From 1957148384c72ea7bc33a5c415d8f84526ed6480 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 11 Aug 2022 11:24:57 +0100 Subject: [PATCH] QUIC Record Layer (Refactor and TX Side) Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/18949) --- include/internal/quic_demux.h | 23 +- include/internal/quic_record.h | 311 ------ include/internal/quic_record_rx.h | 488 ++++++++ include/internal/quic_record_tx.h | 293 +++++ include/internal/quic_record_util.h | 50 + include/internal/quic_wire_pkt.h | 31 + ssl/quic/build.info | 2 +- ssl/quic/{quic_record.c => quic_record_rx.c} | 643 +++-------- ssl/quic/quic_record_shared.c | 209 ++++ ssl/quic/quic_record_shared.h | 86 ++ ssl/quic/quic_record_tx.c | 906 +++++++++++++++ ssl/quic/quic_record_util.c | 142 ++- ssl/quic/quic_wire_pkt.c | 70 +- test/quic_record_test.c | 1054 ++++++++++++------ 14 files changed, 3197 insertions(+), 1111 deletions(-) delete mode 100644 include/internal/quic_record.h create mode 100644 include/internal/quic_record_rx.h create mode 100644 include/internal/quic_record_tx.h rename ssl/quic/{quic_record.c => quic_record_rx.c} (57%) create mode 100644 ssl/quic/quic_record_shared.c create mode 100644 ssl/quic/quic_record_shared.h create mode 100644 ssl/quic/quic_record_tx.c diff --git a/include/internal/quic_demux.h b/include/internal/quic_demux.h index 7d4b0df67e..06f1afab5b 100644 --- a/include/internal/quic_demux.h +++ b/include/internal/quic_demux.h @@ -21,15 +21,16 @@ * The QUIC connection demuxer is the entity responsible for receiving datagrams * from the network via a datagram BIO. It parses packet headers to determine * each packet's destination connection ID (DCID) and hands off processing of - * the packet to the correct QUIC Record Layer (QRL)'s RX side. + * the packet to the correct QUIC Record Layer (QRL)'s RX side (known as the + * QRX). * - * A QRL is instantiated per QUIC connection and contains the cryptographic + * A QRX is instantiated per QUIC connection and contains the cryptographic * resources needed to decrypt QUIC packets for that connection. Received - * datagrams are passed from the demuxer to the QRL via a callback registered - * for a specific DCID by the QRL; thus the demuxer has no specific knowledge of - * the QRL and is not coupled to it. + * datagrams are passed from the demuxer to the QRX via a callback registered + * for a specific DCID by the QRX; thus the demuxer has no specific knowledge of + * the QRX and is not coupled to it. * - * A connection may have multiple connection IDs associated with it; a QRL + * A connection may have multiple connection IDs associated with it; a QRX * handles this simply by registering multiple connection IDs with the demuxer * via multiple register calls. * @@ -49,12 +50,12 @@ * packets, however, this is not the demuxer's concern. QUIC prohibits different * packets in the same datagram from containing different DCIDs; the demuxer * only considers the DCID of the first packet in a datagram when deciding how - * to route a received datagram, and it is the responsibility of the QRL to + * to route a received datagram, and it is the responsibility of the QRX to * enforce this rule. Packets other than the first packet in a datagram are not * examined by the demuxer, and the demuxer does not perform validation of * packet headers other than to the minimum extent necessary to extract the * DCID; further parsing and validation of packet headers is the responsibility - * of the QRL. + * of the QRX. * * Rather than defining an opaque interface, the URXE structure internals * are exposed. Since the demuxer is only exposed to other parts of the QUIC @@ -62,10 +63,10 @@ * advantages: * * - Fields in the URXE can be allocated to support requirements in other - * components, like the QRL, which would otherwise have to allocate extra + * components, like the QRX, which would otherwise have to allocate extra * memory corresponding to each URXE. * - * - Other components, like the QRL, can keep the URXE in queues of its own + * - Other components, like the QRX, can keep the URXE in queues of its own * when it is not being managed by the demuxer. * * URX Queue Structure @@ -99,7 +100,7 @@ struct quic_urxe_st { /* * Bitfields per packet. processed indicates the packet has been processed * and must not be processed again, hpr_removed indicates header protection - * has already been removed. Used by QRL only; not used by the demuxer. + * has already been removed. Used by QRX only; not used by the demuxer. */ uint64_t processed, hpr_removed; diff --git a/include/internal/quic_record.h b/include/internal/quic_record.h deleted file mode 100644 index 06284c251b..0000000000 --- a/include/internal/quic_record.h +++ /dev/null @@ -1,311 +0,0 @@ -/* - * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#ifndef OSSL_QUIC_RECORD_H -# define OSSL_QUIC_RECORD_H - -# include -# include "internal/quic_wire_pkt.h" -# include "internal/quic_types.h" -# include "internal/quic_record_util.h" -# include "internal/quic_demux.h" - -/* - * QUIC Record Layer - * ================= - */ -typedef struct ossl_qrl_st OSSL_QRL; - -typedef struct ossl_qrl_args_st { - OSSL_LIB_CTX *libctx; - const char *propq; - - /* Demux to receive datagrams from. */ - QUIC_DEMUX *rx_demux; - - /* Length of connection IDs used in short-header packets in bytes. */ - size_t short_conn_id_len; - - /* Initial reference PN used for RX. */ - QUIC_PN rx_init_largest_pn[QUIC_PN_SPACE_NUM]; -} OSSL_QRL_ARGS; - -/* Instantiates a new QRL. */ -OSSL_QRL *ossl_qrl_new(const OSSL_QRL_ARGS *args); - -/* - * Frees the QRL. All packets obtained using ossl_qrl_read_pkt must already - * have been released by calling ossl_qrl_release_pkt. - * - * You do not need to call ossl_qrl_remove_dst_conn_id first; this function will - * unregister the QRL from the demuxer for all registered destination connection - * IDs (DCIDs) automatically. - */ -void ossl_qrl_free(OSSL_QRL *qrl); - -/* - * DCID Management - * =============== - */ - -/* - * Adds a given DCID to the QRL. The QRL will register the DCID with the demuxer - * so that incoming packets with that DCID are passed to the given QRL. Multiple - * DCIDs may be associated with a QRL at any one time. You will need to add at - * least one DCID after instantiating the QRL. A zero-length DCID is a valid - * input to this function. This function fails if the DCID is already - * registered. - * - * Returns 1 on success or 0 on error. - */ -int ossl_qrl_add_dst_conn_id(OSSL_QRL *qrl, - const QUIC_CONN_ID *dst_conn_id); - -/* - * Remove a DCID previously registered with ossl_qrl_add_dst_conn_id. The DCID - * is unregistered from the demuxer. Fails if the DCID is not registered with - * the demuxer. - * - * Returns 1 on success or 0 on error. - */ -int ossl_qrl_remove_dst_conn_id(OSSL_QRL *qrl, - const QUIC_CONN_ID *dst_conn_id); - -/* - * Secret Management - * ================= - * - * A QRL has several encryption levels (Initial, Handshake, 0-RTT, 1-RTT) and - * two directions (RX, TX). At any given time, key material is managed for each - * (EL, RX/TX) combination. - * - * Broadly, for a given (EL, RX/TX), the following state machine is applicable: - * - * WAITING_FOR_KEYS --[Provide]--> HAVE_KEYS --[Discard]--> | DISCARDED | - * \-------------------------------------[Discard]--> | | - * - * To transition the RX side of an EL from WAITING_FOR_KEYS to HAVE_KEYS, call - * ossl_qrl_provide_rx_secret (or for the INITIAL EL, - * ossl_qrl_provide_rx_secret_initial). - * - * Once keys have been provisioned for an EL, you call - * ossl_qrl_discard_enc_level to transition the EL to the DISCARDED state. You - * can also call this function to transition directly to the DISCARDED state - * even before any keys have been provisioned for that EL. - * - * The DISCARDED state is terminal for a given EL; you cannot provide a secret - * again for that EL after reaching it. - * - * Incoming packets cannot be processed and decrypted if they target an EL - * not in the HAVE_KEYS state. However, there is a distinction between - * the WAITING_FOR_KEYS and DISCARDED states: - * - * - In the WAITING_FOR_KEYS state, the QRL assumes keys for the given - * EL will eventually arrive. Therefore, if it receives any packet - * for an EL in this state, it buffers it and tries to process it - * again once the EL reaches HAVE_KEYS. - * - * - In the DISCARDED state, the QRL assumes no keys for the given - * EL will ever arrive again. If it receives any packet for an EL - * in this state, it is simply discarded. - * - * If the user wishes to instantiate a new QRL to replace an old one for - * whatever reason, for example to take over for an already established QUIC - * connection, it is important that all ELs no longer being used (i.e., INITIAL, - * 0-RTT, 1-RTT) are transitioned to the DISCARDED state. Otherwise, the QRL - * will assume that keys for these ELs will arrive in future, and will buffer - * any received packets for those ELs perpetually. This can be done by calling - * ossl_qrl_discard_enc_level for all non-1-RTT ELs immediately after - * instantiating the QRL. - * - * The INITIAL EL is not setup automatically when the QRL is instantiated. This - * allows the caller to instead discard it immediately after instantiation of - * the QRL if it is not needed, for example if the QRL is being instantiated to - * take over handling of an existing connection which has already passed the - * INITIAL phase. This avoids the unnecessary derivation of INITIAL keys where - * they are not needed. In the ordinary case, ossl_qrl_provide_rx_secret_initial - * should be called immediately after instantiation. - */ - -/* - * A QUIC client sends its first INITIAL packet with a random DCID, which is - * used to compute the secret used for INITIAL packet encryption. This function - * must be called to provide the DCID used for INITIAL packet secret computation - * before the QRL can process any INITIAL response packets. - * - * It is possible to use the QRL without ever calling this, for example if there - * is no desire to handle INITIAL packets (e.g. if the QRL is instantiated to - * succeed a previous QRL and handle a connection which is already established.) - * However, in this case you should make sure you call - * ossl_qrl_discard_enc_level (see above). - * - * Returns 1 on success or 0 on error. - */ -int ossl_qrl_provide_rx_secret_initial(OSSL_QRL *qrl, - const QUIC_CONN_ID *dst_conn_id); - -/* - * Provides a secret to the QRL, which arises due to an encryption level change. - * enc_level is a QUIC_ENC_LEVEL_* value. This function cannot be used to - * initialise the INITIAL encryption level; see - * ossl_qrl_provide_rx_secret_initial instead. - * - * You should seek to call this function for a given EL before packets of that - * EL arrive and are processed by the QRL. However, if packets have already - * arrived for a given EL, the QRL will defer processing of them and perform - * processing of them when this function is eventually called for the EL in - * question. - * - * suite_id is a QRL_SUITE_* value which determines the AEAD function used for - * the QRL. - * - * The secret passed is used directly to derive the "quic key", "quic iv" and - * "quic hp" values. - * - * secret_len is the length of the secret buffer in bytes. The buffer must be - * sized correctly to the chosen suite, else the function fails. - * - * This function can only be called once for a given EL. Subsequent calls fail, - * as do calls made after a corresponding call to ossl_qrl_discard_enc_level for - * that EL. The secret for a EL cannot be changed after it is set because QUIC - * has no facility for introducing additional key material after an EL is setup. - * QUIC key updates are managed automatically by the QRL and do not require user - * intervention. - * - * Returns 1 on success or 0 on failure. - */ -int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, - uint32_t enc_level, - uint32_t suite_id, - const unsigned char *secret, - size_t secret_len); - -/* - * Informs the QRL that it can now discard key material for a given EL. The QRL - * will no longer be able to process incoming packets received at that - * encryption level. This function is idempotent and succeeds if the EL has - * already been discarded. - * - * Returns 1 on success and 0 on failure. - */ -int ossl_qrl_discard_enc_level(OSSL_QRL *qrl, uint32_t enc_level); - -/* - * Packet Reception - * ================ - */ - -/* Information about a received packet. */ -typedef struct ossl_qrl_rx_pkt_st { - /* Opaque handle to be passed to ossl_qrl_release_pkt. */ - void *handle; - - /* - * Points to a logical representation of the decoded QUIC packet header. The - * data and len fields point to the decrypted QUIC payload (i.e., to a - * sequence of zero or more (potentially malformed) frames to be decoded). - */ - QUIC_PKT_HDR *hdr; - - /* - * Address the packet was received from. If this is not available for this - * packet, this field is NULL (but this can only occur for manually injected - * packets). - */ - const BIO_ADDR *peer; - - /* - * Local address the packet was sent to. If this is not available for this - * packet, this field is NULL. - */ - const BIO_ADDR *local; - - /* - * This is the length of the datagram which contained this packet. Note that - * the datagram may have contained other packets than this. The intended use - * for this is so that the user can enforce minimum datagram sizes (e.g. for - * datagrams containing INITIAL packets), as required by RFC 9000. - */ - size_t datagram_len; -} OSSL_QRL_RX_PKT; - -/* - * Tries to read a new decrypted packet from the QRL. - * - * On success, all fields of *pkt are filled and 1 is returned. - * Else, returns 0. - * - * The resources referenced by pkt->hdr, pkt->data and pkt->peer will remain - * allocated at least until the user frees them by calling ossl_qrl_release_pkt, - * which must be called once you are done with the packet. - */ -int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt); - -/* - * Release the resources pointed to by an OSSL_QRL_RX_PKT returned by - * ossl_qrl_read_pkt. Pass the opaque value pkt->handle returned in the - * structure. - */ -void ossl_qrl_release_pkt(OSSL_QRL *qrl, void *handle); - -/* - * Returns 1 if there are any already processed (i.e. decrypted) packets waiting - * to be read from the QRL. - */ -int ossl_qrl_processed_read_pending(OSSL_QRL *qrl); - -/* - * Returns 1 if there arre any unprocessed (i.e. not yet decrypted) packets - * waiting to be processed by the QRL. These may or may not result in - * successfully decrypted packets once processed. This indicates whether - * unprocessed data is buffered by the QRL, not whether any data is available in - * a kernel socket buffer. - */ -int ossl_qrl_unprocessed_read_pending(OSSL_QRL *qrl); - -/* - * Returns the number of UDP payload bytes received from the network so far - * since the last time this counter was cleared. If clear is 1, clears the - * counter and returns the old value. - * - * The intended use of this is to allow callers to determine how much credit to - * add to their anti-amplification budgets. This is reported separately instead - * of in the OSSL_QRL_RX_PKT structure so that a caller can apply - * anti-amplification credit as soon as a datagram is received, before it has - * necessarily read all processed packets contained within that datagram from - * the QRL. - */ -uint64_t ossl_qrl_get_bytes_received(OSSL_QRL *qrl, int clear); - -/* - * Sets a callback which is called when a packet is received and being - * validated before being queued in the read queue. This is called before packet - * body decryption. pn_space is a QUIC_PN_SPACE_* value denoting which PN space - * the PN belongs to. - * - * If this callback returns 1, processing continues normally. - * If this callback returns 0, the packet is discarded. - * - * Other packets in the same datagram will still be processed where possible. - * - * The intended use for this function is to allow early validation of whether - * a PN is a potential duplicate before spending CPU time decrypting the - * packet payload. - * - * The callback is optional and can be unset by passing NULL for cb. - * cb_arg is an opaque value passed to cb. - */ -typedef int (ossl_qrl_early_rx_validation_cb)(QUIC_PN pn, int pn_space, - void *arg); - -int ossl_qrl_set_early_rx_validation_cb(OSSL_QRL *qrl, - ossl_qrl_early_rx_validation_cb *cb, - void *cb_arg); - -#endif diff --git a/include/internal/quic_record_rx.h b/include/internal/quic_record_rx.h new file mode 100644 index 0000000000..8f9ffab365 --- /dev/null +++ b/include/internal/quic_record_rx.h @@ -0,0 +1,488 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_RECORD_RX_H +# define OSSL_QUIC_RECORD_RX_H + +# include +# include "internal/quic_wire_pkt.h" +# include "internal/quic_types.h" +# include "internal/quic_record_util.h" +# include "internal/quic_demux.h" + +/* + * QUIC Record Layer - RX + * ====================== + */ +typedef struct ossl_qrx_st OSSL_QRX; + +typedef struct ossl_qrx_args_st { + OSSL_LIB_CTX *libctx; + const char *propq; + + /* Demux to receive datagrams from. */ + QUIC_DEMUX *demux; + + /* Length of connection IDs used in short-header packets in bytes. */ + size_t short_conn_id_len; + + /* Initial reference PN used for RX. */ + QUIC_PN init_largest_pn[QUIC_PN_SPACE_NUM]; +} OSSL_QRX_ARGS; + +/* Instantiates a new QRX. */ +OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args); + +/* + * Frees the QRX. All packets obtained using ossl_qrx_read_pkt must already + * have been released by calling ossl_qrx_release_pkt. + * + * You do not need to call ossl_qrx_remove_dst_conn_id first; this function will + * unregister the QRX from the demuxer for all registered destination connection + * IDs (DCIDs) automatically. + */ +void ossl_qrx_free(OSSL_QRX *qrx); + +/* + * DCID Management + * =============== + */ + +/* + * Adds a given DCID to the QRX. The QRX will register the DCID with the demuxer + * so that incoming packets with that DCID are passed to the given QRX. Multiple + * DCIDs may be associated with a QRX at any one time. You will need to add at + * least one DCID after instantiating the QRX. A zero-length DCID is a valid + * input to this function. This function fails if the DCID is already + * registered. + * + * Returns 1 on success or 0 on error. + */ +int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx, + const QUIC_CONN_ID *dst_conn_id); + +/* + * Remove a DCID previously registered with ossl_qrx_add_dst_conn_id. The DCID + * is unregistered from the demuxer. Fails if the DCID is not registered with + * the demuxer. + * + * Returns 1 on success or 0 on error. + */ +int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx, + const QUIC_CONN_ID *dst_conn_id); + +/* + * Secret Management + * ================= + * + * A QRX has several encryption levels (Initial, Handshake, 0-RTT, 1-RTT) and + * two directions (RX, TX). At any given time, key material is managed for each + * (EL, RX/TX) combination. + * + * Broadly, for a given (EL, RX/TX), the following state machine is applicable: + * + * WAITING_FOR_KEYS --[Provide]--> HAVE_KEYS --[Discard]--> | DISCARDED | + * \-------------------------------------[Discard]--> | | + * + * To transition the RX side of an EL from WAITING_FOR_KEYS to HAVE_KEYS, call + * ossl_qrx_provide_secret (for the INITIAL EL, use of + * ossl_qrl_provide_initial_secret is recommended). + * + * Once keys have been provisioned for an EL, you call + * ossl_qrx_discard_enc_level to transition the EL to the DISCARDED state. You + * can also call this function to transition directly to the DISCARDED state + * even before any keys have been provisioned for that EL. + * + * The DISCARDED state is terminal for a given EL; you cannot provide a secret + * again for that EL after reaching it. + * + * Incoming packets cannot be processed and decrypted if they target an EL + * not in the HAVE_KEYS state. However, there is a distinction between + * the WAITING_FOR_KEYS and DISCARDED states: + * + * - In the WAITING_FOR_KEYS state, the QRX assumes keys for the given + * EL will eventually arrive. Therefore, if it receives any packet + * for an EL in this state, it buffers it and tries to process it + * again once the EL reaches HAVE_KEYS. + * + * - In the DISCARDED state, the QRX assumes no keys for the given + * EL will ever arrive again. If it receives any packet for an EL + * in this state, it is simply discarded. + * + * If the user wishes to instantiate a new QRX to replace an old one for + * whatever reason, for example to take over for an already established QUIC + * connection, it is important that all ELs no longer being used (i.e., INITIAL, + * 0-RTT, 1-RTT) are transitioned to the DISCARDED state. Otherwise, the QRX + * will assume that keys for these ELs will arrive in future, and will buffer + * any received packets for those ELs perpetually. This can be done by calling + * ossl_qrx_discard_enc_level for all non-1-RTT ELs immediately after + * instantiating the QRX. + * + * The INITIAL EL is not setup automatically when the QRX is instantiated. This + * allows the caller to instead discard it immediately after instantiation of + * the QRX if it is not needed, for example if the QRX is being instantiated to + * take over handling of an existing connection which has already passed the + * INITIAL phase. This avoids the unnecessary derivation of INITIAL keys where + * they are not needed. In the ordinary case, ossl_qrx_provide_secret_initial + * should be called immediately after instantiation. + */ + +/* + * Provides a secret to the QRX, which arises due to an encryption level change. + * enc_level is a QUIC_ENC_LEVEL_* value. To initialise the INITIAL encryption + * level, it is recommended to use ossl_qrl_provide_initial_secret instead. + * + * You should seek to call this function for a given EL before packets of that + * EL arrive and are processed by the QRX. However, if packets have already + * arrived for a given EL, the QRX will defer processing of them and perform + * processing of them when this function is eventually called for the EL in + * question. + * + * suite_id is a QRX_SUITE_* value which determines the AEAD function used for + * the QRX. + * + * The secret passed is used directly to derive the "quic key", "quic iv" and + * "quic hp" values. + * + * secret_len is the length of the secret buffer in bytes. The buffer must be + * sized correctly to the chosen suite, else the function fails. + * + * This function can only be called once for a given EL. Subsequent calls fail, + * as do calls made after a corresponding call to ossl_qrx_discard_enc_level for + * that EL. The secret for a EL cannot be changed after it is set because QUIC + * has no facility for introducing additional key material after an EL is setup. + * QUIC key updates are managed automatically by the QRX and do not require user + * intervention. + * + * md is for internal use and should be NULL. + * + * Returns 1 on success or 0 on failure. + */ +int ossl_qrx_provide_secret(OSSL_QRX *qrx, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len); + +/* + * Informs the QRX that it can now discard key material for a given EL. The QRX + * will no longer be able to process incoming packets received at that + * encryption level. This function is idempotent and succeeds if the EL has + * already been discarded. + * + * Returns 1 on success and 0 on failure. + */ +int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level); + +/* + * Packet Reception + * ================ + */ + +/* Information about a received packet. */ +typedef struct ossl_qrx_pkt_st { + /* Opaque handle to be passed to ossl_qrx_release_pkt. */ + void *handle; + + /* + * Points to a logical representation of the decoded QUIC packet header. The + * data and len fields point to the decrypted QUIC payload (i.e., to a + * sequence of zero or more (potentially malformed) frames to be decoded). + */ + QUIC_PKT_HDR *hdr; + + /* + * Address the packet was received from. If this is not available for this + * packet, this field is NULL (but this can only occur for manually injected + * packets). + */ + const BIO_ADDR *peer; + + /* + * Local address the packet was sent to. If this is not available for this + * packet, this field is NULL. + */ + const BIO_ADDR *local; + + /* + * This is the length of the datagram which contained this packet. Note that + * the datagram may have contained other packets than this. The intended use + * for this is so that the user can enforce minimum datagram sizes (e.g. for + * datagrams containing INITIAL packets), as required by RFC 9000. + */ + size_t datagram_len; +} OSSL_QRX_PKT; + +/* + * Tries to read a new decrypted packet from the QRX. + * + * On success, all fields of *pkt are filled and 1 is returned. + * Else, returns 0. + * + * The resources referenced by pkt->hdr, pkt->data and pkt->peer will remain + * allocated at least until the user frees them by calling ossl_qrx_release_pkt, + * which must be called once you are done with the packet. + */ +int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt); + +/* + * Release the resources pointed to by an OSSL_QRX_PKT returned by + * ossl_qrx_read_pkt. Pass the opaque value pkt->handle returned in the + * structure. + */ +void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle); + +/* + * Returns 1 if there are any already processed (i.e. decrypted) packets waiting + * to be read from the QRX. + */ +int ossl_qrx_processed_read_pending(OSSL_QRX *qrx); + +/* + * Returns 1 if there arre any unprocessed (i.e. not yet decrypted) packets + * waiting to be processed by the QRX. These may or may not result in + * successfully decrypted packets once processed. This indicates whether + * unprocessed data is buffered by the QRX, not whether any data is available in + * a kernel socket buffer. + */ +int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx); + +/* + * Returns the number of UDP payload bytes received from the network so far + * since the last time this counter was cleared. If clear is 1, clears the + * counter and returns the old value. + * + * The intended use of this is to allow callers to determine how much credit to + * add to their anti-amplification budgets. This is reported separately instead + * of in the OSSL_QRX_PKT structure so that a caller can apply + * anti-amplification credit as soon as a datagram is received, before it has + * necessarily read all processed packets contained within that datagram from + * the QRX. + */ +uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear); + +/* + * Sets a callback which is called when a packet is received and being + * validated before being queued in the read queue. This is called before packet + * body decryption. pn_space is a QUIC_PN_SPACE_* value denoting which PN space + * the PN belongs to. + * + * If this callback returns 1, processing continues normally. + * If this callback returns 0, the packet is discarded. + * + * Other packets in the same datagram will still be processed where possible. + * + * The intended use for this function is to allow early validation of whether + * a PN is a potential duplicate before spending CPU time decrypting the + * packet payload. + * + * The callback is optional and can be unset by passing NULL for cb. + * cb_arg is an opaque value passed to cb. + */ +typedef int (ossl_qrx_early_validation_cb)(QUIC_PN pn, int pn_space, + void *arg); + +int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx, + ossl_qrx_early_validation_cb *cb, + void *cb_arg); + +/* + * Key Update (RX) + * =============== + * + * Key update on the RX side is a largely but not entirely automatic process. + * + * Key update is initially triggered by receiving a 1-RTT packet with a + * different Key Phase value. This could be caused by an attacker in the network + * flipping random bits, therefore such a key update is tentative until the + * packet payload is successfully decrypted and authenticated by the AEAD with + * the 'next' keys. These 'next' keys then become the 'current' keys and the + * 'current' keys then become the 'previous' keys. The 'previous' keys must be + * kept around temporarily as some packets may still be in flight in the network + * encrypted with the old keys. If the old Key Phase value is X and the new Key + * Phase Value is Y (where obviously X != Y), this creates an ambiguity as any + * new packet received with a KP of X could either be an attempt to initiate yet + * another key update right after the last one, or an old packet encrypted + * before the key update. + * + * RFC 9001 provides some guidance on handling this issue: + * + * Strategy 1: + * Three keys, disambiguation using packet numbers + * + * "A recovered PN that is lower than any PN from the current KP uses the + * previous packet protection keys; a recovered PN that is higher than any + * PN from the current KP requires use of the next packet protection + * keys." + * + * Strategy 2: + * Two keys and a timer + * + * "Alternatively, endpoints can retain only two sets of packet protection + * neys, swapping previous keys for next after enough time has passed to + * allow for reordering in the network. In this case, the KP bit alone can + * be used to select keys." + * + * Strategy 2 is more efficient (we can keep fewer cipher contexts around) and + * should cover all actually possible network conditions. It also allows a delay + * after we make the 'next' keys our 'current' keys before we generate new + * 'next' keys, which allows us to mitigate against malicious peers who try to + * initiate an excessive number of key updates. + * + * We therefore model the following state machine: + * + * + * PROVISIONED + * _______________________________ + * | | + * UNPROVISIONED --|----> NORMAL <----------\ |------> DROPPED + * | | | | + * | | | | + * | v | | + * | UPDATE_CONFIRMED | | + * | | | | + * | | | | + * | v | | + * | COOLDOWN | | + * | | | | + * | | | | + * | \---------------| | + * |_______________________________| + * + * + * The RX starts (once a secret has been provisioned) in the NORMAL state. In + * the NORMAL state, the current expected value of the Key Phase bit is + * recorded. When a flipped Key Phase bit is detected, the RX attempts to + * decrypt and authenticate the received packet with the 'next' keys rather than + * the 'current' keys. If (and only if) this authentication is successful, we + * move to the UPDATE_CONFIRMED state. (An attacker in the network could flip + * the Key Phase bit randomly, so it is essential we do nothing until AEAD + * authentication is complete.) + * + * In the UPDATE_CONFIRMED state, we know a key update is occurring and record + * the new Key Phase bit value as the newly current value, but we still keep the + * old keys around so that we can still process any packets which were still in + * flight when the key update was initiated. In the UPDATE_CONFIRMED state, a + * Key Phase bit value different to the current expected value is treated not as +* the initiation of another key update, but a reference to our old keys. + * + * Eventually we will be reasonably sure we are not going to receive any more + * packets with the old keys. At this point, we can transition to the COOLDOWN + * state. This transition occurs automatically after a certain amount of time; + * RFC 9001 recommends it be the PTO interval, which relates to our RTT to the + * peer. The duration also SHOULD NOT exceed three times the PTO to assist with + * maintaining PFS. + * + * In the COOLDOWN phase, the old keys have been securely erased and only one + * set of keys can be used: the current keys. If a packet is received with a Key + * Phase bit value different to the current Key Phase Bit value, this is treated + * as a request for a Key Update, but this request is ignored and the packet is + * treated as malformed. We do this to allow mitigation against malicious peers + * trying to initiate an excessive number of Key Updates. The timeout for the + * transition from UPDATE_CONFIRMED to COOLDOWN is recommended as adequate for + * this purpose in itself by the RFC, so the normal additional timeout value for + * the transition from COOLDOWN to normal is zero (immediate transition). + * + * A summary of each state: + * + * Exp KP Uses Keys KS0 KS1 If Non-Expected KP Bit + * ------ --------- ------ ----- ---------------------- + * NORMAL 0 Keyset 0 Gen 0 Gen 1 → UPDATE_CONFIRMED + * UPDATE_CONFIRMED 1 Keyset 1 Gen 0 Gen 1 Use Keyset 0 + * COOLDOWN 1 Keyset 1 Erased Gen 1 Ignore Packet + * + * NORMAL 1 Keyset 1 Gen 2 Gen 1 → UPDATE_CONFIRMED + * UPDATE_CONFIRMED 0 Keyset 0 Gen 2 Gen 1 Use Keyset 1 + * COOLDOWN 0 Keyset 0 Gen 2 Erased Ignore Packet + * + * Note that the key material for the next key generation ("key epoch") is + * always kept in the NORMAL state (necessary to avoid side-channel attacks). + * This material is derived during the transition from COOLDOWN to NORMAL. + * + * Note that when a peer initiates a Key Update, we MUST also initiate a Key + * Update as per the RFC. The caller is responsible for detecting this condition + * and making the necessary calls to the TX side by detecting changes to the + * return value of ossl_qrx_get_key_epoch(). + * + * The above states (NORMAL, UPDATE_CONFIRMED, COOLDOWN) can themselves be + * considered substates of the PROVISIONED state. Providing a secret to the QRX + * for an EL transitions from UNPROVISIONED, the initial state, to PROVISIONED + * (NORMAL). Dropping key material for an EL transitions from whatever the + * current substate of the PROVISIONED state is to the DROPPED state, which is + * the terminal state. + * + * Note that non-1RTT ELs cannot undergo key update, therefore a non-1RT EL is + * always in the NORMAL substate if it is in the PROVISIONED state. + */ + +/* + * Return the current RX key epoch. This is initially zero and is incremented by + * one for every Key Update successfully signalled by the peer. + * + * A necessary implication of this API is that the least significant bit of the + * returned value corresponds to the currently expected Key Phase bit, though + * callers are not anticipated to have any need of this information. + * + * It is not possible for the returned value to overflow, as a QUIC connection + * cannot support more than 2**62 packet numbers, and a connection must be + * terminated if this limit is reached. + * + * The caller should use this function to detect when the key epoch has changed + * and use it to initiate a key update on the TX side. + * + * The value returned by this function increments specifically at the transition + * from the NORMAL to the UPDATE_CONFIRMED state discussed above. + */ +uint64_t ossl_qrx_get_key_epoch(OSSL_QRX *qrx); + +/* + * The caller should call this after the UPDATE_CONFIRMED state is reached, + * after a timeout to be determined by the caller. + * + * This transitions from the UPDATE_CONFIRMED state to the COOLDOWN state (if + * still in the UPDATE_CONFIRMED state). If normal is 1, then transitions from + * the COOLDOWN state to the NORMAL state. Both transitions can be performed at + * once if desired. + * + * If in the normal state, or if in the COOLDOWN state and normal is 0, this is + * a no-op and returns 1. + * + * It is essential that the caller call this within a few PTO intervals of a key + * update occurring (as detected by the caller in a call to + * ossl_qrx_key_get_key_epoch()), as otherwise the peer will not be able to + * perform a Key Update ever again. + */ +int ossl_qrx_key_update_timeout(OSSL_QRX *qrx, int normal); + + +/* + * Key Expiration + * ============== + */ + +/* + * Returns the number of seemingly forged packets which have been received by + * the QRX. If this value reaches the value returned by + * ossl_qrx_get_max_epoch_forged_pkt_count(), all further received encrypted + * packets will be discarded without processing; thus, callers should trigger a + * key update on the TX side (which will cause the peer to trigger a key update + * on our RX side) well before this occurs. + */ +uint64_t ossl_qrx_get_cur_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level); + +/* + * Returns the maximum number of forged packets which the record layer + * will permit to be verified using the current set of RX keys. + */ +uint64_t ossl_qrx_get_max_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level); + +#endif diff --git a/include/internal/quic_record_tx.h b/include/internal/quic_record_tx.h new file mode 100644 index 0000000000..13405ad578 --- /dev/null +++ b/include/internal/quic_record_tx.h @@ -0,0 +1,293 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_RECORD_TX_H +# define OSSL_QUIC_RECORD_TX_H + +# include +# include "internal/quic_wire_pkt.h" +# include "internal/quic_types.h" +# include "internal/quic_record_util.h" + +/* + * QUIC Record Layer - TX + * ====================== + */ +typedef struct ossl_qtx_st OSSL_QTX; + +typedef struct ossl_qtx_args_st { + OSSL_LIB_CTX *libctx; + const char *propq; + + /* BIO to transmit to. */ + BIO *bio; + + /* Maximum datagram payload length (MDPL) for TX purposes. */ + size_t mdpl; +} OSSL_QTX_ARGS; + +/* Instantiates a new QTX. */ +OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args); + +/* Frees the QTX. */ +void ossl_qtx_free(OSSL_QTX *qtx); + +/* + * Secret Management + * ----------------- + */ + +/* + * Provides a secret to the QTX, which arises due to an encryption level change. + * enc_level is a QUIC_ENC_LEVEL_* value. + * + * This function can be used to initialise the INITIAL encryption level, but you + * should not do so directly; see the utility function + * ossl_qrl_provide_initial_secret() instead, which can initialise the INITIAL + * encryption level of a QRX and QTX simultaneously without duplicating certain + * key derivation steps. + * + * You must call this function for a given EL before transmitting packets at + * that EL using this QTX, otherwise ossl_qtx_write_pkt will fail. + * + * suite_id is a QRL_SUITE_* value which determines the AEAD function used for + * the QTX. + * + * The secret passed is used directly to derive the "quic key", "quic iv" and + * "quic hp" values. + * + * secret_len is the length of the secret buffer in bytes. The buffer must be + * sized correctly to the chosen suite, else the function fails. + * + * This function can only be called once for a given EL. Subsequent calls fail, + * as do calls made after a corresponding call to ossl_qtx_discard_enc_level for + * that EL. The secret for a EL cannot be changed after it is set because QUIC + * has no facility for introducing additional key material after an EL is setup. + * (QUIC key updates generate new keys from existing key material and do not + * introduce new entropy into a connection's key material.) + * + * Returns 1 on success or 0 on failure. + */ +int ossl_qtx_provide_secret(OSSL_QTX *qtx, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len); + +/* + * Informs the QTX that it can now discard key material for a given EL. The QTX + * will no longer be able to generate packets at that EL. This function is + * idempotent and succeeds if the EL has already been discarded. + * + * Returns 1 on success and 0 on failure. + */ +int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level); + + +/* + * Packet Transmission + * ------------------- + */ +typedef struct ossl_qtx_iovec_st { + const unsigned char *buf; + size_t buf_len; +} OSSL_QTX_IOVEC; + +typedef struct ossl_qtx_pkt_st { + /* Logical packet header to be serialized. */ + QUIC_PKT_HDR *hdr; + + /* + * iovecs expressing the logical packet payload buffer. Zero-length entries + * are permitted. + */ + const OSSL_QTX_IOVEC *iovec; + size_t num_iovec; + + /* Destination address. Will be passed through to the BIO if non-NULL. */ + const BIO_ADDR *peer; + + /* + * Local address (optional). Specify as non-NULL only if TX BIO + * has local address support enabled. + */ + const BIO_ADDR *local; + + /* + * Logical PN. Used for encryption. This will automatically be encoded to + * hdr->pn, which need not be initialized. + */ + QUIC_PN pn; + + /* Packet flags. Zero or more OSSL_QTX_PKT_FLAG_* values. */ + uint32_t flags; +} OSSL_QTX_PKT; + +/* + * More packets will be written which should be coalesced into a single + * datagram; do not send this packet yet. To use this, set this flag for all + * packets but the final packet in a datagram, then send the final packet + * without this flag set. + * + * This flag is not a guarantee and the QTX may transmit immediately anyway if + * it is not possible to fit any more packets in the current datagram. + * + * If the caller change its mind and needs to cause a packet queued with + * COALESCE after having passed it to this function but without writing another + * packet, it should call ossl_qtx_flush_pkt(). + */ +#define OSSL_QTX_PKT_FLAG_COALESCE (1U << 0) + +/* + * Writes a packet. + * + * *pkt need be valid only for the duration of the call to this function. + * + * pkt->hdr->data and pkt->hdr->len are unused. The payload buffer is specified + * via an array of OSSL_QTX_IOVEC structures. The API is designed to support + * single-copy transmission; data is copied from the iovecs as it is encrypted + * into an internal staging buffer for transmission. + * + * The function may modify and clobber pkt->hdr->data, pkt->hdr->len, + * pkt->hdr->key_phase and pkt->hdr->pn for its own internal use. No other + * fields of pkt or pkt->hdr will be modified. + * + * It is the callers responsibility to determine how long the PN field in the + * encoded packet should be by setting pkt->hdr->pn_len. This function takes + * care of the PN encoding. Set pkt->pn to the desired PN. + * + * The packet is queued regardless of whether it is able to be sent immediately. + * Returns 1 on success or 0 on failure. + */ +int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt); + +/* + * Finish any incomplete datagrams for transmission which were flagged for + * coalescing. If there is no current coalescing datagram, this is a no-op. + */ +void ossl_qtx_finish_dgram(OSSL_QTX *qtx); + +/* + * (Attempt to) flush any datagrams which are queued for transmission. Note that + * this does not cancel coalescing; call ossl_qtx_finish_dgram() first if that + * is desired. The queue is drained into the OS's sockets as much as possible. + * To determine if there is still data to be sent after calling this function, + * use ossl_qtx_get_queue_len_bytes(). + */ +void ossl_qtx_flush_net(OSSL_QTX *qtx); + +/* + * Diagnostic function. If there is any datagram pending transmission, pops it + * and writes the details of the datagram as they would have been passed to + * *msg. Returns 1, or 0 if there are no datagrams pending. For test