openssl
openssl copied to clipboard
openssl
QUIC Demuxer and Record Layer (RX Side)
Here we go.
RX only for now aside from some small currently-vestigial pieces of TX functionality.
Key update is mandatory AIUI but involves interaction between the TX/RX pieces so the plan is:
- Develop the TX side on top of this PR and update this PR
- Add tests which get the TX and RX sides talking to each other
- Key update and key update tests
So this shouldn't be merged yet (well, it could be, and I just make a new PR), but reviews are welcome.
This includes a demuxer because implementing the QRL resulted in 90% of the functionality of a demuxer and it made no sense not to include it, since there's necessary interaction between the two.
Not sure what's going on with a/ub/msan. I can't replicate it on my machine with either clang or GCC sanitizers, and the error reported isn't even a sanitizer error... the test is supposed to be deterministic. Hm...
I've looked at the use of OSSL_RECORD_METHOD by TLS and KTLS... IMO it's going to be premature to do something like this for now, especially since the KTLS interface for QUIC literally doesn't exist yet. It makes more sense when needing to support four versions of TLS, DTLS plus KTLS, but the scope of variation for QUIC is a lot narrower. I think this can wait for now; moreover, it's either a question of refactoring this now with an unknown design space (future KTLS APIs) which will probably have to be redone later, or later when we actually know what's needed. So, I'd like to avoid introducing polymorphism into the QRL for now.
The msan issue is weird. Going to have to try and repro it on a build server.
I've looked at the use of OSSL_RECORD_METHOD by TLS and KTLS... IMO it's going to be premature to do something like this for now, especially since the KTLS interface for QUIC literally doesn't exist yet. It makes more sense when needing to support four versions of TLS, DTLS plus KTLS, but the scope of variation for QUIC is a lot narrower. I think this can wait for now; moreover, it's either a question of refactoring this now with an unknown design space (future KTLS APIs) which will probably have to be redone later, or later when we actually know what's needed. So, I'd like to avoid introducing polymorphism into the QRL for now.
Fair enough.
Updated, refactored.
The other KDF function is similar to tls13_generate_secret but not a match. It doesn't use the same label found in that function, and uses HKDF instead of TLS1_3_KDF. So I've kept this separate.
I think this settles the outstanding feedback.
Updated:
- Adds TX side.
- The QRL has been split into independent RX (QRX) and TX (QTX) objects as I'm now satisfied they can be separated reasonably cleanly.
- QRL (the RX side) has been renamed to QRX.
- Some tests for the TX side.
- Key expiration functionality has been added.
- A preview of the API and logical model for key update can be viewed in the header files
quic_record_rx.handquic_record_tx.h. No implementation yet.
Also while I remember: @paulidale, let me know if it would be more helpful for the iovecs to be a linked list instead of an array.
Updated:
-
Adds an RX time field to the OSSL_QRX_PKT structure.
-
Adds a timekeeping argument to ossl_demux_new which is used to determine packet reception time.
-
Adds a decoded PN field to the OSSL_QRX_PKT structure. This has to be decoded by the QRX anyway, and its omission was an oversight.
-
Key update support for the TX side.
-
Minor refactoring.
There's a thing I didn't notice before: ossl_quic_wire_encode_padding() and ossl_quic_wire_decode_padding(), is there a reason they don't have _frame_ in the name?
I mean, they encode/decode multiple frames. I think there was a previous comment on the naming in the PR that added them.
Updated.
I'm a bit wary of changing the name. Some identifiers are already quite long. But I'll take suggestions.
