diff --git a/configure.ac b/configure.ac index 718259699..07e0a502e 100755 --- a/configure.ac +++ b/configure.ac @@ -3427,6 +3427,61 @@ if test X"$want_tcp2" != Xno; then fi +if test "x$NGTCP2_ENABLED" = "x1"; then + dnl backup the pre-ngtcp2_crypto_openssl variables + CLEANLDFLAGS="$LDFLAGS" + CLEANCPPFLAGS="$CPPFLAGS" + CLEANLIBS="$LIBS" + + CURL_CHECK_PKGCONFIG(libngtcp2_crypto_openssl, $want_tcp2_path) + + if test "$PKGCONFIG" != "no" ; then + LIB_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path]) + $PKGCONFIG --libs-only-l libngtcp2_crypto_openssl` + AC_MSG_NOTICE([-l is $LIB_NGTCP2_CRYPTO_OPENSSL]) + + CPP_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path]) dnl + $PKGCONFIG --cflags-only-I libngtcp2_crypto_openssl` + AC_MSG_NOTICE([-I is $CPP_NGTCP2_CRYPTO_OPENSSL]) + + LD_NGTCP2_CRYPTO_OPENSSL=`CURL_EXPORT_PCDIR([$want_tcp2_path]) + $PKGCONFIG --libs-only-L libngtcp2_crypto_openssl` + AC_MSG_NOTICE([-L is $LD_NGTCP2_CRYPTO_OPENSSL]) + + LDFLAGS="$LDFLAGS $LD_NGTCP2_CRYPTO_OPENSSL" + CPPFLAGS="$CPPFLAGS $CPP_NGTCP2_CRYPTO_OPENSSL" + LIBS="$LIB_NGTCP2_CRYPTO_OPENSSL $LIBS" + + if test "x$cross_compiling" != "xyes"; then + DIR_NGTCP2_CRYPTO_OPENSSL=`echo $LD_NGTCP2_CRYPTO_OPENSSL | $SED -e 's/-L//'` + fi + AC_CHECK_LIB(ngtcp2_crypto_openssl, ngtcp2_crypto_ctx_initial, + [ + AC_CHECK_HEADERS(ngtcp2/ngtcp2_crypto.h, + NGTCP2_ENABLED=1 + AC_DEFINE(USE_NGTCP2_CRYPTO_OPENSSL, 1, [if ngtcp2_crypto_openssl is in use]) + AC_SUBST(USE_NGTCP2_CRYPTO_OPENSSL, [1]) + CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGTCP2_CRYPTO_OPENSSL" + export CURL_LIBRARY_PATH + AC_MSG_NOTICE([Added $DIR_NGTCP2_CRYPTO_OPENSSL to CURL_LIBRARY_PATH]) + ) + ], + dnl not found, revert back to clean variables + LDFLAGS=$CLEANLDFLAGS + CPPFLAGS=$CLEANCPPFLAGS + LIBS=$CLEANLIBS + ) + + else + dnl no ngtcp2_crypto_openssl pkg-config found, deal with it + if test X"$want_tcp2" != Xdefault; then + dnl To avoid link errors, we do not allow --with-ngtcp2 without + dnl a pkgconfig file + AC_MSG_ERROR([--with-ngtcp2 was specified but could not find ngtcp2_crypto_openssl pkg-config file.]) + fi + fi +fi + dnl ********************************************************************** dnl Check for nghttp3 (HTTP/3 with ngtcp2) dnl ********************************************************************** diff --git a/lib/Makefile.inc b/lib/Makefile.inc index de37f2e3b..3e3a385c5 100644 --- a/lib/Makefile.inc +++ b/lib/Makefile.inc @@ -37,9 +37,9 @@ LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h \ vtls/wolfssl.h vtls/schannel.h vtls/sectransp.h vtls/gskit.h \ vtls/mbedtls.h vtls/mesalink.h -LIB_VQUIC_CFILES = vquic/ngtcp2.c vquic/ngtcp2-crypto.c vquic/quiche.c +LIB_VQUIC_CFILES = vquic/ngtcp2.c vquic/quiche.c -LIB_VQUIC_HFILES = vquic/ngtcp2.h vquic/ngtcp2-crypto.h vquic/quiche.h +LIB_VQUIC_HFILES = vquic/ngtcp2.h vquic/quiche.h LIB_VSSH_CFILES = vssh/libssh2.c vssh/libssh.c diff --git a/lib/vquic/ngtcp2-crypto.c b/lib/vquic/ngtcp2-crypto.c deleted file mode 100644 index 887c130cb..000000000 --- a/lib/vquic/ngtcp2-crypto.c +++ /dev/null @@ -1,511 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -#include "curl_setup.h" - -#ifdef USE_NGTCP2 -#include -#include -#include -#include -#include "ngtcp2-crypto.h" -/* The last 3 #include files should be in this order */ -#include "curl_printf.h" -#include "curl_memory.h" -#include "memdebug.h" - -static int hkdf_expand_label(uint8_t *dest, size_t destlen, - const uint8_t *secret, size_t secretlen, - const uint8_t *label, size_t labellen, - const struct Context *ctx); - -void Curl_qc_prf_sha256(struct Context *ctx) -{ - ctx->prf = EVP_sha256(); -} - -void Curl_qc_aead_aes_128_gcm(struct Context *ctx) -{ - ctx->aead = EVP_aes_128_gcm(); - ctx->hp = EVP_aes_128_ctr(); -} - -size_t Curl_qc_aead_nonce_length(const struct Context *ctx) -{ - return EVP_CIPHER_iv_length(ctx->aead); -} - - -int Curl_qc_negotiated_prf(struct Context *ctx, SSL *ssl) -{ - switch(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))) { - case 0x03001301u: /* TLS_AES_128_GCM_SHA256 */ - case 0x03001303u: /* TLS_CHACHA20_POLY1305_SHA256 */ - case 0x03001304u: /* TLS_AES_128_CCM_SHA256 */ - ctx->prf = EVP_sha256(); - return 0; - case 0x03001302u: /* TLS_AES_256_GCM_SHA384 */ - ctx->prf = EVP_sha384(); - return 0; - default: - return -1; - } -} - -int Curl_qc_negotiated_aead(struct Context *ctx, SSL *ssl) -{ - switch(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))) { - case 0x03001301u: /* TLS_AES_128_GCM_SHA256 */ - ctx->aead = EVP_aes_128_gcm(); - ctx->hp = EVP_aes_128_ctr(); - return 0; - case 0x03001302u: /* TLS_AES_256_GCM_SHA384 */ - ctx->aead = EVP_aes_256_gcm(); - ctx->hp = EVP_aes_256_ctr(); - return 0; - case 0x03001303u: /* TLS_CHACHA20_POLY1305_SHA256 */ - ctx->aead = EVP_chacha20_poly1305(); - ctx->hp = EVP_chacha20(); - return 0; - case 0x03001304u: /* TLS_AES_128_CCM_SHA256 */ - ctx->aead = EVP_aes_128_ccm(); - ctx->hp = EVP_aes_128_ctr(); - return 0; - default: - return -1; - } -} - -ssize_t Curl_qc_encrypt_pn(uint8_t *dest, size_t destlen, - const uint8_t *plaintext, size_t plaintextlen, - const struct Context *ctx, - const uint8_t *key, size_t keylen, - const uint8_t *nonce, size_t noncelen) -{ - EVP_CIPHER_CTX *actx = EVP_CIPHER_CTX_new(); - size_t outlen = 0; - int len; - (void)destlen; - (void)keylen; - (void)noncelen; - - if(!actx) - return -1; - - if(EVP_EncryptInit_ex(actx, ctx->hp, NULL, key, nonce) != 1) - goto error; - - if(EVP_EncryptUpdate(actx, dest, &len, plaintext, (int)plaintextlen) != 1) - goto error; - - assert(len > 0); - - outlen = len; - - if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1) - goto error; - - assert(len == 0); - /* outlen += len; */ - - EVP_CIPHER_CTX_free(actx); - return outlen; - - error: - EVP_CIPHER_CTX_free(actx); - return -1; -} - -static int hkdf_expand(uint8_t *dest, size_t destlen, const uint8_t *secret, - size_t secretlen, const uint8_t *info, size_t infolen, - const struct Context *ctx) -{ - void *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - if(!pctx) - return -1; - - if(EVP_PKEY_derive_init(pctx) != 1) - goto err; - - if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != 1) - goto err; - - if(EVP_PKEY_CTX_set_hkdf_md(pctx, ctx->prf) != 1) - goto err; - - if(EVP_PKEY_CTX_set1_hkdf_salt(pctx, "", 0) != 1) - goto err; - - if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, (int)secretlen) != 1) - goto err; - - if(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, (int)infolen) != 1) - goto err; - - if(EVP_PKEY_derive(pctx, dest, &destlen) != 1) - goto err; - - return 0; - err: - EVP_PKEY_CTX_free(pctx); - return -1; -} - -static int hkdf_extract(uint8_t *dest, size_t destlen, - const uint8_t *secret, size_t secretlen, - const uint8_t *salt, size_t saltlen, - const struct Context *ctx) -{ - void *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - if(!pctx) - return -1; - - if(EVP_PKEY_derive_init(pctx) != 1) - goto err; - - if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != 1) { - goto err; - } - - if(EVP_PKEY_CTX_set_hkdf_md(pctx, ctx->prf) != 1) { - goto err; - } - - if(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, (int)saltlen) != 1) { - goto err; - } - - if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, (int)secretlen) != 1) { - goto err; - } - - if(EVP_PKEY_derive(pctx, dest, &destlen) != 1) { - goto err; - } - - EVP_PKEY_CTX_free(pctx); - return 0; - err: - EVP_PKEY_CTX_free(pctx); - return -1; -} - -static size_t aead_key_length(const struct Context *ctx) -{ - return EVP_CIPHER_key_length(ctx->aead); -} - -static size_t aead_tag_length(const struct Context *ctx) -{ - if(ctx->aead == EVP_aes_128_gcm() || ctx->aead == EVP_aes_256_gcm()) { - return EVP_GCM_TLS_TAG_LEN; - } - if(ctx->aead == EVP_chacha20_poly1305()) { - return EVP_CHACHAPOLY_TLS_TAG_LEN; - } - if(ctx->aead == EVP_aes_128_ccm()) - return EVP_CCM_TLS_TAG_LEN; - assert(0); -} - -size_t Curl_qc_aead_max_overhead(const struct Context *ctx) -{ - return aead_tag_length(ctx); -} - -int Curl_qc_encrypt(uint8_t *dest, - const uint8_t *plaintext, size_t plaintextlen, - const struct Context *ctx, - const uint8_t *key, - const uint8_t *nonce, size_t noncelen, - const uint8_t *ad, size_t adlen) -{ - size_t taglen = aead_tag_length(ctx); - EVP_CIPHER_CTX *actx; - int outlen = 0; - int len; - - actx = EVP_CIPHER_CTX_new(); - if(!actx) - return -1; - - if(EVP_EncryptInit_ex(actx, ctx->aead, NULL, NULL, NULL) != 1) - goto error; - - if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_IVLEN, - (int)noncelen, NULL) != 1) - goto error; - - if(ctx->aead == EVP_aes_128_ccm() && - EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG, (int)taglen, NULL) != 1) - goto error; - - if(EVP_EncryptInit_ex(actx, NULL, NULL, key, nonce) != 1) - goto error; - - if(ctx->aead == EVP_aes_128_ccm() && - EVP_EncryptUpdate(actx, NULL, &len, NULL, (int)plaintextlen) != 1) - goto error; - - if(EVP_EncryptUpdate(actx, NULL, &len, ad, (int)adlen) != 1) - goto error; - - if(EVP_EncryptUpdate(actx, dest, &len, plaintext, (int)plaintextlen) != 1) - goto error; - - outlen = len; - if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1) - goto error; - - if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_GET_TAG, - (int)taglen, dest + outlen) != 1) - goto error; - - EVP_CIPHER_CTX_free(actx); - return 0; - - error: - EVP_CIPHER_CTX_free(actx); - return -1; -} - -int Curl_qc_decrypt(uint8_t *dest, - const uint8_t *ciphertext, size_t ciphertextlen, - const struct Context *ctx, - const uint8_t *key, - const uint8_t *nonce, size_t noncelen, - const uint8_t *ad, size_t adlen) -{ - size_t taglen = aead_tag_length(ctx); - const uint8_t *tag; - EVP_CIPHER_CTX *actx; - int outlen; - int len; - - if(taglen > ciphertextlen) - return -1; - - ciphertextlen -= taglen; - tag = ciphertext + ciphertextlen; - - actx = EVP_CIPHER_CTX_new(); - if(!actx) - return -1; - - if(EVP_DecryptInit_ex(actx, ctx->aead, NULL, NULL, NULL) != 1) - goto error; - - if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_IVLEN, (int)noncelen, NULL) != - 1) - goto error; - - if(ctx->aead == EVP_aes_128_ccm() && - EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG, (int)taglen, - (uint8_t *)tag) != 1) - goto error; - - if(EVP_DecryptInit_ex(actx, NULL, NULL, key, nonce) != 1) - goto error; - - if(ctx->aead == EVP_aes_128_ccm() && - EVP_DecryptUpdate(actx, NULL, &len, NULL, (int)ciphertextlen) != 1) - goto error; - - if(EVP_DecryptUpdate(actx, NULL, &len, ad, (int)adlen) != 