_inflate_payload_len(qtx, enc_level,
+ cur.bytes_remaining)
+ : cur.bytes_remaining;
+
+ /* Determine header length. */
+ pkt->hdr->data = NULL;
+ pkt->hdr->len = payload_len;
+ pred_hdr_len = ossl_quic_wire_get_encoded_pkt_hdr_len(pkt->hdr->src_conn_id.id_len,
+ pkt->hdr);
+ if (pred_hdr_len == 0) {
+ ret = QTX_FAIL_GENERIC;
+ goto err;
+ }
+
+ /* We now definitively know our packet length. */
+ pkt_len = pred_hdr_len + payload_len;
+
+ if (pkt_len > space_left) {
+ ret = QTX_FAIL_INSUFFICIENT_LEN;
+ goto err;
+ }
+
+ /* Set some fields in the header we are responsible for. */
+ pkt->hdr->key_phase = 0; /* TODO */
+ if (!ossl_quic_wire_encode_pkt_hdr_pn(pkt->pn,
+ pkt->hdr->pn,
+ pkt->hdr->pn_len)) {
+ ret = QTX_FAIL_GENERIC;
+ goto err;
+ }
+
+ /* Append the header to the TXE. */
+ hdr_start = txe_data(txe) + txe->data_len;
+ if (!qtx_write_hdr(qtx, pkt, txe, &ptrs)) {
+ ret = QTX_FAIL_GENERIC;
+ goto err;
+ }
+
+ hdr_len = (txe_data(txe) + txe->data_len) - hdr_start;
+ assert(hdr_len == pred_hdr_len);
+
+ if (!needs_encrypt) {
+ /* Just copy the payload across. */
+ const unsigned char *src;
+ size_t src_len;
+
+ for (;;) {
+ /* Buffer length has already been checked above. */
+ src_len = iovec_cur_get_buffer(&cur, &src, SIZE_MAX);
+ if (src_len == 0)
+ break;
+
+ memcpy(txe_data(txe) + txe->data_len, src, src_len);
+ txe->data_len += src_len;
+ }
+ } else {
+ /* Encrypt into TXE. */
+ if (!qtx_encrypt_into_txe(qtx, &cur, txe, enc_level, pkt->pn,
+ hdr_start, hdr_len, &ptrs)) {
+ ret = QTX_FAIL_GENERIC;
+ goto err;
+ }
+
+ assert(txe->data_len - orig_data_len == pkt_len);
+ }
+
+ return 1;
+
+err:
+ /*
+ * Restore original length so we don't leave a half-written packet in the
+ * TXE.
+ */
+ txe->data_len = orig_data_len;
+ return ret;
+}
+
+static TXE *qtx_ensure_cons(OSSL_QTX *qtx)
+{
+ TXE *txe = qtx->cons;
+
+ if (txe != NULL)
+ return txe;
+
+ txe = qtx_ensure_free_txe(qtx, qtx->mdpl);
+ if (txe == NULL)
+ return NULL;
+
+ txe_remove(&qtx->free, txe);
+ qtx->cons = txe;
+ qtx->cons_count = 0;
+ txe->data_len = 0;
+ return txe;
+}
+
+static int addr_eq(const BIO_ADDR *a, const BIO_ADDR *b)
+{
+ return ((a == NULL || BIO_ADDR_family(a) == AF_UNSPEC)
+ && (b == NULL || BIO_ADDR_family(b) == AF_UNSPEC))
+ || (a != NULL && b != NULL && memcmp(a, b, sizeof(*a)) == 0);
+}
+
+int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt)
+{
+ int ret;
+ int coalescing = (pkt->flags & OSSL_QTX_PKT_FLAG_COALESCE) != 0;
+ int was_coalescing;
+ TXE *txe;
+ uint32_t enc_level;
+
+ /* Must have EL configured, must have header. */
+ if (pkt->hdr == NULL)
+ return 0;
+
+ enc_level = ossl_quic_pkt_type_to_enc_level(pkt->hdr->type);
+
+ /* Some packet types must be in a packet all by themselves. */
+ if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY
+ || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG)
+ ossl_qtx_finish_dgram(qtx);
+ else if (enc_level >= QUIC_ENC_LEVEL_NUM
+ || ossl_qrl_enc_level_set_have_el(&qtx->el_set, enc_level) != 1)
+ /* All other packet types are encrypted. */
+ return 0;
+
+ was_coalescing = (qtx->cons != NULL && qtx->cons->data_len > 0);
+ if (was_coalescing)
+ if (!addr_eq(&qtx->cons->peer, pkt->peer)
+ || !addr_eq(&qtx->cons->local, pkt->local)) {
+ /* Must stop coalescing if addresses have changed */
+ ossl_qtx_finish_dgram(qtx);
+ was_coalescing = 0;
+ }
+
+ for (;;) {
+ /*
+ * Start a new coalescing session or continue using the existing one and
+ * serialize/encrypt the packet. We always encrypt packets as soon as
+ * our caller gives them to us, which relieves the caller of any need to
+ * keep the plaintext around.
+ */
+ txe = qtx_ensure_cons(qtx);
+ if (txe == NULL)
+ return 0; /* allocation failure */
+
+ /*
+ * Ensure TXE has at least MDPL bytes allocated. This should only be
+ * possible if the MDPL has increased.
+ */
+ if (!qtx_reserve_txe(qtx, NULL, txe, qtx->mdpl))
+ return 0;
+
+ if (!was_coalescing) {
+ /* Set addresses in TXE. */
+ if (pkt->peer != NULL)
+ txe->peer = *pkt->peer;
+ else
+ BIO_ADDR_clear(&txe->peer);
+
+ if (pkt->local != NULL)
+ txe->local = *pkt->local;
+ else
+ BIO_ADDR_clear(&txe->local);
+ }
+
+ ret = qtx_write(qtx, pkt, txe, enc_level);
+ if (ret == 1) {
+ break;
+ } else if (ret == QTX_FAIL_INSUFFICIENT_LEN) {
+ if (was_coalescing) {
+ /*
+ * We failed due to insufficient length, so end the current
+ * datagram and try again.
+ */
+ ossl_qtx_finish_dgram(qtx);
+ was_coalescing = 0;
+ } else {
+ /*
+ * We failed due to insufficient length, but we were not
+ * coalescing/started with an empty datagram, so any future
+ * attempt to write this packet must also fail.
+ */
+ return 0;
+ }
+ } else {
+ return 0; /* other error */
+ }
+ }
+
+ ++qtx->cons_count;
+
+ /*
+ * Some packet types cannot have another packet come after them.
+ */
+ if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY
+ || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG
+ || pkt->hdr->type == QUIC_PKT_TYPE_1RTT)
+ coalescing = 0;
+
+ if (!coalescing)
+ ossl_qtx_finish_dgram(qtx);
+
+ return 1;
+}
+
+/*
+ * Finish any incomplete datagrams for transmission which were flagged for
+ * coalescing. If there is no current coalescing datagram, this is a no-op.
+ */
+void ossl_qtx_finish_dgram(OSSL_QTX *qtx)
+{
+ TXE *txe = qtx->cons;
+
+ if (txe == NULL)
+ return;
+
+ if (txe->data_len == 0)
+ /*
+ * If we did not put anything in the datagram, just move it back to the
+ * free list.
+ */
+ txe_insert_tail(&qtx->free, txe);
+ else
+ qtx_add_to_pending(qtx, txe);
+
+ qtx->cons = NULL;
+ qtx->cons_count = 0;
+}
+
+static void txe_to_msg(TXE *txe, BIO_MSG *msg)
+{
+ msg->data = txe_data(txe);
+ msg->data_len = txe->data_len;
+ msg->flags = 0;
+ msg->peer
+ = BIO_ADDR_family(&txe->peer) != AF_UNSPEC ? &txe->peer : NULL;
+ msg->local
+ = BIO_ADDR_family(&txe->local) != AF_UNSPEC ? &txe->local : NULL;
+}
+
+#define MAX_MSGS_PER_SEND 32
+
+void ossl_qtx_flush_net(OSSL_QTX *qtx)
+{
+ BIO_MSG msg[MAX_MSGS_PER_SEND];
+ size_t i;
+ TXE *txe;
+ ossl_ssize_t wr;
+
+ if (qtx->bio == NULL)
+ return;
+
+ for (;;) {
+ for (txe = qtx->pending.head, i = 0;
+ txe != NULL && i < OSSL_NELEM(msg);
+ txe = txe->next, ++i)
+ txe_to_msg(txe, &msg[i]);
+
+ if (!i)
+ /* Nothing to send. */
+ return;
+
+ wr = BIO_sendmmsg(qtx->bio, msg, sizeof(BIO_MSG), i, 0);
+ if (wr <= 0)
+ /*
+ * We did not get anything, so further calls will probably not
+ * succeed either.
+ */
+ break;
+
+ /*
+ * Remove everything which was successfully sent from the pending queue.
+ */
+ for (i = 0; i < (size_t)wr; ++i)
+ qtx_pending_to_free(qtx);
+ }
+}
+
+int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg)
+{
+ TXE *txe = qtx->pending.head;
+
+ if (txe == NULL)
+ return 0;
+
+ txe_to_msg(txe, msg);
+ qtx_pending_to_free(qtx);
+ return 1;
+}
+
+int ossl_qtx_set1_bio(OSSL_QTX *qtx, BIO *bio)
+{
+ if (bio != NULL && !BIO_up_ref(bio))
+ return 0;
+
+ BIO_free(qtx->bio);
+ qtx->bio = bio;
+ return 1;
+}
+
+int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl)
+{
+ qtx->mdpl = mdpl;
+ return 1;
+}
+
+size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx)
+{
+ return qtx->pending_count;
+}
+
+size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx)
+{
+ return qtx->pending_bytes;
+}
+
+size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx)
+{
+ return qtx->cons != NULL ? qtx->cons->data_len : 0;
+}
+
+size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx)
+{
+ return qtx->cons_count;
+}
+
+uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level)
+{
+ OSSL_QRL_ENC_LEVEL *el;
+
+ el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1);
+ if (el == NULL)
+ return UINT64_MAX;
+
+ return el->op_count;
+}
+
+uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level)
+{
+ OSSL_QRL_ENC_LEVEL *el;
+
+ el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1);
+ if (el == NULL)
+ return UINT64_MAX;
+
+ return ossl_qrl_get_suite_max_pkt(el->suite_id);
+}
*/
#include "internal/quic_record_util.h"
+#include "internal/quic_record_rx.h"
+#include "internal/quic_record_tx.h"
#include "internal/quic_wire_pkt.h"
+#include "../ssl_local.h"
#include <openssl/kdf.h>
#include <openssl/core_names.h>
return ret;
}
+/* Constants used for key derivation in QUIC v1. */
+static const unsigned char quic_client_in_label[] = {
+ 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */
+};
+static const unsigned char quic_server_in_label[] = {
+ 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */
+};
+
+/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */
+static const unsigned char quic_v1_initial_salt[] = {
+ 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17,
+ 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a
+};
+
+int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx,
+ const char *propq,
+ const QUIC_CONN_ID *dst_conn_id,
+ int is_server,
+ struct ossl_qrx_st *qrx,
+ struct ossl_qtx_st *qtx)
+{
+ unsigned char initial_secret[32];
+ unsigned char client_initial_secret[32], server_initial_secret[32];
+ unsigned char *rx_secret, *tx_secret;
+ EVP_MD *sha256;
+
+ if (qrx == NULL && qtx == NULL)
+ return 1;
+
+ /* Initial encryption always uses SHA-256. */
+ if ((sha256 = EVP_MD_fetch(libctx, "SHA256", propq)) == NULL)
+ return 0;
+
+ if (is_server) {
+ rx_secret = client_initial_secret;
+ tx_secret = server_initial_secret;
+ } else {
+ rx_secret = server_initial_secret;
+ tx_secret = client_initial_secret;
+ }
+
+ /* Derive initial secret from destination connection ID. */
+ if (!ossl_quic_hkdf_extract(libctx, propq,
+ sha256,
+ quic_v1_initial_salt,
+ sizeof(quic_v1_initial_salt),
+ dst_conn_id->id,
+ dst_conn_id->id_len,
+ initial_secret,
+ sizeof(initial_secret)))
+ goto err;
+
+ /* Derive "client in" secret. */
+ if (((qtx != NULL && tx_secret == client_initial_secret)
+ || (qrx != NULL && rx_secret == client_initial_secret))
+ && !tls13_hkdf_expand_ex(libctx, propq,
+ sha256,
+ initial_secret,
+ quic_client_in_label,
+ sizeof(quic_client_in_label),
+ NULL, 0,
+ client_initial_secret,
+ sizeof(client_initial_secret), 0))
+ goto err;
+
+ /* Derive "server in" secret. */
+ if (((qtx != NULL && tx_secret == server_initial_secret)
+ || (qrx != NULL && rx_secret == server_initial_secret))
+ && !tls13_hkdf_expand_ex(libctx, propq,
+ sha256,
+ initial_secret,
+ quic_server_in_label,
+ sizeof(quic_server_in_label),
+ NULL, 0,
+ server_initial_secret,
+ sizeof(server_initial_secret), 0))
+ goto err;
+
+ /* Setup RX EL. Initial encryption always uses AES-128-GCM. */
+ if (qrx != NULL
+ && !ossl_qrx_provide_secret(qrx, QUIC_ENC_LEVEL_INITIAL,
+ QRL_SUITE_AES128GCM,
+ sha256,
+ rx_secret,
+ sizeof(server_initial_secret)))
+ goto err;
+
+ /*
+ * ossl_qrx_provide_secret takes ownership of our ref to SHA256, so if we
+ * are initialising both sides, get a new ref for the following call for the
+ * TX side.