use only. + */ +int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg); + +/* Returns number of datagrams which are fully-formed but not yet sent. */ +size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx); + +/* + * Returns number of payload bytes across all datagrams which are fully-formed + * but not yet sent. Does not count any incomplete coalescing datagram. + */ +size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx); + +/* + * Returns number of bytes in the current coalescing datagram, or 0 if there is + * no current coalescing datagram. Returns 0 after a call to + * ossl_qtx_finish_dgram(). + */ +size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx); + +/* + * Returns number of queued coalesced packets which have not been put into a + * datagram yet. If this is non-zero, ossl_qtx_flush_pkt() needs to be called. + */ +size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx); + +/* + * Change the BIO being used by the QTX. May be NULL if actual transmission is + * not currently required. + */ +int ossl_qtx_set1_bio(OSSL_QTX *qtx, BIO *bio); + +/* Changes the MDPL. */ +int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl); + + +/* + * Key Update + * ---------- + * + * For additional discussion of key update considerations, see QRX header file. + */ + +/* + * Triggers a key update. The key update will be started by inverting the Key + * Phase bit of the next packet transmitted; no key update occurs until the next + * packet is transmitted. Thus, this function should generally be called + * immediately before queueing the next packet. + * + * There are substantial requirements imposed by RFC 9001 on under what + * circumstances a key update can be initiated. The caller is responsible for + * meeting most of these requirements. For example, this function cannot be + * called too soon after a previous key update has occurred. Key updates also + * cannot be initiated until the 1-RTT encryption level is reached. + * + * As a sanity check, this function will fail and return 0 if the non-1RTT + * encryption levels have not yet been dropped. + * + * The caller may decide itself to initiate a key update, but it also MUST + * initiate a key update where it detects that the peer has initiated a key + * update. The caller is responsible for initiating a TX key update by calling + * this function in this circumstance; thus, the caller is responsible for + * coupling the RX and TX QUIC record layers in this way. + */ +int ossl_qtx_trigger_key_update(OSSL_QTX *qtx); + + +/* + * Key Expiration + * -------------- + */ + +/* + * Returns the number of packets which have been encrypted for transmission with + * the current set of TX keys (the current "TX key epoch"). Reset to zero after + * a key update and incremented for each packet queued. If enc_level is not + * valid or relates to an EL which is not currently available, returns + * UINT64_MAX. + */ +uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level); + +/* + * Returns the maximum number of packets which the record layer will permit to + * be encrypted using the current set of TX keys. If this limit is reached (that + * is, if the counter returned by ossl_qrx_tx_get_cur_epoch_pkt_count() reaches + * this value), as a safety measure, the QTX will not permit any further packets + * to be queued. All calls to ossl_qrx_write_pkt that try to send packets of a + * kind which need to be encrypted will fail. It is not possible to recover from + * this condition and the QTX must then be destroyed; therefore, callers should + * ensure they always trigger a key update well in advance of reaching this + * limit. + * + * The value returned by this function is based on the ciphersuite configured + * for the given encryption level. If keys have not been provisioned for the + * specified enc_level or the enc_level argument is invalid, this function + * returns UINT64_MAX, which is not a valid value. Note that it is not possible + * to perform a key update at any encryption level other than 1-RTT, therefore + * if this limit is reached at earlier encryption levels (which should not be + * possible) the connection must be terminated. Since this condition precludes + * the transmission of further packets, the only possible signalling of such an + * error condition to a peer is a Stateless Reset packet. + */ +uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level); + +#endif diff --git a/include/internal/quic_record_util.h b/include/internal/quic_record_util.h index cc103505c4..739b876576 100644 --- a/include/internal/quic_record_util.h +++ b/include/internal/quic_record_util.h @@ -11,6 +11,10 @@ # define OSSL_QUIC_RECORD_UTIL_H # include +# include "internal/quic_types.h" + +struct ossl_qrx_st; +struct ossl_qtx_st; /* * QUIC Key Derivation Utilities @@ -25,6 +29,40 @@ int ossl_quic_hkdf_extract(OSSL_LIB_CTX *libctx, const unsigned char *ikm, size_t ikm_len, unsigned char *out, size_t out_len); +/* + * A QUIC client sends its first INITIAL packet with a random DCID, which + * is used to compute the secrets used for INITIAL packet encryption in both + * directions (both client-to-server and server-to-client). + * + * This function performs the necessary DCID-based key derivation, and then + * provides the derived key material for the INITIAL encryption level to a QRX + * instance, a QTX instance, or both. + * + * This function derives the necessary key material and then: + * - if qrx is non-NULL, provides the appropriate secret to it; + * - if qtx is non-NULL, provides the appropriate secret to it. + * + * If both qrx and qtx are NULL, this is a no-op. This function is equivalent to + * making the appropriate calls to ossl_qrx_provide_secret() and + * ossl_qtx_provide_secret(). + * + * It is possible to use a QRX or QTX without ever calling this, for example if + * there is no desire to handle INITIAL packets (e.g. if a QRX/QTX is + * instantiated to succeed a previous QRX/QTX and handle a connection which is + * already established). However in this case you should make sure you call + * ossl_qrx_discard_enc_level(); see the header for that function for more + * details. Calling ossl_qtx_discard_enc_level() is not essential but could + * protect against programming errors. + * + * Returns 1 on success or 0 on error. + */ +int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx, + const char *propq, + const QUIC_CONN_ID *dst_conn_id, + int is_server, + struct ossl_qrx_st *qrx, + struct ossl_qtx_st *qtx); + /* * QUIC Record Layer Ciphersuite Info * ================================== @@ -59,4 +97,16 @@ uint32_t ossl_qrl_get_suite_hdr_prot_cipher_id(uint32_t suite_id); /* Returns header protection key length in bytes or 0 if suite ID is invalid. */ uint32_t ossl_qrl_get_suite_hdr_prot_key_len(uint32_t suite_id); +/* + * Returns maximum number of packets which may be safely encrypted with a suite + * or 0 if suite ID is invalid. + */ +uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id); + +/* + * Returns maximum number of RX'd packets which may safely fail AEAD decryption + * for a given suite or 0 if suite ID is invalid. + */ +uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id); + #endif diff --git a/include/internal/quic_wire_pkt.h b/include/internal/quic_wire_pkt.h index 614593b920..0c3cbbf673 100644 --- a/include/internal/quic_wire_pkt.h +++ b/include/internal/quic_wire_pkt.h @@ -25,6 +25,27 @@ # define QUIC_PKT_TYPE_1RTT 5 # define QUIC_PKT_TYPE_VERSION_NEG 6 +/* + * Determine encryption level from packet type. Returns QUIC_ENC_LEVEL_NUM if + * the packet is not of a type which is encrypted. + */ +static ossl_inline ossl_unused uint32_t +ossl_quic_pkt_type_to_enc_level(uint32_t pkt_type) +{ + switch (pkt_type) { + case QUIC_PKT_TYPE_INITIAL: + return QUIC_ENC_LEVEL_INITIAL; + case QUIC_PKT_TYPE_HANDSHAKE: + return QUIC_ENC_LEVEL_HANDSHAKE; + case QUIC_PKT_TYPE_0RTT: + return QUIC_ENC_LEVEL_0RTT; + case QUIC_PKT_TYPE_1RTT: + return QUIC_ENC_LEVEL_1RTT; + default: + return QUIC_ENC_LEVEL_NUM; + } +} + /* * Smallest possible QUIC packet size as per RFC (aside from version negotiation * packets). @@ -394,6 +415,16 @@ int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, size_t short_conn_id_len, QUIC_CONN_ID *dst_conn_id); +/* + * Precisely predicts the encoded length of a packet header structure. + * + * May return 0 if the packet header is not valid, but the fact that this + * function returns non-zero does not guarantee that + * ossl_quic_wire_encode_pkt_hdr() will succeed. + */ +int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, + const QUIC_PKT_HDR *hdr); + /* * Packet Number Encoding * ====================== diff --git a/ssl/quic/build.info b/ssl/quic/build.info index 482338be95..82e4da71e4 100644 --- a/ssl/quic/build.info +++ b/ssl/quic/build.info @@ -1,3 +1,3 @@ $LIBSSL=../../libssl -SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record.c quic_record_util.c quic_wire_pkt.c +SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record_rx.c quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c diff --git a/ssl/quic/quic_record.c b/ssl/quic/quic_record_rx.c similarity index 57% rename from ssl/quic/quic_record.c rename to ssl/quic/quic_record_rx.c index 95044d2836..e1093f791b 100644 --- a/ssl/quic/quic_record.c +++ b/ssl/quic/quic_record_rx.c @@ -7,7 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "internal/quic_record.h" +#include "internal/quic_record_rx.h" +#include "quic_record_shared.h" #include "internal/common.h" #include "../ssl_local.h" @@ -53,9 +54,14 @@ struct rxe_st { /* Total length of the datagram which contained this packet. */ size_t datagram_len; + + /* + * alloc_len allocated bytes (of which data_len bytes are valid) follow this + * structure. + */ }; -typedef struct ossl_qrl_rxe_list_st { +typedef struct ossl_qrx_rxe_list_st { RXE *head, *tail; } RXE_LIST; @@ -97,34 +103,12 @@ static void rxe_insert_tail(RXE_LIST *l, RXE *e) * QRL * === */ - -/* (Encryption level, direction)-specific state. */ -typedef struct ossl_qrl_enc_level_st { - /* Hash function used for key derivation. */ - EVP_MD *md; - /* Context used for packet body ciphering. */ - EVP_CIPHER_CTX *cctx; - /* IV used to construct nonces used for AEAD packet body ciphering. */ - unsigned char iv[EVP_MAX_IV_LENGTH]; - /* Have we permanently discarded this encryption level? */ - unsigned char discarded; - /* QRL_SUITE_* value. */ - uint32_t suite_id; - /* Length of authentication tag. */ - uint32_t tag_len; - /* - * Cryptographic context used to apply and remove header protection from - * packet headers. - */ - QUIC_HDR_PROTECTOR hpr; -} OSSL_QRL_ENC_LEVEL; - -struct ossl_qrl_st { +struct ossl_qrx_st { OSSL_LIB_CTX *libctx; const char *propq; /* Demux to receive datagrams from. */ - QUIC_DEMUX *rx_demux; + QUIC_DEMUX *demux; /* Length of connection IDs used in short-header packets in bytes. */ size_t short_conn_id_len; @@ -155,252 +139,44 @@ struct ossl_qrl_st { RXE_LIST rx_pending; /* Largest PN we have received and processed in a given PN space. */ - QUIC_PN rx_largest_pn[QUIC_PN_SPACE_NUM]; + QUIC_PN largest_pn[QUIC_PN_SPACE_NUM]; /* Per encryption-level state. */ - OSSL_QRL_ENC_LEVEL rx_el[QUIC_ENC_LEVEL_NUM]; - OSSL_QRL_ENC_LEVEL tx_el[QUIC_ENC_LEVEL_NUM]; + OSSL_QRL_ENC_LEVEL_SET el_set; /* Bytes we have received since this counter was last cleared. */ uint64_t bytes_received; /* Validation callback. */ - ossl_qrl_early_rx_validation_cb *rx_validation_cb; - void *rx_validation_cb_arg; -}; - -static void qrl_on_rx(QUIC_URXE *urxe, void *arg); - -/* Constants used for key derivation in QUIC v1. */ -static const unsigned char quic_client_in_label[] = { - 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */ -}; -static const unsigned char quic_server_in_label[] = { - 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */ -}; -static const unsigned char quic_v1_iv_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */ + ossl_qrx_early_validation_cb *validation_cb; + void *validation_cb_arg; }; -static const unsigned char quic_v1_key_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */ -}; -static const unsigned char quic_v1_hp_label[] = { - 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */ -}; -/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */ -static const unsigned char quic_v1_initial_salt[] = { - 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, - 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a -}; - -static ossl_inline OSSL_QRL_ENC_LEVEL *qrl_get_el(OSSL_QRL *qrl, - uint32_t enc_level, - int is_tx) -{ - if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM)) - return NULL; - return is_tx ? &qrl->tx_el[enc_level] : &qrl->rx_el[enc_level]; -} - -/* - * Returns 1 if we have key material for a given encryption level, 0 if we do - * not yet have material and -1 if the EL is discarded. - */ -static int qrl_have_el(OSSL_QRL *qrl, uint32_t enc_level, int is_tx) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - - if (el->cctx != NULL) - return 1; - if (el->discarded) - return -1; - return 0; -} - -/* Drops keying material for a given encryption level. */ -static void qrl_el_discard(OSSL_QRL *qrl, uint32_t enc_level, - int is_tx, int final) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - - if (el->discarded) - return; - - if (el->cctx != NULL) { - ossl_quic_hdr_protector_destroy(&el->hpr); - - EVP_CIPHER_CTX_free(el->cctx); - el->cctx = NULL; - - EVP_MD_free(el->md); - el->md = NULL; - } - - /* Zeroise IV. */ - OPENSSL_cleanse(el->iv, sizeof(el->iv)); - - if (final) - el->discarded = 1; -} - -/* - * Sets up cryptographic state for a given encryption level and direction by - * deriving "quic iv", "quic key" and "quic hp" values from a given secret. - * - * md is a hash function used for key derivation. If it is NULL, this function - * fetches the necessary hash function itself. If it is non-NULL, this function - * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided - * must match the suite. - * - * On success where md is non-NULL, takes ownership of the caller's reference to - * md. - */ -static int qrl_el_set_secret(OSSL_QRL *qrl, uint32_t enc_level, - uint32_t suite_id, EVP_MD *md, - int is_tx, - const unsigned char *secret, - size_t secret_len) -{ - OSSL_QRL_ENC_LEVEL *el = qrl_get_el(qrl, enc_level, is_tx); - unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH]; - size_t key_len = 0, hpr_key_len = 0, iv_len = 0; - const char *cipher_name = NULL, *md_name = NULL; - EVP_CIPHER *cipher = NULL; - EVP_CIPHER_CTX *cctx = NULL; - int own_md = 0, have_hpr = 0; - - if (el->discarded) - /* Should not be trying to reinitialise an EL which was discarded. */ - return 0; - - cipher_name = ossl_qrl_get_suite_cipher_name(suite_id); - iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id); - key_len = ossl_qrl_get_suite_cipher_key_len(suite_id); - hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id); - if (cipher_name == NULL) - return 0; - - if (secret_len != ossl_qrl_get_suite_secret_len(suite_id)) - return 0; - - if (md == NULL) { - md_name = ossl_qrl_get_suite_md_name(suite_id); - - if ((md = EVP_MD_fetch(qrl->libctx, - md_name, qrl->propq)) == NULL) - return 0; - - own_md = 1; - } - /* Derive "quic iv" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_iv_label, - sizeof(quic_v1_iv_label), - NULL, 0, - el->iv, iv_len, 0)) - goto err; - - /* Derive "quic key" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_key_label, - sizeof(quic_v1_key_label), - NULL, 0, - key, key_len, 0)) - goto err; - - /* Derive "quic hp" key. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - md, - secret, - quic_v1_hp_label, - sizeof(quic_v1_hp_label), - NULL, 0, - hpr_key, hpr_key_len, 0)) - goto err; - - /* Free any old context which is using old keying material. */ - if (el->cctx != NULL) { - ossl_quic_hdr_protector_destroy(&el->hpr); - EVP_CIPHER_CTX_free(el->cctx); - el->cctx = NULL; - } - - /* Setup header protection context. */ - if (!ossl_quic_hdr_protector_init(&el->hpr, - qrl->libctx, - qrl->propq, - ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id), - hpr_key, - hpr_key_len)) - goto err; - - have_hpr = 1; - - /* Create and initialise cipher context. */ - if ((cipher = EVP_CIPHER_fetch(qrl->libctx, cipher_name, - qrl->propq)) == NULL) - goto err; - - if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher)) - || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) - goto err; - - if ((cctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - - /* IV will be changed on RX so we don't need to use a real value here. */ - if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0)) - goto err; - - el->suite_id = suite_id; - el->cctx = cctx; - el->md = md; - el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id); - - /* Zeroize intermediate keys. */ - OPENSSL_cleanse(key, sizeof(key)); - OPENSSL_cleanse(hpr_key, sizeof(hpr_key)); - EVP_CIPHER_free(cipher); - return 1; +static void qrx_on_rx(QUIC_URXE *urxe, void *arg); -err: - if (have_hpr) - ossl_quic_hdr_protector_destroy(&el->hpr); - EVP_CIPHER_CTX_free(cctx); - EVP_CIPHER_free(cipher); - if (own_md) - EVP_MD_free(md); - return 0; -} - -OSSL_QRL *ossl_qrl_new(const OSSL_QRL_ARGS *args) +OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args) { - OSSL_QRL *qrl; + OSSL_QRX *qrx; size_t i; - if (args->rx_demux == NULL) + if (args->demux == NULL) return 0; - qrl = OPENSSL_zalloc(sizeof(OSSL_QRL)); - if (qrl == NULL) + qrx = OPENSSL_zalloc(sizeof(OSSL_QRX)); + if (qrx == NULL) return 0; - for (i = 0; i < OSSL_NELEM(qrl->rx_largest_pn); ++i) - qrl->rx_largest_pn[i] = args->rx_init_largest_pn[i]; + for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i) + qrx->largest_pn[i] = args->init_largest_pn[i]; - qrl->libctx = args->libctx; - qrl->propq = args->propq; - qrl->rx_demux = args->rx_demux; - qrl->short_conn_id_len = args->short_conn_id_len; - return qrl; + qrx->libctx = args->libctx; + qrx->propq = args->propq; + qrx->demux = args->demux; + qrx->short_conn_id_len = args->short_conn_id_len; + return qrx; } -static void qrl_cleanup_rxl(RXE_LIST *l) +static void qrx_cleanup_rxl(RXE_LIST *l) { RXE *e, *enext; for (e = l->head; e != NULL; e = enext) { @@ -410,82 +186,86 @@ static void qrl_cleanup_rxl(RXE_LIST *l) l->head = l->tail = NULL; } -static void qrl_cleanup_urxl(OSSL_QRL *qrl, QUIC_URXE_LIST *l) +static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l) { QUIC_URXE *e, *enext; for (e = l->head; e != NULL; e = enext) { enext = e->next; - ossl_quic_demux_release_urxe(qrl->rx_demux, e); + ossl_quic_demux_release_urxe(qrx->demux, e); } l->head = l->tail = NULL; } -void ossl_qrl_free(OSSL_QRL *qrl) +void ossl_qrx_free(OSSL_QRX *qrx) { uint32_t i; /* Unregister from the RX DEMUX. */ - ossl_quic_demux_unregister_by_cb(qrl->rx_demux, qrl_on_rx, qrl); + ossl_quic_demux_unregister_by_cb(qrx->demux, qrx_on_rx, qrx); /* Free RXE queue data. */ - qrl_cleanup_rxl(&qrl->rx_free); - qrl_cleanup_rxl(&qrl->rx_pending); - qrl_cleanup_urxl(qrl, &qrl->urx_pending); - qrl_cleanup_urxl(qrl, &qrl->urx_deferred); + qrx_cleanup_rxl(&qrx->rx_free); + qrx_cleanup_rxl(&qrx->rx_pending); + qrx_cleanup_urxl(qrx, &qrx->urx_pending); + qrx_cleanup_urxl(qrx, &qrx->urx_deferred); /* Drop keying material and crypto resources. */ - for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) { - qrl_el_discard(qrl, i, 0, 1); - qrl_el_discard(qrl, i, 1, 1); - } + for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) + ossl_qrl_enc_level_set_discard(&qrx->el_set, i, 1); - OPENSSL_free(qrl); + OPENSSL_free(qrx); } -static void qrl_on_rx(QUIC_URXE *urxe, void *arg) +static void qrx_on_rx(QUIC_URXE *urxe, void *arg) { - OSSL_QRL *qrl = arg; + OSSL_QRX *qrx = arg; /* Initialize our own fields inside the URXE and add to the pending list. */ urxe->processed = 0; urxe->hpr_removed = 0; - ossl_quic_urxe_insert_tail(&qrl->urx_pending, urxe); + ossl_quic_urxe_insert_tail(&qrx->urx_pending, urxe); } -int ossl_qrl_add_dst_conn_id(OSSL_QRL *qrl, +int ossl_qrx_add_dst_conn_id(OSSL_QRX *qrx, const QUIC_CONN_ID *dst_conn_id) { - return ossl_quic_demux_register(qrl->rx_demux, + return ossl_quic_demux_register(qrx->demux, dst_conn_id, - qrl_on_rx, - qrl); + qrx_on_rx, + qrx); } -int ossl_qrl_remove_dst_conn_id(OSSL_QRL *qrl, +int ossl_qrx_remove_dst_conn_id(OSSL_QRX *qrx, const QUIC_CONN_ID *dst_conn_id) { - return ossl_quic_demux_unregister(qrl->rx_demux, dst_conn_id); + return ossl_quic_demux_unregister(qrx->demux, dst_conn_id); } -static void qrl_requeue_deferred(OSSL_QRL *qrl) +static void qrx_requeue_deferred(OSSL_QRX *qrx) { QUIC_URXE *e; - while ((e = qrl->urx_deferred.head) != NULL) { - ossl_quic_urxe_remove(&qrl->urx_deferred, e); - ossl_quic_urxe_insert_head(&qrl->urx_pending, e); + while ((e = qrx->urx_deferred.head) != NULL) { + ossl_quic_urxe_remove(&qrx->urx_deferred, e); + ossl_quic_urxe_insert_head(&qrx->urx_pending, e); } } -int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, uint32_t enc_level, - uint32_t suite_id, - const unsigned char *secret, size_t secret_len) +int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level, + uint32_t suite_id, EVP_MD *md, + const unsigned char *secret, size_t secret_len) { - if (enc_level == QUIC_ENC_LEVEL_INITIAL || enc_level >= QUIC_ENC_LEVEL_NUM) + if (enc_level >= QUIC_ENC_LEVEL_NUM) return 0; - if (!qrl_el_set_secret(qrl, enc_level, suite_id, NULL, - /*is_tx=*/0, secret, secret_len)) + if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set, + qrx->libctx, + qrx->propq, + enc_level, + suite_id, + md, + secret, + secret_len)) return 0; /* @@ -493,137 +273,45 @@ int ossl_qrl_provide_rx_secret(OSSL_QRL *qrl, uint32_t enc_level, * decrypt, so move any datagrams containing deferred packets from the * deferred to the pending queue. */ - qrl_requeue_deferred(qrl); + qrx_requeue_deferred(qrx); return 1; } -/* Initialise key material for the INITIAL encryption level. */ -int ossl_qrl_provide_rx_secret_initial(OSSL_QRL *qrl, - const QUIC_CONN_ID *dst_conn_id) -{ - unsigned char initial_secret[32]; - unsigned char client_initial_secret[32], server_initial_secret[32]; - EVP_MD *sha256; - int have_rx = 0; - - /* Initial encryption always uses SHA-256. */ - if ((sha256 = EVP_MD_fetch(qrl->libctx, - "SHA256", qrl->propq)) == NULL) - return 0; - - /* Derive initial secret from destination connection ID. */ - if (!ossl_quic_hkdf_extract(qrl->libctx, qrl->propq, - sha256, - quic_v1_initial_salt, - sizeof(quic_v1_initial_salt), - dst_conn_id->id, - dst_conn_id->id_len, - initial_secret, - sizeof(initial_secret))) - goto err; - - /* Derive "client in" secret. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - sha256, - initial_secret, - quic_client_in_label, - sizeof(quic_client_in_label), - NULL, 0, - client_initial_secret, - sizeof(client_initial_secret), 0)) - goto err; - - /* Derive "server in" secret. */ - if (!tls13_hkdf_expand_ex(qrl->libctx, qrl->propq, - sha256, - initial_secret, - quic_server_in_label, - sizeof(quic_server_in_label), - NULL, 0, - server_initial_secret, - sizeof(server_initial_secret), 0)) - goto err; - - /* Setup RX cipher. Initial encryption always uses AES-128-GCM. */ - if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL, - QRL_SUITE_AES128GCM, - sha256, - /*is_tx=*/0, - server_initial_secret, - sizeof(server_initial_secret))) - goto err; - - have_rx = 1; - - /* - * qrl_el_set_secret takes ownership of our ref to SHA256, so get a new ref - * for the following call for the TX side. - */ - if (!EVP_MD_up_ref(sha256)) { - sha256 = NULL; - goto err; - } - - /* Setup TX cipher. */ - if (!qrl_el_set_secret(qrl, QUIC_ENC_LEVEL_INITIAL, - QRL_SUITE_AES128GCM, - sha256, - /*is_tx=*/1, - client_initial_secret, - sizeof(client_initial_secret))) - goto err; - - /* - * Any packets we previously could not decrypt, we may now be able to - * decrypt, so move any datagrams containing deferred packets from the - * deferred to the pending queue. - */ - qrl_requeue_deferred(qrl); - return 1; - -err: - if (have_rx) - qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, /*is_tx=*/0, 0); - - EVP_MD_free(sha256); - return 0; -} - -int ossl_qrl_discard_enc_level(OSSL_QRL *qrl, uint32_t enc_level) +int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level) { if (enc_level >= QUIC_ENC_LEVEL_NUM) return 0; - qrl_el_discard(qrl, enc_level, 0, 1); + ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level, 1); return 1; } /* Returns 1 if there are one or more pending RXEs. */ -int ossl_qrl_processed_read_pending(OSSL_QRL *qrl) +int ossl_qrx_processed_read_pending(OSSL_QRX *qrx) { - return qrl->rx_pending.head != NULL; + return qrx->rx_pending.head != NULL; } /* Returns 1 if there are yet-unprocessed packets. */ -int ossl_qrl_unprocessed_read_pending(OSSL_QRL *qrl) +int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx) { - return qrl->urx_pending.head != NULL || qrl->urx_deferred.head != NULL; + return qrx->urx_pending.head != NULL || qrx->urx_deferred.head != NULL; } /* Pop the next pending RXE. Returns NULL if no RXE is pending. */ -static RXE *qrl_pop_pending_rxe(OSSL_QRL *qrl) +static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx) { - RXE *rxe = qrl->rx_pending.head; + RXE *rxe = qrx->rx_pending.head; if (rxe == NULL) return NULL; - rxe_remove(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_pending, rxe); return rxe; } /* Allocate a new RXE. */ -static RXE *qrl_alloc_rxe(size_t alloc_len) +static RXE *qrx_alloc_rxe(size_t alloc_len) { RXE *rxe; @@ -647,18 +335,18 @@ static RXE *qrl_alloc_rxe(size_t alloc_len) * alloc_len is a hint which may be used to determine the RXE size if allocation * is necessary. Returns NULL on allocation failure. */ -static RXE *qrl_ensure_free_rxe(OSSL_QRL *qrl, size_t alloc_len) +static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len) { RXE *rxe; - if (qrl->rx_free.head != NULL) - return qrl->rx_free.head; + if (qrx->rx_free.head != NULL) + return qrx->rx_free.head; - rxe = qrl_alloc_rxe(alloc_len); + rxe = qrx_alloc_rxe(alloc_len); if (rxe == NULL) return NULL; - rxe_insert_tail(&qrl->rx_free, rxe); + rxe_insert_tail(&qrx->rx_free, rxe); return rxe; } @@ -667,7 +355,7 @@ static RXE *qrl_ensure_free_rxe(OSSL_QRL *qrl, size_t alloc_len) * of the RXE might change; the new address is returned, or NULL on failure, in * which case the original RXE remains valid. */ -static RXE *qrl_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) +static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) { RXE *rxe2; @@ -706,21 +394,21 @@ static RXE *qrl_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) * Ensure the data buffer attached to an RXE is at least n bytes in size. * Returns NULL on failure. */ -static RXE *qrl_reserve_rxe(RXE_LIST *rxl, +static RXE *qrx_reserve_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) { if (rxe->alloc_len >= n) return rxe; - return qrl_resize_rxe(rxl, rxe, n); + return qrx_resize_rxe(rxl, rxe, n); } /* Return a RXE handed out to the user back to our freelist. */ -static void qrl_recycle_rxe(OSSL_QRL *qrl, RXE *rxe) +static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe) { /* RXE should not be in any list */ assert(rxe->prev == NULL && rxe->next == NULL); - rxe_insert_tail(&qrl->rx_free, rxe); + rxe_insert_tail(&qrx->rx_free, rxe); } /* @@ -730,7 +418,7 @@ static void qrl_recycle_rxe(OSSL_QRL *qrl, RXE *rxe) * buffer to, and on success is updated to be the offset pointing after the * copied buffer. *pptr is updated to point to the new location of the buffer. */ -static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, +static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi, const unsigned char **pptr, size_t buf_len) { RXE *rxe; @@ -739,7 +427,7 @@ static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, if (!buf_len) return 1; - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, *prxe, *pi + buf_len)) == NULL) + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL) return 0; *prxe = rxe; @@ -751,7 +439,7 @@ static int qrl_relocate_buffer(OSSL_QRL *qrl, RXE **prxe, size_t *pi, return 1; } -static uint32_t qrl_determine_enc_level(const QUIC_PKT_HDR *hdr) +static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr) { switch (hdr->type) { case QUIC_PKT_TYPE_INITIAL: @@ -775,11 +463,11 @@ static uint32_t rxe_determine_pn_space(RXE *rxe) { uint32_t enc_level; - enc_level = qrl_determine_enc_level(&rxe->hdr); + enc_level = qrx_determine_enc_level(&rxe->hdr); return ossl_quic_enc_level_to_pn_space(enc_level); } -static int qrl_validate_hdr_early(OSSL_QRL *qrl, RXE *rxe, +static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe, RXE *first_rxe) { /* Ensure version is what we want. */ @@ -809,12 +497,12 @@ static int qrl_validate_hdr_early(OSSL_QRL *qrl, RXE *rxe, } /* Validate header and decode PN. */ -static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) +static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe) { int pn_space = rxe_determine_pn_space(rxe); if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len, - qrl->rx_largest_pn[pn_space], + qrx->largest_pn[pn_space], &rxe->pn)) return 0; @@ -822,8 +510,8 @@ static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) * Allow our user to decide whether to discard the packet before we try and * decrypt it. */ - if (qrl->rx_validation_cb != NULL - && !qrl->rx_validation_cb(rxe->pn, pn_space, qrl->rx_validation_cb_arg)) + if (qrx->validation_cb != NULL + && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg)) return 0; return 1; @@ -838,7 +526,7 @@ static int qrl_validate_hdr(OSSL_QRL *qrl, RXE *rxe) * to *dec_len on success, which will always be equal to or less than (usually * less than) src_len. */ -static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, +static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst, const unsigned char *src, size_t src_len, size_t *dec_len, const unsigned char *aad, size_t aad_len, @@ -847,13 +535,24 @@ static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, int l = 0, l2 = 0; unsigned char nonce[EVP_MAX_IV_LENGTH]; size_t nonce_len, i; - OSSL_QRL_ENC_LEVEL *el = &qrl->rx_el[enc_level]; + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); - if (src_len > INT_MAX || aad_len > INT_MAX || el->tag_len >= src_len) + if (src_len > INT_MAX || aad_len > INT_MAX) return 0; /* We should not have been called if we do not have key material. */ - if (!ossl_assert(qrl_have_el(qrl, enc_level, /*is_tx=*/0) == 1)) + if (!ossl_assert(el != NULL)) + return 0; + + if (el->tag_len >= src_len) + return 0; + + /* + * If we have failed to authenticate a certain number of ciphertexts, refuse + * to decrypt any more ciphertexts. + */ + if (el->op_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id)) return 0; /* Construct nonce (nonce=IV ^ PN). */ @@ -885,8 +584,11 @@ static int qrl_decrypt_pkt_body(OSSL_QRL *qrl, unsigned char *dst, return 0; /* Ensure authentication succeeded. */ - if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) + if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) { + /* Authentication failed, increment failed auth counter. */ + ++el->op_count; return 0; + } *dec_len = l; return 1; @@ -898,7 +600,7 @@ static ossl_inline void ignore_res(int x) } /* Process a single packet in a datagram. */ -static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, +static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, PACKET *pkt, size_t pkt_idx, RXE **first_rxe, size_t datagram_len) @@ -917,7 +619,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * Get a free RXE. If we need to allocate a new one, use the packet length * as a good ballpark figure. */ - rxe = qrl_ensure_free_rxe(qrl, PACKET_remaining(pkt)); + rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt)); if (rxe == NULL) return 0; @@ -932,7 +634,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, */ need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx); if (!ossl_quic_wire_decode_pkt_hdr(pkt, - qrl->short_conn_id_len, + qrx->short_conn_id_len, need_second_decode, &rxe->hdr, &ptrs)) goto malformed; @@ -954,7 +656,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * now skip over it if we already processed it. */ if (already_processed - || !qrl_validate_hdr_early(qrl, rxe, pkt_idx == 0 ? NULL : *first_rxe)) + || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : *first_rxe)) goto malformed; if (rxe->hdr.type == QUIC_PKT_TYPE_VERSION_NEG @@ -966,7 +668,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, */ /* Just copy the payload from the URXE to the RXE. */ - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len)) == NULL) + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL) /* * Allocation failure. EOP will be pointing to the end of the * datagram so processing of this datagram will end here. @@ -980,16 +682,16 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, rxe->hdr.data = rxe_data(rxe); /* Move RXE to pending. */ - rxe_remove(&qrl->rx_free, rxe); - rxe_insert_tail(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_free, rxe); + rxe_insert_tail(&qrx->rx_pending, rxe); return 0; /* success, did not defer */ } /* Determine encryption level of packet. */ - enc_level = qrl_determine_enc_level(&rxe->hdr); + enc_level = qrx_determine_enc_level(&rxe->hdr); /* If we do not have keying material for this encryption level yet, defer. */ - switch (qrl_have_el(qrl, enc_level, /*is_tx=*/0)) { + switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) { case 1: /* We have keys. */ break; @@ -1019,7 +721,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * Relocate token buffer and fix pointer. */ if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL - && !qrl_relocate_buffer(qrl, &rxe, &i, &rxe->hdr.token, + && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token, rxe->hdr.token_len)) goto malformed; @@ -1027,7 +729,11 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, *pkt = orig_pkt; if (need_second_decode) { - if (!ossl_quic_hdr_protector_decrypt(&qrl->rx_el[enc_level].hpr, &ptrs)) + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1); + + assert(el != NULL); /* Already checked above */ + if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs)) goto malformed; /* @@ -1037,13 +743,13 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, pkt_mark(&urxe->hpr_removed, pkt_idx); /* Decode the now unprotected header. */ - if (ossl_quic_wire_decode_pkt_hdr(pkt, qrl->short_conn_id_len, + if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len, 0, &rxe->hdr, NULL) != 1) goto malformed; } /* Validate header and decode PN. */ - if (!qrl_validate_hdr(qrl, rxe)) + if (!qrx_validate_hdr(qrx, rxe)) goto malformed; /* @@ -1051,7 +757,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * HANDSHAKE packet. */ if (enc_level == QUIC_ENC_LEVEL_HANDSHAKE) - qrl_el_discard(qrl, QUIC_ENC_LEVEL_INITIAL, 0, 1); + ossl_qrl_enc_level_set_discard(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL, 1); /* * The AAD data is the entire (unprotected) packet header including the PN. @@ -1061,7 +767,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, aad_len = rxe->hdr.data - sop; /* Ensure the RXE buffer size is adequate for our payload. */ - if ((rxe = qrl_reserve_rxe(&qrl->rx_free, rxe, rxe->hdr.len + i)) == NULL) { + if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) { /* * Allocation failure, treat as malformed and do not bother processing * any further packets in the datagram as they are likely to also @@ -1085,7 +791,7 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, * corrupted. */ dst = (unsigned char *)rxe_data(rxe) + i; - if (!qrl_decrypt_pkt_body(qrl, dst, rxe->hdr.data, rxe->hdr.len, + if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len, &dec_len, sop, aad_len, rxe->pn, enc_level)) goto malformed; @@ -1117,16 +823,16 @@ static int qrl_process_pkt(OSSL_QRL *qrl, QUIC_URXE *urxe, /* We processed the PN successfully, so update largest processed PN. */ pn_space = rxe_determine_pn_space(rxe); - if (rxe->pn > qrl->rx_largest_pn[pn_space]) - qrl->rx_largest_pn[pn_space] = rxe->pn; + if (rxe->pn > qrx->largest_pn[pn_space]) + qrx->largest_pn[pn_space] = rxe->pn; /* Copy across network addresses from URXE to RXE. */ rxe->peer = urxe->peer; rxe->local = urxe->local; /* Move RXE to pending. */ - rxe_remove(&qrl->rx_free, rxe); - rxe_insert_tail(&qrl->rx_pending, rxe); + rxe_remove(&qrx->rx_free, rxe); + rxe_insert_tail(&qrx->rx_pending, rxe); return 0; /* success, did not defer; not distinguished from failure */ cannot_decrypt: @@ -1175,7 +881,7 @@ malformed: } /* Process a datagram which was received. */ -static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, +static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e, const unsigned char *data, size_t data_len) { @@ -1184,7 +890,7 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, size_t pkt_idx = 0; RXE *first_rxe = NULL; - qrl->bytes_received += data_len; + qrx->bytes_received += data_len; if (!PACKET_buf_init(&pkt, data, data_len)) return 0; @@ -1209,10 +915,10 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, * we should still try to process any packets following it. * * In the case where the packet is so malformed we can't determine its - * lenngth, qrl_process_pkt will take care of advancing to the end of + * lenngth, qrx_process_pkt will take care of advancing to the end of * the packet, so we will exit the loop automatically in this case. */ - if (qrl_process_pkt(qrl, e, &pkt, pkt_idx, &first_rxe, data_len)) + if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_rxe, data_len)) have_deferred = 1; } @@ -1221,12 +927,12 @@ static int qrl_process_datagram(OSSL_QRL *qrl, QUIC_URXE *e, } /* Process a single pending URXE. */ -static int qrl_process_one_urxl(OSSL_QRL *qrl, QUIC_URXE *e) +static int qrx_process_one_urxl(OSSL_QRX *qrx, QUIC_URXE *e) { int was_deferred; /* The next URXE we process should be at the head of the pending list. */ - if (!ossl_assert(e == qrl->urx_pending.head)) + if (!ossl_assert(e == qrx->urx_pending.head)) return 0; /* @@ -1235,47 +941,47 @@ static int qrl_process_one_urxl(OSSL_QRL *qrl, QUIC_URXE *e) * datagram, we do not attempt to process it again and silently eat the * error. */ - was_deferred = qrl_process_datagram(qrl, e, ossl_quic_urxe_data(e), + was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e), e->data_len); /* * Remove the URXE from the pending list and return it to * either the free or deferred list. */ - ossl_quic_urxe_remove(&qrl->urx_pending, e); + ossl_quic_urxe_remove(&qrx->urx_pending, e); if (was_deferred > 0) - ossl_quic_urxe_insert_tail(&qrl->urx_deferred, e); + ossl_quic_urxe_insert_tail(&qrx->urx_deferred, e); else - ossl_quic_demux_release_urxe(qrl->rx_demux, e); + ossl_quic_demux_release_urxe(qrx->demux, e); return 1; } /* Process any pending URXEs to generate pending RXEs. */ -static int qrl_process_urxl(OSSL_QRL *qrl) +static int qrx_process_urxl(OSSL_QRX *qrx) { QUIC_URXE *e; - while ((e = qrl->urx_pending.head) != NULL) - if (!qrl_process_one_urxl(qrl, e)) + while ((e = qrx->urx_pending.head) != NULL) + if (!qrx_process_one_urxl(qrx, e)) return 0; return 1; } -int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt) +int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt) { RXE *rxe; - if (!ossl_qrl_processed_read_pending(qrl)) { - if (!qrl_process_urxl(qrl)) + if (!ossl_qrx_processed_read_pending(qrx)) { + if (!qrx_process_urxl(qrx)) return 0; - if (!ossl_qrl_processed_read_pending(qrl)) + if (!ossl_qrx_processed_read_pending(qrx)) return 0; } - rxe = qrl_pop_pending_rxe(qrl); + rxe = qrx_pop_pending_rxe(qrx); if (!ossl_assert(rxe != NULL)) return 0; @@ -1288,28 +994,47 @@ int ossl_qrl_read_pkt(OSSL_QRL *qrl, OSSL_QRL_RX_PKT *pkt) return 1; } -void ossl_qrl_release_pkt(OSSL_QRL *qrl, void *handle) +void ossl_qrx_release_pkt(OSSL_QRX *qrx, void *handle) { RXE *rxe = handle; - qrl_recycle_rxe(qrl, rxe); + qrx_recycle_rxe(qrx, rxe); } -uint64_t ossl_qrl_get_bytes_received(OSSL_QRL *qrl, int clear) +uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear) { - uint64_t v = qrl->bytes_received; + uint64_t v = qrx->bytes_received; if (clear) - qrl->bytes_received = 0; + qrx->bytes_received = 0; return v; } -int ossl_qrl_set_early_rx_validation_cb(OSSL_QRL *qrl, - ossl_qrl_early_rx_validation_cb *cb, - void *cb_arg) +int ossl_qrx_set_early_validation_cb(OSSL_QRX *qrx, + ossl_qrx_early_validation_cb *cb, + void *cb_arg) { - qrl->rx_validation_cb = cb; - qrl->rx_validation_cb_arg = cb_arg; + qrx->validation_cb = cb; + qrx->validation_cb_arg = cb_arg; return 1; } + +uint64_t ossl_qrx_get_cur_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); + + return el == NULL ? UINT64_MAX : el->op_count; +} + +uint64_t ossl_qrx_get_max_epoch_forged_pkt_count(OSSL_QRX *qrx, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, + enc_level, 1); + + return el == NULL ? UINT64_MAX + : ossl_qrl_get_suite_max_forged_pkt(el->suite_id); +} diff --git a/ssl/quic/quic_record_shared.c b/ssl/quic/quic_record_shared.c new file mode 100644 index 0000000000..f5f06e26dd --- /dev/null +++ b/ssl/quic/quic_record_shared.c @@ -0,0 +1,209 @@ +#include "quic_record_shared.h" +#include "internal/quic_record_util.h" +#include "internal/common.h" +#include "../ssl_local.h" + +/* Constants used for key derivation in QUIC v1. */ +static const unsigned char quic_v1_iv_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */ +}; +static const unsigned char quic_v1_key_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */ +}; +static const unsigned char quic_v1_hp_label[] = { + 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */ +}; + +OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int require_valid) +{ + OSSL_QRL_ENC_LEVEL *el; + + if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM)) + return NULL; + + el = &els->el[enc_level]; + + if (require_valid && (el->cctx == NULL || el->discarded)) + return NULL; + + return el; +} + +int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + + if (el == NULL) + return 0; + if (el->cctx != NULL) + return 1; + if (el->discarded) + return -1; + return 0; +} + +/* + * Sets up cryptographic state for a given encryption level and direction by + * deriving "quic iv", "quic key" and "quic hp" values from a given secret. + * + * md is a hash function used for key derivation. If it is NULL, this function + * fetches the necessary hash function itself. If it is non-NULL, this function + * can reuse the caller's reference to a suitable EVP_MD; the EVP_MD provided + * must match the suite. + * + * On success where md is non-NULL, takes ownership of the caller's reference to + * md. + */ +int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els, + OSSL_LIB_CTX *libctx, + const char *propq, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + unsigned char key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH]; + size_t