1
/*
2
 * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
#include <openssl/ssl.h>
10
#include "internal/recordmethod.h"
11
#include "internal/quic_tls.h"
12
#include "../ssl_local.h"
13
#include "internal/quic_record_util.h"
14
#include "internal/quic_error.h"
15
#include "internal/quic_types.h"
16
#include "internal/ssl_unwrap.h"
17

18
#define QUIC_TLS_FATAL(rl, ad, err) \
19
    do { \
20
        if ((rl) != NULL) (rl)->alert = (ad); \
21
        ERR_raise(ERR_LIB_SSL, (err)); \
22
        if ((rl) != NULL) (rl)->qtls->inerror = 1; \
23
    } while(0)
24

25
struct quic_tls_st {
26
    QUIC_TLS_ARGS args;
27

28
    /*
29
     * Transport parameters which client should send. Buffer lifetime must
30
     * exceed the lifetime of the QUIC_TLS object.
31
     */
32
    const unsigned char *local_transport_params;
33
    size_t local_transport_params_len;
34

35
    ERR_STATE *error_state;
36

37
    /*
38
     * QUIC error code (usually in the TLS Alert-mapped CRYPTO_ERR range). Valid
39
     * only if inerror is 1.
40
     */
41
    uint64_t error_code;
42

43
    /*
44
     * Error message with static storage duration. Valid only if inerror is 1.
45
     * Should be suitable for encapsulation in a CONNECTION_CLOSE frame.
46
     */
47
    const char *error_msg;
48

49
    /* Whether our SSL object for TLS has been configured for use in QUIC */
50
    unsigned int configured : 1;
51

52
    /* Set if we have hit any error state */
53
    unsigned int inerror : 1;
54

55
    /* Set if the handshake has completed */
56
    unsigned int complete : 1;
57

58
    /* Set if we have consumed the local transport parameters yet. */
59
    unsigned int local_transport_params_consumed : 1;
60
};
61

62
struct ossl_record_layer_st {
63
    QUIC_TLS *qtls;
64

65
    /* Protection level */
66
    int level;
67

68
    /* Only used for retry flags */
69
    BIO *dummybio;
70

71
    /* Number of bytes written so far if we are part way through a write */
72
    size_t written;
73

74
    /* If we are part way through a write, a copy of the template */
75
    OSSL_RECORD_TEMPLATE template;
76

77
    /*
78
     * If we hit an error, what alert code should be used
79
     */
80
    int alert;
81

82
    /* Amount of crypto stream data we read in the last call to quic_read_record */
83
    size_t recread;
84

85
    /* Amount of crypto stream data read but not yet released */
86
    size_t recunreleased;
87

88
    /* Callbacks */
89
    OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
90
    void *cbarg;
91
};
92

93
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
94
static int quic_free(OSSL_RECORD_LAYER *r);
95

96
static int
97
quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
98
                      int role, int direction, int level, uint16_t epoch,
99
                      unsigned char *secret, size_t secretlen,
100
                      unsigned char *key, size_t keylen, unsigned char *iv,
101
                      size_t ivlen, unsigned char *mackey, size_t mackeylen,
102
                      const EVP_CIPHER *ciph, size_t taglen,
103
                      int mactype,
104
                      const EVP_MD *md, COMP_METHOD *comp,
105
                      const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
106
                      BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
107
                      const OSSL_PARAM *settings, const OSSL_PARAM *options,
108
                      const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
109
                      OSSL_RECORD_LAYER **retrl)
110
{
111
    OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
112
    int qdir;
113
    uint32_t suite_id = 0;
114

115
    if (rl == NULL) {
116
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
117
        return 0;
118
    }
119

120
    rl->qtls = (QUIC_TLS *)rlarg;
121
    rl->level = level;
122
    if (!quic_set1_bio(rl, transport)) {
123
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
124
        goto err;
125
    }
126
    rl->cbarg = cbarg;
127
    *retrl = rl;
128

129
    if (fns != NULL) {
130
        for (; fns->function_id != 0; fns++) {
131
            switch (fns->function_id) {
132
                break;
133
            case OSSL_FUNC_RLAYER_MSG_CALLBACK:
134
                rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
135
                break;
136
            default:
137
                /* Just ignore anything we don't understand */
138
                break;
139
            }
140
        }
141
    }
142

143
    if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
144
        return 1;
145

146
    if (direction == OSSL_RECORD_DIRECTION_READ)
147
        qdir = 0;
148
    else
149
        qdir = 1;
150

151
    if (rl->qtls->args.ossl_quic) {
152
#ifndef OPENSSL_NO_QUIC
153
        /*
154
         * We only look up the suite_id/MD for internal callers. Not used in the
155
         * public API. We assume that a 3rd party QUIC stack will want to
156
         * figure this out by itself (e.g. so that they could add new
157
         * ciphersuites at a different pace to us)
158
         */
159
        if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
160
            suite_id = QRL_SUITE_AES128GCM;
161
        } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
162
            suite_id = QRL_SUITE_AES256GCM;
163
        } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
164
            suite_id = QRL_SUITE_CHACHA20POLY1305;
165
        } else {
166
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
167
            goto err;
168
        }
169

170
        /* We pass a ref to the md in a successful yield_secret_cb call */
171
        /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
172
        if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
173
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
174
            goto err;
175
        }
176
#else
177
        if (!ossl_assert("Should not happen" == NULL))
178
            goto err;
179
#endif
180
    } else {
181
        kdfdigest = NULL;
182
    }
183

184
    if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
185
                                        (EVP_MD *)kdfdigest, secret, secretlen,
186
                                        rl->qtls->args.yield_secret_cb_arg)) {
187
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
188
        EVP_MD_free((EVP_MD *)kdfdigest);
189
        goto err;
190
    }
191

192
    return 1;
193
 err:
194
    *retrl = NULL;
195
    quic_free(rl);
196
    return 0;
197
}
198

199
static int quic_free(OSSL_RECORD_LAYER *rl)
200
{
201
    if (rl == NULL)
202
        return 1;
203

204
    BIO_free(rl->dummybio);
205
    OPENSSL_free(rl);
206
    return 1;
207
}
208

209
static int quic_unprocessed_read_pending(OSSL_RECORD_LAYER *rl)
210
{
211
    /*
212
     * Read ahead isn't really a thing for QUIC so we never have unprocessed
213
     * data pending
214
     */
215
    return 0;
216
}
217

218
static int quic_processed_read_pending(OSSL_RECORD_LAYER *rl)
219
{
220
    /*
221
     * This is currently only ever used by:
222
     * - SSL_has_pending()
223
     * - to check whether we have more records that we want to supply to the
224
     *   upper layers
225
     *
226
     * We only ever supply 1 record at a time to the upper layers, and
227
     * SSL_has_pending() will go via the QUIC method not the TLS method so that
228
     * use case doesn't apply here.
229
     * Therefore we can ignore this for now and always return 0. We might
230
     * eventually want to change this to check in the receive buffers to see if
231
     * we have any more data pending.
232
     */
233
    return 0;
234
}
235

236
static size_t quic_get_max_records(OSSL_RECORD_LAYER *rl, uint8_t type,
237
                                   size_t len,
238
                                   size_t maxfrag, size_t *preffrag)
239
{
240
    return 1;
241
}
242

243
static int quic_write_records(OSSL_RECORD_LAYER *rl,
244
                              OSSL_RECORD_TEMPLATE *template,
245
                              size_t numtempl)
246
{
247
    size_t consumed;
248
    unsigned char alert;
249

250
    if (!ossl_assert(numtempl == 1)) {
251
        /* How could this be? quic_get_max_records() always returns 1 */
252
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
253
        return OSSL_RECORD_RETURN_FATAL;
254
    }
255

256
    BIO_clear_retry_flags(rl->dummybio);
257

258
    if (rl->msg_callback != NULL) {
259
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
260