+ */
+ if (qrx != NULL && qtx != NULL && !EVP_MD_up_ref(sha256)) {
+ sha256 = NULL;
+ goto err;
+ }
+
+ /* Setup TX cipher. */
+ if (qtx != NULL
+ && !ossl_qtx_provide_secret(qtx, QUIC_ENC_LEVEL_INITIAL,
+ QRL_SUITE_AES128GCM,
+ sha256,
+ tx_secret,
+ sizeof(server_initial_secret)))
+ goto err;
+
+ return 1;
+
+err:
+ EVP_MD_free(sha256);
+ return 0;
+}
+
/*
* QUIC Record Layer Ciphersuite Info
* ==================================
const char *cipher_name, *md_name;
uint32_t secret_len, cipher_key_len, cipher_iv_len, cipher_tag_len;
uint32_t hdr_prot_key_len, hdr_prot_cipher_id;
+ uint64_t max_pkt, max_forged_pkt;
};
static const struct suite_info suite_aes128gcm = {
"AES-128-GCM", "SHA256", 32, 16, 12, 16, 16,
- QUIC_HDR_PROT_CIPHER_AES_128
+ QUIC_HDR_PROT_CIPHER_AES_128,
+ ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */
+ ((uint64_t)1) << 52,
};
static const struct suite_info suite_aes256gcm = {
"AES-256-GCM", "SHA384", 48, 32, 12, 16, 32,
- QUIC_HDR_PROT_CIPHER_AES_256
+ QUIC_HDR_PROT_CIPHER_AES_256,
+ ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */
+ ((uint64_t)1) << 52,
};
static const struct suite_info suite_chacha20poly1305 = {
"ChaCha20-Poly1305", "SHA256", 32, 32, 12, 16, 32,
- QUIC_HDR_PROT_CIPHER_CHACHA
+ QUIC_HDR_PROT_CIPHER_CHACHA,
+ /* Do not use UINT64_MAX here as this represents an invalid value */
+ UINT64_MAX - 1, /* No applicable limit for this suite (RFC 9001) */
+ ((uint64_t)1) << 36, /* Limit as prescribed by RFC 9001 */
};
static const struct suite_info *get_suite(uint32_t suite_id)
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->hdr_prot_key_len : 0;
}
+
+uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id)
+{
+ const struct suite_info *c = get_suite(suite_id);
+ return c != NULL ? c->max_pkt : UINT64_MAX;
+}
+
+uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id)
+{
+ const struct suite_info *c = get_suite(suite_id);
+ return c != NULL ? c->max_forged_pkt : UINT64_MAX;
+}
QUIC_PKT_HDR_PTRS *ptrs)
{
unsigned char b0;
- size_t off_start, off_sample, off_sample_end, off_pn;
+ size_t off_start, off_sample, off_pn;
+ unsigned char *start = WPACKET_get_curr(pkt);
if (!WPACKET_get_total_written(pkt, &off_start))
return 0;
return 0;
off_sample = off_pn + 4;
- if (!WPACKET_get_total_written(pkt, &off_sample_end))
- return 0;
if (ptrs != NULL) {
- ptrs->raw_start = (unsigned char *)pkt->buf->data + off_start;
- ptrs->raw_sample = (unsigned char *)pkt->buf->data + off_sample;
- ptrs->raw_sample_len = off_sample_end - off_sample;
- ptrs->raw_pn = (unsigned char *)pkt->buf->data + off_pn;
+ ptrs->raw_start = start;
+ ptrs->raw_sample = start + (off_sample - off_start);
+ ptrs->raw_sample_len
+ = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample;
+ ptrs->raw_pn = start + (off_pn - off_start);
}
return 1;
}
+int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len,
+ const QUIC_PKT_HDR *hdr)
+{
+ size_t len = 0, enclen;
+
+ /* Cannot serialize a partial header, or one whose DCID length is wrong. */
+ if (hdr->partial
+ || (hdr->type == QUIC_PKT_TYPE_1RTT
+ && hdr->dst_conn_id.id_len != short_conn_id_len))
+ return 0;
+
+ if (hdr->type == QUIC_PKT_TYPE_1RTT) {
+ /* Short header. */
+
+ /*
+ * Cannot serialize a header whose DCID length is wrong, or with an
+ * invalid PN length.
+ */
+ if (hdr->dst_conn_id.id_len != short_conn_id_len
+ || short_conn_id_len > QUIC_MAX_CONN_ID_LEN
+ || hdr->pn_len < 1 || hdr->pn_len > 4)
+ return 0;
+
+ return 1 + short_conn_id_len + hdr->pn_len;
+ } else {
+ /* Long header. */
+ if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN
+ || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN)
+ return 0;
+
+ if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG
+ && hdr->type != QUIC_PKT_TYPE_RETRY
+ && (hdr->pn_len < 1 || hdr->pn_len > 4))
+ return 0;
+
+ len += 1 /* Initial byte */ + 4 /* Version */
+ + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */
+ + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */
+ + hdr->pn_len; /* PN */
+
+ if (hdr->type == QUIC_PKT_TYPE_INITIAL) {
+ enclen = ossl_quic_vlint_encode_len(hdr->token_len);
+ if (!enclen)
+ return 0;
+ len += enclen;
+ }
+
+ enclen = ossl_quic_vlint_encode_len(hdr->len);
+ if (!enclen)
+ return 0;
+
+ len += enclen;
+ return len;
+ }
+}
+
int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf,
size_t buf_len,
size_t short_conn_id_len,
* https://www.openssl.org/source/license.html
*/
-#include "internal/quic_record.h"
+#include "internal/quic_record_rx.h"
+#include "internal/quic_record_tx.h"
#include "testutil.h"
static const QUIC_CONN_ID empty_conn_id = {0, {0}};
-struct test_case {
- const unsigned char *dgram;
- size_t dgram_len;
-};
-
-#define TEST_OP_END 0 /* end of script */
-#define TEST_OP_SET_SCID_LEN 1 /* change SCID length */
-#define TEST_OP_SET_INIT_LARGEST_PN 2 /* set initial largest PN */
-#define TEST_OP_ADD_RX_DCID 3 /* register an RX DCID */
-#define TEST_OP_INJECT 4 /* inject a datagram into demux */
-#define TEST_OP_PROVIDE_SECRET 5 /* provide RX secret */
-#define TEST_OP_PROVIDE_SECRET_INITIAL 6 /* provide RX secret for initial */
-#define TEST_OP_DISCARD_EL 7 /* discard an encryption level */
-#define TEST_OP_CHECK_PKT 8 /* read packet, compare to expected */
-#define TEST_OP_CHECK_NO_PKT 9 /* check no packet is available to read */
-
-struct test_op {
+#define RX_TEST_OP_END 0 /* end of script */
+#define RX_TEST_OP_SET_SCID_LEN 1 /* change SCID length */
+#define RX_TEST_OP_SET_INIT_LARGEST_PN 2 /* set initial largest PN */
+#define RX_TEST_OP_ADD_RX_DCID 3 /* register an RX DCID */
+#define RX_TEST_OP_INJECT 4 /* inject a datagram into demux */
+#define RX_TEST_OP_PROVIDE_SECRET 5 /* provide RX secret */
+#define RX_TEST_OP_PROVIDE_SECRET_INITIAL 6 /* provide RX secret for initial */
+#define RX_TEST_OP_DISCARD_EL 7 /* discard an encryption level */
+#define RX_TEST_OP_CHECK_PKT 8 /* read packet, compare to expected */
+#define RX_TEST_OP_CHECK_NO_PKT 9 /* check no packet is available to read */
+
+struct rx_test_op {
unsigned char op;
const unsigned char *buf;
size_t buf_len;
uint32_t enc_level, suite_id;
QUIC_PN largest_pn;
const QUIC_CONN_ID *dcid;
- int (*new_qrl)(QUIC_DEMUX **demux, OSSL_QRL **qrl);
-};
-
-#define OP_END \
- { TEST_OP_END }
-#define OP_SET_SCID_LEN(scid_len) \
- { TEST_OP_SET_SCID_LEN, NULL, 0, NULL, (scid_len), 0, 0, NULL, NULL },
-#define OP_SET_INIT_LARGEST_PN(largest_pn) \
- { TEST_OP_SET_INIT_LARGEST_PN, NULL, 0, NULL, 0, 0, (largest_pn), NULL, NULL },
-#define OP_ADD_RX_DCID(dcid) \
- { TEST_OP_ADD_RX_DCID, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL },
-#define OP_INJECT(dgram) \
- { TEST_OP_INJECT, (dgram), sizeof(dgram), NULL, 0, 0, 0, NULL },
-#define OP_PROVIDE_SECRET(el, suite, key) \
+ int (*new_qrx)(QUIC_DEMUX **demux, OSSL_QRX **qrx);
+};
+
+#define RX_OP_END \
+ { RX_TEST_OP_END }
+#define RX_OP_SET_SCID_LEN(scid_len) \
+ { RX_TEST_OP_SET_SCID_LEN, NULL, 0, NULL, (scid_len), 0, 0, NULL, NULL },
+#define RX_OP_SET_INIT_LARGEST_PN(largest_pn) \
+ { RX_TEST_OP_SET_INIT_LARGEST_PN, NULL, 0, NULL, 0, 0, (largest_pn), NULL, NULL },
+#define RX_OP_ADD_RX_DCID(dcid) \
+ { RX_TEST_OP_ADD_RX_DCID, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL },
+#define RX_OP_INJECT(dgram) \
+ { RX_TEST_OP_INJECT, (dgram), sizeof(dgram), NULL, 0, 0, 0, NULL },
+#define RX_OP_PROVIDE_SECRET(el, suite, key) \
{ \
- TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \
+ RX_TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \
NULL, (el), (suite), 0, NULL, NULL \
},