key_len = 0, hpr_key_len = 0, iv_len = 0; + const char *cipher_name = NULL, *md_name = NULL; + EVP_CIPHER *cipher = NULL; + EVP_CIPHER_CTX *cctx = NULL; + int own_md = 0, have_hpr = 0; + + if (el == NULL || el->discarded) + /* Should not be trying to reinitialise an EL which was discarded. */ + return 0; + + cipher_name = ossl_qrl_get_suite_cipher_name(suite_id); + iv_len = ossl_qrl_get_suite_cipher_iv_len(suite_id); + key_len = ossl_qrl_get_suite_cipher_key_len(suite_id); + hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id); + if (cipher_name == NULL) + return 0; + + if (secret_len != ossl_qrl_get_suite_secret_len(suite_id)) + return 0; + + if (md == NULL) { + md_name = ossl_qrl_get_suite_md_name(suite_id); + + if ((md = EVP_MD_fetch(libctx, md_name, propq)) == NULL) + return 0; + + own_md = 1; + } + + /* Derive "quic iv" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_iv_label, + sizeof(quic_v1_iv_label), + NULL, 0, + el->iv, iv_len, 0)) + goto err; + + /* Derive "quic key" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_key_label, + sizeof(quic_v1_key_label), + NULL, 0, + key, key_len, 0)) + goto err; + + /* Derive "quic hp" key. */ + if (!tls13_hkdf_expand_ex(libctx, propq, + md, + secret, + quic_v1_hp_label, + sizeof(quic_v1_hp_label), + NULL, 0, + hpr_key, hpr_key_len, 0)) + goto err; + + /* Free any old context which is using old keying material. */ + if (el->cctx != NULL) { + ossl_quic_hdr_protector_destroy(&el->hpr); + EVP_CIPHER_CTX_free(el->cctx); + el->cctx = NULL; + } + + /* Setup header protection context. */ + if (!ossl_quic_hdr_protector_init(&el->hpr, + libctx, + propq, + ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id), + hpr_key, + hpr_key_len)) + goto err; + + have_hpr = 1; + + /* Create and initialise cipher context. */ + if ((cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq)) == NULL) + goto err; + + if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher)) + || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) + goto err; + + if ((cctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + + /* IV will be changed on RX/TX so we don't need to use a real value here. */ + if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv, 0)) + goto err; + + el->suite_id = suite_id; + el->cctx = cctx; + el->md = md; + el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id); + el->op_count = 0; + + /* Zeroize intermediate keys. */ + OPENSSL_cleanse(key, sizeof(key)); + OPENSSL_cleanse(hpr_key, sizeof(hpr_key)); + EVP_CIPHER_free(cipher); + return 1; + +err: + if (have_hpr) + ossl_quic_hdr_protector_destroy(&el->hpr); + EVP_CIPHER_CTX_free(cctx); + EVP_CIPHER_free(cipher); + if (own_md) + EVP_MD_free(md); + return 0; +} + +/* Drops keying material for a given encryption level. */ +void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, int is_final) +{ + OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); + + if (el == NULL || el->discarded) + return; + + if (el->cctx != NULL) { + ossl_quic_hdr_protector_destroy(&el->hpr); + + EVP_CIPHER_CTX_free(el->cctx); + el->cctx = NULL; + + EVP_MD_free(el->md); + el->md = NULL; + } + + /* Zeroise IV. */ + OPENSSL_cleanse(el->iv, sizeof(el->iv)); + + if (is_final) + el->discarded = 1; +} diff --git a/ssl/quic/quic_record_shared.h b/ssl/quic/quic_record_shared.h new file mode 100644 index 0000000000..40f05997df --- /dev/null +++ b/ssl/quic/quic_record_shared.h @@ -0,0 +1,86 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_RECORD_SHARED_H +# define OSSL_QUIC_RECORD_SHARED_H + +# include +# include "internal/quic_types.h" +# include "internal/quic_wire_pkt.h" + +/* + * QUIC Record Layer EL Management Utilities + * ========================================= + * + * This defines a structure for managing the cryptographic state at a given + * encryption level, as this functionality is shared between QRX and QTX. For + * QRL use only. + */ +typedef struct ossl_qrl_enc_level_st { + /* Hash function used for key derivation. */ + EVP_MD *md; + /* Context used for packet body ciphering. */ + EVP_CIPHER_CTX *cctx; + /* IV used to construct nonces used for AEAD packet body ciphering. */ + unsigned char iv[EVP_MAX_IV_LENGTH]; + /* Have we permanently discarded this encryption level? */ + unsigned char discarded; + /* QRL_SUITE_* value. */ + uint32_t suite_id; + /* Length of authentication tag. */ + uint32_t tag_len; + /* + * Cryptographic context used to apply and remove header protection from + * packet headers. + */ + QUIC_HDR_PROTECTOR hpr; + /* Usage counter. The caller maintains this. */ + uint64_t op_count; +} OSSL_QRL_ENC_LEVEL; + +typedef struct ossl_qrl_enc_level_set_st { + OSSL_QRL_ENC_LEVEL el[QUIC_ENC_LEVEL_NUM]; +} OSSL_QRL_ENC_LEVEL_SET; + +/* + * Returns 1 if we have key material for a given encryption level, 0 if we do + * not yet have material and -1 if the EL is discarded. + */ +int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level); + +/* + * Returns EL in a set. If enc_level is not a valid QUIC_ENC_LEVEL_* value, + * returns NULL. If require_valid is 1, returns NULL if the EL is not + * provisioned or has been discarded; otherwise, the returned EL may be + * unprovisioned or discarded. + */ +OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int require_valid); + +/* Provide secret to an EL. md may be NULL. */ +int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els, + OSSL_LIB_CTX *libctx, + const char *propq, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len); + +/* + * Discard an EL. If is_final is non-zero, no secret can be provided for the EL + * ever again. + */ +void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els, + uint32_t enc_level, + int is_final); + +#endif diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c new file mode 100644 index 0000000000..8bd5fffc53 --- /dev/null +++ b/ssl/quic/quic_record_tx.c @@ -0,0 +1,906 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/quic_record_tx.h" +#include "internal/bio_addr.h" +#include "internal/common.h" +#include "quic_record_shared.h" +#include "../ssl_local.h" + +/* + * TXE + * === + * Encrypted packets awaiting transmission are kept in TX Entries (TXEs), which + * are queued in linked lists just like TXEs. + */ +typedef struct txe_st TXE; + +struct txe_st { + TXE *prev, *next; + size_t data_len, alloc_len; + + /* + * Destination and local addresses, as applicable. Both of these are only + * used if the family is not AF_UNSPEC. + */ + BIO_ADDR peer, local; + + /* + * alloc_len allocated bytes (of which data_len bytes are valid) follow this + * structure. + */ +}; + +static ossl_inline unsigned char *txe_data(const TXE *e) +{ + return (unsigned char *)(e + 1); +} + +typedef struct txe_list_st { + TXE *head, *tail; +} TXE_LIST; + +static void txe_remove(TXE_LIST *l, TXE *e) +{ + if (e->prev != NULL) + e->prev->next = e->next; + if (e->next != NULL) + e->next->prev = e->prev; + + if (e == l->head) + l->head = e->next; + if (e == l->tail) + l->tail = e->prev; + + e->next = e->prev = NULL; +} + +static void txe_insert_tail(TXE_LIST *l, TXE *e) +{ + if (l->tail == NULL) { + l->head = l->tail = e; + e->next = e->prev = NULL; + return; + } + + l->tail->next = e; + e->prev = l->tail; + e->next = NULL; + l->tail = e; +} + +/* + * QTX + * === + */ + +/* (Encryption level, direction)-specific state. */ +typedef struct ossl_qtx_enc_level_st { + /* Hash function used for key derivation. */ + EVP_MD *md; + /* Context used for packet body ciphering. */ + EVP_CIPHER_CTX *cctx; + /* IV used to construct nonces used for AEAD packet body ciphering. */ + unsigned char iv[EVP_MAX_IV_LENGTH]; + /* Have we permanently discarded this encryption level? */ + unsigned char discarded; + /* QTX_SUITE_* value. */ + uint32_t suite_id; + /* Length of authentication tag. */ + uint32_t tag_len; + /* + * Cryptographic context used to apply and remove header protection from + * packet headers. + */ + QUIC_HDR_PROTECTOR hpr; +} OSSL_QTX_ENC_LEVEL; + +struct ossl_qtx_st { + OSSL_LIB_CTX *libctx; + const char *propq; + + /* Per encryption-level state. */ + OSSL_QRL_ENC_LEVEL_SET el_set; + + /* TX BIO. */ + BIO *bio; + + /* TX maximum datagram payload length. */ + size_t mdpl; + + /* + * List of TXEs which are not currently in use. These are moved to the + * pending list (possibly via tx_cons first) as they are filled. + */ + TXE_LIST free; + + /* + * List of TXEs which are filled with completed datagrams ready to be + * transmitted. + */ + TXE_LIST pending; + size_t pending_count; /* items in list */ + size_t pending_bytes; /* sum(txe->data_len) in pending */ + + /* + * TXE which is under construction for coalescing purposes, if any. + * This TXE is neither on the free nor pending list. Once the datagram + * is completed, it is moved to the pending list. + */ + TXE *cons; + size_t cons_count; /* num packets */ +}; + +/* Instantiates a new QTX. */ +OSSL_QTX *ossl_qtx_new(const OSSL_QTX_ARGS *args) +{ + OSSL_QTX *qtx; + + qtx = OPENSSL_zalloc(sizeof(OSSL_QTX)); + if (qtx == NULL) + return 0; + + if (args->bio != NULL && !BIO_up_ref(args->bio)) { + OPENSSL_free(qtx); + return 0; + } + + qtx->libctx = args->libctx; + qtx->propq = args->propq; + qtx->bio = args->bio; + qtx->mdpl = args->mdpl; + return qtx; +} + +static void qtx_cleanup_txl(TXE_LIST *l) +{ + TXE *e, *enext; + for (e = l->head; e != NULL; e = enext) { + enext = e->next; + OPENSSL_free(e); + } + l->head = l->tail = NULL; +} + +/* Frees the QTX. */ +void ossl_qtx_free(OSSL_QTX *qtx) +{ + uint32_t i; + + /* Free TXE queue data. */ + qtx_cleanup_txl(&qtx->pending); + qtx_cleanup_txl(&qtx->free); + + /* Drop keying material and crypto resources. */ + for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) + ossl_qrl_enc_level_set_discard(&qtx->el_set, i, 1); + + OPENSSL_free(qtx); +} + +int ossl_qtx_provide_secret(OSSL_QTX *qtx, + uint32_t enc_level, + uint32_t suite_id, + EVP_MD *md, + const unsigned char *secret, + size_t secret_len) +{ + if (enc_level >= QUIC_ENC_LEVEL_NUM) + return 0; + + return ossl_qrl_enc_level_set_provide_secret(&qtx->el_set, + qtx->libctx, + qtx->propq, + enc_level, + suite_id, + md, + secret, + secret_len); +} + +int ossl_qtx_discard_enc_level(OSSL_QTX *qtx, uint32_t enc_level) +{ + if (enc_level >= QUIC_ENC_LEVEL_NUM) + return 0; + + ossl_qrl_enc_level_set_discard(&qtx->el_set, enc_level, 1); + return 1; +} + +/* Allocate a new TXE. */ +static TXE *qtx_alloc_txe(size_t alloc_len) +{ + TXE *txe; + + if (alloc_len >= SIZE_MAX - sizeof(TXE)) + return NULL; + + txe = OPENSSL_malloc(sizeof(TXE) + alloc_len); + if (txe == NULL) + return NULL; + + txe->prev = txe->next = NULL; + txe->alloc_len = alloc_len; + txe->data_len = 0; + return txe; +} + +/* + * Ensures there is at least one TXE in the free list, allocating a new entry + * if necessary. The returned TXE is in the free list; it is not popped. + * + * alloc_len is a hint which may be used to determine the TXE size if allocation + * is necessary. Returns NULL on allocation failure. + */ +static TXE *qtx_ensure_free_txe(OSSL_QTX *qtx, size_t alloc_len) +{ + TXE *txe; + + if (qtx->free.head != NULL) + return qtx->free.head; + + txe = qtx_alloc_txe(alloc_len); + if (txe == NULL) + return NULL; + + txe_insert_tail(&qtx->free, txe); + return txe; +} + +/* + * Resize the data buffer attached to an TXE to be n bytes in size. The address + * of the TXE might change; the new address is returned, or NULL on failure, in + * which case the original TXE remains valid. + */ +static TXE *qtx_resize_txe(OSSL_QTX *qtx, TXE_LIST *txl, TXE *txe, size_t n) +{ + TXE *txe2; + + /* Should never happen. */ + if (txe == NULL) + return NULL; + + if (n >= SIZE_MAX - sizeof(TXE)) + return NULL; + + /* + * NOTE: We do not clear old memory, although it does contain decrypted + * data. + */ + txe2 = OPENSSL_realloc(txe, sizeof(TXE) + n); + if (txe2 == NULL) + /* original TXE is still in tact unchanged */ + return NULL; + + if (txl != NULL && txe != txe2) { + if (txl->head == txe) + txl->head = txe2; + if (txl->tail == txe) + txl->tail = txe2; + if (txe->prev != NULL) + txe->prev->next = txe2; + if (txe->next != NULL) + txe->next->prev = txe2; + } + + if (qtx->cons == txe) + qtx->cons = txe2; + + txe2->alloc_len = n; + return txe2; +} + +/* + * Ensure the data buffer attached to an TXE is at least n bytes in size. + * Returns NULL on failure. + */ +static TXE *qtx_reserve_txe(OSSL_QTX *qtx, TXE_LIST *txl, + TXE *txe, size_t n) +{ + if (txe->alloc_len >= n) + return txe; + + return qtx_resize_txe(qtx, txl, txe, n); +} + +/* Move a TXE from pending to free. */ +static void qtx_pending_to_free(OSSL_QTX *qtx) +{ + TXE *txe = qtx->pending.head; + + assert(txe != NULL); + txe_remove(&qtx->pending, txe); + --qtx->pending_count; + qtx->pending_bytes -= txe->data_len; + txe_insert_tail(&qtx->free, txe); +} + +/* Add a TXE not currently in any list to the pending list. */ +static void qtx_add_to_pending(OSSL_QTX *qtx, TXE *txe) +{ + txe_insert_tail(&qtx->pending, txe); + ++qtx->pending_count; + qtx->pending_bytes += txe->data_len; +} + +struct iovec_cur { + const OSSL_QTX_IOVEC *iovec; + size_t num_iovec, idx, byte_off, bytes_remaining; +}; + +static size_t iovec_total_bytes(const OSSL_QTX_IOVEC *iovec, + size_t num_iovec) +{ + size_t i, l = 0; + + for (i = 0; i < num_iovec; ++i) + l += iovec[i].buf_len; + + return l; +} + +static void iovec_cur_init(struct iovec_cur *cur, + const OSSL_QTX_IOVEC *iovec, + size_t num_iovec) +{ + cur->iovec = iovec; + cur->num_iovec = num_iovec; + cur->idx = 0; + cur->byte_off = 0; + cur->bytes_remaining = iovec_total_bytes(iovec, num_iovec); +} + +/* + * Get an extent of bytes from the iovec cursor. *buf is set to point to the + * buffer and the number of bytes in length of the buffer is returned. This + * value may be less than the max_buf_len argument. If no more data is + * available, returns 0. + */ +static size_t iovec_cur_get_buffer(struct iovec_cur *cur, + const unsigned char **buf, + size_t max_buf_len) +{ + size_t l; + + if (max_buf_len == 0) { + *buf = NULL; + return 0; + } + + for (;;) { + if (cur->idx >= cur->num_iovec) + return 0; + + l = cur->iovec[cur->idx].buf_len - cur->byte_off; + if (l > max_buf_len) + l = max_buf_len; + + if (l > 0) { + *buf = cur->iovec[cur->idx].buf + cur->byte_off; + cur->byte_off += l; + cur->bytes_remaining -= l; + return l; + } + + /* + * Zero-length iovec entry or we already consumed all of it, try the + * next iovec. + */ + ++cur->idx; + cur->byte_off = 0; + } +} + +/* Determines the size of the AEAD output given the input size. */ +static size_t qtx_inflate_payload_len(OSSL_QTX *qtx, uint32_t enc_level, + size_t plaintext_len) +{ + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + + assert(el != NULL); /* Already checked by caller. */ + + /* + * We currently only support ciphers with a 1:1 mapping between plaintext + * and ciphertext size, save for authentication tag. + */ + return plaintext_len + ossl_qrl_get_suite_cipher_tag_len(el->suite_id); +} + +/* Any other error (including packet being too big for MDPL). */ +#define QTX_FAIL_GENERIC (-1) + +/* + * Returned where there is insufficient room in the datagram to write the + * packet. + */ +#define QTX_FAIL_INSUFFICIENT_LEN (-2) + +static int qtx_write_hdr(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe, + QUIC_PKT_HDR_PTRS *ptrs) +{ + WPACKET wpkt; + size_t l = 0; + + if (!WPACKET_init_static_len(&wpkt, txe_data(txe) + txe->data_len, + txe->alloc_len - txe->data_len, 0)) + return 0; + + if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, pkt->hdr->src_conn_id.id_len, + pkt->hdr, ptrs) + || !WPACKET_get_total_written(&wpkt, &l)) { + WPACKET_finish(&wpkt); + return 0; + } + + txe->data_len += l; + WPACKET_finish(&wpkt); + return 1; +} + +static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe, + uint32_t enc_level, QUIC_PN pn, + const unsigned char *hdr, size_t hdr_len, + QUIC_PKT_HDR_PTRS *ptrs) +{ + int l = 0, l2 = 0; + OSSL_QRL_ENC_LEVEL *el + = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + unsigned char nonce[EVP_MAX_IV_LENGTH]; + size_t nonce_len, i; + + /* We should not have been called if we do not have key material. */ + if (!ossl_assert(el != NULL)) + return 0; + + /* + * Have we already encrypted the maximum number of packets using the current + * key? + */ + if (el->op_count >= ossl_qrl_get_suite_max_pkt(el->suite_id)) + return 0; + + /* Construct nonce (nonce=IV ^ PN). */ + nonce_len = EVP_CIPHER_CTX_get_iv_length(el->cctx); + if (!ossl_assert(nonce_len >= sizeof(QUIC_PN))) + return 0; + + memcpy(nonce, el->iv, nonce_len); + for (i = 0; i < sizeof(QUIC_PN); ++i) + nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8)); + + /* type and key will already have been setup; feed the IV. */ + if (EVP_CipherInit_ex(el->cctx, NULL, NULL, NULL, nonce, /*enc=*/1) != 1) + return 0; + + /* Feed AAD data. */ + if (EVP_CipherUpdate(el->cctx, NULL, &l, hdr, hdr_len) != 1) + return 0; + + /* Encrypt plaintext directly into TXE. */ + for (;;) { + const unsigned char *src; + size_t src_len; + + src_len = iovec_cur_get_buffer(cur, &src, SIZE_MAX); + if (src_len == 0) + break; + + if (EVP_CipherUpdate(el->cctx, txe_data(txe) + txe->data_len, + &l, src, src_len) != 1) + return 0; + + assert(l > 0 && src_len == (size_t)l); + txe->data_len += src_len; + } + + /* Finalise and get tag. */ + if (EVP_CipherFinal_ex(el->cctx, NULL, &l2) != 1) + return 0; + + if (EVP_CIPHER_CTX_ctrl(el->cctx, EVP_CTRL_AEAD_GET_TAG, + el->tag_len, txe_data(txe) + txe->data_len) != 1) + return 0; + + txe->data_len += el->tag_len; + + /* Apply header protection. */ + if (!ossl_quic_hdr_protector_encrypt(&el->hpr, ptrs)) + return 0; + + ++el->op_count; + return 1; +} + +/* + * Append a packet to the TXE buffer, serializing and encrypting it in the + * process. + */ +static int qtx_write(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt, TXE *txe, + uint32_t enc_level) +{ + int ret, needs_encrypt; + size_t hdr_len, pred_hdr_len, payload_len, pkt_len, space_left; + size_t min_len, orig_data_len; + struct iovec_cur cur; + QUIC_PKT_HDR_PTRS ptrs; + unsigned char *hdr_start; + + /* + * Determine if the packet needs encryption and the minimum conceivable + * serialization length. + */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) { + needs_encrypt = 0; + min_len = QUIC_MIN_VALID_PKT_LEN; + } else { + needs_encrypt = 1; + min_len = QUIC_MIN_VALID_PKT_LEN_CRYPTO; + } + + orig_data_len = txe->data_len; + space_left = txe->alloc_len - txe->data_len; + if (space_left < min_len) { + /* Not even a possibility of it fitting. */ + ret = QTX_FAIL_INSUFFICIENT_LEN; + goto err; + } + + /* Walk the iovecs to determine actual input payload length. */ + iovec_cur_init(&cur, pkt->iovec, pkt->num_iovec); + + /* Determine encrypted payload length. */ + payload_len = needs_encrypt ? qtx_inflate_payload_len(qtx, enc_level, + cur.bytes_remaining) + : cur.bytes_remaining; + + /* Determine header length. */ + pkt->hdr->data = NULL; + pkt->hdr->len = payload_len; + pred_hdr_len = ossl_quic_wire_get_encoded_pkt_hdr_len(pkt->hdr->src_conn_id.id_len, + pkt->hdr); + if (pred_hdr_len == 0) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + /* We now definitively know our packet length. */ + pkt_len = pred_hdr_len + payload_len; + + if (pkt_len > space_left) { + ret = QTX_FAIL_INSUFFICIENT_LEN; + goto err; + } + + /* Set some fields in the header we are responsible for. */ + pkt->hdr->key_phase = 0; /* TODO */ + if (!ossl_quic_wire_encode_pkt_hdr_pn(pkt->pn, + pkt->hdr->pn, + pkt->hdr->pn_len)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + /* Append the header to the TXE. */ + hdr_start = txe_data(txe) + txe->data_len; + if (!qtx_write_hdr(qtx, pkt, txe, &ptrs)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + hdr_len = (txe_data(txe) + txe->data_len) - hdr_start; + assert(hdr_len == pred_hdr_len); + + if (!needs_encrypt) { + /* Just copy the payload across. */ + const unsigned char *src; + size_t src_len; + + for (;;) { + /* Buffer length has already been checked above. */ + src_len = iovec_cur_get_buffer(&cur, &src, SIZE_MAX); + if (src_len == 0) + break; + + memcpy(txe_data(txe) + txe->data_len, src, src_len); + txe->data_len += src_len; + } + } else { + /* Encrypt into TXE. */ + if (!qtx_encrypt_into_txe(qtx, &cur, txe, enc_level, pkt->pn, + hdr_start, hdr_len, &ptrs)) { + ret = QTX_FAIL_GENERIC; + goto err; + } + + assert(txe->data_len - orig_data_len == pkt_len); + } + + return 1; + +err: + /* + * Restore original length so we don't leave a half-written packet in the + * TXE. + */ + txe->data_len = orig_data_len; + return ret; +} + +static TXE *qtx_ensure_cons(OSSL_QTX *qtx) +{ + TXE *txe = qtx->cons; + + if (txe != NULL) + return txe; + + txe = qtx_ensure_free_txe(qtx, qtx->mdpl); + if (txe == NULL) + return NULL; + + txe_remove(&qtx->free, txe); + qtx->cons = txe; + qtx->cons_count = 0; + txe->data_len = 0; + return txe; +} + +static int addr_eq(const BIO_ADDR *a, const BIO_ADDR *b) +{ + return ((a == NULL || BIO_ADDR_family(a) == AF_UNSPEC) + && (b == NULL || BIO_ADDR_family(b) == AF_UNSPEC)) + || (a != NULL && b != NULL && memcmp(a, b, sizeof(*a)) == 0); +} + +int ossl_qtx_write_pkt(OSSL_QTX *qtx, const OSSL_QTX_PKT *pkt) +{ + int ret; + int coalescing = (pkt->flags & OSSL_QTX_PKT_FLAG_COALESCE) != 0; + int was_coalescing; + TXE *txe; + uint32_t enc_level; + + /* Must have EL configured, must