]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/quic/quic_tls.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
QUIC TLS: Rethink error handling
[thirdparty/openssl.git] / ssl / quic / quic_tls.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9 #include <openssl/ssl.h>
10 #include "internal/recordmethod.h"
11 #include "internal/quic_tls.h"
12 #include "../ssl_local.h"
13 #include "internal/quic_error.h"
14
15 #define QUIC_TLS_FATAL(rl, ad, err) \
16 do { \
17 (rl)->alert = (ad); \
18 ERR_raise(ERR_LIB_SSL, (err)); \
19 (rl)->qtls->inerror = 1; \
20 } while(0)
21
22 struct quic_tls_st {
23 QUIC_TLS_ARGS args;
24
25 /*
26 * Transport parameters which client should send. Buffer lifetime must
27 * exceed the lifetime of the QUIC_TLS object.
28 */
29 const unsigned char *local_transport_params;
30 size_t local_transport_params_len;
31
32 ERR_STATE *error_state;
33
34 /*
35 * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
36 * only if inerror is 1.
37 */
38 uint64_t error_code;
39
40 /*
41 * Error message with static storage duration. Valid only if inerror is 1.
42 * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
43 */
44 const char *error_msg;
45
46 /* Whether our SSL object for TLS has been configured for use in QUIC */
47 unsigned int configured : 1;
48
49 /* Set if we have hit any error state */
50 unsigned int inerror : 1;
51
52 /* Set if the handshake has completed */
53 unsigned int complete : 1;
54 };
55
56 struct ossl_record_layer_st {
57 QUIC_TLS *qtls;
58
59 /* Protection level */
60 int level;
61
62 /* Only used for retry flags */
63 BIO *dummybio;
64
65 /* Number of bytes written so far if we are part way through a write */
66 size_t written;
67
68 /* If we are part way through a write, a copy of the template */
69 OSSL_RECORD_TEMPLATE template;
70
71 /*
72 * If we hit an error, what alert code should be used
73 */
74 int alert;
75
76 /* Amount of crypto stream data we read in the last call to quic_read_record */
77 size_t recread;
78
79 /* Amount of crypto stream data read but not yet released */
80 size_t recunreleased;
81
82 /* Callbacks */
83 OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
84 void *cbarg;
85 };
86
87 static int
88 quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
89 int role, int direction, int level, uint16_t epoch,
90 unsigned char *secret, size_t secretlen,
91 unsigned char *key, size_t keylen, unsigned char *iv,
92 size_t ivlen, unsigned char *mackey, size_t mackeylen,
93 const EVP_CIPHER *ciph, size_t taglen,
94 int mactype,
95 const EVP_MD *md, COMP_METHOD *comp,
96 const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
97 BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
98 const OSSL_PARAM *settings, const OSSL_PARAM *options,
99 const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
100 OSSL_RECORD_LAYER **retrl)
101 {
102 OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
103 uint32_t enc_level;
104 int qdir;
105 uint32_t suite_id = 0;
106
107 if (rl == NULL) {
108 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
109 return 0;
110 }
111
112 rl->qtls = (QUIC_TLS *)rlarg;
113 rl->level = level;
114 rl->dummybio = transport;
115 rl->cbarg = cbarg;
116 *retrl = rl;
117
118 if (fns != NULL) {
119 for (; fns->function_id != 0; fns++) {
120 switch (fns->function_id) {
121 break;
122 case OSSL_FUNC_RLAYER_MSG_CALLBACK:
123 rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
124 break;
125 default:
126 /* Just ignore anything we don't understand */
127 break;
128 }
129 }
130 }
131
132 switch (level) {
133 case OSSL_RECORD_PROTECTION_LEVEL_NONE:
134 return 1;
135
136 case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
137 enc_level = QUIC_ENC_LEVEL_0RTT;
138 break;
139
140 case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
141 enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
142 break;
143
144 case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
145 enc_level = QUIC_ENC_LEVEL_1RTT;
146 break;
147
148 default:
149 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
150 goto err;
151 }
152
153 if (direction == OSSL_RECORD_DIRECTION_READ)
154 qdir = 0;
155 else
156 qdir = 1;
157