1) - goto error; - - if(EVP_DecryptUpdate(actx, dest, &len, ciphertext, (int)ciphertextlen) != 1) - goto error; - - outlen = len; - - if(ctx->aead == EVP_aes_128_ccm()) - return 0; - - if(EVP_CIPHER_CTX_ctrl(actx, EVP_CTRL_AEAD_SET_TAG, - (int)taglen, (char *)tag) != 1) - goto error; - - if(EVP_DecryptFinal_ex(actx, dest + outlen, &len) != 1) - goto error; - - EVP_CIPHER_CTX_free(actx); - return 0; - error: - EVP_CIPHER_CTX_free(actx); - return -1; -} - -int Curl_qc_derive_initial_secret(uint8_t *dest, size_t destlen, - const ngtcp2_cid *secret, - const uint8_t *salt, - size_t saltlen) -{ - struct Context ctx; - Curl_qc_prf_sha256(&ctx); - return hkdf_extract(dest, destlen, secret->data, secret->datalen, salt, - saltlen, &ctx); -} - -int Curl_qc_derive_client_initial_secret(uint8_t *dest, - size_t destlen, - const uint8_t *secret, - size_t secretlen) -{ - static uint8_t LABEL[] = "client in"; - struct Context ctx; - Curl_qc_prf_sha256(&ctx); - return hkdf_expand_label(dest, destlen, secret, secretlen, LABEL, - sizeof(LABEL) - 1, &ctx); -} - -ssize_t Curl_qc_derive_packet_protection_key(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen, - const struct Context *ctx) -{ - int rv; - static uint8_t LABEL[] = "quic key"; - size_t keylen = aead_key_length(ctx); - if(keylen > destlen) { - return -1; - } - - rv = hkdf_expand_label(dest, keylen, secret, secretlen, LABEL, - sizeof(LABEL) - 1, ctx); - if(rv) { - return -1; - } - - return keylen; -} - -ssize_t Curl_qc_derive_packet_protection_iv(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen, - const struct Context *ctx) -{ - int rv; - static uint8_t LABEL[] = "quic iv"; - - size_t ivlen = CURLMAX(8, Curl_qc_aead_nonce_length(ctx)); - if(ivlen > destlen) { - return -1; - } - - rv = hkdf_expand_label(dest, ivlen, secret, secretlen, LABEL, - sizeof(LABEL) - 1, ctx); - if(rv) { - return -1; - } - - return ivlen; -} - -int Curl_qc_derive_server_initial_secret(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen) -{ - static uint8_t LABEL[] = "server in"; - struct Context ctx; - Curl_qc_prf_sha256(&ctx); - return hkdf_expand_label(dest, destlen, secret, secretlen, LABEL, - sizeof(LABEL) - 1, &ctx); -} - -static int -hkdf_expand_label(uint8_t *dest, size_t destlen, const uint8_t *secret, - size_t secretlen, const uint8_t *label, size_t labellen, - const struct Context *ctx) -{ - uint8_t info[256]; - static const uint8_t LABEL[] = "tls13 "; - - uint8_t *p = &info[0]; - *p++ = (destlen / 256)&0xff; - *p++ = destlen % 256; - *p++ = (sizeof(LABEL) - 1 + labellen) & 0xff; - memcpy(p, LABEL, sizeof(LABEL) - 1); - p += sizeof(LABEL) - 1; - memcpy(p, label, labellen); - p += labellen; - *p++ = 0; - - return hkdf_expand(dest, destlen, secret, secretlen, &info[0], - p - &info[0], ctx); -} - -ssize_t -Curl_qc_derive_header_protection_key(uint8_t *dest, size_t destlen, - const uint8_t *secret, size_t secretlen, - const struct Context *ctx) -{ - int rv; - static uint8_t LABEL[] = "quic hp"; - - size_t keylen = aead_key_length(ctx); - if(keylen > destlen) - return -1; - - rv = hkdf_expand_label(dest, keylen, secret, secretlen, LABEL, - sizeof(LABEL) - 1, ctx); - - if(rv) - return -1; - - return keylen; -} - -int Curl_qc_hp_mask(uint8_t *dest, const struct Context *ctx, - const uint8_t *key, const uint8_t *sample) -{ - static uint8_t PLAINTEXT[] = "\x00\x00\x00\x00\x00"; - EVP_CIPHER_CTX *actx; - int outlen = 0; - int len; - actx = EVP_CIPHER_CTX_new(); - if(!actx) - return -1; - - if(EVP_EncryptInit_ex(actx, ctx->hp, NULL, key, sample) != 1) - goto error; - if(EVP_EncryptUpdate(actx, dest, &len, PLAINTEXT, - (int)(sizeof(PLAINTEXT) - 1)) != 1) - goto error; - - DEBUGASSERT(len == 5); - - outlen = len; - - if(EVP_EncryptFinal_ex(actx, dest + outlen, &len) != 1) - goto error; - - DEBUGASSERT(len == 0); - - return 0; - error: - EVP_CIPHER_CTX_free(actx); - return -1; -} - - -#endif diff --git a/lib/vquic/ngtcp2-crypto.h b/lib/vquic/ngtcp2-crypto.h deleted file mode 100644 index ae75517ab..000000000 --- a/lib/vquic/ngtcp2-crypto.h +++ /dev/null @@ -1,91 +0,0 @@ -#ifndef HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H -#define HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -#include "curl_setup.h" - -#ifdef USE_NGTCP2 -struct Context { -#if defined(OPENSSL_IS_BORINGSSL) - const EVP_AEAD *aead; -#else /* !OPENSSL_IS_BORINGSSL */ - const EVP_CIPHER *aead; -#endif /* !OPENSSL_IS_BORINGSSL */ - const EVP_CIPHER *hp; - const EVP_MD *prf; - uint8_t tx_secret[64]; - uint8_t rx_secret[64]; - size_t secretlen; -}; - -void Curl_qc_prf_sha256(struct Context *ctx); -void Curl_qc_aead_aes_128_gcm(struct Context *ctx); -size_t Curl_qc_aead_nonce_length(const struct Context *ctx); -int Curl_qc_negotiated_prf(struct Context *ctx, SSL *ssl); -int Curl_qc_negotiated_aead(struct Context *ctx, SSL *ssl); -size_t Curl_qc_aead_max_overhead(const struct Context *ctx); -int Curl_qc_encrypt(uint8_t *dest, - const uint8_t *plaintext, size_t plaintextlen, - const struct Context *ctx, - const uint8_t *key, - const uint8_t *nonce, size_t noncelen, - const uint8_t *ad, size_t adlen); -int Curl_qc_decrypt(uint8_t *dest, - const uint8_t *ciphertext, size_t ciphertextlen, - const struct Context *ctx, - const uint8_t *key, - const uint8_t *nonce, size_t noncelen, - const uint8_t *ad, size_t adlen); -ssize_t Curl_qc_encrypt_pn(uint8_t *dest, size_t destlen, - const uint8_t *plaintext, size_t plaintextlen, - const struct Context *ctx, - const uint8_t *key, size_t keylen, - const uint8_t *nonce, size_t noncelen); -int Curl_qc_derive_initial_secret(uint8_t *dest, size_t destlen, - const ngtcp2_cid *secret, - const uint8_t *salt, - size_t saltlen); -int Curl_qc_derive_client_initial_secret(uint8_t *dest, - size_t destlen, - const uint8_t *secret, - size_t secretlen); -ssize_t Curl_qc_derive_packet_protection_key(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen, - const struct Context *ctx); -ssize_t Curl_qc_derive_packet_protection_iv(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen, - const struct Context *ctx); -int Curl_qc_derive_server_initial_secret(uint8_t *dest, size_t destlen, - const uint8_t *secret, - size_t secretlen); -ssize_t -Curl_qc_derive_header_protection_key(uint8_t *dest, size_t destlen, - const uint8_t *secret, size_t secretlen, - const struct Context *ctx); - -int Curl_qc_hp_mask(uint8_t *dest, const struct Context *ctx, - const uint8_t *key, const uint8_t *sample); -#endif /* USE_NGTCP2 */ -#endif /* HEADER_CURL_VQUIC_NGTCP2_CRYPTO_H */ diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c index 6abbfa2ab..9fa04b4c7 100644 --- a/lib/vquic/ngtcp2.c +++ b/lib/vquic/ngtcp2.c @@ -31,7 +31,6 @@ #include "strdup.h" #include "rand.h" #include "ngtcp2.h" -#include "ngtcp2-crypto.h" #include "multiif.h" #include "strcase.h" #include "connect.h" @@ -99,91 +98,31 @@ static void quic_printf(void *user_data, const char *fmt, ...) } #endif +static ngtcp2_crypto_level +quic_from_ossl_level(OSSL_ENCRYPTION_LEVEL ossl_level) +{ + switch(ossl_level) { + case ssl_encryption_initial: + return NGTCP2_CRYPTO_LEVEL_INITIAL; + case ssl_encryption_early_data: + return NGTCP2_CRYPTO_LEVEL_EARLY; + case ssl_encryption_handshake: + return NGTCP2_CRYPTO_LEVEL_HANDSHAKE; + case ssl_encryption_application: + return NGTCP2_CRYPTO_LEVEL_APP; + default: + assert(0); + } +} + static int setup_initial_crypto_context(struct quicsocket *qs) { - int rv; - uint8_t initial_secret[32]; - uint8_t secret[32]; - const ngtcp2_cid *dcid; - uint8_t key[16]; - ssize_t keylen; - uint8_t iv[16]; - ssize_t ivlen; - uint8_t hp[16]; - ssize_t hplen; + const ngtcp2_cid *dcid = ngtcp2_conn_get_dcid(qs->qconn); - dcid = ngtcp2_conn_get_dcid(qs->qconn); - rv = Curl_qc_derive_initial_secret(initial_secret, sizeof(initial_secret), - dcid, (uint8_t *)NGTCP2_INITIAL_SALT, - strlen(NGTCP2_INITIAL_SALT)); - if(rv) { + if(ngtcp2_crypto_derive_and_install_initial_key( + qs->qconn, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, dcid, + NGTCP2_CRYPTO_SIDE_CLIENT) != 0) return -1; - } - - Curl_qc_prf_sha256(&qs->hs_crypto_ctx); - Curl_qc_aead_aes_128_gcm(&qs->hs_crypto_ctx); - - rv = Curl_qc_derive_client_initial_secret(secret, sizeof(secret), - initial_secret, - sizeof(initial_secret)); - if(rv) { - return -1; - } - - keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(keylen < 0) { - return -1; - } - - ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(ivlen < 0) { - return -1; - } - - hplen = Curl_qc_derive_header_protection_key(hp, sizeof(hp), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(hplen < 0) { - return -1; - } - - ngtcp2_conn_install_initial_tx_keys(qs->qconn, key, keylen, iv, ivlen, - hp, hplen); - - rv = Curl_qc_derive_server_initial_secret(secret, sizeof(secret), - initial_secret, - sizeof(initial_secret)); - if(rv) { - return -1; - } - - keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(keylen < 0) { - return -1; - } - - ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(ivlen < 0) { - return -1; - } - - hplen = Curl_qc_derive_header_protection_key(hp, sizeof(hp), - secret, sizeof(secret), - &qs->hs_crypto_ctx); - if(hplen < 0) { - return -1; - } - - ngtcp2_conn_install_initial_rx_keys(qs->qconn, - key, keylen, iv, ivlen, hp, hplen); return 0; } @@ -206,85 +145,6 @@ static void quic_settings(ngtcp2_settings *s) s->idle_timeout = QUIC_IDLE_TIMEOUT; } -/* SSL extension functions */ -static int transport_params_add_cb(SSL *ssl, unsigned int ext_type, - unsigned int content, - const unsigned char **out, - size_t *outlen, X509 *x, - size_t chainidx, int *al, void *add_arg) -{ - struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); - ngtcp2_transport_params params; - uint8_t buf[64]; - ssize_t nwrite; - (void)ext_type; - (void)content; - (void)x; - (void)chainidx; - (void)add_arg; - - ngtcp2_conn_get_local_transport_params(qs->qconn, ¶ms); - - nwrite = ngtcp2_encode_transport_params( - buf, sizeof(buf), NGTCP2_TRANSPORT_PARAMS_TYPE_CLIENT_HELLO, ¶ms); - if(nwrite < 0) { - fprintf(stderr, "ngtcp2_encode_transport_params: %s\n", - ngtcp2_strerror((int)nwrite)); - *al = SSL_AD_INTERNAL_ERROR; - return -1; - } - - *out = Curl_memdup(buf, nwrite); - *outlen = nwrite; - - return 1; -} - -static void transport_params_free_cb(SSL *ssl, unsigned int ext_type, - unsigned int context, - const unsigned char *out, - void *add_arg) -{ - (void)ssl; - (void)ext_type; - (void)context; - (void)add_arg; - free((char *)out); -} - -static