akamai
diff --git a/‎CHANGES‎
Lines changed: 3 additions & 0 deletions b/‎CHANGES‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Configure‎
Lines changed: 3 additions & 0 deletions b/‎Configure‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎INSTALL‎
Lines changed: 3 additions & 0 deletions b/‎INSTALL‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎crypto/err/openssl.txt‎
Lines changed: 18 additions & 0 deletions b/‎crypto/err/openssl.txt‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎doc/man3/SSL_CIPHER_get_name.pod‎
Lines changed: 13 additions & 0 deletions b/‎doc/man3/SSL_CIPHER_get_name.pod‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎doc/man3/SSL_CTX_set_quic_method.pod‎
Lines changed: 232 additions & 0 deletions b/‎doc/man3/SSL_CTX_set_quic_method.pod‎
Lines changed: 232 additions & 0 deletions
@@ -9,6 +9,9 @@
 
  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 
+  *) Implement BoringSSL's QUIC API
+     [Todd Short]
+
   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
      number generator (RNG). This was intended to include protection in the
      event of a fork() system call in order to ensure that the parent and child
 
@@ -378,6 +378,7 @@ my @disablables = (
     "poly1305",
     "posix-io",
     "psk",
+    "quic",
     "rc2",
     "rc4",
     "rc5",
@@ -494,6 +495,8 @@ my @disable_cascades = (
     sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
 
     sub { !$disabled{"msan"} } => [ "asm" ],
+
+    "tls1_3"            => [ "quic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
 
@@ -453,6 +453,9 @@
   no-psk
                    Don't build support for Pre-Shared Key based ciphersuites.
 
+  no-quic
+                   Don't build with support for QUIC.
+
   no-rdrand
                    Don't use hardware RDRAND capabilities.
 
 
@@ -1186,6 +1186,9 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names
 SSL_F_PITEM_NEW:624:pitem_new
 SSL_F_PQUEUE_NEW:625:pqueue_new
 SSL_F_PROCESS_KEY_SHARE_EXT:439:*
+SSL_F_QUIC_CHANGE_CIPHER_STATE:639:quic_change_cipher_state
+SSL_F_QUIC_GET_MESSAGE:640:quic_get_message
+SSL_F_QUIC_SET_ENCRYPTION_SECRETS:641:quic_set_encryption_secrets
 SSL_F_READ_STATE_MACHINE:352:read_state_machine
 SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite
 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET:595:srp_generate_client_master_secret
@@ -1196,7 +1199,9 @@ SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm
 SSL_F_SSL3_CTRL:213:ssl3_ctrl
 SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl
 SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records
+SSL_F_SSL3_DISPATCH_ALERT:642:ssl3_dispatch_alert
 SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec
+SSL_F_SSL3_DO_WRITE:643:ssl3_do_write
 SSL_F_SSL3_ENC:608:ssl3_enc
 SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac
 SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac
@@ -1304,6 +1309,8 @@ SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT:311:*
 SSL_F_SSL_PEEK:270:SSL_peek
 SSL_F_SSL_PEEK_EX:432:SSL_peek_ex
 SSL_F_SSL_PEEK_INTERNAL:522:ssl_peek_internal
+SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE:644:SSL_process_quic_post_handshake
+SSL_F_SSL_PROVIDE_QUIC_DATA:645:SSL_provide_quic_data
 SSL_F_SSL_READ:223:SSL_read
 SSL_F_SSL_READ_EARLY_DATA:529:SSL_read_early_data
 SSL_F_SSL_READ_EX:434:SSL_read_ex
@@ -1353,6 +1360,7 @@ SSL_F_SSL_WRITE_EARLY_DATA:526:SSL_write_early_data
 SSL_F_SSL_WRITE_EARLY_FINISH:527:*
 SSL_F_SSL_WRITE_EX:433:SSL_write_ex
 SSL_F_SSL_WRITE_INTERNAL:524:ssl_write_internal
+SSL_F_STATEM_FLUSH:646:statem_flush
 SSL_F_STATE_MACHINE:353:state_machine
 SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg
 SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs
@@ -1416,6 +1424,8 @@ SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH:619:\
 	tls_construct_ctos_post_handshake_auth
 SSL_F_TLS_CONSTRUCT_CTOS_PSK:501:tls_construct_ctos_psk
 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES:509:tls_construct_ctos_psk_kex_modes
+SSL_F_TLS_CONSTRUCT_CTOS_QUIC_TRANSPORT_PARAMS:647:\
+	tls_construct_ctos_quic_transport_params
 SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE:473:tls_construct_ctos_renegotiate
 SSL_F_TLS_CONSTRUCT_CTOS_SCT:474:tls_construct_ctos_sct
 SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME:475:tls_construct_ctos_server_name
@@ -1457,6 +1467,8 @@ SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE:456:tls_construct_stoc_key_share
 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN:548:tls_construct_stoc_maxfragmentlen
 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG:457:tls_construct_stoc_next_proto_neg
 SSL_F_TLS_CONSTRUCT_STOC_PSK:504:tls_construct_stoc_psk
+SSL_F_TLS_CONSTRUCT_STOC_QUIC_TRANSPORT_PARAMS:648:\
+	tls_construct_stoc_quic_transport_params
 SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE:458:tls_construct_stoc_renegotiate
 SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME:459:tls_construct_stoc_server_name
 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket
@@ -1485,6 +1497,8 @@ SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen
 SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH:620:tls_parse_ctos_post_handshake_auth
 SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk
 SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes
+SSL_F_TLS_PARSE_CTOS_QUIC_TRANSPORT_PARAMS:649:\
+	tls_parse_ctos_quic_transport_params
 SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate
 SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name
 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket
@@ -1503,6 +1517,8 @@ SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share
 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen
 SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn
 SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk
+SSL_F_TLS_PARSE_STOC_QUIC_TRANSPORT_PARAMS:650:\
+	tls_parse_stoc_quic_transport_params
 SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate
 SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
 SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
@@ -2702,6 +2718,7 @@ SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn
 SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni
 SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms
 SSL_R_INSUFFICIENT_SECURITY:241:insufficient security
+SSL_R_INTERNAL_ERROR:294:internal error
 SSL_R_INVALID_ALERT:205:invalid alert
 SSL_R_INVALID_CCS_MESSAGE:260:invalid ccs message
 SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg
@@ -2877,6 +2894,7 @@ SSL_R_VERSION_TOO_LOW:396:version too low
 SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
 SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
 SSL_R_WRONG_CURVE:378:wrong curve
+SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED:295:wrong encryption level received
 SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
 SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
 SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type
 
@@ -13,6 +13,7 @@ SSL_CIPHER_get_digest_nid,
 SSL_CIPHER_get_handshake_digest,
 SSL_CIPHER_get_kx_nid,
 SSL_CIPHER_get_auth_nid,
+SSL_CIPHER_get_prf_nid,
 SSL_CIPHER_is_aead,
 SSL_CIPHER_find,
 SSL_CIPHER_get_id,
@@ -34,6 +35,7 @@ SSL_CIPHER_get_protocol_id
  const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
  int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
  const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
  uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
@@ -91,6 +93,15 @@ TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive)
  NID_auth_ecdsa
  NID_auth_psk
 
+SSL_CIPHER_get_prf_nid() retuns the pseudo-random function NID for B<c>. If B<c> is
+a pre-TLS-1.2 cipher, it returns B<NID_md5_sha1> but note these ciphers use
+SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
+applicable versions. Examples (not comprehensive):
+
+ NID_md5_sha1
+ NID_sha256
+ NID_sha384
+
 SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
 ChaCha20/Poly1305), and 0 if it is not AEAD.
 
@@ -201,6 +212,8 @@ required to enable this function.
 
 The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
 
+The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
@@ -0,0 +1,232 @@
+=pod
+
+=head1 NAME
+
+SSL_QUIC_METHOD,
+OSSL_ENCRYPTION_LEVEL,
+SSL_CTX_set_quic_method,
+SSL_set_quic_method,
+SSL_set_quic_transport_params,
+SSL_get_peer_quic_transport_params,
+SSL_quic_max_handshake_flight_len,
+SSL_quic_read_level,
+SSL_quic_write_level,
+SSL_provide_quic_data,
+SSL_process_quic_post_handshake,
+SSL_is_quic
+- QUIC support
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+ typedef enum ssl_encryption_level_t OSSL_ENCRYPTION_LEVEL;
+
+ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
+ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
+ int SSL_set_quic_transport_params(SSL *ssl,
+                                   const uint8_t *params,
+                                   size_t params_len);
+ void SSL_get_peer_quic_transport_params(const SSL *ssl,
+                                         const uint8_t **out_params,
+                                         size_t *out_params_len);
+ size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
+ OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl);
+ OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl);
+ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                           const uint8_t *data, size_t len);
+ int SSL_process_quic_post_handshake(SSL *ssl);
+ int SSL_is_quic(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_quic_method() and SSL_set_quic_method() configures the QUIC methods.
+This should only be configured with a minimum version of TLS 1.3. B<quic_method>
+must remain valid for the lifetime of B<ctx> or B<ssl>. Calling this disables
+the SSL_OP_ENABLE_MIDDLEBOX_COMPAT option, which is not required for QUIC.
+
+SSL_set_quic_transport_params() configures B<ssl> to send B<params> (of length
+B<params_len>) in the quic_transport_parameters extension in either the
+ClientHello or EncryptedExtensions handshake message. This extension will
+only be sent if the TLS version is at least 1.3, and for a server, only if
+the client sent the extension. The buffer pointed to by B<params> only need be
+valid for the duration of the call to this function.
+
+SSL_get_peer_quic_transport_params() provides the caller with the value of the
+quic_transport_parameters extension sent by the peer. A pointer to the buffer
+containing the TransportParameters will be put in B<*out_params>, and its
+length in B<*out_params_len>. This buffer will be valid for the lifetime of the
+B<ssl>. If no params were received from the peer, B<*out_params_len> will be 0.
+
+SSL_quic_max_handshake_flight_len() returns the maximum number of bytes
+that may be received at the given encryption level. This function should be
+used to limit buffering in the QUIC implementation.
+
+See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
+
+SSL_quic_read_level() returns the current read encryption level.
+
+SSL_quic_write_level() returns the current write encryption level.
+
+SSL_provide_quic_data() provides data from QUIC at a particular encryption
+level B<level>. It is an error to call this function outside of the handshake
+or with an encryption level other than the current read level. It returns one
+on success and zero on error.
+
+SSL_process_quic_post_handshake() processes any data that QUIC has provided
+after the handshake has completed. This includes NewSessionTicket messages
+sent by the server.
+
+SSL_is_quic() indicates whether a connection uses QUIC.
+
+=head1 NOTES
+
+These APIs are implementations of BoringSSL's QUIC APIs.
+
+QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
+functions allow a QUIC implementation to serve as the underlying transport as
+described in draft-ietf-quic-tls.
+
+When configured for QUIC, SSL_do_handshake() will drive the handshake as
+before, but it will not use the configured B<BIO>. It will call functions on
+B<SSL_QUIC_METHOD> to configure secrets and send data. If data is needed from
+the peer, it will return B<SSL_ERROR_WANT_READ>. When received, the caller
+should call SSL_provide_quic_data() and then SSL_do_handshake() to continue
+the handshake. After the handshake is complete, the caller should call
+SSL_provide_quic_data() for any post-handshake data, followed by
+SSL_process_quic_post_handshake() to process it. It is an error to call
+SSL_read()/SSL_read_ex() and SSL_write()/SSL_write_ex() in QUIC.
+
+Note that secrets for an encryption level may be available to QUIC before the
+level is active in TLS. Callers should use SSL_quic_read_level() to determine
+the active read level for SSL_provide_quic_data(). SSL_do_handshake() will
+pass the active write level to add_handshake_data() when writing data. Callers
+can use SSL_quic_write_level() to query the active write level when
+generating their own errors.
+
+See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
+details.
+
+To avoid DoS attacks, the QUIC implementation must limit the amount of data
+being queued up. The implementation can call
+SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
+encryption level.
+
+draft-ietf-quic-tls defines a new TLS extension quic_transport_parameters
+used by QUIC for each endpoint to unilaterally declare its supported
+transport parameters. draft-ietf-quic-transport (section 7.4) defines the
+contents of that extension (a TransportParameters struct) and describes how
+to handle it and its semantic meaning.
+
+OpenSSL handles this extension as an opaque byte string. The caller is
+responsible for serializing and parsing it.
+
+=head2 OSSL_ENCRYPTION_LEVEL
+
+B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>) represents the
+encryption levels:
+
+=over 4
+
+=item ssl_encryption_initial
+
+The initial encryption level that is used for client and server hellos.
+
+=item ssl_encryption_early_data
+
+The encryption level for early data. This is a write-level for the client
+and a read-level for the server.
+
+=item ssl_encryption_handshake
+
+The encryption level for the remainder of the handshake.
+
+=item ssl_encryption_application
+
+The encryption level for the application data.
+
+=back
+
+=head2 SSL_QUIC_METHOD
+
+The B<SSL_QUIC_METHOD> (B<struct ssl_quic_method_st>) describes the
+QUIC methods.
+
+ struct ssl_quic_method_st {
+     int (*set_encryption_secrets)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                                   const uint8_t *read_secret,
+                                   const uint8_t *write_secret, size_t secret_len);
+     int (*add_handshake_data)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                               const uint8_t *data, size_t len);
+     int (*flush_flight)(SSL *ssl);
+     int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);
+ };
+ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+
+set_encryption_secrets() configures the read and write secrets for the given
+encryption level. This function will always be called before an encryption
+level other than B<ssl_encryption_initial> is used. Note, however, that
+secrets for a level may be configured before TLS is ready to send or accept
+data at that level.
+
+When reading packets at a given level, the QUIC implementation must send
+ACKs at the same level, so this function provides read and write secrets
+together. The exception is B<ssl_encryption_early_data>, where secrets are
+only available in the client to server direction. The other secret will be
+NULL. The server acknowledges such data at B<ssl_encryption_application>,
+which will be configured in the same SSL_do_handshake() call.
+
+This function should use SSL_get_current_cipher() to determine the TLS
+cipher suite.
+
+add_handshake_data() adds handshake data to the current flight at the given
+encryption level. It returns one on success and zero on error.
+
+OpenSSL will pack data from a single encryption level together, but a
+single handshake flight may include multiple encryption levels. Callers
+should defer writing data to the network until flush_flight() to better
+pack QUIC packets into transport datagrams.
+
+flush_flight() is called when the current flight is complete and should be
+written to the transport. Note a flight may contain data at several
+encryption levels.
+
+send_alert() sends a fatal alert at the specified encryption level.
+
+All QUIC methods return 1 on success and 0 on error.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_quic_method(),
+SSL_set_quic_method(),
+SSL_set_quic_transport_params(), and
+SSL_process_quic_post_handshake()
+return 1 on success, and 0 on error.
+
+SSL_quic_read_level() and SSL_quic_write_level() return the current
+encryption  level as B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>).
+
+SSL_quic_max_handshake_flight_len() returns the maximum length of a flight
+for a given encryption level.
+
+SSL_is_quic() returns 1 if QUIC is being used, 0 if not.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CIPHER_get_prf_nid(3)>, L<SSL_do_handshake(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 3.0.0.
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut