Add support for BoringSSL QUIC APIs

This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68
on the master-quic-support2 branch (2019-10-07)
Which was a rebase/squash of master-quic-support:

* 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support)
* 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short
* 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short
* a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short
* 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short
* f550eca Add client early traffic secret storage - Todd Short/Todd Short
* 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short
* f97e6a9 Don't process an incomplete message - Todd Short/Todd Short
* 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short
* 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short
* 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short
* bd290ab Fix duplicate word in docs - Todd Short/Todd Short
* 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short
* a472a8d Handle partial handshake messages - Todd Short/Todd Short
* 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short
* b03fee6 Use proper secrets for handshake - Todd Short/Todd Short
* 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short
* 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short
* abb6f39 New method to get QUIC secret length - Todd Short/Todd Short
* 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short

This adds a compatible API for BoringSSL's QUIC support, based
on the current |draft-ietf-quic-tls|.

Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe
Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a
Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8
Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81
Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b
Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d
Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03
Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942
Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37

New method to get QUIC secret length

Make temp secret names less confusing

Move QUIC transport params to encrypted extensions

Use proper secrets for handshake

fixup! Use proper secrets for handshake

Handle partial handshake messages

fixup! Handle partial handshake messages

Fix duplicate word in docs

Fix INSTALL nit.

Fix quic_transport constructors/parsers

Reset init state in SSL_process_quic_post_handshake()

Don't process an incomplete message

Quick fix: s2c to c2s for early secret

Add client early traffic secret storage

Add OPENSSL_NO_QUIC wrapper

Correctly disable middlebox compat

Move QUIC code out of tls13_change_cipher_state()

Create quic_change_cipher_state() that does the minimal required
to generate the QUIC secrets. (e.g. encryption contexts are not
initialized).

Tweeks to quic_change_cipher_state()

Add support for more secrets

CHANGES

@@ -9,6 +9,9 @@
 
  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 
+  *) Implement BoringSSL's QUIC API
+     [Todd Short]
+
   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
      number generator (RNG). This was intended to include protection in the
      event of a fork() system call in order to ensure that the parent and child

Configure

@@ -378,6 +378,7 @@ my @disablables = (
     "poly1305",
     "posix-io",
     "psk",
+    "quic",
     "rc2",
     "rc4",
     "rc5",
@@ -494,6 +495,8 @@ my @disable_cascades = (
     sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
 
     sub { !$disabled{"msan"} } => [ "asm" ],
+
+    "tls1_3"            => [ "quic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version

INSTALL

@@ -453,6 +453,9 @@
   no-psk
                    Don't build support for Pre-Shared Key based ciphersuites.
 
+  no-quic
+                   Don't build with support for QUIC.
+
   no-rdrand
                    Don't use hardware RDRAND capabilities.
 

