1
/*
2
 * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
#include <openssl/ssl.h>
10
#include "internal/recordmethod.h"
11
#include "internal/quic_tls.h"
12
#include "../ssl_local.h"
13
#include "internal/quic_record_util.h"
14
#include "internal/quic_error.h"
15
#include "internal/quic_types.h"
16
#include "internal/ssl_unwrap.h"
17

18
#define QUIC_TLS_FATAL(rl, ad, err)    \
19
    do {                               \
20
        if ((rl) != NULL)              \
21
            (rl)->alert = (ad);        \
22
        ERR_raise(ERR_LIB_SSL, (err)); \
23
        if ((rl) != NULL)              \
24
            (rl)->qtls->inerror = 1;   \
25
    } while (0)
26

27
struct quic_tls_st {
28
    QUIC_TLS_ARGS args;
29

30
    /*
31
     * Transport parameters which client should send. Buffer lifetime must
32
     * exceed the lifetime of the QUIC_TLS object.
33
     */
34
    const unsigned char *local_transport_params;
35
    size_t local_transport_params_len;
36

37
    ERR_STATE *error_state;
38

39
    /*
40
     * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
41
     * only if inerror is 1.
42
     */
43
    uint64_t error_code;
44

45
    /*
46
     * Error message with static storage duration. Valid only if inerror is 1.
47
     * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
48
     */
49
    const char *error_msg;
50

51
    /* Whether our SSL object for TLS has been configured for use in QUIC */
52
    unsigned int configured : 1;
53

54
    /* Set if we have hit any error state */
55
    unsigned int inerror : 1;
56

57
    /* Set if the handshake has completed */
58
    unsigned int complete : 1;
59

60
    /* Set if we have consumed the local transport parameters yet. */
61
    unsigned int local_transport_params_consumed : 1;
62
};
63

64
struct ossl_record_layer_st {
65
    QUIC_TLS *qtls;
66

67
    /* Protection level */
68
    int level;
69

70
    /* Only used for retry flags */
71
    BIO *dummybio;
72

73
    /* Number of bytes written so far if we are part way through a write */
74
    size_t written;
75

76
    /* If we are part way through a write, a copy of the template */
77
    OSSL_RECORD_TEMPLATE template;
78

79
    /*
80
     * If we hit an error, what alert code should be used
81
     */
82
    int alert;
83

84
    /* Amount of crypto stream data we read in the last call to quic_read_record */
85
    size_t recread;
86

87
    /* Amount of crypto stream data read but not yet released */
88
    size_t recunreleased;
89

90
    /* Callbacks */
91
    OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
92
    void *cbarg;
93
};
94

95
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
96
static int quic_free(OSSL_RECORD_LAYER *r);
97

98
static int
99
quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
100
    int role, int direction, int level, uint16_t epoch,
101
    unsigned char *secret, size_t secretlen,
102
    unsigned char *key, size_t keylen, unsigned char *iv,
103
    size_t ivlen, unsigned char *mackey, size_t mackeylen,
104
    const EVP_CIPHER *ciph, size_t taglen,
105
    int mactype,
106
    const EVP_MD *md, COMP_METHOD *comp,
107
    const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
108
    BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
109
    const OSSL_PARAM *settings, const OSSL_PARAM *options,
110
    const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
111
    OSSL_RECORD_LAYER **retrl)
112
{
113
    OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
114
    int qdir;
115
    uint32_t suite_id = 0;
116

117
    if (rl == NULL) {
118
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
119
        return 0;
120
    }
121

122
    rl->qtls = (QUIC_TLS *)rlarg;
123
    rl->level = level;
124
    if (!quic_set1_bio(rl, transport)) {
125
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
126
        goto err;
127
    }
128
    rl->cbarg = cbarg;
129
    *retrl = rl;
130

131
    if (fns != NULL) {
132
        for (; fns->function_id != 0; fns++) {
133
            switch (fns->function_id) {
134
                break;
135
            case OSSL_FUNC_RLAYER_MSG_CALLBACK:
136
                rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
137
                break;
138
            default:
139
                /* Just ignore anything we don't understand */
140
                break;
141
            }
142
        }
143
    }
144

145
    if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
146
        return 1;
147

148
    if (direction == OSSL_RECORD_DIRECTION_READ)
149
        qdir = 0;
150
    else
151
        qdir = 1;
152

153
    if (rl->qtls->args.ossl_quic) {
154
#ifndef OPENSSL_NO_QUIC
155
        /*
156
         * We only look up the suite_id/MD for internal callers. Not used in the
157
         * public API. We assume that a 3rd party QUIC stack will want to
158
         * figure this out by itself (e.g. so that they could add new
159
         * ciphersuites at a different pace to us)
160
         */
161
        if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
162
            suite_id = QRL_SUITE_AES128GCM;
163
        } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
164
            suite_id = QRL_SUITE_AES256GCM;
165
        } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
166
            suite_id = QRL_SUITE_CHACHA20POLY1305;
167
        } else {
168
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
169
            goto err;
170
        }
171

172
        /* We pass a ref to the md in a successful yield_secret_cb call */
173
        /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
174
        if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
175
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
176
            goto err;
177
        }
178
#else
179
        if (!ossl_assert("Should not happen" == NULL))
180
            goto err;
181
#endif
182
    } else {
183
        kdfdigest = NULL;
184
    }
185

186
    if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
187
            (EVP_MD *)kdfdigest, secret, secretlen,
188
            rl->qtls->args.yield_secret_cb_arg)) {
189
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
190
        EVP_MD_free((EVP_MD *)kdfdigest);
191
        goto err;
192
    }
193

194
    return 1;
195
err:
196
    *retrl = NULL;
197
    quic_free(rl);
198
    return 0;
199
}
200

201
static int quic_free(OSSL_RECORD_LAYER *rl)
202
{
203
    if (rl == NULL)
204
        return 1;
205

206
    BIO_free(rl->dummybio);
207
    OPENSSL_free(rl);
208
    return 1;
209
}
210

211
static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
212
{
213
    /*
214
     * Read ahead isn't really a thing for QUIC so we never have unprocessed
215
     * data pending
216
     */
217
    return 0;
218
}
219

220
static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
221
{
222
    /*
223
     * This is currently only ever used by:
224
     * - SSL_has_pending()
225
     * - to check whether we have more records that we want to supply to the
226
     *   upper layers
227
     *
228
     * We only ever supply 1 record at a time to the upper layers, and
229
     * SSL_has_pending() will go via the QUIC method not the TLS method so that
230
     * use case doesn't apply here.
231
     * Therefore we can ignore this for now and always return 0. We might
232
     * eventually want to change this to check in the receive buffers to see if
233
     * we have any more data pending.
234
     */
235
    return 0;
236
}
237

238
static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
239
    size_t len,
240
    size_t maxfrag, size_t *preffrag)
241
{
242
    return 1;
243
}
244

245
static int quic_write_records(OSSL_RECORD_LAYER *rl,
246
    OSSL_RECORD_TEMPLATE *template,
247
    size_t numtempl)
248
{
249
    size_t consumed;
250
    unsigned char alert;
251

252
    if (!ossl_assert(numtempl == 1)) {
253
        /* How could this be? quic_get_max_records() always returns 1 */
254
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
255
        return OSSL_RECORD_RETURN_FATAL;
256
    }
257

258
    BIO_clear_retry_flags(rl->dummybio);
259

260
    if (rl->msg_callback != NULL) {
261
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
262

263
        /*
264
         * For the purposes of the callback we "pretend" to be normal TLS,
265
         * and manufacture a dummy record header
266
         */
267
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
268
            ? template->type
269
            : SSL3_RT_APPLICATION_DATA;
270
        dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
271
        dummyrec[2] = (unsigned char)(template->version & 0xff);
272
        /*
273
         * We assume that buflen is always <= UINT16_MAX. Since this is
274
         * generated by libssl itself we actually expect it to never
275
         * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
276
         * assumption
277
         */
278
        dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
279
        dummyrec[4] = (unsigned char)(template->buflen & 0xff);
280

281
        rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
282
            SSL3_RT_HEADER_LENGTH, rl->cbarg);
283

284
        if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
285
            rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
286
                &template->type, 1, rl->cbarg);
287
        }
288
    }
289

290
    switch (template->type) {
291
    case SSL3_RT_ALERT:
292
        if (template->buflen != 2) {
293
            /*
294
             * We assume that libssl always sends both bytes of an alert to
295
             * us in one go, and never fragments it. If we ever get more
296
             * or less bytes than exactly 2 then this is very unexpected.
297
             */
298
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
299
            return OSSL_RECORD_RETURN_FATAL;
300
        }
301
        /*
302
         * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
303
         * description that we are actually interested in.
304
         */
305
        alert = template->buf[1];
306

307
        if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
308
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
309
            return OSSL_RECORD_RETURN_FATAL;
310
        }
311
        break;
312

313
    case SSL3_RT_HANDSHAKE:
314
        /*
315
         * We expect this to only fail on some fatal error (e.g. malloc
316
         * failure)
317
         */
318
        if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
319
                template->buflen - rl->written,
320
                &consumed,
321
                rl->qtls->args.crypto_send_cb_arg)) {
322
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
323
            return OSSL_RECORD_RETURN_FATAL;
324
        }
325
        /*
326
         * We might have written less than we wanted to if we have filled the
327
         * send stream buffer.
328
         */
329
        if (consumed + rl->written != template->buflen) {
330
            if (!ossl_assert(consumed + rl->written < template->buflen)) {
331
                QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
332
                return OSSL_RECORD_RETURN_FATAL;
333
            }
334

335
            /*
336
             * We've not written everything we wanted to. Take a copy of the
337
             * template, remember how much we wrote so far and signal a retry.
338
             * The buffer supplied in the template is guaranteed to be the same
339
             * on a retry for handshake data
340
             */
341
            rl->written += consumed;
342
            rl->template = *template;
343
            BIO_set_retry_write(rl->dummybio);
344

345
            return OSSL_RECORD_RETURN_RETRY;
346
        }
347
        rl->written = 0;
348
        break;
349

350
    default:
351
        /* Anything else is unexpected and an error */
352
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
353
        return OSSL_RECORD_RETURN_FATAL;
354
    }
355

356
    return OSSL_RECORD_RETURN_SUCCESS;
357
}
358

359
static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
360
{
361
    return quic_write_records(rl, &rl->template, 1);
362
}
363

364
static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
365
    int *rversion, uint8_t *type, const unsigned char **data,
366
    size_t *datalen, uint16_t *epoch,
367
    unsigned char *seq_num)
368
{
369
    if (rl->recread != 0 || rl->recunreleased != 0)
370
        return OSSL_RECORD_RETURN_FATAL;
371

372
    BIO_clear_retry_flags(rl->dummybio);
373

374
    if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
375
            rl->qtls->args.crypto_recv_rcd_cb_arg)) {
376
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
377
        return OSSL_RECORD_RETURN_FATAL;
378
    }
379

380
    if (*datalen == 0) {
381
        BIO_set_retry_read(rl->dummybio);
382
        return OSSL_RECORD_RETURN_RETRY;
383
    }
384

385
    *rechandle = rl;
386
    *rversion = TLS1_3_VERSION;
387
    *type = SSL3_RT_HANDSHAKE;
388
    rl->recread = rl->recunreleased = *datalen;
389
    /* epoch/seq_num are not relevant for TLS */
390

391
    if (rl->msg_callback != NULL) {
392
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
393

394
        /*
395
         * For the purposes of the callback we "pretend" to be normal TLS,
396
         * and manufacture a dummy record header
397
         */
398
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
399
            ? SSL3_RT_HANDSHAKE
400
            : SSL3_RT_APPLICATION_DATA;
401
        dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
402
        dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
403
        /*
404
         * *datalen will always fit into 2 bytes because our original buffer
405
         * size is less than that.
406
         */
407
        dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
408
        dummyrec[4] = (unsigned char)(*datalen & 0xff);
409