have header. */ + if (pkt->hdr == NULL) + return 0; + + enc_level = ossl_quic_pkt_type_to_enc_level(pkt->hdr->type); + + /* Some packet types must be in a packet all by themselves. */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) + ossl_qtx_finish_dgram(qtx); + else if (enc_level >= QUIC_ENC_LEVEL_NUM + || ossl_qrl_enc_level_set_have_el(&qtx->el_set, enc_level) != 1) + /* All other packet types are encrypted. */ + return 0; + + was_coalescing = (qtx->cons != NULL && qtx->cons->data_len > 0); + if (was_coalescing) + if (!addr_eq(&qtx->cons->peer, pkt->peer) + || !addr_eq(&qtx->cons->local, pkt->local)) { + /* Must stop coalescing if addresses have changed */ + ossl_qtx_finish_dgram(qtx); + was_coalescing = 0; + } + + for (;;) { + /* + * Start a new coalescing session or continue using the existing one and + * serialize/encrypt the packet. We always encrypt packets as soon as + * our caller gives them to us, which relieves the caller of any need to + * keep the plaintext around. + */ + txe = qtx_ensure_cons(qtx); + if (txe == NULL) + return 0; /* allocation failure */ + + /* + * Ensure TXE has at least MDPL bytes allocated. This should only be + * possible if the MDPL has increased. + */ + if (!qtx_reserve_txe(qtx, NULL, txe, qtx->mdpl)) + return 0; + + if (!was_coalescing) { + /* Set addresses in TXE. */ + if (pkt->peer != NULL) + txe->peer = *pkt->peer; + else + BIO_ADDR_clear(&txe->peer); + + if (pkt->local != NULL) + txe->local = *pkt->local; + else + BIO_ADDR_clear(&txe->local); + } + + ret = qtx_write(qtx, pkt, txe, enc_level); + if (ret == 1) { + break; + } else if (ret == QTX_FAIL_INSUFFICIENT_LEN) { + if (was_coalescing) { + /* + * We failed due to insufficient length, so end the current + * datagram and try again. + */ + ossl_qtx_finish_dgram(qtx); + was_coalescing = 0; + } else { + /* + * We failed due to insufficient length, but we were not + * coalescing/started with an empty datagram, so any future + * attempt to write this packet must also fail. + */ + return 0; + } + } else { + return 0; /* other error */ + } + } + + ++qtx->cons_count; + + /* + * Some packet types cannot have another packet come after them. + */ + if (pkt->hdr->type == QUIC_PKT_TYPE_RETRY + || pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG + || pkt->hdr->type == QUIC_PKT_TYPE_1RTT) + coalescing = 0; + + if (!coalescing) + ossl_qtx_finish_dgram(qtx); + + return 1; +} + +/* + * Finish any incomplete datagrams for transmission which were flagged for + * coalescing. If there is no current coalescing datagram, this is a no-op. + */ +void ossl_qtx_finish_dgram(OSSL_QTX *qtx) +{ + TXE *txe = qtx->cons; + + if (txe == NULL) + return; + + if (txe->data_len == 0) + /* + * If we did not put anything in the datagram, just move it back to the + * free list. + */ + txe_insert_tail(&qtx->free, txe); + else + qtx_add_to_pending(qtx, txe); + + qtx->cons = NULL; + qtx->cons_count = 0; +} + +static void txe_to_msg(TXE *txe, BIO_MSG *msg) +{ + msg->data = txe_data(txe); + msg->data_len = txe->data_len; + msg->flags = 0; + msg->peer + = BIO_ADDR_family(&txe->peer) != AF_UNSPEC ? &txe->peer : NULL; + msg->local + = BIO_ADDR_family(&txe->local) != AF_UNSPEC ? &txe->local : NULL; +} + +#define MAX_MSGS_PER_SEND 32 + +void ossl_qtx_flush_net(OSSL_QTX *qtx) +{ + BIO_MSG msg[MAX_MSGS_PER_SEND]; + size_t i; + TXE *txe; + ossl_ssize_t wr; + + if (qtx->bio == NULL) + return; + + for (;;) { + for (txe = qtx->pending.head, i = 0; + txe != NULL && i < OSSL_NELEM(msg); + txe = txe->next, ++i) + txe_to_msg(txe, &msg[i]); + + if (!i) + /* Nothing to send. */ + return; + + wr = BIO_sendmmsg(qtx->bio, msg, sizeof(BIO_MSG), i, 0); + if (wr <= 0) + /* + * We did not get anything, so further calls will probably not + * succeed either. + */ + break; + + /* + * Remove everything which was successfully sent from the pending queue. + */ + for (i = 0; i < (size_t)wr; ++i) + qtx_pending_to_free(qtx); + } +} + +int ossl_qtx_pop_net(OSSL_QTX *qtx, BIO_MSG *msg) +{ + TXE *txe = qtx->pending.head; + + if (txe == NULL) + return 0; + + txe_to_msg(txe, msg); + qtx_pending_to_free(qtx); + return 1; +} + +int ossl_qtx_set1_bio(OSSL_QTX *qtx, BIO *bio) +{ + if (bio != NULL && !BIO_up_ref(bio)) + return 0; + + BIO_free(qtx->bio); + qtx->bio = bio; + return 1; +} + +int ossl_qtx_set_mdpl(OSSL_QTX *qtx, size_t mdpl) +{ + qtx->mdpl = mdpl; + return 1; +} + +size_t ossl_qtx_get_queue_len_datagrams(OSSL_QTX *qtx) +{ + return qtx->pending_count; +} + +size_t ossl_qtx_get_queue_len_bytes(OSSL_QTX *qtx) +{ + return qtx->pending_bytes; +} + +size_t ossl_qtx_get_cur_dgram_len_bytes(OSSL_QTX *qtx) +{ + return qtx->cons != NULL ? qtx->cons->data_len : 0; +} + +size_t ossl_qtx_get_unflushed_pkt_count(OSSL_QTX *qtx) +{ + return qtx->cons_count; +} + +uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el; + + el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + if (el == NULL) + return UINT64_MAX; + + return el->op_count; +} + +uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level) +{ + OSSL_QRL_ENC_LEVEL *el; + + el = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1); + if (el == NULL) + return UINT64_MAX; + + return ossl_qrl_get_suite_max_pkt(el->suite_id); +} diff --git a/ssl/quic/quic_record_util.c b/ssl/quic/quic_record_util.c index 6d0eeb5759..1b26a61ec7 100644 --- a/ssl/quic/quic_record_util.c +++ b/ssl/quic/quic_record_util.c @@ -8,7 +8,10 @@ */ #include "internal/quic_record_util.h" +#include "internal/quic_record_rx.h" +#include "internal/quic_record_tx.h" #include "internal/quic_wire_pkt.h" +#include "../ssl_local.h" #include #include @@ -52,6 +55,119 @@ err: return ret; } +/* Constants used for key derivation in QUIC v1. */ +static const unsigned char quic_client_in_label[] = { + 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */ +}; +static const unsigned char quic_server_in_label[] = { + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */ +}; + +/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */ +static const unsigned char quic_v1_initial_salt[] = { + 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, + 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a +}; + +int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx, + const char *propq, + const QUIC_CONN_ID *dst_conn_id, + int is_server, + struct ossl_qrx_st *qrx, + struct ossl_qtx_st *qtx) +{ + unsigned char initial_secret[32]; + unsigned char client_initial_secret[32], server_initial_secret[32]; + unsigned char *rx_secret, *tx_secret; + EVP_MD *sha256; + + if (qrx == NULL && qtx == NULL) + return 1; + + /* Initial encryption always uses SHA-256. */ + if ((sha256 = EVP_MD_fetch(libctx, "SHA256", propq)) == NULL) + return 0; + + if (is_server) { + rx_secret = client_initial_secret; + tx_secret = server_initial_secret; + } else { + rx_secret = server_initial_secret; + tx_secret = client_initial_secret; + } + + /* Derive initial secret from destination connection ID. */ + if (!ossl_quic_hkdf_extract(libctx, propq, + sha256, + quic_v1_initial_salt, + sizeof(quic_v1_initial_salt), + dst_conn_id->id, + dst_conn_id->id_len, + initial_secret, + sizeof(initial_secret))) + goto err; + + /* Derive "client in" secret. */ + if (((qtx != NULL && tx_secret == client_initial_secret) + || (qrx != NULL && rx_secret == client_initial_secret)) + && !tls13_hkdf_expand_ex(libctx, propq, + sha256, + initial_secret, + quic_client_in_label, + sizeof(quic_client_in_label), + NULL, 0, + client_initial_secret, + sizeof(client_initial_secret), 0)) + goto err; + + /* Derive "server in" secret. */ + if (((qtx != NULL && tx_secret == server_initial_secret) + || (qrx != NULL && rx_secret == server_initial_secret)) + && !tls13_hkdf_expand_ex(libctx, propq, + sha256, + initial_secret, + quic_server_in_label, + sizeof(quic_server_in_label), + NULL, 0, + server_initial_secret, + sizeof(server_initial_secret), 0)) + goto err; + + /* Setup RX EL. Initial encryption always uses AES-128-GCM. */ + if (qrx != NULL + && !ossl_qrx_provide_secret(qrx, QUIC_ENC_LEVEL_INITIAL, + QRL_SUITE_AES128GCM, + sha256, + rx_secret, + sizeof(server_initial_secret))) + goto err; + + /* + * ossl_qrx_provide_secret takes ownership of our ref to SHA256, so if we + * are initialising both sides, get a new ref for the following call for the + * TX side. + */ + if (qrx != NULL && qtx != NULL && !EVP_MD_up_ref(sha256)) { + sha256 = NULL; + goto err; + } + + /* Setup TX cipher. */ + if (qtx != NULL + && !ossl_qtx_provide_secret(qtx, QUIC_ENC_LEVEL_INITIAL, + QRL_SUITE_AES128GCM, + sha256, + tx_secret, + sizeof(server_initial_secret))) + goto err; + + return 1; + +err: + EVP_MD_free(sha256); + return 0; +} + /* * QUIC Record Layer Ciphersuite Info * ================================== @@ -61,21 +177,29 @@ struct suite_info { const char *cipher_name, *md_name; uint32_t secret_len, cipher_key_len, cipher_iv_len, cipher_tag_len; uint32_t hdr_prot_key_len, hdr_prot_cipher_id; + uint64_t max_pkt, max_forged_pkt; }; static const struct suite_info suite_aes128gcm = { "AES-128-GCM", "SHA256", 32, 16, 12, 16, 16, - QUIC_HDR_PROT_CIPHER_AES_128 + QUIC_HDR_PROT_CIPHER_AES_128, + ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */ + ((uint64_t)1) << 52, }; static const struct suite_info suite_aes256gcm = { "AES-256-GCM", "SHA384", 48, 32, 12, 16, 32, - QUIC_HDR_PROT_CIPHER_AES_256 + QUIC_HDR_PROT_CIPHER_AES_256, + ((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */ + ((uint64_t)1) << 52, }; static const struct suite_info suite_chacha20poly1305 = { "ChaCha20-Poly1305", "SHA256", 32, 32, 12, 16, 32, - QUIC_HDR_PROT_CIPHER_CHACHA + QUIC_HDR_PROT_CIPHER_CHACHA, + /* Do not use UINT64_MAX here as this represents an invalid value */ + UINT64_MAX - 1, /* No applicable limit for this suite (RFC 9001) */ + ((uint64_t)1) << 36, /* Limit as prescribed by RFC 9001 */ }; static const struct suite_info *get_suite(uint32_t suite_id) @@ -139,3 +263,15 @@ uint32_t ossl_qrl_get_suite_hdr_prot_key_len(uint32_t suite_id) const struct suite_info *c = get_suite(suite_id); return c != NULL ? c->hdr_prot_key_len : 0; } + +uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id) +{ + const struct suite_info *c = get_suite(suite_id); + return c != NULL ? c->max_pkt : UINT64_MAX; +} + +uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id) +{ + const struct suite_info *c = get_suite(suite_id); + return c != NULL ? c->max_forged_pkt : UINT64_MAX; +} diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c index 5d90d70c15..2d62cb4b7d 100644 --- a/ssl/quic/quic_wire_pkt.c +++ b/ssl/quic/quic_wire_pkt.c @@ -406,7 +406,8 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, QUIC_PKT_HDR_PTRS *ptrs) { unsigned char b0; - size_t off_start, off_sample, off_sample_end, off_pn; + size_t off_start, off_sample, off_pn; + unsigned char *start = WPACKET_get_curr(pkt); if (!WPACKET_get_total_written(pkt, &off_start)) return 0; @@ -517,19 +518,74 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, return 0; off_sample = off_pn + 4; - if (!WPACKET_get_total_written(pkt, &off_sample_end)) - return 0; if (ptrs != NULL) { - ptrs->raw_start = (unsigned char *)pkt->buf->data + off_start; - ptrs->raw_sample = (unsigned char *)pkt->buf->data + off_sample; - ptrs->raw_sample_len = off_sample_end - off_sample; - ptrs->raw_pn = (unsigned char *)pkt->buf->data + off_pn; + ptrs->raw_start = start; + ptrs->raw_sample = start + (off_sample - off_start); + ptrs->raw_sample_len + = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; + ptrs->raw_pn = start + (off_pn - off_start); } return 1; } +int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, + const QUIC_PKT_HDR *hdr) +{ + size_t len = 0, enclen; + + /* Cannot serialize a partial header, or one whose DCID length is wrong. */ + if (hdr->partial + || (hdr->type == QUIC_PKT_TYPE_1RTT + && hdr->dst_conn_id.id_len != short_conn_id_len)) + return 0; + + if (hdr->type == QUIC_PKT_TYPE_1RTT) { + /* Short header. */ + + /* + * Cannot serialize a header whose DCID length is wrong, or with an + * invalid PN length. + */ + if (hdr->dst_conn_id.id_len != short_conn_id_len + || short_conn_id_len > QUIC_MAX_CONN_ID_LEN + || hdr->pn_len < 1 || hdr->pn_len > 4) + return 0; + + return 1 + short_conn_id_len + hdr->pn_len; + } else { + /* Long header. */ + if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN + || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) + return 0; + + if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG + && hdr->type != QUIC_PKT_TYPE_RETRY + && (hdr->pn_len < 1 || hdr->pn_len > 4)) + return 0; + + len += 1 /* Initial byte */ + 4 /* Version */ + + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ + + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ + + hdr->pn_len; /* PN */ + + if (hdr->type == QUIC_PKT_TYPE_INITIAL) { + enclen = ossl_quic_vlint_encode_len(hdr->token_len); + if (!enclen) + return 0; + len += enclen; + } + + enclen = ossl_quic_vlint_encode_len(hdr->len); + if (!enclen) + return 0; + + len += enclen; + return len; + } +} + int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, size_t buf_len, size_t short_conn_id_len, diff --git a/test/quic_record_test.c b/test/quic_record_test.c index 29c0dcf57b..436fe387ec 100644 --- a/test/quic_record_test.c +++ b/test/quic_record_test.c @@ -7,28 +7,24 @@ * https://www.openssl.org/source/license.html */ -#include "internal/quic_record.h" +#include "internal/quic_record_rx.h" +#include "internal/quic_record_tx.h" #include "testutil.h" static const QUIC_CONN_ID empty_conn_id = {0, {0}}; -struct test_case { - const unsigned char *dgram; - size_t dgram_len; -}; - -#define TEST_OP_END 0 /* end of script */ -#define TEST_OP_SET_SCID_LEN 1 /* change SCID length */ -#define TEST_OP_SET_INIT_LARGEST_PN 2 /* set initial largest PN */ -#define TEST_OP_ADD_RX_DCID 3 /* register an RX DCID */ -#define TEST_OP_INJECT 4 /* inject a datagram into demux */ -#define TEST_OP_PROVIDE_SECRET 5 /* provide RX secret */ -#define TEST_OP_PROVIDE_SECRET_INITIAL 6 /* provide RX secret for initial */ -#define TEST_OP_DISCARD_EL 7 /* discard an encryption level */ -#define TEST_OP_CHECK_PKT 8 /* read packet, compare to expected */ -#define TEST_OP_CHECK_NO_PKT 9 /* check no packet is available to read */ - -struct test_op { +#define RX_TEST_OP_END 0 /* end of script */ +#define RX_TEST_OP_SET_SCID_LEN 1 /* change SCID length */ +#define RX_TEST_OP_SET_INIT_LARGEST_PN 2 /* set initial largest PN */ +#define RX_TEST_OP_ADD_RX_DCID 3 /* register an RX DCID */ +#define RX_TEST_OP_INJECT 4 /* inject a datagram into demux */ +#define RX_TEST_OP_PROVIDE_SECRET 5 /* provide RX secret */ +#define RX_TEST_OP_PROVIDE_SECRET_INITIAL 6 /* provide RX secret for initial */ +#define RX_TEST_OP_DISCARD_EL 7 /* discard an encryption level */ +#define RX_TEST_OP_CHECK_PKT 8 /* read packet, compare to expected */ +#define RX_TEST_OP_CHECK_NO_PKT 9 /* check no packet is available to read */ + +struct rx_test_op { unsigned char op; const unsigned char *buf; size_t buf_len; @@ -36,47 +32,47 @@ struct test_op { uint32_t enc_level, suite_id; QUIC_PN largest_pn; const QUIC_CONN_ID *dcid; - int (*new_qrl)(QUIC_DEMUX **demux, OSSL_QRL **qrl); -}; - -#define OP_END \ - { TEST_OP_END } -#define OP_SET_SCID_LEN(scid_len) \ - { TEST_OP_SET_SCID_LEN, NULL, 0, NULL, (scid_len), 0, 0, NULL, NULL }, -#define OP_SET_INIT_LARGEST_PN(largest_pn) \ - { TEST_OP_SET_INIT_LARGEST_PN, NULL, 0, NULL, 0, 0, (largest_pn), NULL, NULL }, -#define OP_ADD_RX_DCID(dcid) \ - { TEST_OP_ADD_RX_DCID, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL }, -#define OP_INJECT(dgram) \ - { TEST_OP_INJECT, (dgram), sizeof(dgram), NULL, 0, 0, 0, NULL }, -#define OP_PROVIDE_SECRET(el, suite, key) \ + int (*new_qrx)(QUIC_DEMUX **demux, OSSL_QRX **qrx); +}; + +#define RX_OP_END \ + { RX_TEST_OP_END } +#define RX_OP_SET_SCID_LEN(scid_len) \ + { RX_TEST_OP_SET_SCID_LEN, NULL, 0, NULL, (scid_len), 0, 0, NULL, NULL }, +#define RX_OP_SET_INIT_LARGEST_PN(largest_pn) \ + { RX_TEST_OP_SET_INIT_LARGEST_PN, NULL, 0, NULL, 0, 0, (largest_pn), NULL, NULL }, +#define RX_OP_ADD_RX_DCID(dcid) \ + { RX_TEST_OP_ADD_RX_DCID, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL }, +#define RX_OP_INJECT(dgram) \ + { RX_TEST_OP_INJECT, (dgram), sizeof(dgram), NULL, 0, 0, 0, NULL }, +#define RX_OP_PROVIDE_SECRET(el, suite, key) \ { \ - TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \ + RX_TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \ NULL, (el), (suite), 0, NULL, NULL \ }, -#define OP_PROVIDE_SECRET_INITIAL(dcid) \ - { TEST_OP_PROVIDE_SECRET_INITIAL, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL }, -#define OP_DISCARD_EL(el) \ - { TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, 0, NULL, NULL }, -#define OP_CHECK_PKT(expect_hdr, expect_body) \ +#define RX_OP_PROVIDE_SECRET_INITIAL(dcid) \ + { RX_TEST_OP_PROVIDE_SECRET_INITIAL, NULL, 0, NULL, 0, 0, 0, &(dcid), NULL }, +#define RX_OP_DISCARD_EL(el) \ + { RX_TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, 0, NULL, NULL }, +#define RX_OP_CHECK_PKT(expect_hdr, expect_body) \ { \ - TEST_OP_CHECK_PKT, (expect_body), sizeof(expect_body), \ + RX_TEST_OP_CHECK_PKT, (expect_body), sizeof(expect_body), \ &(expect_hdr), 0, 0, 0, NULL, NULL \ }, -#define OP_CHECK_NO_PKT() \ - { TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, 0, NULL, NULL }, +#define RX_OP_CHECK_NO_PKT() \ + { RX_TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, 0, NULL, NULL }, -#define OP_INJECT_N(n) \ - OP_INJECT(script_##n##_in) -#define OP_CHECK_PKT_N(n) \ - OP_CHECK_PKT(script_##n##_expect_hdr, script_##n##_body) +#define RX_OP_INJECT_N(n) \ + RX_OP_INJECT(rx_script_##n##_in) +#define RX_OP_CHECK_PKT_N(n) \ + RX_OP_CHECK_PKT(rx_script_##n##_expect_hdr, rx_script_##n##_body) -#define OP_INJECT_CHECK(n) \ - OP_INJECT_N(n) \ - OP_CHECK_PKT_N(n) +#define RX_OP_INJECT_CHECK(n) \ + RX_OP_INJECT_N(n) \ + RX_OP_CHECK_PKT_N(n) /* 1. RFC 9001 - A.3 Server Initial */ -static const unsigned char script_1_in[] = { +static const unsigned char rx_script_1_in[] = { 0xcf, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xf0, 0x67, 0xa5, 0x50, 0x2a, 0x42, 0x62, 0xb5, 0x00, 0x40, 0x75, 0xc0, 0xd9, 0x5a, 0x48, 0x2c, 0xd0, 0x99, 0x1c, 0xd2, 0x5b, 0x0a, 0xac, 0x40, 0x6a, 0x58, 0x16, 0xb6, 0x39, @@ -91,7 +87,7 @@ static const unsigned char script_1_in[] = { 0xd0, 0x74, 0xee }; -static const unsigned char script_1_body[] = { +static const unsigned char rx_script_1_body[] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x40, 0x5a, 0x02, 0x00, 0x00, 0x56, 0x03, 0x03, 0xee, 0xfc, 0xe7, 0xf7, 0xb3, 0x7b, 0xa1, 0xd1, 0x63, 0x2e, 0x96, 0x67, 0x78, 0x25, 0xdd, 0xf7, 0x39, 0x88, 0xcf, 0xc7, 0x98, @@ -103,11 +99,11 @@ static const unsigned char script_1_body[] = { 0x02, 0x03, 0x04 }; -static const QUIC_CONN_ID script_1_dcid = { +static const QUIC_CONN_ID rx_script_1_dcid = { 8, { 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08 } }; -static const QUIC_PKT_HDR script_1_expect_hdr = { +static const QUIC_PKT_HDR rx_script_1_expect_hdr = { QUIC_PKT_TYPE_INITIAL, 0, 0, 2, 0, 1, 1, { 0, {0} }, { 8, {0xf0, 0x67, 0xa5, 0x50, 0x2a, 0x42, 0x62, 0xb5 } }, @@ -116,33 +112,33 @@ static const QUIC_PKT_HDR script_1_expect_hdr = { 99, NULL }; -static const struct test_op script_1[] = { - OP_SET_SCID_LEN(2) - OP_SET_INIT_LARGEST_PN(0) - OP_ADD_RX_DCID(empty_conn_id) - OP_PROVIDE_SECRET_INITIAL(script_1_dcid) - OP_INJECT_CHECK(1) - OP_CHECK_NO_PKT() - OP_END +static const struct rx_test_op rx_script_1[] = { + RX_OP_SET_SCID_LEN(2) + RX_OP_SET_INIT_LARGEST_PN(0) + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_1_dcid) + RX_OP_INJECT_CHECK(1) + RX_OP_CHECK_NO_PKT() + RX_OP_END }; /* 2. RFC 9001 - A.5 ChaCha20-Poly1305 Short Header Packet */ -static const unsigned char script_2_in[] = { +static const unsigned char rx_script_2_in[] = { 0x4c, 0xfe, 0x41, 0x89, 0x65, 0x5e, 0x5c, 0xd5, 0x5c, 0x41, 0xf6, 0x90, 0x80, 0x57, 0x5d, 0x79, 0x99, 0xc2, 0x5a, 0x5b, 0xfb }; -static const unsigned char script_2_secret[] = { +static const unsigned char rx_script_2_secret[] = { 0x9a, 0xc3, 0x12, 0xa7, 0xf8, 0x77, 0x46, 0x8e, 0xbe, 0x69, 0x42, 0x27, 0x48, 0xad, 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3, 0x0f, 0x21, 0x63, 0x2b }; -static const unsigned char script_2_body[] = { +static const unsigned char rx_script_2_body[] = { 0x01 }; -static const QUIC_PKT_HDR script_2_expect_hdr = { +static const QUIC_PKT_HDR rx_script_2_expect_hdr = { QUIC_PKT_TYPE_1RTT, 0, 0, 3, 0, 1, 0, {0, {0}}, {0, {0}}, {0x00, 0xbf, 0xf4, 0x00}, @@ -150,18 +146,18 @@ static const QUIC_PKT_HDR script_2_expect_hdr = { 1, NULL }; -static const struct test_op script_2[] = { - OP_SET_INIT_LARGEST_PN(654360560) - OP_ADD_RX_DCID(empty_conn_id) - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305, - script_2_secret) - OP_INJECT_CHECK(2) - OP_CHECK_NO_PKT() - OP_END +static const struct rx_test_op rx_script_2[] = { + RX_OP_SET_INIT_LARGEST_PN(654360560) + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305, + rx_script_2_secret) + RX_OP_INJECT_CHECK(2) + RX_OP_CHECK_NO_PKT() + RX_OP_END }; /* 3. Real World - Version Negotiation Response */ -static const unsigned char script_3_in[] = { +static const unsigned char rx_script_3_in[] = { 0xc7, /* Long; Random Bits */ 0x00, 0x00, 0x00, 0x00, /* Version 0 (Version Negotiation) */ 0x00, /* DCID */ @@ -172,7 +168,7 @@ static const unsigned char script_3_in[] = { 0xaa, 0x9a, 0x3a, 0x9a /* Supported Version: Random (GREASE) */ }; -static const QUIC_PKT_HDR script_3_expect_hdr = { +static const QUIC_PKT_HDR rx_script_3_expect_hdr = { QUIC_PKT_TYPE_VERSION_NEG, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -188,20 +184,20 @@ static const QUIC_PKT_HDR script_3_expect_hdr = { 8, NULL }; -static const unsigned char script_3_body[] = { +static const unsigned char rx_script_3_body[] = { 0x00, 0x00, 0x00, 0x01, 0xaa, 0x9a, 0x3a, 0x9a }; -static const struct test_op script_3[] = { - OP_ADD_RX_DCID(empty_conn_id) - OP_INJECT_CHECK(3) - OP_CHECK_NO_PKT() - OP_END +static const struct rx_test_op rx_script_3[] = { + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_INJECT_CHECK(3) + RX_OP_CHECK_NO_PKT() + RX_OP_END }; /* 4. Real World - Retry (S2C) */ -static const unsigned char script_4_in[] = { +static const unsigned char rx_script_4_in[] = { 0xf0, /* Long; Retry */ 0x00, 0x00, 0x00, 0x01, /* Version 1 */ 0x00, /* DCID */ @@ -219,7 +215,7 @@ static const unsigned char script_4_in[] = { 0x9d, 0x82, 0xb3, 0x45, 0x62, 0x4c, }; -static const QUIC_PKT_HDR script_4_expect_hdr = { +static const QUIC_PKT_HDR rx_script_4_expect_hdr = { QUIC_PKT_TYPE_RETRY, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -234,7 +230,7 @@ static const QUIC_PKT_HDR script_4_expect_hdr = { 114, NULL }; -static const unsigned char script_4_body[] = { +static const unsigned char rx_script_4_body[] = { 0xf6, 0x8b, 0x6e, 0xa3, 0xdc, 0x40, 0x38, 0xc6, 0xa5, 0x99, 0x1c, 0xa9, 0x77, 0xe6, 0x1d, 0x4f, 0x09, 0x36, 0x12, 0x26, 0x00, 0x56, 0x0b, 0x29, 0x7d, 0x5e, 0xda, 0x39, 0xc6, 0x61, 0x57, 0x69, 0x15, 0xff, 0x93, 0x39, @@ -247,34 +243,34 @@ static const unsigned char script_4_body[] = { 0x9d, 0x82, 0xb3, 0x45, 0x62, 0x4c }; -static const struct test_op script_4[] = { - OP_ADD_RX_DCID(empty_conn_id) - OP_INJECT_CHECK(4) - OP_CHECK_NO_PKT() - OP_END +static const struct rx_test_op rx_script_4[] = { + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_INJECT_CHECK(4) + RX_OP_CHECK_NO_PKT() + RX_OP_END }; /* * 5. Real World - S2C Multiple Packets * - Initial, Handshake, 1-RTT (AES-128-GCM/SHA256) */ -static const QUIC_CONN_ID script_5_c2s_init_dcid = { +static const QUIC_CONN_ID rx_script_5_c2s_init_dcid = { 4, {0xad, 0x15, 0x3f, 0xae} }; -static const unsigned char script_5_handshake_secret[32] = { +static const unsigned char rx_script_5_handshake_secret[32] = { 0x5e, 0xc6, 0x4a, 0x4d, 0x0d, 0x40, 0x43, 0x3b, 0xd5, 0xbd, 0xe0, 0x19, 0x71, 0x47, 0x56, 0xf3, 0x59, 0x3a, 0xa6, 0xc9, 0x3e, 0xdc, 0x81, 0x1e, 0xc7, 0x72, 0x9d, 0x83, 0xd8, 0x8f, 0x88, 0x77 }; -static const unsigned char script_5_1rtt_secret[32] = { +static const unsigned char rx_script_5_1rtt_secret[32] = { 0x53, 0xf2, 0x1b, 0x94, 0xa7, 0x65, 0xf7, 0x76, 0xfb, 0x06, 0x27, 0xaa, 0xd2, 0x3f, 0xe0, 0x9a, 0xbb, 0xcf, 0x99, 0x6f, 0x13, 0x2c, 0x6a, 0x37, 0x95, 0xf3, 0xda, 0x21, 0xcb, 0xcb, 0xa5, 0x26, }; -static const unsigned char script_5_in[] = { +static const unsigned char rx_script_5_in[] = { /* First Packet: Initial */ 0xc4, /* Long, Initial, PN Length=2 bytes */ 0x00, 0x00, 0x00, 0x01, /* Version */ @@ -400,7 +396,7 @@ static const unsigned char script_5_in[] = { 0x9a, 0x31, 0x56, 0xc7, }; -static const QUIC_PKT_HDR script_5a_expect_hdr = { +static const QUIC_PKT_HDR rx_script_5a_expect_hdr = { QUIC_PKT_TYPE_INITIAL, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -415,7 +411,7 @@ static const QUIC_PKT_HDR script_5a_expect_hdr = { 448, NULL }; -static const unsigned char script_5a_body[] = { +static const unsigned char rx_script_5a_body[] = { 0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -456,7 +452,7 @@ static const unsigned char script_5a_body[] = { 0x1f, 0x54, 0x86, 0x1d, }; -static const QUIC_PKT_HDR script_5b_expect_hdr = { +static const QUIC_PKT_HDR rx_script_5b_expect_hdr = { QUIC_PKT_TYPE_HANDSHAKE, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -471,7 +467,7 @@ static const QUIC_PKT_HDR script_5b_expect_hdr = { 650, NULL }; -static const unsigned char script_5b_body[] = { +static const unsigned char rx_script_5b_body[] = { 0x06, 0x00, 0x42, 0x86, 0x08, 0x00, 0x00, 0x7d, 0x00, 0x7b, 0x00, 0x10, 0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39, 0x00, 0x6b, 0x4b, 0x20, 0x0b, 0x1b, 0xe1, 0x1f, 0xd0, 0x78, 0xc0, 0x69, @@ -529,7 +525,7 @@ static const unsigned char script_5b_body[] = { 0x53, 0x0a, }; -static const QUIC_PKT_HDR script_5c_expect_hdr = { +static const QUIC_PKT_HDR rx_script_5c_expect_hdr = { QUIC_PKT_TYPE_1RTT, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -544,7 +540,7 @@ static const QUIC_PKT_HDR script_5c_expect_hdr = { 72, NULL }; -static const unsigned char script_5c_body[] = { +static const unsigned char rx_script_5c_body[] = { 0x18, 0x03, 0x00, 0x04, 0x92, 0xec, 0xaa, 0xd6, 0x47, 0xd8, 0x8b, 0x56, 0x3b, 0x5f, 0x67, 0xe6, 0xb9, 0xb9, 0xca, 0x72, 0xca, 0xf2, 0x49, 0x7d, 0x18, 0x02, 0x00, 0x04, 0xa9, 0x6e, 0x9b, 0x84, 0x26, 0x43, 0x00, 0xc7, @@ -553,92 +549,92 @@ static const unsigned char script_5c_body[] = { 0xef, 0x97, 0x1e, 0x9a, 0x3c, 0xab, 0x1e, 0xfc, 0xb7, 0x90, 0xc3, 0x1a, }; -static const struct test_op script_5[] = { - OP_ADD_RX_DCID(empty_conn_id) - OP_PROVIDE_SECRET_INITIAL(script_5_c2s_init_dcid) - OP_INJECT_N(5) - OP_CHECK_PKT_N(5a) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_AES128GCM, script_5_handshake_secret) - OP_CHECK_PKT_N(5b) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_AES128GCM, script_5_1rtt_secret) - OP_CHECK_PKT_N(5c) - OP_CHECK_NO_PKT() +static const struct rx_test_op rx_script_5[] = { + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_5_c2s_init_dcid) + RX_OP_INJECT_N(5) + RX_OP_CHECK_PKT_N(5a) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_AES128GCM, rx_script_5_handshake_secret) + RX_OP_CHECK_PKT_N(5b) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_AES128GCM, rx_script_5_1rtt_secret) + RX_OP_CHECK_PKT_N(5c) + RX_OP_CHECK_NO_PKT() /* Try injecting the packet again */ - OP_INJECT_N(5) + RX_OP_INJECT_N(5) /* * Initial packet is not output due to receiving a Handshake packet causing * auto-discard of Initial keys */ - OP_CHECK_PKT_N(5b) - OP_CHECK_PKT_N(5c) - OP_CHECK_NO_PKT() + RX_OP_CHECK_PKT_N(5b) + RX_OP_CHECK_PKT_N(5c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) - OP_INJECT_N(5) - OP_CHECK_PKT_N(5c) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) + RX_OP_INJECT_N(5) + RX_OP_CHECK_PKT_N(5c) + RX_OP_CHECK_NO_PKT() /* Try again */ - OP_INJECT_N(5) - OP_CHECK_PKT_N(5c) - OP_CHECK_NO_PKT() + RX_OP_INJECT_N(5) + RX_OP_CHECK_PKT_N(5c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded 1-RTT keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) - OP_INJECT_N(5) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) + RX_OP_INJECT_N(5) + RX_OP_CHECK_NO_PKT() /* Recreate QRL, test reading packets received before key */ - OP_SET_SCID_LEN(0) - OP_ADD_RX_DCID(empty_conn_id) - OP_INJECT_N(5) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET_INITIAL(script_5_c2s_init_dcid) - OP_CHECK_PKT_N(5a) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_AES128GCM, script_5_handshake_secret) - OP_CHECK_PKT_N(5b) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_AES128GCM, script_5_1rtt_secret) - OP_CHECK_PKT_N(5c) - OP_CHECK_NO_PKT() - - OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) - OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) - OP_INJECT_N(5) - OP_CHECK_NO_PKT() - - OP_END + RX_OP_SET_SCID_LEN(0) + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_INJECT_N(5) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_5_c2s_init_dcid) + RX_OP_CHECK_PKT_N(5a) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_AES128GCM, rx_script_5_handshake_secret) + RX_OP_CHECK_PKT_N(5b) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_AES128GCM, rx_script_5_1rtt_secret) + RX_OP_CHECK_PKT_N(5c) + RX_OP_CHECK_NO_PKT() + + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) + RX_OP_INJECT_N(5) + RX_OP_CHECK_NO_PKT() + + RX_OP_END }; /* * 6. Real World - S2C Multiple Packets * - Initial, Handshake, 1-RTT (AES-256-GCM/SHA384) */ -static const QUIC_CONN_ID script_6_c2s_init_dcid = { +static const QUIC_CONN_ID rx_script_6_c2s_init_dcid = { 4, {0xac, 0x88, 0x95, 0xbd} }; -static const unsigned char script_6_handshake_secret[48] = { +static const unsigned char rx_script_6_handshake_secret[48] = { 0xd1, 0x41, 0xb0, 0xf6, 0x0d, 0x8b, 0xbd, 0xe8, 0x5b, 0xa8, 0xff, 0xd7, 0x18, 0x9a, 0x23, 0x7b, 0x13, 0x5c, 0x1e, 0x90, 0x1d, 0x08, 0x95, 0xcc, 0xc5, 0x8e, 0x73, 0x4e, 0x02, 0x6f, 0x3c, 0xb6, 0x26, 0x77, 0x8d, 0x53, 0xc5, 0x62, 0x9f, 0xb5, 0xf0, 0x88, 0xfb, 0xe5, 0x14, 0x71, 0xab, 0xe6, }; -static const unsigned char script_6_1rtt_secret[48] = { +static const unsigned char rx_script_6_1rtt_secret[48] = { 0x2d, 0x6b, 0x9d, 0xd4, 0x39, 0xa0, 0xe7, 0xff, 0x17, 0xe2, 0xcb, 0x5c, 0x0d, 0x4a, 0xf6, 0x3f, 0xf4, 0xfe, 0xfc, 0xe5, 0x22, 0xfa, 0xf5, 0x5b, 0xc0, 0xb2, 0x18, 0xbb, 0x92, 0x4d, 0x35, 0xea, 0x67, 0xa6, 0xe7, 0xc1, 0x90, 0x10, 0xc9, 0x14, 0x46, 0xf5, 0x95, 0x57, 0x8b, 0x90, 0x88, 0x5d, }; -static const unsigned char script_6_in[] = { +static const unsigned char rx_script_6_in[] = { /* First Packet: Initial */ 0xc5, /* Long, Initial, PN Length=2 bytes */ 0x00, 0x00, 0x00, 0x01, /* Version */ @@ -764,7 +760,7 @@ static const unsigned char script_6_in[] = { 0xfe, 0xb1, 0x25, 0x1a, }; -static const QUIC_PKT_HDR script_6a_expect_hdr = { +static const QUIC_PKT_HDR rx_script_6a_expect_hdr = { QUIC_PKT_TYPE_INITIAL, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -779,7 +775,7 @@ static const QUIC_PKT_HDR script_6a_expect_hdr = { 428, NULL }; -static const unsigned char script_6a_body[] = { +static const unsigned char rx_script_6a_body[] = { 0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -818,7 +814,7 @@ static const unsigned char script_6a_body[] = { 0xb2, 0xd9, 0xad, 0xd1, 0x14, 0xdc, 0x84, 0x61, }; -static const QUIC_PKT_HDR script_6b_expect_hdr = { +static const QUIC_PKT_HDR rx_script_6b_expect_hdr = { QUIC_PKT_TYPE_HANDSHAKE, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -833,7 +829,7 @@ static const QUIC_PKT_HDR script_6b_expect_hdr = { 670, NULL }; -static const unsigned char script_6b_body[] = { +static const unsigned char rx_script_6b_body[] = { 0x06, 0x00, 0x42, 0x9a, 0x08, 0x00, 0x00, 0x80, 0x00, 0x7e, 0x00, 0x10, 0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39, 0x00, 0x6e, 0x47, 0xfa, 0x05, 0x5a, 0xe0, 0xec, 0x4a, 0xf3, 0x05, 0x04, @@ -892,7 +888,7 @@ static const unsigned char script_6b_body[] = { 0xc4, 0x4e, 0x96, 0x19, 0x68, 0x2d, 0xbe, 0x6f, 0x49, 0xfa, }; -static const QUIC_PKT_HDR script_6c_expect_hdr = { +static const QUIC_PKT_HDR rx_script_6c_expect_hdr = { QUIC_PKT_TYPE_1RTT, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -907,7 +903,7 @@ static const QUIC_PKT_HDR script_6c_expect_hdr = { 72, NULL }; -static const unsigned char script_6c_body[] = { +static const unsigned char rx_script_6c_body[] = { 0x18, 0x03, 0x00, 0x04, 0xf2, 0x94, 0x49, 0xc3, 0x34, 0xa1, 0xf4, 0x0f, 0xcb, 0xb8, 0x03, 0x04, 0x1f, 0xc8, 0x69, 0xb9, 0x3b, 0xd5, 0xc6, 0x93, 0x18, 0x02, 0x00, 0x04, 0x9a, 0x4f, 0xec, 0x52, 0xde, 0xd2, 0xc8, 0xb7, @@ -916,85 +912,85 @@ static const unsigned char script_6c_body[] = { 0xfc, 0x58, 0x0e, 0xa4, 0xf4, 0xf3, 0x23, 0x1b, 0xd6, 0x8e, 0x5b, 0x08, }; -static const struct test_op script_6[] = { - OP_ADD_RX_DCID(empty_conn_id) - OP_PROVIDE_SECRET_INITIAL(script_6_c2s_init_dcid) - OP_INJECT_N(6) - OP_CHECK_PKT_N(6a) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_AES256GCM, script_6_handshake_secret) - OP_CHECK_PKT_N(6b) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_AES256GCM, script_6_1rtt_secret) - OP_CHECK_PKT_N(6c) - OP_CHECK_NO_PKT() +static const struct rx_test_op rx_script_6[] = { + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_6_c2s_init_dcid) + RX_OP_INJECT_N(6) + RX_OP_CHECK_PKT_N(6a) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_AES256GCM, rx_script_6_handshake_secret) + RX_OP_CHECK_PKT_N(6b) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_AES256GCM, rx_script_6_1rtt_secret) + RX_OP_CHECK_PKT_N(6c) + RX_OP_CHECK_NO_PKT() /* Try injecting the packet again */ - OP_INJECT_N(6) + RX_OP_INJECT_N(6) /* * Initial packet is not output due to receiving a Handshake packet causing * auto-discard of Initial keys */ - OP_CHECK_PKT_N(6b) - OP_CHECK_PKT_N(6c) - OP_CHECK_NO_PKT() + RX_OP_CHECK_PKT_N(6b) + RX_OP_CHECK_PKT_N(6c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) - OP_INJECT_N(6) - OP_CHECK_PKT_N(6c) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) + RX_OP_INJECT_N(6) + RX_OP_CHECK_PKT_N(6c) + RX_OP_CHECK_NO_PKT() /* Try again */ - OP_INJECT_N(6) - OP_CHECK_PKT_N(6c) - OP_CHECK_NO_PKT() + RX_OP_INJECT_N(6) + RX_OP_CHECK_PKT_N(6c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded 1-RTT keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) - OP_INJECT_N(6) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) + RX_OP_INJECT_N(6) + RX_OP_CHECK_NO_PKT() /* Recreate QRL, test reading packets received before key */ - OP_SET_SCID_LEN(0) - OP_ADD_RX_DCID(empty_conn_id) - OP_INJECT_N(6) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET_INITIAL(script_6_c2s_init_dcid) - OP_CHECK_PKT_N(6a) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_AES256GCM, script_6_handshake_secret) - OP_CHECK_PKT_N(6b) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_AES256GCM, script_6_1rtt_secret) - OP_CHECK_PKT_N(6c) - OP_CHECK_NO_PKT() - - OP_END + RX_OP_SET_SCID_LEN(0) + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_INJECT_N(6) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_6_c2s_init_dcid) + RX_OP_CHECK_PKT_N(6a) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_AES256GCM, rx_script_6_handshake_secret) + RX_OP_CHECK_PKT_N(6b) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_AES256GCM, rx_script_6_1rtt_secret) + RX_OP_CHECK_PKT_N(6c) + RX_OP_CHECK_NO_PKT() + + RX_OP_END }; /* * 7. Real World - S2C Multiple Packets * - Initial, Handshake, 1-RTT (ChaCha20-Poly1305) */ -static const QUIC_CONN_ID script_7_c2s_init_dcid = { +static const QUIC_CONN_ID rx_script_7_c2s_init_dcid = { 4, {0xfa, 0x5d, 0xd6, 0x80} }; -static const unsigned char script_7_handshake_secret[32] = { +static const unsigned char rx_script_7_handshake_secret[32] = { 0x85, 0x44, 0xa4, 0x02, 0x46, 0x5b, 0x2a, 0x92, 0x80, 0x71, 0xfd, 0x11, 0x89, 0x73, 0x84, 0xeb, 0x3e, 0x0d, 0x89, 0x4f, 0x71, 0xdc, 0x9c, 0xdd, 0x55, 0x77, 0x9e, 0x79, 0x7b, 0xeb, 0xfa, 0x86, }; -static const unsigned char script_7_1rtt_secret[32] = { +static const unsigned char rx_script_7_1rtt_secret[32] = { 0x4a, 0x77, 0xb6, 0x0e, 0xfd, 0x90, 0xca, 0xbf, 0xc0, 0x1a, 0x64, 0x9f, 0xc0, 0x03, 0xd3, 0x8d, 0xc5, 0x41, 0x04, 0x50, 0xb1, 0x5b, 0x74, 0xe7, 0xe3, 0x99, 0x0c, 0xdf, 0x74, 0x61, 0x35, 0xe6, }; -static const unsigned char script_7_in[] = { +static const unsigned char rx_script_7_in[] = { /* First Packet: Initial */ 0xc2, /* Long, Initial, PN Length=2 bytes */ 0x00, 0x00, 0x00, 0x01, /* Version */ @@ -1121,7 +1117,7 @@ static const unsigned char script_7_in[] = { 0x7f, 0x33, 0x86, 0xbb, }; -static const QUIC_PKT_HDR script_7a_expect_hdr = { +static const QUIC_PKT_HDR rx_script_7a_expect_hdr = { QUIC_PKT_TYPE_INITIAL, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -1136,7 +1132,7 @@ static const QUIC_PKT_HDR script_7a_expect_hdr = { 441, NULL }; -static const unsigned char script_7a_body[] = { +static const unsigned char rx_script_7a_body[] = { 0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -1176,7 +1172,7 @@ static const unsigned char script_7a_body[] = { 0x08, 0xa9, 0x0b, 0xfd, 0xbe, 0xf1, 0x57, 0x21, 0x34, }; -static const QUIC_PKT_HDR script_7b_expect_hdr = { +static const QUIC_PKT_HDR rx_script_7b_expect_hdr = { QUIC_PKT_TYPE_HANDSHAKE, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -1191,7 +1187,7 @@ static const QUIC_PKT_HDR script_7b_expect_hdr = { 657, NULL }; -static const unsigned char script_7b_body[] = { +static const unsigned char rx_script_7b_body[] = { 0x06, 0x00, 0x42, 0x8d, 0x08, 0x00, 0x00, 0x82, 0x00, 0x80, 0x00, 0x10, 0x00, 0x08, 0x00, 0x06, 0x05, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x39, 0x00, 0x70, 0x46, 0x0a, 0x0d, 0xdc, 0x59, 0xf0, 0x4e, 0xb2, 0x2c, 0xac, @@ -1249,7 +1245,7 @@ static const unsigned char script_7b_body[] = { 0x80, 0x93, 0x40, 0xda, 0x41, 0x33, 0x08, 0x10, 0x2c, }; -static const QUIC_PKT_HDR script_7c_expect_hdr = { +static const QUIC_PKT_HDR rx_script_7c_expect_hdr = { QUIC_PKT_TYPE_1RTT, 0, /* Spin Bit */ 0, /* Key Phase */ @@ -1264,7 +1260,7 @@ static const QUIC_PKT_HDR script_7c_expect_hdr = { 72, NULL }; -static const unsigned char script_7c_body[] = { +static const unsigned char rx_script_7c_body[] = { 0x18, 0x03, 0x00, 0x04, 0xf7, 0x75, 0x72, 0xa2, 0xfd, 0x17, 0xd4, 0x82, 0x8e, 0xe9, 0x5b, 0xce, 0xed, 0xec, 0x88, 0xb9, 0x73, 0xbf, 0x36, 0x9f, 0x18, 0x02, 0x00, 0x04, 0x5f, 0x43, 0x96, 0xe4, 0x15, 0xdc, 0x56, 0x6b, @@ -1273,72 +1269,72 @@ static const unsigned char script_7c_body[] = { 0xaf, 0x0d, 0xd2, 0x38, 0xa4, 0xf1, 0x94, 0xff, 0x63, 0x24, 0xd3, 0x7a, }; -static const struct test_op script_7[] = { - OP_ADD_RX_DCID(empty_conn_id) - OP_PROVIDE_SECRET_INITIAL(script_7_c2s_init_dcid) - OP_INJECT_N(7) - OP_CHECK_PKT_N(7a) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_CHACHA20POLY1305, script_7_handshake_secret) - OP_CHECK_PKT_N(7b) - OP_CHECK_NO_PKT() /* not got secret for next packet yet */ - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_CHACHA20POLY1305, script_7_1rtt_secret) - OP_CHECK_PKT_N(7c) - OP_CHECK_NO_PKT() +static const struct rx_test_op rx_script_7[] = { + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_7_c2s_init_dcid) + RX_OP_INJECT_N(7) + RX_OP_CHECK_PKT_N(7a) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_CHACHA20POLY1305, rx_script_7_handshake_secret) + RX_OP_CHECK_PKT_N(7b) + RX_OP_CHECK_NO_PKT() /* not got secret for next packet yet */ + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_CHACHA20POLY1305, rx_script_7_1rtt_secret) + RX_OP_CHECK_PKT_N(7c) + RX_OP_CHECK_NO_PKT() /* Try injecting the packet again */ - OP_INJECT_N(7) + RX_OP_INJECT_N(7) /* * Initial packet is not output due to receiving a Handshake packet causing * auto-discard of Initial keys */ - OP_CHECK_PKT_N(7b) - OP_CHECK_PKT_N(7c) - OP_CHECK_NO_PKT() + RX_OP_CHECK_PKT_N(7b) + RX_OP_CHECK_PKT_N(7c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) - OP_INJECT_N(7) - OP_CHECK_PKT_N(7c) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_HANDSHAKE) + RX_OP_INJECT_N(7) + RX_OP_CHECK_PKT_N(7c) + RX_OP_CHECK_NO_PKT() /* Try again */ - OP_INJECT_N(7) - OP_CHECK_PKT_N(7c) - OP_CHECK_NO_PKT() + RX_OP_INJECT_N(7) + RX_OP_CHECK_PKT_N(7c) + RX_OP_CHECK_NO_PKT() /* Try again with discarded 1-RTT keys */ - OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) - OP_INJECT_N(7) - OP_CHECK_NO_PKT() + RX_OP_DISCARD_EL(QUIC_ENC_LEVEL_1RTT) + RX_OP_INJECT_N(7) + RX_OP_CHECK_NO_PKT() /* Recreate QRL, test reading packets received before key */ - OP_SET_SCID_LEN(0) - OP_ADD_RX_DCID(empty_conn_id) - OP_INJECT_N(7) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET_INITIAL(script_7_c2s_init_dcid) - OP_CHECK_PKT_N(7a) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, - QRL_SUITE_CHACHA20POLY1305, script_7_handshake_secret) - OP_CHECK_PKT_N(7b) - OP_CHECK_NO_PKT() - OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, - QRL_SUITE_CHACHA20POLY1305, script_7_1rtt_secret) - OP_CHECK_PKT_N(7c) - OP_CHECK_NO_PKT() - - OP_END -}; - -static const struct test_op *scripts[] = { - script_1, - script_2, - script_3, - script_4, - script_5, - script_6, - script_7 + RX_OP_SET_SCID_LEN(0) + RX_OP_ADD_RX_DCID(empty_conn_id) + RX_OP_INJECT_N(7) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET_INITIAL(rx_script_7_c2s_init_dcid) + RX_OP_CHECK_PKT_N(7a) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_HANDSHAKE, + QRL_SUITE_CHACHA20POLY1305, rx_script_7_handshake_secret) + RX_OP_CHECK_PKT_N(7b) + RX_OP_CHECK_NO_PKT() + RX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, + QRL_SUITE_CHACHA20POLY1305, rx_script_7_1rtt_secret) + RX_OP_CHECK_PKT_N(7c) + RX_OP_CHECK_NO_PKT() + + RX_OP_END +}; + +static const struct rx_test_op *rx_scripts[] = { + rx_script_1, + rx_script_2, + rx_script_3, + rx_script_4, + rx_script_5, + rx_script_6, + rx_script_7 }; static int cmp_pkt_hdr(const QUIC_PKT_HDR *a, const QUIC_PKT_HDR *b, @@ -1380,17 +1376,17 @@ static int cmp_pkt_hdr(const QUIC_PKT_HDR *a, const QUIC_PKT_HDR *b, return ok; } -struct state { +struct rx_state { QUIC_DEMUX *demux; - OSSL_QRL *qrl; - OSSL_QRL_ARGS args; + OSSL_QRX *qrx; + OSSL_QRX_ARGS args; }; -static void state_teardown(struct state *s) +static void rx_state_teardown(struct rx_state *s) { - if (s->qrl != NULL) { - ossl_qrl_free(s->qrl); - s->qrl = NULL; + if (s->qrx != NULL) { + ossl_qrx_free(s->qrx); + s->qrx = NULL; } if (s->demux != NULL) { @@ -1399,7 +1395,7 @@ static void state_teardown(struct state *s) } } -static int state_ensure(struct state *s) +static int rx_state_ensure(struct rx_state *s) { if (s->demux == NULL && !TEST_ptr(s->demux = ossl_quic_demux_new(NULL, @@ -1407,75 +1403,76 @@ static int state_ensure(struct state *s) 1500))) return 0; - s->args.rx_demux = s->demux; + s->args.demux = s->demux; - if (s->qrl == NULL - && !TEST_ptr(s->qrl = ossl_qrl_new(&s->args))) + if (s->qrx == NULL + && !TEST_ptr(s->qrx = ossl_qrx_new(&s->args))) return 0; return 1; } -static int run_script(const struct test_op *script) +static int rx_run_script(const struct rx_test_op *script) { int testresult = 0, pkt_outstanding = 0; - struct state s = {0}; + struct rx_state s = {0}; size_t i; - OSSL_QRL_RX_PKT pkt = {0}; - const struct test_op *op = script; + OSSL_QRX_PKT pkt = {0}; + const struct rx_test_op *op = script; - for (; op->op != TEST_OP_END; ++op) + for (; op->op != RX_TEST_OP_END; ++op) switch (op->op) { - case TEST_OP_SET_SCID_LEN: - state_teardown(&s); + case RX_TEST_OP_SET_SCID_LEN: + rx_state_teardown(&s); s.args.short_conn_id_len = op->enc_level; break; - case TEST_OP_SET_INIT_LARGEST_PN: - state_teardown(&s); + case RX_TEST_OP_SET_INIT_LARGEST_PN: + rx_state_teardown(&s); for (i = 0; i < QUIC_PN_SPACE_NUM; ++i) - s.args.rx_init_largest_pn[i] = op->largest_pn; + s.args.init_largest_pn[i] = op->largest_pn; break; - case TEST_OP_ADD_RX_DCID: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_ADD_RX_DCID: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_true(ossl_qrl_add_dst_conn_id(s.qrl, op->dcid))) + if (!TEST_true(ossl_qrx_add_dst_conn_id(s.qrx, op->dcid))) goto err; break; - case TEST_OP_PROVIDE_SECRET: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_PROVIDE_SECRET: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_true(ossl_qrl_provide_rx_secret(s.qrl, op->enc_level, - op->suite_id, - op->buf, - op->buf_len))) + if (!TEST_true(ossl_qrx_provide_secret(s.qrx, op->enc_level, + op->suite_id, NULL, + op->buf, + op->buf_len))) goto err; break; - case TEST_OP_PROVIDE_SECRET_INITIAL: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_PROVIDE_SECRET_INITIAL: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_true(ossl_qrl_provide_rx_secret_initial(s.qrl, - op->dcid))) + if (!TEST_true(ossl_quic_provide_initial_secret(NULL, NULL, + op->dcid, 0, + s.qrx, NULL))) goto err; break; - case TEST_OP_DISCARD_EL: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_DISCARD_EL: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_true(ossl_qrl_discard_enc_level(s.qrl, op->enc_level))) + if (!TEST_true(ossl_qrx_discard_enc_level(s.qrx, op->enc_level))) goto err; break; - case TEST_OP_INJECT: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_INJECT: + if (!TEST_true(rx_state_ensure(&s))) goto err; if (!TEST_true(ossl_quic_demux_inject(s.demux, op->buf, op->buf_len, NULL, NULL))) goto err; break; - case TEST_OP_CHECK_PKT: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_CHECK_PKT: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_true(ossl_qrl_read_pkt(s.qrl, &pkt))) + if (!TEST_true(ossl_qrx_read_pkt(s.qrx, &pkt))) goto err; pkt_outstanding = 1; @@ -1490,14 +1487,14 @@ static int run_script(const struct test_op *script) op->buf, op->buf_len, 1))) goto err; - ossl_qrl_release_pkt(s.qrl, pkt.handle); + ossl_qrx_release_pkt(s.qrx, pkt.handle); pkt_outstanding = 0; break; - case TEST_OP_CHECK_NO_PKT: - if (!TEST_true(state_ensure(&s))) + case RX_TEST_OP_CHECK_NO_PKT: + if (!TEST_true(rx_state_ensure(&s))) goto err; - if (!TEST_false(ossl_qrl_read_pkt(s.qrl, &pkt))) + if (!TEST_false(ossl_qrx_read_pkt(s.qrx, &pkt))) goto err; break; @@ -1509,14 +1506,14 @@ static int run_script(const struct test_op *script) testresult = 1; err: if (pkt_outstanding) - ossl_qrl_release_pkt(s.qrl, pkt.handle); - state_teardown(&s); + ossl_qrx_release_pkt(s.qrx, pkt.handle); + rx_state_teardown(&s); return testresult; } -static int test_script(int idx) +static int test_rx_script(int idx) { - return run_script(scripts[idx]); + return rx_run_script(rx_scripts[idx]); } /* Packet Header Tests */ @@ -2361,9 +2358,427 @@ static int test_wire_pkt_hdr(int idx) return test_wire_pkt_hdr_inner(tidx, repeat, cipher); } +/* TX Tests */ +#define TX_TEST_OP_END 0 /* end of script */ +#define TX_TEST_OP_WRITE 1 /* write packet */ +#define TX_TEST_OP_PROVIDE_SECRET 2 /* provide TX secret */ +#define TX_TEST_OP_PROVIDE_SECRET_INITIAL 3 /* provide TX secret for initial */ +#define TX_TEST_OP_DISCARD_EL 4 /* discard an encryption level */ +#define TX_TEST_OP_CHECK_DGRAM 5 /* read datagram, compare to expected */ +#define TX_TEST_OP_CHECK_NO_DGRAM 6 /* check no datagram is in queue */ + +struct tx_test_op { + unsigned char op; + const unsigned char *buf; + size_t buf_len; + const OSSL_QTX_PKT *pkt; + uint32_t enc_level, suite_id; + const QUIC_CONN_ID *dcid; +}; + +#define TX_OP_END \ + { TX_TEST_OP_END } +#define TX_OP_WRITE(pkt) \ + { TX_TEST_OP_WRITE, NULL, 0, &(pkt), 0, 0, NULL }, +#define TX_OP_PROVIDE_SECRET(el, suite, key) \ + { \ + TX_TEST_OP_PROVIDE_SECRET, (key), sizeof(key), \ + NULL, (el), (suite), NULL \ + }, +#define TX_OP_PROVIDE_SECRET_INITIAL(dcid, is_server) \ + { TX_TEST_OP_PROVIDE_SECRET_INITIAL, \ + NULL, 0, NULL, 0, (is_server), &(dcid) }, +#define TX_OP_DISCARD_EL(el) \ + { TX_TEST_OP_DISCARD_EL, NULL, 0, NULL, (el), 0, NULL }, +#define TX_OP_CHECK_DGRAM(expect_dgram) \ + { \ + TX_TEST_OP_CHECK_DGRAM, (expect_dgram), sizeof(expect_dgram), \ + NULL, 0, 0, NULL \ + }, +#define TX_OP_CHECK_NO_DGRAM() \ + { TX_TEST_OP_CHECK_NO_PKT, NULL, 0, NULL, 0, 0, NULL }, + +#define TX_OP_WRITE_N(n) \ + TX_OP_WRITE(tx_script_##n##_pkt) +#define TX_OP_CHECK_DGRAM_N(n) \ + TX_OP_CHECK_DGRAM(tx_script_##n##_dgram) + +#define TX_OP_WRITE_CHECK(n) \ + TX_OP_WRITE_N(n) \ + TX_OP_CHECK_DGRAM_N(n) + +/* 1. RFC 9001 - A.2 Client Initial */ +static const unsigned char tx_script_1_body[1162] = { + 0x06, 0x00, 0x40, 0xf1, 0x01, 0x00, 0x00, 0xed, 0x03, 0x03, 0xeb, 0xf8, + 0xfa, 0x56, 0xf1, 0x29, 0x39, 0xb9, 0x58, 0x4a, 0x38, 0x96, 0x47, 0x2e, + 0xc4, 0x0b, 0xb8, 0x63, 0xcf, 0xd3, 0xe8, 0x68, 0x04, 0xfe, 0x3a, 0x47, + 0xf0, 0x6a, 0x2b, 0x69, 0x48, 0x4c, 0x00, 0x00, 0x04, 0x13, 0x01, 0x13, + 0x02, 0x01, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, + 0x00, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, + 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x10, 0x00, 0x07, 0x00, 0x05, + 0x04, 0x61, 0x6c, 0x70, 0x6e, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, + 0x93, 0x70, 0xb2, 0xc9, 0xca, 0xa4, 0x7f, 0xba, 0xba, 0xf4, 0x55, 0x9f, + 0xed, 0xba, 0x75, 0x3d, 0xe1, 0x71, 0xfa, 0x71, 0xf5, 0x0f, 0x1c, 0xe1, + 0x5d, 0x43, 0xe9, 0x94, 0xec, 0x74, 0xd7, 0x48, 0x00, 0x2b, 0x00, 0x03, + 0x02, 0x03, 0x04, 0x00, 0x0d, 0x00, 0x10, 0x00, 0x0e, 0x04, 0x03, 0x05, + 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x00, + 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01, 0x00, + 0x39, 0x00, 0x32, 0x04, 0x08, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0x05, 0x04, 0x80, 0x00, 0xff, 0xff, 0x07, 0x04, 0x80, 0x00, 0xff, + 0xff, 0x08, 0x01, 0x10, 0x01, 0x04, 0x80, 0x00, 0x75, 0x30, 0x09, 0x01, + 0x10, 0x0f, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08, 0x06, + 0x04, 0x80, 0x00, 0xff, 0xff /* followed by zero padding */ +}; + +static const unsigned char tx_script_1_dgram[] = { + 0xc0, 0x00, 0x00, 0x00, 0x01, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, + 0x57, 0x08, 0x00, 0x00, 0x44, 0x9e, 0x7b, 0x9a, 0xec, 0x34, 0xd1, 0xb1, + 0xc9, 0x8d, 0xd7, 0x68, 0x9f, 0xb8, 0xec, 0x11, 0xd2, 0x42, 0xb1, 0x23, + 0xdc, 0x9b, 0xd8, 0xba, 0xb9, 0x36, 0xb4, 0x7d, 0x92, 0xec, 0x35, 0x6c, + 0x0b, 0xab, 0x7d, 0xf5, 0x97, 0x6d, 0x27, 0xcd, 0x44, 0x9f, 0x63, 0x30, + 0x00, 0x99, 0xf3, 0x99, 0x1c, 0x26, 0x0e, 0xc4, 0xc6, 0x0d, 0x17, 0xb3, + 0x1f, 0x84, 0x29, 0x15, 0x7b, 0xb3, 0x5a, 0x12, 0x82, 0xa6, 0x43, 0xa8, + 0xd2, 0x26, 0x2c, 0xad, 0x67, 0x50, 0x0c, 0xad, 0xb8, 0xe7, 0x37, 0x8c, + 0x8e, 0xb7, 0x53, 0x9e, 0xc4, 0xd4, 0x90, 0x5f, 0xed, 0x1b, 0xee, 0x1f, + 0xc8, 0xaa, 0xfb, 0xa1, 0x7c, 0x75, 0x0e, 0x2c, 0x7a, 0xce, 0x01, 0xe6, + 0x00, 0x5f, 0x80, 0xfc, 0xb7, 0xdf, 0x62, 0x12, 0x30, 0xc8, 0x37, 0x11, + 0xb3, 0x93, 0x43, 0xfa, 0x02, 0x8c, 0xea, 0x7f, 0x7f, 0xb5, 0xff, 0x89, + 0xea, 0xc2, 0x30, 0x82, 0x49, 0xa0, 0x22, 0x52, 0x15, 0x5e, 0x23, 0x47, + 0xb6, 0x3d, 0x58, 0xc5, 0x45, 0x7a, 0xfd, 0x84, 0xd0, 0x5d, 0xff, 0xfd, + 0xb2, 0x03, 0x92, 0x84, 0x4a, 0xe8, 0x12, 0x15, 0x46, 0x82, 0xe9, 0xcf, + 0x01, 0x2f, 0x90, 0x21, 0xa6, 0xf0, 0xbe, 0x17, 0xdd, 0xd0, 0xc2, 0x08, + 0x4d, 0xce, 0x25, 0xff, 0x9b, 0x06, 0xcd, 0xe5, 0x35, 0xd0, 0xf9, 0x20, + 0xa2, 0xdb, 0x1b, 0xf3, 0x62, 0xc2, 0x3e, 0x59, 0x6d, 0x11, 0xa4, 0xf5, + 0xa6, 0xcf, 0x39, 0x48, 0x83, 0x8a, 0x3a, 0xec, 0x4e, 0x15, 0xda, 0xf8, + 0x50, 0x0a, 0x6e, 0xf6, 0x9e, 0xc4, 0xe3, 0xfe, 0xb6, 0xb1, 0xd9, 0x8e, + 0x61, 0x0a, 0xc8, 0xb7, 0xec, 0x3f, 0xaf, 0x6a, 0xd7, 0x60, 0xb7, 0xba, + 0xd1, 0xdb, 0x4b, 0xa3, 0x48, 0x5e, 0x8a, 0x94, 0xdc, 0x25, 0x0a, 0xe3, + 0xfd, 0xb4, 0x1e, 0xd1, 0x5f, 0xb6, 0xa8, 0xe5, 0xeb, 0xa0, 0xfc, 0x3d, + 0xd6, 0x0b, 0xc8, 0xe3, 0x0c, 0x5c, 0x42, 0x87, 0xe5, 0x38, 0x05, 0xdb, + 0x05, 0x9a, 0xe0, 0x64, 0x8d, 0xb2, 0xf6, 0x42, 0x64, 0xed, 0x5e, 0x39, + 0xbe, 0x2e, 0x20, 0xd8, 0x2d, 0xf5, 0x66, 0xda, 0x8d, 0xd5, 0x99, 0x8c, + 0xca, 0xbd, 0xae, 0x05, 0x30, 0x60, 0xae, 0x6c, 0x7b, 0x43, 0x78, 0xe8, + 0x46, 0xd2, 0x9f, 0x37, 0xed, 0x7b, 0x4e, 0xa9, 0xec, 0x5d, 0x82, 0xe7, + 0x96, 0x1b, 0x7f, 0x25, 0xa9, 0x32, 0x38, 0x51, 0xf6, 0x81, 0xd5, 0x82, + 0x36, 0x3a, 0xa5, 0xf8, 0x99, 0x37, 0xf5, 0xa6, 0x72, 0x58, 0xbf, 0x63, + 0xad, 0x6f, 0x1a, 0x0b, 0x1d, 0x96, 0xdb, 0xd4, 0xfa, 0xdd, 0xfc, 0xef, + 0xc5, 0x26, 0x6b, 0xa6, 0x61, 0x17, 0x22, 0x39, 0x5c, 0x90, 0x65, 0x56, + 0xbe, 0x52, 0xaf, 0xe3, 0xf5, 0x65, 0x63, 0x6a, 0xd1, 0xb1, 0x7d, 0x50, + 0x8b, 0x73, 0xd8, 0x74, 0x3e, 0xeb, 0x52, 0x4b, 0xe2, 0x2b, 0x3d, 0xcb, + 0xc2, 0xc7, 0x46, 0x8d, 0x54, 0x11, 0x9c, 0x74, 0x68, 0x44, 0x9a, 0x13, + 0xd8, 0xe3, 0xb9, 0x58, 0x11, 0xa1, 0x98, 0xf3, 0x49, 0x1d, 0xe3, 0xe7, + 0xfe, 0x94, 0x2b, 0x33, 0x04, 0x07, 0xab, 0xf8, 0x2a, 0x4e, 0xd7, 0xc1, + 0xb3, 0x11, 0x66, 0x3a, 0xc6, 0x98, 0x90, 0xf4, 0x15, 0x70, 0x15, 0x85, + 0x3d, 0x91, 0xe9, 0x23, 0x03, 0x7c, 0x22, 0x7a, 0x33, 0xcd, 0xd5, 0xec, + 0x28, 0x1c, 0xa3, 0xf7, 0x9c, 0x44, 0x54, 0x6b, 0x9d, 0x90, 0xca, 0x00, + 0xf0, 0x64, 0xc9, 0x9e, 0x3d, 0xd9, 0x79, 0x11, 0xd3, 0x9f, 0xe9, 0xc5, + 0xd0, 0xb2, 0x3a, 0x22, 0x9a, 0x23, 0x4c, 0xb3, 0x61, 0x86, 0xc4, 0x81, + 0x9e, 0x8b, 0x9c, 0x59, 0x27, 0x72, 0x66, 0x32, 0x29, 0x1d, 0x6a, 0x41, + 0x82, 0x11, 0xcc, 0x29, 0x62, 0xe2, 0x0f, 0xe4, 0x7f, 0xeb, 0x3e, 0xdf, + 0x33, 0x0f, 0x2c, 0x60, 0x3a, 0x9d, 0x48, 0xc0, 0xfc, 0xb5, 0x69, 0x9d, + 0xbf, 0xe5, 0x89, 0x64, 0x25, 0xc5, 0xba, 0xc4, 0xae, 0xe8, 0x2e, 0x57, + 0xa8, 0x5a, 0xaf, 0x4e, 0x25, 0x13, 0xe4, 0xf0, 0x57, 0x96, 0xb0, 0x7b, + 0xa2, 0xee, 0x47, 0xd8, 0x05, 0x06, 0xf8, 0xd2, 0xc2, 0x5e, 0x50, 0xfd, + 0x14, 0xde, 0x71, 0xe6, 0xc4, 0x18, 0x55, 0x93, 0x02, 0xf9, 0x39, 0xb0, + 0xe1, 0xab, 0xd5, 0x76, 0xf2, 0x79, 0xc4, 0xb2, 0xe0, 0xfe, 0xb8, 0x5c, + 0x1f, 0x28, 0xff, 0x18, 0xf5, 0x88, 0x91, 0xff, 0xef, 0x13, 0x2e, 0xef, + 0x2f, 0xa0, 0x93, 0x46, 0xae, 0xe3, 0x3c, 0x28, 0xeb, 0x13, 0x0f, 0xf2, + 0x8f, 0x5b, 0x76, 0x69, 0x53, 0x33, 0x41, 0x13, 0x21, 0x19, 0x96, 0xd2, + 0x00, 0x11, 0xa1, 0x98, 0xe3, 0xfc, 0x43, 0x3f, 0x9f, 0x25, 0x41, 0x01, + 0x0a, 0xe1, 0x7c, 0x1b, 0xf2, 0x02, 0x58, 0x0f, 0x60, 0x47, 0x47, 0x2f, + 0xb3, 0x68, 0x57, 0xfe, 0x84, 0x3b, 0x19, 0xf5, 0x98, 0x40, 0x09, 0xdd, + 0xc3, 0x24, 0x04, 0x4e, 0x84, 0x7a, 0x4f, 0x4a, 0x0a, 0xb3, 0x4f, 0x71, + 0x95, 0x95, 0xde, 0x37, 0x25, 0x2d, 0x62, 0x35, 0x36, 0x5e, 0x9b, 0x84, + 0x39, 0x2b, 0x06, 0x10, 0x85, 0x34, 0x9d, 0x73, 0x20, 0x3a, 0x4a, 0x13, + 0xe9, 0x6f, 0x54, 0x32, 0xec, 0x0f, 0xd4, 0xa1, 0xee, 0x65, 0xac, 0xcd, + 0xd5, 0xe3, 0x90, 0x4d, 0xf5, 0x4c, 0x1d, 0xa5, 0x10, 0xb0, 0xff, 0x20, + 0xdc, 0xc0, 0xc7, 0x7f, 0xcb, 0x2c, 0x0e, 0x0e, 0xb6, 0x05, 0xcb, 0x05, + 0x04, 0xdb, 0x87, 0x63, 0x2c, 0xf3, 0xd8, 0xb4, 0xda, 0xe6, 0xe7, 0x05, + 0x76, 0x9d, 0x1d, 0xe3, 0x54, 0x27, 0x01, 0x23, 0xcb, 0x11, 0x45, 0x0e, + 0xfc, 0x60, 0xac, 0x47, 0x68, 0x3d, 0x7b, 0x8d, 0x0f, 0x81, 0x13, 0x65, + 0x56, 0x5f, 0xd9, 0x8c, 0x4c, 0x8e, 0xb9, 0x36, 0xbc, 0xab, 0x8d, 0x06, + 0x9f, 0xc3, 0x3b, 0xd8, 0x01, 0xb0, 0x3a, 0xde, 0xa2, 0xe1, 0xfb, 0xc5, + 0xaa, 0x46, 0x3d, 0x08, 0xca, 0x19, 0x89, 0x6d, 0x2b, 0xf5, 0x9a, 0x07, + 0x1b, 0x85, 0x1e, 0x6c, 0x23, 0x90, 0x52, 0x17, 0x2f, 0x29, 0x6b, 0xfb, + 0x5e, 0x72, 0x40, 0x47, 0x90, 0xa2, 0x18, 0x10, 0x14, 0xf3, 0xb9, 0x4a, + 0x4e, 0x97, 0xd1, 0x17, 0xb4, 0x38, 0x13, 0x03, 0x68, 0xcc, 0x39, 0xdb, + 0xb2, 0xd1, 0x98, 0x06, 0x5a, 0xe3, 0x98, 0x65, 0x47, 0x92, 0x6c, 0xd2, + 0x16, 0x2f, 0x40, 0xa2, 0x9f, 0x0c, 0x3c, 0x87, 0x45, 0xc0, 0xf5, 0x0f, + 0xba, 0x38, 0x52, 0xe5, 0x66, 0xd4, 0x45, 0x75, 0xc2, 0x9d, 0x39, 0xa0, + 0x3f, 0x0c, 0xda, 0x72, 0x19, 0x84, 0xb6, 0xf4, 0x40, 0x59, 0x1f, 0x35, + 0x5e, 0x12, 0xd4, 0x39, 0xff, 0x15, 0x0a, 0xab, 0x76, 0x13, 0x49, 0x9d, + 0xbd, 0x49, 0xad, 0xab, 0xc8, 0x67, 0x6e, 0xef, 0x02, 0x3b, 0x15, 0xb6, + 0x5b, 0xfc, 0x5c, 0xa0, 0x69, 0x48, 0x10, 0x9f, 0x23, 0xf3, 0x50, 0xdb, + 0x82, 0x12, 0x35, 0x35, 0xeb, 0x8a, 0x74, 0x33, 0xbd, 0xab, 0xcb, 0x90, + 0x92, 0x71, 0xa6, 0xec, 0xbc, 0xb5, 0x8b, 0x93, 0x6a, 0x88, 0xcd, 0x4e, + 0x8f, 0x2e, 0x6f, 0xf5, 0x80, 0x01, 0x75, 0xf1, 0x13, 0x25, 0x3d, 0x8f, + 0xa9, 0xca, 0x88, 0x85, 0xc2, 0xf5, 0x52, 0xe6, 0x57, 0xdc, 0x60, 0x3f, + 0x25, 0x2e, 0x1a, 0x8e, 0x30, 0x8f, 0x76, 0xf0, 0xbe, 0x79, 0xe2, 0xfb, + 0x8f, 0x5d, 0x5f, 0xbb, 0xe2, 0xe3, 0x0e, 0xca, 0xdd, 0x22, 0x07, 0x23, + 0xc8, 0xc0, 0xae, 0xa8, 0x07, 0x8c, 0xdf, 0xcb, 0x38, 0x68, 0x26, 0x3f, + 0xf8, 0xf0, 0x94, 0x00, 0x54, 0xda, 0x48, 0x78, 0x18, 0x93, 0xa7, 0xe4, + 0x9a, 0xd5, 0xaf, 0xf4, 0xaf, 0x30, 0x0c, 0xd8, 0x04, 0xa6, 0xb6, 0x27, + 0x9a, 0xb3, 0xff, 0x3a, 0xfb, 0x64, 0x49, 0x1c, 0x85, 0x19, 0x4a, 0xab, + 0x76, 0x0d, 0x58, 0xa6, 0x06, 0x65, 0x4f, 0x9f, 0x44, 0x00, 0xe8, 0xb3, + 0x85, 0x91, 0x35, 0x6f, 0xbf, 0x64, 0x25, 0xac, 0xa2, 0x6d, 0xc8, 0x52, + 0x44, 0x25, 0x9f, 0xf2, 0xb1, 0x9c, 0x41, 0xb9, 0xf9, 0x6f, 0x3c, 0xa9, + 0xec, 0x1d, 0xde, 0x43, 0x4d, 0xa7, 0xd2, 0xd3, 0x92, 0xb9, 0x05, 0xdd, + 0xf3, 0xd1, 0xf9, 0xaf, 0x93, 0xd1, 0xaf, 0x59, 0x50, 0xbd, 0x49, 0x3f, + 0x5a, 0xa7, 0x31, 0xb4, 0x05, 0x6d, 0xf3, 0x1b, 0xd2, 0x67, 0xb6, 0xb9, + 0x0a, 0x07, 0x98, 0x31, 0xaa, 0xf5, 0x79, 0xbe, 0x0a, 0x39, 0x01, 0x31, + 0x37, 0xaa, 0xc6, 0xd4, 0x04, 0xf5, 0x18, 0xcf, 0xd4, 0x68, 0x40, 0x64, + 0x7e, 0x78, 0xbf, 0xe7, 0x06, 0xca, 0x4c, 0xf5, 0xe9, 0xc5, 0x45, 0x3e, + 0x9f, 0x7c, 0xfd, 0x2b, 0x8b, 0x4c, 0x8d, 0x16, 0x9a, 0x44, 0xe5, 0x5c, + 0x88, 0xd4, 0xa9, 0xa7, 0xf9, 0x47, 0x42, 0x41, 0xe2, 0x21, 0xaf, 0x44, + 0x86, 0x00, 0x18, 0xab, 0x08, 0x56, 0x97, 0x2e, 0x19, 0x4c, 0xd9, 0x34 +}; + +static QUIC_PKT_HDR tx_script_1_hdr = { + QUIC_PKT_TYPE_INITIAL, /* type */ + 0, /* spin bit */ + 0, /* key phase */ + 4, /* PN length */ + 0, /* partial */ + 0, /* fixed */ + 1, /* version */ + {8, {0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08}}, /* DCID */ + { 0, {0} }, /* SCID */ + { 0 }, /* PN */ + NULL, 0, /* Token */ + 5555, NULL /* Len/Data */ +}; + +static const OSSL_QTX_IOVEC tx_script_1_iovec[] = { + { tx_script_1_body, sizeof(tx_script_1_body) } +}; + +static const OSSL_QTX_PKT tx_script_1_pkt = { + &tx_script_1_hdr, + tx_script_1_iovec, + OSSL_NELEM(tx_script_1_iovec), + NULL, NULL, + 2, + 0 +}; + +static const struct tx_test_op tx_script_1[] = { + TX_OP_PROVIDE_SECRET_INITIAL(tx_script_1_hdr.dst_conn_id, 0) + TX_OP_WRITE_CHECK(1) + TX_OP_END +}; + +/* 2. RFC 9001 - A.3 Server Initial */ +static const unsigned char tx_script_2_body[] = { + 0x02, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x40, 0x5a, 0x02, 0x00, 0x00, + 0x56, 0x03, 0x03, 0xee, 0xfc, 0xe7, 0xf7, 0xb3, 0x7b, 0xa1, 0xd1, 0x63, + 0x2e, 0x96, 0x67, 0x78, 0x25, 0xdd, 0xf7, 0x39, 0x88, 0xcf, 0xc7, 0x98, + 0x25, 0xdf, 0x56, 0x6d, 0xc5, 0x43, 0x0b, 0x9a, 0x04, 0x5a, 0x12, 0x00, + 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24, 0x00, 0x1d, 0x00, + 0x20, 0x9d, 0x3c, 0x94, 0x0d, 0x89, 0x69, 0x0b, 0x84, 0xd0, 0x8a, 0x60, + 0x99, 0x3c, 0x14, 0x4e, 0xca, 0x68, 0x4d, 0x10, 0x81, 0x28, 0x7c, 0x83, + 0x4d, 0x53, 0x11, 0xbc, 0xf3, 0x2b, 0xb9, 0xda, 0x1a, 0x00, 0x2b, 0x00, + 0x02, 0x03, 0x04 +}; + +static const unsigned char tx_script_2_dgram[] = { + + 0xcf, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xf0, 0x67, 0xa5, 0x50, 0x2a, + 0x42, 0x62, 0xb5, 0x00, 0x40, 0x75, 0xc0, 0xd9, 0x5a, 0x48, 0x2c, 0xd0, + 0x99, 0x1c, 0xd2, 0x5b, 0x0a, 0xac, 0x40, 0x6a, 0x58, 0x16, 0xb6, 0x39, + 0x41, 0x00, 0xf3, 0x7a, 0x1c, 0x69, 0x79, 0x75, 0x54, 0x78, 0x0b, 0xb3, + 0x8c, 0xc5, 0xa9, 0x9f, 0x5e, 0xde, 0x4c, 0xf7, 0x3c, 0x3e, 0xc2, 0x49, + 0x3a, 0x18, 0x39, 0xb3, 0xdb, 0xcb, 0xa3, 0xf6, 0xea, 0x46, 0xc5, 0xb7, + 0x68, 0x4d, 0xf3, 0x54, 0x8e, 0x7d, 0xde, 0xb9, 0xc3, 0xbf, 0x9c, 0x73, + 0xcc, 0x3f, 0x3b, 0xde, 0xd7, 0x4b, 0x56, 0x2b, 0xfb, 0x19, 0xfb, 0x84, + 0x02, 0x2f, 0x8e, 0xf4, 0xcd, 0xd9, 0x37, 0x95, 0xd7, 0x7d, 0x06, 0xed, + 0xbb, 0x7a, 0xaf, 0x2f, 0x58, 0x89, 0x18, 0x50, 0xab, 0xbd, 0xca, 0x3d, + 0x20, 0x39, 0x8c, 0x27, 0x64, 0x56, 0xcb, 0xc4, 0x21, 0x58, 0x40, 0x7d, + 0xd0, 0x74, 0xee +}; + +static QUIC_PKT_HDR tx_script_2_hdr = { + QUIC_PKT_TYPE_INITIAL, /* type */ + 0, /* spin bit */ + 0, /* key phase */ + 2, /* PN length */ + 0, /* partial */ + 0, /* fixed */ + 1, /* version */ + { 0, {0} }, /* DCID */ + {8, {0xf0, 0x67, 0xa5, 0x50, 0x2a, 0x42, 0x62, 0xb5}}, /* SCID */ + { 0 }, /* PN */ + NULL, 0, /* Token */ + 5555, NULL /* Len/Data */ +}; + +static const OSSL_QTX_IOVEC tx_script_2_iovec[] = { + { tx_script_2_body, sizeof(tx_script_2_body) } +}; + +static const OSSL_QTX_PKT tx_script_2_pkt = { + &tx_script_2_hdr, + tx_script_2_iovec, + OSSL_NELEM(tx_script_2_iovec), + NULL, NULL, + 1, + 0 +}; + +static const struct tx_test_op tx_script_2[] = { + TX_OP_PROVIDE_SECRET_INITIAL(tx_script_1_hdr.dst_conn_id, 1) + TX_OP_WRITE_CHECK(2) + TX_OP_END +}; + +/* 3. RFC 9001 - A.5 ChaCha20-Poly1305 Short Header Packet */ +static const unsigned char tx_script_3_body[] = { + 0x01 +}; + +static const unsigned char tx_script_3_dgram[] = { + 0x4c, 0xfe, 0x41, 0x89, 0x65, 0x5e, 0x5c, 0xd5, 0x5c, 0x41, 0xf6, 0x90, + 0x80, 0x57, 0x5d, 0x79, 0x99, 0xc2, 0x5a, 0x5b, 0xfb +}; +static const unsigned char tx_script_3_secret[] = { + 0x9a, 0xc3, 0x12, 0xa7, 0xf8, 0x77, 0x46, 0x8e, 0xbe, 0x69, 0x42, 0x27, + 0x48, 0xad, 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, + 0x60, 0xf6, 0x88, 0xf3, 0x0f, 0x21, 0x63, 0x2b +}; + +static QUIC_PKT_HDR tx_script_3_hdr = { + QUIC_PKT_TYPE_1RTT, /* type */ + 0, /* spin bit */ + 0, /* key phase */ + 3, /* PN length */ + 0, /* partial */ + 0, /* fixed */ + 0, /* version */ + { 0, {0} }, /* DCID */ + { 0, {0} }, /* SCID */ + { 0 }, /* PN */ + NULL, 0, /* Token */ + 5555, NULL /* Len/Data */ +}; + +static const OSSL_QTX_IOVEC tx_script_3_iovec[] = { + { tx_script_3_body, sizeof(tx_script_3_body) } +}; + +static const OSSL_QTX_PKT tx_script_3_pkt = { + &tx_script_3_hdr, + tx_script_3_iovec, + OSSL_NELEM(tx_script_3_iovec), + NULL, NULL, + 654360564, + 0 +}; + +static const struct tx_test_op tx_script_3[] = { + TX_OP_PROVIDE_SECRET(QUIC_ENC_LEVEL_1RTT, QRL_SUITE_CHACHA20POLY1305, tx_script_3_secret) + TX_OP_WRITE_CHECK(3) + TX_OP_END +}; + +static const struct tx_test_op *const tx_scripts[] = { + tx_script_1, + tx_script_2, + tx_script_3 +}; + +static int tx_run_script(const struct tx_test_op *script) +{ + int testresult = 0; + const struct tx_test_op *op = script; + OSSL_QTX *qtx = NULL; + BIO_MSG msg = {0}; + OSSL_QTX_ARGS args = {0}; + + args.mdpl = 1472; + + if (!TEST_ptr(qtx = ossl_qtx_new(&args))) + goto err; + + for (; op->op != TX_TEST_OP_END; ++op) + switch (op->op) { + case TX_TEST_OP_PROVIDE_SECRET: + if (!TEST_true(ossl_qtx_provide_secret(qtx, op->enc_level, + op->suite_id, NULL, + op->buf, op->buf_len))) + goto err; + break; + case TX_TEST_OP_PROVIDE_SECRET_INITIAL: + if (!TEST_true(ossl_quic_provide_initial_secret(NULL, NULL, + op->dcid, + (int)op->suite_id, + NULL, qtx))) + goto err; + break; + case TX_TEST_OP_DISCARD_EL: + if (!TEST_true(ossl_qtx_discard_enc_level(qtx, op->enc_level))) + goto err; + break; + case TX_TEST_OP_WRITE: + { + uint32_t enc_level + = ossl_quic_pkt_type_to_enc_level(op->pkt->hdr->type); + uint64_t old_value = 0, new_value, max_value; + + if (enc_level < QUIC_ENC_LEVEL_NUM) { /* encrypted packet */ + max_value = ossl_qtx_get_max_epoch_pkt_count(qtx, enc_level); + + if (!TEST_uint64_t_lt(max_value, UINT64_MAX)) + goto err; + + old_value = ossl_qtx_get_cur_epoch_pkt_count(qtx, enc_level); + if (!TEST_uint64_t_lt(old_value, UINT64_MAX)) + goto err; + } + + if (!TEST_true(ossl_qtx_write_pkt(qtx, op->pkt))) + goto err; + + if (enc_level < QUIC_ENC_LEVEL_NUM) { + new_value = ossl_qtx_get_cur_epoch_pkt_count(qtx, enc_level); + if (!TEST_uint64_t_eq(old_value + 1, new_value)) + goto err; + } + } + break; + case TX_TEST_OP_CHECK_DGRAM: + if (!TEST_true(ossl_qtx_pop_net(qtx, &msg))) + goto err; + + if (!TEST_mem_eq(msg.data, msg.data_len, op->buf, op->buf_len)) + goto err; + + break; + case TX_TEST_OP_CHECK_NO_DGRAM: + if (!TEST_false(ossl_qtx_pop_net(qtx, &msg))) + goto err; + break; + default: + OPENSSL_assert(0); + goto err; + } + + testresult = 1; +err: + if (qtx != NULL) + ossl_qtx_free(qtx); + + return testresult; +} + +static int test_tx_script(int idx) +{ + return tx_run_script(tx_scripts[idx]); +} + int setup_tests(void) { - ADD_ALL_TESTS(test_script, OSSL_NELEM(scripts)); + ADD_ALL_TESTS(test_rx_script, OSSL_NELEM(rx_scripts)); /* * Each instance of this test is executed multiple times to get enough * statistical coverage for our statistical test, as well as for each @@ -2374,5 +2789,6 @@ int setup_tests(void) * and otherwise random test ordering will cause itt to randomly fail. */ ADD_ALL_TESTS(test_wire_pkt_hdr, NUM_WIRE_PKT_HDR_TESTS + 1); + ADD_ALL_TESTS(test_tx_script, OSSL_NELEM(tx_scripts)); return 1; } -- 2.39.2