OpenSSL 1.1.1v+quic rebase

CHANGES

@@ -646,6 +646,9 @@
 
  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 
+  *) Implement BoringSSL's QUIC API
+     [Todd Short]
+
   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
      number generator (RNG). This was intended to include protection in the
      event of a fork() system call in order to ensure that the parent and child

Configure

@@ -401,6 +401,7 @@ my @disablables = (
     "poly1305",
     "posix-io",
     "psk",
+    "quic",
     "rc2",
     "rc4",
     "rc5",
@@ -485,7 +486,7 @@ my @disable_cascades = (
     "ssl3-method"       => [ "ssl3" ],
     "zlib"              => [ "zlib-dynamic" ],
     "des"               => [ "mdc2" ],
-    "ec"                => [ "ecdsa", "ecdh" ],
+    "ec"                => [ "ecdsa", "ecdh", "quic" ],
 
     "dgram"             => [ "dtls", "sctp" ],
     "sock"              => [ "dgram" ],
@@ -514,6 +515,8 @@ my @disable_cascades = (
     "comp"              => [ "zlib" ],
     "ec"                => [ "tls1_3", "sm2" ],
     "sm3"               => [ "sm2" ],
+    "tls1_3"            => [ "quic" ],
+
     sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
 
     sub { !$disabled{"msan"} } => [ "asm" ],

INSTALL

@@ -457,6 +457,9 @@
   no-psk
                    Don't build support for Pre-Shared Key based ciphersuites.
 
+  no-quic
+                   Don't build with support for QUIC.
+
   no-rdrand
                    Don't use hardware RDRAND capabilities.
 

README.md

@@ -0,0 +1,105 @@
+What This Is
+============
+
+This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition
+to the website, the official source distribution is at
+<https://github.com/openssl/openssl>. The OpenSSL `README` can be found at
+[README-OpenSSL.md](https://github.com/quictls/openssl/blob/OpenSSL_1_1_1v%2Bquic/README-OpenSSL.md).
+
+This fork adds APIs that can be used by QUIC implementations for connection
+handshakes. Quoting the IETF Working group
+[charter](https://datatracker.ietf.org/wg/quic/about/), QUIC is a "UDP-based,
+stream-multiplexing, encrypted transport protocol." If you don't need QUIC, you
+should use the official OpenSSL distributions.
+
+The APIs here are used by Microsoft's
+[MsQuic](https://github.com/microsoft/msquic) and Google's
+[Chromium QUIC](https://chromium.googlesource.com/chromium/src/+/master/net/quic/)
+
+We are not in competition with OpenSSL project. We informed them of
+our plans to fork the code before we went public. We do not speak for the
+OpenSSL project, and can only point to a
+[blog post](https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/) and
+[openssl-project email](https://github.com/quictls/openssl/discussions/54)
+that provides their view of QUIC support.
+
+As stated in their blog post, the OpenSSL team is focused on their 3.0 release
+(released 2021-09-07), and does not intend to add QUIC functionality to 1.1.x.
+There is a community need for a QUIC-capable TLS library. This fork is intended
+as stopgap solution to enable higher level frameworks and runtimes to use QUIC
+with the proven and reliable TLS functionality from OpenSSL. This fork will be
+maintained until OpenSSL officially provides reasonable support for QUIC
+implementations.
+
+This fork can be considered a supported version of
+[OpenSSL PR 8797](https://github.com/openssl/openssl/pull/8797).
+We will endeavor to track OpenSSL releases within a day or so, and there is an
+item below about how we'll follow their tagging.
+
+On to the questions and answers.
+
+What about branches?
+--------------------
+We don't want to conflict with OpenSSL branch names. Our current plan is to append
+`+quic`. Release tags are likely to be the QUIC branch with `-releaseX` appended.
+For example, the OpenSSL tag `openssl-3.0.0` would have a branch named
+`openssl-3.0.0+quic` and a release tag of `openssl-3.0.0+quic-release1`.
+
+How are you keeping current with OpenSSL?
+-----------------------------------------
+(In other words, "What about rebasing?")
+
+Our plan is to always rebase on top of an upstream release tag. In particular:
+- The changes for QUIC will always be at the tip of the branch -- you will know what
+is from the original OpenSSL and what is for QUIC.
+- New versions are quickly created once upstream creates a new tag.
+- The use of git commands (such as "cherry") can be used to ensure that all changes
+have moved forward with minimal or no changes. You will be able to see "QUIC: Add X"
+on all branches and the commit itself will be nearly identical on all branches, and
+any changes to that can be easily identified.
+
+What about library names?
+-------------------------
+Library names will be the same, but will use a different version number. The version
+numbers for the current OpenSSL libraries are `1.1` (for the 1.1.0 and 1.1.1 branches)
+and `3` (for the 3.0 branch). We will be prefixing `81` (ASCII for 'Q') to
+the version numbers to generate a unique version number.
+
+- `libcrypto.so.81.3` vs `libcrypto.so.3`
+- `libcrypto.so.81.1.1` vs `libcrypto.so.1.1`
+- `libssl.so.81.3` vs `libssl.so.3`
+- `libssl.so.81.1.1` vs `libssl.so.1.1`
+
+The SONAME of these libraries are all different, guaranteeing the correct library
+will be used.
+
+...and the executable?
+----------------------
+We currently do not have any plans to change the name, mainly because we
+haven't made any changes there. If you see a need, please open an issue.
+
+The `openssl version` command will report that it is `+quic` enabled.
+
+...and FIPS?
+------------
+We are not doing anything with FIPS. This is actually good news: you should
+be able to load the OpenSSL 3.0 FIPS module into an application built against
+this fork and everything should Just Work&#8482;.
+
+How can I contribute?
+---------------------
+We want any code here to be acceptable to OpenSSL. This means that all contributors
+must have signed the appropriate
+[contributor license agreements](https://www.openssl.org/policies/cla.html). We
+will not ask for copies of any paperwork, you just need to tell us that you've
+done so (and we might verify with OpenSSL). We are only interested in making it
+easier and better for at least the mentioned QUIC implementations to use a variant
+of OpenSSL. If you have a pull request that changes the TLS protocol, or adds
+assembly support for a new CPU, or otherwise is not specific to enabling QUIC,
+please contribute that to OpenSSL. This fork is intended to be a clean extension
+to OpenSSL, with the deltas being specific to QUIC.
+
+Who are you?
+------------
+This is a collaborative effort between [Akamai](https://www.akamai.com) and
+[Microsoft](https://www.microsoft.com). We welcome anyone to contribute!