410
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
411
            SSL3_RT_HEADER_LENGTH, rl->cbarg);
412
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
413
            rl->cbarg);
414
    }
415

416
    return OSSL_RECORD_RETURN_SUCCESS;
417
}
418

419
static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
420
    size_t length)
421
{
422
    if (!ossl_assert(rl->recread > 0)
423
        || !ossl_assert(rl->recunreleased <= rl->recread)
424
        || !ossl_assert(rl == rechandle)
425
        || !ossl_assert(length <= rl->recunreleased)) {
426
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
427
        return OSSL_RECORD_RETURN_FATAL;
428
    }
429

430
    if (rl->recunreleased == length) {
431
        if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
432
                rl->qtls->args.crypto_release_rcd_cb_arg)) {
433
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
434
            return OSSL_RECORD_RETURN_FATAL;
435
        }
436
        rl->recread = 0;
437
    }
438
    rl->recunreleased -= length;
439
    return OSSL_RECORD_RETURN_SUCCESS;
440
}
441

442
static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
443
{
444
    return rl->alert;
445
}
446

447
static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
448
{
449
    /* We only support TLSv1.3, so its bad if we negotiate anything else */
450
    if (!ossl_assert(version == TLS1_3_VERSION)) {
451
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452
        return 0;
453
    }
454

455
    return 1;
456
}
457

458
static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
459
{
460
    /* We don't care */
461
}
462

463
static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
464
{
465
    /* We don't care */
466
}
467

468
static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
469
{
470
    /* We don't care */
471
}
472

473
static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
474
    const char **longstr)
475
{
476
    /*
477
     * According to the docs, valid read state strings are: "RH"/"read header",
478
     * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
479
     * that way, so we report every "normal" state as "read header". In the
480
     * event of error then we report "unknown".
481
     */
482

483
    if (rl->qtls->inerror) {
484
        if (shortstr != NULL)
485
            *shortstr = "unknown";
486
        if (longstr != NULL)
487
            *longstr = "unknown";
488
    } else {
489
        if (shortstr != NULL)
490
            *shortstr = "RH";
491
        if (longstr != NULL)
492
            *longstr = "read header";
493
    }
494
}
495

496
static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
497
{
498
    /*
499
     * We don't support any options yet - but we might do at some point so
500
     * this could be useful.
501
     */
502
    return 1;
503
}
504

505
static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
506
{
507
    /* We only support TLSv1.3 which doesn't have compression */
508
    return NULL;
509
}
510

511
static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
512
{
513
    /* This really doesn't make any sense for QUIC. Ignore it */
514
}
515

516
static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
517
{
518
    /*
519
     * This is a hint only. We don't support it (yet), so just ignore the
520
     * request
521
     */
522
    return 1;
523
}
524

525
static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
526
{
527
    /*
528
     * This is a hint only. We don't support it (yet), so just ignore the
529
     * request
530
     */
531
    return 1;
532
}
533

534
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
535
{
536
    if (bio != NULL && !BIO_up_ref(bio))
537
        return 0;
538
    BIO_free(rl->dummybio);
539
    rl->dummybio = bio;
540

541
    return 1;
542
}
543

544
/*
545
 * Never called functions
546
 *
547
 * Due to the way we are configured and used we never expect any of the next set
548
 * of functions to be called. Therefore we set them to always fail.
549
 */
550

551
static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
552
{
553
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
554
    return (size_t)ossl_assert(0);
555
}
556

557
static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
558
{
559
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
560
    return (size_t)ossl_assert(0);
561
}
562

563
static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
564
{
565
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
566
    return ossl_assert(0);
567
}
568