261
        /*
262
         * For the purposes of the callback we "pretend" to be normal TLS,
263
         * and manufacture a dummy record header
264
         */
265
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
266
                        ? template->type
267
                        : SSL3_RT_APPLICATION_DATA;
268
        dummyrec[1] = (unsigned char)((template->version >> 8) & 0xff);
269
        dummyrec[2] = (unsigned char)(template->version & 0xff);
270
        /*
271
         * We assume that buflen is always <= UINT16_MAX. Since this is
272
         * generated by libssl itself we actually expect it to never
273
         * exceed SSL3_RT_MAX_PLAIN_LENGTH - so it should be a safe
274
         * assumption
275
         */
276
        dummyrec[3] = (unsigned char)((template->buflen >> 8) & 0xff);
277
        dummyrec[4] = (unsigned char)(template->buflen & 0xff);
278

279
        rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
280
                            SSL3_RT_HEADER_LENGTH, rl->cbarg);
281

282
        if (rl->level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
283
            rl->msg_callback(1, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE,
284
                             &template->type, 1, rl->cbarg);
285
        }
286
    }
287

288
    switch (template->type) {
289
    case SSL3_RT_ALERT:
290
        if (template->buflen != 2) {
291
            /*
292
             * We assume that libssl always sends both bytes of an alert to
293
             * us in one go, and never fragments it. If we ever get more
294
             * or less bytes than exactly 2 then this is very unexpected.
295
             */
296
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_VALUE);
297
            return OSSL_RECORD_RETURN_FATAL;
298
        }
299
        /*
300
         * Byte 0 is the alert level (we ignore it) and byte 1 is the alert
301
         * description that we are actually interested in.
302
         */
303
        alert = template->buf[1];
304

305
        if (!rl->qtls->args.alert_cb(rl->qtls->args.alert_cb_arg, alert)) {
306
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
307
            return OSSL_RECORD_RETURN_FATAL;
308
        }
309
        break;
310

311
    case SSL3_RT_HANDSHAKE:
312
        /*
313
         * We expect this to only fail on some fatal error (e.g. malloc
314
         * failure)
315
         */
316
        if (!rl->qtls->args.crypto_send_cb(template->buf + rl->written,
317
                                           template->buflen - rl->written,
318
                                           &consumed,
319
                                           rl->qtls->args.crypto_send_cb_arg)) {
320
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
321
            return OSSL_RECORD_RETURN_FATAL;
322
        }
323
        /*
324
         * We might have written less than we wanted to if we have filled the
325
         * send stream buffer.
326
         */
327
        if (consumed + rl->written != template->buflen) {
328
            if (!ossl_assert(consumed + rl->written < template->buflen)) {
329
                QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
330
                return OSSL_RECORD_RETURN_FATAL;
331
            }
332

333
            /*
334
             * We've not written everything we wanted to. Take a copy of the
335
             * template, remember how much we wrote so far and signal a retry.
336
             * The buffer supplied in the template is guaranteed to be the same
337
             * on a retry for handshake data
338
             */
339
            rl->written += consumed;
340
            rl->template = *template;
341
            BIO_set_retry_write(rl->dummybio);
342

343
            return OSSL_RECORD_RETURN_RETRY;
344
        }
345
        rl->written = 0;
346
        break;
347

348
    default:
349
        /* Anything else is unexpected and an error */
350
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
351
        return OSSL_RECORD_RETURN_FATAL;
352
    }
353

354
    return OSSL_RECORD_RETURN_SUCCESS;
355
}
356

357
static int quic_retry_write_records(OSSL_RECORD_LAYER *rl)
358
{
359
    return quic_write_records(rl, &rl->template, 1);
360
}
361

362
static int quic_read_record(OSSL_RECORD_LAYER *rl, void **rechandle,
363
                            int *rversion, uint8_t *type, const unsigned char **data,
364
                            size_t *datalen, uint16_t *epoch,
365
                            unsigned char *seq_num)
366
{
367
    if (rl->recread != 0 || rl->recunreleased != 0)
368
        return OSSL_RECORD_RETURN_FATAL;
369