crypto/cversion.c

@@ -38,6 +38,10 @@ const char *OpenSSL_version(int t)
         return "ENGINESDIR: \"" ENGINESDIR "\"";
 #else
         return "ENGINESDIR: N/A";
+#endif
+#ifndef OPENSSL_NO_QUIC
+    case OPENSSL_INFO_QUIC:
+	return "QUIC";
 #endif
     }
     return "not available";

crypto/err/openssl.txt

@@ -1162,6 +1162,7 @@ SSL_F_FINAL_EMS:486:final_ems
 SSL_F_FINAL_KEY_SHARE:503:final_key_share
 SSL_F_FINAL_MAXFRAGMENTLEN:557:final_maxfragmentlen
 SSL_F_FINAL_PSK:639:final_psk
+SSL_F_FINAL_QUIC_TRANSPORT_PARAMS:3012:final_quic_transport_params
 SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate
 SSL_F_FINAL_SERVER_NAME:558:final_server_name
 SSL_F_FINAL_SIG_ALGS:497:final_sig_algs
@@ -1185,7 +1186,7 @@ SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE:431:*
 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
 	ossl_statem_server_post_process_message
 SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
-SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
+SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
@@ -1194,6 +1195,9 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names
 SSL_F_PITEM_NEW:624:pitem_new
 SSL_F_PQUEUE_NEW:625:pqueue_new
 SSL_F_PROCESS_KEY_SHARE_EXT:439:*
+SSL_F_QUIC_CHANGE_CIPHER_STATE:3000:quic_change_cipher_state
+SSL_F_QUIC_GET_MESSAGE:3001:quic_get_message
+SSL_F_QUIC_SET_ENCRYPTION_SECRETS:3002:quic_set_encryption_secrets
 SSL_F_READ_STATE_MACHINE:352:read_state_machine
 SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite
 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET:595:srp_generate_client_master_secret
@@ -1204,7 +1208,9 @@ SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm
 SSL_F_SSL3_CTRL:213:ssl3_ctrl
 SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl
 SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records
+SSL_F_SSL3_DISPATCH_ALERT:3003:ssl3_dispatch_alert
 SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec
+SSL_F_SSL3_DO_WRITE:3004:ssl3_do_write
 SSL_F_SSL3_ENC:608:ssl3_enc
 SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac
 SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac
@@ -1312,6 +1318,8 @@ SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT:311:*
 SSL_F_SSL_PEEK:270:SSL_peek
 SSL_F_SSL_PEEK_EX:432:SSL_peek_ex
 SSL_F_SSL_PEEK_INTERNAL:522:ssl_peek_internal
+SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE:3005:SSL_process_quic_post_handshake
+SSL_F_SSL_PROVIDE_QUIC_DATA:3006:SSL_provide_quic_data
 SSL_F_SSL_READ:223:SSL_read
 SSL_F_SSL_READ_EARLY_DATA:529:SSL_read_early_data
 SSL_F_SSL_READ_EX:434:SSL_read_ex
@@ -1361,6 +1369,7 @@ SSL_F_SSL_WRITE_EARLY_DATA:526:SSL_write_early_data
 SSL_F_SSL_WRITE_EARLY_FINISH:527:*
 SSL_F_SSL_WRITE_EX:433:SSL_write_ex
 SSL_F_SSL_WRITE_INTERNAL:524:ssl_write_internal
+SSL_F_STATEM_FLUSH:3007:statem_flush
 SSL_F_STATE_MACHINE:353:state_machine
 SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg
 SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs
@@ -1424,6 +1433,10 @@ SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH:619:\
 	tls_construct_ctos_post_handshake_auth
 SSL_F_TLS_CONSTRUCT_CTOS_PSK:501:tls_construct_ctos_psk
 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES:509:tls_construct_ctos_psk_kex_modes
+SSL_F_TLS_CONSTRUCT_CTOS_QUIC_TRANSPORT_PARAMS:3008:\
+	tls_construct_ctos_quic_transport_params
+SSL_F_TLS_CONSTRUCT_CTOS_QUIC_TRANSPORT_PARAMS_DRAFT:3013:\
+	tls_construct_ctos_quic_transport_params_draft
 SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE:473:tls_construct_ctos_renegotiate
 SSL_F_TLS_CONSTRUCT_CTOS_SCT:474:tls_construct_ctos_sct
 SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME:475:tls_construct_ctos_server_name
@@ -1465,6 +1478,10 @@ SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE:456:tls_construct_stoc_key_share
 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN:548:tls_construct_stoc_maxfragmentlen
 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG:457:tls_construct_stoc_next_proto_neg
 SSL_F_TLS_CONSTRUCT_STOC_PSK:504:tls_construct_stoc_psk
+SSL_F_TLS_CONSTRUCT_STOC_QUIC_TRANSPORT_PARAMS:3009:\
+	tls_construct_stoc_quic_transport_params
+SSL_F_TLS_CONSTRUCT_STOC_QUIC_TRANSPORT_PARAMS_DRAFT:3014:\
+	tls_construct_stoc_quic_transport_params_draft
 SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE:458:tls_construct_stoc_renegotiate
 SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME:459:tls_construct_stoc_server_name
 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket
@@ -1493,6 +1510,10 @@ SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen
 SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH:620:tls_parse_ctos_post_handshake_auth
 SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk
 SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes
+SSL_F_TLS_PARSE_CTOS_QUIC_TRANSPORT_PARAMS:3010:\
+	tls_parse_ctos_quic_transport_params
+SSL_F_TLS_PARSE_CTOS_QUIC_TRANSPORT_PARAMS_DRAFT:3015:\
+	tls_parse_ctos_quic_transport_params_draft
 SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate
 SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name
 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket
@@ -1511,6 +1532,10 @@ SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share
 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen
 SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn
 SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk
+SSL_F_TLS_PARSE_STOC_QUIC_TRANSPORT_PARAMS:3011:\
+	tls_parse_stoc_quic_transport_params
+SSL_F_TLS_PARSE_STOC_QUIC_TRANSPORT_PARAMS_DRAFT:3016:\
+	tls_parse_stoc_quic_transport_params_draft
 SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate
 SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
 SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
@@ -2748,6 +2773,8 @@ SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert
 SSL_R_MISSING_FATAL:256:missing fatal
 SSL_R_MISSING_PARAMETERS:290:missing parameters
 SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension
+SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION:801:\
+	missing quic transport parameters extension
 SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate
 SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert
 SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert
@@ -2897,6 +2924,7 @@ SSL_R_VERSION_TOO_LOW:396:version too low
 SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
 SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
 SSL_R_WRONG_CURVE:378:wrong curve
+SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED:800:wrong encryption level received
 SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
 SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
 SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type

crypto/kdf/hkdf.c

@@ -15,7 +15,7 @@
 #include "internal/cryptlib.h"
 #include "crypto/evp.h"
 
-#define HKDF_MAXBUF 1024
+#define HKDF_MAXBUF 2048
 
 static unsigned char *HKDF(const EVP_MD *evp_md,
                            const unsigned char *salt, size_t salt_len,
@@ -107,7 +107,10 @@ static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         if (kctx->key != NULL)
             OPENSSL_clear_free(kctx->key, kctx->key_len);
 
-        kctx->key = OPENSSL_memdup(p2, p1);
+        if (p1 == 0)
+            kctx->key = OPENSSL_zalloc(1);
+        else
+            kctx->key = OPENSSL_memdup(p2, p1);
         if (kctx->key == NULL)
             return 0;
 

doc/man3/SSL_CIPHER_get_name.pod

@@ -13,6 +13,7 @@ SSL_CIPHER_get_digest_nid,
 SSL_CIPHER_get_handshake_digest,
 SSL_CIPHER_get_kx_nid,
 SSL_CIPHER_get_auth_nid,
+SSL_CIPHER_get_prf_nid,
 SSL_CIPHER_is_aead,
 SSL_CIPHER_find,
 SSL_CIPHER_get_id,
@@ -34,6 +35,7 @@ SSL_CIPHER_get_protocol_id
  const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
  int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
  const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
  uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
@@ -91,6 +93,15 @@ TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive)
  NID_auth_ecdsa
  NID_auth_psk
 
+SSL_CIPHER_get_prf_nid() retuns the pseudo-random function NID for B<c>. If B<c> is
+a pre-TLS-1.2 cipher, it returns B<NID_md5_sha1> but note these ciphers use
+SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
+applicable versions. Examples (not comprehensive):
+
+ NID_md5_sha1
+ NID_sha256
+ NID_sha384
+
 SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
 ChaCha20/Poly1305), and 0 if it is not AEAD.
 
@@ -201,6 +212,8 @@ required to enable this function.
 
 The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
 
+The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.