569
/* End of never called functions */
570

571
static const OSSL_RECORD_METHOD quic_tls_record_method = {
572
    quic_new_record_layer,
573
    quic_free,
574
    quic_unprocessed_read_pending,
575
    quic_processed_read_pending,
576
    quic_app_data_pending, /* Never called */
577
    quic_get_max_records,
578
    quic_write_records,
579
    quic_retry_write_records,
580
    quic_read_record,
581
    quic_release_record,
582
    quic_get_alert_code,
583
    quic_set1_bio,
584
    quic_set_protocol_version,
585
    quic_set_plain_alerts,
586
    quic_set_first_handshake,
587
    quic_set_max_pipelines,
588
    NULL, /* set_in_init: Optional - we don't need it */
589
    quic_get_state,
590
    quic_set_options,
591
    quic_get_compression,
592
    quic_set_max_frag_len,
593
    quic_get_max_record_overhead, /* Never called */
594
    quic_increment_sequence_ctr, /* Never called */
595
    quic_alloc_buffers,
596
    quic_free_buffers
597
};
598

599
static int add_transport_params_cb(SSL *s, unsigned int ext_type,
600
    unsigned int context,
601
    const unsigned char **out, size_t *outlen,
602
    X509 *x, size_t chainidx, int *al,
603
    void *add_arg)
604
{
605
    QUIC_TLS *qtls = add_arg;
606

607
    *out = qtls->local_transport_params;
608
    *outlen = qtls->local_transport_params_len;
609
    qtls->local_transport_params_consumed = 1;
610
    return 1;
611
}
612

613
static void free_transport_params_cb(SSL *s, unsigned int ext_type,
614
    unsigned int context,
615
    const unsigned char *out,
616
    void *add_arg)
617
{
618
}
619

620
static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
621
    unsigned int context,
622
    const unsigned char *in,
623
    size_t inlen, X509 *x,
624
    size_t chainidx,
625
    int *al, void *parse_arg)
626
{
627
    QUIC_TLS *qtls = parse_arg;
628

629
    return qtls->args.got_transport_params_cb(in, inlen,
630
        qtls->args.got_transport_params_cb_arg);
631
}
632

633
QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
634
{
635
    QUIC_TLS *qtls;
636

637
    if (args->crypto_send_cb == NULL
638
        || args->crypto_recv_rcd_cb == NULL
639
        || args->crypto_release_rcd_cb == NULL) {
640
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
641
        return NULL;
642
    }
643

644
    qtls = OPENSSL_zalloc(sizeof(*qtls));
645
    if (qtls == NULL)
646
        return NULL;
647

648
    if (args->ossl_quic && (qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
649
        OPENSSL_free(qtls);
650
        return NULL;
651
    }
652

653
    qtls->args = *args;
654
    return qtls;
655
}
656

657
void ossl_quic_tls_free(QUIC_TLS *qtls)
658
{
659
    if (qtls == NULL)
660
        return;
661
    OSSL_ERR_STATE_free(qtls->error_state);
662
    OPENSSL_free(qtls);
663
}
664

665
static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
666
    const char *error_msg,
667
    const char *src_file,
668
    int src_line,
669
    const char *src_func)
670
{
671
    /*
672
     * When QTLS fails, add a "cover letter" error with information, potentially
673
     * with any underlying libssl errors underneath it (but our cover error may
674
     * be the only error in some cases). Then capture this into an ERR_STATE so
675
     * we can report it later if need be when the QUIC_CHANNEL asks for it.
676
     * For external QUIC TLS we just raise the error.
677
     */
678
    ERR_new();
679
    ERR_set_debug(src_file, src_line, src_func);
680
    ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
681
        "handshake layer error, error code %llu (0x%llx) (\"%s\")",
682
        error_code, error_code, error_msg);
683

684
    if (qtls->args.ossl_quic) {
685
        OSSL_ERR_STATE_save_to_mark(qtls->error_state);
686

687
        /*
688
         * We record the error information reported via the QUIC protocol
689
         * separately.
690
         */
691
        qtls->error_code = error_code;
692
        qtls->error_msg = error_msg;
693
        qtls->inerror = 1;
694

695
        ERR_pop_to_mark();
696
    }
697
    return 0;
698
}
699

700
#define RAISE_ERROR(qtls, error_code, error_msg)   \
701
    raise_error((qtls), (error_code), (error_msg), \
702
        OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
703

