diff --git a/.azure/azure-pipelines.ci.yml b/.azure/azure-pipelines.ci.yml index 8182c0edf5..0f24c239f2 100644 --- a/.azure/azure-pipelines.ci.yml +++ b/.azure/azure-pipelines.ci.yml @@ -103,14 +103,6 @@ stages: tls: openssl config: Release extraBuildArgs: -EnableTelemetryAsserts - - template: ./templates/build-config-user.yml - parameters: - image: windows-latest - platform: windows - arch: x64 - tls: mitls - config: Release - extraBuildArgs: -EnableTelemetryAsserts - stage: build_windows_debug displayName: Build Windows - Debug @@ -134,14 +126,6 @@ stages: tls: stub config: Debug extraBuildArgs: -EnableTelemetryAsserts - - template: ./templates/build-config-user.yml - parameters: - image: windows-latest - platform: windows - arch: x64 - tls: mitls - config: Debug - extraBuildArgs: -EnableTelemetryAsserts - template: ./templates/build-config-user.yml parameters: image: windows-latest @@ -456,22 +440,16 @@ stages: pool: MsQuic-Win-Latest platform: windows tls: schannel - logProfile: Full.Verbose + logProfile: Full.Light extraArgs: -Filter -*CryptTest.HpMaskChaCha20:CryptTest.WellKnownChaChaPoly:Alpn.ValidAlpnLengths testCerts: true - - template: ./templates/run-bvt.yml - parameters: - image: windows-latest - platform: windows - tls: mitls - logProfile: Full.Light - extraArgs: -Filter -*Unreachable/0:CryptTest/CryptTest.Encryption/2:CryptTest.WellKnownChaChaPoly:*HandshakeParam*:CredValidation* - template: ./templates/run-bvt.yml parameters: image: windows-latest platform: windows tls: openssl - extraArgs: -Filter -*Unreachable/0:AppData/*:Misc/*:CredValidation*:*ValidateStream*:*ValidateConnection* + logProfile: Full.Light + extraArgs: -Filter -*Unreachable/0:CredValidation*:*ValidateStream*:*ValidateConnection* - template: ./templates/run-bvt.yml parameters: image: ubuntu-latest @@ -582,11 +560,6 @@ stages: pool: MsQuic-Win-Latest platform: windows tls: schannel - - template: ./templates/run-quicinterop.yml - parameters: - image: windows-latest - platform: windows - tls: mitls - template: ./templates/run-quicinterop.yml parameters: image: windows-latest diff --git a/.azure/azure-pipelines.perf.yml b/.azure/azure-pipelines.perf.yml index 52014211dd..84ffe08d4d 100644 --- a/.azure/azure-pipelines.perf.yml +++ b/.azure/azure-pipelines.perf.yml @@ -36,7 +36,6 @@ parameters: values: - schannel - openssl - - mitls - name: testToRun type: string displayName: Run Specific Test diff --git a/.gitmodules b/.gitmodules index 39b27f2c77..0dead6c01d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -5,10 +5,6 @@ path = submodules/openssl url = https://github.com/quictls/openssl.git branch = OpenSSL_1_1_1k+quic -[submodule "submodules/everest"] - path = submodules/everest - url = https://github.com/nibanks/everest-dist.git - branch = pr/msquic [submodule "submodules/wil"] path = submodules/wil url = https://github.com/microsoft/wil diff --git a/CMakeLists.txt b/CMakeLists.txt index 91dad3d46c..a2576e2480 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -22,15 +22,11 @@ if ("${CMAKE_HOST_SYSTEM_NAME}" STREQUAL "Windows") set(CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION 10.0.18362.0 CACHE STRING INTERNAL FORCE) endif() -if (QUIC_TLS STREQUAL "mitls") - message(WARNING "Policy 0091 unsupported for miTLS.") +if(POLICY CMP0091) + cmake_policy(SET CMP0091 NEW) + message(STATUS "Setting policy 0091") else() - if(POLICY CMP0091) - cmake_policy(SET CMP0091 NEW) - message(STATUS "Setting policy 0091") - else() - message(WARNING "CMake version too old to support Policy 0091; CRT static linking won't work") - endif() + message(WARNING "CMake version too old to support Policy 0091; CRT static linking won't work") endif() if (POLICY CMP0111) @@ -231,13 +227,6 @@ if(QUIC_TLS STREQUAL "openssl") list(APPEND QUIC_COMMON_DEFINES QUIC_DISABLE_CLIENT_CERT_TESTS) endif() -if(QUIC_TLS STREQUAL "mitls") - message(STATUS "Disabling PFX tests") - list(APPEND QUIC_COMMON_DEFINES QUIC_DISABLE_PFX_TESTS) - message(STATUS "Disabling client certificate tests") - list(APPEND QUIC_COMMON_DEFINES QUIC_DISABLE_CLIENT_CERT_TESTS) -endif() - if(QUIC_TLS STREQUAL "stub") list(APPEND QUIC_COMMON_DEFINES QUIC_TLS_STUB) message(STATUS "Disabling PFX tests") @@ -587,18 +576,6 @@ else() endfunction() endif() -if(QUIC_TLS STREQUAL "mitls") - # Build Everest. - add_subdirectory(submodules/everest/msquic/msvc/kremlib) - add_subdirectory(submodules/everest/msquic/msvc/evercrypt) - add_subdirectory(submodules/everest/msquic/msvc/mitls) - add_subdirectory(submodules/everest/msquic/msvc/quiccrypto) - set_property(TARGET kremlib PROPERTY FOLDER "libraries") - set_property(TARGET evercrypt PROPERTY FOLDER "libraries") - set_property(TARGET mitls PROPERTY FOLDER "libraries") - set_property(TARGET quiccrypto PROPERTY FOLDER "libraries") -endif() - if(QUIC_CODE_CHECK) find_program(CLANGTIDY NAMES clang-tidy) if(CLANGTIDY) diff --git a/THIRD-PARTY-NOTICES b/THIRD-PARTY-NOTICES index c55507f558..274f37d4b5 100644 --- a/THIRD-PARTY-NOTICES +++ b/THIRD-PARTY-NOTICES @@ -185,183 +185,3 @@ License notice for OpenSSL of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS - -License notice for Everest (mitls) -------------------------------- - - Apache License - Version 2.0, January 2004 - https://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS diff --git a/docs/BUILD.md b/docs/BUILD.md index 3e20249064..3bec4ffde2 100644 --- a/docs/BUILD.md +++ b/docs/BUILD.md @@ -123,7 +123,7 @@ The script has a lot of additional configuration options, but the default should `-Arch ` Allow for building for different architectures. **x64** is the defualt architecture. -`-Tls ` Allows for building with different TLS providers. The default is platform dependent (Windows = schannel, Linux = openssl). +`-Tls ` Allows for building with different TLS providers. The default is platform dependent (Windows = schannel, Linux = openssl). `-Clean` Forces a clean build of everything. @@ -164,7 +164,7 @@ The build needs CMake and compiler. ``` brew install cmake ``` -Minimally, build needs Xcode 'Command Line Tools`. That can be done via XCode in App Store or from command line +Minimally, build needs Xcode 'Command Line Tools`. That can be done via XCode in App Store or from command line ``` xcode-select --install ``` diff --git a/docs/InteropServerSetup.md b/docs/InteropServerSetup.md index 6ded676232..8af46ac989 100644 --- a/docs/InteropServerSetup.md +++ b/docs/InteropServerSetup.md @@ -6,7 +6,7 @@ One of the tools in the MsQuic repo is `quicinteropserver` ([source](../src/tool The tool is automatically built with the rest of the repo. See complete build instructions [here](BUILD.md). -There are a few additional things to note beyond the default build instructions. Currently, 0-RTT is only supported on Windows, when using the miTLS TLS library. To build for miTLS, you must use the `-Tls mitls` option when calling `build.ps`. If 0-RTT is not required/needed, then `-Tls schannel` should be fine to use on Windows, and `-Tls openssl` for Linux. +There are a few additional things to note beyond the default build instructions. Currently, 0-RTT is only supported on Windows, when using the OpenSSL TLS library. To build for OpenSSL, you must use the `-Tls openssl` option when calling `build.ps`. If 0-RTT is not required/needed, then `-Tls schannel` should be fine to use on Windows, and `-Tls openssl` for Linux. Once built, you can find the `quicinteropserver` in (assuming PowerShell is used to build): @@ -14,10 +14,10 @@ Once built, you can find the `quicinteropserver` in (assuming PowerShell is used ./artifacts/bin/{platform}/{arch}_{config}_{tls} ``` -For example, if you build with `build.ps1 -Config Release -Tls mitls` on Windows, the output would be in: +For example, if you build with `build.ps1 -Config Release -Tls openssl` on Windows, the output would be in: ``` -./artifacts/bin/windows/x64_release_mitls +./artifacts/bin/windows/x64_release_openssl ``` The directory contains all the build artifacts, including the base MsQuic library (`msquic.dll` or `libmsquic.so`). diff --git a/docs/TLS.md b/docs/TLS.md index bc27837fd3..6975e7dffb 100644 --- a/docs/TLS.md +++ b/docs/TLS.md @@ -52,10 +52,6 @@ MsQuic has a number of implementations for the TLS abstraction layer to support > **Important** - Currently, OpenSSL doesn't officially have QUIC API support (hopefully coming soon), so MsQuic **temporarily** relies on a [fork of OpenSSL](https://github.com/quictls/openssl) that is purely a fork + a set of (unapproved by OMC) changes to expose some QUIC functionality. This fork is only a **stopgap solution** until OpenSSL officially supports QUIC, at which MsQuic will immediately switch to it. -## miTLS - -[miTLS](https://mitls.org/) is an experimental TLS implementation from Microsoft Research. It is not officially supported by MsQuic and is generally just used for testing purposes. It is currently only works on Windows. - # Detailed Design TO-DO diff --git a/scripts/FullRunRPS.json b/scripts/FullRunRPS.json index 1a518e1a14..fcd53ed1a6 100644 --- a/scripts/FullRunRPS.json +++ b/scripts/FullRunRPS.json @@ -9,7 +9,7 @@ "TestName": "RPS", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:RPS -target:$RemoteAddress" diff --git a/scripts/RemoteTests.json b/scripts/RemoteTests.json index 103c10137d..a7a2692b56 100644 --- a/scripts/RemoteTests.json +++ b/scripts/RemoteTests.json @@ -9,7 +9,7 @@ "TestName": "ThroughputUp", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:Throughput -target:$RemoteAddress -bind:$LocalAddress:4434 -ip:4 -uni:1 -upload:2000000000" @@ -77,7 +77,7 @@ "TestName": "ThroughputDown", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:Throughput -target:$RemoteAddress -bind:$LocalAddress:4434 -ip:4 -uni:1 -download:2000000000" @@ -129,7 +129,7 @@ "TestName": "RPS", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:RPS -target:$RemoteAddress" @@ -215,7 +215,7 @@ "TestName": "HPS", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:HPS -target:$RemoteAddress" diff --git a/scripts/TcpTests.json b/scripts/TcpTests.json index a1b65f9675..80ffdfa442 100644 --- a/scripts/TcpTests.json +++ b/scripts/TcpTests.json @@ -9,7 +9,7 @@ "TestName": "TcpThroughputUp", "Local": { "Platform": "Windows", - "Tls": ["stub", "schannel", "openssl", "mitls"], + "Tls": ["stub", "schannel", "openssl"], "Arch": ["x64", "x86", "arm", "arm64"], "Exe": "secnetperf", "Arguments": "-test:Throughput -target:$RemoteAddress -bind:$LocalAddress:4434 -ip:4 -uni:1 -upload:2000000000 -tcp:1" diff --git a/scripts/build.ps1 b/scripts/build.ps1 index badad35ab1..6e905f1126 100644 --- a/scripts/build.ps1 +++ b/scripts/build.ps1 @@ -109,7 +109,7 @@ param ( [string]$Platform = "", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/emulated-performance.ps1 b/scripts/emulated-performance.ps1 index d4b12d43a5..fc0f675193 100644 --- a/scripts/emulated-performance.ps1 +++ b/scripts/emulated-performance.ps1 @@ -55,7 +55,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/install-build-artifacts.ps1 b/scripts/install-build-artifacts.ps1 index b8a8c6c344..66f00e3436 100644 --- a/scripts/install-build-artifacts.ps1 +++ b/scripts/install-build-artifacts.ps1 @@ -27,7 +27,7 @@ param ( [string]$Arch, [Parameter(Mandatory = $true)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls ) diff --git a/scripts/interop.ps1 b/scripts/interop.ps1 index 7bcab73e6f..3b076de2b3 100644 --- a/scripts/interop.ps1 +++ b/scripts/interop.ps1 @@ -60,7 +60,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/merge-coverage.ps1 b/scripts/merge-coverage.ps1 index 7da030b66c..602f615aca 100644 --- a/scripts/merge-coverage.ps1 +++ b/scripts/merge-coverage.ps1 @@ -27,7 +27,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/merge-darwin.ps1 b/scripts/merge-darwin.ps1 index 9d781e3f20..5b9207d6bb 100644 --- a/scripts/merge-darwin.ps1 +++ b/scripts/merge-darwin.ps1 @@ -20,7 +20,7 @@ param ( [string]$Config = "Debug", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "" ) diff --git a/scripts/performance.ps1 b/scripts/performance.ps1 index f1e376e2e8..ed1994d321 100644 --- a/scripts/performance.ps1 +++ b/scripts/performance.ps1 @@ -77,7 +77,7 @@ param ( [string]$LocalArch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$LocalTls = "", [Parameter(Mandatory = $false)] @@ -85,7 +85,7 @@ param ( [string]$RemoteArch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$RemoteTls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/ping.ps1 b/scripts/ping.ps1 index 9da8879c8d..af2b0f1765 100644 --- a/scripts/ping.ps1 +++ b/scripts/ping.ps1 @@ -57,7 +57,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/prepare-machine.ps1 b/scripts/prepare-machine.ps1 index 6b5d854b34..0ecae26fd8 100644 --- a/scripts/prepare-machine.ps1 +++ b/scripts/prepare-machine.ps1 @@ -91,15 +91,10 @@ if ($InitSubmodules) { Write-Host "Initializing openssl submodule" git submodule init submodules/openssl git submodule update - } elseif ($Tls -eq "mitls") { - Write-Host "Initializing everest submodule" - git submodule init submodules/everest - git submodule update } if ($Kernel) { - # Remove OpenSSL and Everest - git rm submodules/everest + # Remove OpenSSL git rm submodules/openssl } diff --git a/scripts/spin.ps1 b/scripts/spin.ps1 index af10564aff..9e8fd5f49a 100644 --- a/scripts/spin.ps1 +++ b/scripts/spin.ps1 @@ -48,7 +48,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/test.ps1 b/scripts/test.ps1 index a12d0a223a..54965bf1b1 100644 --- a/scripts/test.ps1 +++ b/scripts/test.ps1 @@ -94,7 +94,7 @@ param ( [string]$Arch = "x64", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "stub", "mitls")] + [ValidateSet("schannel", "openssl", "stub")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/src/manifest/clog.sidecar b/src/manifest/clog.sidecar index 803b2cad0f..5a1ae878b2 100644 --- a/src/manifest/clog.sidecar +++ b/src/manifest/clog.sidecar @@ -8329,22 +8329,6 @@ ], "macroName": "QuicTraceEvent" }, - "CertOpenSslGetProcessAddressFailure": { - "ModuleProperites": {}, - "TraceString": "[cert] GetProcAddress failed for %s, 0x%x", - "UniqueId": "CertOpenSslGetProcessAddressFailure", - "splitArgs": [ - { - "DefinationEncoding": "s", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "x", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogVerbose" - }, "DatapathOpenUdpSocketFailed": { "ModuleProperites": {}, "TraceString": "[data] UDP send segmentation helper socket failed to open, 0x%x", @@ -8922,652 +8906,142 @@ "TraceString": "[ dll] Unloaded", "UniqueId": "WindowsUserUnloaded", "splitArgs": [], - "macroName": "QuicTraceLogInfo" - }, - "WindowsUserProcessorState": { - "ModuleProperites": {}, - "TraceString": "[ dll] Processors:%u, Groups:%u, NUMA Nodes:%u", - "UniqueId": "WindowsUserProcessorState", - "splitArgs": [ - { - "DefinationEncoding": "u", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogInfo" - }, - "ProcessorInfo": { - "ModuleProperites": {}, - "TraceString": "[ dll] Proc[%u] Group[%hu] Index[%u] NUMA[%u]", - "UniqueId": "ProcessorInfo", - "splitArgs": [ - { - "DefinationEncoding": "u", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "hu", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg4" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg5" - } - ], - "macroName": "QuicTraceLogInfo" - }, - "WindowsUserInitialized": { - "ModuleProperites": {}, - "TraceString": "[ dll] Initialized (AvailMem = %llu bytes)", - "UniqueId": "WindowsUserInitialized", - "splitArgs": [ - { - "DefinationEncoding": "llu", - "MacroVariableName": "arg2" - } - ], - "macroName": "QuicTraceLogInfo" - }, - "WindowsUserUninitialized": { - "ModuleProperites": {}, - "TraceString": "[ dll] Uninitialized", - "UniqueId": "WindowsUserUninitialized", - "splitArgs": [], - "macroName": "QuicTraceLogInfo" - }, - "CertFindCertificateFriendlyName": { - "ModuleProperites": {}, - "TraceString": "[test] No certificate found by FriendlyName", - "UniqueId": "CertFindCertificateFriendlyName", - "splitArgs": [], - "macroName": "QuicTraceLogWarning" - }, - "CertWaitForCreationEvent": { - "ModuleProperites": {}, - "TraceString": "[test] WaitForSingleObject returned 0x%x, proceeding without caution... (GLE: 0x%x)", - "UniqueId": "CertWaitForCreationEvent", - "splitArgs": [ - { - "DefinationEncoding": "x", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "x", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogWarning" - }, - "CertCleanTestCerts": { - "ModuleProperites": {}, - "TraceString": "[cert] %d test certificates found, and %d deleted", - "UniqueId": "CertCleanTestCerts", - "splitArgs": [ - { - "DefinationEncoding": "d", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "d", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogInfo" - }, - "CertOpenRsaKeySuccess": { - "ModuleProperites": {}, - "TraceString": "[cert] Successfully opened RSA key", - "UniqueId": "CertOpenRsaKeySuccess", - "splitArgs": [], - "macroName": "QuicTraceLogInfo" - }, - "CertCreateRsaKeySuccess": { - "ModuleProperites": {}, - "TraceString": "[cert] Successfully created key", - "UniqueId": "CertCreateRsaKeySuccess", - "splitArgs": [], - "macroName": "QuicTraceLogInfo" - }, - "CertCreationEventAlreadyCreated": { - "ModuleProperites": {}, - "TraceString": "[test] CreateEvent opened existing event", - "UniqueId": "CertCreationEventAlreadyCreated", - "splitArgs": [], - "macroName": "QuicTraceLogInfo" - }, - "StorageOpenKey": { - "ModuleProperites": {}, - "TraceString": "[ reg] Opening %s", - "UniqueId": "StorageOpenKey", - "splitArgs": [ - { - "DefinationEncoding": "s", - "MacroVariableName": "arg2" - } - ], - "macroName": "QuicTraceLogVerbose" - }, - "miTlsInitialize": { - "ModuleProperites": {}, - "TraceString": "[ tls] Initializing miTLS library", - "UniqueId": "miTlsInitialize", - "splitArgs": [], - "macroName": "QuicTraceLogVerbose" - }, - "miTlsUninitialize": { - "ModuleProperites": {}, - "TraceString": "[ tls] Cleaning up miTLS library", - "UniqueId": "miTlsUninitialize", - "splitArgs": [], - "macroName": "QuicTraceLogVerbose" - }, - "miTlsLogSecret": { - "ModuleProperites": {}, - "TraceString": "[ tls] %s[%u]: %s", - "UniqueId": "miTlsLogSecret", - "splitArgs": [ - { - "DefinationEncoding": "s", - "MacroVariableName": "arg2" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "s", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogVerbose" - }, - "miTlsFfiProcessFailed": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] FFI_mitls_quic_process failed, tls_error %hu, %s", - "UniqueId": "miTlsFfiProcessFailed", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "hu", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "s", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogConnError" - }, - "miTlsFfiGetHelloSummaryFailed": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] FFI_mitls_get_hello_summary failed, cookie_len: %zu, ticket_len: %zu", - "UniqueId": "miTlsFfiGetHelloSummaryFailed", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "zu", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "zu", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogConnError" - }, - "miTlsCertValidationDisabled": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Certificate validation disabled!", - "UniqueId": "miTlsCertValidationDisabled", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnWarning" - }, - "miTlsCertSelected": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Server certificate selected. SNI: %s; Algorithm: 0x%4.4x", - "UniqueId": "miTlsCertSelected", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "s", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "4.4x", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogConnInfo" - }, - "miTlsUsing0Rtt": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Using 0-RTT ticket.", - "UniqueId": "miTlsUsing0Rtt", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsProcess": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Processing %u bytes", - "UniqueId": "miTlsProcess", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsSend0RttTicket": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Sending 0-RTT ticket", - "UniqueId": "miTlsSend0RttTicket", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsFfiProces": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] FFI_mitls_quic_process processing %u input bytes", - "UniqueId": "miTlsFfiProces", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsFfiProcessResult": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] FFI_mitls_quic_process read %u bytes and has %u bytes ready to send", - "UniqueId": "miTlsFfiProcessResult", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg4" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsHandshakeComplete": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Handshake complete", - "UniqueId": "miTlsHandshakeComplete", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsEarlyDataRejected": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Early data rejected", - "UniqueId": "miTlsEarlyDataRejected", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsEarlyDataAccepted": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Early data accepted", - "UniqueId": "miTlsEarlyDataAccepted", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsEarlyDataNotAttempted": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Early data not attempted", - "UniqueId": "miTlsEarlyDataNotAttempted", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsEarlyDataAttempted": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Early data attempted", - "UniqueId": "miTlsEarlyDataAttempted", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsKeySchedule": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Key schedule = %hu", - "UniqueId": "miTlsKeySchedule", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - }, - { - "DefinationEncoding": "hu", - "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTls0RttReadKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] 0-RTT read key exported", - "UniqueId": "miTls0RttReadKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsHandshakeReadKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Handshake read key exported", - "UniqueId": "miTlsHandshakeReadKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTls1RttReadKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] 1-RTT read key exported", - "UniqueId": "miTls1RttReadKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTls0RttWriteKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] 0-RTT write key exported", - "UniqueId": "miTls0RttWriteKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsHandshakeWriteKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Handshake write key exported", - "UniqueId": "miTlsHandshakeWriteKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTls1RttWriteKeyExported": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] 1-RTT write key exported", - "UniqueId": "miTls1RttWriteKeyExported", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" + "macroName": "QuicTraceLogInfo" }, - "miTlsHandshakeWriteOffsetSet": { + "WindowsUserProcessorState": { "ModuleProperites": {}, - "TraceString": "[conn][%p] Handshake write offset = %u", - "UniqueId": "miTlsHandshakeWriteOffsetSet", + "TraceString": "[ dll] Processors:%u, Groups:%u, NUMA Nodes:%u", + "UniqueId": "WindowsUserProcessorState", "splitArgs": [ { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" + "DefinationEncoding": "u", + "MacroVariableName": "arg2" }, { "DefinationEncoding": "u", "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTls1RttWriteOffsetSet": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] 1-RTT write offset = %u", - "UniqueId": "miTls1RttWriteOffsetSet", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" }, { "DefinationEncoding": "u", - "MacroVariableName": "arg3" + "MacroVariableName": "arg4" } ], - "macroName": "QuicTraceLogConnVerbose" + "macroName": "QuicTraceLogInfo" }, - "miTlsFfiProcesComplete": { + "ProcessorInfo": { "ModuleProperites": {}, - "TraceString": "[conn][%p] Consumed %u bytes", - "UniqueId": "miTlsFfiProcesComplete", + "TraceString": "[ dll] Proc[%u] Group[%hu] Index[%u] NUMA[%u]", + "UniqueId": "ProcessorInfo", "splitArgs": [ { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" + "DefinationEncoding": "u", + "MacroVariableName": "arg2" }, { - "DefinationEncoding": "u", + "DefinationEncoding": "hu", "MacroVariableName": "arg3" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsOnCertSelect": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] OnCertSelect", - "UniqueId": "miTlsOnCertSelect", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsOnNegotiate": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] OnNegotiate", - "UniqueId": "miTlsOnNegotiate", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" - }, - "miTlsProcessServerAlpn": { - "ModuleProperites": {}, - "TraceString": "[conn][%p] Processing server ALPN (Length=%u)", - "UniqueId": "miTlsProcessServerAlpn", - "splitArgs": [ + }, { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" + "DefinationEncoding": "u", + "MacroVariableName": "arg4" }, { "DefinationEncoding": "u", - "MacroVariableName": "arg3" + "MacroVariableName": "arg5" } ], - "macroName": "QuicTraceLogConnVerbose" + "macroName": "QuicTraceLogInfo" }, - "miTlsOnCertFormat": { + "WindowsUserInitialized": { "ModuleProperites": {}, - "TraceString": "[conn][%p] OnCertFormat", - "UniqueId": "miTlsOnCertFormat", + "TraceString": "[ dll] Initialized (AvailMem = %llu bytes)", + "UniqueId": "WindowsUserInitialized", "splitArgs": [ { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" + "DefinationEncoding": "llu", + "MacroVariableName": "arg2" } ], - "macroName": "QuicTraceLogConnVerbose" + "macroName": "QuicTraceLogInfo" }, - "miTlsOnCertSign": { + "WindowsUserUninitialized": { "ModuleProperites": {}, - "TraceString": "[conn][%p] OnCertSign", - "UniqueId": "miTlsOnCertSign", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" + "TraceString": "[ dll] Uninitialized", + "UniqueId": "WindowsUserUninitialized", + "splitArgs": [], + "macroName": "QuicTraceLogInfo" }, - "miTlsOnCertVerify": { + "CertFindCertificateFriendlyName": { "ModuleProperites": {}, - "TraceString": "[conn][%p] OnCertVerify", - "UniqueId": "miTlsOnCertVerify", - "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" - } - ], - "macroName": "QuicTraceLogConnVerbose" + "TraceString": "[test] No certificate found by FriendlyName", + "UniqueId": "CertFindCertificateFriendlyName", + "splitArgs": [], + "macroName": "QuicTraceLogWarning" }, - "miTlsRecvNewSessionTicket": { + "CertWaitForCreationEvent": { "ModuleProperites": {}, - "TraceString": "[conn][%p] Received new ticket. ticket_len:%u session_len:%u for %s", - "UniqueId": "miTlsRecvNewSessionTicket", + "TraceString": "[test] WaitForSingleObject returned 0x%x, proceeding without caution... (GLE: 0x%x)", + "UniqueId": "CertWaitForCreationEvent", "splitArgs": [ { - "DefinationEncoding": "p", - "MacroVariableName": "arg1" + "DefinationEncoding": "x", + "MacroVariableName": "arg2" }, { - "DefinationEncoding": "u", + "DefinationEncoding": "x", "MacroVariableName": "arg3" - }, - { - "DefinationEncoding": "u", - "MacroVariableName": "arg4" - }, - { - "DefinationEncoding": "s", - "MacroVariableName": "arg5" } ], - "macroName": "QuicTraceLogConnVerbose" + "macroName": "QuicTraceLogWarning" }, - "TlsMessage": { + "CertCleanTestCerts": { "ModuleProperites": {}, - "TraceString": "[ tls][%p] %s", - "UniqueId": "TlsMessage", + "TraceString": "[cert] %d test certificates found, and %d deleted", + "UniqueId": "CertCleanTestCerts", "splitArgs": [ { - "DefinationEncoding": "p", + "DefinationEncoding": "d", "MacroVariableName": "arg2" }, { - "DefinationEncoding": "s", + "DefinationEncoding": "d", "MacroVariableName": "arg3" } ], - "macroName": "QuicTraceEvent" + "macroName": "QuicTraceLogInfo" }, - "TlsError": { + "CertOpenRsaKeySuccess": { "ModuleProperites": {}, - "TraceString": "[ tls][%p] ERROR, %s.", - "UniqueId": "TlsError", + "TraceString": "[cert] Successfully opened RSA key", + "UniqueId": "CertOpenRsaKeySuccess", + "splitArgs": [], + "macroName": "QuicTraceLogInfo" + }, + "CertCreateRsaKeySuccess": { + "ModuleProperites": {}, + "TraceString": "[cert] Successfully created key", + "UniqueId": "CertCreateRsaKeySuccess", + "splitArgs": [], + "macroName": "QuicTraceLogInfo" + }, + "CertCreationEventAlreadyCreated": { + "ModuleProperites": {}, + "TraceString": "[test] CreateEvent opened existing event", + "UniqueId": "CertCreationEventAlreadyCreated", + "splitArgs": [], + "macroName": "QuicTraceLogInfo" + }, + "StorageOpenKey": { + "ModuleProperites": {}, + "TraceString": "[ reg] Opening %s", + "UniqueId": "StorageOpenKey", "splitArgs": [ - { - "DefinationEncoding": "p", - "MacroVariableName": "arg2" - }, { "DefinationEncoding": "s", - "MacroVariableName": "arg3" + "MacroVariableName": "arg2" } ], - "macroName": "QuicTraceEvent" + "macroName": "QuicTraceLogVerbose" }, "OpenSslLogSecret": { "ModuleProperites": {}, @@ -9893,6 +9367,22 @@ ], "macroName": "QuicTraceLogConnVerbose" }, + "TlsError": { + "ModuleProperites": {}, + "TraceString": "[ tls][%p] ERROR, %s.", + "UniqueId": "TlsError", + "splitArgs": [ + { + "DefinationEncoding": "p", + "MacroVariableName": "arg2" + }, + { + "DefinationEncoding": "s", + "MacroVariableName": "arg3" + } + ], + "macroName": "QuicTraceEvent" + }, "TlsErrorStatus": { "ModuleProperites": {}, "TraceString": "[ tls][%p] ERROR, %u, %s.", @@ -13169,10 +12659,6 @@ "UniquenessHash": "2cbc406b-c1c0-ba4d-eee8-669f30330f4a", "TraceID": "LibraryError" }, - { - "UniquenessHash": "f11702ec-fc18-f5bb-c732-90e621e3356d", - "TraceID": "CertOpenSslGetProcessAddressFailure" - }, { "UniquenessHash": "78b2984b-b937-3b8e-7684-9339d9267135", "TraceID": "DatapathOpenUdpSocketFailed" @@ -13389,150 +12875,6 @@ "UniquenessHash": "86a081de-c71a-7043-b507-672561f5fd36", "TraceID": "StorageOpenKey" }, - { - "UniquenessHash": "892901ea-49a8-594b-6e05-edb0fc36be3d", - "TraceID": "miTlsInitialize" - }, - { - "UniquenessHash": "912c1707-c315-0036-76ca-602ae12a94b7", - "TraceID": "miTlsUninitialize" - }, - { - "UniquenessHash": "e0e483e0-e15e-e93b-6ec0-cb084e300cb3", - "TraceID": "miTlsLogSecret" - }, - { - "UniquenessHash": "fc766c70-8cec-7846-ba14-63bc930b4e06", - "TraceID": "miTlsFfiProcessFailed" - }, - { - "UniquenessHash": "0e9054b4-02e7-dad9-6893-dd902ebb0dd4", - "TraceID": "miTlsFfiGetHelloSummaryFailed" - }, - { - "UniquenessHash": "76420f88-75d8-6a13-f42b-bea06884e542", - "TraceID": "miTlsCertValidationDisabled" - }, - { - "UniquenessHash": "adbd41df-cab6-b314-1ceb-dc00def1c425", - "TraceID": "miTlsCertSelected" - }, - { - "UniquenessHash": "0eb36a7a-47b3-271a-054b-94a5ebf6c257", - "TraceID": "miTlsUsing0Rtt" - }, - { - "UniquenessHash": "4cb2a299-89dc-7245-b116-4dcc9875d5fe", - "TraceID": "miTlsProcess" - }, - { - "UniquenessHash": "54a1f582-7b8d-434a-143e-9df24a874f95", - "TraceID": "miTlsSend0RttTicket" - }, - { - "UniquenessHash": "bdbaac9e-6abe-7c57-d354-df78a89838ce", - "TraceID": "miTlsFfiProces" - }, - { - "UniquenessHash": "27d4a0a4-4e32-0043-3d90-166d1b378f92", - "TraceID": "miTlsFfiProcessResult" - }, - { - "UniquenessHash": "cbc269aa-13ca-8f88-d61e-db9403a335de", - "TraceID": "miTlsHandshakeComplete" - }, - { - "UniquenessHash": "4833606e-5d9c-82d2-86e1-875d57efdaf6", - "TraceID": "miTlsEarlyDataRejected" - }, - { - "UniquenessHash": "18f82502-f22b-ca5d-6393-cdd01c7bd873", - "TraceID": "miTlsEarlyDataAccepted" - }, - { - "UniquenessHash": "717e49dd-7942-4cae-f517-3f001e43e7b5", - "TraceID": "miTlsEarlyDataNotAttempted" - }, - { - "UniquenessHash": "21c32d30-e5c5-164a-e1ee-e9485d64813f", - "TraceID": "miTlsEarlyDataAttempted" - }, - { - "UniquenessHash": "9a6e2c4c-9ed2-e2d4-56d1-f3453c281a20", - "TraceID": "miTlsKeySchedule" - }, - { - "UniquenessHash": "a18ddb89-8c56-1236-6421-a14072f160f8", - "TraceID": "miTls0RttReadKeyExported" - }, - { - "UniquenessHash": "dfaeb8b5-339e-c0e7-7289-15228d5f084a", - "TraceID": "miTlsHandshakeReadKeyExported" - }, - { - "UniquenessHash": "9d6d3263-01ca-a734-569a-07f0f9b5d3da", - "TraceID": "miTls1RttReadKeyExported" - }, - { - "UniquenessHash": "6baedb0e-b86a-72c2-b3ec-341ef8235aa9", - "TraceID": "miTls0RttWriteKeyExported" - }, - { - "UniquenessHash": "f42df196-45dc-9a31-96ef-31226467df0e", - "TraceID": "miTlsHandshakeWriteKeyExported" - }, - { - "UniquenessHash": "74e3e2f2-0fb6-e892-57ac-85fcda2a4a7a", - "TraceID": "miTls1RttWriteKeyExported" - }, - { - "UniquenessHash": "d4d7056c-435c-b5b8-900c-f95f770ddb9d", - "TraceID": "miTlsHandshakeWriteOffsetSet" - }, - { - "UniquenessHash": "dbd24fcc-7265-6088-8693-f8fdfc7030b5", - "TraceID": "miTls1RttWriteOffsetSet" - }, - { - "UniquenessHash": "71ed54f4-e631-7f1d-2d2e-65e1b533d8e5", - "TraceID": "miTlsFfiProcesComplete" - }, - { - "UniquenessHash": "0bd9bfa0-b1eb-3e4a-234b-bf10c2013d9c", - "TraceID": "miTlsOnCertSelect" - }, - { - "UniquenessHash": "36f092f6-9fee-e5ec-bd11-6e3418458161", - "TraceID": "miTlsOnNegotiate" - }, - { - "UniquenessHash": "7f747d9f-de9d-f24e-44e1-a097950c0429", - "TraceID": "miTlsProcessServerAlpn" - }, - { - "UniquenessHash": "db04d0d6-a7a5-38c6-37a6-fa059a2b11f3", - "TraceID": "miTlsOnCertFormat" - }, - { - "UniquenessHash": "e175542b-2cfb-6134-82ad-89a84cb3a964", - "TraceID": "miTlsOnCertSign" - }, - { - "UniquenessHash": "22fc0283-1a6e-1ee5-1c6e-901b14517e07", - "TraceID": "miTlsOnCertVerify" - }, - { - "UniquenessHash": "deb3fa41-4cad-e7b7-a02c-478a669346bd", - "TraceID": "miTlsRecvNewSessionTicket" - }, - { - "UniquenessHash": "71d0a82e-145c-f936-f56e-7dcb4099b96e", - "TraceID": "TlsMessage" - }, - { - "UniquenessHash": "9eac4540-061f-ff2b-c104-5c1e1b8b22b6", - "TraceID": "TlsError" - }, { "UniquenessHash": "69c5c25e-ab70-9800-8260-aa93a193bd8b", "TraceID": "OpenSslLogSecret" @@ -13617,6 +12959,10 @@ "UniquenessHash": "ff332af9-4ba2-95a8-bb2c-c5c729be4ccd", "TraceID": "OpenSslProcessData" }, + { + "UniquenessHash": "9eac4540-061f-ff2b-c104-5c1e1b8b22b6", + "TraceID": "TlsError" + }, { "UniquenessHash": "7312d23f-2305-b54b-e1da-81597fabe281", "TraceID": "TlsErrorStatus" diff --git a/src/platform/CMakeLists.txt b/src/platform/CMakeLists.txt index 046af4933f..7b38311175 100644 --- a/src/platform/CMakeLists.txt +++ b/src/platform/CMakeLists.txt @@ -53,10 +53,6 @@ elseif(QUIC_TLS STREQUAL "openssl") else() set(SOURCES ${SOURCES} selfsign_openssl.c) endif() -elseif(QUIC_TLS STREQUAL "mitls") - message(STATUS "Configuring for miTLS") - set(SOURCES ${SOURCES} cert_capi.c selfsign_capi.c tls_mitls.c) - set(EXTRA_PLATFORM_INCLUDE_DIRECTORIES ${PROJECT_SOURCE_DIR}/submodules/everest/msquic/msvc/include) else() message(STATUS "Configuring for stub TLS") set(SOURCES ${SOURCES} cert_stub.c selfsign_stub.c tls_stub.c) @@ -84,8 +80,6 @@ endif() if(QUIC_TLS STREQUAL "openssl") target_link_libraries(platform PUBLIC OpenSSL) -elseif(QUIC_TLS STREQUAL "mitls") - target_link_libraries(platform PUBLIC kremlib evercrypt mitls quiccrypto) elseif(QUIC_TLS STREQUAL "schannel") target_link_libraries(platform PUBLIC secur32) endif() diff --git a/src/platform/cert_openssl.c b/src/platform/cert_openssl.c deleted file mode 100644 index 5a3765b8bb..0000000000 --- a/src/platform/cert_openssl.c +++ /dev/null @@ -1,334 +0,0 @@ -/*++ - - Copyright (c) Microsoft Corporation. - Licensed under the MIT License. - -Abstract: - - Implements the certificate functions by calling OpenSSL (via miPKI helper). - - NOTE - Currently out of date. - ---*/ - -#include "platform_internal.h" -#ifdef QUIC_CLOG -#include "cert_openssl.c.clog.h" -#endif - -#include -#include - -typedef mipki_state* (MITLS_CALLCONV *Fn_mipki_init)(const mipki_config_entry config[], size_t config_len, password_callback pcb, int *erridx); -typedef void (MITLS_CALLCONV *Fn_mipki_free)(mipki_state *st); -typedef int (MITLS_CALLCONV *Fn_mipki_add_root_file_or_path)(mipki_state *st, const char *ca_file); -typedef mipki_chain(MITLS_CALLCONV *Fn_mipki_select_certificate)(mipki_state *st, const char *sni, size_t sni_len, const mipki_signature *algs, size_t algs_len, mipki_signature *selected); -typedef int (MITLS_CALLCONV *Fn_mipki_sign_verify)(mipki_state *st, mipki_chain cert_ptr, const mipki_signature sigalg, const char *tbs, size_t tbs_len, char *sig, size_t *sig_len, mipki_mode m); -typedef mipki_chain(MITLS_CALLCONV *Fn_mipki_parse_chain)(mipki_state *st, const char *chain, size_t chain_len); -typedef size_t(MITLS_CALLCONV *Fn_mipki_format_chain)(mipki_state *st, mipki_chain chain, char *buffer, size_t buffer_len); -typedef int (MITLS_CALLCONV *Fn_mipki_validate_chain)(mipki_state *st, mipki_chain chain, const char *host); -typedef void (MITLS_CALLCONV *Fn_mipki_free_chain)(mipki_state *st, mipki_chain chain); - -#define DECLARE_FUNC(Func) Fn_ ## Func Func - -typedef struct CXPLAT_MIPKI_LIBRARY { - - HMODULE Libmipki; - - DECLARE_FUNC(mipki_init); - DECLARE_FUNC(mipki_free); - DECLARE_FUNC(mipki_add_root_file_or_path); - DECLARE_FUNC(mipki_select_certificate); - DECLARE_FUNC(mipki_sign_verify); - DECLARE_FUNC(mipki_parse_chain); - DECLARE_FUNC(mipki_format_chain); - DECLARE_FUNC(mipki_validate_chain); - DECLARE_FUNC(mipki_free_chain); - - CXPLAT_LOCK Lock; - mipki_state *State; - -} CXPLAT_MIPKI_LIBRARY; - -CXPLAT_MIPKI_LIBRARY miPKI = { 0 }; - -static -inline -void -LogGetProcAddressFailure( - _In_ const char* FuncName, - _In_ DWORD Error - ) -{ - QuicTraceLogVerbose( - CertOpenSslGetProcessAddressFailure, - "[cert] GetProcAddress failed for %s, 0x%x", - FuncName, - Error); -} - -QUIC_STATUS -CxPlatCertLibraryInitialize( - void - ) -{ - QUIC_STATUS Status; - - if (miPKI.Libmipki) { - Status = QUIC_STATUS_SUCCESS; - goto Error; - } - - // - // First see if we can load the DLL. - // - miPKI.Libmipki = LoadLibrary("libmipki.dll"); - if (miPKI.Libmipki == NULL) { - Status = GetLastError(); - QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - Status, - "Failed to Load libmipki.dll"); - goto Error; - } - -#define GetFunc(Lib, Func) \ - miPKI.Func = (Fn_ ## Func)GetProcAddress(miPKI.Lib, #Func); \ - if (miPKI.Func == NULL) { \ - Status = GetLastError(); \ - LogGetProcAddressFailure(#Func, Status); \ - goto Error; \ - } - - // - // Load the libmitls functions. - // - GetFunc(Libmipki, mipki_init); - GetFunc(Libmipki, mipki_free); - GetFunc(Libmipki, mipki_add_root_file_or_path); - GetFunc(Libmipki, mipki_select_certificate); - GetFunc(Libmipki, mipki_sign_verify); - GetFunc(Libmipki, mipki_parse_chain); - GetFunc(Libmipki, mipki_format_chain); - GetFunc(Libmipki, mipki_validate_chain); - GetFunc(Libmipki, mipki_free_chain); - - mipki_config_entry pki_config = { - .cert_file = "server.crt", - .key_file = "server.key", - .is_universal = 1 // ignore SNI - }; - - int erridx; - miPKI.State = miPKI.mipki_init(&pki_config, 1, NULL, &erridx); - - if (!miPKI.State) { - Status = QUIC_STATUS_INVALID_STATE; - QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - erridx, - "mipki_init failed"); - goto Error; - } - - if (!miPKI.mipki_add_root_file_or_path(miPKI.State, "CAFile.pem")) { - Status = QUIC_STATUS_INVALID_STATE; - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "mipki_add_root_file_or_path failed"); - goto Error; - } - - CxPlatLockInitialize(&miPKI.Lock); - - Status = QUIC_STATUS_SUCCESS; - -Error: - - if (QUIC_FAILED(Status)) { - if (miPKI.State) { - miPKI.mipki_free(miPKI.State); - miPKI.State = NULL; - } - if (miPKI.Libmipki) { - FreeLibrary(miPKI.Libmipki); - miPKI.Libmipki = NULL; - } - } - - return Status; -} - -void -CxPlatCertLibraryUninitialize( - void - ) -{ - if (miPKI.Libmipki != NULL) { - CxPlatLockUninitialize(&miPKI.Lock); - miPKI.mipki_free(miPKI.State); - FreeLibrary(miPKI.Libmipki); - miPKI.Libmipki = NULL; - } -} - -_Success_(return != NULL) -QUIC_CERTIFICATE* -CxPlatCertSelect( - _In_reads_opt_(ServerNameIndiciationLength) - const char* ServerNameIndiciation, - size_t ServerNameIndiciationLength, - _In_reads_(SignatureAlgorithmsLength) - const UINT16 *SignatureAlgorithms, - _In_ size_t SignatureAlgorithmsLength, - _Out_ UINT16 *SelectedSignature - ) -{ - CxPlatLockAcquire(&miPKI.Lock); - - mipki_chain Certificate = - miPKI.mipki_select_certificate( - miPKI.State, - ServerNameIndiciation, - ServerNameIndiciationLength, - SignatureAlgorithms, - SignatureAlgorithmsLength, - SelectedSignature); - - CxPlatLockRelease(&miPKI.Lock); - - return (QUIC_CERTIFICATE*)Certificate; -} - -_Success_(return != NULL) -QUIC_CERTIFICATE* -CxPlatCertParseChain( - _In_ size_t ChainBufferLength, - _In_reads_(ChainBufferLength) const BYTE *ChainBuffer - ) -{ - CxPlatLockAcquire(&miPKI.Lock); - - mipki_chain Certificate = - miPKI.mipki_parse_chain( - miPKI.State, - (const char*)ChainBuffer, - ChainBufferLength); - - CxPlatLockRelease(&miPKI.Lock); - - return (QUIC_CERTIFICATE*)Certificate; -} - -_Success_(return != 0) -size_t -CxPlatCertFormat( - _In_ QUIC_CERTIFICATE* Certificate, - _In_ size_t BufferLength, - _Out_writes_to_(BufferLength, return) - BYTE* Buffer - ) -{ - CxPlatLockAcquire(&miPKI.Lock); - - size_t Result = - miPKI.mipki_format_chain( - miPKI.State, - (mipki_chain)Certificate, - (char*)Buffer, - BufferLength); - - CxPlatLockRelease(&miPKI.Lock); - - return Result; -} - -_Success_(return != FALSE) -BOOLEAN -CxPlatCertValidateChain( - _In_ const QUIC_CERTIFICATE* Certificate, - _In_opt_z_ const char* Host, - _In_ uint32_t IgnoreFlags - ) -{ - UNREFERENCED_PARAMETER(IgnoreFlags); - - CxPlatLockAcquire(&miPKI.Lock); - - int Result = - miPKI.mipki_validate_chain( - miPKI.State, - (mipki_chain)Certificate, - Host); - - CxPlatLockRelease(&miPKI.Lock); - - return Result == 0 ? FALSE : TRUE; -} - -_Success_(return != FALSE) -BOOLEAN -CxPlatCertSign( - _In_ QUIC_CERTIFICATE* Certificate, - _In_ const UINT16 SignatureAlgorithm, - _In_reads_(CertListToBeSignedLength) - const BYTE *CertListToBeSigned, - _In_ size_t CertListToBeSignedLength, - _Out_writes_to_(*SignatureLength, *SignatureLength) - BYTE *Signature, - _Inout_ size_t *SignatureLength - ) -{ - CxPlatLockAcquire(&miPKI.Lock); - - int Result = - miPKI.mipki_sign_verify( - miPKI.State, - (mipki_chain)Certificate, - SignatureAlgorithm, - (const char*)CertListToBeSigned, - CertListToBeSignedLength, - (char*)Signature, - SignatureLength, - MIPKI_SIGN); - - CxPlatLockRelease(&miPKI.Lock); - - return Result == 0 ? FALSE : TRUE; -} - -_Success_(return != FALSE) -BOOLEAN -CxPlatCertVerify( - _In_ QUIC_CERTIFICATE* Certificate, - _In_ const UINT16 SignatureAlgorithm, - _In_reads_(CertListToBeSignedLength) - const BYTE *CertListToBeSigned, - _In_ size_t CertListToBeSignedLength, - _In_reads_(SignatureLength) - const BYTE *Signature, - _In_ size_t SignatureLength - ) -{ - CxPlatLockAcquire(&miPKI.Lock); - - int Result = - miPKI.mipki_sign_verify( - miPKI.State, - (mipki_chain)Certificate, - SignatureAlgorithm, - (const char*)CertListToBeSigned, - CertListToBeSignedLength, - (char*)Signature, - &SignatureLength, - MIPKI_VERIFY); - - miPKI.mipki_free_chain(miPKI.State, Certificate); - - CxPlatLockRelease(&miPKI.Lock); - - return Result == 0 ? FALSE : TRUE; -} diff --git a/src/platform/platform_winuser.c b/src/platform/platform_winuser.c index 1a5926a9d9..9e169867fd 100644 --- a/src/platform/platform_winuser.c +++ b/src/platform/platform_winuser.c @@ -544,16 +544,6 @@ CxPlatUtf8ToWideChar( return HRESULT_FROM_WIN32(Error); } -__declspec(noreturn) -void -KrmlExit( - int n - ) -{ - UNREFERENCED_PARAMETER(n); - CXPLAT_FRE_ASSERTMSG(FALSE, "miTLS hit a fatal error"); -} - #ifdef QUIC_EVENTS_MANIFEST_ETW _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ diff --git a/src/platform/tls_mitls.c b/src/platform/tls_mitls.c deleted file mode 100644 index dd03d9aa1f..0000000000 --- a/src/platform/tls_mitls.c +++ /dev/null @@ -1,2676 +0,0 @@ -/*++ - - Copyright (c) Microsoft Corporation. - Licensed under the MIT License. - -Abstract: - - miTLS TLS Implementation for QUIC - ---*/ - -#include "platform_internal.h" -#ifdef QUIC_CLOG -#include "tls_mitls.c.clog.h" -#endif - -#define IS_WINDOWS 1 -#pragma warning(disable:4996) // Deprecated APIs -#include -#include - -uint16_t CxPlatTlsTPHeaderSize = 0; - -#define CXPLAT_SUPPORTED_CIPHER_SUITES "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256" -#define CXPLAT_SERVER_SIGNATURE_ALGORITHMS "ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSAPSS+SHA256:RSAPSS+SHA384:RSAPSS+SHA512" -#define CXPLAT_CLIENT_SIGNATURE_ALGORITHMS "ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSAPSS+SHA256:RSAPSS+SHA384:RSAPSS+SHA512" -#if CXPLAT_PROD_MITLS -#define CXPLAT_SERVER_NAMED_GROUPS "P-521:P-384:P-256:X25519:FFDHE4096:FFDHE3072:FFDHE2048" -#define CXPLAT_CLIENT_NAMED_GROUPS "P-384:P-256:X25519" -#else -#define CXPLAT_SERVER_NAMED_GROUPS "X25519" -#define CXPLAT_CLIENT_NAMED_GROUPS "X25519" -#endif - -// -// The maximum message buffer length. -// -#define CXPLAT_TLS_MAX_MESSAGE_LENGTH (8 * 1024) - -const QUIC_PACKET_KEY_TYPE miTlsKeyTypes[2][4] = -{ - { QUIC_PACKET_KEY_INITIAL, QUIC_PACKET_KEY_HANDSHAKE, QUIC_PACKET_KEY_1_RTT, QUIC_PACKET_KEY_1_RTT }, - { QUIC_PACKET_KEY_INITIAL, QUIC_PACKET_KEY_0_RTT, QUIC_PACKET_KEY_HANDSHAKE, QUIC_PACKET_KEY_1_RTT } -}; - -// -// Callback for miTLS when extensions are ready. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -_Success_(return != TLS_nego_abort) -mitls_nego_action -MITLS_CALLCONV -CxPlatTlsOnNegotiate( - _In_ void *Context, - _In_ mitls_version Version, - _In_reads_(RawExtensionsLength) - const uint8_t *RawExtensions, - _In_ size_t RawExtensionsLength, - _Deref_post_opt_count_(*CustomExtensionsLength) - mitls_extension **CustomExtensions, - _Out_ size_t *CustomExtensionsLength, - _Deref_pre_opt_count_(*CookieLength) - _Deref_post_opt_count_(*CookieLength) - uint8_t **Cookie, - _Inout_ size_t *CookieLength - ); - -// -// Callback for miTLS when a new ticket is ready. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -void -MITLS_CALLCONV -CxPlatTlsOnTicketReady( - void *Context, - const char *ServerNameIndication, // SNI - const mitls_ticket *Ticket - ); - -// -// Select a certificate based on the given SNI and list of signatures. -// Signature algorithms are represented as 16-bit integers using the -// TLS 1.3 RFC code points. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -void* -MITLS_CALLCONV -CxPlatTlsOnCertSelect( - void *Context, - mitls_version TlsVersion, - const uint8_t *ServerNameIndication, - size_t ServerNameIndicationLength, - const uint8_t *Alpn, - size_t AlpnLength, - const mitls_signature_scheme *SignatureAlgorithms, - size_t SignatureAlgorithmsLength, - mitls_signature_scheme *SelectedSignature - ); - -// -// Write the certificate chain to 'Buffer', returning the number of written -// bytes. The chain should be written by prefixing each certificate by its -// length encoded over 3 bytes. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -size_t -MITLS_CALLCONV -CxPlatTlsOnCertFormat( - void *Context, - const void *SecContext, - uint8_t Buffer[MAX_CHAIN_LEN] - ); - -// -// Tries to sign and write the signature to 'Signature', returning the -// signature size or 0 if signature failed. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -size_t -MITLS_CALLCONV -CxPlatTlsOnCertSign( - void *Context, - const void *SecContext, - const mitls_signature_scheme SignatureAlgorithm, - const uint8_t *CertListToBeSigned, // TBS - size_t CertListToBeSignedLength, - uint8_t *Signature - ); - -// -// Verifies that the chain (given in the same format as above) is valid, and -// that 'Signature' is a valid signature of 'CertListToBeSigned' for -// 'SignatureAlgorithm' using the public key stored in the leaf of the chain. -// N.B. this function must validate the chain (including applcation checks such -// as hostname matching). -// -_IRQL_requires_max_(PASSIVE_LEVEL) -int -MITLS_CALLCONV -CxPlatTlsOnCertVerify( - void *Context, - const uint8_t* ChainBuffer, - size_t ChainBufferLength, - const mitls_signature_scheme SignatureAlgorithm, - const uint8_t* CertListToBeSigned, // TBS - size_t CertListToBeSignedLength, - const uint8_t *Signature, - size_t SignatureLength - ); - -// -// Helper function for miTLS to export the key we need. -// -_IRQL_requires_max_(PASSIVE_LEVEL) -_Success_(return != FALSE) -BOOLEAN -QuicPacketKeyCreate( - _In_ CXPLAT_TLS* TlsContext, - _In_ QUIC_PACKET_KEY_TYPE KeyType, - _In_ int Epoch, - _In_ quic_direction rw, - _Out_ QUIC_PACKET_KEY** NewKey - ); - -// -// TLS Security Config -// -typedef struct CXPLAT_SEC_CONFIG { - - QUIC_CREDENTIAL_TYPE Type; - QUIC_CREDENTIAL_FLAGS Flags; - CXPLAT_TLS_CREDENTIAL_FLAGS TlsFlags; - - CXPLAT_TLS_CALLBACKS Callbacks; - - // - // The certificate context, used for signing. - // - QUIC_CERTIFICATE* Certificate; - void* PrivateKey; - - // - // Formatted certificate bytes for sending on the wire. - // - uint16_t FormatLength; - uint8_t FormatBuffer[CXPLAT_TLS_MAX_MESSAGE_LENGTH]; - -} CXPLAT_SEC_CONFIG; - -// -// Contiguous memory representation of a ticket. -// -typedef struct CXPLAT_TLS_TICKET { - - uint32_t TicketLength; - uint32_t SessionLength; - _Field_size_(TicketLength + SessionLength) - uint8_t Buffer[0]; - -} CXPLAT_TLS_TICKET; - -// -// The TLS interface context. -// -typedef struct CXPLAT_TLS { - - // - // Flag indicating if the TLS represents a server. - // - BOOLEAN IsServer : 1; - - // - // Indicates the client attempted 0-RTT. - // - BOOLEAN EarlyDataAttempted : 1; - - // - // Index into the miTlsKeyTypes array. - // - uint8_t TlsKeySchedule : 1; - uint8_t TlsKeyScheduleSet : 1; - - // - // The TLS extension type for the QUIC transport parameters. - // - uint16_t QuicTpExtType; - - // - // The TLS configuration information and credentials. - // - CXPLAT_SEC_CONFIG* SecConfig; - - // - // Server Name Indication. - // - const char* SNI; - - // - // The current write buffer length. - // - uint32_t BufferLength; - - // - // Buffer for writing. - // - const uint8_t* Buffer; - - // - // Current reader epoch. - // - int32_t CurrentReaderKey; - - // - // Current writer epoch. - // - int32_t CurrentWriterKey; - - // - // Process state for the outstanding process call. - // - CXPLAT_TLS_PROCESS_STATE* State; - - // - // Callback handlers and input connection. - // - QUIC_CONNECTION* Connection; - - // - // miTLS Config. - // - quic_config miTlsConfig; - - // - // Callbacks used my miTLS to operate on certificates. - // - mitls_cert_cb miTlsCertCallbacks; - - // - // The miTLS library state. - // - quic_state *miTlsState; - - // - // Storage for the ticket passed to miTLS. - // - mitls_ticket miTlsTicket; - - // - // Storage for encoded TLS extensions. - // - mitls_extension Extensions[2]; - -#ifdef CXPLAT_TLS_SECRETS_SUPPORT - // - // Optional pointer to struct to store TLS secrets. - // - CXPLAT_TLS_SECRETS* TlsSecrets; -#endif - -} CXPLAT_TLS; - -DWORD miTlsCurrentConnectionIndex = TLS_OUT_OF_INDEXES; // Thread-local storage index - -// -// Callback from mitls for logging purposes. -// -void -MITLS_CALLCONV -MiTlsTraceCallback( - _In_z_ const char *Msg - ) -{ - QuicTraceEvent( - TlsMessage, - "[ tls][%p] %s", - TlsGetValue(miTlsCurrentConnectionIndex), - Msg); -} - -QUIC_STATUS -CxPlatTlsLibraryInitialize( - void - ) -{ - QUIC_STATUS Status; - - miTlsCurrentConnectionIndex = TlsAlloc(); - - QuicTraceLogVerbose( - miTlsInitialize, - "[ tls] Initializing miTLS library"); - FFI_mitls_set_trace_callback(MiTlsTraceCallback); - if (!FFI_mitls_init()) { - Status = QUIC_STATUS_INVALID_STATE; - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "FFI_mitls_init failed"); - goto Error; - } - - uint8_t Key[CXPLAT_IV_LENGTH + 32] = { 0 }; // Always use the same null key client side right now. - if (!FFI_mitls_set_sealing_key("AES256-GCM", Key, sizeof(Key))) { - Status = QUIC_STATUS_INVALID_STATE; - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "FFI_mitls_set_sealing_key failed"); - FFI_mitls_cleanup(); - goto Error; - } - - // - // Randomly initialize the server's 0-RTT ticket encryption key. - // - CxPlatRandom(sizeof(Key), Key); - if (!FFI_mitls_set_ticket_key("AES256-GCM", Key, sizeof(Key))) { - Status = QUIC_STATUS_INVALID_STATE; - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "FFI_mitls_set_ticket_key failed"); - FFI_mitls_cleanup(); - goto Error; - } - - Status = QUIC_STATUS_SUCCESS; - -Error: - - if (QUIC_FAILED(Status)) { - TlsFree(miTlsCurrentConnectionIndex); - } - - return Status; -} - -void -CxPlatTlsLibraryUninitialize( - void - ) -{ - QuicTraceLogVerbose( - miTlsUninitialize, - "[ tls] Cleaning up miTLS library"); - FFI_mitls_cleanup(); - TlsFree(miTlsCurrentConnectionIndex); -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsSecConfigCreate( - _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _In_ CXPLAT_TLS_CREDENTIAL_FLAGS TlsCredFlags, - _In_ const CXPLAT_TLS_CALLBACKS* TlsCallbacks, - _In_opt_ void* Context, - _In_ CXPLAT_SEC_CONFIG_CREATE_COMPLETE_HANDLER CompletionHandler - ) -{ - if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_LOAD_ASYNCHRONOUS && - CredConfig->AsyncHandler == NULL) { - return QUIC_STATUS_INVALID_PARAMETER; - } - - if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_ENABLE_OCSP || - CredConfig->Flags & QUIC_CREDENTIAL_FLAG_DEFER_CERTIFICATE_VALIDATION) { - return QUIC_STATUS_NOT_SUPPORTED; // Not supported by this TLS implementation - } - - if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT) { - if (CredConfig->Type != QUIC_CREDENTIAL_TYPE_NONE) { - return QUIC_STATUS_NOT_SUPPORTED; // Not supported for client (yet) - } - } else { - if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_NONE) { - return QUIC_STATUS_INVALID_PARAMETER; // Required for server - } - } - -#pragma prefast(suppress: __WARNING_6014, "Memory is correctly freed (CxPlatTlsSecConfigDelete).") - CXPLAT_SEC_CONFIG* SecurityConfig = CXPLAT_ALLOC_PAGED(sizeof(CXPLAT_SEC_CONFIG), QUIC_POOL_TLS_SECCONF); - if (SecurityConfig == NULL) { - return QUIC_STATUS_OUT_OF_MEMORY; - } - - SecurityConfig->Type = CredConfig->Type; - SecurityConfig->Flags = CredConfig->Flags; - SecurityConfig->TlsFlags = TlsCredFlags; - SecurityConfig->Callbacks = *TlsCallbacks; - SecurityConfig->Certificate = NULL; - SecurityConfig->PrivateKey = NULL; - SecurityConfig->FormatLength = 0; - - QUIC_STATUS Status = QUIC_STATUS_SUCCESS; - - if (!(CredConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT)) { - - Status = CxPlatCertCreate(CredConfig, &SecurityConfig->Certificate); - if (QUIC_FAILED(Status)) { - goto Error; - } - - SecurityConfig->PrivateKey = - CxPlatCertGetPrivateKey(SecurityConfig->Certificate); - if (SecurityConfig->PrivateKey == NULL) { - Status = QUIC_STATUS_INVALID_PARAMETER; - goto Error; - } - - SecurityConfig->FormatLength = - (uint16_t)CxPlatCertFormat( - SecurityConfig->Certificate, - sizeof(SecurityConfig->FormatBuffer), - SecurityConfig->FormatBuffer); - } - - CompletionHandler( - CredConfig, - Context, - Status, - SecurityConfig); - SecurityConfig = NULL; - - if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_LOAD_ASYNCHRONOUS) { - Status = QUIC_STATUS_PENDING; - } else { - Status = QUIC_STATUS_SUCCESS; - } - -Error: - - if (SecurityConfig != NULL) { - CxPlatTlsSecConfigDelete(SecurityConfig); - } - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -void -CxPlatTlsSecConfigDelete( - __drv_freesMem(ServerConfig) _Frees_ptr_ _In_ - CXPLAT_SEC_CONFIG* SecurityConfig - ) -{ - if (SecurityConfig->PrivateKey != NULL) { - CxPlatCertDeletePrivateKey(SecurityConfig->PrivateKey); - } - if (SecurityConfig->Certificate != NULL && - (SecurityConfig->Type != QUIC_CREDENTIAL_TYPE_CERTIFICATE_CONTEXT)) { - CxPlatCertFree(SecurityConfig->Certificate); - } - CXPLAT_FREE(SecurityConfig, QUIC_POOL_TLS_SECCONF); -} - -const uint8_t miTlsTicketKeyLength = 44; - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsSecConfigSetTicketKeys( - _In_ CXPLAT_SEC_CONFIG* SecurityConfig, - _In_reads_(KeyCount) QUIC_TICKET_KEY_CONFIG* KeyConfig, - _In_ uint8_t KeyCount - ) -{ - CXPLAT_DBG_ASSERT(KeyCount >= 1); - UNREFERENCED_PARAMETER(KeyCount); - - if (KeyConfig->MaterialLength < miTlsTicketKeyLength) { - return QUIC_STATUS_INVALID_PARAMETER; - } - - if (SecurityConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT) { - if (!FFI_mitls_set_sealing_key("AES256-GCM", KeyConfig->Material, miTlsTicketKeyLength)) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "FFI_mitls_set_sealing_key failed"); - return QUIC_STATUS_INVALID_STATE; - } - - } else { - if (!FFI_mitls_set_ticket_key("AES256-GCM", KeyConfig->Material, miTlsTicketKeyLength)) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "FFI_mitls_set_ticket_key failed"); - return QUIC_STATUS_INVALID_STATE; - } - } - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsInitialize( - _In_ const CXPLAT_TLS_CONFIG* Config, - _Inout_ CXPLAT_TLS_PROCESS_STATE* State, - _Out_ CXPLAT_TLS** NewTlsContext - ) -{ - QUIC_STATUS Status; - CXPLAT_TLS* TlsContext; - - CXPLAT_DBG_ASSERT(Config != NULL); - CXPLAT_DBG_ASSERT(NewTlsContext != NULL); - CXPLAT_DBG_ASSERT(Config->SecConfig != NULL); - UNREFERENCED_PARAMETER(State); - - TlsSetValue(miTlsCurrentConnectionIndex, Config->Connection); - - TlsContext = CXPLAT_ALLOC_PAGED(sizeof(CXPLAT_TLS) + sizeof(uint16_t) + Config->AlpnBufferLength, QUIC_POOL_TLS_CTX); - if (TlsContext == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "CXPLAT_TLS", - sizeof(CXPLAT_TLS) + sizeof(uint16_t) + Config->AlpnBufferLength); - Status = QUIC_STATUS_OUT_OF_MEMORY; - goto Exit; - } - - CxPlatZeroMemory(TlsContext, sizeof(CXPLAT_TLS)); - - // - // Initialize internal variables. - // - TlsContext->IsServer = Config->IsServer; - TlsContext->SecConfig = Config->SecConfig; - TlsContext->QuicTpExtType = Config->TPType; - TlsContext->CurrentReaderKey = -1; - TlsContext->CurrentWriterKey = -1; - TlsContext->Connection = Config->Connection; - - TlsContext->Extensions[0].ext_type = TLS_EXTENSION_TYPE_APPLICATION_LAYER_PROTOCOL_NEGOTIATION; - TlsContext->Extensions[0].ext_data_len = sizeof(uint16_t) + Config->AlpnBufferLength; - TlsContext->Extensions[0].ext_data = (uint8_t*)(TlsContext + 1); - *(uint16_t*)TlsContext->Extensions[0].ext_data = CxPlatByteSwapUint16(Config->AlpnBufferLength); - CxPlatCopyMemory( - (uint8_t*)TlsContext->Extensions[0].ext_data + sizeof(uint16_t), - Config->AlpnBuffer, - Config->AlpnBufferLength); - - TlsContext->Extensions[1].ext_type = Config->TPType; - TlsContext->Extensions[1].ext_data_len = Config->LocalTPLength; - TlsContext->Extensions[1].ext_data = Config->LocalTPBuffer; - - TlsContext->miTlsConfig.enable_0rtt = - !Config->IsServer || - !(Config->SecConfig->TlsFlags & CXPLAT_TLS_CREDENTIAL_FLAG_DISABLE_RESUMPTION); - TlsContext->miTlsConfig.exts = TlsContext->Extensions; - TlsContext->miTlsConfig.exts_count = ARRAYSIZE(TlsContext->Extensions); - TlsContext->miTlsConfig.cipher_suites = CXPLAT_SUPPORTED_CIPHER_SUITES; - TlsContext->miTlsConfig.nego_callback = CxPlatTlsOnNegotiate; - TlsContext->miTlsConfig.cert_callbacks = &TlsContext->miTlsCertCallbacks; - -#ifdef CXPLAT_TLS_SECRETS_SUPPORT - TlsContext->TlsSecrets = Config->TlsSecrets; -#endif - - if (Config->IsServer) { - - CXPLAT_DBG_ASSERT(Config->ResumptionTicketBuffer == NULL); - - TlsContext->miTlsConfig.is_server = TRUE; - TlsContext->miTlsConfig.callback_state = TlsContext; - - TlsContext->miTlsCertCallbacks.select = CxPlatTlsOnCertSelect; - TlsContext->miTlsCertCallbacks.format = CxPlatTlsOnCertFormat; - TlsContext->miTlsCertCallbacks.sign = CxPlatTlsOnCertSign; - - // - // Specific algorithm depending on the cert we are using. - // - TlsContext->miTlsConfig.signature_algorithms = CXPLAT_SERVER_SIGNATURE_ALGORITHMS; - TlsContext->miTlsConfig.named_groups = CXPLAT_SERVER_NAMED_GROUPS; - - } else { - TlsContext->miTlsConfig.is_server = FALSE; - - if (Config->ServerName != NULL) { - const size_t ServerNameLength = - strnlen(Config->ServerName, QUIC_MAX_SNI_LENGTH + 1); - if (ServerNameLength == QUIC_MAX_SNI_LENGTH + 1) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "SNI Too Long"); - Status = QUIC_STATUS_INVALID_PARAMETER; - goto Error; - } - - TlsContext->SNI = CXPLAT_ALLOC_PAGED(ServerNameLength + 1, QUIC_POOL_TLS_SNI); - if (TlsContext->SNI == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "SNI", - ServerNameLength + 1); - Status = QUIC_STATUS_OUT_OF_MEMORY; - goto Error; - } - memcpy((char*)TlsContext->SNI, Config->ServerName, ServerNameLength + 1); - - if (Config->ResumptionTicketBuffer != NULL) { - - QuicTraceLogConnVerbose( - miTlsUsing0Rtt, - TlsContext->Connection, - "Using 0-RTT ticket."); - - CXPLAT_TLS_TICKET* SerializedTicket = - (CXPLAT_TLS_TICKET*)Config->ResumptionTicketBuffer; - if (SerializedTicket->SessionLength + SerializedTicket->TicketLength - != Config->ResumptionTicketLength - sizeof(CXPLAT_TLS_TICKET)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "0-RTT ticket is corrupt"); - } else { - TlsContext->miTlsTicket.ticket_len = SerializedTicket->TicketLength; - TlsContext->miTlsTicket.ticket = SerializedTicket->Buffer; - - TlsContext->miTlsTicket.session_len = SerializedTicket->SessionLength; - TlsContext->miTlsTicket.session = - SerializedTicket->Buffer + SerializedTicket->TicketLength; - - TlsContext->miTlsConfig.server_ticket = &TlsContext->miTlsTicket; - } - } - } - - TlsContext->miTlsConfig.host_name = TlsContext->SNI; - TlsContext->miTlsConfig.callback_state = TlsContext; - - TlsContext->miTlsConfig.ticket_callback = CxPlatTlsOnTicketReady; - TlsContext->miTlsCertCallbacks.verify = CxPlatTlsOnCertVerify; - - // - // List of supported algorithms for the client. - // - TlsContext->miTlsConfig.signature_algorithms = CXPLAT_CLIENT_SIGNATURE_ALGORITHMS; - TlsContext->miTlsConfig.named_groups = CXPLAT_CLIENT_NAMED_GROUPS; - } - - // - // Initialize the miTLS library. - // - if (!FFI_mitls_quic_create(&TlsContext->miTlsState, &TlsContext->miTlsConfig)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "FFI_mitls_quic_create failed"); - Status = QUIC_STATUS_INVALID_PARAMETER; - goto Error; - } - - *NewTlsContext = TlsContext; - Status = QUIC_STATUS_SUCCESS; - -Error: - - if (QUIC_FAILED(Status)) { - if (TlsContext->SNI) { - CXPLAT_FREE(TlsContext->SNI, QUIC_POOL_TLS_SNI); - } - CXPLAT_FREE(TlsContext, QUIC_POOL_TLS_CTX); - } - -Exit: - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -void -CxPlatTlsUninitialize( - _In_opt_ CXPLAT_TLS* TlsContext - ) -{ - if (TlsContext != NULL) { - - FFI_mitls_quic_free(TlsContext->miTlsState); - - if (TlsContext->miTlsTicket.ticket != NULL) { - CXPLAT_TLS_TICKET* SerializedTicket = - CONTAINING_RECORD( - TlsContext->miTlsTicket.ticket, - CXPLAT_TLS_TICKET, - Buffer); - CXPLAT_FREE(SerializedTicket, QUIC_POOL_CRYPTO_RESUMPTION_TICKET); - } - - if (TlsContext->SNI != NULL) { - CXPLAT_FREE(TlsContext->SNI, QUIC_POOL_TLS_SNI); - } - - if (TlsContext->Extensions[1].ext_data != NULL) { - CXPLAT_FREE(TlsContext->Extensions[1].ext_data, QUIC_POOL_TLS_TRANSPARAMS); - } - - CXPLAT_FREE(TlsContext, QUIC_POOL_TLS_CTX); - } -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -CXPLAT_TLS_RESULT_FLAGS -CxPlatTlsProcessData( - _In_ CXPLAT_TLS* TlsContext, - _In_ CXPLAT_TLS_DATA_TYPE DataType, - _In_reads_bytes_(*BufferLength) - const uint8_t * Buffer, - _Inout_ uint32_t * BufferLength, - _Inout_ CXPLAT_TLS_PROCESS_STATE* State - ) -{ - CXPLAT_TLS_RESULT_FLAGS ResultFlags = 0; - uint32_t ConsumedBytes; - - CXPLAT_DBG_ASSERT(Buffer != NULL || *BufferLength == 0); - - TlsSetValue(miTlsCurrentConnectionIndex, TlsContext->Connection); - - TlsContext->State = State; - - if (DataType == CXPLAT_TLS_CRYPTO_DATA) { - - // - // Validate buffer lengths. - // - if (TlsContext->BufferLength + *BufferLength > CXPLAT_TLS_MAX_MESSAGE_LENGTH) { - ResultFlags = CXPLAT_TLS_RESULT_ERROR; - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "TLS buffer too big"); - goto Error; - } - - if (*BufferLength) { - QuicTraceLogConnVerbose( - miTlsProcess, - TlsContext->Connection, - "Processing %u bytes", - *BufferLength); - - // - // Copy the data pointer into our buffer pointer. - // - TlsContext->Buffer = Buffer; - - // - // Store new buffer length. - // - TlsContext->BufferLength = *BufferLength; - - // - // Indicate that we will return pending, but just immediately invoke - // the completed callback. - // - ResultFlags = CXPLAT_TLS_RESULT_PENDING; - TlsContext->SecConfig->Callbacks.ProcessComplete(TlsContext->Connection); - - } else { - - // - // We process the inital data inline. - // - TlsContext->BufferLength = 0; - ResultFlags = CxPlatTlsProcessDataComplete(TlsContext, &ConsumedBytes); - *BufferLength = ConsumedBytes; - } - - } else { - CXPLAT_DBG_ASSERT(DataType == CXPLAT_TLS_TICKET_DATA); - - CXPLAT_DBG_ASSERT(TlsContext->IsServer); - - QuicTraceLogConnVerbose( - miTlsSend0RttTicket, - TlsContext->Connection, - "Sending 0-RTT ticket"); - - if (!FFI_mitls_quic_send_ticket(TlsContext->miTlsState, Buffer, *BufferLength)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "FFI_mitls_quic_send_ticket failed"); - ResultFlags |= CXPLAT_TLS_RESULT_ERROR; - } else { - TlsContext->SecConfig->Callbacks.ProcessComplete(TlsContext->Connection); - ResultFlags |= CXPLAT_TLS_RESULT_PENDING; - } - } - -Error: - - return ResultFlags; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -CXPLAT_TLS_RESULT_FLAGS -CxPlatTlsProcessDataComplete( - _In_ CXPLAT_TLS* TlsContext, - _Out_ uint32_t * BufferConsumed - ) -{ - CXPLAT_TLS_RESULT_FLAGS ResultFlags = 0; - CXPLAT_TLS_PROCESS_STATE* State = TlsContext->State; - - if (TlsContext->IsServer) { - CXPLAT_DBG_ASSERT(TlsContext->State->HandshakeComplete || TlsContext->Buffer != NULL); - } - - TlsSetValue(miTlsCurrentConnectionIndex, TlsContext->Connection); - - uint32_t BufferOffset = 0; - - while (!(ResultFlags & CXPLAT_TLS_RESULT_ERROR)) { - - quic_process_ctx Context = { - TlsContext->Buffer + BufferOffset, // input - TlsContext->BufferLength - BufferOffset, // input_len - State->Buffer + State->BufferLength, // output - State->BufferAllocLength - State->BufferLength, // output_len - 0 - }; - - QuicTraceLogConnVerbose( - miTlsFfiProces, - TlsContext->Connection, - "FFI_mitls_quic_process processing %u input bytes", - (uint32_t)Context.input_len); - - // - // Pass the data to miTLS for processing. - // - if (!FFI_mitls_quic_process(TlsContext->miTlsState, &Context)) { - QuicTraceLogConnError( - miTlsFfiProcessFailed, - TlsContext->Connection, - "FFI_mitls_quic_process failed, tls_error %hu, %s", - Context.tls_error, - Context.tls_error_desc); - State->AlertCode = Context.tls_error; - ResultFlags |= CXPLAT_TLS_RESULT_ERROR; - break; - } - - QuicTraceLogConnVerbose( - miTlsFfiProcessResult, - TlsContext->Connection, - "FFI_mitls_quic_process read %u bytes and has %u bytes ready to send", - (uint32_t)Context.consumed_bytes, - (uint32_t)Context.output_len); - - CXPLAT_DBG_ASSERT(Context.consumed_bytes <= Context.input_len); - CXPLAT_DBG_ASSERT((int64_t)Context.output_len <= State->BufferAllocLength - State->BufferLength); - CXPLAT_FRE_ASSERT(Context.to_be_written == 0); // TODO - Support dynamic sizes? - - // - // Update the buffer offsets based on the output of miTLS. - // - BufferOffset += (uint32_t)Context.consumed_bytes; - State->BufferLength += (uint16_t)Context.output_len; - State->BufferTotalLength += (uint16_t)Context.output_len; - - if (Context.output_len != 0) { - ResultFlags |= CXPLAT_TLS_RESULT_DATA; - } - - if (Context.flags & QFLAG_COMPLETE && !State->HandshakeComplete) { - QuicTraceLogConnVerbose( - miTlsHandshakeComplete, - TlsContext->Connection, - "Handshake complete"); - State->HandshakeComplete = TRUE; - ResultFlags |= CXPLAT_TLS_RESULT_COMPLETE; - } - - if (Context.flags & QFLAG_REJECTED_0RTT) { - if (TlsContext->IsServer) { - TlsContext->EarlyDataAttempted = TRUE; - } - if (TlsContext->EarlyDataAttempted) { - ResultFlags |= CXPLAT_TLS_RESULT_EARLY_DATA_REJECT; - } - State->EarlyDataState = CXPLAT_TLS_EARLY_DATA_REJECTED; - QuicTraceLogConnVerbose( - miTlsEarlyDataRejected, - TlsContext->Connection, - "Early data rejected"); - } - - BOOLEAN ReadKeyUpdated = Context.cur_reader_key != TlsContext->CurrentReaderKey; - BOOLEAN WriteKeyUpdated = Context.cur_writer_key != TlsContext->CurrentWriterKey; - - // - // If there was no state change or output, break out now. - // - if (Context.output_len == 0 && !ReadKeyUpdated && !WriteKeyUpdated) { - break; - } - - if (!TlsContext->TlsKeyScheduleSet) { - // - // Some magic code that determines if we are using the 0-RTT key enum or not. - // - if (TlsContext->IsServer) { - if (ReadKeyUpdated) { - // - // We know early data is accepted if we get 0-RTT keys. - // - ResultFlags |= CXPLAT_TLS_RESULT_EARLY_DATA_ACCEPT; - QuicTraceLogConnVerbose( - miTlsEarlyDataAccepted, - TlsContext->Connection, - "Early data accepted"); - TlsContext->TlsKeySchedule = 1; // 0-RTT allowed. - State->SessionResumed = TRUE; - TlsContext->EarlyDataAttempted = TRUE; - State->EarlyDataState = CXPLAT_TLS_EARLY_DATA_ACCEPTED; - // - // Get resumption data from the client hello - // - uint32_t PreviousOffset = BufferOffset - (uint32_t)Context.consumed_bytes; - mitls_hello_summary HelloSummary = { 0 }; - uint8_t* Cookie = NULL; - size_t CookieLen = 0; - uint8_t* Ticket = NULL; - size_t TicketLen = 0; - if (!FFI_mitls_get_hello_summary( - TlsContext->Buffer + PreviousOffset, TlsContext->BufferLength - PreviousOffset, - FALSE, - &HelloSummary, - &Cookie, &CookieLen, - &Ticket, &TicketLen)) { - QuicTraceLogConnError( - miTlsFfiGetHelloSummaryFailed, - TlsContext->Connection, - "FFI_mitls_get_hello_summary failed, cookie_len: %zu, ticket_len: %zu", - CookieLen, - TicketLen); - ResultFlags |= CXPLAT_TLS_RESULT_ERROR; - break; - } - CXPLAT_FRE_ASSERT(TicketLen <= UINT32_MAX); - if (!TlsContext->SecConfig->Callbacks.ReceiveTicket( - TlsContext->Connection, - (uint32_t)TicketLen, Ticket)) { - // - // QUIC or the app rejected the resumption ticket. - // Abandon the early data and continue the handshake. - // - ResultFlags &= ~CXPLAT_TLS_RESULT_EARLY_DATA_ACCEPT; - ResultFlags |= CXPLAT_TLS_RESULT_EARLY_DATA_REJECT; - State->EarlyDataState = CXPLAT_TLS_EARLY_DATA_REJECTED; - State->SessionResumed = FALSE; - } - if (Cookie) { - FFI_mitls_global_free(Cookie); - Cookie = NULL; - } - if (Ticket) { - FFI_mitls_global_free(Ticket); - Ticket = NULL; - } - } else { - TlsContext->TlsKeySchedule = 0; - if (!(Context.flags & QFLAG_REJECTED_0RTT)) { - QuicTraceLogConnVerbose( - miTlsEarlyDataNotAttempted, - TlsContext->Connection, - "Early data not attempted"); - } - } - } else { - if (WriteKeyUpdated) { - QuicTraceLogConnVerbose( - miTlsEarlyDataAttempted, - TlsContext->Connection, - "Early data attempted"); - TlsContext->TlsKeySchedule = 1; // 0-RTT allowed. - TlsContext->EarlyDataAttempted = TRUE; - } else { - TlsContext->TlsKeySchedule = 0; - } - } - QuicTraceLogConnVerbose( - miTlsKeySchedule, - TlsContext->Connection, - "Key schedule = %hu", - TlsContext->TlsKeySchedule); - TlsContext->TlsKeyScheduleSet = TRUE; - } - - if (ReadKeyUpdated) { - QUIC_PACKET_KEY_TYPE NewKeyType = - miTlsKeyTypes[TlsContext->TlsKeySchedule][Context.cur_reader_key + 1]; - if (QuicPacketKeyCreate( - TlsContext, - NewKeyType, - Context.cur_reader_key, - QUIC_Reader, - &State->ReadKeys[NewKeyType])) { - switch (NewKeyType) { - case QUIC_PACKET_KEY_0_RTT: - QuicTraceLogConnVerbose( - miTls0RttReadKeyExported, - TlsContext->Connection, - "0-RTT read key exported"); - break; - case QUIC_PACKET_KEY_HANDSHAKE: - QuicTraceLogConnVerbose( - miTlsHandshakeReadKeyExported, - TlsContext->Connection, - "Handshake read key exported"); - break; - case QUIC_PACKET_KEY_1_RTT: - QuicTraceLogConnVerbose( - miTls1RttReadKeyExported, - TlsContext->Connection, - "1-RTT read key exported"); - if (!TlsContext->IsServer) { - if (TlsContext->EarlyDataAttempted && - !(Context.flags & QFLAG_REJECTED_0RTT)) { - // - // We know 0-RTT was accepted by the server once we have - // the 1-RTT keys and we haven't received any 0-RTT - // rejected event/flag from miTLS. - // - ResultFlags |= CXPLAT_TLS_RESULT_EARLY_DATA_ACCEPT; - State->SessionResumed = TRUE; - State->EarlyDataState = CXPLAT_TLS_EARLY_DATA_ACCEPTED; - QuicTraceLogConnVerbose( - miTlsEarlyDataAccepted, - TlsContext->Connection, - "Early data accepted"); - } - } - break; - default: - CXPLAT_FRE_ASSERT(FALSE); - break; - } - } - - ResultFlags |= CXPLAT_TLS_RESULT_READ_KEY_UPDATED; - State->ReadKey = NewKeyType; - TlsContext->CurrentReaderKey = Context.cur_reader_key; - - if (State->ReadKey > State->WriteKey && - State->ReadKey != QUIC_PACKET_KEY_0_RTT) { - // - // Must always have corresponding write key for every read key. - // - ResultFlags |= CXPLAT_TLS_RESULT_WRITE_KEY_UPDATED; - State->WriteKey = QUIC_PACKET_KEY_HANDSHAKE; - } - } - - if (WriteKeyUpdated) { - QUIC_PACKET_KEY_TYPE NewKeyType = - miTlsKeyTypes[TlsContext->TlsKeySchedule][Context.cur_writer_key + 1]; - if (QuicPacketKeyCreate( - TlsContext, - NewKeyType, - Context.cur_writer_key, - QUIC_Writer, - &State->WriteKeys[NewKeyType])) { - switch (NewKeyType) { - case QUIC_PACKET_KEY_0_RTT: - QuicTraceLogConnVerbose( - miTls0RttWriteKeyExported, - TlsContext->Connection, - "0-RTT write key exported"); - break; - case QUIC_PACKET_KEY_HANDSHAKE: - QuicTraceLogConnVerbose( - miTlsHandshakeWriteKeyExported, - TlsContext->Connection, - "Handshake write key exported"); - break; - case QUIC_PACKET_KEY_1_RTT: - QuicTraceLogConnVerbose( - miTls1RttWriteKeyExported, - TlsContext->Connection, - "1-RTT write key exported"); - break; - default: - CXPLAT_FRE_ASSERT(FALSE); - break; - } - } - - switch (NewKeyType) { - case QUIC_PACKET_KEY_0_RTT: - break; - case QUIC_PACKET_KEY_HANDSHAKE: - State->BufferOffsetHandshake = State->BufferTotalLength; - QuicTraceLogConnVerbose( - miTlsHandshakeWriteOffsetSet, - TlsContext->Connection, - "Handshake write offset = %u", - State->BufferOffsetHandshake); - break; - case QUIC_PACKET_KEY_1_RTT: - State->BufferOffset1Rtt = State->BufferTotalLength; - QuicTraceLogConnVerbose( - miTls1RttWriteOffsetSet, - TlsContext->Connection, - "1-RTT write offset = %u", - State->BufferOffset1Rtt); - break; - default: - CXPLAT_FRE_ASSERT(FALSE); - break; - } - - ResultFlags |= CXPLAT_TLS_RESULT_WRITE_KEY_UPDATED; - TlsContext->CurrentWriterKey = Context.cur_writer_key; - - if (NewKeyType > State->WriteKey && - NewKeyType != QUIC_PACKET_KEY_0_RTT) { - ResultFlags |= CXPLAT_TLS_RESULT_WRITE_KEY_UPDATED; - State->WriteKey = NewKeyType; - } - } - } - - // - // Report how much buffer was drained, and reset the Buffer and Length. - // - TlsContext->BufferLength = 0; - TlsContext->Buffer = NULL; - *BufferConsumed = BufferOffset; - - QuicTraceLogConnVerbose( - miTlsFfiProcesComplete, - TlsContext->Connection, - "Consumed %u bytes", - BufferOffset); - - return ResultFlags; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -void* -MITLS_CALLCONV -CxPlatTlsOnCertSelect( - void *Context, - mitls_version TlsVersion, - const uint8_t *ServerNameIndication, - size_t ServerNameIndicationLength, - const uint8_t *AlpnBuffer, - size_t AlpnBufferLength, - const mitls_signature_scheme *SignatureAlgorithms, - size_t SignatureAlgorithmsLength, - mitls_signature_scheme *SelectedSignature - ) -{ - UNREFERENCED_PARAMETER(AlpnBuffer); - UNREFERENCED_PARAMETER(AlpnBufferLength); - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - const CXPLAT_SEC_CONFIG* SecurityConfig = NULL; - - CXPLAT_DBG_ASSERT(TlsContext); - CXPLAT_DBG_ASSERT(TlsContext->IsServer); - - QuicTraceLogConnVerbose( - miTlsOnCertSelect, - TlsContext->Connection, - "OnCertSelect"); - - // - // Only allow TLS 1.3. - // - if (TlsVersion != TLS_1p3) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Unsupported TLS version"); - goto Error; - } - - // - // Validate and save a copy of the SNI. - // - - if (ServerNameIndicationLength >= QUIC_MAX_SNI_LENGTH) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "SNI too long"); - goto Error; - } - - if (ServerNameIndicationLength != 0) { - TlsContext->SNI = CXPLAT_ALLOC_PAGED((uint16_t)(ServerNameIndicationLength + 1), QUIC_POOL_TLS_SNI); - if (TlsContext->SNI == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "SNI", - ServerNameIndicationLength + 1); - goto Error; - } - - memcpy((char*)TlsContext->SNI, ServerNameIndication, ServerNameIndicationLength); - ((char*)TlsContext->SNI)[ServerNameIndicationLength] = 0; - } else { - TlsContext->SNI = NULL; - } - - // - // Use the application layer-selected certificate. - // - SecurityConfig = TlsContext->SecConfig; - CXPLAT_DBG_ASSERT(SecurityConfig != NULL); - - // - // Select a matching signature algorithm for the certificate. - // - CXPLAT_DBG_ASSERT(SignatureAlgorithmsLength != 0); - if (!CxPlatCertSelect( - SecurityConfig->Certificate, - SignatureAlgorithms, - SignatureAlgorithmsLength, - SelectedSignature)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "CxPlatCertSelect failed"); - SecurityConfig = NULL; - goto Error; - } - - QuicTraceLogConnInfo( - miTlsCertSelected, - TlsContext->Connection, - "Server certificate selected. SNI: %s; Algorithm: 0x%4.4x", - TlsContext->SNI, - *SelectedSignature); - -Error: - - return (void*)SecurityConfig; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -_Success_(return != TLS_nego_abort) -mitls_nego_action -MITLS_CALLCONV -CxPlatTlsOnNegotiate( - _In_ void *Context, - _In_ mitls_version Version, - _In_reads_(RawExtensionsLength) - const uint8_t *RawExtensions, - _In_ size_t RawExtensionsLength, - _Deref_post_opt_count_(*CustomExtensionsLength) - mitls_extension **CustomExtensions, - _Out_ size_t *CustomExtensionsLength, - _Deref_pre_opt_count_(*CookieLength) - _Deref_post_opt_count_(*CookieLength) - uint8_t **Cookie, - _Inout_ size_t *CookieLength - ) -{ - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - CXPLAT_DBG_ASSERT(TlsContext); - - mitls_nego_action Action = TLS_nego_abort; - uint8_t *ExtensionData; - size_t ExtensionDataLength; - - UNREFERENCED_PARAMETER(Cookie); - UNREFERENCED_PARAMETER(CookieLength); - - QuicTraceLogConnVerbose( - miTlsOnNegotiate, - TlsContext->Connection, - "OnNegotiate"); - - // - // Only allow TLS 1.3. - // - if (Version != TLS_1p3) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Unsupported TLS version"); - goto Exit; - } - - if (!TlsContext->IsServer) { - // - // Decode and extract the negotiated ALPN. - // - if (!FFI_mitls_find_custom_extension( - TlsContext->IsServer, - RawExtensions, - RawExtensionsLength, - TLS_EXTENSION_TYPE_APPLICATION_LAYER_PROTOCOL_NEGOTIATION, - &ExtensionData, - &ExtensionDataLength)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Missing ALPN extension"); - goto Exit; - } - QuicTraceLogConnVerbose( - miTlsProcessServerAlpn, - TlsContext->Connection, - "Processing server ALPN (Length=%u)", - (uint32_t)ExtensionDataLength); - if (ExtensionDataLength < 4) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "ALPN extension length is too short"); - goto Exit; - } - const uint16_t AlpnListLength = CxPlatByteSwapUint16(*(uint16_t*)ExtensionData); - if (AlpnListLength + sizeof(uint16_t) != ExtensionDataLength) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "ALPN list length is incorrect"); - goto Exit; - } - const uint8_t AlpnLength = ExtensionData[2]; - if (AlpnLength + sizeof(uint8_t) != AlpnListLength) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "ALPN length is incorrect"); - goto Exit; - } - const uint8_t* Alpn = ExtensionData + 3; - TlsContext->State->NegotiatedAlpn = - CxPlatTlsAlpnFindInList( - (uint16_t)TlsContext->Extensions[0].ext_data_len - 2, - TlsContext->Extensions[0].ext_data + 2, - AlpnLength, - Alpn); - if (TlsContext->State->NegotiatedAlpn == NULL) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Failed to find a matching ALPN"); - goto Exit; - } - - // - // Decode and validate peer's QUIC transport parameters. - // - - if (!FFI_mitls_find_custom_extension( - TlsContext->IsServer, - RawExtensions, - RawExtensionsLength, - TlsContext->QuicTpExtType, - &ExtensionData, - &ExtensionDataLength)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Missing QUIC transport parameters"); - goto Exit; - } - - if (!TlsContext->SecConfig->Callbacks.ReceiveTP( - TlsContext->Connection, - (uint16_t)ExtensionDataLength, - ExtensionData)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Failed to process the QUIC transport parameters"); - goto Exit; - } - } - - Action = TLS_nego_accept; - - if (TlsContext->IsServer) { - - // - // Configure output extensions. - // - *CustomExtensions = TlsContext->Extensions; - *CustomExtensionsLength = ARRAYSIZE(TlsContext->Extensions); - } - -Exit: - - return Action; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -size_t -MITLS_CALLCONV -CxPlatTlsOnCertFormat( - void *Context, - const void *SecContext, - uint8_t Buffer[MAX_CHAIN_LEN] - ) -{ - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - CXPLAT_DBG_ASSERT(TlsContext); - CXPLAT_SEC_CONFIG* SecurityConfig = (CXPLAT_SEC_CONFIG*)SecContext; - CXPLAT_DBG_ASSERT(SecurityConfig); - - QuicTraceLogConnVerbose( - miTlsOnCertFormat, - TlsContext->Connection, - "OnCertFormat"); - - CXPLAT_DBG_ASSERT(SecurityConfig->FormatLength <= MAX_CHAIN_LEN); - if (SecurityConfig->FormatLength > MAX_CHAIN_LEN) { - return 0; - } - - memcpy(Buffer, SecurityConfig->FormatBuffer, SecurityConfig->FormatLength); - return SecurityConfig->FormatLength; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -size_t -MITLS_CALLCONV -CxPlatTlsOnCertSign( - void *Context, - const void *SecContext, - const mitls_signature_scheme SignatureAlgorithm, - const uint8_t *CertListToBeSigned, - size_t CertListToBeSignedLength, - uint8_t *Signature - ) -{ - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - CXPLAT_DBG_ASSERT(TlsContext); - CXPLAT_SEC_CONFIG* SecurityConfig = (CXPLAT_SEC_CONFIG*)SecContext; - CXPLAT_DBG_ASSERT(SecurityConfig); - - QuicTraceLogConnVerbose( - miTlsOnCertSign, - TlsContext->Connection, - "OnCertSign"); - - size_t SignatureLength = MAX_SIGNATURE_LEN; - - if (SecurityConfig->PrivateKey == NULL) { - *Signature = 0; - SignatureLength = 1; - } else if (!CxPlatCertSign( - SecurityConfig->PrivateKey, - SignatureAlgorithm, - CertListToBeSigned, - CertListToBeSignedLength, - Signature, - &SignatureLength)) { - SignatureLength = 0; - } - - return SignatureLength; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -int -MITLS_CALLCONV -CxPlatTlsOnCertVerify( - void *Context, - const uint8_t* ChainBuffer, - size_t ChainBufferLength, - const mitls_signature_scheme SignatureAlgorithm, - const uint8_t* CertListToBeSigned, - size_t CertListToBeSignedLength, - const uint8_t *Signature, - size_t SignatureLength - ) -{ - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - CXPLAT_DBG_ASSERT(TlsContext); - - QuicTraceLogConnVerbose( - miTlsOnCertVerify, - TlsContext->Connection, - "OnCertVerify"); - - int Result = 0; - QUIC_CERTIFICATE* Certificate = NULL; - - if (TlsContext->SecConfig->Flags & QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION) { - QuicTraceLogConnWarning( - miTlsCertValidationDisabled, - TlsContext->Connection, - "Certificate validation disabled!"); - goto Indicate; // Skip internal validation - } - - Certificate = - CxPlatCertParseChain( - ChainBufferLength, - ChainBuffer); - if (Certificate == NULL) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "CxPlatCertParseChain failed"); - goto Error; - } - - if (!CxPlatCertValidateChain( - Certificate, - TlsContext->SNI, - 0)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Cert chain validation failed"); - goto Error; - } - - if (!CxPlatCertVerify( - Certificate, - SignatureAlgorithm, - CertListToBeSigned, - CertListToBeSignedLength, - Signature, - SignatureLength)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "CxPlatCertVerify failed"); - goto Error; - } - -Indicate: - - if ((TlsContext->SecConfig->Flags & QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED) && - !TlsContext->SecConfig->Callbacks.CertificateReceived( - TlsContext->Connection, - NULL, - 0, - 0)) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Indicate certificate received failed"); - goto Error; - } - - Result = 1; - -Error: - - if (Certificate != NULL) { - CxPlatCertFree(Certificate); - } - - return Result; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -void -MITLS_CALLCONV -CxPlatTlsOnTicketReady( - void *Context, - const char *ServerNameIndication, - const mitls_ticket *Ticket - ) -{ - CXPLAT_TLS* TlsContext = (CXPLAT_TLS*)Context; - CXPLAT_DBG_ASSERT(TlsContext); - - QuicTraceLogConnVerbose( - miTlsRecvNewSessionTicket, - TlsContext->Connection, - "Received new ticket. ticket_len:%u session_len:%u for %s", - (uint32_t)Ticket->ticket_len, - (uint32_t)Ticket->session_len, - ServerNameIndication); - - CXPLAT_DBG_ASSERT(Ticket->ticket_len + Ticket->session_len <= UINT32_MAX); - CXPLAT_DBG_ASSERT(Ticket->ticket_len + Ticket->session_len >= Ticket->ticket_len); - - uint32_t TotalSize = - sizeof(CXPLAT_TLS_TICKET) + - (uint32_t)(Ticket->ticket_len + Ticket->session_len); - - CXPLAT_TLS_TICKET *SerializedTicket = CXPLAT_ALLOC_NONPAGED(TotalSize, QUIC_POOL_PLATFORM_TMP_ALLOC); - if (SerializedTicket == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "CXPLAT_TLS_TICKET", - TotalSize); - return; - } - - SerializedTicket->TicketLength = (uint32_t)Ticket->ticket_len; - SerializedTicket->SessionLength = (uint32_t)Ticket->session_len; - CxPlatCopyMemory( - SerializedTicket->Buffer, - Ticket->ticket, - SerializedTicket->TicketLength); - CxPlatCopyMemory( - SerializedTicket->Buffer + SerializedTicket->TicketLength, - Ticket->session, - SerializedTicket->SessionLength); - - (void)TlsContext->SecConfig->Callbacks.ReceiveTicket( - TlsContext->Connection, - TotalSize, - (uint8_t*)SerializedTicket); - - CXPLAT_FREE(SerializedTicket, QUIC_POOL_PLATFORM_TMP_ALLOC); -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsParamSet( - _In_ CXPLAT_TLS* TlsContext, - _In_ uint32_t Param, - _In_ uint32_t BufferLength, - _In_reads_bytes_(BufferLength) - const void* Buffer - ) -{ - QUIC_STATUS Status; - - UNREFERENCED_PARAMETER(TlsContext); - UNREFERENCED_PARAMETER(BufferLength); - UNREFERENCED_PARAMETER(Buffer); - - switch (Param) { - default: - Status = QUIC_STATUS_INVALID_PARAMETER; - break; - } - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsParamGet( - _In_ CXPLAT_TLS* TlsContext, - _In_ uint32_t Param, - _Inout_ uint32_t* BufferLength, - _Inout_updates_bytes_opt_(*BufferLength) - void* Buffer - ) -{ - QUIC_STATUS Status; - - UNREFERENCED_PARAMETER(TlsContext); - UNREFERENCED_PARAMETER(BufferLength); - UNREFERENCED_PARAMETER(Buffer); - - switch (Param) { - default: - Status = QUIC_STATUS_INVALID_PARAMETER; - break; - } - - return Status; -} - -// -// Crypto / Key Functionality -// - -typedef struct CXPLAT_KEY { - CXPLAT_AEAD_TYPE Aead; - uint8_t Key[32]; -} CXPLAT_KEY; - -typedef struct CXPLAT_HASH { - CXPLAT_HASH_TYPE Type; - uint32_t SaltLength; - uint8_t Salt[0]; -} CXPLAT_HASH; - -typedef struct CXPLAT_HP_KEY { - CXPLAT_AEAD_TYPE Aead; - union { - uint8_t case_chacha20[32]; - EverCrypt_aes128_key case_aes128; - EverCrypt_aes256_key case_aes256; - }; -} CXPLAT_HP_KEY; - -Spec_Hash_Definitions_hash_alg -HashTypeToEverCrypt( - CXPLAT_HASH_TYPE Type -) { - return - (Spec_Hash_Definitions_hash_alg) - (Spec_Hash_Definitions_SHA2_256 + Type); -} - -#ifdef DEBUG -void -CxPlatTlsLogSecret( - _In_z_ const char* const Prefix, - _In_reads_(Length) - const uint8_t* const Secret, - _In_ uint32_t Length - ) -{ - #define HEX_TO_CHAR(x) ((x) > 9 ? ('a' + ((x) - 10)) : '0' + (x)) - char SecretStr[256 + 1] = {0}; - CXPLAT_DBG_ASSERT(Length * 2 < sizeof(SecretStr)); - for (uint8_t i = 0; i < Length; i++) { - SecretStr[i*2] = HEX_TO_CHAR(Secret[i] >> 4); - SecretStr[i*2 + 1] = HEX_TO_CHAR(Secret[i] & 0xf); - } - QuicTraceLogVerbose( - miTlsLogSecret, - "[ tls] %s[%u]: %s", - Prefix, - Length, - SecretStr); -} -#else -#define CxPlatTlsLogSecret(Prefix, Secret, Length) UNREFERENCED_PARAMETER(Prefix) -#endif - -_IRQL_requires_max_(PASSIVE_LEVEL) -void -CxPlatHkdfFormatLabel( - _In_z_ const char* const Label, - _In_ uint16_t HashLength, - _Out_writes_all_(5 + CXPLAT_HKDF_PREFIX_LEN + strlen(Label)) - uint8_t* const Data, - _Inout_ uint32_t* const DataLength - ) -{ - CXPLAT_DBG_ASSERT(strlen(Label) <= UINT8_MAX - CXPLAT_HKDF_PREFIX_LEN); - uint8_t LabelLength = (uint8_t)strlen(Label); - - Data[0] = HashLength >> 8; - Data[1] = HashLength & 0xff; - Data[2] = CXPLAT_HKDF_PREFIX_LEN + LabelLength; - memcpy(Data + 3, CXPLAT_HKDF_PREFIX, CXPLAT_HKDF_PREFIX_LEN); - memcpy(Data + 3 + CXPLAT_HKDF_PREFIX_LEN, Label, LabelLength); - Data[3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength] = 0; - *DataLength = 3 + CXPLAT_HKDF_PREFIX_LEN + LabelLength + 1; - - Data[*DataLength] = 0x1; - *DataLength += 1; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatHkdfExpandLabel( - _In_ CXPLAT_HASH* Hash, - _In_z_ const char* const Label, - _In_ uint16_t KeyLength, - _In_ uint32_t OutputLength, // Writes CxPlatHashLength(HashType) bytes. - _Out_writes_all_(OutputLength) - uint8_t* const Output - ) -{ - uint8_t LabelBuffer[64]; - uint32_t LabelLength = sizeof(LabelBuffer); - - _Analysis_assume_(strlen(Label) <= 23); - CxPlatHkdfFormatLabel(Label, KeyLength, LabelBuffer, &LabelLength); - - return - CxPlatHashCompute( - Hash, - LabelBuffer, - LabelLength, - OutputLength, - Output); -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatTlsDeriveInitialSecrets( - _In_reads_(CXPLAT_VERSION_SALT_LENGTH) - const uint8_t* const Salt, - _In_reads_(CIDLength) - const uint8_t* const CID, - _In_ uint8_t CIDLength, - _Out_ CXPLAT_SECRET *ClientInitial, - _Out_ CXPLAT_SECRET *ServerInitial - ) -{ - QUIC_STATUS Status; - CXPLAT_HASH* InitialHash = NULL; - CXPLAT_HASH* DerivedHash = NULL; - uint8_t InitialSecret[CXPLAT_HASH_SHA256_SIZE]; - - CxPlatTlsLogSecret("init cid", CID, CIDLength); - - Status = - CxPlatHashCreate( - CXPLAT_HASH_SHA256, - Salt, - CXPLAT_VERSION_SALT_LENGTH, - &InitialHash); - if (QUIC_FAILED(Status)) { - goto Error; - } - - // - // Extract secret for client and server secret expansion. - // - Status = - CxPlatHashCompute( - InitialHash, - CID, - CIDLength, - sizeof(InitialSecret), - InitialSecret); - if (QUIC_FAILED(Status)) { - goto Error; - } - - CxPlatTlsLogSecret("init secret", InitialSecret, sizeof(InitialSecret)); - - // - // Create hash for client and server secret expansion. - // - Status = - CxPlatHashCreate( - CXPLAT_HASH_SHA256, - InitialSecret, - sizeof(InitialSecret), - &DerivedHash); - if (QUIC_FAILED(Status)) { - goto Error; - } - - // - // Expand client secret. - // - ClientInitial->Hash = CXPLAT_HASH_SHA256; - ClientInitial->Aead = CXPLAT_AEAD_AES_128_GCM; - Status = - CxPlatHkdfExpandLabel( - DerivedHash, - "client in", - sizeof(InitialSecret), - CXPLAT_HASH_SHA256_SIZE, - ClientInitial->Secret); - if (QUIC_FAILED(Status)) { - goto Error; - } - - // - // Expand server secret. - // - ServerInitial->Hash = CXPLAT_HASH_SHA256; - ServerInitial->Aead = CXPLAT_AEAD_AES_128_GCM; - Status = - CxPlatHkdfExpandLabel( - DerivedHash, - "server in", - sizeof(InitialSecret), - CXPLAT_HASH_SHA256_SIZE, - ServerInitial->Secret); - if (QUIC_FAILED(Status)) { - goto Error; - } - -Error: - - CxPlatHashFree(InitialHash); - CxPlatHashFree(DerivedHash); - - RtlSecureZeroMemory(InitialSecret, sizeof(InitialSecret)); - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -QuicPacketKeyDerive( - _In_ QUIC_PACKET_KEY_TYPE KeyType, - _In_ const CXPLAT_SECRET* const Secret, - _In_z_ const char* const SecretName, - _In_ BOOLEAN CreateHpKey, - _Out_ QUIC_PACKET_KEY **NewKey - ) -{ - const uint16_t SecretLength = CxPlatHashLength(Secret->Hash); - const uint16_t KeyLength = CxPlatKeyLength(Secret->Aead); - - CXPLAT_DBG_ASSERT(SecretLength >= KeyLength); - CXPLAT_DBG_ASSERT(SecretLength >= CXPLAT_IV_LENGTH); - CXPLAT_DBG_ASSERT(SecretLength <= CXPLAT_HASH_MAX_SIZE); - - CxPlatTlsLogSecret(SecretName, Secret->Secret, SecretLength); - - const uint16_t PacketKeyLength = - sizeof(QUIC_PACKET_KEY) + - (KeyType == QUIC_PACKET_KEY_1_RTT ? sizeof(CXPLAT_SECRET) : 0); - QUIC_PACKET_KEY *Key = CXPLAT_ALLOC_NONPAGED(PacketKeyLength, QUIC_POOL_TLS_PACKETKEY); - if (Key == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "QUIC_PACKET_KEY", - PacketKeyLength); - return QUIC_STATUS_OUT_OF_MEMORY; - } - CxPlatZeroMemory(Key, sizeof(QUIC_PACKET_KEY)); - Key->Type = KeyType; - - CXPLAT_HASH* Hash = NULL; - uint8_t Temp[CXPLAT_HASH_MAX_SIZE]; - - QUIC_STATUS Status = - CxPlatHashCreate( - Secret->Hash, - Secret->Secret, - SecretLength, - &Hash); - if (QUIC_FAILED(Status)) { - goto Error; - } - - Status = - CxPlatHkdfExpandLabel( - Hash, - "quic iv", - CXPLAT_IV_LENGTH, - SecretLength, - Temp); - if (QUIC_FAILED(Status)) { - goto Error; - } - - memcpy(Key->Iv, Temp, CXPLAT_IV_LENGTH); - CxPlatTlsLogSecret("static iv", Key->Iv, CXPLAT_IV_LENGTH); - - Status = - CxPlatHkdfExpandLabel( - Hash, - "quic key", - KeyLength, - SecretLength, - Temp); - if (QUIC_FAILED(Status)) { - goto Error; - } - - CxPlatTlsLogSecret("key", Temp, KeyLength); - - Status = - CxPlatKeyCreate( - Secret->Aead, - Temp, - &Key->PacketKey); - if (QUIC_FAILED(Status)) { - goto Error; - } - - if (CreateHpKey) { - Status = - CxPlatHkdfExpandLabel( - Hash, - "quic hp", - KeyLength, - SecretLength, - Temp); - if (QUIC_FAILED(Status)) { - goto Error; - } - - CxPlatTlsLogSecret("hp", Temp, KeyLength); - - Status = - CxPlatHpKeyCreate( - Secret->Aead, - Temp, - &Key->HeaderKey); - if (QUIC_FAILED(Status)) { - goto Error; - } - } - - if (KeyType == QUIC_PACKET_KEY_1_RTT) { - CxPlatCopyMemory(Key->TrafficSecret, Secret, sizeof(CXPLAT_SECRET)); - } - - *NewKey = Key; - Key = NULL; - -Error: - - QuicPacketKeyFree(Key); - CxPlatHashFree(Hash); - - RtlSecureZeroMemory(Temp, sizeof(Temp)); - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -_When_(NewReadKey != NULL, _At_(*NewReadKey, __drv_allocatesMem(Mem))) -_When_(NewWriteKey != NULL, _At_(*NewWriteKey, __drv_allocatesMem(Mem))) -QUIC_STATUS -QuicPacketKeyCreateInitial( - _In_ BOOLEAN IsServer, - _In_reads_(CXPLAT_VERSION_SALT_LENGTH) - const uint8_t* const Salt, // Version Specific - _In_ uint8_t CIDLength, - _In_reads_(CIDLength) - const uint8_t* const CID, - _Out_opt_ QUIC_PACKET_KEY** NewReadKey, - _Out_opt_ QUIC_PACKET_KEY** NewWriteKey - ) -{ - QUIC_STATUS Status; - CXPLAT_SECRET ClientInitial, ServerInitial; - QUIC_PACKET_KEY* ReadKey = NULL, *WriteKey = NULL; - - Status = - CxPlatTlsDeriveInitialSecrets( - Salt, - CID, - CIDLength, - &ClientInitial, - &ServerInitial); - if (QUIC_FAILED(Status)) { - goto Error; - } - - if (NewWriteKey != NULL) { - Status = - QuicPacketKeyDerive( - QUIC_PACKET_KEY_INITIAL, - IsServer ? &ServerInitial : &ClientInitial, - IsServer ? "srv secret" : "cli secret", - TRUE, - &WriteKey); - if (QUIC_FAILED(Status)) { - goto Error; - } - } - - if (NewReadKey != NULL) { - Status = - QuicPacketKeyDerive( - QUIC_PACKET_KEY_INITIAL, - IsServer ? &ClientInitial : &ServerInitial, - IsServer ? "cli secret" : "srv secret", - TRUE, - &ReadKey); - if (QUIC_FAILED(Status)) { - goto Error; - } - } - - if (NewWriteKey != NULL) { - *NewWriteKey = WriteKey; - WriteKey = NULL; - } - - if (NewReadKey != NULL) { - *NewReadKey = ReadKey; - ReadKey = NULL; - } - -Error: - - QuicPacketKeyFree(ReadKey); - QuicPacketKeyFree(WriteKey); - - RtlSecureZeroMemory(ClientInitial.Secret, sizeof(ClientInitial.Secret)); - RtlSecureZeroMemory(ServerInitial.Secret, sizeof(ServerInitial.Secret)); - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -_Success_(return != FALSE) -BOOLEAN -QuicPacketKeyCreate( - _In_ CXPLAT_TLS* TlsContext, - _In_ QUIC_PACKET_KEY_TYPE KeyType, - _In_ int Epoch, - _In_ quic_direction rw, - _Out_ QUIC_PACKET_KEY** NewKey - ) -{ - int Result; - quic_raw_key RecordKey; - QUIC_PACKET_KEY *Key = NULL; - - Result = - FFI_mitls_quic_get_record_key( - TlsContext->miTlsState, - &RecordKey, - Epoch, - rw); - if (Result == FALSE) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "FFI_mitls_quic_get_record_key failed"); - goto Error; - } - - const uint16_t PacketKeyLength = - sizeof(QUIC_PACKET_KEY) + - (KeyType == QUIC_PACKET_KEY_1_RTT ? sizeof(CXPLAT_SECRET) : 0); - Key = CXPLAT_ALLOC_NONPAGED(PacketKeyLength, QUIC_POOL_TLS_PACKETKEY); - if (Key == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "QUIC_PACKET_KEY", - PacketKeyLength); - Result = FALSE; - goto Error; - } - CxPlatZeroMemory(Key, sizeof(QUIC_PACKET_KEY)); - Key->Type = KeyType; - - if (QUIC_FAILED( - CxPlatKeyCreate( - (CXPLAT_AEAD_TYPE)RecordKey.alg, - RecordKey.aead_key, - &Key->PacketKey))) { - Result = FALSE; - goto Error; - } - CxPlatTlsLogSecret((rw == QUIC_Reader) ? "read key" : "write key", RecordKey.aead_key, CxPlatKeyLength((CXPLAT_AEAD_TYPE)RecordKey.alg)); - - if (QUIC_FAILED( - CxPlatHpKeyCreate( - (CXPLAT_AEAD_TYPE)RecordKey.alg, - RecordKey.pne_key, - &Key->HeaderKey))) { - Result = FALSE; - goto Error; - } - CxPlatTlsLogSecret((rw == QUIC_Reader) ? "read hp" : "write hp", RecordKey.pne_key, CxPlatKeyLength((CXPLAT_AEAD_TYPE)RecordKey.alg)); - - memcpy(Key->Iv, RecordKey.aead_iv, CXPLAT_IV_LENGTH); - CxPlatTlsLogSecret("static iv", Key->Iv, CXPLAT_IV_LENGTH); - if (KeyType == QUIC_PACKET_KEY_1_RTT) { - quic_secret ClientReadSecret, ServerReadSecret; - Result = - FFI_mitls_quic_get_record_secrets( - TlsContext->miTlsState, - &ClientReadSecret, - &ServerReadSecret); - if (Result == FALSE) { - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "FFI_mitls_quic_get_record_secrets failed"); - goto Error; - } - quic_secret* CopySecret; - if (TlsContext->IsServer) { - CopySecret = (rw == QUIC_Reader) ? &ClientReadSecret : &ServerReadSecret; - } else { - CopySecret = (rw == QUIC_Reader) ? &ServerReadSecret : &ClientReadSecret; - } - - switch (CopySecret->hash) { - case TLS_hash_SHA256: - Key->TrafficSecret->Hash = CXPLAT_HASH_SHA256; - break; - case TLS_hash_SHA384: - Key->TrafficSecret->Hash = CXPLAT_HASH_SHA384; - break; - case TLS_hash_SHA512: - Key->TrafficSecret->Hash = CXPLAT_HASH_SHA512; - break; - default: - QuicTraceEvent( - TlsError, - "[ tls][%p] ERROR, %s.", - TlsContext->Connection, - "Unsupported hash type"); - Result = FALSE; - goto Error; - } - Key->TrafficSecret->Aead = (CXPLAT_AEAD_TYPE)CopySecret->ae; - CxPlatCopyMemory(Key->TrafficSecret->Secret, CopySecret->secret, CXPLAT_HASH_MAX_SIZE); - } - -#ifdef CXPLAT_TLS_SECRETS_SUPPORT - if (TlsContext->TlsSecrets != NULL) { - switch (KeyType) { - case QUIC_PACKET_KEY_1_RTT: { - quic_secret ClientReadSecret, ServerReadSecret; - if (FFI_mitls_quic_get_record_secrets( - TlsContext->miTlsState, - &ClientReadSecret, - &ServerReadSecret)) { - TlsContext->TlsSecrets->SecretLength = (uint8_t)CxPlatHashLength(ServerReadSecret.hash - 3); - memcpy( - TlsContext->TlsSecrets->ServerTrafficSecret0, - ServerReadSecret.secret, - TlsContext->TlsSecrets->SecretLength); - TlsContext->TlsSecrets->IsSet.ServerTrafficSecret0 = TRUE; - memcpy( - TlsContext->TlsSecrets->ClientTrafficSecret0, - ClientReadSecret.secret, - TlsContext->TlsSecrets->SecretLength); - TlsContext->TlsSecrets->IsSet.ClientTrafficSecret0 = TRUE; - } - // - // We're done with the TlsSecrets. - // - TlsContext->TlsSecrets = NULL; - break; - } - default: - // - // miTls doesn't provide an interface to get the intermediate - // traffic secrets, so only 1-RTT keys can be decrypted. - // - break; - } - } -#endif - - *NewKey = Key; - Key = NULL; - -Error: - - QuicPacketKeyFree(Key); - - return Result != FALSE; -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -void -QuicPacketKeyFree( - _In_opt_ __drv_freesMem(Mem) QUIC_PACKET_KEY* Key - ) -{ - if (Key != NULL) { - CxPlatKeyFree(Key->PacketKey); - CxPlatHpKeyFree(Key->HeaderKey); - if (Key->Type >= QUIC_PACKET_KEY_1_RTT) { - RtlSecureZeroMemory(Key->TrafficSecret, sizeof(CXPLAT_SECRET)); - } - CXPLAT_FREE(Key, QUIC_POOL_TLS_PACKETKEY); - } -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -_At_(*NewKey, __drv_allocatesMem(Mem)) -QUIC_STATUS -QuicPacketKeyUpdate( - _In_ QUIC_PACKET_KEY* OldKey, - _Out_ QUIC_PACKET_KEY** NewKey - ) -{ - if (OldKey->Type != QUIC_PACKET_KEY_1_RTT) { - return QUIC_STATUS_INVALID_STATE; - } - - CXPLAT_HASH* Hash = NULL; - CXPLAT_SECRET NewTrafficSecret; - const uint16_t SecretLength = CxPlatHashLength(OldKey->TrafficSecret->Hash); - - QUIC_STATUS Status = - CxPlatHashCreate( - OldKey->TrafficSecret->Hash, - OldKey->TrafficSecret->Secret, - SecretLength, - &Hash); - if (QUIC_FAILED(Status)) { - goto Error; - } - - Status = - CxPlatHkdfExpandLabel( - Hash, - "quic ku", - SecretLength, - SecretLength, - NewTrafficSecret.Secret); - if (QUIC_FAILED(Status)) { - goto Error; - } - - NewTrafficSecret.Hash = OldKey->TrafficSecret->Hash; - NewTrafficSecret.Aead = OldKey->TrafficSecret->Aead; - - Status = - QuicPacketKeyDerive( - QUIC_PACKET_KEY_1_RTT, - &NewTrafficSecret, - "update traffic secret", - FALSE, - NewKey); - - RtlSecureZeroMemory(&NewTrafficSecret, sizeof(CXPLAT_SECRET)); - RtlSecureZeroMemory(OldKey->TrafficSecret, sizeof(CXPLAT_SECRET)); - -Error: - - CxPlatHashFree(Hash); - - return Status; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatKeyCreate( - _In_ CXPLAT_AEAD_TYPE AeadType, - _When_(AeadType == CXPLAT_AEAD_AES_128_GCM, _In_reads_(16)) - _When_(AeadType == CXPLAT_AEAD_AES_256_GCM, _In_reads_(32)) - _When_(AeadType == CXPLAT_AEAD_AES_384_GCM, _In_reads_(48)) - _When_(AeadType == CXPLAT_AEAD_CHACHA20_POLY1305, _In_reads_(32)) - const uint8_t* const RawKey, - _Out_ CXPLAT_KEY** NewKey - ) -{ - uint8_t KeyLength; - switch (AeadType) { - case CXPLAT_AEAD_AES_128_GCM: - KeyLength = 16; - break; - case CXPLAT_AEAD_AES_256_GCM: - case CXPLAT_AEAD_CHACHA20_POLY1305: - KeyLength = 32; - break; - default: - return QUIC_STATUS_NOT_SUPPORTED; - } - - CXPLAT_KEY* Key = CXPLAT_ALLOC_NONPAGED(sizeof(CXPLAT_KEY), QUIC_POOL_TLS_KEY); - if (Key == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "CXPLAT_KEY", - sizeof(CXPLAT_KEY)); - return QUIC_STATUS_OUT_OF_MEMORY; - } - - Key->Aead = AeadType; - memcpy(Key->Key, RawKey, KeyLength); - - *NewKey = Key; - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -void -CxPlatKeyFree( - _In_opt_ CXPLAT_KEY* Key - ) -{ - if (Key) { - CXPLAT_FREE(Key, QUIC_POOL_TLS_KEY); - } -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -QUIC_STATUS -#pragma prefast(suppress: __WARNING_6262, "miTLS won't be shipped in product.") -CxPlatEncrypt( - _In_ CXPLAT_KEY* Key, - _In_reads_bytes_(CXPLAT_IV_LENGTH) - const uint8_t* const Iv, - _In_ uint16_t AuthDataLength, - _In_reads_bytes_opt_(AuthDataLength) - const uint8_t* const AuthData, - _In_ uint16_t BufferLength, - _When_(BufferLength > CXPLAT_ENCRYPTION_OVERHEAD, _Inout_updates_bytes_(BufferLength)) - _When_(BufferLength <= CXPLAT_ENCRYPTION_OVERHEAD, _Out_writes_bytes_(BufferLength)) - uint8_t* Buffer - ) -{ - CXPLAT_DBG_ASSERT(CXPLAT_ENCRYPTION_OVERHEAD <= BufferLength); - uint16_t PlainTextLength = BufferLength - CXPLAT_ENCRYPTION_OVERHEAD; - - uint8_t Temp[CXPLAT_MAX_MTU]; - CXPLAT_FRE_ASSERT(BufferLength <= sizeof(Temp)); - - if (Key->Aead == CXPLAT_AEAD_AES_128_GCM) { - EverCrypt_aes128_gcm_encrypt(Key->Key, (uint8_t*)Iv, (uint8_t*)AuthData, AuthDataLength, Buffer, PlainTextLength, Temp, Temp+PlainTextLength); - } else if (Key->Aead == CXPLAT_AEAD_AES_256_GCM) { - EverCrypt_aes256_gcm_encrypt(Key->Key, (uint8_t*)Iv, (uint8_t*)AuthData, AuthDataLength, Buffer, PlainTextLength, Temp, Temp+PlainTextLength); - } else if (Key->Aead == CXPLAT_AEAD_CHACHA20_POLY1305) { - EverCrypt_Chacha20Poly1305_aead_encrypt(Key->Key, (uint8_t*)Iv, AuthDataLength, (uint8_t*)AuthData, PlainTextLength, Buffer, Temp, Temp+PlainTextLength); - } else { - CXPLAT_FRE_ASSERT(FALSE); - return QUIC_STATUS_NOT_SUPPORTED; - } - - memcpy(Buffer, Temp, BufferLength); - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -QUIC_STATUS -#pragma prefast(suppress: __WARNING_6262, "miTLS won't be shipped in product.") -CxPlatDecrypt( - _In_ CXPLAT_KEY* Key, - _In_reads_bytes_(CXPLAT_IV_LENGTH) - const uint8_t* const Iv, - _In_ uint16_t AuthDataLength, - _In_reads_bytes_opt_(AuthDataLength) - const uint8_t* const AuthData, - _In_ uint16_t BufferLength, - _Inout_updates_bytes_(BufferLength) - uint8_t* Buffer - ) -{ - CXPLAT_DBG_ASSERT(CXPLAT_ENCRYPTION_OVERHEAD <= BufferLength); - uint16_t PlainTextLength = BufferLength - CXPLAT_ENCRYPTION_OVERHEAD; - - uint8_t Temp[CXPLAT_MAX_MTU]; - CXPLAT_FRE_ASSERT(BufferLength <= sizeof(Temp)); - - int r = 0; - if (Key->Aead == CXPLAT_AEAD_AES_128_GCM) { - r = EverCrypt_aes128_gcm_decrypt(Key->Key, (uint8_t*)Iv, (uint8_t*)AuthData, AuthDataLength, Temp, PlainTextLength, Buffer, Buffer+PlainTextLength); - } else if (Key->Aead == CXPLAT_AEAD_AES_256_GCM) { - r = EverCrypt_aes256_gcm_decrypt(Key->Key, (uint8_t*)Iv, (uint8_t*)AuthData, AuthDataLength, Temp, PlainTextLength, Buffer, Buffer+PlainTextLength); - } else if (Key->Aead == CXPLAT_AEAD_CHACHA20_POLY1305) { - r = EverCrypt_Chacha20Poly1305_aead_decrypt(Key->Key, (uint8_t*)Iv, AuthDataLength, (uint8_t*)AuthData, PlainTextLength, Temp, Buffer, Buffer+PlainTextLength); - } else { - CXPLAT_FRE_ASSERT(FALSE); - return QUIC_STATUS_NOT_SUPPORTED; - } - - if (r <= 0) { - return QUIC_STATUS_INVALID_PARAMETER; - } - - memcpy(Buffer, Temp, PlainTextLength); - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatHpKeyCreate( - _In_ CXPLAT_AEAD_TYPE AeadType, - _When_(AeadType == CXPLAT_AEAD_AES_128_GCM, _In_reads_(16)) - _When_(AeadType == CXPLAT_AEAD_AES_256_GCM, _In_reads_(32)) - _When_(AeadType == CXPLAT_AEAD_CHACHA20_POLY1305, _In_reads_(32)) - const uint8_t* const RawKey, - _Out_ CXPLAT_HP_KEY** NewKey - ) -{ - uint8_t KeyLength; - switch (AeadType) { - case CXPLAT_AEAD_AES_128_GCM: - KeyLength = 16; - break; - case CXPLAT_AEAD_AES_256_GCM: - case CXPLAT_AEAD_CHACHA20_POLY1305: - KeyLength = 32; - break; - default: - return QUIC_STATUS_NOT_SUPPORTED; - } - - CXPLAT_HP_KEY* Key = CXPLAT_ALLOC_NONPAGED(sizeof(CXPLAT_HP_KEY), QUIC_POOL_TLS_HP_KEY); - if (Key == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "CXPLAT_HP_KEY", - sizeof(CXPLAT_HP_KEY)); - return QUIC_STATUS_OUT_OF_MEMORY; - } - - Key->Aead = AeadType; - if (AeadType == CXPLAT_AEAD_AES_128_GCM) { - Key->case_aes128 = EverCrypt_aes128_create((uint8_t*)RawKey); - } else if (AeadType == CXPLAT_AEAD_AES_256_GCM) { - Key->case_aes256 = EverCrypt_aes256_create((uint8_t*)RawKey); - } else if (AeadType == CXPLAT_AEAD_CHACHA20_POLY1305) { - memcpy(Key->case_chacha20, RawKey, 32); - } - - *NewKey = Key; - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -void -CxPlatHpKeyFree( - _In_opt_ CXPLAT_HP_KEY* Key - ) -{ - if (Key) { - if (Key->Aead == CXPLAT_AEAD_AES_128_GCM) { - EverCrypt_aes128_free(Key->case_aes128); - } else if (Key->Aead == CXPLAT_AEAD_AES_256_GCM) { - EverCrypt_aes256_free(Key->case_aes256); - } - CXPLAT_FREE(Key, QUIC_POOL_TLS_HP_KEY); - } -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -QUIC_STATUS -CxPlatHpComputeMask( - _In_ CXPLAT_HP_KEY* Key, - _In_ uint8_t BatchSize, - _In_reads_bytes_(CXPLAT_HP_SAMPLE_LENGTH * BatchSize) - const uint8_t* const _Cipher, - _Out_writes_bytes_(CXPLAT_HP_SAMPLE_LENGTH * BatchSize) - uint8_t* Mask - ) -{ - uint8_t* Cipher = (uint8_t*)_Cipher; - for (uint8_t i = 0; i < BatchSize; ++i) { - if (Key->Aead == CXPLAT_AEAD_AES_128_GCM) { - EverCrypt_aes128_compute(Key->case_aes128, Cipher, Mask); - } else if (Key->Aead == CXPLAT_AEAD_AES_256_GCM) { - EverCrypt_aes256_compute(Key->case_aes256, Cipher, Mask); - } else if (Key->Aead == CXPLAT_AEAD_CHACHA20_POLY1305) { - static const uint8_t zero[] = {0, 0, 0, 0, 0}; - uint32_t ctr = Cipher[0] + (Cipher[1] << 8) + (Cipher[2] << 16) + (Cipher[3] << 24); - EverCrypt_Cipher_chacha20(sizeof(zero), Mask, (uint8_t*)zero, (uint8_t*)Key->case_chacha20, Cipher+4, ctr); - } else { - return QUIC_STATUS_NOT_SUPPORTED; - } - Cipher += 16; - Mask += 16; - } - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(PASSIVE_LEVEL) -QUIC_STATUS -CxPlatHashCreate( - _In_ CXPLAT_HASH_TYPE HashType, - _In_reads_(SaltLength) - const uint8_t* const Salt, - _In_ uint32_t SaltLength, - _Out_ CXPLAT_HASH** NewHash - ) -{ - switch (HashType) { - case CXPLAT_HASH_SHA256: - case CXPLAT_HASH_SHA384: - case CXPLAT_HASH_SHA512: - break; - default: - return QUIC_STATUS_NOT_SUPPORTED; - } - - CXPLAT_HASH* Hash = CXPLAT_ALLOC_NONPAGED(sizeof(CXPLAT_HASH) + SaltLength, QUIC_POOL_TLS_HASH); - if (Hash == NULL) { - QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "CXPLAT_HASH", - sizeof(CXPLAT_HASH) + SaltLength); - return QUIC_STATUS_OUT_OF_MEMORY; - } - - Hash->Type = HashType; - Hash->SaltLength = SaltLength; - memcpy(Hash->Salt, Salt, SaltLength); - - *NewHash = Hash; - - return QUIC_STATUS_SUCCESS; -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -void -CxPlatHashFree( - _In_opt_ CXPLAT_HASH* Hash - ) -{ - if (Hash) { - CXPLAT_FREE(Hash, QUIC_POOL_TLS_HASH); - } -} - -_IRQL_requires_max_(DISPATCH_LEVEL) -QUIC_STATUS -CxPlatHashCompute( - _In_ CXPLAT_HASH* Hash, - _In_reads_(InputLength) - const uint8_t* const Input, - _In_ uint32_t InputLength, - _In_ uint32_t OutputLength, - _Out_writes_all_(OutputLength) - uint8_t* const Output - ) -{ - UNREFERENCED_PARAMETER(OutputLength); - EverCrypt_HMAC_compute( - HashTypeToEverCrypt(Hash->Type), - Output, - Hash->Salt, - Hash->SaltLength, - (uint8_t*)Input, - InputLength); - return QUIC_STATUS_SUCCESS; -} diff --git a/src/test/lib/EventTest.cpp b/src/test/lib/EventTest.cpp index d9b83b8ebc..311c337597 100644 --- a/src/test/lib/EventTest.cpp +++ b/src/test/lib/EventTest.cpp @@ -324,9 +324,8 @@ QuicTestValidateConnectionEvents1( ); ConnValidator Server( new(std::nothrow) ConnEventValidator* [6] { - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), // This comes AFTER shutdown in miTLS + new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_INITIATED_BY_TRANSPORT), - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), // This comes AFTER shutdown in miTLS new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_COMPLETE), nullptr }, @@ -449,9 +448,8 @@ QuicTestValidateConnectionEvents3( ConnValidator Server( new(std::nothrow) ConnEventValidator* [8] { new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_RESUMED), - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true, true), // This comes AFTER shutdown in miTLS + new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true, true), new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_INITIATED_BY_TRANSPORT), - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true, true), // This comes AFTER shutdown in miTLS new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_COMPLETE), nullptr }, @@ -680,9 +678,8 @@ QuicTestValidateStreamEvents2( }); Server.SetExpectedEvents( new(std::nothrow) ConnEventValidator* [6] { - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), // This comes AFTER shutdown in miTLS + new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_INITIATED_BY_TRANSPORT), - new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_CONNECTED, 0, true), // This comes AFTER shutdown in miTLS new(std::nothrow) ConnEventValidator(QUIC_CONNECTION_EVENT_SHUTDOWN_COMPLETE), nullptr }); diff --git a/submodules/everest b/submodules/everest deleted file mode 160000 index cbd0e66391..0000000000 --- a/submodules/everest +++ /dev/null @@ -1 +0,0 @@ -Subproject commit cbd0e66391df3da7ed76635a8c15be1cad36e0b0