1 /* 2 * Copyright 2022-2026 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ssl.h> 11 #include "internal/quic_record_rx.h" 12 #include "quic_record_shared.h" 13 #include "internal/common.h" 14 #include "internal/list.h" 15 #include "../ssl_local.h" 16 17 /* 18 * Mark a packet in a bitfield. 19 * 20 * pkt_idx: index of packet within datagram. 21 */ 22 static ossl_inline void pkt_mark(uint64_t *bitf, size_t pkt_idx) 23 { 24 assert(pkt_idx < QUIC_MAX_PKT_PER_URXE); 25 *bitf |= ((uint64_t)1) << pkt_idx; 26 } 27 28 /* Returns 1 if a packet is in the bitfield. */ 29 static ossl_inline int pkt_is_marked(const uint64_t *bitf, size_t pkt_idx) 30 { 31 assert(pkt_idx < QUIC_MAX_PKT_PER_URXE); 32 return (*bitf & (((uint64_t)1) << pkt_idx)) != 0; 33 } 34 35 /* 36 * RXE 37 * === 38 * 39 * RX Entries (RXEs) store processed (i.e., decrypted) data received from the 40 * network. One RXE is used per received QUIC packet. 41 */ 42 typedef struct rxe_st RXE; 43 44 struct rxe_st { 45 OSSL_QRX_PKT pkt; 46 OSSL_LIST_MEMBER(rxe, RXE); 47 size_t data_len, alloc_len, refcount; 48 49 /* Extra fields for per-packet information. */ 50 QUIC_PKT_HDR hdr; /* data/len are decrypted payload */ 51 52 /* Decoded packet number. */ 53 QUIC_PN pn; 54 55 /* Addresses copied from URXE. */ 56 BIO_ADDR peer, local; 57 58 /* Time we received the packet (not when we processed it). */ 59 OSSL_TIME time; 60 61 /* Total length of the datagram which contained this packet. */ 62 size_t datagram_len; 63 64 /* 65 * The key epoch the packet was received with. Always 0 for non-1-RTT 66 * packets. 67 */ 68 uint64_t key_epoch; 69 70 /* 71 * Monotonically increases with each datagram received. 72 * For diagnostic use only. 73 */ 74 uint64_t datagram_id; 75 76 /* 77 * alloc_len allocated bytes (of which data_len bytes are valid) follow this 78 * structure. 79 */ 80 }; 81 82 DEFINE_LIST_OF(rxe, RXE); 83 typedef OSSL_LIST(rxe) RXE_LIST; 84 85 static ossl_inline unsigned char *rxe_data(const RXE *e) 86 { 87 return (unsigned char *)(e + 1); 88 } 89 90 /* 91 * QRL 92 * === 93 */ 94 struct ossl_qrx_st { 95 OSSL_LIB_CTX *libctx; 96 const char *propq; 97 98 /* Demux to receive datagrams from. */ 99 QUIC_DEMUX *demux; 100 101 /* Length of connection IDs used in short-header packets in bytes. */ 102 size_t short_conn_id_len; 103 104 /* Maximum number of deferred datagrams buffered at any one time. */ 105 size_t max_deferred; 106 107 /* Current count of deferred datagrams. */ 108 size_t num_deferred; 109 110 /* 111 * List of URXEs which are filled with received encrypted data. 112 * These are returned to the DEMUX's free list as they are processed. 113 */ 114 QUIC_URXE_LIST urx_pending; 115 116 /* 117 * List of URXEs which we could not decrypt immediately and which are being 118 * kept in case they can be decrypted later. 119 */ 120 QUIC_URXE_LIST urx_deferred; 121 122 /* 123 * List of RXEs which are not currently in use. These are moved 124 * to the pending list as they are filled. 125 */ 126 RXE_LIST rx_free; 127 128 /* 129 * List of RXEs which are filled with decrypted packets ready to be passed 130 * to the user. A RXE is removed from all lists inside the QRL when passed 131 * to the user, then returned to the free list when the user returns it. 132 */ 133 RXE_LIST rx_pending; 134 135 /* Largest PN we have received and processed in a given PN space. */ 136 QUIC_PN largest_pn[QUIC_PN_SPACE_NUM]; 137 138 /* Per encryption-level state. */ 139 OSSL_QRL_ENC_LEVEL_SET el_set; 140 141 /* Bytes we have received since this counter was last cleared. */ 142 uint64_t bytes_received; 143 144 /* 145 * Number of forged packets we have received since the QRX was instantiated. 146 * Note that as per RFC 9001, this is connection-level state; it is not per 147 * EL and is not reset by a key update. 148 */ 149 uint64_t forged_pkt_count; 150 151 /* 152 * The PN the current key epoch started at, inclusive. 153 */ 154 uint64_t cur_epoch_start_pn; 155 156 /* Validation callback. */ 157 ossl_qrx_late_validation_cb *validation_cb; 158 void *validation_cb_arg; 159 160 /* Key update callback. */ 161 ossl_qrx_key_update_cb *key_update_cb; 162 void *key_update_cb_arg; 163 164 /* Initial key phase. For debugging use only; always 0 in real use. */ 165 unsigned char init_key_phase_bit; 166 167 /* Are we allowed to process 1-RTT packets yet? */ 168 unsigned char allow_1rtt; 169 170 /* Message callback related arguments */ 171 ossl_msg_cb msg_callback; 172 void *msg_callback_arg; 173 SSL *msg_callback_ssl; 174 }; 175 176 static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len); 177 static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe, 178 const QUIC_CONN_ID *first_dcid); 179 static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi, 180 const unsigned char **pptr, size_t buf_len); 181 static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe); 182 static RXE *qrx_reserve_rxe(RXE_LIST *rxl, RXE *rxe, size_t n); 183 static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst, 184 const unsigned char *src, 185 size_t src_len, size_t *dec_len, 186 const unsigned char *aad, size_t aad_len, 187 QUIC_PN pn, uint32_t enc_level, 188 unsigned char key_phase_bit, 189 uint64_t *rx_key_epoch); 190 static int qrx_validate_hdr_late(OSSL_QRX *qrx, RXE *rxe); 191 static uint32_t rxe_determine_pn_space(RXE *rxe); 192 static void ignore_res(int x); 193 194 OSSL_QRX *ossl_qrx_new(const OSSL_QRX_ARGS *args) 195 { 196 OSSL_QRX *qrx; 197 size_t i; 198 199 if (args->demux == NULL || args->max_deferred == 0) 200 return NULL; 201 202 qrx = OPENSSL_zalloc(sizeof(OSSL_QRX)); 203 if (qrx == NULL) 204 return NULL; 205 206 for (i = 0; i < OSSL_NELEM(qrx->largest_pn); ++i) 207 qrx->largest_pn[i] = args->init_largest_pn[i]; 208 209 qrx->libctx = args->libctx; 210 qrx->propq = args->propq; 211 qrx->demux = args->demux; 212 qrx->short_conn_id_len = args->short_conn_id_len; 213 qrx->init_key_phase_bit = args->init_key_phase_bit; 214 qrx->max_deferred = args->max_deferred; 215 return qrx; 216 } 217 218 static void qrx_cleanup_rxl(RXE_LIST *l) 219 { 220 RXE *e, *enext; 221 222 for (e = ossl_list_rxe_head(l); e != NULL; e = enext) { 223 enext = ossl_list_rxe_next(e); 224 ossl_list_rxe_remove(l, e); 225 OPENSSL_free(e); 226 } 227 } 228 229 static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l) 230 { 231 QUIC_URXE *e, *enext; 232 233 for (e = ossl_list_urxe_head(l); e != NULL; e = enext) { 234 enext = ossl_list_urxe_next(e); 235 ossl_list_urxe_remove(l, e); 236 ossl_quic_demux_release_urxe(qrx->demux, e); 237 } 238 } 239 240 void ossl_qrx_update_pn_space(OSSL_QRX *src, OSSL_QRX *dst) 241 { 242 size_t i; 243 244 for (i = 0; i < QUIC_PN_SPACE_NUM; i++) 245 dst->largest_pn[i] = src->largest_pn[i]; 246 247 return; 248 } 249 250 void ossl_qrx_free(OSSL_QRX *qrx) 251 { 252 uint32_t i; 253 254 if (qrx == NULL) 255 return; 256 257 /* Free RXE queue data. */ 258 qrx_cleanup_rxl(&qrx->rx_free); 259 qrx_cleanup_rxl(&qrx->rx_pending); 260 qrx_cleanup_urxl(qrx, &qrx->urx_pending); 261 qrx_cleanup_urxl(qrx, &qrx->urx_deferred); 262 263 /* Drop keying material and crypto resources. */ 264 for (i = 0; i < QUIC_ENC_LEVEL_NUM; ++i) 265 ossl_qrl_enc_level_set_discard(&qrx->el_set, i); 266 267 OPENSSL_free(qrx); 268 } 269 270 void ossl_qrx_inject_urxe(OSSL_QRX *qrx, QUIC_URXE *urxe) 271 { 272 /* Initialize our own fields inside the URXE and add to the pending list. */ 273 urxe->processed = 0; 274 urxe->hpr_removed = 0; 275 urxe->deferred = 0; 276 ossl_list_urxe_insert_tail(&qrx->urx_pending, urxe); 277 278 if (qrx->msg_callback != NULL) 279 qrx->msg_callback(0, OSSL_QUIC1_VERSION, SSL3_RT_QUIC_DATAGRAM, urxe + 1, 280 urxe->data_len, qrx->msg_callback_ssl, 281 qrx->msg_callback_arg); 282 } 283 284 void ossl_qrx_inject_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt) 285 { 286 RXE *rxe = (RXE *)pkt; 287 288 /* 289 * port_default_packet_handler() uses ossl_qrx_read_pkt() 290 * to get pkt. Such packet has refcount 1. 291 */ 292 ossl_qrx_pkt_orphan(pkt); 293 if (ossl_assert(rxe->refcount == 0)) 294 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe); 295 } 296 297 /* 298 * qrx_validate_initial_pkt() is derived from qrx_process_pkt(). Unlike 299 * qrx_process_pkt() the qrx_validate_initial_pkt() function can process 300 * initial packet only. All other packets should be discarded. This allows 301 * port_default_packet_handler() to validate incoming packet. If packet 302 * is not valid, then port_default_packet_handler() must discard the 303 * packet instead of creating a new channel for it. 304 */ 305 static int qrx_validate_initial_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, 306 const QUIC_CONN_ID *first_dcid, 307 size_t datagram_len) 308 { 309 PACKET pkt, orig_pkt; 310 RXE *rxe; 311 size_t i = 0, aad_len = 0, dec_len = 0; 312 const unsigned char *sop; 313 unsigned char *dst; 314 QUIC_PKT_HDR_PTRS ptrs; 315 uint32_t pn_space; 316 OSSL_QRL_ENC_LEVEL *el = NULL; 317 uint64_t rx_key_epoch = UINT64_MAX; 318 319 if (!PACKET_buf_init(&pkt, ossl_quic_urxe_data(urxe), urxe->data_len)) 320 return 0; 321 322 orig_pkt = pkt; 323 sop = PACKET_data(&pkt); 324 325 /* 326 * Get a free RXE. If we need to allocate a new one, use the packet length 327 * as a good ballpark figure. 328 */ 329 rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(&pkt)); 330 if (rxe == NULL) 331 return 0; 332 333 /* 334 * we expect INITIAL packet only, therefore it is OK to pass 335 * short_conn_id_len as 0. 336 */ 337 if (!ossl_quic_wire_decode_pkt_hdr(&pkt, 338 0, /* short_conn_id_len */ 339 1, /* need second decode */ 340 0, /* nodata -> want to read data */ 341 &rxe->hdr, &ptrs, 342 NULL)) 343 goto malformed; 344 345 if (rxe->hdr.type != QUIC_PKT_TYPE_INITIAL) 346 goto malformed; 347 348 if (!qrx_validate_hdr_early(qrx, rxe, NULL)) 349 goto malformed; 350 351 if (ossl_qrl_enc_level_set_have_el(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL) != 1) 352 goto malformed; 353 354 if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) { 355 const unsigned char *token = rxe->hdr.token; 356 357 /* 358 * This may change the value of rxe and change the value of the token 359 * pointer as well. So we must make a temporary copy of the pointer to 360 * the token, and then copy it back into the new location of the rxe 361 */ 362 if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len)) 363 goto malformed; 364 365 rxe->hdr.token = token; 366 } 367 368 pkt = orig_pkt; 369 370 el = ossl_qrl_enc_level_set_get(&qrx->el_set, QUIC_ENC_LEVEL_INITIAL, 1); 371 assert(el != NULL); /* Already checked above */ 372 373 if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs)) 374 goto malformed; 375 376 /* 377 * We have removed header protection, so don't attempt to do it again if 378 * the packet gets deferred and processed again. 379 */ 380 pkt_mark(&urxe->hpr_removed, 0); 381 382 /* Decode the now unprotected header. */ 383 if (ossl_quic_wire_decode_pkt_hdr(&pkt, 0, 384 0, 0, &rxe->hdr, NULL, NULL) 385 != 1) 386 goto malformed; 387 388 /* Validate header and decode PN. */ 389 if (!qrx_validate_hdr(qrx, rxe)) 390 goto malformed; 391 392 /* 393 * The AAD data is the entire (unprotected) packet header including the PN. 394 * The packet header has been unprotected in place, so we can just reuse the 395 * PACKET buffer. The header ends where the payload begins. 396 */ 397 aad_len = rxe->hdr.data - sop; 398 399 /* Ensure the RXE buffer size is adequate for our payload. */ 400 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) 401 goto malformed; 402 403 /* 404 * We decrypt the packet body to immediately after the token at the start of 405 * the RXE buffer (where present). 406 * 407 * Do the decryption from the PACKET (which points into URXE memory) to our 408 * RXE payload (single-copy decryption), then fixup the pointers in the 409 * header to point to our new buffer. 410 * 411 * If decryption fails this is considered a permanent error; we defer 412 * packets we don't yet have decryption keys for above, so if this fails, 413 * something has gone wrong with the handshake process or a packet has been 414 * corrupted. 415 */ 416 dst = (unsigned char *)rxe_data(rxe) + i; 417 if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len, 418 &dec_len, sop, aad_len, rxe->pn, QUIC_ENC_LEVEL_INITIAL, 419 rxe->hdr.key_phase, &rx_key_epoch)) 420 goto malformed; 421 422 /* 423 * ----------------------------------------------------- 424 * IMPORTANT: ANYTHING ABOVE THIS LINE IS UNVERIFIED 425 * AND MUST BE TIMING-CHANNEL SAFE. 426 * ----------------------------------------------------- 427 * 428 * At this point, we have successfully authenticated the AEAD tag and no 429 * longer need to worry about exposing the PN, PN length or Key Phase bit in 430 * timing channels. Invoke any configured validation callback to allow for 431 * rejection of duplicate PNs. 432 */ 433 if (!qrx_validate_hdr_late(qrx, rxe)) 434 goto malformed; 435 436 pkt_mark(&urxe->processed, 0); 437 438 /* 439 * Update header to point to the decrypted buffer, which may be shorter 440 * due to AEAD tags, block padding, etc. 441 */ 442 rxe->hdr.data = dst; 443 rxe->hdr.len = dec_len; 444 rxe->data_len = dec_len; 445 rxe->datagram_len = datagram_len; 446 rxe->key_epoch = rx_key_epoch; 447 448 /* We processed the PN successfully, so update largest processed PN. */ 449 pn_space = rxe_determine_pn_space(rxe); 450 if (rxe->pn > qrx->largest_pn[pn_space]) 451 qrx->largest_pn[pn_space] = rxe->pn; 452 453 /* Copy across network addresses and RX time from URXE to RXE. */ 454 rxe->peer = urxe->peer; 455 rxe->local = urxe->local; 456 rxe->time = urxe->time; 457 rxe->datagram_id = urxe->datagram_id; 458 459 /* 460 * The packet is decrypted, we are going to move it from 461 * rx_pending queue where it waits to be further processed 462 * by ch_rx(). 463 */ 464 ossl_list_rxe_remove(&qrx->rx_free, rxe); 465 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe); 466 467 return 1; 468 469 malformed: 470 /* caller (port_default_packet_handler()) should discard urxe */ 471 return 0; 472 } 473 474 int ossl_qrx_validate_initial_packet(OSSL_QRX *qrx, QUIC_URXE *urxe, 475 const QUIC_CONN_ID *dcid) 476 { 477 urxe->processed = 0; 478 urxe->hpr_removed = 0; 479 urxe->deferred = 0; 480 481 return qrx_validate_initial_pkt(qrx, urxe, dcid, urxe->data_len); 482 } 483 484 static void qrx_requeue_deferred(OSSL_QRX *qrx) 485 { 486 QUIC_URXE *e; 487 488 while ((e = ossl_list_urxe_head(&qrx->urx_deferred)) != NULL) { 489 ossl_list_urxe_remove(&qrx->urx_deferred, e); 490 ossl_list_urxe_insert_tail(&qrx->urx_pending, e); 491 } 492 } 493 494 int ossl_qrx_provide_secret(OSSL_QRX *qrx, uint32_t enc_level, 495 uint32_t suite_id, EVP_MD *md, 496 const unsigned char *secret, size_t secret_len) 497 { 498 if (enc_level >= QUIC_ENC_LEVEL_NUM) 499 return 0; 500 501 if (!ossl_qrl_enc_level_set_provide_secret(&qrx->el_set, 502 qrx->libctx, 503 qrx->propq, 504 enc_level, 505 suite_id, 506 md, 507 secret, 508 secret_len, 509 qrx->init_key_phase_bit, 510 /*is_tx=*/0)) 511 return 0; 512 513 /* 514 * Any packets we previously could not decrypt, we may now be able to 515 * decrypt, so move any datagrams containing deferred packets from the 516 * deferred to the pending queue. 517 */ 518 qrx_requeue_deferred(qrx); 519 return 1; 520 } 521 522 int ossl_qrx_discard_enc_level(OSSL_QRX *qrx, uint32_t enc_level) 523 { 524 if (enc_level >= QUIC_ENC_LEVEL_NUM) 525 return 0; 526 527 ossl_qrl_enc_level_set_discard(&qrx->el_set, enc_level); 528 return 1; 529 } 530 531 /* Returns 1 if there are one or more pending RXEs. */ 532 int ossl_qrx_processed_read_pending(OSSL_QRX *qrx) 533 { 534 return !ossl_list_rxe_is_empty(&qrx->rx_pending); 535 } 536 537 /* Returns 1 if there are yet-unprocessed packets. */ 538 int ossl_qrx_unprocessed_read_pending(OSSL_QRX *qrx) 539 { 540 return !ossl_list_urxe_is_empty(&qrx->urx_pending) 541 || !ossl_list_urxe_is_empty(&qrx->urx_deferred); 542 } 543 544 /* Pop the next pending RXE. Returns NULL if no RXE is pending. */ 545 static RXE *qrx_pop_pending_rxe(OSSL_QRX *qrx) 546 { 547 RXE *rxe = ossl_list_rxe_head(&qrx->rx_pending); 548 549 if (rxe == NULL) 550 return NULL; 551 552 ossl_list_rxe_remove(&qrx->rx_pending, rxe); 553 return rxe; 554 } 555 556 /* Allocate a new RXE. */ 557 static RXE *qrx_alloc_rxe(size_t alloc_len) 558 { 559 RXE *rxe; 560 561 if (alloc_len >= SIZE_MAX - sizeof(RXE)) 562 return NULL; 563 564 rxe = OPENSSL_malloc(sizeof(RXE) + alloc_len); 565 if (rxe == NULL) 566 return NULL; 567 568 ossl_list_rxe_init_elem(rxe); 569 rxe->alloc_len = alloc_len; 570 rxe->data_len = 0; 571 rxe->refcount = 0; 572 return rxe; 573 } 574 575 /* 576 * Ensures there is at least one RXE in the RX free list, allocating a new entry 577 * if necessary. The returned RXE is in the RX free list; it is not popped. 578 * 579 * alloc_len is a hint which may be used to determine the RXE size if allocation 580 * is necessary. Returns NULL on allocation failure. 581 */ 582 static RXE *qrx_ensure_free_rxe(OSSL_QRX *qrx, size_t alloc_len) 583 { 584 RXE *rxe; 585 586 if (ossl_list_rxe_head(&qrx->rx_free) != NULL) 587 return ossl_list_rxe_head(&qrx->rx_free); 588 589 rxe = qrx_alloc_rxe(alloc_len); 590 if (rxe == NULL) 591 return NULL; 592 593 ossl_list_rxe_insert_tail(&qrx->rx_free, rxe); 594 return rxe; 595 } 596 597 /* 598 * Resize the data buffer attached to an RXE to be n bytes in size. The address 599 * of the RXE might change; the new address is returned, or NULL on failure, in 600 * which case the original RXE remains valid. 601 */ 602 static RXE *qrx_resize_rxe(RXE_LIST *rxl, RXE *rxe, size_t n) 603 { 604 RXE *rxe2, *p; 605 606 /* Should never happen. */ 607 if (rxe == NULL) 608 return NULL; 609 610 if (n >= SIZE_MAX - sizeof(RXE)) 611 return NULL; 612 613 /* Remove the item from the list to avoid accessing freed memory */ 614 p = ossl_list_rxe_prev(rxe); 615 ossl_list_rxe_remove(rxl, rxe); 616 617 /* Should never resize an RXE which has been handed out. */ 618 if (!ossl_assert(rxe->refcount == 0)) 619 return NULL; 620 621 /* 622 * NOTE: We do not clear old memory, although it does contain decrypted 623 * data. 624 */ 625 rxe2 = OPENSSL_realloc(rxe, sizeof(RXE) + n); 626 if (rxe2 == NULL) { 627 /* Resize failed, restore old allocation. */ 628 if (p == NULL) 629 ossl_list_rxe_insert_head(rxl, rxe); 630 else 631 ossl_list_rxe_insert_after(rxl, p, rxe); 632 return NULL; 633 } 634 635 if (p == NULL) 636 ossl_list_rxe_insert_head(rxl, rxe2); 637 else 638 ossl_list_rxe_insert_after(rxl, p, rxe2); 639 640 rxe2->alloc_len = n; 641 return rxe2; 642 } 643 644 /* 645 * Ensure the data buffer attached to an RXE is at least n bytes in size. 646 * Returns NULL on failure. 647 */ 648 static RXE *qrx_reserve_rxe(RXE_LIST *rxl, 649 RXE *rxe, size_t n) 650 { 651 if (rxe->alloc_len >= n) 652 return rxe; 653 654 return qrx_resize_rxe(rxl, rxe, n); 655 } 656 657 /* Return a RXE handed out to the user back to our freelist. */ 658 static void qrx_recycle_rxe(OSSL_QRX *qrx, RXE *rxe) 659 { 660 /* RXE should not be in any list */ 661 assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL); 662 rxe->pkt.hdr = NULL; 663 rxe->pkt.peer = NULL; 664 rxe->pkt.local = NULL; 665 ossl_list_rxe_insert_tail(&qrx->rx_free, rxe); 666 } 667 668 /* 669 * Given a pointer to a pointer pointing to a buffer and the size of that 670 * buffer, copy the buffer into *prxe, expanding the RXE if necessary (its 671 * pointer may change due to realloc). *pi is the offset in bytes to copy the 672 * buffer to, and on success is updated to be the offset pointing after the 673 * copied buffer. *pptr is updated to point to the new location of the buffer. 674 */ 675 static int qrx_relocate_buffer(OSSL_QRX *qrx, RXE **prxe, size_t *pi, 676 const unsigned char **pptr, size_t buf_len) 677 { 678 RXE *rxe; 679 unsigned char *dst; 680 681 if (!buf_len) 682 return 1; 683 684 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, *prxe, *pi + buf_len)) == NULL) 685 return 0; 686 687 *prxe = rxe; 688 dst = (unsigned char *)rxe_data(rxe) + *pi; 689 690 memcpy(dst, *pptr, buf_len); 691 *pi += buf_len; 692 *pptr = dst; 693 return 1; 694 } 695 696 static uint32_t qrx_determine_enc_level(const QUIC_PKT_HDR *hdr) 697 { 698 switch (hdr->type) { 699 case QUIC_PKT_TYPE_INITIAL: 700 return QUIC_ENC_LEVEL_INITIAL; 701 case QUIC_PKT_TYPE_HANDSHAKE: 702 return QUIC_ENC_LEVEL_HANDSHAKE; 703 case QUIC_PKT_TYPE_0RTT: 704 return QUIC_ENC_LEVEL_0RTT; 705 case QUIC_PKT_TYPE_1RTT: 706 return QUIC_ENC_LEVEL_1RTT; 707 708 default: 709 assert(0); 710 case QUIC_PKT_TYPE_RETRY: 711 case QUIC_PKT_TYPE_VERSION_NEG: 712 return QUIC_ENC_LEVEL_INITIAL; /* not used */ 713 } 714 } 715 716 static uint32_t rxe_determine_pn_space(RXE *rxe) 717 { 718 uint32_t enc_level; 719 720 enc_level = qrx_determine_enc_level(&rxe->hdr); 721 return ossl_quic_enc_level_to_pn_space(enc_level); 722 } 723 724 static int qrx_validate_hdr_early(OSSL_QRX *qrx, RXE *rxe, 725 const QUIC_CONN_ID *first_dcid) 726 { 727 /* Ensure version is what we want. */ 728 if (rxe->hdr.version != QUIC_VERSION_1 729 && rxe->hdr.version != QUIC_VERSION_NONE) 730 return 0; 731 732 /* Clients should never receive 0-RTT packets. */ 733 if (rxe->hdr.type == QUIC_PKT_TYPE_0RTT) 734 return 0; 735 736 /* Version negotiation and retry packets must be the first packet. */ 737 if (first_dcid != NULL && !ossl_quic_pkt_type_can_share_dgram(rxe->hdr.type)) 738 return 0; 739 740 /* 741 * If this is not the first packet in a datagram, the destination connection 742 * ID must match the one in that packet. 743 */ 744 if (first_dcid != NULL) { 745 if (!ossl_assert(first_dcid->id_len < QUIC_MAX_CONN_ID_LEN) 746 || !ossl_quic_conn_id_eq(first_dcid, 747 &rxe->hdr.dst_conn_id)) 748 return 0; 749 } 750 751 return 1; 752 } 753 754 /* Validate header and decode PN. */ 755 static int qrx_validate_hdr(OSSL_QRX *qrx, RXE *rxe) 756 { 757 int pn_space = rxe_determine_pn_space(rxe); 758 759 if (!ossl_quic_wire_decode_pkt_hdr_pn(rxe->hdr.pn, rxe->hdr.pn_len, 760 qrx->largest_pn[pn_space], 761 &rxe->pn)) 762 return 0; 763 764 return 1; 765 } 766 767 /* Late packet header validation. */ 768 static int qrx_validate_hdr_late(OSSL_QRX *qrx, RXE *rxe) 769 { 770 int pn_space = rxe_determine_pn_space(rxe); 771 772 /* 773 * Allow our user to decide whether to discard the packet before we try and 774 * decrypt it. 775 */ 776 if (qrx->validation_cb != NULL 777 && !qrx->validation_cb(rxe->pn, pn_space, qrx->validation_cb_arg)) 778 return 0; 779 780 return 1; 781 } 782 783 /* 784 * Retrieves the correct cipher context for an EL and key phase. Writes the key 785 * epoch number actually used for packet decryption to *rx_key_epoch. 786 */ 787 static size_t qrx_get_cipher_ctx_idx(OSSL_QRX *qrx, OSSL_QRL_ENC_LEVEL *el, 788 uint32_t enc_level, 789 unsigned char key_phase_bit, 790 uint64_t *rx_key_epoch, 791 int *is_old_key) 792 { 793 size_t idx; 794 795 *is_old_key = 0; 796 797 if (enc_level != QUIC_ENC_LEVEL_1RTT) { 798 *rx_key_epoch = 0; 799 return 0; 800 } 801 802 if (!ossl_assert(key_phase_bit <= 1)) 803 return SIZE_MAX; 804 805 /* 806 * RFC 9001 requires that we not create timing channels which could reveal 807 * the decrypted value of the Key Phase bit. We usually handle this by 808 * keeping the cipher contexts for both the current and next key epochs 809 * around, so that we just select a cipher context blindly using the key 810 * phase bit, which is time-invariant. 811 * 812 * In the COOLDOWN state, we only have one keyslot/cipher context. RFC 9001 813 * suggests an implementation strategy to avoid creating a timing channel in 814 * this case: 815 * 816 * Endpoints can use randomized packet protection keys in place of 817 * discarded keys when key updates are not yet permitted. 818 * 819 * Rather than use a randomised key, we simply use our existing key as it 820 * will fail AEAD verification anyway. This avoids the need to keep around a 821 * dedicated garbage key. 822 * 823 * Note: Accessing different cipher contexts is technically not 824 * timing-channel safe due to microarchitectural side channels, but this is 825 * the best we can reasonably do and appears to be directly suggested by the 826 * RFC. 827 */ 828 idx = (el->state == QRL_EL_STATE_PROV_COOLDOWN ? el->key_epoch & 1 829 : key_phase_bit); 830 831 /* 832 * We also need to determine the key epoch number which this index 833 * corresponds to. This is so we can report the key epoch number in the 834 * OSSL_QRX_PKT structure, which callers need to validate whether it was OK 835 * for a packet to be sent using a given key epoch's keys. 836 */ 837 switch (el->state) { 838 case QRL_EL_STATE_PROV_NORMAL: 839 /* 840 * If we are in the NORMAL state, usually the KP bit will match the LSB 841 * of our key epoch, meaning no new key update is being signalled. If it 842 * does not match, this means the packet (purports to) belong to 843 * the next key epoch. 844 * 845 * IMPORTANT: The AEAD tag has not been verified yet when this function 846 * is called, so this code must be timing-channel safe, hence use of 847 * XOR. Moreover, the value output below is not yet authenticated. 848 */ 849 *rx_key_epoch 850 = el->key_epoch + ((el->key_epoch & 1) ^ (uint64_t)key_phase_bit); 851 break; 852 853 case QRL_EL_STATE_PROV_UPDATING: 854 /* 855 * If we are in the UPDATING state, usually the KP bit will match the 856 * LSB of our key epoch. If it does not match, this means that the 857 * packet (purports to) belong to the previous key epoch. 858 * 859 * As above, must be timing-channel safe. 860 */ 861 *is_old_key = (el->key_epoch & 1) ^ (uint64_t)key_phase_bit; 862 *rx_key_epoch = el->key_epoch - (uint64_t)*is_old_key; 863 break; 864 865 case QRL_EL_STATE_PROV_COOLDOWN: 866 /* 867 * If we are in COOLDOWN, there is only one key epoch we can possibly 868 * decrypt with, so just try that. If AEAD decryption fails, the 869 * value we output here isn't used anyway. 870 */ 871 *rx_key_epoch = el->key_epoch; 872 break; 873 } 874 875 return idx; 876 } 877 878 /* 879 * Tries to decrypt a packet payload. 880 * 881 * Returns 1 on success or 0 on failure (which is permanent). The payload is 882 * decrypted from src and written to dst. The buffer dst must be of at least 883 * src_len bytes in length. The actual length of the output in bytes is written 884 * to *dec_len on success, which will always be equal to or less than (usually 885 * less than) src_len. 886 */ 887 static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst, 888 const unsigned char *src, 889 size_t src_len, size_t *dec_len, 890 const unsigned char *aad, size_t aad_len, 891 QUIC_PN pn, uint32_t enc_level, 892 unsigned char key_phase_bit, 893 uint64_t *rx_key_epoch) 894 { 895 int l = 0, l2 = 0, is_old_key, nonce_len; 896 unsigned char nonce[EVP_MAX_IV_LENGTH]; 897 size_t i, cctx_idx; 898 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, 899 enc_level, 1); 900 EVP_CIPHER_CTX *cctx; 901 902 if (src_len > INT_MAX || aad_len > INT_MAX) 903 return 0; 904 905 /* We should not have been called if we do not have key material. */ 906 if (!ossl_assert(el != NULL)) 907 return 0; 908 909 if (el->tag_len >= src_len) 910 return 0; 911 912 /* 913 * If we have failed to authenticate a certain number of ciphertexts, refuse 914 * to decrypt any more ciphertexts. 915 */ 916 if (qrx->forged_pkt_count >= ossl_qrl_get_suite_max_forged_pkt(el->suite_id)) 917 return 0; 918 919 cctx_idx = qrx_get_cipher_ctx_idx(qrx, el, enc_level, key_phase_bit, 920 rx_key_epoch, &is_old_key); 921 if (!ossl_assert(cctx_idx < OSSL_NELEM(el->cctx))) 922 return 0; 923 924 if (is_old_key && pn >= qrx->cur_epoch_start_pn) 925 /* 926 * RFC 9001 s. 5.5: Once an endpoint successfully receives a packet with 927 * a given PN, it MUST discard all packets in the same PN space with 928 * higher PNs if they cannot be successfully unprotected with the same 929 * key, or -- if there is a key update -- a subsequent packet protection 930 * key. 931 * 932 * In other words, once a PN x triggers a KU, it is invalid for us to 933 * receive a packet with a newer PN y (y > x) using the old keys. 934 */ 935 return 0; 936 937 cctx = el->cctx[cctx_idx]; 938 939 /* Construct nonce (nonce=IV ^ PN). */ 940 nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx); 941 if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN))) 942 return 0; 943 944 memcpy(nonce, el->iv[cctx_idx], nonce_len); 945 for (i = 0; i < sizeof(QUIC_PN); ++i) 946 nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8)); 947 948 /* type and key will already have been setup; feed the IV. */ 949 if (EVP_CipherInit_ex(cctx, NULL, 950 NULL, NULL, nonce, /*enc=*/0) 951 != 1) 952 return 0; 953 954 /* Feed the AEAD tag we got so the cipher can validate it. */ 955 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG, 956 el->tag_len, 957 (unsigned char *)src + src_len - el->tag_len) 958 != 1) 959 return 0; 960 961 /* Feed AAD data. */ 962 if (EVP_CipherUpdate(cctx, NULL, &l, aad, aad_len) != 1) 963 return 0; 964 965 /* Feed encrypted packet body. */ 966 if (EVP_CipherUpdate(cctx, dst, &l, src, src_len - el->tag_len) != 1) 967 return 0; 968 969 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 970 /* 971 * Throw away what we just decrypted and just use the ciphertext instead 972 * (which should be unencrypted) 973 */ 974 memcpy(dst, src, l); 975 976 /* Pretend to authenticate the tag but ignore it */ 977 if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { 978 /* We don't care */ 979 } 980 #else 981 /* Ensure authentication succeeded. */ 982 if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { 983 /* Authentication failed, increment failed auth counter. */ 984 ++qrx->forged_pkt_count; 985 return 0; 986 } 987 #endif 988 989 *dec_len = l; 990 return 1; 991 } 992 993 static ossl_inline void ignore_res(int x) 994 { 995 /* No-op. */ 996 } 997 998 static void qrx_key_update_initiated(OSSL_QRX *qrx, QUIC_PN pn) 999 { 1000 if (!ossl_qrl_enc_level_set_key_update(&qrx->el_set, QUIC_ENC_LEVEL_1RTT)) 1001 /* We are already in RXKU, so we don't call the callback again. */ 1002 return; 1003 1004 qrx->cur_epoch_start_pn = pn; 1005 1006 if (qrx->key_update_cb != NULL) 1007 qrx->key_update_cb(pn, qrx->key_update_cb_arg); 1008 } 1009 1010 /* Process a single packet in a datagram. */ 1011 static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, 1012 PACKET *pkt, size_t pkt_idx, 1013 QUIC_CONN_ID *first_dcid, 1014 size_t datagram_len) 1015 { 1016 RXE *rxe; 1017 const unsigned char *eop = NULL; 1018 size_t i, aad_len = 0, dec_len = 0; 1019 PACKET orig_pkt = *pkt; 1020 const unsigned char *sop = PACKET_data(pkt); 1021 unsigned char *dst; 1022 char need_second_decode = 0, already_processed = 0; 1023 QUIC_PKT_HDR_PTRS ptrs; 1024 uint32_t pn_space, enc_level; 1025 OSSL_QRL_ENC_LEVEL *el = NULL; 1026 uint64_t rx_key_epoch = UINT64_MAX; 1027 1028 /* 1029 * Get a free RXE. If we need to allocate a new one, use the packet length 1030 * as a good ballpark figure. 1031 */ 1032 rxe = qrx_ensure_free_rxe(qrx, PACKET_remaining(pkt)); 1033 if (rxe == NULL) 1034 /* 1035 * Allocation failure, treat as malformed as we cannot process this 1036 * packet. The header has not been read yet so we do not know the 1037 * packet size and cannot skip just this packet, so we drop the rest of 1038 * the datagram instead. 1039 */ 1040 goto malformed; 1041 1042 /* Have we already processed this packet? */ 1043 if (pkt_is_marked(&urxe->processed, pkt_idx)) 1044 already_processed = 1; 1045 1046 /* 1047 * Decode the header into the RXE structure. We first decrypt and read the 1048 * unprotected part of the packet header (unless we already removed header 1049 * protection, in which case we decode all of it). 1050 */ 1051 need_second_decode = !pkt_is_marked(&urxe->hpr_removed, pkt_idx); 1052 if (!ossl_quic_wire_decode_pkt_hdr(pkt, 1053 qrx->short_conn_id_len, 1054 need_second_decode, 0, &rxe->hdr, &ptrs, 1055 NULL)) 1056 goto malformed; 1057 1058 /* 1059 * Our successful decode above included an intelligible length and the 1060 * PACKET is now pointing to the end of the QUIC packet. 1061 */ 1062 eop = PACKET_data(pkt); 1063 1064 /* 1065 * Make a note of the first packet's DCID so we can later ensure the 1066 * destination connection IDs of all packets in a datagram match. 1067 */ 1068 if (pkt_idx == 0) 1069 *first_dcid = rxe->hdr.dst_conn_id; 1070 1071 /* 1072 * Early header validation. Since we now know the packet length, we can also 1073 * now skip over it if we already processed it. 1074 */ 1075 if (already_processed 1076 || !qrx_validate_hdr_early(qrx, rxe, pkt_idx == 0 ? NULL : first_dcid)) 1077 /* 1078 * Already processed packets are handled identically to malformed 1079 * packets; i.e., they are ignored. 1080 */ 1081 goto malformed; 1082 1083 if (!ossl_quic_pkt_type_is_encrypted(rxe->hdr.type)) { 1084 /* 1085 * Version negotiation and retry packets are a special case. They do not 1086 * contain a payload which needs decrypting and have no header 1087 * protection. 1088 */ 1089 1090 /* Just copy the payload from the URXE to the RXE. */ 1091 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len)) == NULL) 1092 /* 1093 * Allocation failure. EOP will be pointing to the end of the 1094 * datagram so processing of this datagram will end here. 1095 */ 1096 goto malformed; 1097 1098 /* We are now committed to returning the packet. */ 1099 memcpy(rxe_data(rxe), rxe->hdr.data, rxe->hdr.len); 1100 pkt_mark(&urxe->processed, pkt_idx); 1101 1102 rxe->hdr.data = rxe_data(rxe); 1103 rxe->pn = QUIC_PN_INVALID; 1104 1105 rxe->data_len = rxe->hdr.len; 1106 rxe->datagram_len = datagram_len; 1107 rxe->key_epoch = 0; 1108 rxe->peer = urxe->peer; 1109 rxe->local = urxe->local; 1110 rxe->time = urxe->time; 1111 rxe->datagram_id = urxe->datagram_id; 1112 1113 /* Move RXE to pending. */ 1114 ossl_list_rxe_remove(&qrx->rx_free, rxe); 1115 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe); 1116 return 0; /* success, did not defer */ 1117 } 1118 1119 /* Determine encryption level of packet. */ 1120 enc_level = qrx_determine_enc_level(&rxe->hdr); 1121 1122 /* If we do not have keying material for this encryption level yet, defer. */ 1123 switch (ossl_qrl_enc_level_set_have_el(&qrx->el_set, enc_level)) { 1124 case 1: 1125 /* We have keys. */ 1126 if (enc_level == QUIC_ENC_LEVEL_1RTT && !qrx->allow_1rtt) 1127 /* 1128 * But we cannot process 1-RTT packets until the handshake is 1129 * completed (RFC 9000 s. 5.7). 1130 */ 1131 goto cannot_decrypt; 1132 1133 break; 1134 case 0: 1135 /* No keys yet. */ 1136 goto cannot_decrypt; 1137 default: 1138 /* We already discarded keys for this EL, we will never process this.*/ 1139 goto malformed; 1140 } 1141 1142 /* 1143 * We will copy any token included in the packet to the start of our RXE 1144 * data buffer (so that we don't reference the URXE buffer any more and can 1145 * recycle it). Track our position in the RXE buffer by index instead of 1146 * pointer as the pointer may change as reallocs occur. 1147 */ 1148 i = 0; 1149 1150 /* 1151 * rxe->hdr.data is now pointing at the (encrypted) packet payload. rxe->hdr 1152 * also has fields pointing into the PACKET buffer which will be going away 1153 * soon (the URXE will be reused for another incoming packet). 1154 * 1155 * Firstly, relocate some of these fields into the RXE as needed. 1156 * 1157 * Relocate token buffer and fix pointer. 1158 */ 1159 if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) { 1160 const unsigned char *token = rxe->hdr.token; 1161 1162 /* 1163 * This may change the value of rxe and change the value of the token 1164 * pointer as well. So we must make a temporary copy of the pointer to 1165 * the token, and then copy it back into the new location of the rxe 1166 */ 1167 if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len)) 1168 goto malformed; 1169 1170 rxe->hdr.token = token; 1171 } 1172 1173 /* Now remove header protection. */ 1174 *pkt = orig_pkt; 1175 1176 el = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1); 1177 assert(el != NULL); /* Already checked above */ 1178 1179 if (need_second_decode) { 1180 if (!ossl_quic_hdr_protector_decrypt(&el->hpr, &ptrs)) 1181 goto malformed; 1182 1183 /* 1184 * We have removed header protection, so don't attempt to do it again if 1185 * the packet gets deferred and processed again. 1186 */ 1187 pkt_mark(&urxe->hpr_removed, pkt_idx); 1188 1189 /* Decode the now unprotected header. */ 1190 if (ossl_quic_wire_decode_pkt_hdr(pkt, qrx->short_conn_id_len, 1191 0, 0, &rxe->hdr, NULL, NULL) 1192 != 1) 1193 goto malformed; 1194 } 1195 1196 /* Validate header and decode PN. */ 1197 if (!qrx_validate_hdr(qrx, rxe)) 1198 goto malformed; 1199 1200 if (qrx->msg_callback != NULL) 1201 qrx->msg_callback(0, OSSL_QUIC1_VERSION, SSL3_RT_QUIC_PACKET, sop, 1202 eop - sop - rxe->hdr.len, qrx->msg_callback_ssl, 1203 qrx->msg_callback_arg); 1204 1205 /* 1206 * The AAD data is the entire (unprotected) packet header including the PN. 1207 * The packet header has been unprotected in place, so we can just reuse the 1208 * PACKET buffer. The header ends where the payload begins. 1209 */ 1210 aad_len = rxe->hdr.data - sop; 1211 1212 /* Ensure the RXE buffer size is adequate for our payload. */ 1213 if ((rxe = qrx_reserve_rxe(&qrx->rx_free, rxe, rxe->hdr.len + i)) == NULL) { 1214 /* 1215 * Allocation failure, treat as malformed and do not bother processing 1216 * any further packets in the datagram as they are likely to also 1217 * encounter allocation failures. 1218 */ 1219 eop = NULL; 1220 goto malformed; 1221 } 1222 1223 /* 1224 * We decrypt the packet body to immediately after the token at the start of 1225 * the RXE buffer (where present). 1226 * 1227 * Do the decryption from the PACKET (which points into URXE memory) to our 1228 * RXE payload (single-copy decryption), then fixup the pointers in the 1229 * header to point to our new buffer. 1230 * 1231 * If decryption fails this is considered a permanent error; we defer 1232 * packets we don't yet have decryption keys for above, so if this fails, 1233 * something has gone wrong with the handshake process or a packet has been 1234 * corrupted. 1235 */ 1236 dst = (unsigned char *)rxe_data(rxe) + i; 1237 if (!qrx_decrypt_pkt_body(qrx, dst, rxe->hdr.data, rxe->hdr.len, 1238 &dec_len, sop, aad_len, rxe->pn, enc_level, 1239 rxe->hdr.key_phase, &rx_key_epoch)) 1240 goto malformed; 1241 1242 /* 1243 * ----------------------------------------------------- 1244 * IMPORTANT: ANYTHING ABOVE THIS LINE IS UNVERIFIED 1245 * AND MUST BE TIMING-CHANNEL SAFE. 1246 * ----------------------------------------------------- 1247 * 1248 * At this point, we have successfully authenticated the AEAD tag and no 1249 * longer need to worry about exposing the PN, PN length or Key Phase bit in 1250 * timing channels. Invoke any configured validation callback to allow for 1251 * rejection of duplicate PNs. 1252 */ 1253 if (!qrx_validate_hdr_late(qrx, rxe)) 1254 goto malformed; 1255 1256 /* Check for a Key Phase bit differing from our expectation. */ 1257 if (rxe->hdr.type == QUIC_PKT_TYPE_1RTT 1258 && rxe->hdr.key_phase != (el->key_epoch & 1)) 1259 qrx_key_update_initiated(qrx, rxe->pn); 1260 1261 /* 1262 * We have now successfully decrypted the packet payload. If there are 1263 * additional packets in the datagram, it is possible we will fail to 1264 * decrypt them and need to defer them until we have some key material we 1265 * don't currently possess. If this happens, the URXE will be moved to the 1266 * deferred queue. Since a URXE corresponds to one datagram, which may 1267 * contain multiple packets, we must ensure any packets we have already 1268 * processed in the URXE are not processed again (this is an RFC 1269 * requirement). We do this by marking the nth packet in the datagram as 1270 * processed. 1271 * 1272 * We are now committed to returning this decrypted packet to the user, 1273 * meaning we now consider the packet processed and must mark it 1274 * accordingly. 1275 */ 1276 pkt_mark(&urxe->processed, pkt_idx); 1277 1278 /* 1279 * Update header to point to the decrypted buffer, which may be shorter 1280 * due to AEAD tags, block padding, etc. 1281 */ 1282 rxe->hdr.data = dst; 1283 rxe->hdr.len = dec_len; 1284 rxe->data_len = dec_len; 1285 rxe->datagram_len = datagram_len; 1286 rxe->key_epoch = rx_key_epoch; 1287 1288 /* We processed the PN successfully, so update largest processed PN. */ 1289 pn_space = rxe_determine_pn_space(rxe); 1290 if (rxe->pn > qrx->largest_pn[pn_space]) 1291 qrx->largest_pn[pn_space] = rxe->pn; 1292 1293 /* Copy across network addresses and RX time from URXE to RXE. */ 1294 rxe->peer = urxe->peer; 1295 rxe->local = urxe->local; 1296 rxe->time = urxe->time; 1297 rxe->datagram_id = urxe->datagram_id; 1298 1299 /* Move RXE to pending. */ 1300 ossl_list_rxe_remove(&qrx->rx_free, rxe); 1301 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe); 1302 return 0; /* success, did not defer; not distinguished from failure */ 1303 1304 cannot_decrypt: 1305 /* 1306 * We cannot process this packet right now (but might be able to later). We 1307 * MUST attempt to process any other packets in the datagram, so defer it 1308 * and skip over it. 1309 */ 1310 assert(eop != NULL && eop >= PACKET_data(pkt)); 1311 /* 1312 * We don't care if this fails as it will just result in the packet being at 1313 * the end of the datagram buffer. 1314 */ 1315 ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt))); 1316 return 1; /* deferred */ 1317 1318 malformed: 1319 if (eop != NULL) { 1320 /* 1321 * This packet cannot be processed and will never be processable. We 1322 * were at least able to decode its header and determine its length, so 1323 * we can skip over it and try to process any subsequent packets in the 1324 * datagram. 1325 * 1326 * Mark as processed as an optimization. 1327 */ 1328 assert(eop >= PACKET_data(pkt)); 1329 pkt_mark(&urxe->processed, pkt_idx); 1330 /* We don't care if this fails (see above) */ 1331 ignore_res(PACKET_forward(pkt, eop - PACKET_data(pkt))); 1332 } else { 1333 /* 1334 * This packet cannot be processed and will never be processable. 1335 * Because even its header is not intelligible, we cannot examine any 1336 * further packets in the datagram because its length cannot be 1337 * discerned. 1338 * 1339 * Advance over the entire remainder of the datagram, and mark it as 1340 * processed as an optimization. 1341 */ 1342 pkt_mark(&urxe->processed, pkt_idx); 1343 /* We don't care if this fails (see above) */ 1344 ignore_res(PACKET_forward(pkt, PACKET_remaining(pkt))); 1345 } 1346 return 0; /* failure, did not defer; not distinguished from success */ 1347 } 1348 1349 /* Process a datagram which was received. */ 1350 static int qrx_process_datagram(OSSL_QRX *qrx, QUIC_URXE *e, 1351 const unsigned char *data, 1352 size_t data_len) 1353 { 1354 int have_deferred = 0; 1355 PACKET pkt; 1356 size_t pkt_idx = 0; 1357 QUIC_CONN_ID first_dcid = { 255 }; 1358 1359 qrx->bytes_received += data_len; 1360 1361 if (!PACKET_buf_init(&pkt, data, data_len)) 1362 return 0; 1363 1364 for (; PACKET_remaining(&pkt) > 0; ++pkt_idx) { 1365 /* 1366 * A packet smaller than the minimum possible QUIC packet size is not 1367 * considered valid. We also ignore more than a certain number of 1368 * packets within the same datagram. 1369 */ 1370 if (PACKET_remaining(&pkt) < QUIC_MIN_VALID_PKT_LEN 1371 || pkt_idx >= QUIC_MAX_PKT_PER_URXE) 1372 break; 1373 1374 /* 1375 * We note whether packet processing resulted in a deferral since 1376 * this means we need to move the URXE to the deferred list rather 1377 * than the free list after we're finished dealing with it for now. 1378 * 1379 * However, we don't otherwise care here whether processing succeeded or 1380 * failed, as the RFC says even if a packet in a datagram is malformed, 1381 * we should still try to process any packets following it. 1382 * 1383 * In the case where the packet is so malformed we can't determine its 1384 * length, qrx_process_pkt will take care of advancing to the end of 1385 * the packet, so we will exit the loop automatically in this case. 1386 */ 1387 if (qrx_process_pkt(qrx, e, &pkt, pkt_idx, &first_dcid, data_len)) 1388 have_deferred = 1; 1389 } 1390 1391 /* Only report whether there were any deferrals. */ 1392 return have_deferred; 1393 } 1394 1395 /* Process a single pending URXE. */ 1396 static int qrx_process_one_urxe(OSSL_QRX *qrx, QUIC_URXE *e) 1397 { 1398 int was_deferred; 1399 1400 /* The next URXE we process should be at the head of the pending list. */ 1401 if (!ossl_assert(e == ossl_list_urxe_head(&qrx->urx_pending))) 1402 return 0; 1403 1404 /* 1405 * Attempt to process the datagram. The return value indicates only if 1406 * processing of the datagram was deferred. If we failed to process the 1407 * datagram, we do not attempt to process it again and silently eat the 1408 * error. 1409 */ 1410 was_deferred = qrx_process_datagram(qrx, e, ossl_quic_urxe_data(e), 1411 e->data_len); 1412 1413 /* 1414 * Remove the URXE from the pending list and return it to 1415 * either the free or deferred list. 1416 */ 1417 ossl_list_urxe_remove(&qrx->urx_pending, e); 1418 if (was_deferred > 0 && (e->deferred || qrx->num_deferred < qrx->max_deferred)) { 1419 ossl_list_urxe_insert_tail(&qrx->urx_deferred, e); 1420 if (!e->deferred) { 1421 e->deferred = 1; 1422 ++qrx->num_deferred; 1423 } 1424 } else { 1425 if (e->deferred) { 1426 e->deferred = 0; 1427 --qrx->num_deferred; 1428 } 1429 ossl_quic_demux_release_urxe(qrx->demux, e); 1430 } 1431 1432 return 1; 1433 } 1434 1435 /* Process any pending URXEs to generate pending RXEs. */ 1436 static int qrx_process_pending_urxl(OSSL_QRX *qrx) 1437 { 1438 QUIC_URXE *e; 1439 1440 while ((e = ossl_list_urxe_head(&qrx->urx_pending)) != NULL) 1441 if (!qrx_process_one_urxe(qrx, e)) 1442 return 0; 1443 1444 return 1; 1445 } 1446 1447 int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT **ppkt) 1448 { 1449 RXE *rxe; 1450 1451 if (!ossl_qrx_processed_read_pending(qrx)) { 1452 if (!qrx_process_pending_urxl(qrx)) 1453 return 0; 1454 1455 if (!ossl_qrx_processed_read_pending(qrx)) 1456 return 0; 1457 } 1458 1459 rxe = qrx_pop_pending_rxe(qrx); 1460 if (!ossl_assert(rxe != NULL)) 1461 return 0; 1462 1463 assert(rxe->refcount == 0); 1464 rxe->refcount = 1; 1465 1466 rxe->pkt.hdr = &rxe->hdr; 1467 rxe->pkt.pn = rxe->pn; 1468 rxe->pkt.time = rxe->time; 1469 rxe->pkt.datagram_len = rxe->datagram_len; 1470 rxe->pkt.peer 1471 = BIO_ADDR_family(&rxe->peer) != AF_UNSPEC ? &rxe->peer : NULL; 1472 rxe->pkt.local 1473 = BIO_ADDR_family(&rxe->local) != AF_UNSPEC ? &rxe->local : NULL; 1474 rxe->pkt.key_epoch = rxe->key_epoch; 1475 rxe->pkt.datagram_id = rxe->datagram_id; 1476 rxe->pkt.qrx = qrx; 1477 *ppkt = &rxe->pkt; 1478 1479 return 1; 1480 } 1481 1482 void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt) 1483 { 1484 RXE *rxe; 1485 1486 if (pkt == NULL) 1487 return; 1488 1489 rxe = (RXE *)pkt; 1490 assert(rxe->refcount > 0); 1491 if (--rxe->refcount == 0) 1492 qrx_recycle_rxe(pkt->qrx, rxe); 1493 } 1494 1495 void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt) 1496 { 1497 RXE *rxe; 1498 1499 if (pkt == NULL) 1500 return; 1501 rxe = (RXE *)pkt; 1502 assert(rxe->refcount > 0); 1503 rxe->refcount--; 1504 assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL); 1505 return; 1506 } 1507 1508 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt) 1509 { 1510 RXE *rxe = (RXE *)pkt; 1511 1512 assert(rxe->refcount > 0); 1513 ++rxe->refcount; 1514 } 1515 1516 uint64_t ossl_qrx_get_bytes_received(OSSL_QRX *qrx, int clear) 1517 { 1518 uint64_t v = qrx->bytes_received; 1519 1520 if (clear) 1521 qrx->bytes_received = 0; 1522 1523 return v; 1524 } 1525 1526 int ossl_qrx_set_late_validation_cb(OSSL_QRX *qrx, 1527 ossl_qrx_late_validation_cb *cb, 1528 void *cb_arg) 1529 { 1530 qrx->validation_cb = cb; 1531 qrx->validation_cb_arg = cb_arg; 1532 return 1; 1533 } 1534 1535 int ossl_qrx_set_key_update_cb(OSSL_QRX *qrx, 1536 ossl_qrx_key_update_cb *cb, 1537 void *cb_arg) 1538 { 1539 qrx->key_update_cb = cb; 1540 qrx->key_update_cb_arg = cb_arg; 1541 return 1; 1542 } 1543 1544 uint64_t ossl_qrx_get_key_epoch(OSSL_QRX *qrx) 1545 { 1546 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, 1547 QUIC_ENC_LEVEL_1RTT, 1); 1548 1549 return el == NULL ? UINT64_MAX : el->key_epoch; 1550 } 1551 1552 int ossl_qrx_key_update_timeout(OSSL_QRX *qrx, int normal) 1553 { 1554 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, 1555 QUIC_ENC_LEVEL_1RTT, 1); 1556 1557 if (el == NULL) 1558 return 0; 1559 1560 if (el->state == QRL_EL_STATE_PROV_UPDATING 1561 && !ossl_qrl_enc_level_set_key_update_done(&qrx->el_set, 1562 QUIC_ENC_LEVEL_1RTT)) 1563 return 0; 1564 1565 if (normal && el->state == QRL_EL_STATE_PROV_COOLDOWN 1566 && !ossl_qrl_enc_level_set_key_cooldown_done(&qrx->el_set, 1567 QUIC_ENC_LEVEL_1RTT)) 1568 return 0; 1569 1570 return 1; 1571 } 1572 1573 uint64_t ossl_qrx_get_cur_forged_pkt_count(OSSL_QRX *qrx) 1574 { 1575 return qrx->forged_pkt_count; 1576 } 1577 1578 uint64_t ossl_qrx_get_max_forged_pkt_count(OSSL_QRX *qrx, 1579 uint32_t enc_level) 1580 { 1581 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, 1582 enc_level, 1); 1583 1584 return el == NULL ? UINT64_MAX 1585 : ossl_qrl_get_suite_max_forged_pkt(el->suite_id); 1586 } 1587 1588 void ossl_qrx_allow_1rtt_processing(OSSL_QRX *qrx) 1589 { 1590 if (qrx->allow_1rtt) 1591 return; 1592 1593 qrx->allow_1rtt = 1; 1594 qrx_requeue_deferred(qrx); 1595 } 1596 1597 void ossl_qrx_set_msg_callback(OSSL_QRX *qrx, ossl_msg_cb msg_callback, 1598 SSL *msg_callback_ssl) 1599 { 1600 qrx->msg_callback = msg_callback; 1601 qrx->msg_callback_ssl = msg_callback_ssl; 1602 } 1603 1604 void ossl_qrx_set_msg_callback_arg(OSSL_QRX *qrx, void *msg_callback_arg) 1605 { 1606 qrx->msg_callback_arg = msg_callback_arg; 1607 } 1608 1609 size_t ossl_qrx_get_short_hdr_conn_id_len(OSSL_QRX *qrx) 1610 { 1611 return qrx->short_conn_id_len; 1612 } 1613
Indexes created Fri Jun 26 00:24:39 UTC 2026