158 if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
159 suite_id = QRL_SUITE_AES128GCM;
160 } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
161 suite_id = QRL_SUITE_AES256GCM;
162 } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
163 suite_id = QRL_SUITE_CHACHA20POLY1305;
164 } else {
165 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
166 goto err;
167 }
168
169 /* We pass a ref to the md in a successful yield_secret_cb call */
170 /* TODO(QUIC): This cast is horrible. We should try and remove it */
171 if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
172 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
173 goto err;
174 }
175
176 if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
177 (EVP_MD *)kdfdigest, secret, secretlen,
178 rl->qtls->args.yield_secret_cb_arg)) {
179 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
180 EVP_MD_free((EVP_MD *)kdfdigest);
181 goto err;
182 }
183
184 return 1;
185 err:
186 *retrl = NULL;
187 OPENSSL_free(rl);
188 return 0;
189 }
190
191 static int quic_free(OSSL_RECORD_LAYER *rl)
192 {
193 if (rl == NULL)
194 return 1;
195
196 OPENSSL_free(rl);
197 return 1;
198 }
199
200 static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
201 {
202 /*
203 * Read ahead isn't really a thing for QUIC so we never have unprocessed
204 * data pending
205 */
206 return 0;
207 }
208
209 static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
210 {
211 /*
212 * This is currently only ever used by:
213 * - SSL_has_pending()
214 * - to check whether we have more records that we want to supply to the
215 * upper layers
216 *
217 * We only ever supply 1 record at a time to the upper layers, and
218 * SSL_has_pending() will go via the QUIC method not the TLS method so that
219 * use case doesn't apply here.
220 * Therefore we can ignore this for now and always return 0. We might
221 * eventually want to change this to check in the receive buffers to see if
222 * we have any more data pending.
223 */
224 return 0;
225 }
226
227 static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, int type, size_t len,
228 size_t maxfrag, size_t *preffrag)
229 {
230 return 1;
231 }
232
233 static int quic_write_records(OSSL_RECORD_LAYER *rl,
234 OSSL_RECORD_TEMPLATE *template,
235 size_t numtempl)
236 {
237 size_t consumed;
238 unsigned char alert;
239
240 if (!ossl_assert(numtempl == 1)) {
241 /* How could this be? quic_get_max_records() always returns 1 */
242 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
243 return OSSL_RECORD_RETURN_FATAL;
244 }
245
246 BIO_clear_retry_flags(rl->dummybio);
247
248 if (rl->msg_callback != NULL) {
249 unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
250
251 /*
252 * For the purposes of the callback we "pretend" to be normal TLS,
253 * and manufacture a dummy record header
254 */
255 dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
256 ? template->type
257 : SSL3_RT_APPLICATION_DATA;
258 dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
259 dummyrec[2] = (unsigned char)(template->version & 0xff);
260 /*
261 * We assume that buflen is always <= UINT16_MAX. Since this is
262 * generated by libssl itself we actually expect it to never
263 * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
264 * assumption
265 */
266 dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
267 dummyrec[4] = (unsigned char)(template->buflen & 0xff);
268
269 rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
270 SSL3_RT_HEADER_LENGTH, rl->cbarg);
271
272 if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
273 rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
274 &template->type, 1, rl->cbarg);
275 }
276 }
277
278 switch (template->type) {
279 case SSL3_RT_ALERT:
280 if (template->buflen != 2) {
281 /*
282 * We assume that libssl always sends both bytes of an alert to
283 * us in one go, and never fragments it. If we ever get more
284 * or less bytes than exactly 2 then this is very unexpected.
285 */
286 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
287 return OSSL_RECORD_RETURN_FATAL;
288 }
289 /*
290 * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
291 * description that we are actually interested in.
292 */
293 alert = template->buf[1];
294
295 if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
296 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
297 return OSSL_RECORD_RETURN_FATAL;
298 }
299 break;
300
301 case SSL3_RT_HANDSHAKE:
302 /*
303 * We expect this to only fail on some fatal error (e.g. malloc
304 * failure)
305 */
306 if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
307 template->buflen - rl->written,
308 &consumed,
309 rl->qtls->args.crypto_send_cb_arg)) {
310 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
311 return OSSL_RECORD_RETURN_FATAL;
312 }
313 /*
314 * We might have written less than we wanted to if we have filled the
315 * send stream buffer.
316 */
317 if (consumed + rl->written != template->buflen) {
318 if (!ossl_assert(consumed + rl->written < template->buflen)) {
319 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
320 return OSSL_RECORD_RETURN_FATAL;
321 }
322
323 /*
324 * We've not written everything we wanted to. Take a copy of the
325 * template, remember how much we wrote so far and signal a retry.
326 * The buffer supplied in the template is guaranteed to be the same
327 * on a retry for handshake data
328 */
329 rl->written += consumed;
330 rl->template = *template;
331 BIO_set_retry_write(rl->dummybio);
332
333 return OSSL_RECORD_RETURN_RETRY;
334 }
335 rl->written = 0;
336 break;
337
338 default:
339 /* Anything else is unexpected and an error */
340 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
341 return OSSL_RECORD_RETURN_FATAL;
342 }
343
344 return OSSL_RECORD_RETURN_SUCCESS;
345 }
346
347 static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
348 {
349 return quic_write_records(rl, &rl->template, 1);
350 }
351
352 static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
353 int *rversion, int *type, const unsigned char **data,
354 size_t *datalen, uint16_t *epoch,
355 unsigned char *seq_num)
356 {
357 if (rl->recread != 0 || rl->recunreleased != 0)
358 return OSSL_RECORD_RETURN_FATAL;
359
360 BIO_clear_retry_flags(rl->dummybio);
361
362 if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
363 rl->qtls->args.crypto_recv_rcd_cb_arg)) {
364 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
365 return OSSL_RECORD_RETURN_FATAL;
366 }
367
368 if (*datalen == 0) {
369 BIO_set_retry_read(rl->dummybio);
370 return OSSL_RECORD_RETURN_RETRY;
371 }
372
373 *rechandle = rl;
374 *rversion = TLS1_3_VERSION;
375 *type = SSL3_RT_HANDSHAKE;
376 rl->recread = rl->recunreleased = *datalen;
377 /* epoch/seq_num are not relevant for TLS */
378
379 if (rl->msg_callback != NULL) {
380 unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
381
382 /*
383 * For the purposes of the callback we "pretend" to be normal TLS,
384 * and manufacture a dummy record header
385 */
386 dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
387 ? SSL3_RT_HANDSHAKE
388 : SSL3_RT_APPLICATION_DATA;
389 dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
390 dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
391 /*
392 * *datalen will always fit into 2 bytes because our original buffer
393 * size is less than that.
