author | jsing <> | 2022-07-24 14:28:16 +0000 |
committer | jsing <> | 2022-07-24 14:28:16 +0000 |
commit | f7f7655b1951f8dd9a8166cb6203a780f911d0bc (patch) | |
tree | f814f798e3d47e53e29dfd4db0eece8481fc97ad /src/lib/libssl/tls13_lib.c | |
parent | c804d574e337158da589e90dc9cbb13d6ffde44f (diff) | |
Provide record layer callbacks for QUIC.
QUIC uses TLS to complete the handshake; however, unlike normal TLS it does
not use the TLS record layer and instead provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.
ok tb@
Diffstat (limited to 'src/lib/libssl/tls13_lib.c')
-rw-r--r-- | src/lib/libssl/tls13_lib.c | 23 |
1 files changed, 14 insertions, 9 deletions
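--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.69 2022/07/24 14:19:45 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -103,7 +103,7 @@ tls13_cipher_hash(const SSL_CIPHER *cipher)
 return NULL;
 }
 
-static void
+void
 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
 {
 struct tls13_ctx *ctx = arg;
@@ -132,7 +132,7 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
 SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
 }
 
-static void
+void
 tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
 {
 struct tls13_ctx *ctx = arg;
@@ -328,7 +328,7 @@ tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
 return tls13_send_alert(ctx->rl, alert);
 }
 
-static ssize_t
+ssize_t
 tls13_phh_received_cb(void *cb_arg)
 {
 ssize_t ret = TLS13_IO_FAILURE;
@@ -369,7 +369,7 @@ tls13_phh_received_cb(void *cb_arg)
 return ret;
 }
 
-static void
+void
 tls13_phh_done_cb(void *cb_arg)
 {
 struct tls13_ctx *ctx = cb_arg;
@@ -380,10 +380,11 @@ tls13_phh_done_cb(void *cb_arg)
 }
 }
 
-static const struct tls13_record_layer_callbacks rl_callbacks = {
+static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
 .wire_read = tls13_legacy_wire_read_cb,
 .wire_write = tls13_legacy_wire_write_cb,
 .wire_flush = tls13_legacy_wire_flush_cb,
+
 .alert_recv = tls13_alert_received_cb,
 .alert_sent = tls13_alert_sent_cb,
 .phh_recv = tls13_phh_received_cb,
@@ -402,7 +403,7 @@ tls13_ctx_new(int mode, SSL *ssl)
 ctx->mode = mode;
 ctx->ssl = ssl;
 
-if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
+if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
 goto err;
 
 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
@@ -410,11 +411,15 @@ tls13_ctx_new(int mode, SSL *ssl)
 ctx->info_cb = tls13_legacy_info_cb;
 ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
 
-if (!SSL_is_quic(ssl))
-ctx->middlebox_compat = 1;
+ctx->middlebox_compat = 1;
 
 ssl->internal->tls13 = ctx;
 
+if (SSL_is_quic(ssl)) {
+if (!tls13_quic_init(ctx))
+goto err;
+}
+
 return ctx;
 
 err: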
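Review bot: `ssl->internal->tls13 = ctx;` in the last hunk of tls13_ctx_new is now followed by a failure path, because `tls13_quic_init(ctx)` can `goto err` after the context has already been published on the SSL object; the `err` label and tls13_quic_init are outside the hunk, but if that label frees ctx (as the earlier `goto err` after `tls13_record_layer_new` suggests), a failed QUIC setup leaves the SSL holding a pointer to a freed tls13 context that a retried handshake or SSL_free could reach. Moving the `if (SSL_is_quic(ssl)) { ... }` block above `ssl->internal->tls13 = ctx;` publishes the context only once it is fully initialised; alternatively the error path could clear it with `ssl->internal->tls13 = NULL;`. Separately, `ctx->middlebox_compat = 1;` is now set unconditionally for QUIC as well and nothing in the hunk shows where it is undone, so a comment such as `/* tls13_quic_init() is expected to override middlebox_compat for QUIC */` would spare the next reader a trip into that function (presumed, not visible here). The body of tls13_ctx_new begins before this hunk.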