QUIC: Add internal APIs for white-box testing of key update

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21029)
2025-04-06 20:20:50 +08:00 · 2023-05-23 12:23:06 +01:00 · 2023-05-23 12:23:06 +01:00 · 16f3b542f8
commit 16f3b542f8
parent 48120ea5e3
7 changed files with 75 additions and 2 deletions
--- a/include/internal/quic_channel.h
+++ b/include/internal/quic_channel.h
@ -330,6 +330,14 @@ void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL *ch,
 void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
                                            void *msg_callback_arg);

+/* Testing use only - sets a TXKU threshold packet count override value. */
+void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
+                                                   uint64_t tx_pkt_threshold);
+
+/* Testing use only - gets current 1-RTT key epochs for QTX and QRX. */
+uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch);
+uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch);
+
 # endif

 #endif
--- a/include/internal/quic_record_tx.h
+++ b/include/internal/quic_record_tx.h
@ -362,6 +362,12 @@ uint64_t ossl_qtx_get_cur_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);
 */
 uint64_t ossl_qtx_get_max_epoch_pkt_count(OSSL_QTX *qtx, uint32_t enc_level);

+/*
+ * Get the 1-RTT EL key epoch number for the QTX. This is intended for
+ * diagnostic purposes. Returns 0 if 1-RTT EL is not provisioned yet.
+ */
+uint64_t ossl_qtx_get_key_epoch(OSSL_QTX *qtx);
+
 # endif

 #endif
--- a/include/internal/quic_ssl.h
+++ b/include/internal/quic_ssl.h
@ -14,6 +14,7 @@
 # include <openssl/bio.h>
 # include "internal/quic_record_rx.h" /* OSSL_QRX */
 # include "internal/quic_ackm.h"      /* OSSL_ACKM */
+# include "internal/quic_channel.h"   /* QUIC_CHANNEL */

 # ifndef OPENSSL_NO_QUIC

@ -108,6 +109,9 @@ int ossl_quic_conn_set_override_now_cb(SSL *s,
 */
 void ossl_quic_conn_force_assist_thread_wake(SSL *s);

+/* For use by tests only. */
+QUIC_CHANNEL *ossl_quic_conn_get_channel(SSL *s);
+
 # endif

 #endif
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@ -296,6 +296,7 @@ static int ch_init(QUIC_CHANNEL *ch)
    ch->max_idle_timeout        = QUIC_DEFAULT_IDLE_TIMEOUT;
    ch->tx_enc_level            = QUIC_ENC_LEVEL_INITIAL;
    ch->rx_enc_level            = QUIC_ENC_LEVEL_INITIAL;
+    ch->txku_threshold_override = UINT64_MAX;

    /*
     * Determine the QUIC Transport Parameters and serialize the transport
@ -595,14 +596,18 @@ static int txku_recommendable(QUIC_CHANNEL *ch)
 QUIC_NEEDS_LOCK
 static int txku_desirable(QUIC_CHANNEL *ch)
 {
-    uint64_t cur_pkt_count, max_pkt_count;
+    uint64_t cur_pkt_count, max_pkt_count, thresh_pkt_count;
    const uint32_t enc_level = QUIC_ENC_LEVEL_1RTT;

    /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
    cur_pkt_count = ossl_qtx_get_cur_epoch_pkt_count(ch->qtx, enc_level);
    max_pkt_count = ossl_qtx_get_max_epoch_pkt_count(ch->qtx, enc_level);

-    return cur_pkt_count >= max_pkt_count / 2;
+    thresh_pkt_count = max_pkt_count / 2;
+    if (ch->txku_threshold_override != UINT64_MAX)
+        thresh_pkt_count = ch->txku_threshold_override;
+
+    return cur_pkt_count >= thresh_pkt_count;
 }

 QUIC_NEEDS_LOCK
@ -2858,3 +2863,19 @@ void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
    ossl_quic_tx_packetiser_set_msg_callback_arg(ch->txp, msg_callback_arg);
    ossl_qrx_set_msg_callback_arg(ch->qrx, msg_callback_arg);
 }
+
+void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
+                                                   uint64_t tx_pkt_threshold)
+{
+    ch->txku_threshold_override = tx_pkt_threshold;
+}
+
+uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch)
+{
+    return ossl_qtx_get_key_epoch(ch->qtx);
+}
+
+uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch)
+{
+    return ossl_qrx_get_key_epoch(ch->qrx);
+}
--- a/ssl/quic/quic_channel_local.h
+++ b/ssl/quic/quic_channel_local.h
@ -193,6 +193,14 @@ struct quic_channel_st {
     */
    uint64_t                        incoming_stream_auto_reject_aec;

+    /*
+     * Override packet count threshold at which we do a spontaneous TXKU.
+     * Usually UINT64_MAX in which case a suitable value is chosen based on AEAD
+     * limit advice from the QRL utility functions. This is intended for testing
+     * use only. Usually set to UINT64_MAX.
+     */
+    uint64_t                        txku_threshold_override;
+
    /* Valid if we are in the TERMINATING or TERMINATED states. */
    QUIC_TERMINATE_CAUSE            terminate_cause;

--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@ -2746,3 +2746,18 @@ const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u)
 {
    return NULL;
 }
+
+/*
+ * Internal Testing APIs
+ * =====================
+ */
+
+QUIC_CHANNEL *ossl_quic_conn_get_channel(SSL *s)
+{
+    QCTX ctx;
+
+    if (!expect_quic_conn_only(s, &ctx))
+        return NULL;
+
+    return ctx.qc->ch;
+}
--- a/ssl/quic/quic_record_tx.c
+++ b/ssl/quic/quic_record_tx.c
@ -1014,3 +1014,14 @@ void ossl_qtx_set_msg_callback_arg(OSSL_QTX *qtx, void *msg_callback_arg)
 {
    qtx->msg_callback_arg = msg_callback_arg;
 }
+
+uint64_t ossl_qtx_get_key_epoch(OSSL_QTX *qtx)
+{
+    OSSL_QRL_ENC_LEVEL *el;
+
+    el = ossl_qrl_enc_level_set_get(&qtx->el_set, QUIC_ENC_LEVEL_1RTT, 1);
+    if (el == NULL)
+        return 0;
+
+    return el->key_epoch;
+}