int transport_params_parse_cb(SSL *ssl, unsigned int ext_type, - unsigned int context, - const unsigned char *in, - size_t inlen, X509 *x, size_t chainidx, - int *al, void *parse_arg) -{ - struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); - int rv; - ngtcp2_transport_params params; - (void)ext_type; - (void)context; - (void)x; - (void)chainidx; - (void)parse_arg; - - rv = ngtcp2_decode_transport_params( - ¶ms, NGTCP2_TRANSPORT_PARAMS_TYPE_ENCRYPTED_EXTENSIONS, in, inlen); - if(rv) { - fprintf(stderr, "ngtcp2_decode_transport_params: %s\n", - ngtcp2_strerror(rv)); - *al = SSL_AD_ILLEGAL_PARAMETER; - return -1; - } - - rv = ngtcp2_conn_set_remote_transport_params(qs->qconn, ¶ms); - if(rv) { - *al = SSL_AD_ILLEGAL_PARAMETER; - return -1; - } - - return 1; -} - static FILE *keylog_file; /* not thread-safe */ static void keylog_callback(const SSL *ssl, const char *line) { @@ -294,6 +154,106 @@ static void keylog_callback(const SSL *ssl, const char *line) fflush(keylog_file); } +static int init_ngh3_conn(struct quicsocket *qs); + +static int quic_set_encryption_secrets(SSL *ssl, + OSSL_ENCRYPTION_LEVEL ossl_level, + const uint8_t *rx_secret, + const uint8_t *tx_secret, + size_t secretlen) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + int level = quic_from_ossl_level(ossl_level); + int rv; + + if(!qs->crypto_ctx.aead.native_handle) { + ngtcp2_crypto_ctx_tls(&qs->crypto_ctx, ssl); + ngtcp2_conn_set_aead_overhead( + qs->qconn, ngtcp2_crypto_aead_taglen(&qs->crypto_ctx.aead)); + } + + if(ngtcp2_crypto_derive_and_install_key( + qs->qconn, NULL, NULL, NULL, NULL, NULL, NULL, &qs->crypto_ctx.aead, + &qs->crypto_ctx.md, level, rx_secret, tx_secret, secretlen, + NGTCP2_CRYPTO_SIDE_CLIENT) != 0) + return 0; + + if(level == NGTCP2_CRYPTO_LEVEL_APP) { + const uint8_t *tp; + size_t tplen; + ngtcp2_transport_params params; + + SSL_get_peer_quic_transport_params(ssl, &tp, &tplen); + + rv = ngtcp2_decode_transport_params( + ¶ms, NGTCP2_TRANSPORT_PARAMS_TYPE_ENCRYPTED_EXTENSIONS, tp, tplen); + if(rv != 0) + return 0; + + rv = ngtcp2_conn_set_remote_transport_params(qs->qconn, ¶ms); + if(rv != 0) + return 0; + + if(init_ngh3_conn(qs) != CURLE_OK) + return 0; + } + + return 1; +} + +static int quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level, + const uint8_t *data, size_t len) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + struct quic_handshake *crypto_data; + ngtcp2_crypto_level level = quic_from_ossl_level(ossl_level); + int rv; + + crypto_data = &qs->client_crypto_data[level]; + if(crypto_data->buf == NULL) { + crypto_data->buf = malloc(4096); + crypto_data->alloclen = 4096; + /* TODO Explode if malloc failed */ + } + + /* TODO Just pretend that handshake does not grow more than 4KiB for + now */ + assert(crypto_data->len + len <= crypto_data->alloclen); + + memcpy(&crypto_data->buf[crypto_data->len], data, len); + crypto_data->len += len; + + rv = ngtcp2_conn_submit_crypto_data( + qs->qconn, level, (uint8_t *)(&crypto_data->buf[crypto_data->len] - len), + len); + if(rv) { + fprintf(stderr, "write_client_handshake failed\n"); + } + assert(0 == rv); + + return 1; +} + +static int quic_flush_flight(SSL *ssl) +{ + (void)ssl; + return 1; +} + +static int quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, + uint8_t alert) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + (void)level; + + qs->tls_alert = alert; + return 1; +} + +static SSL_QUIC_METHOD quic_method = {quic_set_encryption_secrets, + quic_add_handshake_data, + quic_flush_flight, quic_send_alert}; + static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) { SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method()); @@ -302,9 +262,6 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION); - /* This makes OpenSSL client not send CCS after an initial ClientHello. */ - SSL_CTX_clear_options(ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); - SSL_CTX_set_default_verify_paths(ssl_ctx); if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) { @@ -318,20 +275,7 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) return NULL; } - SSL_CTX_set_mode(ssl_ctx, SSL_MODE_QUIC_HACK); - - if(SSL_CTX_add_custom_ext(ssl_ctx, - NGTCP2_TLSEXT_QUIC_TRANSPORT_PARAMETERS, - SSL_EXT_CLIENT_HELLO | - SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, - transport_params_add_cb, - transport_params_free_cb, NULL, - transport_params_parse_cb, NULL) != 1) { - failf(data, "SSL_CTX_add_custom_ext(NGTCP2_TLSEXT_QUIC_TRANSPORT_" - "PARAMETERS) failed: %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return NULL; - } + SSL_CTX_set_quic_method(ssl_ctx, &quic_method); keylog_filename = getenv("SSLKEYLOGFILE"); if(keylog_filename) { @@ -346,287 +290,8 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) /** SSL callbacks ***/ -static void set_tls_alert(struct quicsocket *qs, uint8_t alert) -{ - qs->tls_alert = alert; -} -static int init_ngh3_conn(struct quicsocket *qs); - -static int ssl_on_key(struct quicsocket *qs, - int name, const uint8_t *secret, size_t secretlen) -{ - int rv; - uint8_t hp[64]; - ssize_t hplen; - uint8_t key[64]; - ssize_t keylen; - uint8_t iv[64]; - ssize_t ivlen; - struct Context *crypto_ctx = &qs->crypto_ctx; - - switch(name) { - case SSL_KEY_CLIENT_EARLY_TRAFFIC: - case SSL_KEY_CLIENT_HANDSHAKE_TRAFFIC: - case SSL_KEY_CLIENT_APPLICATION_TRAFFIC: - case SSL_KEY_SERVER_HANDSHAKE_TRAFFIC: - case SSL_KEY_SERVER_APPLICATION_TRAFFIC: - break; - default: - return 0; - } - - /* TODO We don't have to call this everytime we get key generated. */ - rv = Curl_qc_negotiated_prf(crypto_ctx, qs->ssl); - if(rv != 0) { - return -1; - } - rv = Curl_qc_negotiated_aead(crypto_ctx, qs->ssl); - if(rv != 0) { - return -1; - } - - keylen = Curl_qc_derive_packet_protection_key(key, sizeof(key), secret, - secretlen, crypto_ctx); - if(keylen < 0) { - return -1; - } - - ivlen = Curl_qc_derive_packet_protection_iv(iv, sizeof(iv), secret, - secretlen, crypto_ctx); - if(ivlen < 0) { - return -1; - } - - hplen = - Curl_qc_derive_header_protection_key(hp, sizeof(hp), - secret, secretlen, crypto_ctx); - if(hplen < 0) - return -1; - - /* TODO Just call this once. */ - ngtcp2_conn_set_aead_overhead(qs->qconn, - Curl_qc_aead_max_overhead(crypto_ctx)); - - switch(name) { - case SSL_KEY_CLIENT_EARLY_TRAFFIC: - ngtcp2_conn_install_early_keys(qs->qconn, key, keylen, iv, ivlen, - hp, hplen); - break; - case SSL_KEY_CLIENT_HANDSHAKE_TRAFFIC: - ngtcp2_conn_install_handshake_tx_keys(qs->qconn, key, keylen, - iv, ivlen, hp, hplen); - qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_HANDSHAKE; - break; - case SSL_KEY_CLIENT_APPLICATION_TRAFFIC: - ngtcp2_conn_install_tx_keys(qs->qconn, key, keylen, iv, ivlen, - hp, hplen); - break; - case SSL_KEY_SERVER_HANDSHAKE_TRAFFIC: - ngtcp2_conn_install_handshake_rx_keys(qs->qconn, key, keylen, - iv, ivlen, - hp, hplen); - qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_HANDSHAKE; - break; - case SSL_KEY_SERVER_APPLICATION_TRAFFIC: - ngtcp2_conn_install_rx_keys(qs->qconn, key, keylen, iv, ivlen, - hp, hplen); - qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_APP; - if(init_ngh3_conn(qs) != CURLE_OK) { - return NGTCP2_ERR_CALLBACK_FAILURE; - } - - break; - } - return 0; -} - -static void ssl_msg_cb(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *user_data) -{ - int rv; - struct quicsocket *qs = (struct quicsocket *)user_data; - uint8_t *msg = (uint8_t *)buf; - struct quic_handshake *crypto_data; - (void)version; - (void)ssl; - - if(!write_p) - return; - - switch(content_type) { - case SSL3_RT_HANDSHAKE: - break; - case SSL3_RT_ALERT: - assert(len == 2); - if(msg[0] != 2 /* FATAL */) { - return; - } - set_tls_alert(qs, msg[1]); - return; - default: - return; - } - - crypto_data = &qs->client_crypto_data[qs->tx_crypto_level]; - if(crypto_data->buf == NULL) { - crypto_data->buf = malloc(4096); - crypto_data->alloclen = 4096; - /* TODO Explode if malloc failed */ - } - - /* TODO Just pretend that handshake does not grow more than 4KiB for - now */ - assert(crypto_data->len + len <= crypto_data->alloclen); - - memcpy(&crypto_data->buf[crypto_data->len], buf, len); - crypto_data->len += len; - - rv = ngtcp2_conn_submit_crypto_data(qs->qconn, qs->tx_crypto_level, - (uint8_t *) - (&crypto_data->buf[ - crypto_data->len] - len), len); - if(rv) { - fprintf(stderr, "write_client_handshake failed\n"); - } - assert(0 == rv); -} - -static int ssl_key_cb(SSL *ssl, int name, - const unsigned char *secret, - size_t secretlen, - void *arg) -{ - struct quicsocket *qs = (struct quicsocket *)arg; - (void)ssl; - - if(ssl_on_key(qs, name, secret, secretlen) != 0) - return 0; - - /* log_secret(ssl, name, secret, secretlen); */ - - return 1; -} - -static int read_server_handshake(struct quicsocket *qs, - char *buf, int buflen) -{ - struct quic_handshake *hs = &qs->handshake; - int avail = (int)(hs->len - hs->nread); - int n = CURLMIN(buflen, avail); - memcpy(buf, &hs->buf[hs->nread], n); -#ifdef DEBUG_NGTCP2 - infof(qs->conn->data, "read %d bytes of handshake data\n", n); -#endif - hs->nread += n; - return n; -} - -static void write_server_handshake(struct quicsocket *qs, - const uint8_t *ptr, size_t datalen) -{ - char *p; - struct quic_handshake *hs = &qs->handshake; - size_t alloclen = datalen + hs->alloclen; -#ifdef DEBUG_NGTCP2 - infof(qs->conn->data, "store %zd bytes of handshake data\n", datalen); -#endif - if(alloclen > hs->alloclen) { - alloclen *= 2; - p = realloc(qs->handshake.buf, alloclen); - if(!p) - return; /* BAAAAAD */ - hs->buf = p; - hs->alloclen = alloclen; - } - memcpy(&hs->buf[hs->len], ptr, datalen); - hs->len += datalen; -} - -/** BIO functions ***/ - -static int bio_write(BIO *b, const char *buf, int len) -{ - (void)b; - (void)buf; - (void)len; - assert(0); - return -1; -} - -static int bio_read(BIO *b, char *buf, int len) -{ - struct quicsocket *qs; - BIO_clear_retry_flags(b); - - qs = (struct quicsocket *)BIO_get_data(b); - - len = read_server_handshake(qs, buf, len); - if(len == 0) { - BIO_set_retry_read(b); - return -1; - } - - return len; -} - -static int bio_puts(BIO *b, const char *str) -{ - return bio_write(b, str, (int)strlen(str)); -} - -static int bio_gets(BIO *b, char *buf, int len) -{ - (void)b; - (void)buf; - (void)len; - return -1; -} - -static long bio_ctrl(BIO *b, int cmd, long num, void *ptr) -{ - (void)b; - (void)cmd; - (void)num; - (void)ptr; - switch(cmd) { - case BIO_CTRL_FLUSH: - return 1; - } - - return 0; -} - -static int bio_create(BIO *b) -{ - BIO_set_init(b, 1); - return 1; -} - -static int bio_destroy(BIO *b) -{ - if(!b) - return 0; - - return 1; -} - -static BIO_METHOD *create_bio_method(void) -{ - BIO_METHOD *meth = BIO_meth_new(BIO_TYPE_FD, "bio"); - BIO_meth_set_write(meth, bio_write); - BIO_meth_set_read(meth, bio_read); - BIO_meth_set_puts(meth, bio_puts); - BIO_meth_set_gets(meth, bio_gets); - BIO_meth_set_ctrl(meth, bio_ctrl); - BIO_meth_set_create(meth, bio_create); - BIO_meth_set_destroy(meth, bio_destroy); - return meth; -} - - static int quic_init_ssl(struct quicsocket *qs) { - BIO *bio; const uint8_t *alpn = NULL; size_t alpnlen = 0; /* this will need some attention when HTTPS proxy over QUIC get fixed */ @@ -636,16 +301,9 @@ static int quic_init_ssl(struct quicsocket *qs) SSL_free(qs->ssl); qs->ssl = SSL_new(qs->sslctx); - bio = BIO_new(create_bio_method()); - /* supposedly this can fail too? */ - BIO_set_data(bio, qs); - SSL_set_bio(qs->ssl, bio, bio); SSL_set_app_data(qs->ssl, qs); SSL_set_connect_state(qs->ssl); - SSL_set_msg_callback(qs->ssl, ssl_msg_cb); - SSL_set_msg_callback_arg(qs->ssl, qs); - SSL_set_key_callback(qs->ssl, ssl_key_cb, qs); switch(qs->version) { #ifdef NGTCP2_PROTO_VER @@ -663,107 +321,17 @@ static int quic_init_ssl(struct quicsocket *qs) return 0; } -static int quic_tls_handshake(struct quicsocket *qs, - bool resumption, - bool initial) -{ - int rv; - ERR_clear_error(); - - /* Note that SSL_SESSION_get_max_early_data() and - SSL_get_max_early_data() return completely different value. */ - if(initial && resumption && - SSL_SESSION_get_max_early_data(SSL_get_session(qs->ssl))) { - size_t nwrite; - /* OpenSSL returns error if SSL_write_early_data is called when resumption - is not attempted. Sending empty string is a trick to just early_data - extension. */ - rv = SSL_write_early_data(qs->ssl, "", 0, &nwrite); - if(rv == 0) { - int err = SSL_get_error(qs->ssl, rv); - switch(err) { - case SSL_ERROR_SSL: - fprintf(stderr, "TLS handshake error: %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return -1; - default: - fprintf(stderr, "TLS handshake error: %d\n", err); - return -1; - } - } - } - - rv = SSL_do_handshake(qs->ssl); - if(rv <= 0) { - int err = SSL_get_error(qs->ssl, rv); - switch(err) { - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - return 0; - case SSL_ERROR_SSL: - fprintf(stderr, "TLS handshake error: %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return -1; - default: - fprintf(stderr, "TLS handshake error: %d\n", err); - return -1; - } - } - - /* SSL_get_early_data_status works after handshake completes. */ - if(resumption && - SSL_get_early_data_status(qs->ssl) != SSL_EARLY_DATA_ACCEPTED) { - fprintf(stderr, "Early data was rejected by server\n"); - ngtcp2_conn_early_data_rejected(qs->qconn); - } - - ngtcp2_conn_handshake_completed(qs->qconn); - return 0; -} - static int cb_initial(ngtcp2_conn *quic, void *user_data) { struct quicsocket *qs = (struct quicsocket *)user_data; - (void)quic; - if(quic_tls_handshake(qs, false, true) != 0) + + if(ngtcp2_crypto_read_write_crypto_data( + quic, qs->ssl, NGTCP2_CRYPTO_LEVEL_INITIAL, NULL, 0) != 0) return NGTCP2_ERR_CALLBACK_FAILURE; + return 0; } -static int quic_read_tls(struct quicsocket *qs) -{ - uint8_t buf[4096]; - size_t nread; - - ERR_clear_error(); - for(;;) { - int err; - int rv = SSL_read_ex(qs->ssl, buf, sizeof(buf), &nread); - if(rv == 1) { -#ifdef DEBUG_NGTCP2 - infof(qs->conn->data, "Read %zd bytes from TLS crypto stream", - nread); -#endif - continue; - } - err = SSL_get_error(qs->ssl, 0); - switch(err) { - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - return 0; - case SSL_ERROR_SSL: - case SSL_ERROR_ZERO_RETURN: - infof(qs->conn->data, "TLS read error: %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return NGTCP2_ERR_CRYPTO; - default: - infof(qs->conn->data, "TLS read error: %d\n", err); - return NGTCP2_ERR_CRYPTO; - } - } - /* NEVER-REACHED */ -} - static int cb_recv_crypto_data(ngtcp2_conn *tconn, ngtcp2_crypto_level crypto_level, uint64_t offset, @@ -772,25 +340,18 @@ cb_recv_crypto_data(ngtcp2_conn *tconn, ngtcp2_crypto_level crypto_level, { struct quicsocket *qs = (struct quicsocket *)user_data; (void)offset; - (void)crypto_level; - write_server_handshake(qs, data, datalen); - - if(!ngtcp2_conn_get_handshake_completed(tconn) && - quic_tls_handshake(qs, false, false)) { + if(ngtcp2_crypto_read_write_crypto_data(tconn, qs->ssl, crypto_level, data, + datalen) != 0) return NGTCP2_ERR_CRYPTO; - } - /* SSL_do_handshake() might not consume all data (e.g., - NewSessionTicket). */ - return quic_read_tls(qs); + return 0; } static int cb_handshake_completed(ngtcp2_conn *tconn, void *user_data) { struct quicsocket *qs = (struct quicsocket *)user_data; (void)tconn; - qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_APP; infof(qs->conn->data, "QUIC handshake is completed\n"); return 0; @@ -802,16 +363,17 @@ static int cb_in_encrypt(ngtcp2_conn *tconn, uint8_t *dest, size_t noncelen, const uint8_t *ad, size_t adlen, void *user_data) { - struct quicsocket *qs = (struct quicsocket *)user_data; - int nwrite = Curl_qc_encrypt(dest, plaintext, plaintextlen, - &qs->hs_crypto_ctx, - key, nonce, noncelen, ad, adlen); - if(nwrite < 0) { - return NGTCP2_ERR_CALLBACK_FAILURE; - } + ngtcp2_crypto_ctx crypto_ctx; (void)tconn; + (void)user_data; - return nwrite; + ngtcp2_crypto_ctx_initial(&crypto_ctx); + + if(ngtcp2_crypto_encrypt(dest, &crypto_ctx.aead, plaintext, plaintextlen, + key, nonce, noncelen, ad, adlen) != 0) + return NGTCP2_ERR_CALLBACK_FAILURE; + + return 0; } static int cb_in_decrypt(ngtcp2_conn *tconn, uint8_t *dest, @@ -820,11 +382,16 @@ static int cb_in_decrypt(ngtcp2_conn *tconn, uint8_t *dest, size_t noncelen, const uint8_t *ad, size_t adlen, void *user_data) { - struct quicsocket *qs = (struct quicsocket *)user_data; + ngtcp2_crypto_ctx crypto_ctx; (void)tconn; - return Curl_qc_decrypt(dest, ciphertext, ciphertextlen, - &qs->hs_crypto_ctx, key, - nonce, noncelen, ad, adlen); + (void)user_data; + + ngtcp2_crypto_ctx_initial(&crypto_ctx); + if(ngtcp2_crypto_decrypt(dest, &crypto_ctx.aead, ciphertext, ciphertextlen, + key, nonce, noncelen, ad, adlen) != 0) + return NGTCP2_ERR_TLS_DECRYPT; + + return 0; } @@ -837,14 +404,13 @@ static int cb_encrypt_data(ngtcp2_conn *tconn, void *user_data) { struct quicsocket *qs = (struct quicsocket *)user_data; - int rc; (void)tconn; - rc = Curl_qc_encrypt(dest, plaintext, plaintextlen, - &qs->crypto_ctx, - key, nonce, noncelen, ad, adlen); - if(rc < 0) + + if(ngtcp2_crypto_encrypt(dest, &qs->crypto_ctx.aead, plaintext, plaintextlen, + key, nonce, noncelen, ad, adlen) != 0) return NGTCP2_ERR_CALLBACK_FAILURE; - return rc; + + return 0; } static int cb_decrypt_data(ngtcp2_conn *tconn, uint8_t *dest, @@ -855,13 +421,14 @@ static int cb_decrypt_data(ngtcp2_conn *tconn, uint8_t *dest, void *user_data) { struct quicsocket *qs = (struct quicsocket *)user_data; - int rc; (void)tconn; - rc = Curl_qc_decrypt(dest, ciphertext, ciphertextlen, - &qs->crypto_ctx, key, nonce, noncelen, ad, adlen); - if(rc < 0) + + if(ngtcp2_crypto_decrypt(dest, &qs->crypto_ctx.aead, ciphertext, + ciphertextlen, key, nonce, noncelen, ad, + adlen) != 0) return NGTCP2_ERR_TLS_DECRYPT; - return rc; + + return 0; } static int cb_recv_stream_data(ngtcp2_conn *tconn, int64_t stream_id, @@ -974,15 +541,16 @@ static int cb_in_hp_mask(ngtcp2_conn *tconn, uint8_t *dest, const uint8_t *key, const uint8_t *sample, void *user_data) { - struct quicsocket *qs = (struct quicsocket *)user_data; - int nwrite; + ngtcp2_crypto_ctx crypto_ctx; (void)tconn; + (void)user_data; - nwrite = Curl_qc_hp_mask(dest, &qs->hs_crypto_ctx, key, sample); - if(nwrite < 0) + ngtcp2_crypto_ctx_initial(&crypto_ctx); + + if(ngtcp2_crypto_hp_mask(dest, &crypto_ctx.hp, key, sample) != 0) return NGTCP2_ERR_CALLBACK_FAILURE; - return nwrite; + return 0; } static int cb_hp_mask(ngtcp2_conn *tconn, uint8_t *dest, @@ -990,14 +558,12 @@ static int cb_hp_mask(ngtcp2_conn *tconn, uint8_t *dest, void *user_data) { struct quicsocket *qs = (struct quicsocket *)user_data; - int nwrite; (void)tconn; - nwrite = Curl_qc_hp_mask(dest, &qs->crypto_ctx, key, sample); - if(nwrite < 0) + if(ngtcp2_crypto_hp_mask(dest, &qs->crypto_ctx.hp, key, sample) != 0) return NGTCP2_ERR_CALLBACK_FAILURE; - return nwrite; + return 0; } static int cb_extend_max_local_streams_bidi(ngtcp2_conn *tconn, @@ -1101,6 +667,9 @@ CURLcode Curl_quic_connect(struct connectdata *conn, struct quicsocket *qs = &conn->hequic[sockindex]; char ipbuf[40]; long port; + uint8_t paramsbuf[64]; + ngtcp2_transport_params params; + ssize_t nwrite; (void)addrlen; qs->conn = conn; @@ -1136,9 +705,6 @@ CURLcode Curl_quic_connect(struct connectdata *conn, quic_settings(&qs->settings); - qs->tx_crypto_level = NGTCP2_CRYPTO_LEVEL_INITIAL; - qs->rx_crypto_level = NGTCP2_CRYPTO_LEVEL_INITIAL; - qs->local_addrlen = sizeof(qs->local_addr); rv = getsockname(sockfd, (struct sockaddr *)&qs->local_addr, &qs->local_addrlen); @@ -1159,6 +725,20 @@ CURLcode Curl_quic_connect(struct connectdata *conn, if(rc) return CURLE_FAILED_INIT; /* TODO: create a QUIC error code */ + ngtcp2_conn_get_local_transport_params(qs->qconn, ¶ms); + nwrite = ngtcp2_encode_transport_params( + paramsbuf, sizeof(paramsbuf), NGTCP2_TRANSPORT_PARAMS_TYPE_CLIENT_HELLO, + ¶ms); + if(nwrite < 0) { + fprintf(stderr, "ngtcp2_encode_transport_params: %s\n", + ngtcp2_strerror((int)nwrite)); + + return CURLE_FAILED_INIT; + } + + if(!SSL_set_quic_transport_params(qs->ssl, paramsbuf, nwrite)) + return CURLE_FAILED_INIT; + rc = setup_initial_crypto_context(qs); if(rc) return CURLE_FAILED_INIT; /* TODO: better return code */ diff --git a/lib/vquic/ngtcp2.h b/lib/vquic/ngtcp2.h index 4937fe1e9..19987db94 100644 --- a/lib/vquic/ngtcp2.h +++ b/lib/vquic/ngtcp2.h @@ -27,9 +27,9 @@ #ifdef USE_NGTCP2 #include +#include #include #include -#include "ngtcp2-crypto.h" struct quic_handshake { char *buf; /* pointer to the buffer */ @@ -47,14 +47,10 @@ struct quicsocket { ngtcp2_settings settings; SSL_CTX *sslctx; SSL *ssl; - struct Context crypto_ctx; - struct Context hs_crypto_ctx; - struct quic_handshake handshake; + ngtcp2_crypto_ctx crypto_ctx; struct quic_handshake client_crypto_data[3]; /* the last TLS alert description generated by the local endpoint */ uint8_t tls_alert; - ngtcp2_crypto_level tx_crypto_level; - ngtcp2_crypto_level rx_crypto_level; struct sockaddr_storage local_addr; socklen_t local_addrlen;