-#define OP_PROVIDE_SECRET_INITIAL(dcid) \
- { TEST_OP_PROVIDE_SECRET_INITIAL, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL },
-#define OP_DISCARD_EL(el) \
- { TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, 0, NULL, NULL },
-#define OP_CHECK_PKT(expect_hdr, expect_body) \
+#define RX_OP_PROVIDE_SECRET_INITIAL(dcid) \
+ { RX_TEST_OP_PROVIDE_SECRET_INITIAL, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL },
+#define RX_OP_DISCARD_EL(el) \
+ { RX_TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, 0, NULL, NULL },
+#define RX_OP_CHECK_PKT(expect_hdr, expect_body) \
{ \
- TEST_OP_CHECK_PKT, (expect_body), sizeof(expect_body), \
+ RX_TEST_OP_CHECK_PKT, (expect_body), sizeof(expect_body), \
&(expect_hdr), 0, 0, 0, NULL, NULL \
},
-#define OP_CHECK_NO_PKT() \
- { TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, 0, NULL, NULL },
+#define RX_OP_CHECK_NO_PKT() \
+ { RX_TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, 0, NULL, NULL },
-#define OP_INJECT_N(n) \
- OP_INJECT(script_##n##_in)
-#define OP_CHECK_PKT_N(n) \
- OP_CHECK_PKT(script_##n##_expect_hdr, script_##n##_body)
+#define RX_OP_INJECT_N(n) \
+ RX_OP_INJECT(rx_script_##n##_in)
+#define RX_OP_CHECK_PKT_N(n) \
+ RX_OP_CHECK_PKT(rx_script_##n##_expect_hdr, rx_script_##n##_body)
-#define OP_INJECT_CHECK(n) \
- OP_INJECT_N(n) \
- OP_CHECK_PKT_N(n)
+#define RX_OP_INJECT_CHECK(n) \
+ RX_OP_INJECT_N(n) \
+ RX_OP_CHECK_PKT_N(n)
/* 1. RFC 9001 - A.3 Server Initial */
-static const unsigned char script_1_in[] = {
+static const unsigned char rx_script_1_in[] = {
0xcf, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xf0, 0x67, 0xa5, 0x50, 0x2a,
0x42, 0x62, 0xb5, 0x00, 0x40, 0x75, 0xc0, 0xd9, 0x5a, 0x48, 0x2c, 0xd0,
0x99, 0x1c, 0xd2, 0x5b, 0x0a, 0xac, 0x40, 0x6a, 0x58, 0x16, 0xb6, 0x39,
0xd0, 0x74, 0xee
};
-static const unsigned char script_1_body[] = {
+static const unsigned char rx_script_1_body[] = {
0x02, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x40, 0x5a, 0x02, 0x00, 0x00,
0x56, 0x03, 0x03, 0xee, 0xfc, 0xe7, 0xf7, 0xb3, 0x7b, 0xa1, 0xd1, 0x63,
0x2e, 0x96, 0x67, 0x78, 0x25, 0xdd, 0xf7, 0x39, 0x88, 0xcf, 0xc7, 0x98,
0x02, 0x03, 0x04
};
-static const QUIC_CONN_ID script_1_dcid = {
+static const QUIC_CONN_ID rx_script_1_dcid = {
8, { 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08 }
};
-static const QUIC_PKT_HDR script_1_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_1_expect_hdr = {
QUIC_PKT_TYPE_INITIAL,
0, 0, 2, 0, 1, 1, { 0, {0} },
{ 8, {0xf0, 0x67, 0xa5, 0x50, 0x2a, 0x42, 0x62, 0xb5 } },
99, NULL
};
-static const struct test_op script_1[] = {
- OP_SET_SCID_LEN(2)
- OP_SET_INIT_LARGEST_PN(0)
- OP_ADD_RX_DCID(empty_conn_id)
- OP_PROVIDE_SECRET_INITIAL(script_1_dcid)
- OP_INJECT_CHECK(1)
- OP_CHECK_NO_PKT()
- OP_END
+static const struct rx_test_op rx_script_1[] = {
+ RX_OP_SET_SCID_LEN(2)
+ RX_OP_SET_INIT_LARGEST_PN(0)
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_1_dcid)
+ RX_OP_INJECT_CHECK(1)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_END
};
/* 2. RFC 9001 - A.5 ChaCha20-Poly1305 Short Header Packet */
-static const unsigned char script_2_in[] = {
+static const unsigned char rx_script_2_in[] = {
0x4c, 0xfe, 0x41, 0x89, 0x65, 0x5e, 0x5c, 0xd5, 0x5c, 0x41, 0xf6, 0x90,
0x80, 0x57, 0x5d, 0x79, 0x99, 0xc2, 0x5a, 0x5b, 0xfb
};
-static const unsigned char script_2_secret[] = {
+static const unsigned char rx_script_2_secret[] = {
0x9a, 0xc3, 0x12, 0xa7, 0xf8, 0x77, 0x46, 0x8e, 0xbe, 0x69, 0x42, 0x27,
0x48, 0xad, 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60,
0x60, 0xf6, 0x88, 0xf3, 0x0f, 0x21, 0x63, 0x2b
};
-static const unsigned char script_2_body[] = {
+static const unsigned char rx_script_2_body[] = {
0x01
};
-static const QUIC_PKT_HDR script_2_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_2_expect_hdr = {
QUIC_PKT_TYPE_1RTT,
0, 0, 3, 0, 1, 0, {0, {0}}, {0, {0}},
{0x00, 0xbf, 0xf4, 0x00},
1, NULL
};
-static const struct test_op script_2[] = {
- OP_SET_INIT_LARGEST_PN(654360560)
- OP_ADD_RX_DCID(empty_conn_id)
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305,
- script_2_secret)
- OP_INJECT_CHECK(2)
- OP_CHECK_NO_PKT()
- OP_END
+static const struct rx_test_op rx_script_2[] = {
+ RX_OP_SET_INIT_LARGEST_PN(654360560)
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305,
+ rx_script_2_secret)
+ RX_OP_INJECT_CHECK(2)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_END
};
/* 3. Real World - Version Negotiation Response */
-static const unsigned char script_3_in[] = {
+static const unsigned char rx_script_3_in[] = {
0xc7, /* Long; Random Bits */
0x00, 0x00, 0x00, 0x00, /* Version 0 (Version Negotiation) */
0x00, /* DCID */
0xaa, 0x9a, 0x3a, 0x9a /* Supported Version: Random (GREASE) */
};
-static const QUIC_PKT_HDR script_3_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_3_expect_hdr = {
QUIC_PKT_TYPE_VERSION_NEG,
0, /* Spin Bit */
0, /* Key Phase */
8, NULL
};
-static const unsigned char script_3_body[] = {
+static const unsigned char rx_script_3_body[] = {
0x00, 0x00, 0x00, 0x01,
0xaa, 0x9a, 0x3a, 0x9a
};
-static const struct test_op script_3[] = {
- OP_ADD_RX_DCID(empty_conn_id)
- OP_INJECT_CHECK(3)
- OP_CHECK_NO_PKT()
- OP_END
+static const struct rx_test_op rx_script_3[] = {
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_INJECT_CHECK(3)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_END
};
/* 4. Real World - Retry (S2C) */
-static const unsigned char script_4_in[] = {
+static const unsigned char rx_script_4_in[] = {
0xf0, /* Long; Retry */
0x00, 0x00, 0x00, 0x01, /* Version 1 */
0x00, /* DCID */
0x9d, 0x82, 0xb3, 0x45, 0x62, 0x4c,
};
-static const QUIC_PKT_HDR script_4_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_4_expect_hdr = {
QUIC_PKT_TYPE_RETRY,
0, /* Spin Bit */
0, /* Key Phase */
114, NULL
};
-static const unsigned char script_4_body[] = {
+static const unsigned char rx_script_4_body[] = {
0xf6, 0x8b, 0x6e, 0xa3, 0xdc, 0x40, 0x38, 0xc6, 0xa5, 0x99, 0x1c, 0xa9,
0x77, 0xe6, 0x1d, 0x4f, 0x09, 0x36, 0x12, 0x26, 0x00, 0x56, 0x0b, 0x29,
0x7d, 0x5e, 0xda, 0x39, 0xc6, 0x61, 0x57, 0x69, 0x15, 0xff, 0x93, 0x39,
0x9d, 0x82, 0xb3, 0x45, 0x62, 0x4c
};
-static const struct test_op script_4[] = {
- OP_ADD_RX_DCID(empty_conn_id)
- OP_INJECT_CHECK(4)
- OP_CHECK_NO_PKT()
- OP_END
+static const struct rx_test_op rx_script_4[] = {
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_INJECT_CHECK(4)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_END
};
/*
* 5. Real World - S2C Multiple Packets
* - Initial, Handshake, 1-RTT (AES-128-GCM/SHA256)
*/
-static const QUIC_CONN_ID script_5_c2s_init_dcid = {
+static const QUIC_CONN_ID rx_script_5_c2s_init_dcid = {
4, {0xad, 0x15, 0x3f, 0xae}
};
-static const unsigned char script_5_handshake_secret[32] = {
+static const unsigned char rx_script_5_handshake_secret[32] = {
0x5e, 0xc6, 0x4a, 0x4d, 0x0d, 0x40, 0x43, 0x3b, 0xd5, 0xbd, 0xe0, 0x19,
0x71, 0x47, 0x56, 0xf3, 0x59, 0x3a, 0xa6, 0xc9, 0x3e, 0xdc, 0x81, 0x1e,
0xc7, 0x72, 0x9d, 0x83, 0xd8, 0x8f, 0x88, 0x77
};
-static const unsigned char script_5_1rtt_secret[32] = {
+static const unsigned char rx_script_5_1rtt_secret[32] = {
0x53, 0xf2, 0x1b, 0x94, 0xa7, 0x65, 0xf7, 0x76, 0xfb, 0x06, 0x27, 0xaa,
0xd2, 0x3f, 0xe0, 0x9a, 0xbb, 0xcf, 0x99, 0x6f, 0x13, 0x2c, 0x6a, 0x37,
0x95, 0xf3, 0xda, 0x21, 0xcb, 0xcb, 0xa5, 0x26,
};
-static const unsigned char script_5_in[] = {
+static const unsigned char rx_script_5_in[] = {
/* First Packet: Initial */
0xc4, /* Long, Initial, PN Length=2 bytes */
0x00, 0x00, 0x00, 0x01, /* Version */
0x9a, 0x31, 0x56, 0xc7,
};
-static const QUIC_PKT_HDR script_5a_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_5a_expect_hdr = {
QUIC_PKT_TYPE_INITIAL,
0, /* Spin Bit */
0, /* Key Phase */
448, NULL
};
-static const unsigned char script_5a_body[] = {
+static const unsigned char rx_script_5a_body[] = {
0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1f, 0x54, 0x86, 0x1d,
};
-static const QUIC_PKT_HDR script_5b_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_5b_expect_hdr = {
QUIC_PKT_TYPE_HANDSHAKE,
0, /* Spin Bit */
0, /* Key Phase */
650, NULL
};
-static const unsigned char script_5b_body[] = {
+static const unsigned char rx_script_5b_body[] = {
0x06, 0x00, 0x42, 0x86, 0x08, 0x00, 0x00, 0x7d, 0x00, 0x7b, 0x00, 0x10,
0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39,
0x00, 0x6b, 0x4b, 0x20, 0x0b, 0x1b, 0xe1, 0x1f, 0xd0, 0x78, 0xc0, 0x69,
0x53, 0x0a,
};
-static const QUIC_PKT_HDR script_5c_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_5c_expect_hdr = {
QUIC_PKT_TYPE_1RTT,
0, /* Spin Bit */
0, /* Key Phase */
72, NULL
};
-static const unsigned char script_5c_body[] = {
+static const unsigned char rx_script_5c_body[] = {
0x18, 0x03, 0x00, 0x04, 0x92, 0xec, 0xaa, 0xd6, 0x47, 0xd8, 0x8b, 0x56,
0x3b, 0x5f, 0x67, 0xe6, 0xb9, 0xb9, 0xca, 0x72, 0xca, 0xf2, 0x49, 0x7d,
0x18, 0x02, 0x00, 0x04, 0xa9, 0x6e, 0x9b, 0x84, 0x26, 0x43, 0x00, 0xc7,
0xef, 0x97, 0x1e, 0x9a, 0x3c, 0xab, 0x1e, 0xfc, 0xb7, 0x90, 0xc3, 0x1a,
};
-static const struct test_op script_5[] = {
- OP_ADD_RX_DCID(empty_conn_id)
- OP_PROVIDE_SECRET_INITIAL(script_5_c2s_init_dcid)
- OP_INJECT_N(5)
- OP_CHECK_PKT_N(5a)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_AES128GCM, script_5_handshake_secret)
- OP_CHECK_PKT_N(5b)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_AES128GCM, script_5_1rtt_secret)
- OP_CHECK_PKT_N(5c)
- OP_CHECK_NO_PKT()
+static const struct rx_test_op rx_script_5[] = {
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_5_c2s_init_dcid)
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_PKT_N(5a)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_AES128GCM, rx_script_5_handshake_secret)
+ RX_OP_CHECK_PKT_N(5b)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_AES128GCM, rx_script_5_1rtt_secret)
+ RX_OP_CHECK_PKT_N(5c)
+ RX_OP_CHECK_NO_PKT()
/* Try injecting the packet again */
- OP_INJECT_N(5)
+ RX_OP_INJECT_N(5)
/*
* Initial packet is not output due to receiving a Handshake packet causing
* auto-discard of Initial keys
*/
- OP_CHECK_PKT_N(5b)
- OP_CHECK_PKT_N(5c)
- OP_CHECK_NO_PKT()
+ RX_OP_CHECK_PKT_N(5b)
+ RX_OP_CHECK_PKT_N(5c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
- OP_INJECT_N(5)
- OP_CHECK_PKT_N(5c)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_PKT_N(5c)
+ RX_OP_CHECK_NO_PKT()
/* Try again */
- OP_INJECT_N(5)
- OP_CHECK_PKT_N(5c)
- OP_CHECK_NO_PKT()
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_PKT_N(5c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded 1-RTT keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
- OP_INJECT_N(5)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_NO_PKT()
/* Recreate QRL, test reading packets received before key */
- OP_SET_SCID_LEN(0)
- OP_ADD_RX_DCID(empty_conn_id)
- OP_INJECT_N(5)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET_INITIAL(script_5_c2s_init_dcid)
- OP_CHECK_PKT_N(5a)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_AES128GCM, script_5_handshake_secret)
- OP_CHECK_PKT_N(5b)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_AES128GCM, script_5_1rtt_secret)
- OP_CHECK_PKT_N(5c)
- OP_CHECK_NO_PKT()
-
- OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
- OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
- OP_INJECT_N(5)
- OP_CHECK_NO_PKT()
-
- OP_END
+ RX_OP_SET_SCID_LEN(0)
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_5_c2s_init_dcid)
+ RX_OP_CHECK_PKT_N(5a)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_AES128GCM, rx_script_5_handshake_secret)
+ RX_OP_CHECK_PKT_N(5b)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_AES128GCM, rx_script_5_1rtt_secret)
+ RX_OP_CHECK_PKT_N(5c)
+ RX_OP_CHECK_NO_PKT()
+
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
+ RX_OP_INJECT_N(5)
+ RX_OP_CHECK_NO_PKT()
+
+ RX_OP_END
};
/*
* 6. Real World - S2C Multiple Packets
* - Initial, Handshake, 1-RTT (AES-256-GCM/SHA384)
*/
-static const QUIC_CONN_ID script_6_c2s_init_dcid = {
+static const QUIC_CONN_ID rx_script_6_c2s_init_dcid = {
4, {0xac, 0x88, 0x95, 0xbd}
};
-static const unsigned char script_6_handshake_secret[48] = {
+static const unsigned char rx_script_6_handshake_secret[48] = {
0xd1, 0x41, 0xb0, 0xf6, 0x0d, 0x8b, 0xbd, 0xe8, 0x5b, 0xa8, 0xff, 0xd7,
0x18, 0x9a, 0x23, 0x7b, 0x13, 0x5c, 0x1e, 0x90, 0x1d, 0x08, 0x95, 0xcc,
0xc5, 0x8e, 0x73, 0x4e, 0x02, 0x6f, 0x3c, 0xb6, 0x26, 0x77, 0x8d, 0x53,
0xc5, 0x62, 0x9f, 0xb5, 0xf0, 0x88, 0xfb, 0xe5, 0x14, 0x71, 0xab, 0xe6,
};
-static const unsigned char script_6_1rtt_secret[48] = {
+static const unsigned char rx_script_6_1rtt_secret[48] = {
0x2d, 0x6b, 0x9d, 0xd4, 0x39, 0xa0, 0xe7, 0xff, 0x17, 0xe2, 0xcb, 0x5c,
0x0d, 0x4a, 0xf6, 0x3f, 0xf4, 0xfe, 0xfc, 0xe5, 0x22, 0xfa, 0xf5, 0x5b,
0xc0, 0xb2, 0x18, 0xbb, 0x92, 0x4d, 0x35, 0xea, 0x67, 0xa6, 0xe7, 0xc1,
0x90, 0x10, 0xc9, 0x14, 0x46, 0xf5, 0x95, 0x57, 0x8b, 0x90, 0x88, 0x5d,
};
-static const unsigned char script_6_in[] = {
+static const unsigned char rx_script_6_in[] = {
/* First Packet: Initial */
0xc5, /* Long, Initial, PN Length=2 bytes */
0x00, 0x00, 0x00, 0x01, /* Version */
0xfe, 0xb1, 0x25, 0x1a,
};
-static const QUIC_PKT_HDR script_6a_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_6a_expect_hdr = {
QUIC_PKT_TYPE_INITIAL,
0, /* Spin Bit */
0, /* Key Phase */
428, NULL
};
-static const unsigned char script_6a_body[] = {
+static const unsigned char rx_script_6a_body[] = {
0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb2, 0xd9, 0xad, 0xd1, 0x14, 0xdc, 0x84, 0x61,
};
-static const QUIC_PKT_HDR script_6b_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_6b_expect_hdr = {
QUIC_PKT_TYPE_HANDSHAKE,
0, /* Spin Bit */
0, /* Key Phase */
670, NULL
};
-static const unsigned char script_6b_body[] = {
+static const unsigned char rx_script_6b_body[] = {
0x06, 0x00, 0x42, 0x9a, 0x08, 0x00, 0x00, 0x80, 0x00, 0x7e, 0x00, 0x10,
0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39,
0x00, 0x6e, 0x47, 0xfa, 0x05, 0x5a, 0xe0, 0xec, 0x4a, 0xf3, 0x05, 0x04,
0xc4, 0x4e, 0x96, 0x19, 0x68, 0x2d, 0xbe, 0x6f, 0x49, 0xfa,
};
-static const QUIC_PKT_HDR script_6c_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_6c_expect_hdr = {
QUIC_PKT_TYPE_1RTT,
0, /* Spin Bit */
0, /* Key Phase */
72, NULL
};
-static const unsigned char script_6c_body[] = {
+static const unsigned char rx_script_6c_body[] = {
0x18, 0x03, 0x00, 0x04, 0xf2, 0x94, 0x49, 0xc3, 0x34, 0xa1, 0xf4, 0x0f,
0xcb, 0xb8, 0x03, 0x04, 0x1f, 0xc8, 0x69, 0xb9, 0x3b, 0xd5, 0xc6, 0x93,
0x18, 0x02, 0x00, 0x04, 0x9a, 0x4f, 0xec, 0x52, 0xde, 0xd2, 0xc8, 0xb7,
0xfc, 0x58, 0x0e, 0xa4, 0xf4, 0xf3, 0x23, 0x1b, 0xd6, 0x8e, 0x5b, 0x08,
};
-static const struct test_op script_6[] = {
- OP_ADD_RX_DCID(empty_conn_id)
- OP_PROVIDE_SECRET_INITIAL(script_6_c2s_init_dcid)
- OP_INJECT_N(6)
- OP_CHECK_PKT_N(6a)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_AES256GCM, script_6_handshake_secret)
- OP_CHECK_PKT_N(6b)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_AES256GCM, script_6_1rtt_secret)
- OP_CHECK_PKT_N(6c)
- OP_CHECK_NO_PKT()
+static const struct rx_test_op rx_script_6[] = {
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_6_c2s_init_dcid)
+ RX_OP_INJECT_N(6)
+ RX_OP_CHECK_PKT_N(6a)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_AES256GCM, rx_script_6_handshake_secret)
+ RX_OP_CHECK_PKT_N(6b)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_AES256GCM, rx_script_6_1rtt_secret)
+ RX_OP_CHECK_PKT_N(6c)
+ RX_OP_CHECK_NO_PKT()
/* Try injecting the packet again */
- OP_INJECT_N(6)
+ RX_OP_INJECT_N(6)
/*
* Initial packet is not output due to receiving a Handshake packet causing
* auto-discard of Initial keys
*/
- OP_CHECK_PKT_N(6b)
- OP_CHECK_PKT_N(6c)
- OP_CHECK_NO_PKT()
+ RX_OP_CHECK_PKT_N(6b)
+ RX_OP_CHECK_PKT_N(6c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
- OP_INJECT_N(6)
- OP_CHECK_PKT_N(6c)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
+ RX_OP_INJECT_N(6)
+ RX_OP_CHECK_PKT_N(6c)
+ RX_OP_CHECK_NO_PKT()
/* Try again */
- OP_INJECT_N(6)
- OP_CHECK_PKT_N(6c)
- OP_CHECK_NO_PKT()
+ RX_OP_INJECT_N(6)
+ RX_OP_CHECK_PKT_N(6c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded 1-RTT keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
- OP_INJECT_N(6)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
+ RX_OP_INJECT_N(6)
+ RX_OP_CHECK_NO_PKT()
/* Recreate QRL, test reading packets received before key */
- OP_SET_SCID_LEN(0)
- OP_ADD_RX_DCID(empty_conn_id)
- OP_INJECT_N(6)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET_INITIAL(script_6_c2s_init_dcid)
- OP_CHECK_PKT_N(6a)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_AES256GCM, script_6_handshake_secret)
- OP_CHECK_PKT_N(6b)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_AES256GCM, script_6_1rtt_secret)
- OP_CHECK_PKT_N(6c)
- OP_CHECK_NO_PKT()
-
- OP_END
+ RX_OP_SET_SCID_LEN(0)
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_INJECT_N(6)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_6_c2s_init_dcid)
+ RX_OP_CHECK_PKT_N(6a)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_AES256GCM, rx_script_6_handshake_secret)
+ RX_OP_CHECK_PKT_N(6b)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_AES256GCM, rx_script_6_1rtt_secret)
+ RX_OP_CHECK_PKT_N(6c)
+ RX_OP_CHECK_NO_PKT()
+
+ RX_OP_END
};
/*
* 7. Real World - S2C Multiple Packets
* - Initial, Handshake, 1-RTT (ChaCha20-Poly1305)
*/
-static const QUIC_CONN_ID script_7_c2s_init_dcid = {
+static const QUIC_CONN_ID rx_script_7_c2s_init_dcid = {
4, {0xfa, 0x5d, 0xd6, 0x80}
};
-static const unsigned char script_7_handshake_secret[32] = {
+static const unsigned char rx_script_7_handshake_secret[32] = {
0x85, 0x44, 0xa4, 0x02, 0x46, 0x5b, 0x2a, 0x92, 0x80, 0x71, 0xfd, 0x11,
0x89, 0x73, 0x84, 0xeb, 0x3e, 0x0d, 0x89, 0x4f, 0x71, 0xdc, 0x9c, 0xdd,
0x55, 0x77, 0x9e, 0x79, 0x7b, 0xeb, 0xfa, 0x86,
};
-static const unsigned char script_7_1rtt_secret[32] = {
+static const unsigned char rx_script_7_1rtt_secret[32] = {
0x4a, 0x77, 0xb6, 0x0e, 0xfd, 0x90, 0xca, 0xbf, 0xc0, 0x1a, 0x64, 0x9f,
0xc0, 0x03, 0xd3, 0x8d, 0xc5, 0x41, 0x04, 0x50, 0xb1, 0x5b, 0x74, 0xe7,
0xe3, 0x99, 0x0c, 0xdf, 0x74, 0x61, 0x35, 0xe6,
};
-static const unsigned char script_7_in[] = {
+static const unsigned char rx_script_7_in[] = {
/* First Packet: Initial */
0xc2, /* Long, Initial, PN Length=2 bytes */
0x00, 0x00, 0x00, 0x01, /* Version */
0x7f, 0x33, 0x86, 0xbb,
};
-static const QUIC_PKT_HDR script_7a_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_7a_expect_hdr = {
QUIC_PKT_TYPE_INITIAL,
0, /* Spin Bit */
0, /* Key Phase */
441, NULL
};
-static const unsigned char script_7a_body[] = {
+static const unsigned char rx_script_7a_body[] = {
0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x08, 0xa9, 0x0b, 0xfd, 0xbe, 0xf1, 0x57, 0x21, 0x34,
};
-static const QUIC_PKT_HDR script_7b_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_7b_expect_hdr = {
QUIC_PKT_TYPE_HANDSHAKE,
0, /* Spin Bit */
0, /* Key Phase */
657, NULL
};
-static const unsigned char script_7b_body[] = {
+static const unsigned char rx_script_7b_body[] = {
0x06, 0x00, 0x42, 0x8d, 0x08, 0x00, 0x00, 0x82, 0x00, 0x80, 0x00, 0x10,
0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39,
0x00, 0x70, 0x46, 0x0a, 0x0d, 0xdc, 0x59, 0xf0, 0x4e, 0xb2, 0x2c, 0xac,
0x80, 0x93, 0x40, 0xda, 0x41, 0x33, 0x08, 0x10, 0x2c,
};
-static const QUIC_PKT_HDR script_7c_expect_hdr = {
+static const QUIC_PKT_HDR rx_script_7c_expect_hdr = {
QUIC_PKT_TYPE_1RTT,
0, /* Spin Bit */
0, /* Key Phase */
72, NULL
};
-static const unsigned char script_7c_body[] = {
+static const unsigned char rx_script_7c_body[] = {
0x18, 0x03, 0x00, 0x04, 0xf7, 0x75, 0x72, 0xa2, 0xfd, 0x17, 0xd4, 0x82,
0x8e, 0xe9, 0x5b, 0xce, 0xed, 0xec, 0x88, 0xb9, 0x73, 0xbf, 0x36, 0x9f,
0x18, 0x02, 0x00, 0x04, 0x5f, 0x43, 0x96, 0xe4, 0x15, 0xdc, 0x56, 0x6b,
0xaf, 0x0d, 0xd2, 0x38, 0xa4, 0xf1, 0x94, 0xff, 0x63, 0x24, 0xd3, 0x7a,
};
-static const struct test_op script_7[] = {
- OP_ADD_RX_DCID(empty_conn_id)
- OP_PROVIDE_SECRET_INITIAL(script_7_c2s_init_dcid)
- OP_INJECT_N(7)
- OP_CHECK_PKT_N(7a)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_CHACHA20POLY1305, script_7_handshake_secret)
- OP_CHECK_PKT_N(7b)
- OP_CHECK_NO_PKT() /* not got secret for next packet yet */
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_CHACHA20POLY1305, script_7_1rtt_secret)
- OP_CHECK_PKT_N(7c)
- OP_CHECK_NO_PKT()
+static const struct rx_test_op rx_script_7[] = {
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_7_c2s_init_dcid)
+ RX_OP_INJECT_N(7)
+ RX_OP_CHECK_PKT_N(7a)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_CHACHA20POLY1305, rx_script_7_handshake_secret)
+ RX_OP_CHECK_PKT_N(7b)
+ RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_CHACHA20POLY1305, rx_script_7_1rtt_secret)
+ RX_OP_CHECK_PKT_N(7c)
+ RX_OP_CHECK_NO_PKT()
/* Try injecting the packet again */
- OP_INJECT_N(7)
+ RX_OP_INJECT_N(7)
/*
* Initial packet is not output due to receiving a Handshake packet causing
* auto-discard of Initial keys
*/
- OP_CHECK_PKT_N(7b)
- OP_CHECK_PKT_N(7c)
- OP_CHECK_NO_PKT()
+ RX_OP_CHECK_PKT_N(7b)
+ RX_OP_CHECK_PKT_N(7c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
- OP_INJECT_N(7)
- OP_CHECK_PKT_N(7c)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE)
+ RX_OP_INJECT_N(7)
+ RX_OP_CHECK_PKT_N(7c)
+ RX_OP_CHECK_NO_PKT()
/* Try again */
- OP_INJECT_N(7)
- OP_CHECK_PKT_N(7c)
- OP_CHECK_NO_PKT()
+ RX_OP_INJECT_N(7)
+ RX_OP_CHECK_PKT_N(7c)
+ RX_OP_CHECK_NO_PKT()
/* Try again with discarded 1-RTT keys */
- OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
- OP_INJECT_N(7)
- OP_CHECK_NO_PKT()
+ RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT)
+ RX_OP_INJECT_N(7)
+ RX_OP_CHECK_NO_PKT()
/* Recreate QRL, test reading packets received before key */
- OP_SET_SCID_LEN(0)
- OP_ADD_RX_DCID(empty_conn_id)
- OP_INJECT_N(7)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET_INITIAL(script_7_c2s_init_dcid)
- OP_CHECK_PKT_N(7a)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
- QRL_SUITE_CHACHA20POLY1305, script_7_handshake_secret)
- OP_CHECK_PKT_N(7b)
- OP_CHECK_NO_PKT()
- OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
- QRL_SUITE_CHACHA20POLY1305, script_7_1rtt_secret)
- OP_CHECK_PKT_N(7c)
- OP_CHECK_NO_PKT()
-
- OP_END
-};
-
-static const struct test_op *scripts[] = {
- script_1,
- script_2,
- script_3,
- script_4,
- script_5,
- script_6,
- script_7
+ RX_OP_SET_SCID_LEN(0)
+ RX_OP_ADD_RX_DCID(empty_conn_id)
+ RX_OP_INJECT_N(7)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET_INITIAL(rx_script_7_c2s_init_dcid)
+ RX_OP_CHECK_PKT_N(7a)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE,
+ QRL_SUITE_CHACHA20POLY1305, rx_script_7_handshake_secret)
+ RX_OP_CHECK_PKT_N(7b)
+ RX_OP_CHECK_NO_PKT()
+ RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT,
+ QRL_SUITE_CHACHA20POLY1305, rx_script_7_1rtt_secret)
+ RX_OP_CHECK_PKT_N(7c)
+ RX_OP_CHECK_NO_PKT()
+
+ RX_OP_END
+};
+
+static const struct rx_test_op *rx_scripts[] = {
+ rx_script_1,
+ rx_script_2,
+ rx_script_3,
+ rx_script_4,
+ rx_script_5,
+ rx_script_6,
+ rx_script_7
};
static int cmp_pkt_hdr(const QUIC_PKT_HDR *a, const QUIC_PKT_HDR *b,
return ok;
}
-struct state {
+struct rx_state {
QUIC_DEMUX *demux;
- OSSL_QRL *qrl;
- OSSL_QRL_ARGS args;
+ OSSL_QRX *qrx;
+ OSSL_QRX_ARGS args;
};
-static void state_teardown(struct state *s)
+static void rx_state_teardown(struct rx_state *s)
{
- if (s->qrl != NULL) {
- ossl_qrl_free(s->qrl);
- s->qrl = NULL;
+ if (s->qrx != NULL) {
+ ossl_qrx_free(s->qrx);
+ s->qrx = NULL;
}
if (s->demux != NULL) {
}
}
-static int state_ensure(struct state *s)
+static int rx_state_ensure(struct rx_state *s)
{
if (s->demux == NULL
&& !TEST_ptr(s->demux = ossl_quic_demux_new(NULL,
1500)))
return 0;
- s->args.rx_demux = s->demux;
+ s->args.demux = s->demux;
- if (s->qrl == NULL
- && !TEST_ptr(s->qrl = ossl_qrl_new(&s->args)))
+ if (s->qrx == NULL
+ && !TEST_ptr(s->qrx = ossl_qrx_new(&s->args)))
return 0;
return 1;
}
-static int run_script(const struct test_op *script)
+static int rx_run_script(const struct rx_test_op *script)
{
int testresult = 0, pkt_outstanding = 0;
- struct state s = {0};
+ struct rx_state s = {0};
size_t i;
- OSSL_QRL_RX_PKT pkt = {0};
- const struct test_op *op = script;
+ OSSL_QRX_PKT pkt = {0};
+ const struct rx_test_op *op = script;
- for (; op->op != TEST_OP_END; ++op)
+ for (; op->op != RX_TEST_OP_END; ++op)
switch (op->op) {
- case TEST_OP_SET_SCID_LEN:
- state_teardown(&s);
+ case RX_TEST_OP_SET_SCID_LEN:
+ rx_state_teardown(&s);
s.args.short_conn_id_len = op->enc_level;
break;
- case TEST_OP_SET_INIT_LARGEST_PN:
- state_teardown(&s);
+ case RX_TEST_OP_SET_INIT_LARGEST_PN:
+ rx_state_teardown(&s);
for (i = 0; i < QUIC_PN_SPACE_NUM; ++i)
- s.args.rx_init_largest_pn[i] = op->largest_pn;
+ s.args.init_largest_pn[i] = op->largest_pn;
break;
- case TEST_OP_ADD_RX_DCID:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_ADD_RX_DCID:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_true(ossl_qrl_add_dst_conn_id(s.qrl, op->dcid)))
+ if (!TEST_true(ossl_qrx_add_dst_conn_id(s.qrx, op->dcid)))
goto err;
break;
- case TEST_OP_PROVIDE_SECRET:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_PROVIDE_SECRET:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_true(ossl_qrl_provide_rx_secret(s.qrl, op->enc_level,
- op->suite_id,
- op->buf,
- op->buf_len)))
+ if (!TEST_true(ossl_qrx_provide_secret(s.qrx, op->enc_level,
+ op->suite_id, NULL,
+ op->buf,
+ op->buf_len)))
goto err;
break;
- case TEST_OP_PROVIDE_SECRET_INITIAL:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_PROVIDE_SECRET_INITIAL:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_true(ossl_qrl_provide_rx_secret_initial(s.qrl,
- op->dcid)))
+ if (!TEST_true(ossl_quic_provide_initial_secret(NULL, NULL,
+ op->dcid, 0,
+ s.qrx, NULL)))
goto err;
break;
- case TEST_OP_DISCARD_EL:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_DISCARD_EL:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_true(ossl_qrl_discard_enc_level(s.qrl, op->enc_level)))
+ if (!TEST_true(ossl_qrx_discard_enc_level(s.qrx, op->enc_level)))
goto err;
break;
- case TEST_OP_INJECT:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_INJECT:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
if (!TEST_true(ossl_quic_demux_inject(s.demux,
op->buf, op->buf_len,
NULL, NULL)))
goto err;
break;
- case TEST_OP_CHECK_PKT:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_CHECK_PKT:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_true(ossl_qrl_read_pkt(s.qrl, &pkt)))
+ if (!TEST_true(ossl_qrx_read_pkt(s.qrx, &pkt)))
goto err;
pkt_outstanding = 1;
op->buf, op->buf_len, 1)))
goto err;
- ossl_qrl_release_pkt(s.qrl, pkt.handle);
+ ossl_qrx_release_pkt(s.qrx, pkt.handle);
pkt_outstanding = 0;
break;
- case TEST_OP_CHECK_NO_PKT:
- if (!TEST_true(state_ensure(&s)))
+ case RX_TEST_OP_CHECK_NO_PKT:
+ if (!TEST_true(rx_state_ensure(&s)))
goto err;
- if (!TEST_false(ossl_qrl_read_pkt(s.qrl, &pkt)))
+ if (!TEST_false(ossl_qrx_read_pkt(s.qrx, &pkt)))
goto err;
break;
testresult = 1;
err:
if (pkt_outstanding)
- ossl_qrl_release_pkt(s.qrl, pkt.handle);
- state_teardown(&s);
+ ossl_qrx_release_pkt(s.qrx, pkt.handle);
+ rx_state_teardown(&s);
return testresult;
}
-static int test_script(int idx)
+static int test_rx_script(int idx)
{
- return run_script(scripts[idx]);
+ return rx_run_script(rx_scripts[idx]);
}
/* Packet Header Tests */
return test_wire_pkt_hdr_inner(tidx, repeat, cipher);
}
+/* TX Tests */
+#define TX_TEST_OP_END 0 /* end of script */
+#define TX_TEST_OP_WRITE 1 /* write packet */
+#define TX_TEST_OP_PROVIDE_SECRET 2 /* provide TX secret */
+#define TX_TEST_OP_PROVIDE_SECRET_INITIAL 3 /* provide TX secret for initial */
+#define TX_TEST_OP_DISCARD_EL 4 /* discard an encryption level */
+#define TX_TEST_OP_CHECK_DGRAM 5 /* read datagram, compare to expected */
+#define TX_TEST_OP_CHECK_NO_DGRAM 6 /* check no datagram is in queue */
+
+struct tx_test_op {
+ unsigned char op;
+ const unsigned char *buf;
+ size_t buf_len;
+ const OSSL_QTX_PKT *pkt;
+ uint32_t enc_level, suite_id;
+ const QUIC_CONN_ID *dcid;
+};
+
+#define TX_OP_END \
+ { TX_TEST_OP_END }
+#define TX_OP_WRITE(pkt) \
+ { TX_TEST_OP_WRITE, NULL, 0, &(pkt), 0, 0, NULL },
+#define TX_OP_PROVIDE_SECRET(el, suite, key) \
+ { \
+ TX_TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \
+ NULL, (el), (suite), NULL \
+ },
+#define TX_OP_PROVIDE_SECRET_INITIAL(dcid, is_server) \
+ { TX_TEST_OP_PROVIDE_SECRET_INITIAL, \
+ NULL, 0, NULL, 0, (is_server), &(dcid) },
+#define TX_OP_DISCARD_EL(el) \
+ { TX_TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, NULL },
+#define TX_OP_CHECK_DGRAM(expect_dgram) \
+ { \
+ TX_TEST_OP_CHECK_DGRAM, (expect_dgram), sizeof(expect_dgram), \
+ NULL, 0, 0, NULL \
+ },
+#define TX_OP_CHECK_NO_DGRAM() \
+ { TX_TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, NULL },
+
+#define TX_OP_WRITE_N(n) \
+ TX_OP_WRITE(tx_script_##n##_pkt)
+#define TX_OP_CHECK_DGRAM_N(n) \
+ TX_OP_CHECK_DGRAM(tx_script_##n##_dgram)
+
+#define TX_OP_WRITE_CHECK(n) \
+ TX_OP_WRITE_N(n) \
+ TX_OP_CHECK_DGRAM_N(n)
+
+/* 1. RFC 9001 - A.2 Client Initial */
+static const unsigned char tx_script_1_body[1162] = {
+ 0x06, 0x00, 0x40, 0xf1, 0x01, 0x00, 0x00, 0xed, 0x03, 0x03, 0xeb, 0xf8,
+ 0xfa, 0x56, 0xf1, 0x29, 0x39, 0xb9, 0x58, 0x4a, 0x38, 0x96, 0x47, 0x2e,
+ 0xc4, 0x0b, 0xb8, 0x63, 0xcf, 0xd3, 0xe8, 0x68, 0x04, 0xfe, 0x3a, 0x47,
+ 0xf0, 0x6a, 0x2b, 0x69, 0x48, 0x4c, 0x00, 0x00, 0x04, 0x13, 0x01, 0x13,
+ 0x02, 0x01, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00,
+ 0x00, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f,
+ 0x6d, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06,
+ 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x10, 0x00, 0x07, 0x00, 0x05,
+ 0x04, 0x61, 0x6c, 0x70, 0x6e, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20,
+ 0x93, 0x70, 0xb2, 0xc9, 0xca, 0xa4, 0x7f, 0xba, 0xba, 0xf4, 0x55, 0x9f,
+ 0xed, 0xba, 0x75, 0x3d, 0xe1, 0x71, 0xfa, 0x71, 0xf5, 0x0f, 0x1c, 0xe1,
+ 0x5d, 0x43, 0xe9, 0x94, 0xec, 0x74, 0xd7, 0x48, 0x00, 0x2b, 0x00, 0x03,
+ 0x02, 0x03, 0x04, 0x00, 0x0d, 0x00, 0x10, 0x00, 0x0e, 0x04, 0x03, 0x05,
+ 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x00,
+ 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01, 0x00,
+ 0x39, 0x00, 0x32, 0x04, 0x08, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0x05, 0x04, 0x80, 0x00, 0xff, 0xff, 0x07, 0x04, 0x80, 0x00, 0xff,
+ 0xff, 0x08, 0x01, 0x10, 0x01, 0x04, 0x80, 0x00, 0x75, 0x30, 0x09, 0x01,
+ 0x10, 0x0f, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08, 0x06,
+ 0x04, 0x80, 0x00, 0xff, 0xff /* followed by zero padding */
+};
+
+static const unsigned char tx_script_1_dgram[] = {
+ 0xc0, 0x00, 0x00, 0x00, 0x01, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51,
+ 0x57, 0x08, 0x00, 0x00, 0x44, 0x9e, 0x7b, 0x9a, 0xec, 0x34, 0xd1, 0xb1,
+ 0xc9, 0x8d, 0xd7, 0x68, 0x9f, 0xb8, 0xec, 0x11, 0xd2, 0x42, 0xb1, 0x23,
+ 0xdc, 0x9b, 0xd8, 0xba, 0xb9, 0x36, 0xb4, 0x7d, 0x92, 0xec, 0x35, 0x6c,
+ 0x0b, 0xab, 0x7d, 0xf5, 0x97, 0x6d, 0x27, 0xcd, 0x44, 0x9f, 0x63, 0x30,
+ 0x00, 0x99, 0xf3, 0x99, 0x1c, 0x26, 0x0e, 0xc4, 0xc6, 0x0d, 0x17, 0xb3,
+ 0x1f, 0x84, 0x29, 0x15, 0x7b, 0xb3, 0x5a, 0x12, 0x82, 0xa6, 0x43, 0xa8,
+ 0xd2, 0x26, 0x2c, 0xad, 0x67, 0x50, 0x0c, 0xad, 0xb8, 0xe7, 0x37, 0x8c,
+ 0x8e, 0xb7, 0x53, 0x9e, 0xc4, 0xd4, 0x90, 0x5f, 0xed, 0x1b, 0xee, 0x1f,
+ 0xc8, 0xaa, 0xfb, 0xa1, 0x7c, 0x75, 0x0e, 0x2c, 0x7a, 0xce, 0x01, 0xe6,
+ 0x00, 0x5f, 0x80, 0xfc, 0xb7, 0xdf, 0x62, 0x12, 0x30, 0xc8, 0x37, 0x11,
+ 0xb3, 0x93, 0x43, 0xfa, 0x02, 0x8c, 0xea, 0x7f, 0x7f, 0xb5, 0xff, 0x89,
+ 0xea, 0xc2, 0x30, 0x82, 0x49, 0xa0, 0x22, 0x52, 0x15, 0x5e, 0x23, 0x47,
+ 0xb6, 0x3d, 0x58, 0xc5, 0x45, 0x7a, 0xfd, 0x84, 0xd0, 0x5d, 0xff, 0xfd,
+ 0xb2, 0x03, 0x92, 0x84, 0x4a, 0xe8, 0x12, 0x15, 0x46, 0x82, 0xe9, 0xcf,
+ 0x01, 0x2f, 0x90, 0x21, 0xa6, 0xf0, 0xbe, 0x17, 0xdd, 0xd0, 0xc2, 0x08,
+ 0x4d, 0xce, 0x25, 0xff, 0x9b, 0x06, 0xcd, 0xe5, 0x35, 0xd0, 0xf9, 0x20,
+ 0xa2, 0xdb, 0x1b, 0xf3, 0x62, 0xc2, 0x3e, 0x59, 0x6d, 0x11, 0xa4, 0xf5,
+ 0xa6, 0xcf, 0x39, 0x48, 0x83, 0x8a, 0x3a, 0xec, 0x4e, 0x15, 0xda, 0xf8,
+ 0x50, 0x0a, 0x6e, 0xf6, 0x9e, 0xc4, 0xe3, 0xfe, 0xb6, 0xb1, 0xd9, 0x8e,
+ 0x61, 0x0a, 0xc8, 0xb7, 0xec, 0x3f, 0xaf, 0x6a, 0xd7, 0x60, 0xb7, 0xba,
+ 0xd1, 0xdb, 0x4b, 0xa3, 0x48, 0x5e, 0x8a, 0x94, 0xdc, 0x25, 0x0a, 0xe3,
+ 0xfd, 0xb4, 0x1e, 0xd1, 0x5f, 0xb6, 0xa8, 0xe5, 0xeb, 0xa0, 0xfc, 0x3d,
+ 0xd6, 0x0b, 0xc8, 0xe3, 0x0c, 0x5c, 0x42, 0x87, 0xe5, 0x38, 0x05, 0xdb,
+ 0x05, 0x9a, 0xe0, 0x64, 0x8d, 0xb2, 0xf6, 0x42, 0x64, 0xed, 0x5e, 0x39,
+ 0xbe, 0x2e, 0x20, 0xd8, 0x2d, 0xf5, 0x66, 0xda, 0x8d, 0xd5, 0x99, 0x8c,
+ 0xca, 0xbd, 0xae, 0x05, 0x30, 0x60, 0xae, 0x6c, 0x7b, 0x43, 0x78, 0xe8,
+ 0x46, 0xd2, 0x9f, 0x37, 0xed, 0x7b, 0x4e, 0xa9, 0xec, 0x5d, 0x82, 0xe7,
+ 0x96, 0x1b, 0x7f, 0x25, 0xa9, 0x32, 0x38, 0x51, 0xf6, 0x81, 0xd5, 0x82,
+ 0x36, 0x3a, 0xa5, 0xf8, 0x99, 0x37, 0xf5, 0xa6, 0x72, 0x58, 0xbf, 0x63,
+ 0xad, 0x6f, 0x1a, 0x0b, 0x1d, 0x96, 0xdb, 0xd4, 0xfa, 0xdd, 0xfc, 0xef,
+ 0xc5, 0x26, 0x6b, 0xa6, 0x61, 0x17, 0x22, 0x39, 0x5c, 0x90, 0x65, 0x56,
+ 0xbe, 0x52, 0xaf, 0xe3, 0xf5, 0x65, 0x63, 0x6a, 0xd1, 0xb1, 0x7d, 0x50,
+ 0x8b, 0x73, 0xd8, 0x74, 0x3e, 0xeb, 0x52, 0x4b, 0xe2, 0x2b, 0x3d, 0xcb,
+ 0xc2, 0xc7, 0x46, 0x8d, 0x54, 0x11, 0x9c, 0x74, 0x68, 0x44, 0x9a, 0x13,
+ 0xd8, 0xe3, 0xb9, 0x58, 0x11, 0xa1, 0x98, 0xf3, 0x49, 0x1d, 0xe3, 0xe7,
+ 0xfe, 0x94, 0x2b, 0x33, 0x04, 0x07, 0xab, 0xf8, 0x2a, 0x4e, 0xd7, 0xc1,
+ 0xb3, 0x11, 0x66, 0x3a, 0xc6, 0x98, 0x90, 0xf4, 0x15, 0x70, 0x15, 0x85,
+ 0x3d, 0x91, 0xe9, 0x23, 0x03, 0x7c, 0x22, 0x7a, 0x33, 0xcd, 0xd5, 0xec,
+ 0x28, 0x1c, 0xa3, 0xf7, 0x9c, 0x44, 0x54, 0x6b, 0x9d, 0x90, 0xca, 0x00,
+ 0xf0, 0x64, 0xc9, 0x9e, 0x3d, 0xd9, 0x79, 0x11, 0xd3, 0x9f, 0xe9, 0xc5,
+ 0xd0, 0xb2, 0x3a, 0x22, 0x9a, 0x23, 0x4c, 0xb3, 0x61, 0x86, 0xc4, 0x81,
+ 0x9e, 0x8b, 0x9c, 0x59, 0x27, 0x72, 0x66, 0x32, 0x29, 0x1d, 0x6a, 0x41,
+ 0x82, 0x11, 0xcc, 0x29, 0x62, 0xe2, 0x0f, 0xe4, 0x7f, 0xeb, 0x3e, 0xdf,
+ 0x33, 0x0f, 0x2c, 0x60, 0x3a, 0x9d, 0x48, 0xc0, 0xfc, 0xb5, 0x69, 0x9d,
+ 0xbf, 0xe5, 0x89, 0x64, 0x25, 0xc5, 0xba, 0xc4, 0xae, 0xe8, 0x2e, 0x57,
+ 0xa8, 0x5a, 0xaf, 0x4e, 0x25, 0x13, 0xe4, 0xf0, 0x57, 0x96, 0xb0, 0x7b,
+ 0xa2, 0xee, 0x47, 0xd8, 0x05, 0x06, 0xf8, 0xd2, 0xc2, 0x5e, 0x50, 0xfd,
+ 0x14, 0xde, 0x71, 0xe6, 0xc4, 0x18, 0x55, 0x93, 0x02, 0xf9, 0x39, 0xb0,
+ 0xe1, 0xab, 0xd5, 0x76, 0xf2, 0x79, 0xc4, 0xb2, 0xe0, 0xfe, 0xb8, 0x5c,
+ 0x1f, 0x28, 0xff, 0x18, 0xf5, 0x88, 0x91, 0xff, 0xef, 0x13, 0x2e, 0xef,
+ 0x2f, 0xa0, 0x93, 0x46, 0xae, 0xe3, 0x3c, 0x28, 0xeb, 0x13, 0x0f, 0xf2,
+ 0x8f, 0x5b, 0x76, 0x69, 0x53, 0x33, 0x41, 0x13, 0x21, 0x19, 0x96, 0xd2,
+ 0x00, 0x11, 0xa1, 0x98, 0xe3, 0xfc, 0x43, 0x3f, 0x9f, 0x25, 0x41, 0x01,
+ 0x0a, 0xe1, 0x7c, 0x1b, 0xf2, 0x02, 0x58, 0x0f, 0x60, 0x47, 0x47, 0x2f,
+ 0xb3, 0x68, 0x57, 0xfe, 0x84, 0x3b, 0x19, 0xf5, 0x98, 0x40, 0x09, 0xdd,
+ 0xc3, 0x24, 0x04, 0x4e, 0x84, 0x7a, 0x4f, 0x4a, 0x0a, 0xb3, 0x4f, 0x71,
+ 0x95, 0x95, 0xde, 0x37, 0x25, 0x2d, 0x62, 0x35, 0x36, 0x5e, 0x9b, 0x84,
+ 0x39, 0x2b, 0x06, 0x10, 0x85, 0x34, 0x9d, 0x73, 0x20, 0x3a, 0x4a, 0x13,
+ 0xe9, 0x6f, 0x54, 0x32, 0xec, 0x0f, 0xd4, 0xa1, 0xee, 0x65, 0xac, 0xcd,
+ 0xd5, 0xe3, 0x90, 0x4d, 0xf5, 0x4c, 0x1d, 0xa5, 0x10, 0xb0, 0xff, 0x20,
+ 0xdc, 0xc0, 0xc7, 0x7f, 0xcb, 0x2c, 0x0e, 0x0e, 0xb6, 0x05, 0xcb, 0x05,
+ 0x04, 0xdb, 0x87, 0x63, 0x2c, 0xf3, 0xd8, 0xb4, 0xda, 0xe6, 0xe7, 0x05,
+ 0x76, 0x9d, 0x1d, 0xe3, 0x54, 0x27, 0x01, 0x23, 0xcb, 0x11, 0x45, 0x0e,
+ 0xfc, 0x60, 0xac, 0x47, 0x68, 0x3d, 0x7b, 0x8d, 0x0f, 0x81, 0x13, 0x65,
+ 0x56, 0x5f, 0xd9, 0x8c, 0x4c, 0x8e, 0xb9, 0x36, 0xbc, 0xab, 0x8d, 0x06,
+ 0x9f, 0xc3, 0x3b, 0xd8, 0x01, 0xb0, 0x3a, 0xde, 0xa2, 0xe1, 0xfb, 0xc5,
+ 0xaa, 0x46, 0x3d, 0x08, 0xca, 0x19, 0x89, 0x6d, 0x2b, 0xf5, 0x9a, 0x07,
+ 0x1b, 0x85, 0x1e, 0x6c, 0x23, 0x90, 0x52, 0x17, 0x2f, 0x29, 0x6b, 0xfb,
+ 0x5e, 0x72, 0x40, 0x47, 0x90, 0xa2, 0x18, 0x10, 0x14, 0xf3, 0xb9, 0x4a,
+ 0x4e, 0x97, 0xd1, 0x17, 0xb4, 0x38, 0x13, 0x03, 0x68, 0xcc, 0x39, 0xdb,
+ 0xb2, 0xd1, 0x98, 0x06, 0x5a, 0xe3, 0x98, 0x65, 0x47, 0x92, 0x6c, 0xd2,
+ 0x16, 0x2f, 0x40, 0xa2, 0x9f, 0x0c, 0x3c, 0x87, 0x45, 0xc0, 0xf5, 0x0f,
+ 0xba, 0x38, 0x52, 0xe5, 0x66, 0xd4, 0x45, 0x75, 0xc2, 0x9d, 0x39, 0xa0,
+ 0x3f, 0x0c, 0xda, 0x72, 0x19, 0x84, 0xb6, 0xf4, 0x40, 0x59, 0x1f, 0x35,
+ 0x5e, 0x12, 0xd4, 0x39, 0xff, 0x15, 0x0a, 0xab, 0x76, 0x13, 0x49, 0x9d,
+ 0xbd, 0x49, 0xad, 0xab, 0xc8, 0x67, 0x6e, 0xef, 0x02, 0x3b, 0x15, 0xb6,
+ 0x5b, 0xfc, 0x5c, 0xa0, 0x69, 0x48, 0x10, 0x9f, 0x23, 0xf3, 0x50, 0xdb,
+ 0x82, 0x12, 0x35, 0x35, 0xeb, 0x8a, 0x74, 0x33, 0xbd, 0xab, 0xcb, 0x90,
+ 0x92, 0x71, 0xa6, 0xec, 0xbc, 0xb5, 0x8b, 0x93, 0x6a, 0x88, 0xcd, 0x4e,
+ 0x8f, 0x2e, 0x6f, 0xf5, 0x80, 0x01, 0x75, 0xf1, 0x13, 0x25, 0x3d, 0x8f,
+ 0xa9, 0xca, 0x88, 0x85, 0xc2, 0xf5, 0x52, 0xe6, 0x57, 0xdc, 0x60, 0x3f,
+ 0x25, 0x2e, 0x1a, 0x8e, 0x30, 0x8f, 0x76, 0xf0, 0xbe, 0x79, 0xe2, 0xfb,
+ 0x8f, 0x5d, 0x5f, 0xbb, 0xe2, 0xe3, 0x0e, 0xca, 0xdd, 0x22, 0x07, 0x23,
+ 0xc8, 0xc0, 0xae, 0xa8, 0x07, 0x8c, 0xdf, 0xcb, 0x38, 0x68, 0x26, 0x3f,
+ 0xf8, 0xf0, 0x94, 0x00, 0x54, 0xda, 0x48, 0x78, 0x18, 0x93, 0xa7, 0xe4,
+ 0x9a, 0xd5, 0xaf, 0xf4, 0xaf, 0x30, 0x0c, 0xd8, 0x04, 0xa6, 0xb6, 0x27,
+ 0x9a, 0xb3, 0xff, 0x3a, 0xfb, 0x64, 0x49, 0x1c, 0x85, 0x19, 0x4a, 0xab,
+ 0x76, 0x0d, 0x58, 0xa6, 0x06, 0x65, 0x4f, 0x9f, 0x44, 0x00, 0xe8, 0xb3,
+ 0x85, 0x91, 0x35, 0x6f, 0xbf, 0x64, 0x25, 0xac, 0xa2, 0x6d, 0xc8, 0x52,
+ 0x44, 0x25, 0x9f, 0xf2, 0xb1, 0x9c, 0x41, 0xb9, 0xf9, 0x6f, 0x3c, 0xa9,
+ 0xec, 0x1d, 0xde, 0x43, 0x4d, 0xa7, 0xd2, 0xd3, 0x92, 0xb9, 0x05, 0xdd,
+ 0xf3, 0xd1, 0xf9, 0xaf, 0x93, 0xd1, 0xaf, 0x59, 0x50, 0xbd, 0x49, 0x3f,
+ 0x5a, 0xa7, 0x31, 0xb4, 0x05, 0x6d, 0xf3, 0x1b, 0xd2, 0x67, 0xb6, 0xb9,
+ 0x0a, 0x07, 0x98, 0x31, 0xaa, 0xf5, 0x79, 0xbe, 0x0a, 0x39, 0x01, 0x31,
+ 0x37, 0xaa, 0xc6, 0xd4, 0x04, 0xf5, 0x18, 0xcf, 0xd4, 0x68, 0x40, 0x64,
+ 0x7e, 0x78, 0xbf, 0xe7, 0x06, 0xca, 0x4c, 0xf5, 0xe9, 0xc5, 0x45, 0x3e,
+ 0x9f, 0x7c, 0xfd, 0x2b, 0x8b, 0x4c, 0x8d, 0x16, 0x9a, 0x44, 0xe5, 0x5c,
+ 0x88, 0xd4, 0xa9, 0xa7, 0xf9, 0x47, 0x42, 0x41, 0xe2, 0x21, 0xaf, 0x44,
+ 0x86, 0x00, 0x18, 0xab, 0x08, 0x56, 0x97, 0x2e, 0x19, 0x4c, 0xd9, 0x34
+};
+
+static QUIC_PKT_HDR tx_script_1_hdr = {
+ QUIC_PKT_TYPE_INITIAL, /* type */
+ 0, /* spin bit */
+ 0, /* key phase */
+ 4, /* PN length */
+ 0, /* partial */
+ 0, /* fixed */
+ 1, /* version */
+ {8, {0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08}}, /* DCID */
+ { 0, {0} }, /* SCID */
+ { 0 }, /* PN */
+ NULL, 0, /* Token */
+ 5555, NULL /* Len/Data */
+};
+
+static const OSSL_QTX_IOVEC tx_script_1_iovec[] = {
+ { tx_script_1_body, sizeof(tx_script_1_body) }
+};
+
+static const OSSL_QTX_PKT tx_script_1_pkt = {
+ &tx_script_1_hdr,
+ tx_script_1_iovec,
+ OSSL_NELEM(tx_script_1_iovec),
+ NULL, NULL,
+ 2,
+ 0
+};
+
+static const struct tx_test_op tx_script_1[] = {
+ TX_OP_PROVIDE_SECRET_INITIAL(tx_script_1_hdr.dst_conn_id, 0)
+ TX_OP_WRITE_CHECK(1)
+ TX_OP_END
+};
+
+/* 2. RFC 9001 - A.3 Server Initial */
+static const unsigned char tx_script_2_body[] = {
+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x40, 0x5a, 0x02, 0x00, 0x00,
+ 0x56, 0x03, 0x03, 0xee, 0xfc, 0xe7, 0xf7, 0xb3, 0x7b, 0xa1, 0xd1, 0x63,
+ 0x2e, 0x96, 0x67, 0x78, 0x25, 0xdd, 0xf7, 0x39, 0x88, 0xcf, 0xc7, 0x98,
+ 0x25, 0xdf, 0x56, 0x6d, 0xc5, 0x43, 0x0b, 0x9a, 0x04, 0x5a, 0x12, 0x00,
+ 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24, 0x00, 0x1d, 0x00,
+ 0x20, 0x9d, 0x3c, 0x94, 0x0d, 0x89, 0x69, 0x0b, 0x84, 0xd0, 0x8a, 0x60,
+ 0x99, 0x3c, 0x14, 0x4e, 0xca, 0x68, 0x4d, 0x10, 0x81, 0x28, 0x7c, 0x83,
+ 0x4d, 0x53, 0x11, 0xbc, 0xf3, 0x2b, 0xb9, 0xda, 0x1a, 0x00, 0x2b, 0x00,
+ 0x02, 0x03, 0x04
+};
+
+static const unsigned char tx_script_2_dgram[] = {
+
+ 0xcf, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xf0, 0x67, 0xa5, 0x50, 0x2a,
+ 0x42, 0x62, 0xb5, 0x00, 0x40, 0x75, 0xc0, 0xd9, 0x5a, 0x48, 0x2c, 0xd0,
+ 0x99, 0x1c, 0xd2, 0x5b, 0x0a, 0xac, 0x40, 0x6a, 0x58, 0x16, 0xb6, 0x39,
+ 0x41, 0x00, 0xf3, 0x7a, 0x1c, 0x69, 0x79, 0x75, 0x54, 0x78, 0x0b, 0xb3,
+ 0x8c, 0xc5, 0xa9, 0x9f, 0x5e, 0xde, 0x4c, 0xf7, 0x3c, 0x3e, 0xc2, 0x49,
+ 0x3a, 0x18, 0x39, 0xb3, 0xdb, 0xcb, 0xa3, 0xf6, 0xea, 0x46, 0xc5, 0xb7,
+ 0x68, 0x4d, 0xf3, 0x54, 0x8e, 0x7d, 0xde, 0xb9, 0xc3, 0xbf, 0x9c, 0x73,
+ 0xcc, 0x3f, 0x3b, 0xde, 0xd7, 0x4b, 0x56, 0x2b, 0xfb, 0x19, 0xfb, 0x84,
+ 0x02, 0x2f, 0x8e, 0xf4, 0xcd, 0xd9, 0x37, 0x95, 0xd7, 0x7d, 0x06, 0xed,
+ 0xbb, 0x7a, 0xaf, 0x2f, 0x58, 0x89, 0x18, 0x50, 0xab, 0xbd, 0xca, 0x3d,
+ 0x20, 0x39, 0x8c, 0x27, 0x64, 0x56, 0xcb, 0xc4, 0x21, 0x58, 0x40, 0x7d,
+ 0xd0, 0x74, 0xee
+};
+
+static QUIC_PKT_HDR tx_script_2_hdr = {
+ QUIC_PKT_TYPE_INITIAL, /* type */
+ 0, /* spin bit */
+ 0, /* key phase */
+ 2, /* PN length */
+ 0, /* partial */
+ 0, /* fixed */
+ 1, /* version */
+ { 0, {0} }, /* DCID */
+ {8, {0xf0, 0x67, 0xa5, 0x50, 0x2a, 0x42, 0x62, 0xb5}}, /* SCID */
+ { 0 }, /* PN */
+ NULL, 0, /* Token */
+ 5555, NULL /* Len/Data */
+};
+
+static const OSSL_QTX_IOVEC tx_script_2_iovec[] = {
+ { tx_script_2_body, sizeof(tx_script_2_body) }
+};
+
+static const OSSL_QTX_PKT tx_script_2_pkt = {
+ &tx_script_2_hdr,
+ tx_script_2_iovec,
+ OSSL_NELEM(tx_script_2_iovec),
+ NULL, NULL,
+ 1,
+ 0
+};
+
+static const struct tx_test_op tx_script_2[] = {
+ TX_OP_PROVIDE_SECRET_INITIAL(tx_script_1_hdr.dst_conn_id, 1)
+ TX_OP_WRITE_CHECK(2)
+ TX_OP_END
+};
+
+/* 3. RFC 9001 - A.5 ChaCha20-Poly1305 Short Header Packet */
+static const unsigned char tx_script_3_body[] = {
+ 0x01
+};
+
+static const unsigned char tx_script_3_dgram[] = {
+ 0x4c, 0xfe, 0x41, 0x89, 0x65, 0x5e, 0x5c, 0xd5, 0x5c, 0x41, 0xf6, 0x90,
+ 0x80, 0x57, 0x5d, 0x79, 0x99, 0xc2, 0x5a, 0x5b, 0xfb
+};
+static const unsigned char tx_script_3_secret[] = {
+ 0x9a, 0xc3, 0x12, 0xa7, 0xf8, 0x77, 0x46, 0x8e, 0xbe, 0x69, 0x42, 0x27,
+ 0x48, 0xad, 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60,
+ 0x60, 0xf6, 0x88, 0xf3, 0x0f, 0x21, 0x63, 0x2b
+};
+
+static QUIC_PKT_HDR tx_script_3_hdr = {
+ QUIC_PKT_TYPE_1RTT, /* type */
+ 0, /* spin bit */
+ 0, /* key phase */
+ 3, /* PN length */
+ 0, /* partial */
+ 0, /* fixed */
+ 0, /* version */
+ { 0, {0} }, /* DCID */
+ { 0, {0} }, /* SCID */
+ { 0 }, /* PN */
+ NULL, 0, /* Token */
+ 5555, NULL /* Len/Data */
+};
+
+static const OSSL_QTX_IOVEC tx_script_3_iovec[] = {
+ { tx_script_3_body, sizeof(tx_script_3_body) }
+};
+
+static const OSSL_QTX_PKT tx_script_3_pkt = {
+ &tx_script_3_hdr,
+ tx_script_3_iovec,
+ OSSL_NELEM(tx_script_3_iovec),
+ NULL, NULL,
+ 654360564,
+ 0
+};
+
+static const struct tx_test_op tx_script_3[] = {
+ TX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305, tx_script_3_secret)
+ TX_OP_WRITE_CHECK(3)
+ TX_OP_END
+};
+
+static const struct tx_test_op *const tx_scripts[] = {
+ tx_script_1,
+ tx_script_2,
+ tx_script_3
+};
+
+static int tx_run_script(const struct tx_test_op *script)
+{
+ int testresult = 0;
+ const struct tx_test_op *op = script;
+ OSSL_QTX *qtx = NULL;
+ BIO_MSG msg = {0};
+ OSSL_QTX_ARGS args = {0};
+
+ args.mdpl = 1472;
+
+ if (!TEST_ptr(qtx = ossl_qtx_new(&args)))
+ goto err;
+
+ for (; op->op != TX_TEST_OP_END; ++op)
+ switch (op->op) {
+ case TX_TEST_OP_PROVIDE_SECRET:
+ if (!TEST_true(ossl_qtx_provide_secret(qtx, op->enc_level,
+ op->suite_id, NULL,
+ op->buf, op->buf_len)))
+ goto err;
+ break;
+ case TX_TEST_OP_PROVIDE_SECRET_INITIAL:
+ if (!TEST_true(ossl_quic_provide_initial_secret(NULL, NULL,
+ op->dcid,
+ (int)op->suite_id,
+ NULL, qtx)))
+ goto err;
+ break;
+ case TX_TEST_OP_DISCARD_EL:
+ if (!TEST_true(ossl_qtx_discard_enc_level(qtx, op->enc_level)))
+ goto err;
+ break;
+ case TX_TEST_OP_WRITE:
+ {
+ uint32_t enc_level
+ = ossl_quic_pkt_type_to_enc_level(op->pkt->hdr->type);
+ uint64_t old_value = 0, new_value, max_value;
+
+ if (enc_level < QUIC_ENC_LEVEL_NUM) { /* encrypted packet */
+ max_value = ossl_qtx_get_max_epoch_pkt_count(qtx, enc_level);
+
+ if (!TEST_uint64_t_lt(max_value, UINT64_MAX))
+ goto err;
+
+ old_value = ossl_qtx_get_cur_epoch_pkt_count(qtx, enc_level);
+ if (!TEST_uint64_t_lt(old_value, UINT64_MAX))
+ goto err;
+ }
+
+ if (!TEST_true(ossl_qtx_write_pkt(qtx, op->pkt)))
+ goto err;
+
+ if (enc_level < QUIC_ENC_LEVEL_NUM) {
+ new_value = ossl_qtx_get_cur_epoch_pkt_count(qtx, enc_level);
+ if (!TEST_uint64_t_eq(old_value + 1, new_value))
+ goto err;
+ }
+ }
+ break;
+ case TX_TEST_OP_CHECK_DGRAM:
+ if (!TEST_true(ossl_qtx_pop_net(qtx, &msg)))
+ goto err;
+
+ if (!TEST_mem_eq(msg.data, msg.data_len, op->buf, op->buf_len))
+ goto err;
+
+ break;
+ case TX_TEST_OP_CHECK_NO_DGRAM:
+ if (!TEST_false(ossl_qtx_pop_net(qtx, &msg)))
+ goto err;
+ break;
+ default:
+ OPENSSL_assert(0);
+ goto err;
+ }
+
+ testresult = 1;
+err:
+ if (qtx != NULL)
+ ossl_qtx_free(qtx);
+
+ return testresult;
+}
+
+static int test_tx_script(int idx)
+{
+ return tx_run_script(tx_scripts[idx]);
+}
+
int setup_tests(void)
{
- ADD_ALL_TESTS(test_script, OSSL_NELEM(scripts));
+ ADD_ALL_TESTS(test_rx_script, OSSL_NELEM(rx_scripts));
/*
* Each instance of this test is executed multiple times to get enough
* statistical coverage for our statistical test, as well as for each
* and otherwise random test ordering will cause itt to randomly fail.
*/
ADD_ALL_TESTS(test_wire_pkt_hdr, NUM_WIRE_PKT_HDR_TESTS + 1);
+ ADD_ALL_TESTS(test_tx_script, OSSL_NELEM(tx_scripts));
return 1;
}
projects / thirdparty / openssl.git / commitdiff
