From c21e213b97098a1545248adc1681877cb1fc87ce Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 3 Jan 2025 15:57:47 +0000
Subject: [PATCH] Enable the quic-tls API to work, even in the case of no-quic
Reviewed-by: Tim Hudson
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26683)
---
 include/internal/quic_predef.h | 1 -
 include/internal/quic_tls.h | 7 +-----
 ssl/build.info | 6 +----
 ssl/quic/build.info | 44 ++++++++++++++++++----------------
 ssl/quic/quic_channel_local.h | 1 +
 ssl/quic/quic_tls.c | 41 +++++++++++++++++++++----------
 ssl/quic/quic_tls_api.c | 2 +-
 ssl/ssl_local.h | 1 +
 test/sslapitest.c | 6 ++---
 9 files changed, 61 insertions(+), 48 deletions(-)
diff --git a/include/internal/quic_predef.h b/include/internal/quic_predef.h
index 7c7567b9c5..07d6f43e78 100644
--- a/include/internal/quic_predef.h
+++ b/include/internal/quic_predef.h
@@ -14,7 +14,6 @@
 typedef struct quic_port_st QUIC_PORT;
 typedef struct quic_channel_st QUIC_CHANNEL;
-typedef struct quic_tls_st QUIC_TLS;
 typedef struct quic_txpim_st QUIC_TXPIM;
 typedef struct quic_fifd_st QUIC_FIFD;
 typedef struct quic_cfq_st QUIC_CFQ;
diff --git a/include/internal/quic_tls.h b/include/internal/quic_tls.h
index 70a99a294c..5e53a45d52 100644
--- a/include/internal/quic_tls.h
+++ b/include/internal/quic_tls.h
@@ -11,10 +11,8 @@
 # define OSSL_QUIC_TLS_H
 # include
-# include "internal/quic_stream.h"
-# include "internal/quic_predef.h"
-# ifndef OPENSSL_NO_QUIC
+typedef struct quic_tls_st QUIC_TLS;
 typedef struct quic_tls_args_st {
 /*
@@ -44,7 +42,6 @@ typedef struct quic_tls_args_st {
 int (*crypto_release_rcd_cb)(size_t bytes_read, void *arg);
 void *crypto_release_rcd_cb_arg;
-
 /*
 * Called when a traffic secret is available for a given TLS protection
 * level.
@@ -111,6 +108,4 @@ int ossl_quic_tls_get_error(QUIC_TLS *qtls,
 int ossl_quic_tls_is_cert_request(QUIC_TLS *qtls);
 int ossl_quic_tls_has_bad_max_early_data(QUIC_TLS *qtls);
-# endif
-
 #endif
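Review bot: With the `# ifndef OPENSSL_NO_QUIC` / `# endif` pair removed from quic_tls.h, every prototype in this header is now visible in no-quic builds, yet the quic_tls.c hunk later in this patch compiles `ossl_quic_tls_tick` only under `#ifndef OPENSSL_NO_QUIC`; presumably its prototype lives in the unchanged part of this header, so a call to it from no-quic code would fail only at link time. Wrapping that prototype (and any other whose definition is now guarded) in the same `#ifndef OPENSSL_NO_QUIC` in the header would turn such a call into a compile error, and a comment such as `/* Only available when QUIC is enabled; QUIC_TLS itself is usable without it via the external QUIC TLS API */` next to it would document the split. The prototypes in question are outside the visible hunks.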
diff --git a/ssl/build.info b/ssl/build.info
index adfc966379..3443bf2818 100644
--- a/ssl/build.info
+++ b/ssl/build.info
@@ -1,11 +1,7 @@
-SUBDIRS=record rio
+SUBDIRS=record rio quic
 LIBS=../libssl
-IF[{- !$disabled{quic} -}]
- SUBDIRS=quic
-ENDIF
-
 SOURCE[../libssl]=\
 pqueue.c \
 statem/statem_srvr.c statem/statem_clnt.c s3_lib.c s3_enc.c \
diff --git a/ssl/quic/build.info b/ssl/quic/build.info
index 88ddc5363b..2eecafe6b3 100644
--- a/ssl/quic/build.info
+++ b/ssl/quic/build.info
@@ -1,24 +1,28 @@
 $LIBSSL=../../libssl
-SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c
-SOURCE[$LIBSSL]=cc_newreno.c quic_demux.c quic_record_rx.c
-SOURCE[$LIBSSL]=quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c
-SOURCE[$LIBSSL]=quic_rx_depack.c
-SOURCE[$LIBSSL]=quic_fc.c uint_set.c
-SOURCE[$LIBSSL]=quic_cfq.c quic_txpim.c quic_fifd.c quic_txp.c
-SOURCE[$LIBSSL]=quic_stream_map.c
-SOURCE[$LIBSSL]=quic_sf_list.c quic_rstream.c quic_sstream.c
-SOURCE[$LIBSSL]=quic_reactor.c
-SOURCE[$LIBSSL]=quic_channel.c quic_port.c quic_engine.c
-SOURCE[$LIBSSL]=quic_tserver.c
+#QUIC TLS API is available even in the event of no-quic
 SOURCE[$LIBSSL]=quic_tls.c quic_tls_api.c
-SOURCE[$LIBSSL]=quic_thread_assist.c
-SOURCE[$LIBSSL]=quic_trace.c
-SOURCE[$LIBSSL]=quic_srtm.c quic_srt_gen.c
-SOURCE[$LIBSSL]=quic_lcidm.c quic_rcidm.c
-SOURCE[$LIBSSL]=quic_types.c
-SOURCE[$LIBSSL]=qlog_event_helpers.c
-IF[{- !$disabled{qlog} -}]
- SOURCE[$LIBSSL]=json_enc.c qlog.c
- SHARED_SOURCE[$LIBSSL]=../../crypto/getenv.c ../../crypto/ctype.c
+
+IF[{- !$disabled{quic} -}]
+ SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c
+ SOURCE[$LIBSSL]=cc_newreno.c quic_demux.c quic_record_rx.c
+ SOURCE[$LIBSSL]=quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c
+ SOURCE[$LIBSSL]=quic_rx_depack.c
+ SOURCE[$LIBSSL]=quic_fc.c uint_set.c
+ SOURCE[$LIBSSL]=quic_cfq.c quic_txpim.c quic_fifd.c quic_txp.c
+ SOURCE[$LIBSSL]=quic_stream_map.c
+ SOURCE[$LIBSSL]=quic_sf_list.c quic_rstream.c quic_sstream.c
+ SOURCE[$LIBSSL]=quic_reactor.c
+ SOURCE[$LIBSSL]=quic_channel.c quic_port.c quic_engine.c
+ SOURCE[$LIBSSL]=quic_tserver.c
+ SOURCE[$LIBSSL]=quic_thread_assist.c
+ SOURCE[$LIBSSL]=quic_trace.c
+ SOURCE[$LIBSSL]=quic_srtm.c quic_srt_gen.c
+ SOURCE[$LIBSSL]=quic_lcidm.c quic_rcidm.c
+ SOURCE[$LIBSSL]=quic_types.c
+ SOURCE[$LIBSSL]=qlog_event_helpers.c
+ IF[{- !$disabled{qlog} -}]
+ SOURCE[$LIBSSL]=json_enc.c qlog.c
+ SHARED_SOURCE[$LIBSSL]=../../crypto/getenv.c ../../crypto/ctype.c
+ ENDIF
 ENDIF
diff --git a/ssl/quic/quic_channel_local.h b/ssl/quic/quic_channel_local.h
index 16d96ef7d9..37219cadfe 100644
--- a/ssl/quic/quic_channel_local.h
+++ b/ssl/quic/quic_channel_local.h
@@ -10,6 +10,7 @@
 # include "internal/quic_predef.h"
 # include "internal/quic_fc.h"
 # include "internal/quic_stream_map.h"
+# include "internal/quic_tls.h"
 /*
 * QUIC Channel Structure
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c
index 5de711ab06..6cd656ea42 100644
--- a/ssl/quic/quic_tls.c
+++ b/ssl/quic/quic_tls.c
@@ -11,6 +11,7 @@
 #include "internal/quic_tls.h"
 #include "../ssl_local.h"
 #include "internal/quic_error.h"
+#include "internal/quic_types.h"
 #define QUIC_TLS_FATAL(rl, ad, err) \
 do { \
@@ -143,6 +144,7 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 qdir = 1;
 if (rl->qtls->args.ossl_quic) {
+#ifndef OPENSSL_NO_QUIC
 /*
 * We only look up the suite_id/MD for internal callers. Not used in the
 * public API. We assume that a 3rd party QUIC stack will want to
@@ -166,6 +168,10 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 goto err;
 }
+#else
+ if (!ossl_assert("Should not happen" == NULL))
+ goto err;
+#endif
 }
 if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
@@ -632,7 +638,7 @@ QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args)
 if (qtls == NULL)
 return NULL;
- if ((qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
+ if (args->ossl_quic && (qtls->error_state = OSSL_ERR_STATE_new()) == NULL) {
 OPENSSL_free(qtls);
 return NULL;
 }
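Review bot: The new `#else` arm in quic_new_record_layer reaches `goto err` straight after `ossl_assert`, without the `QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);` call that the `#ifndef OPENSSL_NO_QUIC` arm issues before its own `goto err`, so whatever QUIC_TLS_FATAL records (its body at the top of this file is outside the hunk) is skipped on this path. The arm is presumably unreachable, since `args.ossl_quic` should not be set in a no-quic build, but adding the same `QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);` line before `goto err;` keeps the two arms of the `#if` consistent and costs nothing. The `err` label and the remainder of quic_new_record_layer are outside the hunk.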
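Review bot: After the change to ossl_quic_tls_new, `qtls->error_state` stays NULL whenever `args->ossl_quic` is clear, so every other reader of that field must now tolerate NULL; raise_error is updated later in this patch, but `ossl_quic_tls_get_error` (declared in quic_tls.h) and the presumed free path are not in the visible hunks and should be checked. A short comment on the condition would make the new invariant explicit, e.g. `/* error_state exists only for the internal QUIC stack; it stays NULL for the external QUIC TLS API */`. The rest of ossl_quic_tls_new is outside the hunk.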
@@ -660,23 +666,27 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
 * with any underlying libssl errors underneath it (but our cover error may
 * be the only error in some cases). Then capture this into an ERR_STATE so
 * we can report it later if need be when the QUIC_CHANNEL asks for it.
+ * For external QUIC TLS we just raise the error.
 */
 ERR_new();
 ERR_set_debug(src_file, src_line, src_func);
 ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR,
 "handshake layer error, error code %llu (0x%llx) (\"%s\")",
 error_code, error_code, error_msg);
- OSSL_ERR_STATE_save_to_mark(qtls->error_state);
- /*
- * We record the error information reported via the QUIC protocol
- * separately.
- */
- qtls->error_code = error_code;
- qtls->error_msg = error_msg;
- qtls->inerror = 1;
+ if (qtls->args.ossl_quic) {
+ OSSL_ERR_STATE_save_to_mark(qtls->error_state);
- ERR_pop_to_mark();
+ /*
+ * We record the error information reported via the QUIC protocol
+ * separately.
+ */
+ qtls->error_code = error_code;
+ qtls->error_msg = error_msg;
+ qtls->inerror = 1;
+
+ ERR_pop_to_mark();
+ }
 return 0;
 }
@@ -684,8 +694,13 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
 raise_error((qtls), (error_code), (error_msg), \
 OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC)
-#define RAISE_INTERNAL_ERROR(qtls) \
+#ifndef OPENSSL_NO_QUIC
+# define RAISE_INTERNAL_ERROR(qtls) \
 RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
+#else
+# define RAISE_INTERNAL_ERROR(qtls) \
+ RAISE_ERROR((qtls), 0x01, "internal error")
+#endif
 int ossl_quic_tls_configure(QUIC_TLS *qtls)
 {
@@ -699,7 +714,7 @@ int ossl_quic_tls_configure(QUIC_TLS *qtls)
 if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
 qtls->args.is_server ? ENDPOINT_SERVER
- : ENDPOINT_CLIENT,
+ : ENDPOINT_CLIENT,
 TLSEXT_TYPE_quic_transport_parameters,
 SSL_EXT_TLS1_3_ONLY | SSL_EXT_CLIENT_HELLO
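Review bot: The no-quic definition of RAISE_INTERNAL_ERROR passes the bare literal `0x01` where the QUIC build passes `OSSL_QUIC_ERR_INTERNAL_ERROR`, presumably because that name is unavailable when `internal/quic_error.h` is compiled without QUIC even though the include at the top of this file is unconditional. Nothing on the line says what the number is, so a future edit to one definition can silently diverge from the other; the value is the QUIC INTERNAL_ERROR transport error code from RFC 9000 section 20.1, and the line should name it: `RAISE_ERROR((qtls), 0x01 /* QUIC INTERNAL_ERROR, RFC 9000 s. 20.1 */, "internal error")`. The macro is used by code outside the visible hunks.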
@@ -714,6 +729,7 @@ int ossl_quic_tls_configure(QUIC_TLS *qtls)
 return 1;
 }
+#ifndef OPENSSL_NO_QUIC
 int ossl_quic_tls_tick(QUIC_TLS *qtls)
 {
 int ret, err;
@@ -829,6 +845,7 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
 ERR_pop_to_mark();
 return 1;
 }
+#endif
 int ossl_quic_tls_set_transport_params(QUIC_TLS *qtls,
 const unsigned char *transport_params,
diff --git a/ssl/quic/quic_tls_api.c b/ssl/quic/quic_tls_api.c
index 504cfe3667..11b008c64e 100644
--- a/ssl/quic/quic_tls_api.c
+++ b/ssl/quic/quic_tls_api.c
@@ -139,7 +139,7 @@ int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg)
 }
 if (!tls_callbacks_from_dispatch(&sc->qtcb, qtdis))
- /* ERR_raise already called*/
+ /* ERR_raise already called */
 return 0;
 sc->qtarg = arg;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index ec8d934f32..45d898bc55 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -39,6 +39,7 @@
 # include "internal/cryptlib.h"
 # include "record/record.h"
 # include "internal/quic_predef.h"
+# include "internal/quic_tls.h"
 # ifdef OPENSSL_BUILD_SHLIBSSL
 # undef OPENSSL_EXTERN
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 9428c1f59d..373f4e6992 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -12403,7 +12403,7 @@ static int test_alpn(int idx)
 return testresult;
 }
-#if !defined(OPENSSL_NO_QUIC) && !defined(OSSL_NO_USABLE_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
 struct quic_tls_test_data {
 struct quic_tls_test_data *peer;
 uint32_t renc_level;
@@ -12622,7 +12622,7 @@ static int test_quic_tls(void)
 return testresult;
 }
-#endif /* !defined(OPENSSL_NO_QUIC) && !defined(OSSL_NO_USABLE_TLS1_3) */
+#endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
@@ -12946,7 +12946,7 @@ int setup_tests(void)
 ADD_ALL_TESTS(test_npn, 5);
 #endif
 ADD_ALL_TESTS(test_alpn, 4);
-#if !defined(OPENSSL_NO_QUIC) && !defined(OSSL_NO_USABLE_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
 ADD_TEST(test_quic_tls);
 #endif
 return 1;