quic.go

     1  // Copyright 2023 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"errors"
    10  	"fmt"
    11  )
    12  
    13  // QUICEncryptionLevel represents a QUIC encryption level used to transmit
    14  // handshake messages.
    15  type QUICEncryptionLevel int
    16  
    17  const (
    18  	QUICEncryptionLevelInitial = QUICEncryptionLevel(iota)
    19  	QUICEncryptionLevelEarly
    20  	QUICEncryptionLevelHandshake
    21  	QUICEncryptionLevelApplication
    22  )
    23  
    24  func (l QUICEncryptionLevel) String() string {
    25  	switch l {
    26  	case QUICEncryptionLevelInitial:
    27  		return "Initial"
    28  	case QUICEncryptionLevelEarly:
    29  		return "Early"
    30  	case QUICEncryptionLevelHandshake:
    31  		return "Handshake"
    32  	case QUICEncryptionLevelApplication:
    33  		return "Application"
    34  	default:
    35  		return fmt.Sprintf("QUICEncryptionLevel(%v)", int(l))
    36  	}
    37  }
    38  
    39  // A QUICConn represents a connection which uses a QUIC implementation as the underlying
    40  // transport as described in RFC 9001.
    41  //
    42  // Methods of QUICConn are not safe for concurrent use.
    43  type QUICConn struct {
    44  	conn *Conn
    45  
    46  	sessionTicketSent bool
    47  }
    48  
    49  // A QUICConfig configures a [QUICConn].
    50  type QUICConfig struct {
    51  	TLSConfig *Config
    52  
    53  	// EnableSessionEvents may be set to true to enable the
    54  	// [QUICStoreSession] and [QUICResumeSession] events for client connections.
    55  	// When this event is enabled, sessions are not automatically
    56  	// stored in the client session cache.
    57  	// The application should use [QUICConn.StoreSession] to store sessions.
    58  	EnableSessionEvents bool
    59  }
    60  
    61  // A QUICEventKind is a type of operation on a QUIC connection.
    62  type QUICEventKind int
    63  
    64  const (
    65  	// QUICNoEvent indicates that there are no events available.
    66  	QUICNoEvent QUICEventKind = iota
    67  
    68  	// QUICSetReadSecret and QUICSetWriteSecret provide the read and write
    69  	// secrets for a given encryption level.
    70  	// QUICEvent.Level, QUICEvent.Data, and QUICEvent.Suite are set.
    71  	//
    72  	// Secrets for the Initial encryption level are derived from the initial
    73  	// destination connection ID, and are not provided by the QUICConn.
    74  	QUICSetReadSecret
    75  	QUICSetWriteSecret
    76  
    77  	// QUICWriteData provides data to send to the peer in CRYPTO frames.
    78  	// QUICEvent.Data is set.
    79  	QUICWriteData
    80  
    81  	// QUICTransportParameters provides the peer's QUIC transport parameters.
    82  	// QUICEvent.Data is set.
    83  	QUICTransportParameters
    84  
    85  	// QUICTransportParametersRequired indicates that the caller must provide
    86  	// QUIC transport parameters to send to the peer. The caller should set
    87  	// the transport parameters with QUICConn.SetTransportParameters and call
    88  	// QUICConn.NextEvent again.
    89  	//
    90  	// If transport parameters are set before calling QUICConn.Start, the
    91  	// connection will never generate a QUICTransportParametersRequired event.
    92  	QUICTransportParametersRequired
    93  
    94  	// QUICRejectedEarlyData indicates that the server rejected 0-RTT data even
    95  	// if we offered it. It's returned before QUICEncryptionLevelApplication
    96  	// keys are returned.
    97  	// This event only occurs on client connections.
    98  	QUICRejectedEarlyData
    99  
   100  	// QUICHandshakeDone indicates that the TLS handshake has completed.
   101  	QUICHandshakeDone
   102  
   103  	// QUICResumeSession indicates that a client is attempting to resume a previous session.
   104  	// [QUICEvent.SessionState] is set.
   105  	//
   106  	// For client connections, this event occurs when the session ticket is selected.
   107  	// For server connections, this event occurs when receiving the client's session ticket.
   108  	//
   109  	// The application may set [QUICEvent.SessionState.EarlyData] to false before the
   110  	// next call to [QUICConn.NextEvent] to decline 0-RTT even if the session supports it.