704
#ifndef OPENSSL_NO_QUIC
705
#define RAISE_INTERNAL_ERROR(qtls) \
706
    RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
707
#else
708
#define RAISE_INTERNAL_ERROR(qtls) \
709
    RAISE_ERROR((qtls), 0x01, "internal error")
710
#endif
711

712
int ossl_quic_tls_configure(QUIC_TLS *qtls)
713
{
714
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
715
    BIO *nullbio;
716

717
    if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
718
        return RAISE_INTERNAL_ERROR(qtls);
719

720
    nullbio = BIO_new(BIO_s_null());
721
    if (nullbio == NULL)
722
        return RAISE_INTERNAL_ERROR(qtls);
723

724
    /*
725
     * Our custom record layer doesn't use the BIO - but libssl generally
726
     * expects one to be present.
727
     */
728
    SSL_set_bio(qtls->args.s, nullbio, nullbio);
729

730
    SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
731
    ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
732

733
    if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
734
            qtls->args.is_server ? ENDPOINT_SERVER
735
                                 : ENDPOINT_CLIENT,
736
            TLSEXT_TYPE_quic_transport_parameters,
737
            SSL_EXT_TLS1_3_ONLY
738
                | SSL_EXT_CLIENT_HELLO
739
                | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
740
            add_transport_params_cb,
741
            free_transport_params_cb, qtls,
742
            parse_transport_params_cb, qtls))
743
        return 0;
744

745
    sc->s3.flags |= TLS1_FLAGS_QUIC;
746

747
    return 1;
748
}
749

750
#ifndef OPENSSL_NO_QUIC
751
int ossl_quic_tls_tick(QUIC_TLS *qtls)
752
{
753
    int ret, err;
754
    const unsigned char *alpn;
755
    unsigned int alpnlen;
756

757
    if (qtls->inerror)
758
        return 0;
759

760
    /*
761
     * SSL_get_error does not truly know what the cause of an SSL_read failure
762
     * is and to some extent guesses based on contextual information. In
763
     * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
764
     * SSL_ERROR_SYSCALL will be returned no matter what and there is no
765
     * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
766
     * the actual cause of the SSL_read() failure.
767
     *
768
     * This means that ordinarily, the below code might not work right if the
769
     * application has any ERR on the error stack. In order to make this code
770
     * perform correctly regardless of prior ERR state, we use a variant of
771
     * SSL_get_error() which ignores the error stack. However, some ERRs are
772
     * raised by SSL_read() and actually indicate that something has gone wrong
773
     * during the call to SSL_read(). We therefore adopt a strategy of marking
774
     * the ERR stack and seeing if any errors get appended during the call to
775
     * SSL_read(). If they are, we assume SSL_read() has raised an error and
776
     * that we should use normal SSL_get_error() handling.
777
     *
778
     * NOTE: Ensure all escape paths from this function call
779
     * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
780
     */
781
    ERR_set_mark();
782

783
    if (!qtls->configured) {
784
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
785
        SSL_CTX *sctx;
786

787
        if (sc == NULL)
788
            return RAISE_INTERNAL_ERROR(qtls);
789
        sctx = SSL_CONNECTION_GET_CTX(sc);
790

791
        /*
792
         * No matter how the user has configured us, there are certain
793
         * requirements for QUIC-TLS that we enforce
794
         */
795

796
        /* ALPN is a requirement for QUIC and must be set */
797
        if (qtls->args.is_server) {
798
            if (sctx->ext.alpn_select_cb == NULL)
799
                return RAISE_INTERNAL_ERROR(qtls);
800
        } else {
801
            if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
802
                return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
803
                    "ALPN must be configured when using QUIC");
804
        }
805

806
        if (!ossl_quic_tls_configure(qtls))
807
            return RAISE_INTERNAL_ERROR(qtls);
808

809
        sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
810

811
        if (qtls->args.is_server)
812
            SSL_set_accept_state(qtls->args.s);
813
        else
814
            SSL_set_connect_state(qtls->args.s);
815