394 */
395 dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
396 dummyrec[4] = (unsigned char)(*datalen & 0xff);
397
398 rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
399 SSL3_RT_HEADER_LENGTH, rl->cbarg);
400 rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
401 rl->cbarg);
402 }
403
404 return OSSL_RECORD_RETURN_SUCCESS;
405 }
406
407 static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
408 size_t length)
409 {
410 if (!ossl_assert(rl->recread > 0)
411 || !ossl_assert(rl->recunreleased <= rl->recread)
412 || !ossl_assert(rl == rechandle)
413 || !ossl_assert(length <= rl->recunreleased)) {
414 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
415 return OSSL_RECORD_RETURN_FATAL;
416 }
417
418 rl->recunreleased -= length;
419
420 if (rl->recunreleased > 0)
421 return OSSL_RECORD_RETURN_SUCCESS;
422
423 if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
424 rl->qtls->args.crypto_release_rcd_cb_arg)) {
425 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
426 return OSSL_RECORD_RETURN_FATAL;
427 }
428
429 rl->recread = 0;
430 return OSSL_RECORD_RETURN_SUCCESS;
431 }
432
433 static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
434 {
435 return rl->alert;
436 }
437
438 static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
439 {
440 /* We only support TLSv1.3, so its bad if we negotiate anything else */
441 if (!ossl_assert(version == TLS1_3_VERSION)) {
442 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
443 return 0;
444 }
445
446 return 1;
447 }
448
449 static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
450 {
451 /* We don't care */
452 }
453
454 static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
455 {
456 /* We don't care */
457 }
458
459 static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
460 {
461 /* We don't care */
462 }
463
464 static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
465 const char **longstr)
466 {
467 /*
468 * According to the docs, valid read state strings are: "RH"/"read header",
469 * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
470 * that way, so we report every "normal" state as "read header". In the
471 * event of error then we report "unknown".
472 */
473
474 if (rl->qtls->inerror) {
475 if (shortstr != NULL)
476 *shortstr = "unknown";
477 if (longstr != NULL)
478 *longstr = "unknown";
479 } else {
480 if (shortstr != NULL)
481 *shortstr = "RH";
482 if (longstr != NULL)
483 *longstr = "read header";
484 }
485 }
486
487 static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
488 {
489 /*
490 * We don't support any options yet - but we might do at some point so
491 * this could be useful.
492 */
493 return 1;
494 }
495
496 static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
497 {
498 /* We only support TLSv1.3 which doesn't have compression */
499 return NULL;
500 }
501
502 static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
503 {
504 /* This really doesn't make any sense for QUIC. Ignore it */
505 }
506
507 static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
508 {
509 /*
510 * This is a hint only. We don't support it (yet), so just ignore the
511 * request
512 */
513 return 1;
514 }
515
516 static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
517 {
518 /*
519 * This is a hint only. We don't support it (yet), so just ignore the
520 * request
521 */
522 return 1;
523 }
524
525 static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
526 {
527 /*
528 * Can be called to set the buffering BIO - which is then never used by us.
529 * We ignore it
530 */
531 return 1;
532 }
533
534 /*
535 * Never called functions
536 *
537 * Due to the way we are configured and used we never expect any of the next set
538 * of functions to be called. Therefore we set them to always fail.
539 */
540
541 static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
542 {
543 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
544 return (size_t)ossl_assert(0);
545 }
546
547 static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
548 {
549 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
550 return (size_t)ossl_assert(0);
551 }
552
553 static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
554 {
555 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
556 return ossl_assert(0);
557 }
558
559 /* End of never called functions */
560
561 static const OSSL_RECORD_METHOD quic_tls_record_method = {
562 quic_new_record_layer,
563 quic_free,
564 quic_unprocessed_read_pending,
565 quic_processed_read_pending,
566 quic_app_data_pending, /* Never called */
567 quic_get_max_records,
568 quic_write_records,
569 quic_retry_write_records,
570 quic_read_record,
571 quic_release_record,
572 quic_get_alert_code,
573 quic_set1_bio,
574 quic_set_protocol_version,
575 quic_set_plain_alerts,
576 quic_set_first_handshake,
577 quic_set_max_pipelines,
578 NULL, /* set_in_init: Optional - we don't need it */
579 quic_get_state,
580 quic_set_options,
581 quic_get_compression,
582 quic_set_max_frag_len,
583 quic_get_max_record_overhead, /* Never called */
584 quic_increment_sequence_ctr, /* Never called */
585 quic_alloc_buffers,
586 quic_free_buffers
587 };
588
589 static int add_transport_params_cb(SSL *s, unsigned int ext_type,
590 unsigned int context,
591 const unsigned char **out, size_t *outlen,
592 X509 *x, size_t chainidx, int *al,
593 void *add_arg)
594 {
595 QUIC_TLS *qtls = add_arg;
596
597 *out = qtls->local_transport_params;
598 *outlen = qtls->local_transport_params_len;
599 return 1;
600 }
601
602 static void free_transport_params_cb(SSL *s, unsigned int ext_type,
603 unsigned int context,
604 const unsigned char *out,
605 void *add_arg)
606 {
607 }
608
609 static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
610 unsigned int context,
611 const unsigned char *in,
612 size_t inlen, X509 *x,
613 size_t chainidx,
614 int *al, void *parse_arg)
615 {
616 QUIC_TLS *qtls = parse_arg;
617
618 return qtls->args.got_transport_params_cb(in, inlen,
619 qtls->args.got_transport_params_cb_arg);
620 }
621
622 QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
623 {
624 QUIC_TLS *qtls;
625
626 if (args->crypto_send_cb == NULL
627 || args->crypto_recv_rcd_cb == NULL
628 || args->crypto_release_rcd_cb == NULL) {
629 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
630 return NULL;
631 }
632
633 qtls = OPENSSL_zalloc(sizeof(*qtls));
634 if (qtls == NULL)
635 return NULL;
636
637 if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
638 OPENSSL_free(qtls);
639 return NULL;
640 }
641
642 qtls->args = *args;
643 return qtls;
644 }
645
646 void ossl_quic_tls_free(QUIC_TLS *qtls)
647 {
648 OSSL_ERR_STATE_free(qtls->error_state);
649 OPENSSL_free(qtls);
650 }
651
652 static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
653 const char *error_msg,
654 const char *src_file,
655 int src_line,
656 const char *src_func)
657 {
658 /*
659 * When QTLS fails, add a "cover letter" error with information, potentially
660 * with any underlying libssl errors underneath it (but our cover error may
661 * be the only error in some cases). Then capture this into an ERR_STATE so
662 * we can report it later if need be when the QUIC_CHANNEL asks for it.
663 */
664 ERR_new();
665 ERR_set_debug(src_file, src_line, src_func);
666 ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
667 "handshake layer error, error code %zu (\"%s\")",
668 error_code, error_msg);
669 OSSL_ERR_STATE_save_to_mark(qtls->error_state);
670
671 /*
672 * We record the error information reported via the QUIC protocol
673 * separately.
674 */
675 qtls->error_code = error_code;
676 qtls->error_msg = error_msg;
677 qtls->inerror = 1;
678
679 ERR_pop_to_mark();
680 return 0;
681 }
682
683 #define RAISE_ERROR(qtls, error_code, error_msg) \
684 raise_error((qtls), (error_code), (error_msg), \
685 OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
686
687 #define RAISE_INTERNAL_ERROR(qtls) \
688 RAISE_ERROR((qtls), QUIC_ERR_INTERNAL_ERROR, "internal error")
689
690 int ossl_quic_tls_tick(QUIC_TLS *qtls)
691 {
692 int ret, err;
693 const unsigned char *alpn;
694 unsigned int alpnlen;
695
696 /*
697 * TODO(QUIC): There are various calls here that could fail and ordinarily
698 * would result in an ERR_raise call - but "tick" calls aren't supposed to
699 * fail "loudly" - so its unclear how we will report these errors. The
700 * ERR_raise calls are omitted from this function for now.
701 */
702
703 if (qtls->inerror)
704 return 0;
705
706 /*
707 * SSL_get_error does not truly know what the cause of an SSL_read failure
708 * is and to some extent guesses based on contextual information. In
709 * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
710 * SSL_ERROR_SYSCALL will be returned no matter what and there is no
711 * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
712 * the actual cause of the SSL_read() failure.
713 *
714 * This means that ordinarily, the below code might not work right if the
715 * application has any ERR on the error stack. In order to make this code
716 * perform correctly regardless of prior ERR state, we use a variant of
717 * SSL_get_error() which ignores the error stack. However, some ERRs are
718 * raised by SSL_read() and actually indicate that something has gone wrong
719 * during the call to SSL_read(). We therefore adopt a strategy of marking
720 * the ERR stack and seeing if any errors get appended during the call to
721 * SSL_read(). If they are, we assume SSL_read() has raised an error and
722 * that we should use normal SSL_get_error() handling.
723 *
724 * NOTE: Ensure all escape paths from this function call
725 * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
726 */
727 ERR_set_mark();
728
729 if (!qtls->configured) {
730 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
731 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
732 BIO *nullbio;
733
734 /*
735 * No matter how the user has configured us, there are certain
736 * requirements for QUIC-TLS that we enforce
737 */
738
739 /* ALPN is a requirement for QUIC and must be set */
740 if (qtls->args.is_server) {
741 if (sctx->ext.alpn_select_cb == NULL)
742 return RAISE_INTERNAL_ERROR(qtls);
743 } else {
744 if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
745 return RAISE_INTERNAL_ERROR(qtls);
746 }
747 if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
748 return RAISE_INTERNAL_ERROR(qtls);
749
750 SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
751 ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
752
753 if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
754 qtls->args.is_server ? ENDPOINT_SERVER
755 : ENDPOINT_CLIENT,
756 TLSEXT_TYPE_quic_transport_parameters,
757 SSL_EXT_TLS1_3_ONLY
758 | SSL_EXT_CLIENT_HELLO
759 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
760 add_transport_params_cb,
761 free_transport_params_cb, qtls,
762 parse_transport_params_cb, qtls))
763 return RAISE_INTERNAL_ERROR(qtls);
764
765 nullbio = BIO_new(BIO_s_null());
766 if (nullbio == NULL)
767 return RAISE_INTERNAL_ERROR(qtls);
768
769 /*
770 * Our custom record layer doesn't use the BIO - but libssl generally
771 * expects one to be present.
772 */
773 SSL_set_bio(qtls->args.s, nullbio, nullbio);
774
775 if (qtls->args.is_server)
776 SSL_set_accept_state(qtls->args.s);
777 else
778 SSL_set_connect_state(qtls->args.s);
779
780 qtls->configured = 1;
781 }
782
783 if (qtls->complete)
784 /*
785 * There should never be app data to read, but calling SSL_read() will
786 * ensure any post-handshake messages are processed.
787 */
788 ret = SSL_read(qtls->args.s, NULL, 0);
789 else
790 ret = SSL_do_handshake(qtls->args.s);
791
792 if (ret <= 0) {
793 err = ossl_ssl_get_error(qtls->args.s, ret,
794 /*check_err=*/ERR_count_to_mark() > 0);
795
796 switch (err) {
797 case SSL_ERROR_WANT_READ:
798 case SSL_ERROR_WANT_WRITE:
799 ERR_pop_to_mark();
800 return 1;
801
802 default:
803 return RAISE_INTERNAL_ERROR(qtls);
804 }
805 }
806
807 if (!qtls->complete) {
808 /* Validate that we have ALPN */
809 SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
810 if (alpn == NULL || alpnlen == 0)
811 return RAISE_ERROR(qtls, QUIC_ERR_CRYPTO_NO_APP_PROTO,
812 "no application protocol negotiated");
813
814 qtls->complete = 1;
815 ERR_pop_to_mark();
816 return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
817 }
818
819 ERR_pop_to_mark();
820 return 1;
821 }
822
823 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
824 const unsigned char *transport_params,
825 size_t transport_params_len)
826 {
827 qtls->local_transport_params = transport_params;
828 qtls->local_transport_params_len = transport_params_len;
829 return 1;
830 }
831
832 int ossl_quic_tls_get_error(QUIC_TLS *qtls,
833 uint64_t *error_code,
834 const char **error_msg,
835 ERR_STATE **error_state)
836 {
837 if (qtls->inerror) {
838 *error_code = qtls->error_code;
839 *error_msg = qtls->error_msg;
840 *error_state = qtls->error_state;
841 }
842
843 return qtls->inerror;
844 }
A mirror of the official openssl repository