Fix the use of CCM ciphersuites with QUIC TLS API
authorMatt Caswell <matt@openssl.org>
Tue, 18 Mar 2025 14:36:28 +0000 (14:36 +0000)
committerTomas Mraz <tomas@openssl.org>
Thu, 20 Mar 2025 10:25:01 +0000 (11:25 +0100)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 207cd5bb975f1cda542757b9695ac4e5bdb71576)

include/internal/ssl.h
include/openssl/ssl3.h
ssl/quic/quic_impl.c
ssl/quic/quic_port.c
ssl/quic/quic_tls.c
ssl/s3_lib.c
ssl/ssl_local.h
ssl/t1_lib.c

index 8a0c797496724bfb8d577e0f828e7a43a40b7ef2..622be7ec69a5b4b7f836b33278c937a22daa9b7f 100644 (file)
@@ -20,5 +20,7 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err);
 
 /* Set if this is the QUIC handshake layer */
 # define TLS1_FLAGS_QUIC                         0x2000
+/* Set if this is our QUIC handshake layer */
+# define TLS1_FLAGS_QUIC_INTERNAL                0x4000
 
 #endif
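Review bot: The comment on the new TLS1_FLAGS_QUIC_INTERNAL at line 28 does not say how it differs from TLS1_FLAGS_QUIC directly above it, yet the rest of the commit relies on exactly that distinction (ssl_cipher_disabled() in t1_lib.c moves its ciphersuite allow-list from one flag to the other). Suggest `/* Set if this is our own QUIC stack's handshake layer (as opposed to an external QUIC stack driving the handshake through the QUIC TLS API, which sets TLS1_FLAGS_QUIC only); this is the flag that gates the QUIC ciphersuite restriction in ssl_cipher_disabled() */`. If TLS1_FLAGS_QUIC_INTERNAL is meant to imply TLS1_FLAGS_QUIC, that invariant belongs here too — every setter in this commit except the one in ossl_quic_tls_tick ORs both bits in together.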
index 4f076c6c9dfb9745f8e588f1578915faf9bd54fb..05373a8d60d2d34b422fbad49ee580978a115398 100644 (file)
@@ -308,6 +308,7 @@ extern "C" {
 # define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
 
 /* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */
+/* 0x4000 is reserved for TLS1_FLAGS_QUIC_INTERNAL (internal) */
 
 # define SSL3_MT_HELLO_REQUEST                   0
 # define SSL3_MT_CLIENT_HELLO                    1
index 5fa422473d4ae94d224bed9fa3de9e181b22f738..4e9b63b046d2c5b0d05b6794194e03f51ef45863 100644 (file)
@@ -583,7 +583,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     }
 
     /* override the user_ssl of the inner connection */
-    sc->s3.flags |= TLS1_FLAGS_QUIC;
+    sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     /* Restrict options derived from the SSL_CTX. */
     sc->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
@@ -4436,7 +4436,7 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
         goto err;
     }
-    sc->s3.flags |= TLS1_FLAGS_QUIC;
+    sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     qc->default_ssl_options = OSSL_QUIC_PERMITTED_OPTIONS;
     qc->last_error = SSL_ERROR_NONE;
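Review bot: The pair `TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL` is now spelled out by hand at lines 47 and 56, again in port_new_handshake_layer() in the quic_port.c hunk, and a fourth time as the preserve-mask in ssl3_clear() in the s3_lib.c hunk; these four sites must stay in step, and nothing ties them together. A single named mask defined next to the two flags in include/internal/ssl.h, used at all four sites, would make a future third bit a one-line change and keep ssl3_clear() from silently dropping it. The existing comment above each assignment ("override the user_ssl of the inner connection") describes a different line, so a short comment on why the internal bit is set here would help, e.g. `/* Mark as our own QUIC stack so ssl_cipher_disabled() applies the QUIC allow-list */`. ossl_quic_new() and ossl_quic_new_from_listener() both extend beyond their hunks.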
index 9ab350fb762d7571be684fe87eb50e41d8c295b0..9097f56aa1c316f74d1402fa30ef0e9de5294659 100644 (file)
@@ -490,7 +490,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
         }
 
     /* Override the user_ssl of the inner connection. */
-    tls_conn->s3.flags      |= TLS1_FLAGS_QUIC;
+    tls_conn->s3.flags      |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     /* Restrict options derived from the SSL_CTX. */
     tls_conn->options       &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
index dba1ec338fb754f6ed422cd5d532d024140f6ef6..d31c93dcf9b55bbbcea8f746820a36cba3fea0f0 100644 (file)
@@ -802,6 +802,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
         if (!ossl_quic_tls_configure(qtls))
             return RAISE_INTERNAL_ERROR(qtls);
 
+        sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
+
         if (qtls->args.is_server)
             SSL_set_accept_state(qtls->args.s);
         else
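Review bot: The new `sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;` at line 75 sets only the INTERNAL bit, whereas every other setter in this commit ORs in TLS1_FLAGS_QUIC as well; if this path can be reached on a connection that did not pass through ossl_quic_new() or port_new_handshake_layer(), TLS1_FLAGS_QUIC would be missing here, and if it cannot, the line duplicates what those constructors already did. A one-line comment would settle which it is, e.g. `/* Constructor already marked this QUIC; mark it as our own stack so the QUIC ciphersuite restriction applies (ssl_cipher_disabled()) */`. The bit is also set only after ossl_quic_tls_configure() returns, so any ciphersuite filtering performed inside configure runs without it — presumably harmless since the allow-list is consulted during the handshake, but worth confirming. Both `sc` and the body of ossl_quic_tls_tick() begin outside this hunk.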
index 08b40420109b39d50bf8e87efb6b0f4ea9b22a65..22095fbf2329eefec9988126b0022de26b9214f5 100644 (file)
@@ -3498,7 +3498,7 @@ int ssl3_clear(SSL *s)
      * NULL/zero-out everything in the s3 struct, but remember if we are doing
      * QUIC.
      */
-    flags = sc->s3.flags & TLS1_FLAGS_QUIC;
+    flags = sc->s3.flags & (TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL);
     memset(&sc->s3, 0, sizeof(sc->s3));
     sc->s3.flags |= flags;
 
index 81b94ad1c2aa11a79af8e78ff5baa2578cfba5b6..3a7c809881768286459ca0545476859a45cedd99 100644 (file)
 # define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
 
 # define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)
+# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0)
 
 /* no end of early data */
 # define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s)
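Review bot: SSL_IS_QUIC_INT_HANDSHAKE at line 94 is added without a comment, and its name alone does not convey that it, rather than SSL_IS_QUIC_HANDSHAKE, is now the predicate behind the QUIC ciphersuite allow-list in ssl_cipher_disabled() (t1_lib.c hunk), while SSL_NO_EOED and the other uses stay on the broader flag. Suggest `/* True only for OpenSSL's own QUIC stack; an external stack using the QUIC TLS API has TLS1_FLAGS_QUIC alone and is presumably responsible for its own ciphersuite policy (RFC 9001 excludes TLS_AES_128_CCM_8_SHA256) */`. This section carries no @@ header on the page, so the macro's exact position in ssl_local.h is not verifiable here.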
index 8f5f9b4c4bdbd66277ab50814808f07dd8075fe5..a201a71cf361e56c07edd9f4eacfa43ebf0badd5 100644 (file)
@@ -2874,7 +2874,7 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
     if (s->s3.tmp.max_ver == 0)
         return 1;
 
-    if (SSL_IS_QUIC_HANDSHAKE(s))
+    if (SSL_IS_QUIC_INT_HANDSHAKE(s))
         /* For QUIC, only allow these ciphersuites. */
         switch (SSL_CIPHER_get_id(c)) {
         case TLS1_3_CK_AES_128_GCM_SHA256: