aboutsummaryrefslogtreecommitdiff
path: root/lib/vquic
diff options
context:
space:
mode:
Diffstat (limited to 'lib/vquic')
-rw-r--r--lib/vquic/ngtcp2-crypto.c511
-rw-r--r--lib/vquic/ngtcp2-crypto.h91
-rw-r--r--lib/vquic/ngtcp2.c738
-rw-r--r--lib/vquic/ngtcp2.h8
4 files changed, 161 insertions, 1187 deletions
diff --git a/lib/vquic/ngtcp2-crypto.c b/lib/vquic/ngtcp2-crypto.c
deleted file mode 100644
index 887c130cb..000000000
--- a/lib/vquic/ngtcp2-crypto.c
+++ /dev/null
@@ -1,511 +0,0 @@
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.haxx.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- ***************************************************************************/
-
-#include "curl_setup.h"
-
-#ifdef USE_NGTCP2
-#include <ngtcp2/ngtcp2.h>
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include <openssl/kdf.h>
-#include "ngtcp2-crypto.h"
-/* The last 3 #include files should be in this order */
-#include "curl_printf.h"
-#include "curl_memory.h"
-#include "memdebug.h"
-
-static int hkdf_expand_label(uint8_t *dest, size_t destlen,
- const uint8_t *secret, size_t secretlen,
- const uint8_t *label, size_t labellen,
- const struct Context *ctx);
-
-void Curl_qc_prf_sha256(struct Context *ctx)
-{
- ctx->prf = EVP_sha256();
-}
-
-void Curl_qc_aead_aes_128_gcm(struct Context *ctx)
-{
- ctx->aead = EVP_aes_128_gcm();
- ctx->hp = EVP_aes_128_ctr();
-}
-
-size_t Curl_qc_aead_nonce_length(const struct Context *ctx)
-{
- return EVP_CIPHER_iv_length(ctx->aead);
-}
-
-
-int Curl_qc_negotiated_prf(struct Context *ctx, SSL *ssl)
-{
- switch(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))) {
- case 0x03001301u: /* TLS_AES_128_GCM_SHA256 */
- case 0x03001303u: /* TLS_CHACHA20_POLY1305_SHA256 */
- case 0x03001304u: /* TLS_AES_128_CCM_SHA256 */
- ctx->prf = EVP_sha256();
- return 0;
- case 0x03001302u: /* TLS_AES_256_GCM_SHA384 */
- ctx->prf = EVP_sha384();
- return 0;
- default:
- return -1;
- }
-}
-
-int Curl_qc_negotiated_aead(struct Context *ctx, SSL *ssl)
-{
- switch(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))) {
- case 0x03001301u: /* TLS_AES_128_GCM_SHA256 */
- ctx->aead = EVP_aes_128_gcm();
- ctx->hp = EVP_aes_128_ctr();
- return 0;
- case 0x03001302u: /* TLS_AES_256_GCM_SHA384 */
- ctx->aead = EVP_aes_256_gcm();
- ctx->hp = EVP_aes_256_ctr();
- return 0;
- case 0x03001303u: /* TLS_CHACHA20_POLY1305_SHA256 */
- ctx->aead = EVP_chacha20_poly1305();
- ctx->hp = EVP_chacha20();
- return 0;
- case 0x03001304u: /* TLS_AES_128_CCM_SHA256 */
- ctx->aead = EVP_aes_128_ccm();
- ctx->hp = EVP_aes_128_ctr();
- return 0;
- default:
- return -1;
- }
-}
-
-ssize_t Curl_qc_encrypt_pn(uint8_t *dest, size_t destlen,
- const uint8_t *plaintext, size_t plaintextlen,
- const struct Context *ctx,
- const uint8_t *key, size_t keylen,
- const uint8_t *nonce, size_t noncelen)
-{
- EVP_CIPHER_CTX *actx = EVP_CIPHER_CTX_new();
- size_t outlen = 0;
- int len;
- (void)destlen;
- (void)keylen;
- (void)noncelen;
-
- if(!actx)
- return -1;
-
- if(EVP_EncryptInit_ex(actx, ctx->hp, NULL, key, nonce) != 1)
- goto error;
-
- if(EVP_EncryptUpdate(actx, dest, &len, plaintext, (int)plaintextlen) != 1)
- goto error;
-
- assert(len > 0);
-
- outlen = len;
-
- if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1)
- goto error;
-
- assert(len == 0);
- /* outlen += len; */
-
- EVP_CIPHER_CTX_free(actx);
- return outlen;
-
- error:
- EVP_CIPHER_CTX_free(actx);
- return -1;
-}
-
-static int hkdf_expand(uint8_t *dest, size_t destlen, const uint8_t *secret,
- size_t secretlen, const uint8_t *info, size_t infolen,
- const struct Context *ctx)
-{
- void *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
- if(!pctx)
- return -1;
-
- if(EVP_PKEY_derive_init(pctx) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_set_hkdf_md(pctx, ctx->prf) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_set1_hkdf_salt(pctx, "", 0) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, (int)secretlen) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, (int)infolen) != 1)
- goto err;
-
- if(EVP_PKEY_derive(pctx, dest, &destlen) != 1)
- goto err;
-
- return 0;
- err:
- EVP_PKEY_CTX_free(pctx);
- return -1;
-}
-
-static int hkdf_extract(uint8_t *dest, size_t destlen,
- const uint8_t *secret, size_t secretlen,
- const uint8_t *salt, size_t saltlen,
- const struct Context *ctx)
-{
- void *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
- if(!pctx)
- return -1;
-
- if(EVP_PKEY_derive_init(pctx) != 1)
- goto err;
-
- if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != 1) {
- goto err;
- }
-
- if(EVP_PKEY_CTX_set_hkdf_md(pctx, ctx->prf) != 1) {
- goto err;
- }
-
- if(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, (int)saltlen) != 1) {
- goto err;
- }
-
- if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, (int)secretlen) != 1) {
- goto err;
- }
-
- if(EVP_PKEY_derive(pctx, dest, &destlen) != 1) {
- goto err;
- }
-
- EVP_PKEY_CTX_free(pctx);
- return 0;
- err:
- EVP_PKEY_CTX_free(pctx);
- return -1;
-}
-
-static size_t aead_key_length(const struct Context *ctx)
-{
- return EVP_CIPHER_key_length(ctx->aead);
-}
-
-static size_t aead_tag_length(const struct Context *ctx)
-{
- if(ctx->aead == EVP_aes_128_gcm() || ctx->aead == EVP_aes_256_gcm()) {
- return EVP_GCM_TLS_TAG_LEN;
- }
- if(ctx->aead == EVP_chacha20_poly1305()) {
- return EVP_CHACHAPOLY_TLS_TAG_LEN;
- }
- if(ctx->aead == EVP_aes_128_ccm())
- return EVP_CCM_TLS_TAG_LEN;
- assert(0);
-}
-
-size_t Curl_qc_aead_max_overhead(const struct Context *ctx)
-{
- return aead_tag_length(ctx);
-}
-
-int Curl_qc_encrypt(uint8_t *dest,
- const uint8_t *plaintext, size_t plaintextlen,
- const struct Context *ctx,
- const uint8_t *key,
- const uint8_t *nonce, size_t noncelen,
- const uint8_t *ad, size_t adlen)
-{
- size_t taglen = aead_tag_length(ctx);
- EVP_CIPHER_CTX *actx;
- int outlen = 0;
- int len;
-
- actx = EVP_CIPHER_CTX_new();
- if(!actx)
- return -1;
-
- if(EVP_EncryptInit_ex(actx, ctx->aead, NULL, NULL, NULL) != 1)
- goto error;
-
- if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_IVLEN,
- (int)noncelen, NULL) != 1)
- goto error;
-
- if(ctx->aead == EVP_aes_128_ccm() &&
- EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG, (int)taglen, NULL) != 1)
- goto error;
-
- if(EVP_EncryptInit_ex(actx, NULL, NULL, key, nonce) != 1)
- goto error;
-
- if(ctx->aead == EVP_aes_128_ccm() &&
- EVP_EncryptUpdate(actx, NULL, &len, NULL, (int)plaintextlen) != 1)
- goto error;
-
- if(EVP_EncryptUpdate(actx, NULL, &len, ad, (int)adlen) != 1)
- goto error;
-
- if(EVP_EncryptUpdate(actx, dest, &len, plaintext, (int)plaintextlen) != 1)
- goto error;
-
- outlen = len;
- if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1)
- goto error;
-
- if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_GET_TAG,
- (int)taglen, dest + outlen) != 1)
- goto error;
-
- EVP_CIPHER_CTX_free(actx);
- return 0;
-
- error:
- EVP_CIPHER_CTX_free(actx);
- return -1;
-}
-
-int Curl_qc_decrypt(uint8_t *dest,
- const uint8_t *ciphertext, size_t ciphertextlen,
- const struct Context *ctx,
- const uint8_t *key,
- const uint8_t *nonce, size_t noncelen,
- const uint8_t *ad, size_t adlen)
-{
- size_t taglen = aead_tag_length(ctx);
- const uint8_t *tag;
- EVP_CIPHER_CTX *actx;
- int outlen;
- int len;
-
- if(taglen > ciphertextlen)
- return -1;
-
- ciphertextlen -= taglen;
- tag = ciphertext + ciphertextlen;
-
- actx = EVP_CIPHER_CTX_new();
- if(!actx)
- return -1;
-
- if(EVP_DecryptInit_ex(actx, ctx->aead, NULL, NULL, NULL) != 1)
- goto error;
-
- if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_IVLEN, (int)noncelen, NULL) !=
- 1)
- goto error;
-
- if(ctx->aead == EVP_aes_128_ccm() &&
- EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG, (int)taglen,
- (uint8_t *)tag) != 1)
- goto error;
-
- if(EVP_DecryptInit_ex(actx, NULL, NULL, key, nonce) != 1)
- goto error;
-
- if(ctx->aead == EVP_aes_128_ccm() &&
- EVP_DecryptUpdate(actx, NULL, &len, NULL, (int)ciphertextlen) != 1)
- goto error;
-
- if(EVP_DecryptUpdate(actx, NULL, &len, ad, (int)adlen) != 1)
- goto error;
-
- if(EVP_DecryptUpdate(actx, dest, &len, ciphertext, (int)ciphertextlen) != 1)
- goto error;
-
- outlen = len;
-
- if(ctx->aead == EVP_aes_128_ccm())
- return 0;
-
- if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG,
- (int)taglen, (char *)tag) != 1)
- goto error;
-
- if(EVP_DecryptFinal_ex(actx, dest + outlen, &len) != 1)
- goto error;
-
- EVP_CIPHER_CTX_free(actx);
- return 0;
- error:
- EVP_CIPHER_CTX_free(actx);
- return -1;
-}
-
-int Curl_qc_derive_initial_secret(uint8_t *dest, size_t destlen,
- const ngtcp2_cid *secret,
- const uint8_t *salt,
- size_t saltlen)
-{
- struct Context ctx;
- Curl_qc_prf_sha256(&ctx);
- return hkdf_extract(dest, destlen, secret->data, secret->datalen, salt,
- saltlen, &ctx);
-}
-
-int Curl_qc_derive_client_initial_secret(uint8_t *dest,
- size_t destlen,
- const uint8_t *secret,
- size_t secretlen)
-{
- static uint8_t LABEL[] = "client in";
- struct Context ctx;
- Curl_qc_prf_sha256(&ctx);
- return hkdf_expand_label(dest, destlen, secret, secretlen, LABEL,
- sizeof(LABEL) - 1, &ctx);
-}
-
-ssize_t Curl_qc_derive_packet_protection_key(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen,
- const struct Context *ctx)
-{
- int rv;
- static uint8_t LABEL[] = "quic key";
- size_t keylen = aead_key_length(ctx);
- if(keylen > destlen) {
- return -1;
- }
-
- rv = hkdf_expand_label(dest, keylen, secret, secretlen, LABEL,
- sizeof(LABEL) - 1, ctx);
- if(rv) {
- return -1;
- }
-
- return keylen;
-}
-
-ssize_t Curl_qc_derive_packet_protection_iv(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen,
- const struct Context *ctx)
-{
- int rv;
- static uint8_t LABEL[] = "quic iv";
-
- size_t ivlen = CURLMAX(8, Curl_qc_aead_nonce_length(ctx));
- if(ivlen > destlen) {
- return -1;
- }
-
- rv = hkdf_expand_label(dest, ivlen, secret, secretlen, LABEL,
- sizeof(LABEL) - 1, ctx);
- if(rv) {
- return -1;
- }
-
- return ivlen;
-}
-
-int Curl_qc_derive_server_initial_secret(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen)
-{
- static uint8_t LABEL[] = "server in";
- struct Context ctx;
- Curl_qc_prf_sha256(&ctx);
- return hkdf_expand_label(dest, destlen, secret, secretlen, LABEL,
- sizeof(LABEL) - 1, &ctx);
-}
-
-static int
-hkdf_expand_label(uint8_t *dest, size_t destlen, const uint8_t *secret,
- size_t secretlen, const uint8_t *label, size_t labellen,
- const struct Context *ctx)
-{
- uint8_t info[256];
- static const uint8_t LABEL[] = "tls13 ";
-
- uint8_t *p = &info[0];
- *p++ = (destlen / 256)&0xff;
- *p++ = destlen % 256;
- *p++ = (sizeof(LABEL) - 1 + labellen) & 0xff;
- memcpy(p, LABEL, sizeof(LABEL) - 1);
- p += sizeof(LABEL) - 1;
- memcpy(p, label, labellen);
- p += labellen;
- *p++ = 0;
-
- return hkdf_expand(dest, destlen, secret, secretlen, &info[0],
- p - &info[0], ctx);
-}
-
-ssize_t
-Curl_qc_derive_header_protection_key(uint8_t *dest, size_t destlen,
- const uint8_t *secret, size_t secretlen,
- const struct Context *ctx)
-{
- int rv;
- static uint8_t LABEL[] = "quic hp";
-
- size_t keylen = aead_key_length(ctx);
- if(keylen > destlen)
- return -1;
-
- rv = hkdf_expand_label(dest, keylen, secret, secretlen, LABEL,
- sizeof(LABEL) - 1, ctx);
-
- if(rv)
- return -1;
-
- return keylen;
-}
-
-int Curl_qc_hp_mask(uint8_t *dest, const struct Context *ctx,
- const uint8_t *key, const uint8_t *sample)
-{
- static uint8_t PLAINTEXT[] = "\x00\x00\x00\x00\x00";
- EVP_CIPHER_CTX *actx;
- int outlen = 0;
- int len;
- actx = EVP_CIPHER_CTX_new();
- if(!actx)
- return -1;
-
- if(EVP_EncryptInit_ex(actx, ctx->hp, NULL, key, sample) != 1)
- goto error;
- if(EVP_EncryptUpdate(actx, dest, &len, PLAINTEXT,
- (int)(sizeof(PLAINTEXT) - 1)) != 1)
- goto error;
-
- DEBUGASSERT(len == 5);
-
- outlen = len;
-
- if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1)
- goto error;
-
- DEBUGASSERT(len == 0);
-
- return 0;
- error:
- EVP_CIPHER_CTX_free(actx);
- return -1;
-}
-
-
-#endif
diff --git a/lib/vquic/ngtcp2-crypto.h b/lib/vquic/ngtcp2-crypto.h
deleted file mode 100644
index ae75517ab..000000000
--- a/lib/vquic/ngtcp2-crypto.h
+++ /dev/null
@@ -1,91 +0,0 @@
-#ifndef HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H
-#define HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.haxx.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- ***************************************************************************/
-
-#include "curl_setup.h"
-
-#ifdef USE_NGTCP2
-struct Context {
-#if defined(OPENSSL_IS_BORINGSSL)
- const EVP_AEAD *aead;
-#else /* !OPENSSL_IS_BORINGSSL */
- const EVP_CIPHER *aead;
-#endif /* !OPENSSL_IS_BORINGSSL */
- const EVP_CIPHER *hp;
- const EVP_MD *prf;
- uint8_t tx_secret[64];
- uint8_t rx_secret[64];
- size_t secretlen;
-};
-
-void Curl_qc_prf_sha256(struct Context *ctx);
-void Curl_qc_aead_aes_128_gcm(struct Context *ctx);
-size_t Curl_qc_aead_nonce_length(const struct Context *ctx);
-int Curl_qc_negotiated_prf(struct Context *ctx, SSL *ssl);
-int Curl_qc_negotiated_aead(struct Context *ctx, SSL *ssl);
-size_t Curl_qc_aead_max_overhead(const struct Context *ctx);
-int Curl_qc_encrypt(uint8_t *dest,
- const uint8_t *plaintext, size_t plaintextlen,
- const struct Context *ctx,
- const uint8_t *key,
- const uint8_t *nonce, size_t noncelen,
- const uint8_t *ad, size_t adlen);
-int Curl_qc_decrypt(uint8_t *dest,
- const uint8_t *ciphertext, size_t ciphertextlen,
- const struct Context *ctx,
- const uint8_t *key,
- const uint8_t *nonce, size_t noncelen,
- const uint8_t *ad, size_t adlen);
-ssize_t Curl_qc_encrypt_pn(uint8_t *dest, size_t destlen,
- const uint8_t *plaintext, size_t plaintextlen,
- const struct Context *ctx,
- const uint8_t *key, size_t keylen,
- const uint8_t *nonce, size_t noncelen);
-int Curl_qc_derive_initial_secret(uint8_t *dest, size_t destlen,
- const ngtcp2_cid *secret,
- const uint8_t *salt,
- size_t saltlen);
-int Curl_qc_derive_client_initial_secret(uint8_t *dest,
- size_t destlen,
- const uint8_t *secret,
- size_t secretlen);
-ssize_t Curl_qc_derive_packet_protection_key(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen,
- const struct Context *ctx);
-ssize_t Curl_qc_derive_packet_protection_iv(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen,
- const struct Context *ctx);
-int Curl_qc_derive_server_initial_secret(uint8_t *dest, size_t destlen,
- const uint8_t *secret,
- size_t secretlen);
-ssize_t
-Curl_qc_derive_header_protection_key(uint8_t *dest, size_t destlen,
- const uint8_t *secret, size_t secretlen,
- const struct Context *ctx);
-
-int Curl_qc_hp_mask(uint8_t *dest, const struct Context *ctx,
- const uint8_t *key, const uint8_t *sample);
-#endif /* USE_NGTCP2 */
-#endif /* HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H */
diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c
index 6abbfa2ab..9fa04b4c7 100644
--- a/lib/vquic/ngtcp2.c
+++ b/lib/vquic/ngtcp2.c
@@ -31,7 +31,6 @@
#include "strdup.h"
#include "rand.h"
#include "ngtcp2.h"
-#include "ngtcp2-crypto.h"
#include "multiif.h"
#include "strcase.h"
#include "connect.h"
@@ -99,91 +98,31 @@ static void quic_printf(void *user_data, const char *fmt, ...)
}
#endif
-static int setup_initial_crypto_context(struct quicsocket *qs)
-{
- int rv;
- uint8_t initial_secret[32];
- uint8_t secret[32];
- const ngtcp2_cid *dcid;
- uint8_t key[16];
- ssize_t keylen;
- uint8_t iv[16];
- ssize_t ivlen;
- uint8_t hp[16];
- ssize_t hplen;
-
- dcid = ngtcp2_conn_get_dcid(qs->qconn);
- rv = Curl_qc_derive_initial_secret(initial_secret, sizeof(initial_secret),
- dcid, (uint8_t *)NGTCP2_INITIAL_SALT,
- strlen(NGTCP2_INITIAL_SALT));
- if(rv) {
- return -1;
- }
-
- Curl_qc_prf_sha256(&qs->hs_crypto_ctx);
- Curl_qc_aead_aes_128_gcm(&qs->hs_crypto_ctx);
-
- rv = Curl_qc_derive_client_initial_secret(secret, sizeof(secret),
- initial_secret,
- sizeof(initial_secret));
- if(rv) {
- return -1;
- }
-
- keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(keylen < 0) {
- return -1;
- }
-
- ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(ivlen < 0) {
- return -1;
- }
-
- hplen = Curl_qc_derive_header_protection_key(hp, sizeof(hp),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(hplen < 0) {
- return -1;
- }
-
- ngtcp2_conn_install_initial_tx_keys(qs->qconn, key, keylen, iv, ivlen,
- hp, hplen);
-
- rv = Curl_qc_derive_server_initial_secret(secret, sizeof(secret),
- initial_secret,
- sizeof(initial_secret));
- if(rv) {
- return -1;
- }
-
- keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(keylen < 0) {
- return -1;
+static ngtcp2_crypto_level
+quic_from_ossl_level(OSSL_ENCRYPTION_LEVEL ossl_level)
+{
+ switch(ossl_level) {
+ case ssl_encryption_initial:
+ return NGTCP2_CRYPTO_LEVEL_INITIAL;
+ case ssl_encryption_early_data:
+ return NGTCP2_CRYPTO_LEVEL_EARLY;
+ case ssl_encryption_handshake:
+ return NGTCP2_CRYPTO_LEVEL_HANDSHAKE;
+ case ssl_encryption_application:
+ return NGTCP2_CRYPTO_LEVEL_APP;
+ default:
+ assert(0);
}
+}
- ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(ivlen < 0) {
- return -1;
- }
+static int setup_initial_crypto_context(struct quicsocket *qs)
+{
+ const ngtcp2_cid *dcid = ngtcp2_conn_get_dcid(qs->qconn);
- hplen = Curl_qc_derive_header_protection_key(hp, sizeof(hp),
- secret, sizeof(secret),
- &qs->hs_crypto_ctx);
- if(hplen < 0) {
+ if(ngtcp2_crypto_derive_and_install_initial_key(
+ qs->qconn, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, dcid,
+ NGTCP2_CRYPTO_SIDE_CLIENT) != 0)
return -1;
- }
-
- ngtcp2_conn_install_initial_rx_keys(qs->qconn,
- key, keylen, iv, ivlen, hp, hplen);
return 0;
}
@@ -206,85 +145,6 @@ static void quic_settings(ngtcp2_settings *s)
s->idle_timeout = QUIC_IDLE_TIMEOUT;
}
-/* SSL extension functions */
-static int transport_params_add_cb(SSL *ssl, unsigned int ext_type,
- unsigned int content,
- const unsigned char **out,
- size_t *outlen, X509 *x,
- size_t chainidx, int *al, void *add_arg)
-{
- struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl);
- ngtcp2_transport_params params;
- uint8_t buf[64];
- ssize_t nwrite;
- (void)ext_type;
- (void)content;
- (void)x;
- (void)chainidx;
- (void)add_arg;
-
- ngtcp2_conn_get_local_transport_params(qs->qconn, &params);
-
- nwrite = ngtcp2_encode_transport_params(
- buf, sizeof(buf), NGTCP2_TRANSPORT_PARAMS_TYPE_CLIENT_HELLO, &params);
- if(nwrite < 0) {
- fprintf(stderr, "ngtcp2_encode_transport_params: %s\n",
- ngtcp2_strerror((int)nwrite));
- *al = SSL_AD_INTERNAL_ERROR;
- return -1;
- }
-
- *out = Curl_memdup(buf, nwrite);
- *outlen = nwrite;
-
- return 1;
-}
-
-static void transport_params_free_cb(SSL *ssl, unsigned int ext_type,
- unsigned int context,
- const unsigned char *out,
- void *add_arg)
-{
- (void)ssl;
- (void)ext_type;
- (void)context;
- (void)add_arg;
- free((char *)out);
-}
-
-static int transport_params_parse_cb(SSL *ssl, unsigned int ext_type,
- unsigned int context,
- const unsigned char *in,
- size_t inlen, X509 *x, size_t chainidx,
- int *al, void *parse_arg)
-{
- struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl);
- int rv;
- ngtcp2_transport_params params;
- (void)ext_type;
- (void)context;
- (void)x;
- (void)chainidx;
- (void)parse_arg;
-
- rv = ngtcp2_decode_transport_params(
- &params, NGTCP2_TRANSPORT_PARAMS_TYPE_ENCRYPTED_EXTENSIONS, in, inlen);
- if(rv) {
- fprintf(stderr, "ngtcp2_decode_transport_params: %s\n",
- ngtcp2_strerror(rv));
- *al = SSL_AD_ILLEGAL_PARAMETER;
- return -1;
- }
-
- rv = ngtcp2_conn_set_remote_transport_params(qs->qconn, &params);
- if(rv) {
- *al = SSL_AD_ILLEGAL_PARAMETER;
- return -1;
- }
-
- return 1;
-}
-
static FILE *keylog_file; /* not thread-safe */
static void keylog_callback(const SSL *ssl, const char *line)
{
@@ -294,180 +154,62 @@ static void keylog_callback(const SSL *ssl, const char *line)
fflush(keylog_file);
}
-static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
-{
- SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
- const char *keylog_filename;
-
- SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION);
- SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
-
- /* This makes OpenSSL client not send CCS after an initial ClientHello. */
- SSL_CTX_clear_options(ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
-
- SSL_CTX_set_default_verify_paths(ssl_ctx);
-
- if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) {
- failf(data, "SSL_CTX_set_ciphersuites: %s",
- ERR_error_string(ERR_get_error(), NULL));
- return NULL;
- }
-
- if(SSL_CTX_set1_groups_list(ssl_ctx, QUIC_GROUPS) != 1) {
- failf(data, "SSL_CTX_set1_groups_list failed");
- return NULL;
- }
-
- SSL_CTX_set_mode(ssl_ctx, SSL_MODE_QUIC_HACK);
-
- if(SSL_CTX_add_custom_ext(ssl_ctx,
- NGTCP2_TLSEXT_QUIC_TRANSPORT_PARAMETERS,
- SSL_EXT_CLIENT_HELLO |
- SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
- transport_params_add_cb,
- transport_params_free_cb, NULL,
- transport_params_parse_cb, NULL) != 1) {
- failf(data, "SSL_CTX_add_custom_ext(NGTCP2_TLSEXT_QUIC_TRANSPORT_"
- "PARAMETERS) failed: %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return NULL;
- }
-
- keylog_filename = getenv("SSLKEYLOGFILE");
- if(keylog_filename) {
- keylog_file = fopen(keylog_filename, "wb");
- if(keylog_file) {
- SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
- }
- }
-
- return ssl_ctx;
-}
-
-/** SSL callbacks ***/
-
-static void set_tls_alert(struct quicsocket *qs, uint8_t alert)
-{
- qs->tls_alert = alert;
-}
static int init_ngh3_conn(struct quicsocket *qs);
-static int ssl_on_key(struct quicsocket *qs,
- int name, const uint8_t *secret, size_t secretlen)
+static int quic_set_encryption_secrets(SSL *ssl,
+ OSSL_ENCRYPTION_LEVEL ossl_level,
+ const uint8_t *rx_secret,
+ const uint8_t *tx_secret,
+ size_t secretlen)
{
+ struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl);
+ int level = quic_from_ossl_level(ossl_level);
int rv;
- uint8_t hp[64];
- ssize_t hplen;
- uint8_t key[64];
- ssize_t keylen;
- uint8_t iv[64];
- ssize_t ivlen;
- struct Context *crypto_ctx = &qs->crypto_ctx;
-
- switch(name) {
- case SSL_KEY_CLIENT_EARLY_TRAFFIC:
- case SSL_KEY_CLIENT_HANDSHAKE_TRAFFIC:
- case SSL_KEY_CLIENT_APPLICATION_TRAFFIC:
- case SSL_KEY_SERVER_HANDSHAKE_TRAFFIC:
- case SSL_KEY_SERVER_APPLICATION_TRAFFIC:
- break;
- default:
- return 0;
- }
- /* TODO We don't have to call this everytime we get key generated. */
- rv = Curl_qc_negotiated_prf(crypto_ctx, qs->ssl);
- if(rv != 0) {
- return -1;
- }
- rv = Curl_qc_negotiated_aead(crypto_ctx, qs->ssl);
- if(rv != 0) {
- return -1;
+ if(!qs->crypto_ctx.aead.native_handle) {
+ ngtcp2_crypto_ctx_tls(&qs->crypto_ctx, ssl);
+ ngtcp2_conn_set_aead_overhead(
+ qs->qconn, ngtcp2_crypto_aead_taglen(&qs->crypto_ctx.aead));
}
- keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key), secret,
- secretlen, crypto_ctx);
- if(keylen < 0) {
- return -1;
- }
+ if(ngtcp2_crypto_derive_and_install_key(
+ qs->qconn, NULL, NULL, NULL, NULL, NULL, NULL, &qs->crypto_ctx.aead,
+ &qs->crypto_ctx.md, level, rx_secret, tx_secret, secretlen,
+ NGTCP2_CRYPTO_SIDE_CLIENT) != 0)
+ return 0;
- ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv), secret,
- secretlen, crypto_ctx);
- if(ivlen < 0) {
- return -1;
- }
+ if(level == NGTCP2_CRYPTO_LEVEL_APP) {
+ const uint8_t *tp;
+ size_t tplen;
+ ngtcp2_transport_params params;
- hplen =
- Curl_qc_derive_header_protection_key(hp, sizeof(hp),
- secret, secretlen, crypto_ctx);
- if(hplen < 0)
- return -1;
+ SSL_get_peer_quic_transport_params(ssl, &tp, &tplen);
- /* TODO Just call this once. */
- ngtcp2_conn_set_aead_overhead(qs->qconn,
- Curl_qc_aead_max_overhead(crypto_ctx));
+ rv = ngtcp2_decode_transport_params(
+ &params, NGTCP2_TRANSPORT_PARAMS_TYPE_ENCRYPTED_EXTENSIONS, tp, tplen);
+ if(rv != 0)
+ return 0;
- switch(name) {
- case SSL_KEY_CLIENT_EARLY_TRAFFIC:
- ngtcp2_conn_install_early_keys(qs->qconn, key, keylen, iv, ivlen,
- hp, hplen);
- break;
- case SSL_KEY_CLIENT_HANDSHAKE_TRAFFIC:
- ngtcp2_conn_install_handshake_tx_keys(qs->qconn, key, keylen,
- iv, ivlen, hp, hplen);
- qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_HANDSHAKE;
- break;
- case SSL_KEY_CLIENT_APPLICATION_TRAFFIC:
- ngtcp2_conn_install_tx_keys(qs->qconn, key, keylen, iv, ivlen,
- hp, hplen);
- break;
- case SSL_KEY_SERVER_HANDSHAKE_TRAFFIC:
- ngtcp2_conn_install_handshake_rx_keys(qs->qconn, key, keylen,
- iv, ivlen,
- hp, hplen);
- qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_HANDSHAKE;
- break;
- case SSL_KEY_SERVER_APPLICATION_TRAFFIC:
- ngtcp2_conn_install_rx_keys(qs->qconn, key, keylen, iv, ivlen,
- hp, hplen);
- qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_APP;
- if(init_ngh3_conn(qs) != CURLE_OK) {
- return NGTCP2_ERR_CALLBACK_FAILURE;
- }
+ rv = ngtcp2_conn_set_remote_transport_params(qs->qconn, &params);
+ if(rv != 0)
+ return 0;
- break;
+ if(init_ngh3_conn(qs) != CURLE_OK)
+ return 0;
}
- return 0;
+
+ return 1;
}
-static void ssl_msg_cb(int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *user_data)
+static int quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level,
+ const uint8_t *data, size_t len)
{
- int rv;
- struct quicsocket *qs = (struct quicsocket *)user_data;
- uint8_t *msg = (uint8_t *)buf;
+ struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl);
struct quic_handshake *crypto_data;
- (void)version;
- (void)ssl;
-
- if(!write_p)
- return;
-
- switch(content_type) {
- case SSL3_RT_HANDSHAKE:
- break;
- case SSL3_RT_ALERT:
- assert(len == 2);
- if(msg[0] != 2 /* FATAL */) {
- return;
- }
- set_tls_alert(qs, msg[1]);
- return;
- default:
- return;
- }
+ ngtcp2_crypto_level level = quic_from_ossl_level(ossl_level);
+ int rv;
- crypto_data = &qs->client_crypto_data[qs->tx_crypto_level];
+ crypto_data = &qs->client_crypto_data[level];
if(crypto_data->buf == NULL) {
crypto_data->buf = malloc(4096);
crypto_data->alloclen = 4096;
@@ -478,155 +220,78 @@ static void ssl_msg_cb(int write_p, int version, int content_type,
now */
assert(crypto_data->len + len <= crypto_data->alloclen);
- memcpy(&crypto_data->buf[crypto_data->len], buf, len);
+ memcpy(&crypto_data->buf[crypto_data->len], data, len);
crypto_data->len += len;
- rv = ngtcp2_conn_submit_crypto_data(qs->qconn, qs->tx_crypto_level,
- (uint8_t *)
- (&crypto_data->buf[
- crypto_data->len] - len), len);
+ rv = ngtcp2_conn_submit_crypto_data(
+ qs->qconn, level, (uint8_t *)(&crypto_data->buf[crypto_data->len] - len),
+ len);
if(rv) {
fprintf(stderr, "write_client_handshake failed\n");
}
assert(0 == rv);
+
+ return 1;
}
-static int ssl_key_cb(SSL *ssl, int name,
- const unsigned char *secret,
- size_t secretlen,
- void *arg)
+static int quic_flush_flight(SSL *ssl)
{
- struct quicsocket *qs = (struct quicsocket *)arg;
(void)ssl;
-
- if(ssl_on_key(qs, name, secret, secretlen) != 0)
- return 0;
-
- /* log_secret(ssl, name, secret, secretlen); */
-
return 1;
}
-static int read_server_handshake(struct quicsocket *qs,
- char *buf, int buflen)
+static int quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level,
+ uint8_t alert)
{
- struct quic_handshake *hs = &qs->handshake;
- int avail = (int)(hs->len - hs->nread);
- int n = CURLMIN(buflen, avail);
- memcpy(buf, &hs->buf[hs->nread], n);
-#ifdef DEBUG_NGTCP2
- infof(qs->conn->data, "read %d bytes of handshake data\n", n);
-#endif
- hs->nread += n;
- return n;
-}
+ struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl);
+ (void)level;
-static void write_server_handshake(struct quicsocket *qs,
- const uint8_t *ptr, size_t datalen)
-{
- char *p;
- struct quic_handshake *hs = &qs->handshake;
- size_t alloclen = datalen + hs->alloclen;
-#ifdef DEBUG_NGTCP2
- infof(qs->conn->data, "store %zd bytes of handshake data\n", datalen);
-#endif
- if(alloclen > hs->alloclen) {
- alloclen *= 2;
- p = realloc(qs->handshake.buf, alloclen);
- if(!p)
- return; /* BAAAAAD */
- hs->buf = p;
- hs->alloclen = alloclen;
- }
- memcpy(&hs->buf[hs->len], ptr, datalen);
- hs->len += datalen;
+ qs->tls_alert = alert;
+ return 1;
}
-/** BIO functions ***/
+static SSL_QUIC_METHOD quic_method = {quic_set_encryption_secrets,
+ quic_add_handshake_data,
+ quic_flush_flight, quic_send_alert};
-static int bio_write(BIO *b, const char *buf, int len)
+static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
{
- (void)b;
- (void)buf;
- (void)len;
- assert(0);
- return -1;
-}
+ SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
+ const char *keylog_filename;
-static int bio_read(BIO *b, char *buf, int len)
-{
- struct quicsocket *qs;
- BIO_clear_retry_flags(b);
+ SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION);
+ SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
- qs = (struct quicsocket *)BIO_get_data(b);
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
- len = read_server_handshake(qs, buf, len);
- if(len == 0) {
- BIO_set_retry_read(b);
- return -1;
+ if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) {
+ failf(data, "SSL_CTX_set_ciphersuites: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return NULL;
}
- return len;
-}
-
-static int bio_puts(BIO *b, const char *str)
-{
- return bio_write(b, str, (int)strlen(str));
-}
-
-static int bio_gets(BIO *b, char *buf, int len)
-{
- (void)b;
- (void)buf;
- (void)len;
- return -1;
-}
-
-static long bio_ctrl(BIO *b, int cmd, long num, void *ptr)
-{
- (void)b;
- (void)cmd;
- (void)num;
- (void)ptr;
- switch(cmd) {
- case BIO_CTRL_FLUSH:
- return 1;
+ if(SSL_CTX_set1_groups_list(ssl_ctx, QUIC_GROUPS) != 1) {
+ failf(data, "SSL_CTX_set1_groups_list failed");
+ return NULL;
}
- return 0;
-}
+ SSL_CTX_set_quic_method(ssl_ctx, &quic_method);
-static int bio_create(BIO *b)
-{
- BIO_set_init(b, 1);
- return 1;
-}
-
-static int bio_destroy(BIO *b)
-{
- if(!b)
- return 0;
-
- return 1;
-}
+ keylog_filename = getenv("SSLKEYLOGFILE");
+ if(keylog_filename) {
+ keylog_file = fopen(keylog_filename, "wb");
+ if(keylog_file) {
+ SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
+ }
+ }
-static BIO_METHOD *create_bio_method(void)
-{
- BIO_METHOD *meth = BIO_meth_new(BIO_TYPE_FD, "bio");
- BIO_meth_set_write(meth, bio_write);
- BIO_meth_set_read(meth, bio_read);
- BIO_meth_set_puts(meth, bio_puts);
- BIO_meth_set_gets(meth, bio_gets);
- BIO_meth_set_ctrl(meth, bio_ctrl);
- BIO_meth_set_create(meth, bio_create);
- BIO_meth_set_destroy(meth, bio_destroy);
- return meth;
+ return ssl_ctx;
}
+/** SSL callbacks ***/
static int quic_init_ssl(struct quicsocket *qs)
{
- BIO *bio;
const uint8_t *alpn = NULL;
size_t alpnlen = 0;
/* this will need some attention when HTTPS proxy over QUIC get fixed */
@@ -636,16 +301,9 @@ static int quic_init_ssl(struct quicsocket *qs)
SSL_free(qs->ssl);
qs->ssl = SSL_new(qs->sslctx);
- bio = BIO_new(create_bio_method());
- /* supposedly this can fail too? */
- BIO_set_data(bio, qs);
- SSL_set_bio(qs->ssl, bio, bio);
SSL_set_app_data(qs->ssl, qs);
SSL_set_connect_state(qs->ssl);
- SSL_set_msg_callback(qs->ssl, ssl_msg_cb);
- SSL_set_msg_callback_arg(qs->ssl, qs);
- SSL_set_key_callback(qs->ssl, ssl_key_cb, qs);
switch(qs->version) {
#ifdef NGTCP2_PROTO_VER
@@ -663,105 +321,15 @@ static int quic_init_ssl(struct quicsocket *qs)
return 0;
}
-static int quic_tls_handshake(struct quicsocket *qs,
- bool resumption,
- bool initial)
-{
- int rv;
- ERR_clear_error();
-
- /* Note that SSL_SESSION_get_max_early_data() and
- SSL_get_max_early_data() return completely different value. */
- if(initial && resumption &&
- SSL_SESSION_get_max_early_data(SSL_get_session(qs->ssl))) {
- size_t nwrite;
- /* OpenSSL returns error if SSL_write_early_data is called when resumption
- is not attempted. Sending empty string is a trick to just early_data
- extension. */
- rv = SSL_write_early_data(qs->ssl, "", 0, &nwrite);
- if(rv == 0) {
- int err = SSL_get_error(qs->ssl, rv);
- switch(err) {
- case SSL_ERROR_SSL:
- fprintf(stderr, "TLS handshake error: %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return -1;
- default:
- fprintf(stderr, "TLS handshake error: %d\n", err);
- return -1;
- }
- }
- }
-
- rv = SSL_do_handshake(qs->ssl);
- if(rv <= 0) {
- int err = SSL_get_error(qs->ssl, rv);
- switch(err) {
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_WRITE:
- return 0;
- case SSL_ERROR_SSL:
- fprintf(stderr, "TLS handshake error: %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return -1;
- default:
- fprintf(stderr, "TLS handshake error: %d\n", err);
- return -1;
- }
- }
-
- /* SSL_get_early_data_status works after handshake completes. */
- if(resumption &&
- SSL_get_early_data_status(qs->ssl) != SSL_EARLY_DATA_ACCEPTED) {
- fprintf(stderr, "Early data was rejected by server\n");
- ngtcp2_conn_early_data_rejected(qs->qconn);
- }
-
- ngtcp2_conn_handshake_completed(qs->qconn);
- return 0;
-}
-
static int cb_initial(ngtcp2_conn *quic, void *user_data)
{
struct quicsocket *qs = (struct quicsocket *)user_data;
- (void)quic;
- if(quic_tls_handshake(qs, false, true) != 0)
- return NGTCP2_ERR_CALLBACK_FAILURE;
- return 0;
-}
-static int quic_read_tls(struct quicsocket *qs)
-{
- uint8_t buf[4096];
- size_t nread;
+ if(ngtcp2_crypto_read_write_crypto_data(
+ quic, qs->ssl, NGTCP2_CRYPTO_LEVEL_INITIAL, NULL, 0) != 0)
+ return NGTCP2_ERR_CALLBACK_FAILURE;
- ERR_clear_error();
- for(;;) {
- int err;
- int rv = SSL_read_ex(qs->ssl, buf, sizeof(buf), &nread);
- if(rv == 1) {
-#ifdef DEBUG_NGTCP2
- infof(qs->conn->data, "Read %zd bytes from TLS crypto stream",
- nread);
-#endif
- continue;
- }
- err = SSL_get_error(qs->ssl, 0);
- switch(err) {
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_WRITE:
- return 0;
- case SSL_ERROR_SSL:
- case SSL_ERROR_ZERO_RETURN:
- infof(qs->conn->data, "TLS read error: %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return NGTCP2_ERR_CRYPTO;
- default:
- infof(qs->conn->data, "TLS read error: %d\n", err);
- return NGTCP2_ERR_CRYPTO;
- }
- }
- /* NEVER-REACHED */
+ return 0;
}
static int
@@ -772,25 +340,18 @@ cb_recv_crypto_data(ngtcp2_conn *tconn, ngtcp2_crypto_level crypto_level,
{
struct quicsocket *qs = (struct quicsocket *)user_data;
(void)offset;
- (void)crypto_level;
-
- write_server_handshake(qs, data, datalen);
- if(!ngtcp2_conn_get_handshake_completed(tconn) &&
- quic_tls_handshake(qs, false, false)) {
+ if(ngtcp2_crypto_read_write_crypto_data(tconn, qs->ssl, crypto_level, data,
+ datalen) != 0)
return NGTCP2_ERR_CRYPTO;
- }
- /* SSL_do_handshake() might not consume all data (e.g.,
- NewSessionTicket). */
- return quic_read_tls(qs);
+ return 0;
}
static int cb_handshake_completed(ngtcp2_conn *tconn, void *user_data)
{
struct quicsocket *qs = (struct quicsocket *)user_data;
(void)tconn;
- qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_APP;
infof(qs->conn->data, "QUIC handshake is completed\n");
return 0;
@@ -802,16 +363,17 @@ static int cb_in_encrypt(ngtcp2_conn *tconn, uint8_t *dest,
size_t noncelen, const uint8_t *ad, size_t adlen,
void *user_data)
{
- struct quicsocket *qs = (struct quicsocket *)user_data;
- int nwrite = Curl_qc_encrypt(dest, plaintext, plaintextlen,
- &qs->hs_crypto_ctx,
- key, nonce, noncelen, ad, adlen);
- if(nwrite < 0) {
- return NGTCP2_ERR_CALLBACK_FAILURE;
- }
+ ngtcp2_crypto_ctx crypto_ctx;
(void)tconn;
+ (void)user_data;
- return nwrite;
+ ngtcp2_crypto_ctx_initial(&crypto_ctx);
+
+ if(ngtcp2_crypto_encrypt(dest, &crypto_ctx.aead, plaintext, plaintextlen,
+ key, nonce, noncelen, ad, adlen) != 0)
+ return NGTCP2_ERR_CALLBACK_FAILURE;
+
+ return 0;
}
static int cb_in_decrypt(ngtcp2_conn *tconn, uint8_t *dest,
@@ -820,11 +382,16 @@ static int cb_in_decrypt(ngtcp2_conn *tconn, uint8_t *dest,
size_t noncelen, const uint8_t *ad, size_t adlen,
void *user_data)
{
- struct quicsocket *qs = (struct quicsocket *)user_data;
+ ngtcp2_crypto_ctx crypto_ctx;
(void)tconn;
- return Curl_qc_decrypt(dest, ciphertext, ciphertextlen,
- &qs->hs_crypto_ctx, key,
- nonce, noncelen, ad, adlen);
+ (void)user_data;
+
+ ngtcp2_crypto_ctx_initial(&crypto_ctx);
+ if(ngtcp2_crypto_decrypt(dest, &crypto_ctx.aead, ciphertext, ciphertextlen,
+ key, nonce, noncelen, ad, adlen) != 0)
+ return NGTCP2_ERR_TLS_DECRYPT;
+
+ return 0;
}
@@ -837,14 +404,13 @@ static int cb_encrypt_data(ngtcp2_conn *tconn,
void *user_data)
{
struct quicsocket *qs = (struct quicsocket *)user_data;
- int rc;
(void)tconn;
- rc = Curl_qc_encrypt(dest, plaintext, plaintextlen,
- &qs->crypto_ctx,
- key, nonce, noncelen, ad, adlen);
- if(rc < 0)
+
+ if(ngtcp2_crypto_encrypt(dest, &qs->crypto_ctx.aead, plaintext, plaintextlen,
+ key, nonce, noncelen, ad, adlen) != 0)
return NGTCP2_ERR_CALLBACK_FAILURE;
- return rc;
+
+ return 0;
}
static int cb_decrypt_data(ngtcp2_conn *tconn, uint8_t *dest,
@@ -855,13 +421,14 @@ static int cb_decrypt_data(ngtcp2_conn *tconn, uint8_t *dest,
void *user_data)
{
struct quicsocket *qs = (struct quicsocket *)user_data;
- int rc;
(void)tconn;
- rc = Curl_qc_decrypt(dest, ciphertext, ciphertextlen,
- &qs->crypto_ctx, key, nonce, noncelen, ad, adlen);
- if(rc < 0)
+
+ if(ngtcp2_crypto_decrypt(dest, &qs->crypto_ctx.aead, ciphertext,
+ ciphertextlen, key, nonce, noncelen, ad,
+ adlen) != 0)
return NGTCP2_ERR_TLS_DECRYPT;
- return rc;
+
+ return 0;
}
static int cb_recv_stream_data(ngtcp2_conn *tconn, int64_t stream_id,
@@ -974,15 +541,16 @@ static int cb_in_hp_mask(ngtcp2_conn *tconn, uint8_t *dest,
const uint8_t *key, const uint8_t *sample,
void *user_data)
{
- struct quicsocket *qs = (struct quicsocket *)user_data;
- int nwrite;
+ ngtcp2_crypto_ctx crypto_ctx;
(void)tconn;
+ (void)user_data;
+
+ ngtcp2_crypto_ctx_initial(&crypto_ctx);
- nwrite = Curl_qc_hp_mask(dest, &qs->hs_crypto_ctx, key, sample);
- if(nwrite < 0)
+ if(ngtcp2_crypto_hp_mask(dest, &crypto_ctx.hp, key, sample) != 0)
return NGTCP2_ERR_CALLBACK_FAILURE;
- return nwrite;
+ return 0;
}
static int cb_hp_mask(ngtcp2_conn *tconn, uint8_t *dest,
@@ -990,14 +558,12 @@ static int cb_hp_mask(ngtcp2_conn *tconn, uint8_t *dest,
void *user_data)
{
struct quicsocket *qs = (struct quicsocket *)user_data;
- int nwrite;
(void)tconn;
- nwrite = Curl_qc_hp_mask(dest, &qs->crypto_ctx, key, sample);
- if(nwrite < 0)
+ if(ngtcp2_crypto_hp_mask(dest, &qs->crypto_ctx.hp, key, sample) != 0)
return NGTCP2_ERR_CALLBACK_FAILURE;
- return nwrite;
+ return 0;
}
static int cb_extend_max_local_streams_bidi(ngtcp2_conn *tconn,
@@ -1101,6 +667,9 @@ CURLcode Curl_quic_connect(struct connectdata *conn,
struct quicsocket *qs = &conn->hequic[sockindex];
char ipbuf[40];
long port;
+ uint8_t paramsbuf[64];
+ ngtcp2_transport_params params;
+ ssize_t nwrite;
(void)addrlen;
qs->conn = conn;
@@ -1136,9 +705,6 @@ CURLcode Curl_quic_connect(struct connectdata *conn,
quic_settings(&qs->settings);
- qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_INITIAL;
- qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_INITIAL;
-
qs->local_addrlen = sizeof(qs->local_addr);
rv = getsockname(sockfd, (struct sockaddr *)&qs->local_addr,
&qs->local_addrlen);
@@ -1159,6 +725,20 @@ CURLcode Curl_quic_connect(struct connectdata *conn,
if(rc)
return CURLE_FAILED_INIT; /* TODO: create a QUIC error code */
+ ngtcp2_conn_get_local_transport_params(qs->qconn, &params);
+ nwrite = ngtcp2_encode_transport_params(
+ paramsbuf, sizeof(paramsbuf), NGTCP2_TRANSPORT_PARAMS_TYPE_CLIENT_HELLO,
+ &params);
+ if(nwrite < 0) {
+ fprintf(stderr, "ngtcp2_encode_transport_params: %s\n",
+ ngtcp2_strerror((int)nwrite));
+
+ return CURLE_FAILED_INIT;
+ }
+
+ if(!SSL_set_quic_transport_params(qs->ssl, paramsbuf, nwrite))
+ return CURLE_FAILED_INIT;
+
rc = setup_initial_crypto_context(qs);
if(rc)
return CURLE_FAILED_INIT; /* TODO: better return code */
diff --git a/lib/vquic/ngtcp2.h b/lib/vquic/ngtcp2.h
index 4937fe1e9..19987db94 100644
--- a/lib/vquic/ngtcp2.h
+++ b/lib/vquic/ngtcp2.h
@@ -27,9 +27,9 @@
#ifdef USE_NGTCP2
#include <ngtcp2/ngtcp2.h>
+#include <ngtcp2/ngtcp2_crypto.h>
#include <nghttp3/nghttp3.h>
#include <openssl/ssl.h>
-#include "ngtcp2-crypto.h"
struct quic_handshake {
char *buf; /* pointer to the buffer */
@@ -47,14 +47,10 @@ struct quicsocket {
ngtcp2_settings settings;
SSL_CTX *sslctx;
SSL *ssl;
- struct Context crypto_ctx;
- struct Context hs_crypto_ctx;
- struct quic_handshake handshake;
+ ngtcp2_crypto_ctx crypto_ctx;
struct quic_handshake client_crypto_data[3];
/* the last TLS alert description generated by the local endpoint */
uint8_t tls_alert;
- ngtcp2_crypto_level tx_crypto_level;
- ngtcp2_crypto_level rx_crypto_level;
struct sockaddr_storage local_addr;
socklen_t local_addrlen;