crypto/err/openssl.txt

@@ -1186,6 +1186,9 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names
 SSL_F_PITEM_NEW:624:pitem_new
 SSL_F_PQUEUE_NEW:625:pqueue_new
 SSL_F_PROCESS_KEY_SHARE_EXT:439:*
+SSL_F_QUIC_CHANGE_CIPHER_STATE:639:quic_change_cipher_state
+SSL_F_QUIC_GET_MESSAGE:640:quic_get_message
+SSL_F_QUIC_SET_ENCRYPTION_SECRETS:641:quic_set_encryption_secrets
 SSL_F_READ_STATE_MACHINE:352:read_state_machine
 SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite
 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET:595:srp_generate_client_master_secret
@@ -1196,7 +1199,9 @@ SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm
 SSL_F_SSL3_CTRL:213:ssl3_ctrl
 SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl
 SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records
+SSL_F_SSL3_DISPATCH_ALERT:642:ssl3_dispatch_alert
 SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec
+SSL_F_SSL3_DO_WRITE:643:ssl3_do_write
 SSL_F_SSL3_ENC:608:ssl3_enc
 SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac
 SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac
@@ -1304,6 +1309,8 @@ SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT:311:*
 SSL_F_SSL_PEEK:270:SSL_peek
 SSL_F_SSL_PEEK_EX:432:SSL_peek_ex
 SSL_F_SSL_PEEK_INTERNAL:522:ssl_peek_internal
+SSL_F_SSL_PROCESS_QUIC_POST_HANDSHAKE:644:SSL_process_quic_post_handshake
+SSL_F_SSL_PROVIDE_QUIC_DATA:645:SSL_provide_quic_data
 SSL_F_SSL_READ:223:SSL_read
 SSL_F_SSL_READ_EARLY_DATA:529:SSL_read_early_data
 SSL_F_SSL_READ_EX:434:SSL_read_ex
@@ -1353,6 +1360,7 @@ SSL_F_SSL_WRITE_EARLY_DATA:526:SSL_write_early_data
 SSL_F_SSL_WRITE_EARLY_FINISH:527:*
 SSL_F_SSL_WRITE_EX:433:SSL_write_ex
 SSL_F_SSL_WRITE_INTERNAL:524:ssl_write_internal
+SSL_F_STATEM_FLUSH:646:statem_flush
 SSL_F_STATE_MACHINE:353:state_machine
 SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg
 SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs
@@ -1416,6 +1424,8 @@ SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH:619:\
 	tls_construct_ctos_post_handshake_auth
 SSL_F_TLS_CONSTRUCT_CTOS_PSK:501:tls_construct_ctos_psk
 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES:509:tls_construct_ctos_psk_kex_modes
+SSL_F_TLS_CONSTRUCT_CTOS_QUIC_TRANSPORT_PARAMS:647:\
+	tls_construct_ctos_quic_transport_params
 SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE:473:tls_construct_ctos_renegotiate
 SSL_F_TLS_CONSTRUCT_CTOS_SCT:474:tls_construct_ctos_sct
 SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME:475:tls_construct_ctos_server_name
@@ -1457,6 +1467,8 @@ SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE:456:tls_construct_stoc_key_share
 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN:548:tls_construct_stoc_maxfragmentlen
 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG:457:tls_construct_stoc_next_proto_neg
 SSL_F_TLS_CONSTRUCT_STOC_PSK:504:tls_construct_stoc_psk
+SSL_F_TLS_CONSTRUCT_STOC_QUIC_TRANSPORT_PARAMS:648:\
+	tls_construct_stoc_quic_transport_params
 SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE:458:tls_construct_stoc_renegotiate
 SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME:459:tls_construct_stoc_server_name
 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket
@@ -1485,6 +1497,8 @@ SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen
 SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH:620:tls_parse_ctos_post_handshake_auth
 SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk
 SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes
+SSL_F_TLS_PARSE_CTOS_QUIC_TRANSPORT_PARAMS:649:\
+	tls_parse_ctos_quic_transport_params
 SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate
 SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name
 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket
@@ -1503,6 +1517,8 @@ SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share
 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen
 SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn
 SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk
+SSL_F_TLS_PARSE_STOC_QUIC_TRANSPORT_PARAMS:650:\
+	tls_parse_stoc_quic_transport_params
 SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate
 SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
 SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
@@ -2702,6 +2718,7 @@ SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn
 SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni
 SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms
 SSL_R_INSUFFICIENT_SECURITY:241:insufficient security
+SSL_R_INTERNAL_ERROR:294:internal error
 SSL_R_INVALID_ALERT:205:invalid alert
 SSL_R_INVALID_CCS_MESSAGE:260:invalid ccs message
 SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg
@@ -2877,6 +2894,7 @@ SSL_R_VERSION_TOO_LOW:396:version too low
 SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
 SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
 SSL_R_WRONG_CURVE:378:wrong curve
+SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED:295:wrong encryption level received
 SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
 SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
 SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type

doc/man3/SSL_CIPHER_get_name.pod

@@ -13,6 +13,7 @@ SSL_CIPHER_get_digest_nid,
 SSL_CIPHER_get_handshake_digest,
 SSL_CIPHER_get_kx_nid,
 SSL_CIPHER_get_auth_nid,
+SSL_CIPHER_get_prf_nid,
 SSL_CIPHER_is_aead,
 SSL_CIPHER_find,
 SSL_CIPHER_get_id,
@@ -34,6 +35,7 @@ SSL_CIPHER_get_protocol_id
  const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
  int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *c);
  int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
  const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
  uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
@@ -91,6 +93,15 @@ TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive)
  NID_auth_ecdsa
  NID_auth_psk
 
+SSL_CIPHER_get_prf_nid() retuns the pseudo-random function NID for B<c>. If B<c> is
+a pre-TLS-1.2 cipher, it returns B<NID_md5_sha1> but note these ciphers use
+SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
+applicable versions. Examples (not comprehensive):
+
+ NID_md5_sha1
+ NID_sha256
+ NID_sha384
+
 SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
 ChaCha20/Poly1305), and 0 if it is not AEAD.
 