   111  	QUICResumeSession
   112  
   113  	// QUICStoreSession indicates that the server has provided state permitting
   114  	// the client to resume the session.
   115  	// [QUICEvent.SessionState] is set.
   116  	// The application should use [QUICConn.StoreSession] session to store the [SessionState].
   117  	// The application may modify the [SessionState] before storing it.
   118  	// This event only occurs on client connections.
   119  	QUICStoreSession
   120  
   121  	// QUICErrorEvent indicates that a fatal error has occurred.
   122  	// The handshake cannot proceed and the connection must be closed.
   123  	// QUICEvent.Err is set.
   124  	QUICErrorEvent
   125  )
   126  
   127  // A QUICEvent is an event occurring on a QUIC connection.
   128  //
   129  // The type of event is specified by the Kind field.
   130  // The contents of the other fields are kind-specific.
   131  type QUICEvent struct {
   132  	Kind QUICEventKind
   133  
   134  	// Set for QUICSetReadSecret, QUICSetWriteSecret, and QUICWriteData.
   135  	Level QUICEncryptionLevel
   136  
   137  	// Set for QUICTransportParameters, QUICSetReadSecret, QUICSetWriteSecret, and QUICWriteData.
   138  	// The contents are owned by crypto/tls, and are valid until the next NextEvent call.
   139  	Data []byte
   140  
   141  	// Set for QUICSetReadSecret and QUICSetWriteSecret.
   142  	Suite uint16
   143  
   144  	// Set for QUICResumeSession and QUICStoreSession.
   145  	SessionState *SessionState
   146  
   147  	// Set for QUICErrorEvent.
   148  	// The error will wrap AlertError.
   149  	Err error
   150  }
   151  
   152  type quicState struct {
   153  	events    []QUICEvent
   154  	nextEvent int
   155  
   156  	// eventArr is a statically allocated event array, large enough to handle
   157  	// the usual maximum number of events resulting from a single call: transport
   158  	// parameters, Initial data, Early read secret, Handshake write and read
   159  	// secrets, Handshake data, Application write secret, Application data.
   160  	eventArr [8]QUICEvent
   161  
   162  	started  bool
   163  	signalc  chan struct{}   // handshake data is available to be read
   164  	blockedc chan struct{}   // handshake is waiting for data, closed when done
   165  	ctx      context.Context // handshake context
   166  	cancel   context.CancelFunc
   167  
   168  	waitingForDrain bool
   169  	errorReturned   bool
   170  
   171  	// readbuf is shared between HandleData and the handshake goroutine.
   172  	// HandshakeCryptoData passes ownership to the handshake goroutine by
   173  	// reading from signalc, and reclaims ownership by reading from blockedc.
   174  	readbuf []byte
   175  
   176  	transportParams []byte // to send to the peer
   177  
   178  	enableSessionEvents bool
   179  }
   180  
   181  // QUICClient returns a new TLS client side connection using QUICTransport as the
   182  // underlying transport. The config cannot be nil.
   183  //
   184  // The config's MinVersion must be at least TLS 1.3.
   185  func QUICClient(config *QUICConfig) *QUICConn {
   186  	return newQUICConn(Client(nil, config.TLSConfig), config)
   187  }
   188  
   189  // QUICServer returns a new TLS server side connection using QUICTransport as the
   190  // underlying transport. The config cannot be nil.
   191  //
   192  // The config's MinVersion must be at least TLS 1.3.
   193  func QUICServer(config *QUICConfig) *QUICConn {
   194  	return newQUICConn(Server(nil, config.TLSConfig), config)
   195  }
   196  
   197  func newQUICConn(conn *Conn, config *QUICConfig) *QUICConn {
   198  	conn.quic = &quicState{
   199  		signalc:             make(chan struct{}),
   200  		blockedc:            make(chan struct{}),
   201  		enableSessionEvents: config.EnableSessionEvents,
   202  	}
   203  	conn.quic.events = conn.quic.eventArr[:0]
   204  	return &QUICConn{
   205  		conn: conn,
   206  	}
   207  }
   208  
   209  // Start starts the client or server handshake protocol.
   210  // It may produce connection events, which may be read with [QUICConn.NextEvent].
   211  //
   212  // Start must be called at most once.
   213  func (q *QUICConn) Start(ctx context.Context) error {
   214  	if q.conn.quic.started {
   215  		return quicError(errors.New("tls: Start called more than once"))
   216  	}
   217  	q.conn.quic.started = true
   218  	if q.conn.config.MinVersion < VersionTLS13 {
   219  		return quicError(errors.New("tls: Config MinVersion must be at least TLS 1.3"))
   220  	}
   221  	go q.conn.HandshakeContext(ctx)
   222  	if _, ok := <-q.conn.quic.blockedc; !ok {
   223  		return q.conn.handshakeErr
   224  	}
   225  	return nil
   226  }
   227  
   228  // NextEvent returns the next event occurring on the connection.
   229  // It returns an event with a Kind of [QUICNoEvent] when no events are available.
   230  func (q *QUICConn) NextEvent() QUICEvent {
   231  	qs := q.conn.quic
   232  	if last := qs.nextEvent - 1; last >= 0 && len(qs.events[last].Data) > 0 {
   233  		// Write over some of the previous event's data,
   234  		// to catch callers erroneously retaining it.
   235  		qs.events[last].Data[0] = 0
   236  	}
   237  	if qs.nextEvent >= len(qs.events) && qs.waitingForDrain {
   238  		qs.waitingForDrain = false
   239  		<-qs.signalc
   240  		<-qs.blockedc
   241  	}
   242  	if err := q.conn.handshakeErr; err != nil {
   243  		if qs.errorReturned {
   244  			return QUICEvent{Kind: QUICNoEvent}
   245  		}
   246  		qs.errorReturned = true
   247  		qs.events = nil
   248  		qs.nextEvent = 0
   249  		return QUICEvent{Kind: QUICErrorEvent, Err: q.conn.handshakeErr}
   250  	}
   251  	if qs.nextEvent >= len(qs.events) {
   252  		qs.events = qs.events[:0]
   253  		qs.nextEvent = 0
   254  		return QUICEvent{Kind: QUICNoEvent}
   255  	}
   256  	e := qs.events[qs.nextEvent]
   257  	qs.events[qs.nextEvent] = QUICEvent{} // zero out references to data
   258  	qs.nextEvent++
   259  	return e
   260  }
   261  
   262  // Close closes the connection and stops any in-progress handshake.
   263  func (q *QUICConn) Close() error {
   264  	if q.conn.quic.ctx == nil {
   265  		return nil // never started
   266  	}
   267  	q.conn.quic.cancel()
   268  	<-q.conn.quic.signalc
   269  	for range q.conn.quic.blockedc {
   270  		// Wait for the handshake goroutine to return.
   271  	}
   272  	return q.conn.handshakeErr
   273  }
   274  
   275  // HandleData handles handshake bytes received from the peer.
   276  // It may produce connection events, which may be read with [QUICConn.NextEvent].
   277  func (q *QUICConn) HandleData(level QUICEncryptionLevel, data []byte) error {
   278  	c := q.conn
   279  	if c.in.level != level {
   280  		return quicError(c.in.setErrorLocked(errors.New("tls: handshake data received at wrong level")))
   281  	}
   282  	c.quic.readbuf = data
   283  	<-c.quic.signalc
   284  	_, ok := <-c.quic.blockedc
   285  	if ok {
   286  		// The handshake goroutine is waiting for more data.
   287  		return nil
   288  	}
   289  	// The handshake goroutine has exited.
   290  	c.handshakeMutex.Lock()
   291  	defer c.handshakeMutex.Unlock()
   292  	c.hand.Write(c.quic.readbuf)
   293  	c.quic.readbuf = nil
   294  	for q.conn.hand.Len() >= 4 && q.conn.handshakeErr == nil {
   295  		b := q.conn.hand.Bytes()
   296  		n := int(b[1])<<16 | int(b[2])<<8 | int(b[3])
   297  		if n > maxHandshake {
   298  			q.conn.handshakeErr = fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshake)
   299  			break
   300  		}
   301  		if len(b) < 4+n {
   302  			return nil
   303  		}
   304  		if err := q.conn.handlePostHandshakeMessage(); err != nil {
   305  			q.conn.handshakeErr = err
   306  		}
   307  	}
   308  	if q.conn.handshakeErr != nil {
   309  		return quicError(q.conn.handshakeErr)
   310  	}
   311  	return nil
   312  }
   313  
   314  type QUICSessionTicketOptions struct {
   315  	// EarlyData specifies whether the ticket may be used for 0-RTT.
   316  	EarlyData bool
   317  	Extra     [][]byte
   318  }
   319  
   320  // SendSessionTicket sends a session ticket to the client.
   321  // It produces connection events, which may be read with [QUICConn.NextEvent].
   322  // Currently, it can only be called once.
   323  func (q *QUICConn) SendSessionTicket(opts QUICSessionTicketOptions) error {
   324  	c := q.conn
   325  	if c.config.SessionTicketsDisabled {
   326  		return nil
   327  	}
   328  	if !c.isHandshakeComplete.Load() {
   329  		return quicError(errors.New("tls: SendSessionTicket called before handshake completed"))
   330  	}
   331  	if c.isClient {
   332  		return quicError(errors.New("tls: SendSessionTicket called on the client"))
   333  	}
   334  	if q.sessionTicketSent {
   335  		return quicError(errors.New("tls: SendSessionTicket called multiple times"))
   336  	}
   337  	q.sessionTicketSent = true
   338  	return quicError(c.sendSessionTicket(opts.EarlyData, opts.Extra))
   339  }
   340  
   341  // StoreSession stores a session previously received in a QUICStoreSession event
   342  // in the ClientSessionCache.
   343  // The application may process additional events or modify the SessionState
   344  // before storing the session.
   345  func (q *QUICConn) StoreSession(session *SessionState) error {
   346  	c := q.conn
   347  	if !c.isClient {
   348  		return quicError(errors.New("tls: StoreSessionTicket called on the server"))
   349  	}
   350  	cacheKey := c.clientSessionCacheKey()
   351  	if cacheKey == "" {
   352  		return nil
   353  	}
   354  	cs := &ClientSessionState{session: session}
   355  	c.config.ClientSessionCache.Put(cacheKey, cs)
   356  	return nil
   357  }
   358  
   359  // ConnectionState returns basic TLS details about the connection.
   360  func (q *QUICConn) ConnectionState() ConnectionState {
   361  	return q.conn.ConnectionState()
   362  }
   363  
   364  // SetTransportParameters sets the transport parameters to send to the peer.
   365  //
   366  // Server connections may delay setting the transport parameters until after
   367  // receiving the client's transport parameters. See [QUICTransportParametersRequired].
   368  func (q *QUICConn) SetTransportParameters(params []byte) {
   369  	if params == nil {
   370  		params = []byte{}
   371  	}
   372  	q.conn.quic.transportParams = params
   373  	if q.conn.quic.started {
   374  		<-q.conn.quic.signalc
   375  		<-q.conn.quic.blockedc
   376  	}
   377  }
   378  
   379  // quicError ensures err is an AlertError.
   380  // If err is not already, quicError wraps it with alertInternalError.
   381  func quicError(err error) error {
   382  	if err == nil {
   383  		return nil
   384  	}
   385  	if _, ok := errors.AsType[AlertError](err); ok {
   386  		return err
   387  	}
   388  	a, ok := errors.AsType[alert](err)
   389  	if !ok {
   390  		a = alertInternalError
   391  	}
   392  	// Return an error wrapping the original error and an AlertError.
   393  	// Truncate the text of the alert to 0 characters.
   394  	return fmt.Errorf("%w%.0w", err, AlertError(a))
   395  }
   396  
   397  func (c *Conn) quicReadHandshakeBytes(n int) error {
   398  	for c.hand.Len() < n {
   399  		if err := c.quicWaitForSignal(); err != nil {
   400  			return err
   401  		}
   402  	}
   403  	return nil
   404  }
   405  
   406  func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) error {
   407  	// Ensure that there are no buffered handshake messages before changing the
   408  	// read keys, since that can cause messages to be parsed that were encrypted
   409  	// using old keys which are no longer appropriate.
   410  	// TODO(roland): we should merge this check with the similar one in setReadTrafficSecret.
   411  	if c.hand.Len() != 0 {
   412  		c.sendAlert(alertUnexpectedMessage)
   413  		return errors.New("tls: handshake buffer not empty before setting read traffic secret")
   414  	}
   415  	c.quic.events = append(c.quic.events, QUICEvent{
   416  		Kind:  QUICSetReadSecret,
   417  		Level: level,
   418  		Suite: suite,
   419  		Data:  secret,
   420  	})
   421  	return nil
   422  }
   423  
   424  func (c *Conn) quicSetWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte) {
   425  	c.quic.events = append(c.quic.events, QUICEvent{
   426  		Kind:  QUICSetWriteSecret,
   427  		Level: level,
   428  		Suite: suite,
   429  		Data:  secret,
   430  	})
   431  }
   432  
   433  func (c *Conn) quicWriteCryptoData(level QUICEncryptionLevel, data []byte) {
   434  	var last *QUICEvent
   435  	if len(c.quic.events) > 0 {
   436  		last = &c.quic.events[len(c.quic.events)-1]
   437  	}
   438  	if last == nil || last.Kind != QUICWriteData || last.Level != level {
   439  		c.quic.events = append(c.quic.events, QUICEvent{
   440  			Kind:  QUICWriteData,
   441  			Level: level,
   442  		})
   443  		last = &c.quic.events[len(c.quic.events)-1]
   444  	}
   445  	last.Data = append(last.Data, data...)
   446  }
   447  
   448  func (c *Conn) quicResumeSession(session *SessionState) error {
   449  	c.quic.events = append(c.quic.events, QUICEvent{
   450  		Kind:         QUICResumeSession,
   451  		SessionState: session,
   452  	})
   453  	c.quic.waitingForDrain = true
   454  	for c.quic.waitingForDrain {
   455  		if err := c.quicWaitForSignal(); err != nil {
   456  			return err
   457  		}
   458  	}
   459  	return nil
   460  }
   461  
   462  func (c *Conn) quicStoreSession(session *SessionState) {
   463  	c.quic.events = append(c.quic.events, QUICEvent{
   464  		Kind:         QUICStoreSession,
   465  		SessionState: session,
   466  	})
   467  }
   468  
   469  func (c *Conn) quicSetTransportParameters(params []byte) {
   470  	c.quic.events = append(c.quic.events, QUICEvent{
   471  		Kind: QUICTransportParameters,
   472  		Data: params,
   473  	})
   474  }
   475  
   476  func (c *Conn) quicGetTransportParameters() ([]byte, error) {
   477  	if c.quic.transportParams == nil {
   478  		c.quic.events = append(c.quic.events, QUICEvent{
   479  			Kind: QUICTransportParametersRequired,
   480  		})
   481  	}
   482  	for c.quic.transportParams == nil {
   483  		if err := c.quicWaitForSignal(); err != nil {
   484  			return nil, err
   485  		}
   486  	}
   487  	return c.quic.transportParams, nil
   488  }
   489  
   490  func (c *Conn) quicHandshakeComplete() {
   491  	c.quic.events = append(c.quic.events, QUICEvent{
   492  		Kind: QUICHandshakeDone,
   493  	})
   494  }
   495  
   496  func (c *Conn) quicRejectedEarlyData() {
   497  	c.quic.events = append(c.quic.events, QUICEvent{
   498  		Kind: QUICRejectedEarlyData,
   499  	})
   500  }
   501  
   502  // quicWaitForSignal notifies the QUICConn that handshake progress is blocked,
   503  // and waits for a signal that the handshake should proceed.
   504  //
   505  // The handshake may become blocked waiting for handshake bytes
   506  // or for the user to provide transport parameters.
   507  func (c *Conn) quicWaitForSignal() error {
   508  	// Drop the handshake mutex while blocked to allow the user
   509  	// to call ConnectionState before the handshake completes.
   510  	c.handshakeMutex.Unlock()
   511  	defer c.handshakeMutex.Lock()
   512  	// Send on blockedc to notify the QUICConn that the handshake is blocked.
   513  	// Exported methods of QUICConn wait for the handshake to become blocked
   514  	// before returning to the user.
   515  	c.quic.blockedc <- struct{}{}
   516  	// The QUICConn reads from signalc to notify us that the handshake may
   517  	// be able to proceed. (The QUICConn reads, because we close signalc to
   518  	// indicate that the handshake has completed.)
   519  	c.quic.signalc <- struct{}{}
   520  	if c.quic.ctx.Err() != nil {
   521  		// The connection has been canceled.
   522  		return c.sendAlertLocked(alertCloseNotify)
   523  	}
   524  	c.hand.Write(c.quic.readbuf)
   525  	c.quic.readbuf = nil
   526  	return nil
   527  }
   528
View as plain text