Skip to content

Commit

Permalink
deps: various quic patches from akamai/openssl
Browse files Browse the repository at this point in the history
Add support for BoringSSL QUIC APIs

This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68
on the master-quic-support2 branch (2019-10-07)
Which was a rebase/squash of master-quic-support:

* 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support)
* 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short
* 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short
* a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short
* 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short
* f550eca Add client early traffic secret storage - Todd Short/Todd Short
* 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short
* f97e6a9 Don't process an incomplete message - Todd Short/Todd Short
* 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short
* 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short
* 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short
* bd290ab Fix duplicate word in docs - Todd Short/Todd Short
* 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short
* a472a8d Handle partial handshake messages - Todd Short/Todd Short
* 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short
* b03fee6 Use proper secrets for handshake - Todd Short/Todd Short
* 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short
* 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short
* abb6f39 New method to get QUIC secret length - Todd Short/Todd Short
* 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short

This adds a compatible API for BoringSSL's QUIC support, based
on the current |draft-ietf-quic-tls|.

Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe
Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a
Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8
Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81
Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b
Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d
Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03
Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942
Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37

New method to get QUIC secret length

Make temp secret names less confusing

Move QUIC transport params to encrypted extensions

Use proper secrets for handshake

fixup! Use proper secrets for handshake

Handle partial handshake messages

fixup! Handle partial handshake messages

Fix duplicate word in docs

Fix INSTALL nit.

Fix quic_transport constructors/parsers

Reset init state in SSL_process_quic_post_handshake()

Don't process an incomplete message

Quick fix: s2c to c2s for early secret

Add client early traffic secret storage

Add OPENSSL_NO_QUIC wrapper

Correctly disable middlebox compat

Move QUIC code out of tls13_change_cipher_state()

Create quic_change_cipher_state() that does the minimal required
to generate the QUIC secrets. (e.g. encryption contexts are not
initialized).

Tweeks to quic_change_cipher_state()

Add support for more secrets

Fix resumption secret

(cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d)

QUIC: Handle EndOfEarlyData and MaxEarlyData

QUIC: Increase HKDF_MAXBUF to 2048

Fall-through for 0RTT

Some cleanup for the main QUIC changes

Try to reduce unneeded whitespace changes and wrap new code to 80 columns.
Reword documentation to attempt to improve clarity.
Add some more sanity checks and clarifying comments to the code.
Update referenced I-D versions.

Prevent KeyUpdate for QUIC

QUIC does not use the TLS KeyUpdate message/mechanism, and indeed
it is an error to generate or receive such a message.  Add the
necessary checks (noting that the check for receipt should be
redundant since SSL_provide_quic_data() is the only way to provide
input to the TLS layer for a QUIC connection).

Test KeyUpdate rejection

For now, just test that we don't generate any, since we don't really
expose the mechanics for encrypting one and the QUIC API is not
integrated into the TLSProxy setup.

Fix out-of-bounds read when TLS msg is split up into multiple chunks

Previously, SSL_provide_quic_data tried to handle this kind of
situation, but it failed when the length of input data is less than
SSL3_HM_HEADER_LENGTH.  If that happens, the code might get wrong
message length by reading value from out-of-bounds region.

Revert "Fix out-of-bounds read when TLS msg is split up into multiple chunks"

This reverts commit 18f993cbdae498111c94a075fd9b115bd8367574.

Test HKDF with empty IKM

Add an extra EVP test that provides empty input key material.
It currently fails, since attempting to set a zero-length key
on an EVP_PKEY_CTX results in a call to OPENSSL_memdup() with
length zero, which returns NULL and is detected as failure.

Allow zero-length HKDF keys

When making a copy to keep in the EVP_PKEY_CTX, allocate a single
byte for the cached key instead of letting memdup return NULL
and cause the call to fail.  The length still gets set to zero
properly, so we don't end up inspecting the allocated byte, but
it's important to have a non-NULL pointer set.

Buffer all provided quic data

Make all data supplied via SSL_provide_quic_data() pass through an
internal buffer, so that we can handle data supplied with arbitrary
framing and only parse complete TLS records onto the list of QUIC_DATA
managed by quic_input_data_head/quic_input_data_tail.

This lets us remove the concept of "incomplete" QUIC_DATA structures,
and the 'offset' field needed to support them.

However, we've already moved the provided data onto the buffer by
the time we can check for KeyUpdate messages, so defer that check
to quic_get_message() (where it is adjacent to the preexisting
ChangeCipherSpec check).

To avoid extra memory copies, we also make the QUIC_DATA structures
just store offsets into the consolidated buffer instead of having copies
of the TLS handshake messages themselves.

enforce consistent encryption level for handshake messages

The QUIC-TLS spec requires that TLS handshake messages do not cross
encryption level boundaries, but we were not previously enforcing this.

PR-URL: #36520
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
  • Loading branch information
tmshort authored and targos committed Dec 21, 2020
1 parent 27fb651 commit 309e297
Show file tree
Hide file tree
Showing 35 changed files with 1,532 additions and 33 deletions.
3 changes: 3 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,9 @@

Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

*) Implement BoringSSL's QUIC API
[Todd Short]

*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
Expand Down
3 changes: 3 additions & 0 deletions deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,7 @@ my @disablables = (
"poly1305",
"posix-io",
"psk",
"quic",
"rc2",
"rc4",
"rc5",
Expand Down Expand Up @@ -517,6 +518,8 @@ my @disable_cascades = (
sub { !$disabled{"unit-test"} } => [ "heartbeats" ],

sub { !$disabled{"msan"} } => [ "asm" ],

"tls1_3" => [ "quic" ],
);

# Avoid protocol support holes. Also disable all versions below N, if version
Expand Down
3 changes: 3 additions & 0 deletions deps/openssl/openssl/INSTALL
Original file line number Diff line number Diff line change
Expand Up @@ -456,6 +456,9 @@
no-psk
Don't build support for Pre-Shared Key based ciphersuites.

no-quic
Don't build with support for QUIC.

no-rdrand
Don't use hardware RDRAND capabilities.

Expand Down
20 changes: 19 additions & 1 deletion deps/openssl/openssl/crypto/err/openssl.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1183,7 +1183,7 @@ SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE:431:*
SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
ossl_statem_server_post_process_message
SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
Expand All @@ -1192,6 +1192,9 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names
SSL_F_PITEM_NEW:624:pitem_new
SSL_F_PQUEUE_NEW:625:pqueue_new
SSL_F_PROCESS_KEY_SHARE_EXT:439:*
SSL_F_QUIC_CHANGE_CIPHER_STATE:639:quic_change_cipher_state
SSL_F_QUIC_GET_MESSAGE:641:quic_get_message
SSL_F_QUIC_SET_ENCRYPTION_SECRETS:642:quic_set_encryption_secrets
SSL_F_READ_STATE_MACHINE:352:read_state_machine
SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite
SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET:595:srp_generate_client_master_secret
Expand All @@ -1202,7 +1205,9 @@ SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm
SSL_F_SSL3_CTRL:213:ssl3_ctrl
SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl
SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records
SSL_F_SSL3_DISPATCH_ALERT:643:ssl3_dispatch_alert
SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec
SSL_F_SSL3_DO_WRITE:644:ssl3_do_write
SSL_F_SSL3_ENC:608:ssl3_enc
SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac
SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac
Expand Down Expand Up @@ -1310,6 +1315,8 @@ SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT:311:*
SSL_F_SSL_PEEK:270:SSL_peek
SSL_F_SSL_PEEK_EX:432:SSL_peek_ex
SSL_F_SSL_PEEK_INTERNAL:522:ssl_peek_internal
SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE:645:SSL_process_quic_post_handshake
SSL_F_SSL_PROVIDE_QUIC_DATA:646:SSL_provide_quic_data
SSL_F_SSL_READ:223:SSL_read
SSL_F_SSL_READ_EARLY_DATA:529:SSL_read_early_data
SSL_F_SSL_READ_EX:434:SSL_read_ex
Expand Down Expand Up @@ -1359,6 +1366,7 @@ SSL_F_SSL_WRITE_EARLY_DATA:526:SSL_write_early_data
SSL_F_SSL_WRITE_EARLY_FINISH:527:*
SSL_F_SSL_WRITE_EX:433:SSL_write_ex
SSL_F_SSL_WRITE_INTERNAL:524:ssl_write_internal
SSL_F_STATEM_FLUSH:647:statem_flush
SSL_F_STATE_MACHINE:353:state_machine
SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg
SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs
Expand Down Expand Up @@ -1422,6 +1430,8 @@ SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH:619:\
tls_construct_ctos_post_handshake_auth
SSL_F_TLS_CONSTRUCT_CTOS_PSK:501:tls_construct_ctos_psk
SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES:509:tls_construct_ctos_psk_kex_modes
SSL_F_TLS_CONSTRUCT_CTOS_QUIC_TRANSPORT_PARAMS:648:\
tls_construct_ctos_quic_transport_params
SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE:473:tls_construct_ctos_renegotiate
SSL_F_TLS_CONSTRUCT_CTOS_SCT:474:tls_construct_ctos_sct
SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME:475:tls_construct_ctos_server_name
Expand Down Expand Up @@ -1463,6 +1473,8 @@ SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE:456:tls_construct_stoc_key_share
SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN:548:tls_construct_stoc_maxfragmentlen
SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG:457:tls_construct_stoc_next_proto_neg
SSL_F_TLS_CONSTRUCT_STOC_PSK:504:tls_construct_stoc_psk
SSL_F_TLS_CONSTRUCT_STOC_QUIC_TRANSPORT_PARAMS:649:\
tls_construct_stoc_quic_transport_params
SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE:458:tls_construct_stoc_renegotiate
SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME:459:tls_construct_stoc_server_name
SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket
Expand Down Expand Up @@ -1491,6 +1503,8 @@ SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen
SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH:620:tls_parse_ctos_post_handshake_auth
SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk
SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes
SSL_F_TLS_PARSE_CTOS_QUIC_TRANSPORT_PARAMS:650:\
tls_parse_ctos_quic_transport_params
SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate
SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name
SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket
Expand All @@ -1509,6 +1523,8 @@ SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share
SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen
SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn
SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk
SSL_F_TLS_PARSE_STOC_QUIC_TRANSPORT_PARAMS:651:\
tls_parse_stoc_quic_transport_params
SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate
SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
Expand Down Expand Up @@ -2713,6 +2729,7 @@ SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn
SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni
SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms
SSL_R_INSUFFICIENT_SECURITY:241:insufficient security
SSL_R_INTERNAL_ERROR:295:internal error
SSL_R_INVALID_ALERT:205:invalid alert
SSL_R_INVALID_CCS_MESSAGE:260:invalid ccs message
SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg
Expand Down Expand Up @@ -2888,6 +2905,7 @@ SSL_R_VERSION_TOO_LOW:396:version too low
SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
SSL_R_WRONG_CURVE:378:wrong curve
SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED:296:wrong encryption level received
SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type
Expand Down
7 changes: 5 additions & 2 deletions deps/openssl/openssl/crypto/kdf/hkdf.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
#include "internal/cryptlib.h"
#include "crypto/evp.h"

#define HKDF_MAXBUF 1024
#define HKDF_MAXBUF 2048

static unsigned char *HKDF(const EVP_MD *evp_md,
const unsigned char *salt, size_t salt_len,
Expand Down Expand Up @@ -107,7 +107,10 @@ static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
if (kctx->key != NULL)
OPENSSL_clear_free(kctx->key, kctx->key_len);

kctx->key = OPENSSL_memdup(p2, p1);
if (p1 == 0)
kctx->key = OPENSSL_zalloc(1);
else
kctx->key = OPENSSL_memdup(p2, p1);
if (kctx->key == NULL)
return 0;

Expand Down
13 changes: 13 additions & 0 deletions deps/openssl/openssl/doc/man3/SSL_CIPHER_get_name.pod
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ SSL_CIPHER_get_digest_nid,
SSL_CIPHER_get_handshake_digest,
SSL_CIPHER_get_kx_nid,
SSL_CIPHER_get_auth_nid,
SSL_CIPHER_get_prf_nid,
SSL_CIPHER_is_aead,
SSL_CIPHER_find,
SSL_CIPHER_get_id,
Expand All @@ -34,6 +35,7 @@ SSL_CIPHER_get_protocol_id
const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
Expand Down Expand Up @@ -91,6 +93,15 @@ TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive)
NID_auth_ecdsa
NID_auth_psk

SSL_CIPHER_get_prf_nid() retuns the pseudo-random function NID for B<c>. If B<c> is
a pre-TLS-1.2 cipher, it returns B<NID_md5_sha1> but note these ciphers use
SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
applicable versions. Examples (not comprehensive):

NID_md5_sha1
NID_sha256
NID_sha384

SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
ChaCha20/Poly1305), and 0 if it is not AEAD.

Expand Down Expand Up @@ -201,6 +212,8 @@ required to enable this function.

The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.

The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.

=head1 COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Expand Down
Loading

0 comments on commit 309e297

Please sign in to comment.