816
        qtls->configured = 1;
817
    }
818

819
    if (qtls->complete)
820
        /*
821
         * There should never be app data to read, but calling SSL_read() will
822
         * ensure any post-handshake messages are processed.
823
         */
824
        ret = SSL_read(qtls->args.s, NULL, 0);
825
    else
826
        ret = SSL_do_handshake(qtls->args.s);
827

828
    if (ret <= 0) {
829
        err = ossl_ssl_get_error(qtls->args.s, ret,
830
            /*check_err=*/ERR_count_to_mark() > 0);
831

832
        switch (err) {
833
        case SSL_ERROR_WANT_READ:
834
        case SSL_ERROR_WANT_WRITE:
835
        case SSL_ERROR_WANT_CLIENT_HELLO_CB:
836
        case SSL_ERROR_WANT_X509_LOOKUP:
837
        case SSL_ERROR_WANT_RETRY_VERIFY:
838
            ERR_pop_to_mark();
839
            return 1;
840

841
        default:
842
            return RAISE_INTERNAL_ERROR(qtls);
843
        }
844
    }
845

846
    if (!qtls->complete) {
847
        /* Validate that we have ALPN */
848
        SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
849
        if (alpn == NULL || alpnlen == 0)
850
            return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
851
                "no application protocol negotiated");
852

853
        qtls->complete = 1;
854
        ERR_pop_to_mark();
855
        return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
856
    }
857

858
    ERR_pop_to_mark();
859
    return 1;
860
}
861
#endif
862

863
void ossl_quic_tls_clear(QUIC_TLS *qtls)
864
{
865
    if (qtls == NULL)
866
        return;
867
    qtls->local_transport_params_consumed = 0;
868
}
869

870
int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
871
    const unsigned char *transport_params,
872
    size_t transport_params_len)
873
{
874
    if (qtls->local_transport_params_consumed)
875
        return 0;
876

877
    qtls->local_transport_params = transport_params;
878
    qtls->local_transport_params_len = transport_params_len;
879
    return 1;
880
}
881

882
int ossl_quic_tls_get_error(QUIC_TLS *qtls,
883
    uint64_t *error_code,
884
    const char **error_msg,
885
    ERR_STATE **error_state)
886
{
887
    if (qtls->inerror) {
888
        *error_code = qtls->error_code;
889
        *error_msg = qtls->error_msg;
890
        *error_state = qtls->error_state;
891
    }
892

893
    return qtls->inerror;
894
}
895

896
/*
897
 * Returns true if the last handshake record message we processed was a
898
 * CertificateRequest
899
 */
900
int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
901
{
902
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
903

904
    if (sc == NULL)
905
        return 0;
906

907
    return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
908
}
909

910
/*
911
 * Returns true if the last session associated with the connection has an
912
 * invalid max_early_data value for QUIC.
913
 */
914
int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
915
{
916
    uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
917

918
    /*
919
     * If max_early_data was present we always ensure a non-zero value is
920
     * stored in the session for QUIC. Therefore if max_early_data == 0 here
921
     * we can be confident that it was not present in the NewSessionTicket
922
     */
923
    return max_early_data != 0xffffffff && max_early_data != 0;
924
}
925

926
int ossl_quic_tls_set_early_data_enabled(QUIC_TLS *qtls, int enabled)
927
{
928
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
929

930
    if (sc == NULL || !SSL_IS_QUIC_HANDSHAKE(sc) || !SSL_in_before(qtls->args.s))
931
        return 0;
932

933
    if (!enabled) {
934
        sc->max_early_data = 0;
935
        sc->early_data_state = SSL_EARLY_DATA_NONE;
936
        return 1;
937
    }
938

939
    if (sc->server) {
940
        sc->max_early_data = 0xffffffff;
941
        sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
942
        return 1;
943
    }
944

945
    if ((sc->session == NULL || sc->session->ext.max_early_data != 0xffffffff)
946
        && sc->psk_use_session_cb == NULL)
947
        return 0;
948

949
    sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
950
    return 1;
951
}
952

953