2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
13 #include "internal/quic_error.h"
15 #define QUIC_TLS_FATAL(rl, ad, err) \
18 ERR_raise(ERR_LIB_SSL, (err)); \
19 (rl)->qtls->inerror = 1; \
26 * Transport parameters which client should send. Buffer lifetime must
27 * exceed the lifetime of the QUIC_TLS object.
29 const unsigned char *local_transport_params
;
30 size_t local_transport_params_len
;
32 ERR_STATE
*error_state
;
35 * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
36 * only if inerror is 1.
41 * Error message with static storage duration. Valid only if inerror is 1.
42 * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
44 const char *error_msg
;
46 /* Whether our SSL object for TLS has been configured for use in QUIC */
47 unsigned int configured
: 1;
49 /* Set if we have hit any error state */
50 unsigned int inerror
: 1;
52 /* Set if the handshake has completed */
53 unsigned int complete
: 1;
56 struct ossl_record_layer_st
{
59 /* Protection level */
62 /* Only used for retry flags */
65 /* Number of bytes written so far if we are part way through a write */
68 /* If we are part way through a write, a copy of the template */
69 OSSL_RECORD_TEMPLATE
template;
72 * If we hit an error, what alert code should be used
76 /* Amount of crypto stream data we read in the last call to quic_read_record */
79 /* Amount of crypto stream data read but not yet released */
83 OSSL_FUNC_rlayer_msg_callback_fn
*msg_callback
;
88 quic_new_record_layer(OSSL_LIB_CTX
*libctx
, const char *propq
, int vers
,
89 int role
, int direction
, int level
, uint16_t epoch
,
90 unsigned char *secret
, size_t secretlen
,
91 unsigned char *key
, size_t keylen
, unsigned char *iv
,
92 size_t ivlen
, unsigned char *mackey
, size_t mackeylen
,
93 const EVP_CIPHER
*ciph
, size_t taglen
,
95 const EVP_MD
*md
, COMP_METHOD
*comp
,
96 const EVP_MD
*kdfdigest
, BIO
*prev
, BIO
*transport
,
97 BIO
*next
, BIO_ADDR
*local
, BIO_ADDR
*peer
,
98 const OSSL_PARAM
*settings
, const OSSL_PARAM
*options
,
99 const OSSL_DISPATCH
*fns
, void *cbarg
, void *rlarg
,
100 OSSL_RECORD_LAYER
**retrl
)
102 OSSL_RECORD_LAYER
*rl
= OPENSSL_zalloc(sizeof(*rl
));
105 uint32_t suite_id
= 0;
108 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
112 rl
->qtls
= (QUIC_TLS
*)rlarg
;
114 rl
->dummybio
= transport
;
119 for (; fns
->function_id
!= 0; fns
++) {
120 switch (fns
->function_id
) {
122 case OSSL_FUNC_RLAYER_MSG_CALLBACK
:
123 rl
->msg_callback
= OSSL_FUNC_rlayer_msg_callback(fns
);
126 /* Just ignore anything we don't understand */
133 case OSSL_RECORD_PROTECTION_LEVEL_NONE
:
136 case OSSL_RECORD_PROTECTION_LEVEL_EARLY
:
137 enc_level
= QUIC_ENC_LEVEL_0RTT
;
140 case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE
:
141 enc_level
= QUIC_ENC_LEVEL_HANDSHAKE
;
144 case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION
:
145 enc_level
= QUIC_ENC_LEVEL_1RTT
;
149 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
153 if (direction
== OSSL_RECORD_DIRECTION_READ
)
158 if (EVP_CIPHER_is_a(ciph
, "AES-128-GCM")) {
159 suite_id
= QRL_SUITE_AES128GCM
;
160 } else if (EVP_CIPHER_is_a(ciph
, "AES-256-GCM")) {
161 suite_id
= QRL_SUITE_AES256GCM
;
162 } else if (EVP_CIPHER_is_a(ciph
, "CHACHA20-POLY1305")) {
163 suite_id
= QRL_SUITE_CHACHA20POLY1305
;
165 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_UNKNOWN_CIPHER_TYPE
);
169 /* We pass a ref to the md in a successful yield_secret_cb call */
170 /* TODO(QUIC): This cast is horrible. We should try and remove it */
171 if (!EVP_MD_up_ref((EVP_MD
*)kdfdigest
)) {
172 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
176 if (!rl
->qtls
->args
.yield_secret_cb(enc_level
, qdir
, suite_id
,
177 (EVP_MD
*)kdfdigest
, secret
, secretlen
,
178 rl
->qtls
->args
.yield_secret_cb_arg
)) {
179 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
180 EVP_MD_free((EVP_MD
*)kdfdigest
);
191 static int quic_free(OSSL_RECORD_LAYER
*rl
)
200 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER
*rl
)
203 * Read ahead isn't really a thing for QUIC so we never have unprocessed
209 static int quic_processed_read_pending(OSSL_RECORD_LAYER
*rl
)
212 * This is currently only ever used by:
213 * - SSL_has_pending()
214 * - to check whether we have more records that we want to supply to the
217 * We only ever supply 1 record at a time to the upper layers, and
218 * SSL_has_pending() will go via the QUIC method not the TLS method so that
219 * use case doesn't apply here.
220 * Therefore we can ignore this for now and always return 0. We might
221 * eventually want to change this to check in the receive buffers to see if
222 * we have any more data pending.
227 static size_t quic_get_max_records(OSSL_RECORD_LAYER
*rl
, int type
, size_t len
,
228 size_t maxfrag
, size_t *preffrag
)
233 static int quic_write_records(OSSL_RECORD_LAYER
*rl
,
234 OSSL_RECORD_TEMPLATE
*template,
240 if (!ossl_assert(numtempl
== 1)) {
241 /* How could this be? quic_get_max_records() always returns 1 */
242 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
243 return OSSL_RECORD_RETURN_FATAL
;
246 BIO_clear_retry_flags(rl
->dummybio
);
248 if (rl
->msg_callback
!= NULL
) {
249 unsigned char dummyrec
[SSL3_RT_HEADER_LENGTH
];
252 * For the purposes of the callback we "pretend" to be normal TLS,
253 * and manufacture a dummy record header
255 dummyrec
[0] = (rl
->level
== OSSL_RECORD_PROTECTION_LEVEL_NONE
)
257 : SSL3_RT_APPLICATION_DATA
;
258 dummyrec
[1] = (unsigned char)((template->version
>> 8) & 0xff);
259 dummyrec
[2] = (unsigned char)(template->version
& 0xff);
261 * We assume that buflen is always <= UINT16_MAX. Since this is
262 * generated by libssl itself we actually expect it to never
263 * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
266 dummyrec
[3] = (unsigned char)((template->buflen
>> 8) & 0xff);
267 dummyrec
[4] = (unsigned char)(template->buflen
& 0xff);
269 rl
->msg_callback(1, TLS1_3_VERSION
, SSL3_RT_HEADER
, dummyrec
,
270 SSL3_RT_HEADER_LENGTH
, rl
->cbarg
);
272 if (rl
->level
!= OSSL_RECORD_PROTECTION_LEVEL_NONE
) {
273 rl
->msg_callback(1, TLS1_3_VERSION
, SSL3_RT_INNER_CONTENT_TYPE
,
274 &template->type
, 1, rl
->cbarg
);
278 switch (template->type
) {
280 if (template->buflen
!= 2) {
282 * We assume that libssl always sends both bytes of an alert to
283 * us in one go, and never fragments it. If we ever get more
284 * or less bytes than exactly 2 then this is very unexpected.
286 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, SSL_R_BAD_VALUE
);
287 return OSSL_RECORD_RETURN_FATAL
;
290 * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
291 * description that we are actually interested in.
293 alert
= template->buf
[1];
295 if (!rl
->qtls
->args
.alert_cb(rl
->qtls
->args
.alert_cb_arg
, alert
)) {
296 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
297 return OSSL_RECORD_RETURN_FATAL
;
301 case SSL3_RT_HANDSHAKE
:
303 * We expect this to only fail on some fatal error (e.g. malloc
306 if (!rl
->qtls
->args
.crypto_send_cb(template->buf
+ rl
->written
,
307 template->buflen
- rl
->written
,
309 rl
->qtls
->args
.crypto_send_cb_arg
)) {
310 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
311 return OSSL_RECORD_RETURN_FATAL
;
314 * We might have written less than we wanted to if we have filled the
315 * send stream buffer.
317 if (consumed
+ rl
->written
!= template->buflen
) {
318 if (!ossl_assert(consumed
+ rl
->written
< template->buflen
)) {
319 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
320 return OSSL_RECORD_RETURN_FATAL
;
324 * We've not written everything we wanted to. Take a copy of the
325 * template, remember how much we wrote so far and signal a retry.
326 * The buffer supplied in the template is guaranteed to be the same
327 * on a retry for handshake data
329 rl
->written
+= consumed
;
330 rl
->template = *template;
331 BIO_set_retry_write(rl
->dummybio
);
333 return OSSL_RECORD_RETURN_RETRY
;
339 /* Anything else is unexpected and an error */
340 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
341 return OSSL_RECORD_RETURN_FATAL
;
344 return OSSL_RECORD_RETURN_SUCCESS
;
347 static int quic_retry_write_records(OSSL_RECORD_LAYER
*rl
)
349 return quic_write_records(rl
, &rl
->template, 1);
352 static int quic_read_record(OSSL_RECORD_LAYER
*rl
, void **rechandle
,
353 int *rversion
, int *type
, const unsigned char **data
,
354 size_t *datalen
, uint16_t *epoch
,
355 unsigned char *seq_num
)
357 if (rl
->recread
!= 0 || rl
->recunreleased
!= 0)
358 return OSSL_RECORD_RETURN_FATAL
;
360 BIO_clear_retry_flags(rl
->dummybio
);
362 if (!rl
->qtls
->args
.crypto_recv_rcd_cb(data
, datalen
,
363 rl
->qtls
->args
.crypto_recv_rcd_cb_arg
)) {
364 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
365 return OSSL_RECORD_RETURN_FATAL
;
369 BIO_set_retry_read(rl
->dummybio
);
370 return OSSL_RECORD_RETURN_RETRY
;
374 *rversion
= TLS1_3_VERSION
;
375 *type
= SSL3_RT_HANDSHAKE
;
376 rl
->recread
= rl
->recunreleased
= *datalen
;
377 /* epoch/seq_num are not relevant for TLS */
379 if (rl
->msg_callback
!= NULL
) {
380 unsigned char dummyrec
[SSL3_RT_HEADER_LENGTH
];
383 * For the purposes of the callback we "pretend" to be normal TLS,
384 * and manufacture a dummy record header
386 dummyrec
[0] = (rl
->level
== OSSL_RECORD_PROTECTION_LEVEL_NONE
)
388 : SSL3_RT_APPLICATION_DATA
;
389 dummyrec
[1] = (unsigned char)((TLS1_2_VERSION
>> 8) & 0xff);
390 dummyrec
[2] = (unsigned char)(TLS1_2_VERSION
& 0xff);
392 * *datalen will always fit into 2 bytes because our original buffer
393 * size is less than that.
395 dummyrec
[3] = (unsigned char)((*datalen
>> 8) & 0xff);
396 dummyrec
[4] = (unsigned char)(*datalen
& 0xff);
398 rl
->msg_callback(0, TLS1_3_VERSION
, SSL3_RT_HEADER
, dummyrec
,
399 SSL3_RT_HEADER_LENGTH
, rl
->cbarg
);
400 rl
->msg_callback(0, TLS1_3_VERSION
, SSL3_RT_INNER_CONTENT_TYPE
, type
, 1,
404 return OSSL_RECORD_RETURN_SUCCESS
;
407 static int quic_release_record(OSSL_RECORD_LAYER
*rl
, void *rechandle
,
410 if (!ossl_assert(rl
->recread
> 0)
411 || !ossl_assert(rl
->recunreleased
<= rl
->recread
)
412 || !ossl_assert(rl
== rechandle
)
413 || !ossl_assert(length
<= rl
->recunreleased
)) {
414 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
415 return OSSL_RECORD_RETURN_FATAL
;
418 rl
->recunreleased
-= length
;
420 if (rl
->recunreleased
> 0)
421 return OSSL_RECORD_RETURN_SUCCESS
;
423 if (!rl
->qtls
->args
.crypto_release_rcd_cb(rl
->recread
,
424 rl
->qtls
->args
.crypto_release_rcd_cb_arg
)) {
425 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
426 return OSSL_RECORD_RETURN_FATAL
;
430 return OSSL_RECORD_RETURN_SUCCESS
;
433 static int quic_get_alert_code(OSSL_RECORD_LAYER
*rl
)
438 static int quic_set_protocol_version(OSSL_RECORD_LAYER
*rl
, int version
)
440 /* We only support TLSv1.3, so its bad if we negotiate anything else */
441 if (!ossl_assert(version
== TLS1_3_VERSION
)) {
442 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
449 static void quic_set_plain_alerts(OSSL_RECORD_LAYER
*rl
, int allow
)
454 static void quic_set_first_handshake(OSSL_RECORD_LAYER
*rl
, int first
)
459 static void quic_set_max_pipelines(OSSL_RECORD_LAYER
*rl
, size_t max_pipelines
)
464 static void quic_get_state(OSSL_RECORD_LAYER
*rl
, const char **shortstr
,
465 const char **longstr
)
468 * According to the docs, valid read state strings are: "RH"/"read header",
469 * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
470 * that way, so we report every "normal" state as "read header". In the
471 * event of error then we report "unknown".
474 if (rl
->qtls
->inerror
) {
475 if (shortstr
!= NULL
)
476 *shortstr
= "unknown";
478 *longstr
= "unknown";
480 if (shortstr
!= NULL
)
483 *longstr
= "read header";
487 static int quic_set_options(OSSL_RECORD_LAYER
*rl
, const OSSL_PARAM
*options
)
490 * We don't support any options yet - but we might do at some point so
491 * this could be useful.
496 static const COMP_METHOD
*quic_get_compression(OSSL_RECORD_LAYER
*rl
)
498 /* We only support TLSv1.3 which doesn't have compression */
502 static void quic_set_max_frag_len(OSSL_RECORD_LAYER
*rl
, size_t max_frag_len
)
504 /* This really doesn't make any sense for QUIC. Ignore it */
507 static int quic_alloc_buffers(OSSL_RECORD_LAYER
*rl
)
510 * This is a hint only. We don't support it (yet), so just ignore the
516 static int quic_free_buffers(OSSL_RECORD_LAYER
*rl
)
519 * This is a hint only. We don't support it (yet), so just ignore the
525 static int quic_set1_bio(OSSL_RECORD_LAYER
*rl
, BIO
*bio
)
528 * Can be called to set the buffering BIO - which is then never used by us.
535 * Never called functions
537 * Due to the way we are configured and used we never expect any of the next set
538 * of functions to be called. Therefore we set them to always fail.
541 static size_t quic_app_data_pending(OSSL_RECORD_LAYER
*rl
)
543 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
544 return (size_t)ossl_assert(0);
547 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER
*rl
)
549 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
550 return (size_t)ossl_assert(0);
553 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER
*rl
)
555 QUIC_TLS_FATAL(rl
, SSL_AD_INTERNAL_ERROR
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
556 return ossl_assert(0);
559 /* End of never called functions */
561 static const OSSL_RECORD_METHOD quic_tls_record_method
= {
562 quic_new_record_layer
,
564 quic_unprocessed_read_pending
,
565 quic_processed_read_pending
,
566 quic_app_data_pending
, /* Never called */
567 quic_get_max_records
,
569 quic_retry_write_records
,
574 quic_set_protocol_version
,
575 quic_set_plain_alerts
,
576 quic_set_first_handshake
,
577 quic_set_max_pipelines
,
578 NULL
, /* set_in_init: Optional - we don't need it */
581 quic_get_compression
,
582 quic_set_max_frag_len
,
583 quic_get_max_record_overhead
, /* Never called */
584 quic_increment_sequence_ctr
, /* Never called */
589 static int add_transport_params_cb(SSL
*s
, unsigned int ext_type
,
590 unsigned int context
,
591 const unsigned char **out
, size_t *outlen
,
592 X509
*x
, size_t chainidx
, int *al
,
595 QUIC_TLS
*qtls
= add_arg
;
597 *out
= qtls
->local_transport_params
;
598 *outlen
= qtls
->local_transport_params_len
;
602 static void free_transport_params_cb(SSL
*s
, unsigned int ext_type
,
603 unsigned int context
,
604 const unsigned char *out
,
609 static int parse_transport_params_cb(SSL
*s
, unsigned int ext_type
,
610 unsigned int context
,
611 const unsigned char *in
,
612 size_t inlen
, X509
*x
,
614 int *al
, void *parse_arg
)
616 QUIC_TLS
*qtls
= parse_arg
;
618 return qtls
->args
.got_transport_params_cb(in
, inlen
,
619 qtls
->args
.got_transport_params_cb_arg
);
622 QUIC_TLS
*ossl_quic_tls_new(const QUIC_TLS_ARGS
*args
)
626 if (args
->crypto_send_cb
== NULL
627 || args
->crypto_recv_rcd_cb
== NULL
628 || args
->crypto_release_rcd_cb
== NULL
) {
629 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_NULL_PARAMETER
);
633 qtls
= OPENSSL_zalloc(sizeof(*qtls
));
637 if ((qtls
->error_state
= OSSL_ERR_STATE_new()) == NULL
) {
646 void ossl_quic_tls_free(QUIC_TLS
*qtls
)
648 OSSL_ERR_STATE_free(qtls
->error_state
);
652 static int raise_error(QUIC_TLS
*qtls
, uint64_t error_code
,
653 const char *error_msg
,
654 const char *src_file
,
656 const char *src_func
)
659 * When QTLS fails, add a "cover letter" error with information, potentially
660 * with any underlying libssl errors underneath it (but our cover error may
661 * be the only error in some cases). Then capture this into an ERR_STATE so
662 * we can report it later if need be when the QUIC_CHANNEL asks for it.
665 ERR_set_debug(src_file
, src_line
, src_func
);
666 ERR_set_error(ERR_LIB_SSL
, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR
,
667 "handshake layer error, error code %zu (\"%s\")",
668 error_code
, error_msg
);
669 OSSL_ERR_STATE_save_to_mark(qtls
->error_state
);
672 * We record the error information reported via the QUIC protocol
675 qtls
->error_code
= error_code
;
676 qtls
->error_msg
= error_msg
;
683 #define RAISE_ERROR(qtls, error_code, error_msg) \
684 raise_error((qtls), (error_code), (error_msg), \
685 OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
687 #define RAISE_INTERNAL_ERROR(qtls) \
688 RAISE_ERROR((qtls), QUIC_ERR_INTERNAL_ERROR, "internal error")
690 int ossl_quic_tls_tick(QUIC_TLS
*qtls
)
693 const unsigned char *alpn
;
694 unsigned int alpnlen
;
697 * TODO(QUIC): There are various calls here that could fail and ordinarily
698 * would result in an ERR_raise call - but "tick" calls aren't supposed to
699 * fail "loudly" - so its unclear how we will report these errors. The
700 * ERR_raise calls are omitted from this function for now.
707 * SSL_get_error does not truly know what the cause of an SSL_read failure
708 * is and to some extent guesses based on contextual information. In
709 * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
710 * SSL_ERROR_SYSCALL will be returned no matter what and there is no
711 * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
712 * the actual cause of the SSL_read() failure.
714 * This means that ordinarily, the below code might not work right if the
715 * application has any ERR on the error stack. In order to make this code
716 * perform correctly regardless of prior ERR state, we use a variant of
717 * SSL_get_error() which ignores the error stack. However, some ERRs are
718 * raised by SSL_read() and actually indicate that something has gone wrong
719 * during the call to SSL_read(). We therefore adopt a strategy of marking
720 * the ERR stack and seeing if any errors get appended during the call to
721 * SSL_read(). If they are, we assume SSL_read() has raised an error and
722 * that we should use normal SSL_get_error() handling.
724 * NOTE: Ensure all escape paths from this function call
725 * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
729 if (!qtls
->configured
) {
730 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL(qtls
->args
.s
);
731 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(sc
);
735 * No matter how the user has configured us, there are certain
736 * requirements for QUIC-TLS that we enforce
739 /* ALPN is a requirement for QUIC and must be set */
740 if (qtls
->args
.is_server
) {
741 if (sctx
->ext
.alpn_select_cb
== NULL
)
742 return RAISE_INTERNAL_ERROR(qtls
);
744 if (sc
->ext
.alpn
== NULL
|| sc
->ext
.alpn_len
== 0)
745 return RAISE_INTERNAL_ERROR(qtls
);
747 if (!SSL_set_min_proto_version(qtls
->args
.s
, TLS1_3_VERSION
))
748 return RAISE_INTERNAL_ERROR(qtls
);
750 SSL_clear_options(qtls
->args
.s
, SSL_OP_ENABLE_MIDDLEBOX_COMPAT
);
751 ossl_ssl_set_custom_record_layer(sc
, &quic_tls_record_method
, qtls
);
753 if (!ossl_tls_add_custom_ext_intern(NULL
, &sc
->cert
->custext
,
754 qtls
->args
.is_server
? ENDPOINT_SERVER
756 TLSEXT_TYPE_quic_transport_parameters
,
758 | SSL_EXT_CLIENT_HELLO
759 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
,
760 add_transport_params_cb
,
761 free_transport_params_cb
, qtls
,
762 parse_transport_params_cb
, qtls
))
763 return RAISE_INTERNAL_ERROR(qtls
);
765 nullbio
= BIO_new(BIO_s_null());
767 return RAISE_INTERNAL_ERROR(qtls
);
770 * Our custom record layer doesn't use the BIO - but libssl generally
771 * expects one to be present.
773 SSL_set_bio(qtls
->args
.s
, nullbio
, nullbio
);
775 if (qtls
->args
.is_server
)
776 SSL_set_accept_state(qtls
->args
.s
);
778 SSL_set_connect_state(qtls
->args
.s
);
780 qtls
->configured
= 1;
785 * There should never be app data to read, but calling SSL_read() will
786 * ensure any post-handshake messages are processed.
788 ret
= SSL_read(qtls
->args
.s
, NULL
, 0);
790 ret
= SSL_do_handshake(qtls
->args
.s
);
793 err
= ossl_ssl_get_error(qtls
->args
.s
, ret
,
794 /*check_err=*/ERR_count_to_mark() > 0);
797 case SSL_ERROR_WANT_READ
:
798 case SSL_ERROR_WANT_WRITE
:
803 return RAISE_INTERNAL_ERROR(qtls
);
807 if (!qtls
->complete
) {
808 /* Validate that we have ALPN */
809 SSL_get0_alpn_selected(qtls
->args
.s
, &alpn
, &alpnlen
);
810 if (alpn
== NULL
|| alpnlen
== 0)
811 return RAISE_ERROR(qtls
, QUIC_ERR_CRYPTO_NO_APP_PROTO
,
812 "no application protocol negotiated");
816 return qtls
->args
.handshake_complete_cb(qtls
->args
.handshake_complete_cb_arg
);
823 int ossl_quic_tls_set_transport_params(QUIC_TLS
*qtls
,
824 const unsigned char *transport_params
,
825 size_t transport_params_len
)
827 qtls
->local_transport_params
= transport_params
;
828 qtls
->local_transport_params_len
= transport_params_len
;
832 int ossl_quic_tls_get_error(QUIC_TLS
*qtls
,
833 uint64_t *error_code
,
834 const char **error_msg
,
835 ERR_STATE
**error_state
)
838 *error_code
= qtls
->error_code
;
839 *error_msg
= qtls
->error_msg
;
840 *error_state
= qtls
->error_state
;
843 return qtls
->inerror
;