@@ -201,6 +212,8 @@ required to enable this function.
 
 The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
 
+The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/SSL_CTX_set_quic_method.pod

@@ -0,0 +1,232 @@
+=pod
+
+=head1 NAME
+
+SSL_QUIC_METHOD,
+OSSL_ENCRYPTION_LEVEL,
+SSL_CTX_set_quic_method,
+SSL_set_quic_method,
+SSL_set_quic_transport_params,
+SSL_get_peer_quic_transport_params,
+SSL_quic_max_handshake_flight_len,
+SSL_quic_read_level,
+SSL_quic_write_level,
+SSL_provide_quic_data,
+SSL_process_quic_post_handshake,
+SSL_is_quic
+- QUIC support
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+ typedef enum ssl_encryption_level_t OSSL_ENCRYPTION_LEVEL;
+
+ int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
+ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
+ int SSL_set_quic_transport_params(SSL *ssl,
+                                   const uint8_t *params,
+                                   size_t params_len);
+ void SSL_get_peer_quic_transport_params(const SSL *ssl,
+                                         const uint8_t **out_params,
+                                         size_t *out_params_len);
+ size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, OSSL_ENCRYPTION_LEVEL level);
+ OSSL_ENCRYPTION_LEVEL SSL_quic_read_level(const SSL *ssl);
+ OSSL_ENCRYPTION_LEVEL SSL_quic_write_level(const SSL *ssl);
+ int SSL_provide_quic_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                           const uint8_t *data, size_t len);
+ int SSL_process_quic_post_handshake(SSL *ssl);
+ int SSL_is_quic(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_quic_method() and SSL_set_quic_method() configures the QUIC methods.
+This should only be configured with a minimum version of TLS 1.3. B<quic_method>
+must remain valid for the lifetime of B<ctx> or B<ssl>. Calling this disables
+the SSL_OP_ENABLE_MIDDLEBOX_COMPAT option, which is not required for QUIC.
+
+SSL_set_quic_transport_params() configures B<ssl> to send B<params> (of length
+B<params_len>) in the quic_transport_parameters extension in either the
+ClientHello or EncryptedExtensions handshake message. This extension will
+only be sent if the TLS version is at least 1.3, and for a server, only if
+the client sent the extension. The buffer pointed to by B<params> only need be
+valid for the duration of the call to this function.
+
+SSL_get_peer_quic_transport_params() provides the caller with the value of the
+quic_transport_parameters extension sent by the peer. A pointer to the buffer
+containing the TransportParameters will be put in B<*out_params>, and its
+length in B<*out_params_len>. This buffer will be valid for the lifetime of the
+B<ssl>. If no params were received from the peer, B<*out_params_len> will be 0.
+
+SSL_quic_max_handshake_flight_len() returns the maximum number of bytes
+that may be received at the given encryption level. This function should be
+used to limit buffering in the QUIC implementation.
+
+See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
+
+SSL_quic_read_level() returns the current read encryption level.
+
+SSL_quic_write_level() returns the current write encryption level.
+
+SSL_provide_quic_data() provides data from QUIC at a particular encryption
+level B<level>. It is an error to call this function outside of the handshake
+or with an encryption level other than the current read level. It returns one
+on success and zero on error.
+
+SSL_process_quic_post_handshake() processes any data that QUIC has provided
+after the handshake has completed. This includes NewSessionTicket messages
+sent by the server.
+
+SSL_is_quic() indicates whether a connection uses QUIC.
+
+=head1 NOTES
+
+These APIs are implementations of BoringSSL's QUIC APIs.
+
+QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
+functions allow a QUIC implementation to serve as the underlying transport as
+described in draft-ietf-quic-tls.
+
+When configured for QUIC, SSL_do_handshake() will drive the handshake as
+before, but it will not use the configured B<BIO>. It will call functions on
+B<SSL_QUIC_METHOD> to configure secrets and send data. If data is needed from
+the peer, it will return B<SSL_ERROR_WANT_READ>. When received, the caller
+should call SSL_provide_quic_data() and then SSL_do_handshake() to continue
+the handshake. After the handshake is complete, the caller should call
+SSL_provide_quic_data() for any post-handshake data, followed by
+SSL_process_quic_post_handshake() to process it. It is an error to call
+SSL_read()/SSL_read_ex() and SSL_write()/SSL_write_ex() in QUIC.
+
+Note that secrets for an encryption level may be available to QUIC before the