370
    BIO_clear_retry_flags(rl->dummybio);
371

372
    if (!rl->qtls->args.crypto_recv_rcd_cb(data, datalen,
373
                                           rl->qtls->args.crypto_recv_rcd_cb_arg)) {
374
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
375
        return OSSL_RECORD_RETURN_FATAL;
376
    }
377

378
    if (*datalen == 0) {
379
        BIO_set_retry_read(rl->dummybio);
380
        return OSSL_RECORD_RETURN_RETRY;
381
    }
382

383
    *rechandle = rl;
384
    *rversion = TLS1_3_VERSION;
385
    *type = SSL3_RT_HANDSHAKE;
386
    rl->recread = rl->recunreleased = *datalen;
387
    /* epoch/seq_num are not relevant for TLS */
388

389
    if (rl->msg_callback != NULL) {
390
        unsigned char dummyrec[SSL3_RT_HEADER_LENGTH];
391

392
        /*
393
         * For the purposes of the callback we "pretend" to be normal TLS,
394
         * and manufacture a dummy record header
395
         */
396
        dummyrec[0] = (rl->level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
397
                      ? SSL3_RT_HANDSHAKE
398
                      : SSL3_RT_APPLICATION_DATA;
399
        dummyrec[1] = (unsigned char)((TLS1_2_VERSION >> 8) & 0xff);
400
        dummyrec[2] = (unsigned char)(TLS1_2_VERSION & 0xff);
401
        /*
402
         * *datalen will always fit into 2 bytes because our original buffer
403
         * size is less than that.
404
         */
405
        dummyrec[3] = (unsigned char)((*datalen >> 8) & 0xff);
406
        dummyrec[4] = (unsigned char)(*datalen & 0xff);
407

408
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HEADER, dummyrec,
409
                         SSL3_RT_HEADER_LENGTH, rl->cbarg);
410
        rl->msg_callback(0, TLS1_3_VERSION, SSL3_RT_INNER_CONTENT_TYPE, type, 1,
411
                         rl->cbarg);
412
    }
413

414
    return OSSL_RECORD_RETURN_SUCCESS;
415
}
416

417
static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
418
                               size_t length)
419
{
420
    if (!ossl_assert(rl->recread > 0)
421
            || !ossl_assert(rl->recunreleased <= rl->recread)
422
            || !ossl_assert(rl == rechandle)
423
            || !ossl_assert(length <= rl->recunreleased)) {
424
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
425
        return OSSL_RECORD_RETURN_FATAL;
426
    }
427

428
    if (rl->recunreleased == length) {
429
        if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
430
                                                  rl->qtls->args.crypto_release_rcd_cb_arg)) {
431
            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
432
            return OSSL_RECORD_RETURN_FATAL;
433
        }
434
        rl->recread = 0;
435
    }
436
    rl->recunreleased -= length;
437
    return OSSL_RECORD_RETURN_SUCCESS;
438
}
439

440
static int quic_get_alert_code(OSSL_RECORD_LAYER *rl)
441
{
442
    return rl->alert;
443
}
444

445
static int quic_set_protocol_version(OSSL_RECORD_LAYER *rl, int version)
446
{
447
    /* We only support TLSv1.3, so its bad if we negotiate anything else */
448
    if (!ossl_assert(version == TLS1_3_VERSION)) {
449
        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
450
        return 0;
451
    }
452

453
    return 1;
454
}
455

456
static void quic_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow)
457
{
458
    /* We don't care */
459
}
460

461
static void quic_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
462
{
463
    /* We don't care */
464
}
465

466
static void quic_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
467
{
468
    /* We don't care */
469
}
470

471
static void quic_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
472
                    const char **longstr)
473
{
474
    /*
475
     * According to the docs, valid read state strings are: "RH"/"read header",
476
     * "RB"/"read body", and "unknown"/"unknown". We don't read records in quite
477
     * that way, so we report every "normal" state as "read header". In the
478
     * event of error then we report "unknown".
479
     */
480

481
    if (rl->qtls->inerror) {
482
        if (shortstr != NULL)
483
            *shortstr = "unknown";
484
        if (longstr != NULL)
485
            *longstr = "unknown";
486
    } else {
487
        if (shortstr != NULL)
488
            *shortstr = "RH";
489
        if (longstr != NULL)
490
            *longstr = "read header";
491
    }
492
}
493

494
static int quic_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options)
495
{
496
    /*
497
     * We don't support any options yet - but we might do at some point so
498
     * this could be useful.
499
     */
500
    return 1;
501
}
502

503
static const COMP_METHOD *quic_get_compression(OSSL_RECORD_LAYER *rl)
504
{
505
    /* We only support TLSv1.3 which doesn't have compression */
506
    return NULL;
507
}
508

509
static void quic_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len)
510
{
511
    /* This really doesn't make any sense for QUIC. Ignore it */
512
}
513

514
static int quic_alloc_buffers(OSSL_RECORD_LAYER *rl)
515
{
516
    /*
517
     * This is a hint only. We don't support it (yet), so just ignore the
518
     * request
519
     */
520
    return 1;
521
}
522

523
static int quic_free_buffers(OSSL_RECORD_LAYER *rl)
524
{
525
    /*
526
     * This is a hint only. We don't support it (yet), so just ignore the
527
     * request
528
     */
529
    return 1;
530
}
531

532
static int quic_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio)
533
{
534
    if (bio != NULL && !BIO_up_ref(bio))
535
        return 0;
536
    BIO_free(rl->dummybio);
537
    rl->dummybio = bio;
538

539
    return 1;
540
}
541

542
/*
543
 * Never called functions
544
 *
545
 * Due to the way we are configured and used we never expect any of the next set
546
 * of functions to be called. Therefore we set them to always fail.
547
 */
548

549
static size_t quic_app_data_pending(OSSL_RECORD_LAYER *rl)
550
{
551
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
552
    return (size_t)ossl_assert(0);
553
}
554

555
static size_t quic_get_max_record_overhead(OSSL_RECORD_LAYER *rl)
556
{
557
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
558
    return (size_t)ossl_assert(0);
559
}
560

561
static int quic_increment_sequence_ctr(OSSL_RECORD_LAYER *rl)
562
{
563
    QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
564
    return ossl_assert(0);
565
}
566

567
/* End of never called functions */
568

569
static const OSSL_RECORD_METHOD quic_tls_record_method = {
570
    quic_new_record_layer,
571
    quic_free,
572
    quic_unprocessed_read_pending,
573
    quic_processed_read_pending,
574
    quic_app_data_pending, /* Never called */
575
    quic_get_max_records,
576
    quic_write_records,
577
    quic_retry_write_records,
578
    quic_read_record,
579
    quic_release_record,
580
    quic_get_alert_code,
581
    quic_set1_bio,
582
    quic_set_protocol_version,
583
    quic_set_plain_alerts,
584
    quic_set_first_handshake,
585
    quic_set_max_pipelines,
586
    NULL, /* set_in_init: Optional - we don't need it */
587
    quic_get_state,
588
    quic_set_options,
589
    quic_get_compression,
590
    quic_set_max_frag_len,
591
    quic_get_max_record_overhead, /* Never called */
592
    quic_increment_sequence_ctr, /* Never called */
593
    quic_alloc_buffers,
594
    quic_free_buffers
595
};
596

597
static int add_transport_params_cb(SSL *s, unsigned int ext_type,
598
                                   unsigned int context,
599
                                   const unsigned char **out, size_t *outlen,
600
                                   X509 *x, size_t chainidx, int *al,
601
                                   void *add_arg)
602
{
603
    QUIC_TLS *qtls = add_arg;
604

605
    *out = qtls->local_transport_params;
606
    *outlen = qtls->local_transport_params_len;
607
    qtls->local_transport_params_consumed = 1;
608
    return 1;
609
}
610

611
static void free_transport_params_cb(SSL *s, unsigned int ext_type,
612
                                     unsigned int context,
613
                                     const unsigned char *out,
614
                                     void *add_arg)
615
{
616
}
617

618
static int parse_transport_params_cb(SSL *s, unsigned int ext_type,
619
                                     unsigned int context,
620
                                     const unsigned char *in,
621
                                     size_t inlen, X509 *x,
622
                                     size_t chainidx,
623
                                     int *al, void *parse_arg)
624
{
625
    QUIC_TLS *qtls = parse_arg;
626

627
    return qtls->args.got_transport_params_cb(in, inlen,
628
                                              qtls->args.got_transport_params_cb_arg);
629
}
630

631
QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
632
{
633
    QUIC_TLS *qtls;
634

635
    if (args->crypto_send_cb == NULL
636
        || args->crypto_recv_rcd_cb == NULL
637
        || args->crypto_release_rcd_cb == NULL) {
638
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
639
        return NULL;
640
    }
641

642
    qtls = OPENSSL_zalloc(sizeof(*qtls));
643
    if (qtls == NULL)
644
        return NULL;
645

646
    if (args->ossl_quic && (qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
647
        OPENSSL_free(qtls);
648
        return NULL;
649
    }
650

651
    qtls->args = *args;
652
    return qtls;
653
}
654

655
void ossl_quic_tls_free(QUIC_TLS *qtls)
656
{
657
    if (qtls == NULL)
658
        return;
659
    OSSL_ERR_STATE_free(qtls->error_state);
660
    OPENSSL_free(qtls);
661
}
662

663
static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
664
                       const char *error_msg,
665
                       const char *src_file,
666
                       int src_line,
667
                       const char *src_func)
668
{
669
    /*
670
     * When QTLS fails, add a "cover letter" error with information, potentially
671
     * with any underlying libssl errors underneath it (but our cover error may
672
     * be the only error in some cases). Then capture this into an ERR_STATE so
673
     * we can report it later if need be when the QUIC_CHANNEL asks for it.
674
     * For external QUIC TLS we just raise the error.
675
     */
676
    ERR_new();
677
    ERR_set_debug(src_file, src_line, src_func);
678
    ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
679
                  "handshake layer error, error code %llu (0x%llx) (\"%s\")",
680
                  error_code, error_code, error_msg);
681

682
    if (qtls->args.ossl_quic) {
683
        OSSL_ERR_STATE_save_to_mark(qtls->error_state);
684

685
        /*
686
         * We record the error information reported via the QUIC protocol
687
         * separately.
688
         */
689
        qtls->error_code        = error_code;
690
        qtls->error_msg         = error_msg;
691
        qtls->inerror           = 1;
692

693
        ERR_pop_to_mark();
694
    }
695
    return 0;
696
}
697

698
#define RAISE_ERROR(qtls, error_code, error_msg) \
699
    raise_error((qtls), (error_code), (error_msg), \
700
                OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
701

702
#ifndef OPENSSL_NO_QUIC
703
# define RAISE_INTERNAL_ERROR(qtls) \
704
    RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
705
#else
706
# define RAISE_INTERNAL_ERROR(qtls) \
707
    RAISE_ERROR((qtls), 0x01, "internal error")
708
#endif
709

710
int ossl_quic_tls_configure(QUIC_TLS *qtls)
711
{
712
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
713
    BIO *nullbio;
714

715
    if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
716
        return RAISE_INTERNAL_ERROR(qtls);
717

718
    nullbio = BIO_new(BIO_s_null());
719
    if (nullbio == NULL)
720
        return RAISE_INTERNAL_ERROR(qtls);
721

722
    /*
723
     * Our custom record layer doesn't use the BIO - but libssl generally
724
     * expects one to be present.
725
     */
726
    SSL_set_bio(qtls->args.s, nullbio, nullbio);
727

728
    SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
729
    ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
730

731
    if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
732
                                        qtls->args.is_server ? ENDPOINT_SERVER
733
                                                             : ENDPOINT_CLIENT,
734
                                        TLSEXT_TYPE_quic_transport_parameters,
735
                                        SSL_EXT_TLS1_3_ONLY
736
                                        | SSL_EXT_CLIENT_HELLO
737
                                        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
738
                                        add_transport_params_cb,
739
                                        free_transport_params_cb, qtls,
740
                                        parse_transport_params_cb, qtls))
741
        return 0;
742

743
    sc->s3.flags |= TLS1_FLAGS_QUIC;
744

745
    return 1;
746
}
747

748
#ifndef OPENSSL_NO_QUIC
749
int ossl_quic_tls_tick(QUIC_TLS *qtls)
750
{
751
    int ret, err;
752
    const unsigned char *alpn;
753
    unsigned int alpnlen;
754

755
    if (qtls->inerror)
756
        return 0;
757

758
    /*
759
     * SSL_get_error does not truly know what the cause of an SSL_read failure
760
     * is and to some extent guesses based on contextual information. In
761
     * particular, if there is _any_ ERR on the error stack, SSL_ERROR_SSL or
762
     * SSL_ERROR_SYSCALL will be returned no matter what and there is no
763
     * possibility of SSL_ERROR_WANT_READ/WRITE being returned, even if that was
764
     * the actual cause of the SSL_read() failure.
765
     *
766
     * This means that ordinarily, the below code might not work right if the
767
     * application has any ERR on the error stack. In order to make this code
768
     * perform correctly regardless of prior ERR state, we use a variant of
769
     * SSL_get_error() which ignores the error stack. However, some ERRs are
770
     * raised by SSL_read() and actually indicate that something has gone wrong
771
     * during the call to SSL_read(). We therefore adopt a strategy of marking
772
     * the ERR stack and seeing if any errors get appended during the call to
773
     * SSL_read(). If they are, we assume SSL_read() has raised an error and
774
     * that we should use normal SSL_get_error() handling.
775
     *
776
     * NOTE: Ensure all escape paths from this function call
777
     * ERR_clear_to_mark(). The RAISE macros handle this in failure cases.
778
     */
779
    ERR_set_mark();
780

781
    if (!qtls->configured) {
782
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
783
        SSL_CTX *sctx;
784

785
        if (sc == NULL)
786
            return RAISE_INTERNAL_ERROR(qtls);
787
        sctx = SSL_CONNECTION_GET_CTX(sc);
788

789
        /*
790
         * No matter how the user has configured us, there are certain
791
         * requirements for QUIC-TLS that we enforce
792
         */
793

794
        /* ALPN is a requirement for QUIC and must be set */
795
        if (qtls->args.is_server) {
796
            if (sctx->ext.alpn_select_cb == NULL)
797
                return RAISE_INTERNAL_ERROR(qtls);
798
        } else {
799
            if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)
800
                return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
801
                                   "ALPN must be configured when using QUIC");
802
        }
803

804
        if (!ossl_quic_tls_configure(qtls))
805
            return RAISE_INTERNAL_ERROR(qtls);
806

807
        sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
808

809
        if (qtls->args.is_server)
810
            SSL_set_accept_state(qtls->args.s);
811
        else
812
            SSL_set_connect_state(qtls->args.s);
813

814
        qtls->configured = 1;
815
    }
816

817
    if (qtls->complete)
818
        /*
819
         * There should never be app data to read, but calling SSL_read() will
820
         * ensure any post-handshake messages are processed.
821
         */
822
        ret = SSL_read(qtls->args.s, NULL, 0);
823
    else
824
        ret = SSL_do_handshake(qtls->args.s);
825

826
    if (ret <= 0) {
827
        err = ossl_ssl_get_error(qtls->args.s, ret,
828
                                 /*check_err=*/ERR_count_to_mark() > 0);
829

830
        switch (err) {
831
        case SSL_ERROR_WANT_READ:
832
        case SSL_ERROR_WANT_WRITE:
833
        case SSL_ERROR_WANT_CLIENT_HELLO_CB:
834
        case SSL_ERROR_WANT_X509_LOOKUP:
835
        case SSL_ERROR_WANT_RETRY_VERIFY:
836
            ERR_pop_to_mark();
837
            return 1;
838

839
        default:
840
            return RAISE_INTERNAL_ERROR(qtls);
841
        }
842
    }
843

844
    if (!qtls->complete) {
845
        /* Validate that we have ALPN */
846
        SSL_get0_alpn_selected(qtls->args.s, &alpn, &alpnlen);
847
        if (alpn == NULL || alpnlen == 0)
848
            return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
849
                               "no application protocol negotiated");
850

851
        qtls->complete = 1;
852
        ERR_pop_to_mark();
853
        return qtls->args.handshake_complete_cb(qtls->args.handshake_complete_cb_arg);
854
    }
855

856
    ERR_pop_to_mark();
857
    return 1;
858
}
859
#endif
860

861
void ossl_quic_tls_clear(QUIC_TLS *qtls)
862
{
863
    if (qtls == NULL)
864
        return;
865
    qtls->local_transport_params_consumed = 0;
866
}
867

868
int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
869
                                       const unsigned char *transport_params,
870
                                       size_t transport_params_len)
871
{
872
    if (qtls->local_transport_params_consumed)
873
        return 0;
874

875
    qtls->local_transport_params       = transport_params;
876
    qtls->local_transport_params_len   = transport_params_len;
877
    return 1;
878
}
879

880
int ossl_quic_tls_get_error(QUIC_TLS *qtls,
881
                            uint64_t *error_code,
882
                            const char **error_msg,
883
                            ERR_STATE **error_state)
884
{
885
    if (qtls->inerror) {
886
        *error_code     = qtls->error_code;
887
        *error_msg      = qtls->error_msg;
888
        *error_state    = qtls->error_state;
889
    }
890

891
    return qtls->inerror;
892
}
893

894
/*
895
 * Returns true if the last handshake record message we processed was a
896
 * CertificateRequest
897
 */
898
int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls)
899
{
900
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
901

902
    if (sc == NULL)
903
        return 0;
904

905
    return sc->s3.tmp.message_type == SSL3_MT_CERTIFICATE_REQUEST;
906
}
907

908
/*
909
 * Returns true if the last session associated with the connection has an
910
 * invalid max_early_data value for QUIC.
911
 */
912
int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls)
913
{
914
    uint32_t max_early_data = SSL_get0_session(qtls->args.s)->ext.max_early_data;
915

916
    /*
917
     * If max_early_data was present we always ensure a non-zero value is
918
     * stored in the session for QUIC. Therefore if max_early_data == 0 here
919
     * we can be confident that it was not present in the NewSessionTicket
920
     */
921
    return max_early_data != 0xffffffff && max_early_data != 0;
922
}
923

924
int ossl_quic_tls_set_early_data_enabled(QUIC_TLS *qtls, int enabled)
925
{
926
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
927

928
    if (sc == NULL || !SSL_IS_QUIC_HANDSHAKE(sc) || !SSL_in_before(qtls->args.s))
929
        return 0;
930

931
    if (!enabled) {
932
        sc->max_early_data = 0;
933
        sc->early_data_state = SSL_EARLY_DATA_NONE;
934
        return 1;
935
    }
936

937
    if (sc->server) {
938
        sc->max_early_data = 0xffffffff;
939
        sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
940
        return 1;
941
    }
942

943
    if ((sc->session == NULL || sc->session->ext.max_early_data != 0xffffffff)
944
        && sc->psk_use_session_cb == NULL)
945
        return 0;
946

947
    sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
948
    return 1;
949
}
950

951