+level is active in TLS. Callers should use SSL_quic_read_level() to determine
+the active read level for SSL_provide_quic_data(). SSL_do_handshake() will
+pass the active write level to add_handshake_data() when writing data. Callers
+can use SSL_quic_write_level() to query the active write level when
+generating their own errors.
+
+See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
+details.
+
+To avoid DoS attacks, the QUIC implementation must limit the amount of data
+being queued up. The implementation can call
+SSL_quic_max_handshake_flight_len() to get the maximum buffer length at each
+encryption level.
+
+draft-ietf-quic-tls defines a new TLS extension quic_transport_parameters
+used by QUIC for each endpoint to unilaterally declare its supported
+transport parameters. draft-ietf-quic-transport (section 7.4) defines the
+contents of that extension (a TransportParameters struct) and describes how
+to handle it and its semantic meaning.
+
+OpenSSL handles this extension as an opaque byte string. The caller is
+responsible for serializing and parsing it.
+
+=head2 OSSL_ENCRYPTION_LEVEL
+
+B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>) represents the
+encryption levels:
+
+=over 4
+
+=item ssl_encryption_initial
+
+The initial encryption level that is used for client and server hellos.
+
+=item ssl_encryption_early_data
+
+The encryption level for early data. This is a write-level for the client
+and a read-level for the server.
+
+=item ssl_encryption_handshake
+
+The encryption level for the remainder of the handshake.
+
+=item ssl_encryption_application
+
+The encryption level for the application data.
+
+=back
+
+=head2 SSL_QUIC_METHOD
+
+The B<SSL_QUIC_METHOD> (B<struct ssl_quic_method_st>) describes the
+QUIC methods.
+
+ struct ssl_quic_method_st {
+     int (*set_encryption_secrets)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                                   const uint8_t *read_secret,
+                                   const uint8_t *write_secret, size_t secret_len);
+     int (*add_handshake_data)(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
+                               const uint8_t *data, size_t len);
+     int (*flush_flight)(SSL *ssl);
+     int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);
+ };
+ typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+
+set_encryption_secrets() configures the read and write secrets for the given
+encryption level. This function will always be called before an encryption
+level other than B<ssl_encryption_initial> is used. Note, however, that
+secrets for a level may be configured before TLS is ready to send or accept
+data at that level.
+
+When reading packets at a given level, the QUIC implementation must send
+ACKs at the same level, so this function provides read and write secrets
+together. The exception is B<ssl_encryption_early_data>, where secrets are
+only available in the client to server direction. The other secret will be
+NULL. The server acknowledges such data at B<ssl_encryption_application>,
+which will be configured in the same SSL_do_handshake() call.
+
+This function should use SSL_get_current_cipher() to determine the TLS
+cipher suite.
+
+add_handshake_data() adds handshake data to the current flight at the given
+encryption level. It returns one on success and zero on error.
+
+OpenSSL will pack data from a single encryption level together, but a
+single handshake flight may include multiple encryption levels. Callers
+should defer writing data to the network until flush_flight() to better
+pack QUIC packets into transport datagrams.
+
+flush_flight() is called when the current flight is complete and should be
+written to the transport. Note a flight may contain data at several
+encryption levels.
+
+send_alert() sends a fatal alert at the specified encryption level.
+
+All QUIC methods return 1 on success and 0 on error.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_quic_method(),
+SSL_set_quic_method(),
+SSL_set_quic_transport_params(), and
+SSL_process_quic_post_handshake()
+return 1 on success, and 0 on error.
+
+SSL_quic_read_level() and SSL_quic_write_level() return the current
+encryption  level as B<OSSL_ENCRYPTION_LEVEL> (B<enum ssl_encryption_level_t>).
+
+SSL_quic_max_handshake_flight_len() returns the maximum length of a flight
+for a given encryption level.
+
+SSL_is_quic() returns 1 if QUIC is being used, 0 if not.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CIPHER_get_prf_nid(3)>, L<SSL_do_handshake(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 3.0.0.
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut