]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/quic/quic_channel.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
QUIC CHANNEL: Finish cleanup of LCIDM integration
[thirdparty/openssl.git] / ssl / quic / quic_channel.c
CommitLineData
f538b421 1/*
da1c088f 2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
f538b421
HL		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
9c3ea4e1
TM		 10#include <openssl/rand.h>
11#include <openssl/err.h>
f538b421
HL		 12#include "internal/quic_channel.h"
13#include "internal/quic_error.h"
14#include "internal/quic_rx_depack.h"
cce6fccd 15#include "internal/quic_lcidm.h"
5f86ae32 16#include "internal/quic_srtm.h"
f538b421
HL		 17#include "../ssl_local.h"
18#include "quic_channel_local.h"
34fa182e 19#include "quic_port_local.h"
f538b421 20
b1b06da2
HL		 21/*
22 * NOTE: While this channel implementation currently has basic server support,
23 * this functionality has been implemented for internal testing purposes and is
24 * not suitable for network use. In particular, it does not implement address
25 * validation, anti-amplification or retry logic.
26 *
44cb36d0
TM		 27 * TODO(QUIC SERVER): Implement address validation and anti-amplification
28 * TODO(QUIC SERVER): Implement retry logic
b1b06da2
HL		 29 */
30
29f63384
HL		 31#define INIT_CRYPTO_RECV_BUF_LEN 16384
32#define INIT_CRYPTO_SEND_BUF_LEN 16384
33#define INIT_APP_BUF_LEN 8192
f538b421 34
9cf091a3
HL		 35/*
36 * Interval before we force a PING to ensure NATs don't timeout. This is based
0815b725 37 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
9cf091a3
HL		 38 * 10.1.2.
39 */
40#define MAX_NAT_INTERVAL (ossl_ms2time(25000))
41
f13868de
HL		 42/*
43 * Our maximum ACK delay on the TX side. This is up to us to choose. Note that
44 * this could differ from QUIC_DEFAULT_MAX_DELAY in future as that is a protocol
45 * value which determines the value of the maximum ACK delay if the
46 * max_ack_delay transport parameter is not set.
47 */
48#define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY
49
ce503f5c
HL		 50DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL);
51
982dae89 52static void ch_save_err_state(QUIC_CHANNEL *ch);
82b7a0ee 53static int ch_rx(QUIC_CHANNEL *ch, int channel_only);
f538b421 54static int ch_tx(QUIC_CHANNEL *ch);
82b7a0ee
HL		 55static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only);
56static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only);
f538b421
HL		 57static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
58static int ch_retry(QUIC_CHANNEL *ch,
59 const unsigned char *retry_token,
60 size_t retry_token_len,
61 const QUIC_CONN_ID *retry_scid);
62static void ch_cleanup(QUIC_CHANNEL *ch);
63static int ch_generate_transport_params(QUIC_CHANNEL *ch);
64static int ch_on_transport_params(const unsigned char *params,
65 size_t params_len,
66 void *arg);
67static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
68static int ch_on_handshake_complete(void *arg);
69static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
70 uint32_t suite_id, EVP_MD *md,
71 const unsigned char *secret,
72 size_t secret_len,
73 void *arg);
7257188b
MC		 74static int ch_on_crypto_recv_record(const unsigned char **buf,
75 size_t *bytes_read, void *arg);
76static int ch_on_crypto_release_record(size_t bytes_read, void *arg);
f538b421
HL		 77static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
78static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
79 size_t *consumed, void *arg);
80static OSSL_TIME get_time(void *arg);
81static uint64_t get_stream_limit(int uni, void *arg);
dfe5e7fa 82static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg);
8a65e7a5 83static void rxku_detected(QUIC_PN pn, void *arg);
f538b421
HL		 84static int ch_retry(QUIC_CHANNEL *ch,
85 const unsigned char *retry_token,
86 size_t retry_token_len,
87 const QUIC_CONN_ID *retry_scid);
88static void ch_update_idle(QUIC_CHANNEL *ch);
89static int ch_discard_el(QUIC_CHANNEL *ch,
90 uint32_t enc_level);
91static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
92static void ch_update_idle(QUIC_CHANNEL *ch);
3b1ab5a3 93static void ch_update_ping_deadline(QUIC_CHANNEL *ch);
f538b421
HL		 94static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
95static void ch_start_terminating(QUIC_CHANNEL *ch,
df15e990
HL		 96 const QUIC_TERMINATE_CAUSE *tcause,
97 int force_immediate);
8a65e7a5
HL		 98static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
99 void *arg);
777a8a7f
HL		 100static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt);
101static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch);
f538b421 102
cdd91631
P		 103DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM);
104
f538b421
HL		 105static int gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, QUIC_CONN_ID *cid)
106{
107 if (len > QUIC_MAX_CONN_ID_LEN)
108 return 0;
109
110 cid->id_len = (unsigned char)len;
111
112 if (RAND_bytes_ex(libctx, cid->id, len, len * 8) != 1) {
96014840 113 ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB);
f538b421
HL		 114 cid->id_len = 0;
115 return 0;
116 }
117
118 return 1;
119}
120
121/*
122 * QUIC Channel Initialization and Teardown
123 * ========================================
124 */
89b0948e
HL		 125#define DEFAULT_INIT_CONN_RXFC_WND (768 * 1024)
126#define DEFAULT_CONN_RXFC_MAX_WND_MUL 20
0815b725 127
89b0948e
HL		 128#define DEFAULT_INIT_STREAM_RXFC_WND (512 * 1024)
129#define DEFAULT_STREAM_RXFC_MAX_WND_MUL 12
0815b725 130
a6b6ea17
HL		 131#define DEFAULT_INIT_CONN_MAX_STREAMS 100
132
f538b421
HL		 133static int ch_init(QUIC_CHANNEL *ch)
134{
135 OSSL_QUIC_TX_PACKETISER_ARGS txp_args = {0};
136 OSSL_QTX_ARGS qtx_args = {0};
137 OSSL_QRX_ARGS qrx_args = {0};
2723d705 138 QUIC_TLS_ARGS tls_args = {0};
f538b421 139 uint32_t pn_space;
4ed6b48d
HL		 140 size_t rx_short_dcid_len = ossl_quic_port_get_rx_short_dcid_len(ch->port);
141 size_t tx_init_dcid_len = ossl_quic_port_get_tx_init_dcid_len(ch->port);
f538b421 142
5f86ae32 143 if (ch->port == NULL || ch->lcidm == NULL || ch->srtm == NULL)
cdd91631
P		 144 goto err;
145
b1b06da2
HL		 146 /* For clients, generate our initial DCID. */
147 if (!ch->is_server
4ed6b48d 148 && !gen_rand_conn_id(ch->port->libctx, tx_init_dcid_len, &ch->init_dcid))
f538b421
HL		 149 goto err;
150
151 /* We plug in a network write BIO to the QTX later when we get one. */
34fa182e 152 qtx_args.libctx = ch->port->libctx;
f538b421
HL		 153 qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
154 ch->rx_max_udp_payload_size = qtx_args.mdpl;
155
27195689
MC		 156 ch->ping_deadline = ossl_time_infinite();
157
f538b421
HL		 158 ch->qtx = ossl_qtx_new(&qtx_args);
159 if (ch->qtx == NULL)
160 goto err;
161
162 ch->txpim = ossl_quic_txpim_new();
163 if (ch->txpim == NULL)
164 goto err;
165
166 ch->cfq = ossl_quic_cfq_new();
167 if (ch->cfq == NULL)
168 goto err;
169
170 if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
171 goto err;
172
0815b725
HL		 173 /*
174 * Note: The TP we transmit governs what the peer can transmit and thus
175 * applies to the RXFC.
176 */
177 ch->tx_init_max_stream_data_bidi_local = DEFAULT_INIT_STREAM_RXFC_WND;
178 ch->tx_init_max_stream_data_bidi_remote = DEFAULT_INIT_STREAM_RXFC_WND;
179 ch->tx_init_max_stream_data_uni = DEFAULT_INIT_STREAM_RXFC_WND;
180
f538b421 181 if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
0815b725 182 DEFAULT_INIT_CONN_RXFC_WND,
e8fe7a21
HL		 183 DEFAULT_CONN_RXFC_MAX_WND_MUL *
184 DEFAULT_INIT_CONN_RXFC_WND,
b212d554 185 get_time, ch))
f538b421
HL		 186 goto err;
187
098914d0
HL		 188 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space)
189 if (!ossl_quic_rxfc_init_standalone(&ch->crypto_rxfc[pn_space],
29f63384 190 INIT_CRYPTO_RECV_BUF_LEN,
098914d0
HL		 191 get_time, ch))
192 goto err;
193
1051b4a0
HL		 194 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_bidi_rxfc,
195 DEFAULT_INIT_CONN_MAX_STREAMS,
196 get_time, ch))
a6b6ea17
HL		 197 goto err;
198
1051b4a0
HL		 199 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_uni_rxfc,
200 DEFAULT_INIT_CONN_MAX_STREAMS,
201 get_time, ch))
a6b6ea17
HL		 202 goto err;
203
f538b421
HL		 204 if (!ossl_statm_init(&ch->statm))
205 goto err;
206
207 ch->have_statm = 1;
f6f45c55 208 ch->cc_method = &ossl_cc_newreno_method;
66ec5348 209 if ((ch->cc_data = ch->cc_method->new(get_time, ch)) == NULL)
f538b421
HL		 210 goto err;
211
b212d554 212 if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
f538b421
HL		 213 ch->cc_method, ch->cc_data)) == NULL)
214 goto err;
215
a6b6ea17
HL		 216 if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,
217 &ch->max_streams_bidi_rxfc,
5915a900
HL		 218 &ch->max_streams_uni_rxfc,
219 ch->is_server))
f538b421
HL		 220 goto err;
221
222 ch->have_qsm = 1;
223
4760116f
HL		 224 if (!ch->is_server
225 && !ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &txp_args.cur_scid))
226 goto err;
227
f538b421 228 /* We use a zero-length SCID. */
a6b6ea17
HL		 229 txp_args.cur_dcid = ch->init_dcid;
230 txp_args.ack_delay_exponent = 3;
231 txp_args.qtx = ch->qtx;
232 txp_args.txpim = ch->txpim;
233 txp_args.cfq = ch->cfq;
234 txp_args.ackm = ch->ackm;
235 txp_args.qsm = &ch->qsm;
236 txp_args.conn_txfc = &ch->conn_txfc;
237 txp_args.conn_rxfc = &ch->conn_rxfc;
238 txp_args.max_streams_bidi_rxfc = &ch->max_streams_bidi_rxfc;
239 txp_args.max_streams_uni_rxfc = &ch->max_streams_uni_rxfc;
240 txp_args.cc_method = ch->cc_method;
241 txp_args.cc_data = ch->cc_data;
242 txp_args.now = get_time;
243 txp_args.now_arg = ch;
45454ccc 244
f538b421 245 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
29f63384 246 ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_SEND_BUF_LEN);
f538b421
HL		 247 if (ch->crypto_send[pn_space] == NULL)
248 goto err;
249
250 txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
251 }
252
253 ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
254 if (ch->txp == NULL)
255 goto err;
256
8a65e7a5
HL		 257 ossl_quic_tx_packetiser_set_ack_tx_cb(ch->txp, ch_on_txp_ack_tx, ch);
258
34fa182e 259 qrx_args.libctx = ch->port->libctx;
4ed6b48d
HL		 260 qrx_args.demux = ch->port->demux;
261 qrx_args.short_conn_id_len = rx_short_dcid_len;
f538b421
HL		 262 qrx_args.max_deferred = 32;
263
264 if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
265 goto err;
266
dfe5e7fa
HL		 267 if (!ossl_qrx_set_late_validation_cb(ch->qrx,
268 rx_late_validate,
269 ch))
f538b421
HL		 270 goto err;
271
8a65e7a5
HL		 272 if (!ossl_qrx_set_key_update_cb(ch->qrx,
273 rxku_detected,
274 ch))
275 goto err;
276
f538b421 277 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
2113ea58 278 ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL, 0);
f538b421
HL		 279 if (ch->crypto_recv[pn_space] == NULL)
280 goto err;
281 }
282
2723d705
MC		 283 /* Plug in the TLS handshake layer. */
284 tls_args.s = ch->tls;
285 tls_args.crypto_send_cb = ch_on_crypto_send;
286 tls_args.crypto_send_cb_arg = ch;
7257188b
MC		 287 tls_args.crypto_recv_rcd_cb = ch_on_crypto_recv_record;
288 tls_args.crypto_recv_rcd_cb_arg = ch;
289 tls_args.crypto_release_rcd_cb = ch_on_crypto_release_record;
290 tls_args.crypto_release_rcd_cb_arg = ch;
2723d705
MC		 291 tls_args.yield_secret_cb = ch_on_handshake_yield_secret;
292 tls_args.yield_secret_cb_arg = ch;
293 tls_args.got_transport_params_cb = ch_on_transport_params;
294 tls_args.got_transport_params_cb_arg= ch;
295 tls_args.handshake_complete_cb = ch_on_handshake_complete;
296 tls_args.handshake_complete_cb_arg = ch;
297 tls_args.alert_cb = ch_on_handshake_alert;
298 tls_args.alert_cb_arg = ch;
299 tls_args.is_server = ch->is_server;
300
301 if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
f538b421
HL		 302 goto err;
303
f13868de 304 ch->tx_max_ack_delay = DEFAULT_MAX_ACK_DELAY;
4648eac5
HL		 305 ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
306 ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
307 ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
308 ch->max_idle_timeout = QUIC_DEFAULT_IDLE_TIMEOUT;
309 ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
310 ch->rx_enc_level = QUIC_ENC_LEVEL_INITIAL;
16f3b542 311 ch->txku_threshold_override = UINT64_MAX;
4648eac5 312
f13868de
HL		 313 ossl_ackm_set_tx_max_ack_delay(ch->ackm, ossl_ms2time(ch->tx_max_ack_delay));
314 ossl_ackm_set_rx_max_ack_delay(ch->ackm, ossl_ms2time(ch->rx_max_ack_delay));
315
f538b421
HL		 316 /*
317 * Determine the QUIC Transport Parameters and serialize the transport
318 * parameters block. (For servers, we do this later as we must defer
319 * generation until we have received the client's transport parameters.)
320 */
321 if (!ch->is_server && !ch_generate_transport_params(ch))
322 goto err;
323
f538b421 324 ch_update_idle(ch);
ce503f5c
HL		 325 ossl_list_ch_insert_tail(&ch->port->channel_list, ch);
326 ch->on_port_list = 1;
f538b421
HL		 327 return 1;
328
329err:
330 ch_cleanup(ch);
331 return 0;
332}
333
334static void ch_cleanup(QUIC_CHANNEL *ch)
335{
336 uint32_t pn_space;
337
338 if (ch->ackm != NULL)
339 for (pn_space = QUIC_PN_SPACE_INITIAL;
340 pn_space < QUIC_PN_SPACE_NUM;
341 ++pn_space)
342 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
343
cce6fccd 344 ossl_quic_lcidm_cull(ch->lcidm, ch);
5f86ae32 345 ossl_quic_srtm_cull(ch->srtm, ch);
f538b421
HL		 346 ossl_quic_tx_packetiser_free(ch->txp);
347 ossl_quic_txpim_free(ch->txpim);
348 ossl_quic_cfq_free(ch->cfq);
349 ossl_qtx_free(ch->qtx);
350 if (ch->cc_data != NULL)
351 ch->cc_method->free(ch->cc_data);
352 if (ch->have_statm)
353 ossl_statm_destroy(&ch->statm);
354 ossl_ackm_free(ch->ackm);
355
f538b421
HL		 356 if (ch->have_qsm)
357 ossl_quic_stream_map_cleanup(&ch->qsm);
358
359 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
360 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
361 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
362 }
363
364 ossl_qrx_pkt_release(ch->qrx_pkt);
365 ch->qrx_pkt = NULL;
366
2723d705 367 ossl_quic_tls_free(ch->qtls);
f538b421 368 ossl_qrx_free(ch->qrx);
f538b421 369 OPENSSL_free(ch->local_transport_params);
40c8c756 370 OPENSSL_free((char *)ch->terminate_cause.reason);
9c3ea4e1 371 OSSL_ERR_STATE_free(ch->err_state);
8c792b0c 372 OPENSSL_free(ch->ack_range_scratch);
cdd91631 373
ce503f5c
HL		 374 if (ch->on_port_list) {
375 ossl_list_ch_remove(&ch->port->channel_list, ch);
376 ch->on_port_list = 0;
377 }
f538b421
HL		 378}
379
380QUIC_CHANNEL *ossl_quic_channel_new(const QUIC_CHANNEL_ARGS *args)
381{
382 QUIC_CHANNEL *ch = NULL;
383
384 if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
385 return NULL;
386
12ab8afc 387 ch->port = args->port;
5cf99b40
MC		 388 ch->is_server = args->is_server;
389 ch->tls = args->tls;
cce6fccd 390 ch->lcidm = args->lcidm;
5f86ae32 391 ch->srtm = args->srtm;
f538b421
HL		 392
393 if (!ch_init(ch)) {
394 OPENSSL_free(ch);
395 return NULL;
396 }
397
398 return ch;
399}
400
401void ossl_quic_channel_free(QUIC_CHANNEL *ch)
402{
403 if (ch == NULL)
404 return;
405
406 ch_cleanup(ch);
407 OPENSSL_free(ch);
408}
409
14e31409
MC		 410/* Set mutator callbacks for test framework support */
411int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch,
412 ossl_mutate_packet_cb mutatecb,
413 ossl_finish_mutate_cb finishmutatecb,
414 void *mutatearg)
415{
416 if (ch->qtx == NULL)
417 return 0;
418
419 ossl_qtx_set_mutator(ch->qtx, mutatecb, finishmutatecb, mutatearg);
420 return 1;
421}
422
f538b421
HL		 423int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
424{
617b459d
HL		 425 if (!ch->addressed_mode)
426 return 0;
427
f538b421
HL		 428 *peer_addr = ch->cur_peer_addr;
429 return 1;
430}
431
432int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
433{
617b459d
HL		 434 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
435 return 0;
436
437 if (peer_addr == NULL || BIO_ADDR_family(peer_addr) == AF_UNSPEC) {
438 BIO_ADDR_clear(&ch->cur_peer_addr);
439 ch->addressed_mode = 0;
440 return 1;
441 }
442
443 ch->cur_peer_addr = *peer_addr;
444 ch->addressed_mode = 1;
f538b421
HL		 445 return 1;
446}
447
448QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
449{
632b0c7e 450 return ossl_quic_port_get0_reactor(ch->port);
f538b421
HL		 451}
452
453QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
454{
455 return &ch->qsm;
456}
457
458OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
459{
460 return &ch->statm;
461}
462
463QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
464 uint64_t stream_id)
465{
466 return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
467}
468
469int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
470{
471 return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
472}
473
7757f5ef 474int ossl_quic_channel_is_closing(const QUIC_CHANNEL *ch)
f538b421 475{
afe4a797
P		 476 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
477}
c12e1113 478
afe4a797
P		 479static int ossl_quic_channel_is_draining(const QUIC_CHANNEL *ch)
480{
481 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
f538b421
HL		 482}
483
afe4a797 484static int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
f538b421 485{
afe4a797
P		 486 return ossl_quic_channel_is_closing(ch)
487 || ossl_quic_channel_is_draining(ch);
488}
c12e1113 489
afe4a797
P		 490int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
491{
492 return ch->state == QUIC_CHANNEL_STATE_TERMINATED;
f538b421
HL		 493}
494
c12e1113
MC		 495int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
496{
497 return ossl_quic_channel_is_terminating(ch)
498 || ossl_quic_channel_is_terminated(ch);
499}
500
723cbe8a
HL		 501const QUIC_TERMINATE_CAUSE *
502ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL *ch)
f538b421 503{
723cbe8a 504 return ossl_quic_channel_is_term_any(ch) ? &ch->terminate_cause : NULL;
f538b421
HL		 505}
506
507int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
508{
509 return ch->handshake_complete;
510}
511
ce8f20b6
MC		 512int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL *ch)
513{
514 return ch->handshake_confirmed;
515}
516
553a4e00
HL		 517QUIC_DEMUX *ossl_quic_channel_get0_demux(QUIC_CHANNEL *ch)
518{
4ed6b48d 519 return ch->port->demux;
553a4e00
HL		 520}
521
12ab8afc
HL		 522QUIC_PORT *ossl_quic_channel_get0_port(QUIC_CHANNEL *ch)
523{
524 return ch->port;
525}
526
fb2245c4
HL		 527CRYPTO_MUTEX *ossl_quic_channel_get_mutex(QUIC_CHANNEL *ch)
528{
f98bc5c9 529 return ossl_quic_port_get0_mutex(ch->port);
fb2245c4
HL		 530}
531
9280d26a
HL		 532int ossl_quic_channel_has_pending(const QUIC_CHANNEL *ch)
533{
4ed6b48d 534 return ossl_quic_demux_has_pending(ch->port->demux)
9280d26a
HL		 535 || ossl_qrx_processed_read_pending(ch->qrx);
536}
537
f538b421
HL		 538/*
539 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
540 * ================================================================
541 */
542
543/* Used by various components. */
544static OSSL_TIME get_time(void *arg)
545{
b212d554
HL		 546 QUIC_CHANNEL *ch = arg;
547
f98bc5c9 548 return ossl_quic_port_get_time(ch->port);
f538b421
HL		 549}
550
551/* Used by QSM. */
552static uint64_t get_stream_limit(int uni, void *arg)
553{
554 QUIC_CHANNEL *ch = arg;
555
556 return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
557}
558
559/*
560 * Called by QRX to determine if a packet is potentially invalid before trying
561 * to decrypt it.
562 */
dfe5e7fa 563static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg)
f538b421
HL		 564{
565 QUIC_CHANNEL *ch = arg;
566
567 /* Potential duplicates should not be processed. */
568 if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
569 return 0;
570
571 return 1;
572}
573
8a65e7a5
HL		 574/*
575 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
576 * spontaneous TXKU is currently allowed.
577 */
578QUIC_NEEDS_LOCK
579static void ch_trigger_txku(QUIC_CHANNEL *ch)
580{
581 uint64_t next_pn
582 = ossl_quic_tx_packetiser_get_next_pn(ch->txp, QUIC_PN_SPACE_APP);
583
584 if (!ossl_quic_pn_valid(next_pn)
585 || !ossl_qtx_trigger_key_update(ch->qtx)) {
586 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
587 "key update");
588 return;
589 }
590
591 ch->txku_in_progress = 1;
592 ch->txku_pn = next_pn;
593 ch->rxku_expected = ch->ku_locally_initiated;
594}
595
596QUIC_NEEDS_LOCK
597static int txku_in_progress(QUIC_CHANNEL *ch)
598{
599 if (ch->txku_in_progress
600 && ossl_ackm_get_largest_acked(ch->ackm, QUIC_PN_SPACE_APP) >= ch->txku_pn) {
601 OSSL_TIME pto = ossl_ackm_get_pto_duration(ch->ackm);
602
603 /*
604 * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
605 * initiating a key update after receiving an acknowledgment that
606 * confirms that the previous key update was received.
607 *
608 * Note that by the above wording, this period starts from when we get
609 * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
610 * So we defer TXKU cooldown deadline calculation to this point.
611 */
612 ch->txku_in_progress = 0;
613 ch->txku_cooldown_deadline = ossl_time_add(get_time(ch),
614 ossl_time_multiply(pto, 3));
615 }
616
617 return ch->txku_in_progress;
618}
619
620QUIC_NEEDS_LOCK
621static int txku_allowed(QUIC_CHANNEL *ch)
622{
623 return ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT /* Sanity check. */
624 /* Strict RFC 9001 criterion for TXKU. */
625 && ch->handshake_confirmed
626 && !txku_in_progress(ch);
627}
628
629QUIC_NEEDS_LOCK
630static int txku_recommendable(QUIC_CHANNEL *ch)
631{
632 if (!txku_allowed(ch))
633 return 0;
634
635 return
636 /* Recommended RFC 9001 criterion for TXKU. */
637 ossl_time_compare(get_time(ch), ch->txku_cooldown_deadline) >= 0
638 /* Some additional sensible criteria. */
639 && !ch->rxku_in_progress
640 && !ch->rxku_pending_confirm;
641}
642
643QUIC_NEEDS_LOCK
644static int txku_desirable(QUIC_CHANNEL *ch)
645{
16f3b542 646 uint64_t cur_pkt_count, max_pkt_count, thresh_pkt_count;
8a65e7a5
HL		 647 const uint32_t enc_level = QUIC_ENC_LEVEL_1RTT;
648
649 /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
650 cur_pkt_count = ossl_qtx_get_cur_epoch_pkt_count(ch->qtx, enc_level);
651 max_pkt_count = ossl_qtx_get_max_epoch_pkt_count(ch->qtx, enc_level);
652
16f3b542
HL		 653 thresh_pkt_count = max_pkt_count / 2;
654 if (ch->txku_threshold_override != UINT64_MAX)
655 thresh_pkt_count = ch->txku_threshold_override;
656
657 return cur_pkt_count >= thresh_pkt_count;
8a65e7a5
HL		 658}
659
660QUIC_NEEDS_LOCK
661static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL *ch)
662{
663 if (!txku_recommendable(ch) || !txku_desirable(ch))
664 return;
665
666 ch->ku_locally_initiated = 1;
667 ch_trigger_txku(ch);
668}
669
670QUIC_NEEDS_LOCK
671static int rxku_allowed(QUIC_CHANNEL *ch)
672{
673 /*
674 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
675 * having confirmed the handshake (Section 4.1.2).
676 *
677 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
678 * unless it has received an acknowledgment for a packet that was sent
679 * protected with keys from the current key phase.
680 *
681 * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
682 * sent any packets with updated keys containing an acknowledgment for the
683 * packet that initiated the key update, it indicates that its peer has
684 * updated keys twice without awaiting confirmation. An endpoint MAY treat
685 * such consecutive key updates as a connection error of type
686 * KEY_UPDATE_ERROR.
687 */
688 return ch->handshake_confirmed && !ch->rxku_pending_confirm;
689}
690
691/*
692 * Called when the QRX detects a new RX key update event.
693 */
694enum rxku_decision {
695 DECISION_RXKU_ONLY,
696 DECISION_PROTOCOL_VIOLATION,
697 DECISION_SOLICITED_TXKU
698};
699
700/* Called when the QRX detects a key update has occurred. */
701QUIC_NEEDS_LOCK
702static void rxku_detected(QUIC_PN pn, void *arg)
703{
704 QUIC_CHANNEL *ch = arg;
705 enum rxku_decision decision;
706 OSSL_TIME pto;
707
708 /*
709 * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
710 * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
711 */
712 assert(!ch->rxku_in_progress);
713
714 if (!rxku_allowed(ch))
715 /* Is RXKU even allowed at this time? */
716 decision = DECISION_PROTOCOL_VIOLATION;
717
718 else if (ch->ku_locally_initiated)
719 /*
720 * If this key update was locally initiated (meaning that this detected
721 * RXKU event is a result of our own spontaneous TXKU), we do not
722 * trigger another TXKU; after all, to do so would result in an infinite
723 * ping-pong of key updates. We still process it as an RXKU.
724 */
725 decision = DECISION_RXKU_ONLY;
726
727 else
728 /*
729 * Otherwise, a peer triggering a KU means we have to trigger a KU also.
730 */
731 decision = DECISION_SOLICITED_TXKU;
732
733 if (decision == DECISION_PROTOCOL_VIOLATION) {
734 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_KEY_UPDATE_ERROR,
735 0, "RX key update again too soon");
736 return;
737 }
738
739 pto = ossl_ackm_get_pto_duration(ch->ackm);
740
741 ch->ku_locally_initiated = 0;
742 ch->rxku_in_progress = 1;
743 ch->rxku_pending_confirm = 1;
744 ch->rxku_trigger_pn = pn;
745 ch->rxku_update_end_deadline = ossl_time_add(get_time(ch), pto);
c93f7668 746 ch->rxku_expected = 0;
8a65e7a5
HL		 747
748 if (decision == DECISION_SOLICITED_TXKU)
749 /* NOT gated by usual txku_allowed() */
750 ch_trigger_txku(ch);
37ba2bc7
HL		 751
752 /*
753 * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
754 * received. In some cases, this may not occur for a long time, for example
755 * if transmission of application data is going in only one direction and
756 * nothing else is happening with the connection. However, since the peer
757 * cannot initiate a subsequent (spontaneous) TXKU until its prior
692a3cab 758 * (spontaneous or solicited) TXKU has completed - meaning that prior
37ba2bc7
HL		 759 * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
760 * can lead to very long times before a TXKU is considered 'completed'.
761 * Optimise this by forcing ACK generation after triggering TXKU.
762 * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
763 * which it more or less should be; it is necessarily separate from ordinary
764 * processing of ACK-eliciting frames as key update is not indicated via a
765 * frame.)
766 */
767 ossl_quic_tx_packetiser_schedule_ack(ch->txp, QUIC_PN_SPACE_APP);
8a65e7a5
HL		 768}
769
770/* Called per tick to handle RXKU timer events. */
771QUIC_NEEDS_LOCK
772static void ch_rxku_tick(QUIC_CHANNEL *ch)
773{
774 if (!ch->rxku_in_progress
775 || ossl_time_compare(get_time(ch), ch->rxku_update_end_deadline) < 0)
776 return;
777
778 ch->rxku_update_end_deadline = ossl_time_infinite();
779 ch->rxku_in_progress = 0;
780
781 if (!ossl_qrx_key_update_timeout(ch->qrx, /*normal=*/1))
782 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
783 "RXKU cooldown internal error");
784}
785
786QUIC_NEEDS_LOCK
787static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
788 void *arg)
789{
790 QUIC_CHANNEL *ch = arg;
791
792 if (pn_space != QUIC_PN_SPACE_APP || !ch->rxku_pending_confirm
793 || !ossl_quic_frame_ack_contains_pn(ack, ch->rxku_trigger_pn))
794 return;
795
796 /*
797 * Defer clearing rxku_pending_confirm until TXP generate call returns
798 * successfully.
799 */
800 ch->rxku_pending_confirm_done = 1;
801}
802
f538b421
HL		 803/*
804 * QUIC Channel: Handshake Layer Event Handling
805 * ============================================
806 */
807static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
808 size_t *consumed, void *arg)
809{
810 int ret;
811 QUIC_CHANNEL *ch = arg;
812 uint32_t enc_level = ch->tx_enc_level;
813 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
814 QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];
815
816 if (!ossl_assert(sstream != NULL))
817 return 0;
818
819 ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
820 return ret;
821}
822
823static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
824{
825 size_t avail = 0;
826 int is_fin = 0;
827
828 if (rstream == NULL)
829 return 1;
830
831 if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
832 return 0;
833
834 return avail == 0;
835}
836
7257188b
MC		 837static int ch_on_crypto_recv_record(const unsigned char **buf,
838 size_t *bytes_read, void *arg)
f538b421
HL		 839{
840 QUIC_CHANNEL *ch = arg;
841 QUIC_RSTREAM *rstream;
842 int is_fin = 0; /* crypto stream is never finished, so we don't use this */
843 uint32_t i;
844
845 /*
846 * After we move to a later EL we must not allow our peer to send any new
847 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
848 * are allowed.
849 *
850 * In practice we will only move to a new EL when we have consumed all bytes
851 * which should be sent on the crypto stream at a previous EL. For example,
852 * the Handshake EL should not be provisioned until we have completely
853 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
854 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
855 * given EL is available we simply ensure we have not received any further
856 * bytes at a lower EL.
857 */
45ecfc9b 858 for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->rx_enc_level; ++i)
f538b421
HL		 859 if (i != QUIC_ENC_LEVEL_0RTT &&
860 !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
861 /* Protocol violation (RFC 9001 s. 4.1.3) */
862 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
863 OSSL_QUIC_FRAME_TYPE_CRYPTO,
864 "crypto stream data in wrong EL");
865 return 0;
866 }
867
45ecfc9b 868 rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->rx_enc_level)];
f538b421
HL		 869 if (rstream == NULL)
870 return 0;
871
7257188b
MC		 872 return ossl_quic_rstream_get_record(rstream, buf, bytes_read,
873 &is_fin);
874}
875
876static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
877{
878 QUIC_CHANNEL *ch = arg;
879 QUIC_RSTREAM *rstream;
098914d0
HL		 880 OSSL_RTT_INFO rtt_info;
881 uint32_t rx_pn_space = ossl_quic_enc_level_to_pn_space(ch->rx_enc_level);
7257188b 882
098914d0 883 rstream = ch->crypto_recv[rx_pn_space];
7257188b
MC		 884 if (rstream == NULL)
885 return 0;
886
098914d0
HL		 887 ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(ch), &rtt_info);
888 if (!ossl_quic_rxfc_on_retire(&ch->crypto_rxfc[rx_pn_space], bytes_read,
889 rtt_info.smoothed_rtt))
890 return 0;
891
7257188b 892 return ossl_quic_rstream_release_record(rstream, bytes_read);
f538b421
HL		 893}
894
895static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
896 uint32_t suite_id, EVP_MD *md,
897 const unsigned char *secret,
898 size_t secret_len,
899 void *arg)
900{
901 QUIC_CHANNEL *ch = arg;
902 uint32_t i;
903
904 if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
905 /* Invalid EL. */
906 return 0;
907
f538b421
HL		 908
909 if (direction) {
910 /* TX */
45ecfc9b
MC		 911 if (enc_level <= ch->tx_enc_level)
912 /*
9f0ade7c
HL		 913 * Does not make sense for us to try and provision an EL we have already
914 * attained.
915 */
45ecfc9b
MC		 916 return 0;
917
f538b421
HL		 918 if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
919 suite_id, md,
920 secret, secret_len))
921 return 0;
922
923 ch->tx_enc_level = enc_level;
924 } else {
925 /* RX */
45ecfc9b
MC		 926 if (enc_level <= ch->rx_enc_level)
927 /*
9f0ade7c
HL		 928 * Does not make sense for us to try and provision an EL we have already
929 * attained.
930 */
45ecfc9b
MC		 931 return 0;
932
933 /*
9f0ade7c
HL		 934 * Ensure all crypto streams for previous ELs are now empty of available
935 * data.
936 */
45ecfc9b 937 for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
e28f512f 938 if (!crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
45ecfc9b
MC		 939 /* Protocol violation (RFC 9001 s. 4.1.3) */
940 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
941 OSSL_QUIC_FRAME_TYPE_CRYPTO,
942 "crypto stream data in wrong EL");
943 return 0;
944 }
945
f538b421
HL		 946 if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
947 suite_id, md,
948 secret, secret_len))
949 return 0;
92282a17
HL		 950
951 ch->have_new_rx_secret = 1;
45ecfc9b 952 ch->rx_enc_level = enc_level;
f538b421
HL		 953 }
954
955 return 1;
956}
957
958static int ch_on_handshake_complete(void *arg)
959{
960 QUIC_CHANNEL *ch = arg;
961
e28f512f 962 if (!ossl_assert(!ch->handshake_complete))
f538b421
HL		 963 return 0; /* this should not happen twice */
964
965 if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
966 return 0;
967
62d0da12 968 if (!ch->got_remote_transport_params) {
f538b421
HL		 969 /*
970 * Was not a valid QUIC handshake if we did not get valid transport
971 * params.
972 */
3ad5711e 973 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_CRYPTO_MISSING_EXT,
62d0da12
MC		 974 OSSL_QUIC_FRAME_TYPE_CRYPTO,
975 "no transport parameters received");
f538b421 976 return 0;
62d0da12 977 }
f538b421
HL		 978
979 /* Don't need transport parameters anymore. */
980 OPENSSL_free(ch->local_transport_params);
981 ch->local_transport_params = NULL;
982
2a6f1f2f
HL		 983 /* Tell the QRX it can now process 1-RTT packets. */
984 ossl_qrx_allow_1rtt_processing(ch->qrx);
985
f538b421
HL		 986 /* Tell TXP the handshake is complete. */
987 ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);
988
989 ch->handshake_complete = 1;
b1b06da2
HL		 990
991 if (ch->is_server) {
992 /*
993 * On the server, the handshake is confirmed as soon as it is complete.
994 */
995 ossl_quic_channel_on_handshake_confirmed(ch);
996
997 ossl_quic_tx_packetiser_schedule_handshake_done(ch->txp);
998 }
999
f538b421
HL		 1000 return 1;
1001}
1002
1003static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
1004{
1005 QUIC_CHANNEL *ch = arg;
1006
b644a932
MC		 1007 /*
1008 * RFC 9001 s. 4.4: More specifically, servers MUST NOT send post-handshake
1009 * TLS CertificateRequest messages, and clients MUST treat receipt of such
1010 * messages as a connection error of type PROTOCOL_VIOLATION.
1011 */
04c7fb53 1012 if (alert_code == SSL_AD_UNEXPECTED_MESSAGE
b644a932
MC		 1013 && ch->handshake_complete
1014 && ossl_quic_tls_is_cert_request(ch->qtls))
1015 ossl_quic_channel_raise_protocol_error(ch,
1016 QUIC_ERR_PROTOCOL_VIOLATION,
1017 0,
1018 "Post-handshake TLS "
1019 "CertificateRequest received");
04c7fb53
MC		 1020 /*
1021 * RFC 9001 s. 4.6.1: Servers MUST NOT send the early_data extension with a
1022 * max_early_data_size field set to any value other than 0xffffffff. A
1023 * client MUST treat receipt of a NewSessionTicket that contains an
1024 * early_data extension with any other value as a connection error of type
1025 * PROTOCOL_VIOLATION.
1026 */
1027 else if (alert_code == SSL_AD_ILLEGAL_PARAMETER
1028 && ch->handshake_complete
1029 && ossl_quic_tls_has_bad_max_early_data(ch->qtls))
1030 ossl_quic_channel_raise_protocol_error(ch,
1031 QUIC_ERR_PROTOCOL_VIOLATION,
1032 0,
1033 "Bad max_early_data received");
b644a932
MC		 1034 else
1035 ossl_quic_channel_raise_protocol_error(ch,
1036 QUIC_ERR_CRYPTO_ERR_BEGIN
1037 + alert_code,
1038 0, "handshake alert");
1039
f538b421
HL		 1040 return 1;
1041}
1042
1043/*
1044 * QUIC Channel: Transport Parameter Handling
1045 * ==========================================
1046 */
1047
1048/*
1049 * Called by handshake layer when we receive QUIC Transport Parameters from the
1050 * peer. Note that these are not authenticated until the handshake is marked
1051 * as complete.
1052 */
3c567a52
HL		 1053#define TP_REASON_SERVER_ONLY(x) \
1054 x " may not be sent by a client"
1055#define TP_REASON_DUP(x) \
1056 x " appears multiple times"
1057#define TP_REASON_MALFORMED(x) \
1058 x " is malformed"
1059#define TP_REASON_EXPECTED_VALUE(x) \
1060 x " does not match expected value"
1061#define TP_REASON_NOT_RETRY(x) \
1062 x " sent when not performing a retry"
1063#define TP_REASON_REQUIRED(x) \
1064 x " was not sent but is required"
cdd91631
P		 1065#define TP_REASON_INTERNAL_ERROR(x) \
1066 x " encountered internal error"
3c567a52 1067
26ad16ea
HL		 1068static void txfc_bump_cwm_bidi(QUIC_STREAM *s, void *arg)
1069{
1070 if (!ossl_quic_stream_is_bidi(s)
1071 || ossl_quic_stream_is_server_init(s))
1072 return;
1073
1074 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1075}
1076
1077static void txfc_bump_cwm_uni(QUIC_STREAM *s, void *arg)
1078{
1079 if (ossl_quic_stream_is_bidi(s)
1080 || ossl_quic_stream_is_server_init(s))
1081 return;
1082
1083 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1084}
1085
1086static void do_update(QUIC_STREAM *s, void *arg)
1087{
1088 QUIC_CHANNEL *ch = arg;
1089
1090 ossl_quic_stream_map_update_state(&ch->qsm, s);
1091}
1092
f538b421
HL		 1093static int ch_on_transport_params(const unsigned char *params,
1094 size_t params_len,
1095 void *arg)
1096{
1097 QUIC_CHANNEL *ch = arg;
1098 PACKET pkt;
1099 uint64_t id, v;
1100 size_t len;
1101 const unsigned char *body;
1102 int got_orig_dcid = 0;
1103 int got_initial_scid = 0;
1104 int got_retry_scid = 0;
1105 int got_initial_max_data = 0;
1106 int got_initial_max_stream_data_bidi_local = 0;
1107 int got_initial_max_stream_data_bidi_remote = 0;
1108 int got_initial_max_stream_data_uni = 0;
1109 int got_initial_max_streams_bidi = 0;
1110 int got_initial_max_streams_uni = 0;
70e809b0
HL		 1111 int got_stateless_reset_token = 0;
1112 int got_preferred_addr = 0;
f538b421
HL		 1113 int got_ack_delay_exp = 0;
1114 int got_max_ack_delay = 0;
1115 int got_max_udp_payload_size = 0;
1116 int got_max_idle_timeout = 0;
1117 int got_active_conn_id_limit = 0;
0911cb4a 1118 int got_disable_active_migration = 0;
f538b421 1119 QUIC_CONN_ID cid;
3c567a52 1120 const char *reason = "bad transport parameter";
f538b421 1121
f94cacb7
HL		 1122 if (ch->got_remote_transport_params) {
1123 reason = "multiple transport parameter extensions";
f538b421 1124 goto malformed;
f94cacb7 1125 }
f538b421 1126
96014840
TM		 1127 if (!PACKET_buf_init(&pkt, params, params_len)) {
1128 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1129 "internal error (packet buf init)");
f538b421 1130 return 0;
96014840 1131 }
f538b421
HL		 1132
1133 while (PACKET_remaining(&pkt) > 0) {
1134 if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
1135 goto malformed;
1136
1137 switch (id) {
75b2920a 1138 case QUIC_TPARAM_ORIG_DCID:
3c567a52
HL		 1139 if (got_orig_dcid) {
1140 reason = TP_REASON_DUP("ORIG_DCID");
1141 goto malformed;
1142 }
1143
1144 if (ch->is_server) {
1145 reason = TP_REASON_SERVER_ONLY("ORIG_DCID");
75b2920a 1146 goto malformed;
3c567a52 1147 }
75b2920a 1148
3c567a52
HL		 1149 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1150 reason = TP_REASON_MALFORMED("ORIG_DCID");
75b2920a 1151 goto malformed;
3c567a52 1152 }
75b2920a 1153
b62ac1ab 1154#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
75b2920a 1155 /* Must match our initial DCID. */
3c567a52
HL		 1156 if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid)) {
1157 reason = TP_REASON_EXPECTED_VALUE("ORIG_DCID");
75b2920a 1158 goto malformed;
3c567a52 1159 }
b62ac1ab 1160#endif
75b2920a
HL		 1161
1162 got_orig_dcid = 1;
1163 break;
1164
1165 case QUIC_TPARAM_RETRY_SCID:
3c567a52
HL		 1166 if (ch->is_server) {
1167 reason = TP_REASON_SERVER_ONLY("RETRY_SCID");
1168 goto malformed;
1169 }
1170
1171 if (got_retry_scid) {
1172 reason = TP_REASON_DUP("RETRY_SCID");
75b2920a 1173 goto malformed;
3c567a52
HL		 1174 }
1175
1176 if (!ch->doing_retry) {
1177 reason = TP_REASON_NOT_RETRY("RETRY_SCID");
1178 goto malformed;
1179 }
75b2920a 1180
3c567a52
HL		 1181 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1182 reason = TP_REASON_MALFORMED("RETRY_SCID");
75b2920a 1183 goto malformed;
3c567a52 1184 }
75b2920a
HL		 1185
1186 /* Must match Retry packet SCID. */
3c567a52
HL		 1187 if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid)) {
1188 reason = TP_REASON_EXPECTED_VALUE("RETRY_SCID");
75b2920a 1189 goto malformed;
3c567a52 1190 }
75b2920a
HL		 1191
1192 got_retry_scid = 1;
1193 break;
1194
1195 case QUIC_TPARAM_INITIAL_SCID:
3c567a52 1196 if (got_initial_scid) {
75b2920a 1197 /* must not appear more than once */
3c567a52 1198 reason = TP_REASON_DUP("INITIAL_SCID");
75b2920a 1199 goto malformed;
3c567a52 1200 }
75b2920a 1201
3c567a52
HL		 1202 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1203 reason = TP_REASON_MALFORMED("INITIAL_SCID");
75b2920a 1204 goto malformed;
3c567a52 1205 }
75b2920a
HL		 1206
1207 /* Must match SCID of first Initial packet from server. */
3c567a52
HL		 1208 if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid)) {
1209 reason = TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
75b2920a 1210 goto malformed;
3c567a52 1211 }
75b2920a
HL		 1212
1213 got_initial_scid = 1;
1214 break;
1215
1216 case QUIC_TPARAM_INITIAL_MAX_DATA:
3c567a52 1217 if (got_initial_max_data) {
75b2920a 1218 /* must not appear more than once */
3c567a52 1219 reason = TP_REASON_DUP("INITIAL_MAX_DATA");
75b2920a 1220 goto malformed;
3c567a52 1221 }
75b2920a 1222
3c567a52
HL		 1223 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1224 reason = TP_REASON_MALFORMED("INITIAL_MAX_DATA");
75b2920a 1225 goto malformed;
3c567a52 1226 }
75b2920a
HL		 1227
1228 ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
1229 got_initial_max_data = 1;
1230 break;
1231
1232 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
3c567a52 1233 if (got_initial_max_stream_data_bidi_local) {
75b2920a 1234 /* must not appear more than once */
3c567a52 1235 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
75b2920a 1236 goto malformed;
3c567a52 1237 }
75b2920a 1238
3c567a52
HL		 1239 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1240 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
75b2920a 1241 goto malformed;
3c567a52 1242 }
f538b421
HL		 1243
1244 /*
75b2920a
HL		 1245 * This is correct; the BIDI_LOCAL TP governs streams created by
1246 * the endpoint which sends the TP, i.e., our peer.
f538b421 1247 */
54562e89 1248 ch->rx_init_max_stream_data_bidi_remote = v;
75b2920a
HL		 1249 got_initial_max_stream_data_bidi_local = 1;
1250 break;
1251
1252 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
3c567a52 1253 if (got_initial_max_stream_data_bidi_remote) {
75b2920a 1254 /* must not appear more than once */
3c567a52 1255 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
75b2920a 1256 goto malformed;
3c567a52 1257 }
75b2920a 1258
3c567a52
HL		 1259 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1260 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
75b2920a 1261 goto malformed;
3c567a52 1262 }
75b2920a
HL		 1263
1264 /*
1265 * This is correct; the BIDI_REMOTE TP governs streams created
1266 * by the endpoint which receives the TP, i.e., us.
1267 */
54562e89 1268 ch->rx_init_max_stream_data_bidi_local = v;
75b2920a 1269
26ad16ea
HL		 1270 /* Apply to all existing streams. */
1271 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_bidi, &v);
75b2920a
HL		 1272 got_initial_max_stream_data_bidi_remote = 1;
1273 break;
1274
1275 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
3c567a52 1276 if (got_initial_max_stream_data_uni) {
75b2920a 1277 /* must not appear more than once */
3c567a52 1278 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
75b2920a 1279 goto malformed;
3c567a52 1280 }
75b2920a 1281
3c567a52
HL		 1282 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1283 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
75b2920a 1284 goto malformed;
3c567a52 1285 }
75b2920a 1286
e8fe7a21 1287 ch->rx_init_max_stream_data_uni = v;
26ad16ea
HL		 1288
1289 /* Apply to all existing streams. */
1290 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_uni, &v);
75b2920a
HL		 1291 got_initial_max_stream_data_uni = 1;
1292 break;
1293
1294 case QUIC_TPARAM_ACK_DELAY_EXP:
3c567a52 1295 if (got_ack_delay_exp) {
75b2920a 1296 /* must not appear more than once */
3c567a52 1297 reason = TP_REASON_DUP("ACK_DELAY_EXP");
75b2920a 1298 goto malformed;
3c567a52 1299 }
75b2920a
HL		 1300
1301 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1302 || v > QUIC_MAX_ACK_DELAY_EXP) {
1303 reason = TP_REASON_MALFORMED("ACK_DELAY_EXP");
75b2920a 1304 goto malformed;
3c567a52 1305 }
75b2920a
HL		 1306
1307 ch->rx_ack_delay_exp = (unsigned char)v;
1308 got_ack_delay_exp = 1;
1309 break;
1310
1311 case QUIC_TPARAM_MAX_ACK_DELAY:
3c567a52 1312 if (got_max_ack_delay) {
75b2920a 1313 /* must not appear more than once */
3c567a52 1314 reason = TP_REASON_DUP("MAX_ACK_DELAY");
96014840 1315 goto malformed;
3c567a52 1316 }
75b2920a
HL		 1317
1318 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1319 || v >= (((uint64_t)1) << 14)) {
1320 reason = TP_REASON_MALFORMED("MAX_ACK_DELAY");
75b2920a 1321 goto malformed;
3c567a52 1322 }
75b2920a
HL		 1323
1324 ch->rx_max_ack_delay = v;
f13868de
HL		 1325 ossl_ackm_set_rx_max_ack_delay(ch->ackm,
1326 ossl_ms2time(ch->rx_max_ack_delay));
1327
75b2920a
HL		 1328 got_max_ack_delay = 1;
1329 break;
1330
1331 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
3c567a52 1332 if (got_initial_max_streams_bidi) {
75b2920a 1333 /* must not appear more than once */
3c567a52 1334 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
96014840 1335 goto malformed;
3c567a52 1336 }
75b2920a
HL		 1337
1338 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1339 || v > (((uint64_t)1) << 60)) {
1340 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
75b2920a 1341 goto malformed;
3c567a52 1342 }
75b2920a
HL		 1343
1344 assert(ch->max_local_streams_bidi == 0);
1345 ch->max_local_streams_bidi = v;
1346 got_initial_max_streams_bidi = 1;
1347 break;
1348
1349 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
3c567a52 1350 if (got_initial_max_streams_uni) {
75b2920a 1351 /* must not appear more than once */
3c567a52 1352 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
75b2920a 1353 goto malformed;
3c567a52 1354 }
75b2920a
HL		 1355
1356 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1357 || v > (((uint64_t)1) << 60)) {
1358 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
75b2920a 1359 goto malformed;
3c567a52 1360 }
75b2920a
HL		 1361
1362 assert(ch->max_local_streams_uni == 0);
1363 ch->max_local_streams_uni = v;
1364 got_initial_max_streams_uni = 1;
1365 break;
1366
1367 case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
3c567a52 1368 if (got_max_idle_timeout) {
75b2920a 1369 /* must not appear more than once */
3c567a52 1370 reason = TP_REASON_DUP("MAX_IDLE_TIMEOUT");
75b2920a 1371 goto malformed;
3c567a52 1372 }
75b2920a 1373
3c567a52
HL		 1374 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1375 reason = TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
75b2920a 1376 goto malformed;
3c567a52 1377 }
75b2920a 1378
4648eac5 1379 if (v > 0 && v < ch->max_idle_timeout)
75b2920a
HL		 1380 ch->max_idle_timeout = v;
1381
1382 ch_update_idle(ch);
1383 got_max_idle_timeout = 1;
1384 break;
f538b421 1385
75b2920a 1386 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
3c567a52 1387 if (got_max_udp_payload_size) {
75b2920a 1388 /* must not appear more than once */
3c567a52 1389 reason = TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
75b2920a 1390 goto malformed;
3c567a52 1391 }
f538b421 1392
75b2920a 1393 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1394 || v < QUIC_MIN_INITIAL_DGRAM_LEN) {
1395 reason = TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
75b2920a 1396 goto malformed;
3c567a52 1397 }
75b2920a
HL		 1398
1399 ch->rx_max_udp_payload_size = v;
1400 got_max_udp_payload_size = 1;
1401 break;
1402
1403 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT:
3c567a52 1404 if (got_active_conn_id_limit) {
75b2920a 1405 /* must not appear more than once */
3c567a52 1406 reason = TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
75b2920a 1407 goto malformed;
3c567a52 1408 }
75b2920a
HL		 1409
1410 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
3c567a52
HL		 1411 || v < QUIC_MIN_ACTIVE_CONN_ID_LIMIT) {
1412 reason = TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
75b2920a 1413 goto malformed;
3c567a52 1414 }
75b2920a
HL		 1415
1416 ch->rx_active_conn_id_limit = v;
1417 got_active_conn_id_limit = 1;
1418 break;
1419
3c567a52 1420 case QUIC_TPARAM_STATELESS_RESET_TOKEN:
70e809b0
HL		 1421 if (got_stateless_reset_token) {
1422 reason = TP_REASON_DUP("STATELESS_RESET_TOKEN");
1423 goto malformed;
1424 }
1425
3c567a52 1426 /*
cdd91631
P		 1427 * We must ensure a client doesn't send them because we don't have
1428 * processing for them.
1429 *
1430 * TODO(QUIC SERVER): remove this restriction
3c567a52
HL		 1431 */
1432 if (ch->is_server) {
1433 reason = TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1434 goto malformed;
1435 }
1436
1437 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1438 if (body == NULL || len != QUIC_STATELESS_RESET_TOKEN_LEN) {
1439 reason = TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1440 goto malformed;
1441 }
5f86ae32
HL		 1442 if (!ossl_quic_srtm_add(ch->srtm, ch, ch->cur_remote_seq_num,
1443 (const QUIC_STATELESS_RESET_TOKEN *)body)) {
cdd91631
P		 1444 reason = TP_REASON_INTERNAL_ERROR("STATELESS_RESET_TOKEN");
1445 goto malformed;
1446 }
3c567a52 1447
70e809b0 1448 got_stateless_reset_token = 1;
3c567a52
HL		 1449 break;
1450
1451 case QUIC_TPARAM_PREFERRED_ADDR:
54bd1f24 1452 {
44cb36d0 1453 /* TODO(QUIC FUTURE): Handle preferred address. */
54bd1f24 1454 QUIC_PREFERRED_ADDR pfa;
70e809b0
HL		 1455 if (got_preferred_addr) {
1456 reason = TP_REASON_DUP("PREFERRED_ADDR");
1457 goto malformed;
1458 }
54bd1f24
HL		 1459
1460 /*
1461 * RFC 9000 s. 18.2: "A server that chooses a zero-length
1462 * connection ID MUST NOT provide a preferred address.
1463 * Similarly, a server MUST NOT include a zero-length connection
1464 * ID in this transport parameter. A client MUST treat a
1465 * violation of these requirements as a connection error of type
1466 * TRANSPORT_PARAMETER_ERROR."
1467 */
1468 if (ch->is_server) {
1469 reason = TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1470 goto malformed;
1471 }
1472
1473 if (ch->cur_remote_dcid.id_len == 0) {
1474 reason = "PREFERRED_ADDR provided for zero-length CID";
1475 goto malformed;
1476 }
1477
1478 if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt, &pfa)) {
1479 reason = TP_REASON_MALFORMED("PREFERRED_ADDR");
1480 goto malformed;
1481 }
1482
1483 if (pfa.cid.id_len == 0) {
1484 reason = "zero-length CID in PREFERRED_ADDR";
1485 goto malformed;
1486 }
70e809b0
HL		 1487
1488 got_preferred_addr = 1;
3c567a52 1489 }
3c567a52 1490 break;
75b2920a
HL		 1491
1492 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION:
1493 /* We do not currently handle migration, so nothing to do. */
0911cb4a
HL		 1494 if (got_disable_active_migration) {
1495 /* must not appear more than once */
1496 reason = TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
1497 goto malformed;
1498 }
1499
1500 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1501 if (body == NULL || len > 0) {
1502 reason = TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
1503 goto malformed;
1504 }
1505
1506 got_disable_active_migration = 1;
1507 break;
1508
75b2920a 1509 default:
0911cb4a
HL		 1510 /*
1511 * Skip over and ignore.
1512 *
1513 * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
1514 * as a connection error, but we are not required to. Currently,
1515 * handle this programmatically by checking for duplicates in the
1516 * parameters that we recognise, as above, but don't bother
1517 * maintaining a list of duplicates for anything we don't recognise.
1518 */
75b2920a
HL		 1519 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id,
1520 &len);
1521 if (body == NULL)
1522 goto malformed;
1523
1524 break;
f538b421
HL		 1525 }
1526 }
1527
3c567a52
HL		 1528 if (!got_initial_scid) {
1529 reason = TP_REASON_REQUIRED("INITIAL_SCID");
f538b421 1530 goto malformed;
3c567a52
HL		 1531 }
1532
1533 if (!ch->is_server) {
1534 if (!got_orig_dcid) {
1535 reason = TP_REASON_REQUIRED("ORIG_DCID");
1536 goto malformed;
1537 }
1538
1539 if (ch->doing_retry && !got_retry_scid) {
1540 reason = TP_REASON_REQUIRED("RETRY_SCID");
1541 goto malformed;
1542 }
1543 }
f538b421
HL		 1544
1545 ch->got_remote_transport_params = 1;
1546
1547 if (got_initial_max_data || got_initial_max_stream_data_bidi_remote
1548 || got_initial_max_streams_bidi || got_initial_max_streams_uni)
26ad16ea
HL		 1549 /*
1550 * If FC credit was bumped, we may now be able to send. Update all
1551 * streams.
1552 */
1553 ossl_quic_stream_map_visit(&ch->qsm, do_update, ch);
f538b421
HL		 1554
1555 /* If we are a server, we now generate our own transport parameters. */
1556 if (ch->is_server && !ch_generate_transport_params(ch)) {
1557 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1558 "internal error");
1559 return 0;
1560 }
1561
1562 return 1;
1563
1564malformed:
1565 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
3c567a52 1566 0, reason);
f538b421
HL		 1567 return 0;
1568}
1569
1570/*
1571 * Called when we want to generate transport parameters. This is called
1572 * immediately at instantiation time for a client and after we receive the
1573 * client's transport parameters for a server.
1574 */
1575static int ch_generate_transport_params(QUIC_CHANNEL *ch)
1576{
1577 int ok = 0;
1578 BUF_MEM *buf_mem = NULL;
1579 WPACKET wpkt;
1580 int wpkt_valid = 0;
1581 size_t buf_len = 0;
1582
1583 if (ch->local_transport_params != NULL)
1584 goto err;
1585
1586 if ((buf_mem = BUF_MEM_new()) == NULL)
1587 goto err;
1588
1589 if (!WPACKET_init(&wpkt, buf_mem))
1590 goto err;
1591
1592 wpkt_valid = 1;
1593
1594 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION,
1595 NULL, 0) == NULL)
1596 goto err;
1597
3c567a52
HL		 1598 if (ch->is_server) {
1599 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_ORIG_DCID,
1600 &ch->init_dcid))
1601 goto err;
1602
1603 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
bbc97540 1604 &ch->cur_local_cid))
3c567a52
HL		 1605 goto err;
1606 } else {
1607 /* Client always uses an empty SCID. */
1608 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1609 NULL, 0) == NULL)
1610 goto err;
1611 }
f538b421
HL		 1612
1613 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_IDLE_TIMEOUT,
1614 ch->max_idle_timeout))
1615 goto err;
1616
1617 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE,
1618 QUIC_MIN_INITIAL_DGRAM_LEN))
1619 goto err;
1620
1621 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT,
54bd1f24 1622 QUIC_MIN_ACTIVE_CONN_ID_LIMIT))
f538b421
HL		 1623 goto err;
1624
f13868de
HL		 1625 if (ch->tx_max_ack_delay != QUIC_DEFAULT_MAX_ACK_DELAY
1626 && !ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_ACK_DELAY,
1627 ch->tx_max_ack_delay))
1628 goto err;
1629
f538b421
HL		 1630 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_DATA,
1631 ossl_quic_rxfc_get_cwm(&ch->conn_rxfc)))
1632 goto err;
1633
0815b725 1634 /* Send the default CWM for a new RXFC. */
f538b421 1635 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
0815b725 1636 ch->tx_init_max_stream_data_bidi_local))
f538b421
HL		 1637 goto err;
1638
1639 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
0815b725 1640 ch->tx_init_max_stream_data_bidi_remote))
f538b421
HL		 1641 goto err;
1642
1643 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI,
0815b725 1644 ch->tx_init_max_stream_data_uni))
f538b421
HL		 1645 goto err;
1646
1647 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI,
a6b6ea17 1648 ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc)))
f538b421
HL		 1649 goto err;
1650
1651 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI,
a6b6ea17 1652 ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc)))
f538b421
HL		 1653 goto err;
1654
eff04652
TM		 1655 if (!WPACKET_finish(&wpkt))
1656 goto err;
1657
1658 wpkt_valid = 0;
1659
f538b421
HL		 1660 if (!WPACKET_get_total_written(&wpkt, &buf_len))
1661 goto err;
1662
1663 ch->local_transport_params = (unsigned char *)buf_mem->data;
1664 buf_mem->data = NULL;
1665
f538b421 1666
2723d705 1667 if (!ossl_quic_tls_set_transport_params(ch->qtls, ch->local_transport_params,
f538b421
HL		 1668 buf_len))
1669 goto err;
1670
1671 ok = 1;
1672err:
1673 if (wpkt_valid)
1674 WPACKET_cleanup(&wpkt);
1675 BUF_MEM_free(buf_mem);
1676 return ok;
1677}
1678
1679/*
1680 * QUIC Channel: Ticker-Mutator
1681 * ============================
1682 */
1683
1684/*
1685 * The central ticker function called by the reactor. This does everything, or
1686 * at least everything network I/O related. Best effort - not allowed to fail
1687 * "loudly".
1688 */
632b0c7e
HL		 1689void ossl_quic_channel_subtick(QUIC_CHANNEL *ch, QUIC_TICK_RESULT *res,
1690 uint32_t flags)
f538b421
HL		 1691{
1692 OSSL_TIME now, deadline;
9cf091a3 1693 int channel_only = (flags & QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY) != 0;
f538b421
HL		 1694
1695 /*
1696 * When we tick the QUIC connection, we do everything we need to do
632b0c7e
HL		 1697 * periodically. Network I/O handling will already have been performed
1698 * as necessary by the QUIC port. Thus, in order, we:
f538b421 1699 *
632b0c7e
HL		 1700 * - handle any packets the DEMUX has queued up for us;
1701 * - handle any timer events which are due to fire (ACKM, etc.);
1702 * - generate any packets which need to be sent;
f538b421
HL		 1703 * - determine the time at which we should next be ticked.
1704 */
1705
1706 /* If we are in the TERMINATED state, there is nothing to do. */
c12e1113 1707 if (ossl_quic_channel_is_terminated(ch)) {
b639475a
HL		 1708 res->net_read_desired = 0;
1709 res->net_write_desired = 0;
1710 res->tick_deadline = ossl_time_infinite();
f538b421
HL		 1711 return;
1712 }
1713
1714 /*
1715 * If we are in the TERMINATING state, check if the terminating timer has
1716 * expired.
1717 */
c12e1113 1718 if (ossl_quic_channel_is_terminating(ch)) {
b212d554 1719 now = get_time(ch);
f538b421
HL		 1720
1721 if (ossl_time_compare(now, ch->terminate_deadline) >= 0) {
1722 ch_on_terminating_timeout(ch);
b639475a
HL		 1723 res->net_read_desired = 0;
1724 res->net_write_desired = 0;
1725 res->tick_deadline = ossl_time_infinite();
f538b421
HL		 1726 return; /* abort normal processing, nothing to do */
1727 }
1728 }
1729
632b0c7e 1730 if (!ch->port->inhibit_tick) {
03b38595
HL		 1731 /* Handle RXKU timeouts. */
1732 ch_rxku_tick(ch);
8a65e7a5 1733
03b38595
HL		 1734 do {
1735 /* Process queued incoming packets. */
82b7a0ee
HL		 1736 ch->did_tls_tick = 0;
1737 ch->have_new_rx_secret = 0;
1738 ch_rx(ch, channel_only);
f538b421 1739
03b38595
HL		 1740 /*
1741 * Allow the handshake layer to check for any new incoming data and
1742 * generate new outgoing data.
1743 */
82b7a0ee
HL		 1744 if (!ch->did_tls_tick)
1745 ch_tick_tls(ch, channel_only);
80bcc4f1 1746
03b38595
HL		 1747 /*
1748 * If the handshake layer gave us a new secret, we need to do RX
1749 * again because packets that were not previously processable and
1750 * were deferred might now be processable.
1751 *
44cb36d0 1752 * TODO(QUIC FUTURE): Consider handling this in the yield_secret callback.
03b38595
HL		 1753 */
1754 } while (ch->have_new_rx_secret);
1755 }
f538b421
HL		 1756
1757 /*
03b38595
HL		 1758 * Handle any timer events which are due to fire; namely, the loss
1759 * detection deadline and the idle timeout.
f538b421 1760 *
03b38595
HL		 1761 * ACKM ACK generation deadline is polled by TXP, so we don't need to
1762 * handle it here.
f538b421 1763 */
b212d554 1764 now = get_time(ch);
f538b421
HL		 1765 if (ossl_time_compare(now, ch->idle_deadline) >= 0) {
1766 /*
03b38595
HL		 1767 * Idle timeout differs from normal protocol violation because we do
1768 * not send a CONN_CLOSE frame; go straight to TERMINATED.
f538b421 1769 */
632b0c7e 1770 if (!ch->port->inhibit_tick)
03b38595
HL		 1771 ch_on_idle_timeout(ch);
1772
b639475a
HL		 1773 res->net_read_desired = 0;
1774 res->net_write_desired = 0;
1775 res->tick_deadline = ossl_time_infinite();
f538b421
HL		 1776 return;
1777 }
1778
632b0c7e 1779 if (!ch->port->inhibit_tick) {
03b38595
HL		 1780 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
1781 if (!ossl_time_is_zero(deadline)
1782 && ossl_time_compare(now, deadline) >= 0)
1783 ossl_ackm_on_timeout(ch->ackm);
f538b421 1784
03b38595
HL		 1785 /* If a ping is due, inform TXP. */
1786 if (ossl_time_compare(now, ch->ping_deadline) >= 0) {
1787 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
3b1ab5a3 1788
03b38595 1789 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
c7ed5e46
HL		 1790
1791 /*
1792 * If we have no CC budget at this time we cannot process the above
1793 * PING request immediately. In any case we have scheduled the
1794 * request so bump the ping deadline. If we don't do this we will
1795 * busy-loop endlessly as the above deadline comparison condition
1796 * will still be met.
1797 */
1798 ch_update_ping_deadline(ch);
03b38595 1799 }
3b1ab5a3 1800
632b0c7e 1801 /* Queue any data to be sent for transmission. */
03b38595 1802 ch_tx(ch);
f538b421 1803
03b38595
HL		 1804 /* Do stream GC. */
1805 ossl_quic_stream_map_gc(&ch->qsm);
1806 }
0847e63e 1807
f538b421
HL		 1808 /* Determine the time at which we should next be ticked. */
1809 res->tick_deadline = ch_determine_next_tick_deadline(ch);
1810
df15e990 1811 /*
632b0c7e
HL		 1812 * Always process network input unless we are now terminated. Although we
1813 * had not terminated at the beginning of this tick, network errors in
1814 * ch_tx() may have caused us to transition to the Terminated state.
df15e990 1815 */
c12e1113 1816 res->net_read_desired = !ossl_quic_channel_is_terminated(ch);
f538b421 1817
632b0c7e 1818 /* We want to write to the network if we have any data in our TX queue. */
b639475a 1819 res->net_write_desired
c12e1113 1820 = (!ossl_quic_channel_is_terminated(ch)
df15e990 1821 && ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0);
f538b421
HL		 1822}
1823
82b7a0ee
HL		 1824static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only)
1825{
1826 uint64_t error_code;
1827 const char *error_msg;
1828 ERR_STATE *error_state = NULL;
1829
1830 if (channel_only)
1831 return 1;
1832
1833 ch->did_tls_tick = 1;
1834 ossl_quic_tls_tick(ch->qtls);
1835
1836 if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg,
1837 &error_state)) {
1838 ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0,
1839 error_msg, error_state);
1840 return 0;
1841 }
1842
1843 return 1;
1844}
1845
48120ea5
HL		 1846/* Check incoming forged packet limit and terminate connection if needed. */
1847static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch)
1848{
1849 uint32_t enc_level;
1850 uint64_t limit = UINT64_MAX, l;
1851
1852 for (enc_level = QUIC_ENC_LEVEL_INITIAL;
1853 enc_level < QUIC_ENC_LEVEL_NUM;
1854 ++enc_level)
1855 {
1856 /*
1857 * Different ELs can have different AEADs which can in turn impose
1858 * different limits, so use the lowest value of any currently valid EL.
1859 */
1860 if ((ch->el_discarded & (1U << enc_level)) != 0)
1861 continue;
1862
1863 if (enc_level > ch->rx_enc_level)
1864 break;
1865
1866 l = ossl_qrx_get_max_forged_pkt_count(ch->qrx, enc_level);
1867 if (l < limit)
1868 limit = l;
1869 }
1870
1871 if (ossl_qrx_get_cur_forged_pkt_count(ch->qrx) < limit)
1872 return;
1873
1874 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_AEAD_LIMIT_REACHED, 0,
1875 "forgery limit");
1876}
1877
3bf4dc8c 1878/* Process queued incoming packets and handle frames, if any. */
82b7a0ee 1879static int ch_rx(QUIC_CHANNEL *ch, int channel_only)
f538b421
HL		 1880{
1881 int handled_any = 0;
50e76846 1882 const int closing = ossl_quic_channel_is_closing(ch);
f538b421 1883
b1b06da2 1884 if (!ch->is_server && !ch->have_sent_any_pkt)
f538b421
HL		 1885 /*
1886 * We have not sent anything yet, therefore there is no need to check
75b2920a 1887 * for incoming data.
f538b421
HL		 1888 */
1889 return 1;
1890
f538b421
HL		 1891 for (;;) {
1892 assert(ch->qrx_pkt == NULL);
1893
1894 if (!ossl_qrx_read_pkt(ch->qrx, &ch->qrx_pkt))
1895 break;
1896
50e76846
P		 1897 /* Track the amount of data received while in the closing state */
1898 if (closing)
1899 ossl_quic_tx_packetiser_record_received_closing_bytes(
1900 ch->txp, ch->qrx_pkt->hdr->len);
1901
8fd32a0e 1902 if (!handled_any) {
f538b421 1903 ch_update_idle(ch);
8fd32a0e
TM		 1904 ch_update_ping_deadline(ch);
1905 }
f538b421 1906
82b7a0ee 1907 ch_rx_handle_packet(ch, channel_only); /* best effort */
f538b421
HL		 1908
1909 /*
1910 * Regardless of the outcome of frame handling, unref the packet.
1911 * This will free the packet unless something added another
1912 * reference to it during frame processing.
1913 */
1914 ossl_qrx_pkt_release(ch->qrx_pkt);
1915 ch->qrx_pkt = NULL;
1916
3b1ab5a3 1917 ch->have_sent_ack_eliciting_since_rx = 0;
f538b421
HL		 1918 handled_any = 1;
1919 }
1920
48120ea5
HL		 1921 ch_rx_check_forged_pkt_limit(ch);
1922
f538b421
HL		 1923 /*
1924 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
1925 * process one or more incoming packets.
1926 */
50e76846 1927 if (handled_any && closing)
f538b421
HL		 1928 ch->conn_close_queued = 1;
1929
1930 return 1;
1931}
1932
3ffb7d10
HL		 1933static int bio_addr_eq(const BIO_ADDR *a, const BIO_ADDR *b)
1934{
1935 if (BIO_ADDR_family(a) != BIO_ADDR_family(b))
1936 return 0;
1937
1938 switch (BIO_ADDR_family(a)) {
1939 case AF_INET:
1940 return !memcmp(&a->s_in.sin_addr,
1941 &b->s_in.sin_addr,
1942 sizeof(a->s_in.sin_addr))
1943 && a->s_in.sin_port == b->s_in.sin_port;
9c8d04db 1944#if OPENSSL_USE_IPV6
3ffb7d10
HL		 1945 case AF_INET6:
1946 return !memcmp(&a->s_in6.sin6_addr,
1947 &b->s_in6.sin6_addr,
1948 sizeof(a->s_in6.sin6_addr))
1949 && a->s_in6.sin6_port == b->s_in6.sin6_port;
9c8d04db 1950#endif
3ffb7d10
HL		 1951 default:
1952 return 0; /* not supported */
1953 }
1954
1955 return 1;
1956}
1957
f538b421 1958/* Handles the packet currently in ch->qrx_pkt->hdr. */
82b7a0ee 1959static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only)
f538b421
HL		 1960{
1961 uint32_t enc_level;
777a8a7f 1962 int old_have_processed_any_pkt = ch->have_processed_any_pkt;
f538b421
HL		 1963
1964 assert(ch->qrx_pkt != NULL);
1965
50e76846
P		 1966 /*
1967 * RFC 9000 s. 10.2.1 Closing Connection State:
1968 * An endpoint that is closing is not required to process any
1969 * received frame.
1970 */
8a6a00e3 1971 if (!ossl_quic_channel_is_active(ch))
8a6a00e3
HL		 1972 return;
1973
f538b421
HL		 1974 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)) {
1975 if (!ch->have_received_enc_pkt) {
eff04652 1976 ch->cur_remote_dcid = ch->init_scid = ch->qrx_pkt->hdr->src_conn_id;
f538b421
HL		 1977 ch->have_received_enc_pkt = 1;
1978
1979 /*
1980 * We change to using the SCID in the first Initial packet as the
1981 * DCID.
1982 */
1983 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->init_scid);
1984 }
1985
1986 enc_level = ossl_quic_pkt_type_to_enc_level(ch->qrx_pkt->hdr->type);
1987 if ((ch->el_discarded & (1U << enc_level)) != 0)
1988 /* Do not process packets from ELs we have already discarded. */
1989 return;
1990 }
1991
3ffb7d10
HL		 1992 /*
1993 * RFC 9000 s. 9.6: "If a client receives packets from a new server address
1994 * when the client has not initiated a migration to that address, the client
1995 * SHOULD discard these packets."
1996 *
1997 * We need to be a bit careful here as due to the BIO abstraction layer an
1998 * application is liable to be weird and lie to us about peer addresses.
96b7df60
HL		 1999 * Only apply this check if we actually are using a real AF_INET or AF_INET6
2000 * address.
3ffb7d10
HL		 2001 */
2002 if (!ch->is_server
2003 && ch->qrx_pkt->peer != NULL
9c8d04db
TC		 2004 && (
2005 BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET
2006#if OPENSSL_USE_IPV6
2007 || BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET6
2008#endif
2009 )
3ffb7d10
HL		 2010 && !bio_addr_eq(ch->qrx_pkt->peer, &ch->cur_peer_addr))
2011 return;
2012
0911cb4a
HL		 2013 if (!ch->is_server
2014 && ch->have_received_enc_pkt
2015 && ossl_quic_pkt_type_has_scid(ch->qrx_pkt->hdr->type)) {
2016 /*
3ffb7d10 2017 * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
0911cb4a
HL		 2018 * from the server, it MUST discard any subsequent packet it receives on
2019 * that connection with a different SCID."
2020 */
2021 if (!ossl_quic_conn_id_eq(&ch->qrx_pkt->hdr->src_conn_id,
2022 &ch->init_scid))
2023 return;
2024 }
2025
2026 if (ossl_quic_pkt_type_has_version(ch->qrx_pkt->hdr->type)
2027 && ch->qrx_pkt->hdr->version != QUIC_VERSION_1)
2028 /*
2029 * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
2030 * different version than it initially selected, it MUST discard the
2031 * packet. We only ever use v1, so require it.
2032 */
2033 return;
2034
777a8a7f
HL		 2035 ch->have_processed_any_pkt = 1;
2036
08cb9a83
HL		 2037 /*
2038 * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
2039 * non-zero value for [the reserved bits] after removing both packet and
2040 * header protection as a connection error of type PROTOCOL_VIOLATION."
2041 */
2042 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)
2043 && ch->qrx_pkt->hdr->reserved != 0) {
2044 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2045 0, "packet header reserved bits");
2046 return;
2047 }
2048
f538b421
HL		 2049 /* Handle incoming packet. */
2050 switch (ch->qrx_pkt->hdr->type) {
75b2920a 2051 case QUIC_PKT_TYPE_RETRY:
b1b06da2 2052 if (ch->doing_retry || ch->is_server)
75b2920a
HL		 2053 /*
2054 * It is not allowed to ask a client to do a retry more than
b1b06da2 2055 * once. Clients may not send retries.
75b2920a
HL		 2056 */
2057 return;
f538b421 2058
56e30325
MC		 2059 /*
2060 * RFC 9000 s 17.2.5.2: After the client has received and processed an
2061 * Initial or Retry packet from the server, it MUST discard any
2062 * subsequent Retry packets that it receives.
2063 */
2064 if (ch->have_received_enc_pkt)
2065 return;
2066
75b2920a
HL		 2067 if (ch->qrx_pkt->hdr->len <= QUIC_RETRY_INTEGRITY_TAG_LEN)
2068 /* Packets with zero-length Retry Tokens are invalid. */
2069 return;
f538b421 2070
75b2920a 2071 /*
44cb36d0 2072 * TODO(QUIC FUTURE): Theoretically this should probably be in the QRX.
75b2920a
HL		 2073 * However because validation is dependent on context (namely the
2074 * client's initial DCID) we can't do this cleanly. In the future we
2075 * should probably add a callback to the QRX to let it call us (via
2076 * the DEMUX) and ask us about the correct original DCID, rather
2077 * than allow the QRX to emit a potentially malformed packet to the
2078 * upper layers. However, special casing this will do for now.
2079 */
34fa182e
HL		 2080 if (!ossl_quic_validate_retry_integrity_tag(ch->port->libctx,
2081 ch->port->propq,
75b2920a
HL		 2082 ch->qrx_pkt->hdr,
2083 &ch->init_dcid))
2084 /* Malformed retry packet, ignore. */
2085 return;
f538b421 2086
96014840
TM		 2087 if (!ch_retry(ch, ch->qrx_pkt->hdr->data,
2088 ch->qrx_pkt->hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN,
2089 &ch->qrx_pkt->hdr->src_conn_id))
2090 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR,
2091 0, "handling retry packet");
75b2920a 2092 break;
f538b421 2093
75b2920a 2094 case QUIC_PKT_TYPE_0RTT:
b1b06da2
HL		 2095 if (!ch->is_server)
2096 /* Clients should never receive 0-RTT packets. */
2097 return;
2098
2099 /*
44cb36d0
TM		 2100 * TODO(QUIC 0RTT): Implement 0-RTT on the server side. We currently
2101 * do not need to implement this as a client can only do 0-RTT if we
b1b06da2
HL		 2102 * have given it permission to in a previous session.
2103 */
75b2920a
HL		 2104 break;
2105
b1b06da2
HL		 2106 case QUIC_PKT_TYPE_INITIAL:
2107 case QUIC_PKT_TYPE_HANDSHAKE:
2108 case QUIC_PKT_TYPE_1RTT:
b6125b54 2109 if (ch->is_server && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_HANDSHAKE)
75b2920a
HL		 2110 /*
2111 * We automatically drop INITIAL EL keys when first successfully
2112 * decrypting a HANDSHAKE packet, as per the RFC.
2113 */
2114 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
2115
54fb0072
HL		 2116 if (ch->rxku_in_progress
2117 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_1RTT
2118 && ch->qrx_pkt->pn >= ch->rxku_trigger_pn
2119 && ch->qrx_pkt->key_epoch < ossl_qrx_get_key_epoch(ch->qrx)) {
2120 /*
2121 * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
2122 * protected with either the same or newer packet protection keys
2123 * than packets with lower packet numbers. An endpoint that
2124 * successfully removes protection with old keys when newer keys
2125 * were used for packets with lower packet numbers MUST treat this
2126 * as a connection error of type KEY_UPDATE_ERROR.
2127 */
2128 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_KEY_UPDATE_ERROR,
2129 0, "new packet with old keys");
2130 break;
2131 }
2132
fd0d5932
HL		 2133 if (!ch->is_server
2134 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_INITIAL
2135 && ch->qrx_pkt->hdr->token_len > 0) {
2136 /*
2137 * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
2138 * non-zero Token Length field MUST either discard the packet or
2139 * generate a connection error of type PROTOCOL_VIOLATION.
bed20874 2140 *
8e520d27 2141 * TODO(QUIC FUTURE): consider the implications of RFC 9000 s. 10.2.3
bed20874
P		 2142 * Immediate Close during the Handshake:
2143 * However, at the cost of reducing feedback about
2144 * errors for legitimate peers, some forms of denial of
2145 * service can be made more difficult for an attacker
2146 * if endpoints discard illegal packets rather than
2147 * terminating a connection with CONNECTION_CLOSE. For
2148 * this reason, endpoints MAY discard packets rather
2149 * than immediately close if errors are detected in
2150 * packets that lack authentication.
2151 * I.e. should we drop this packet instead of closing the connection?
fd0d5932
HL		 2152 */
2153 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2154 0, "client received initial token");
2155 break;
2156 }
2157
75b2920a
HL		 2158 /* This packet contains frames, pass to the RXDP. */
2159 ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */
82b7a0ee
HL		 2160
2161 if (ch->did_crypto_frame)
2162 ch_tick_tls(ch, channel_only);
2163
75b2920a 2164 break;
b1b06da2 2165
777a8a7f
HL		 2166 case QUIC_PKT_TYPE_VERSION_NEG:
2167 /*
2168 * "A client MUST discard any Version Negotiation packet if it has
2169 * received and successfully processed any other packet."
2170 */
2171 if (!old_have_processed_any_pkt)
2172 ch_rx_handle_version_neg(ch, ch->qrx_pkt);
2173
2174 break;
2175
b1b06da2
HL		 2176 default:
2177 assert(0);
2178 break;
2179 }
2180}
2181
777a8a7f
HL		 2182static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt)
2183{
2184 /*
2185 * We do not support version negotiation at this time. As per RFC 9000 s.
2186 * 6.2., we MUST abandon the connection attempt if we receive a Version
2187 * Negotiation packet, unless we have already successfully processed another
2188 * incoming packet, or the packet lists the QUIC version we want to use.
2189 */
2190 PACKET vpkt;
2191 unsigned long v;
2192
2193 if (!PACKET_buf_init(&vpkt, pkt->hdr->data, pkt->hdr->len))
2194 return;
2195
2196 while (PACKET_remaining(&vpkt) > 0) {
2197 if (!PACKET_get_net_4(&vpkt, &v))
2198 break;
2199
2200 if ((uint32_t)v == QUIC_VERSION_1)
2201 return;
2202 }
2203
2204 /* No match, this is a failure case. */
2205 ch_raise_version_neg_failure(ch);
2206}
2207
2208static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch)
2209{
2210 QUIC_TERMINATE_CAUSE tcause = {0};
2211
2212 tcause.error_code = QUIC_ERR_CONNECTION_REFUSED;
2213 tcause.reason = "version negotiation failure";
2214 tcause.reason_len = strlen(tcause.reason);
2215
2216 /*
2217 * Skip TERMINATING state; this is not considered a protocol error and we do
2218 * not send CONNECTION_CLOSE.
2219 */
2220 ch_start_terminating(ch, &tcause, 1);
2221}
2222
f538b421
HL		 2223/* Try to generate packets and if possible, flush them to the network. */
2224static int ch_tx(QUIC_CHANNEL *ch)
2225{
a3a51d6e 2226 QUIC_TXP_STATUS status;
64fd6991 2227 int res;
3b1ab5a3 2228
afe4a797
P		 2229 /*
2230 * RFC 9000 s. 10.2.2: Draining Connection State:
2231 * While otherwise identical to the closing state, an endpoint
2232 * in the draining state MUST NOT send any packets.
2233 * and:
2234 * An endpoint MUST NOT send further packets.
2235 */
2236 if (ossl_quic_channel_is_draining(ch))
2237 return 0;
2238
2239 if (ossl_quic_channel_is_closing(ch)) {
f538b421
HL		 2240 /*
2241 * While closing, only send CONN_CLOSE if we've received more traffic
2242 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
2243 * future calls to it generate CONN_CLOSE frames, so otherwise we would
2244 * just constantly generate CONN_CLOSE frames.
6b3b5f9d 2245 *
afe4a797 2246 * Confirming to RFC 9000 s. 10.2.1 Closing Connection State:
6b3b5f9d 2247 * An endpoint SHOULD limit the rate at which it generates
afe4a797 2248 * packets in the closing state.
f538b421
HL		 2249 */
2250 if (!ch->conn_close_queued)
2251 return 0;
2252
2253 ch->conn_close_queued = 0;
2254 }
2255
8a65e7a5
HL		 2256 /* Do TXKU if we need to. */
2257 ch_maybe_trigger_spontaneous_txku(ch);
2258
2259 ch->rxku_pending_confirm_done = 0;
2260
aa433014
MC		 2261 /* Loop until we stop generating packets to send */
2262 do {
3b1ab5a3 2263 /*
aa433014
MC		 2264 * Send packet, if we need to. Best effort. The TXP consults the CC and
2265 * applies any limitations imposed by it, so we don't need to do it here.
2266 *
2267 * Best effort. In particular if TXP fails for some reason we should
2268 * still flush any queued packets which we already generated.
2269 */
2270 res = ossl_quic_tx_packetiser_generate(ch->txp, &status);
2271 if (status.sent_pkt > 0) {
2272 ch->have_sent_any_pkt = 1; /* Packet(s) were sent */
3b1ab5a3 2273
3eb0f9a7 2274 /*
aa433014
MC		 2275 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
2276 * sending an ack-eliciting packet if no other ack-eliciting packets
2277 * have been sent since last receiving and processing a packet.'
2278 */
2279 if (status.sent_ack_eliciting
2280 && !ch->have_sent_ack_eliciting_since_rx) {
2281 ch_update_idle(ch);
2282 ch->have_sent_ack_eliciting_since_rx = 1;
2283 }
3eb0f9a7 2284
aa433014
MC		 2285 if (!ch->is_server && status.sent_handshake)
2286 /*
2287 * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
2288 * first sends a Handshake packet.
2289 */
2290 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
8a65e7a5 2291
aa433014
MC		 2292 if (ch->rxku_pending_confirm_done)
2293 ch->rxku_pending_confirm = 0;
5a1b1d2b 2294
aa433014
MC		 2295 ch_update_ping_deadline(ch);
2296 }
2297
2298 if (!res) {
2299 /*
2300 * One case where TXP can fail is if we reach a TX PN of 2**62 - 1.
2301 * As per RFC 9000 s. 12.3, if this happens we MUST close the
2302 * connection without sending a CONNECTION_CLOSE frame. This is
2303 * actually handled as an emergent consequence of our design, as the
2304 * TX packetiser will never transmit another packet when the TX PN
2305 * reaches the limit.
2306 *
2307 * Calling the below function terminates the connection; its attempt
2308 * to schedule a CONNECTION_CLOSE frame will not actually cause a
2309 * packet to be transmitted for this reason.
2310 */
2311 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR,
2312 0,
2313 "internal error (txp generate)");
2314 break;
2315 }
2316 } while (status.sent_pkt > 0);
df15e990
HL		 2317
2318 /* Flush packets to network. */
2319 switch (ossl_qtx_flush_net(ch->qtx)) {
2320 case QTX_FLUSH_NET_RES_OK:
2321 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL:
2322 /* Best effort, done for now. */
2323 break;
2324
2325 case QTX_FLUSH_NET_RES_PERMANENT_FAIL:
2326 default:
2327 /* Permanent underlying network BIO, start terminating. */
632b0c7e 2328 ossl_quic_port_raise_net_error(ch->port);
df15e990
HL		 2329 break;
2330 }
f538b421 2331
f538b421
HL		 2332 return 1;
2333}
2334
2335/* Determine next tick deadline. */
2336static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch)
2337{
2338 OSSL_TIME deadline;
ca711651 2339 int i;
f538b421 2340
c12e1113 2341 if (ossl_quic_channel_is_terminated(ch))
df15e990
HL		 2342 return ossl_time_infinite();
2343
f538b421
HL		 2344 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
2345 if (ossl_time_is_zero(deadline))
2346 deadline = ossl_time_infinite();
2347
ca711651 2348 /*
4d100bb7
HL		 2349 * Check the ack deadline for all enc_levels that are actually provisioned.
2350 * ACKs aren't restricted by CC.
ca711651 2351 */
4d100bb7
HL		 2352 for (i = 0; i < QUIC_ENC_LEVEL_NUM; i++) {
2353 if (ossl_qtx_is_enc_level_provisioned(ch->qtx, i)) {
2354 deadline = ossl_time_min(deadline,
2355 ossl_ackm_get_ack_deadline(ch->ackm,
2356 ossl_quic_enc_level_to_pn_space(i)));
ca711651
MC		 2357 }
2358 }
f538b421 2359
4d100bb7
HL		 2360 /*
2361 * When do we need to send an ACK-eliciting packet to reset the idle
2362 * deadline timer for the peer?
2363 */
2364 if (!ossl_time_is_infinite(ch->ping_deadline))
2365 deadline = ossl_time_min(deadline, ch->ping_deadline);
2366
c206f2aa
HL		 2367 /* Apply TXP wakeup deadline. */
2368 deadline = ossl_time_min(deadline,
2369 ossl_quic_tx_packetiser_get_deadline(ch->txp));
f538b421
HL		 2370
2371 /* Is the terminating timer armed? */
c12e1113 2372 if (ossl_quic_channel_is_terminating(ch))
f538b421
HL		 2373 deadline = ossl_time_min(deadline,
2374 ch->terminate_deadline);
2375 else if (!ossl_time_is_infinite(ch->idle_deadline))
2376 deadline = ossl_time_min(deadline,
2377 ch->idle_deadline);
2378
8a65e7a5
HL		 2379 /* When does the RXKU process complete? */
2380 if (ch->rxku_in_progress)
2381 deadline = ossl_time_min(deadline, ch->rxku_update_end_deadline);
2382
f538b421
HL		 2383 return deadline;
2384}
2385
f538b421
HL		 2386/*
2387 * QUIC Channel: Lifecycle Events
2388 * ==============================
2389 */
f538b421
HL		 2390int ossl_quic_channel_start(QUIC_CHANNEL *ch)
2391{
b1b06da2
HL		 2392 if (ch->is_server)
2393 /*
2394 * This is not used by the server. The server moves to active
2395 * automatically on receiving an incoming connection.
2396 */
2397 return 0;
2398
f538b421
HL		 2399 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
2400 /* Calls to connect are idempotent */
2401 return 1;
2402
2403 /* Inform QTX of peer address. */
2404 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
2405 return 0;
2406
2407 /* Plug in secrets for the Initial EL. */
34fa182e
HL		 2408 if (!ossl_quic_provide_initial_secret(ch->port->libctx,
2409 ch->port->propq,
f538b421 2410 &ch->init_dcid,
091f532e 2411 ch->is_server,
f538b421
HL		 2412 ch->qrx, ch->qtx))
2413 return 0;
2414
2415 /* Change state. */
2416 ch->state = QUIC_CHANNEL_STATE_ACTIVE;
2417 ch->doing_proactive_ver_neg = 0; /* not currently supported */
2418
2419 /* Handshake layer: start (e.g. send CH). */
82b7a0ee 2420 if (!ch_tick_tls(ch, /*channel_only=*/0))
f538b421
HL		 2421 return 0;
2422
632b0c7e 2423 ossl_quic_reactor_tick(ossl_quic_port_get0_reactor(ch->port), 0); /* best effort */
f538b421
HL		 2424 return 1;
2425}
2426
2427/* Start a locally initiated connection shutdown. */
40c8c756
HL		 2428void ossl_quic_channel_local_close(QUIC_CHANNEL *ch, uint64_t app_error_code,
2429 const char *app_reason)
f538b421
HL		 2430{
2431 QUIC_TERMINATE_CAUSE tcause = {0};
2432
c12e1113 2433 if (ossl_quic_channel_is_term_any(ch))
f538b421
HL		 2434 return;
2435
e8043229
HL		 2436 tcause.app = 1;
2437 tcause.error_code = app_error_code;
40c8c756
HL		 2438 tcause.reason = app_reason;
2439 tcause.reason_len = app_reason != NULL ? strlen(app_reason) : 0;
df15e990 2440 ch_start_terminating(ch, &tcause, 0);
f538b421
HL		 2441}
2442
2443static void free_token(const unsigned char *buf, size_t buf_len, void *arg)
2444{
2445 OPENSSL_free((unsigned char *)buf);
2446}
2447
2448/* Called when a server asks us to do a retry. */
2449static int ch_retry(QUIC_CHANNEL *ch,
2450 const unsigned char *retry_token,
2451 size_t retry_token_len,
2452 const QUIC_CONN_ID *retry_scid)
2453{
2454 void *buf;
2455
212616ed
HL		 2456 /*
2457 * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
2458 * a SCID field that is identical to the DCID field of its initial packet."
2459 */
2460 if (ossl_quic_conn_id_eq(&ch->init_dcid, retry_scid))
96014840 2461 return 1;
212616ed 2462
f538b421
HL		 2463 /* We change to using the SCID in the Retry packet as the DCID. */
2464 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, retry_scid))
2465 return 0;
2466
2467 /*
2468 * Now we retry. We will release the Retry packet immediately, so copy
2469 * the token.
2470 */
e28f512f 2471 if ((buf = OPENSSL_memdup(retry_token, retry_token_len)) == NULL)
f538b421
HL		 2472 return 0;
2473
461d4117
HL		 2474 if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, buf,
2475 retry_token_len,
2476 free_token, NULL)) {
2477 /*
2478 * This may fail if the token we receive is too big for us to ever be
2479 * able to transmit in an outgoing Initial packet.
2480 */
2481 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INVALID_TOKEN, 0,
2482 "received oversize token");
2483 OPENSSL_free(buf);
2484 return 0;
2485 }
f538b421
HL		 2486
2487 ch->retry_scid = *retry_scid;
2488 ch->doing_retry = 1;
2489
2490 /*
2491 * We need to stimulate the Initial EL to generate the first CRYPTO frame
2492 * again. We can do this most cleanly by simply forcing the ACKM to consider
2493 * the first Initial packet as lost, which it effectively was as the server
2494 * hasn't processed it. This also maintains the desired behaviour with e.g.
2495 * PNs not resetting and so on.
2496 *
2497 * The PN we used initially is always zero, because QUIC does not allow
2498 * repeated retries.
2499 */
2500 if (!ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
2501 /*PN=*/0))
2502 return 0;
2503
2504 /*
2505 * Plug in new secrets for the Initial EL. This is the only time we change
2506 * the secrets for an EL after we already provisioned it.
2507 */
34fa182e
HL		 2508 if (!ossl_quic_provide_initial_secret(ch->port->libctx,
2509 ch->port->propq,
f538b421
HL		 2510 &ch->retry_scid,
2511 /*is_server=*/0,
2512 ch->qrx, ch->qtx))
2513 return 0;
2514
2515 return 1;
2516}
2517
2518/* Called when an EL is to be discarded. */
2519static int ch_discard_el(QUIC_CHANNEL *ch,
2520 uint32_t enc_level)
2521{
2522 if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_1RTT))
2523 return 0;
2524
2525 if ((ch->el_discarded & (1U << enc_level)) != 0)
2526 /* Already done. */
2527 return 1;
2528
2529 /* Best effort for all of these. */
2530 ossl_quic_tx_packetiser_discard_enc_level(ch->txp, enc_level);
2531 ossl_qrx_discard_enc_level(ch->qrx, enc_level);
2532 ossl_qtx_discard_enc_level(ch->qtx, enc_level);
2533
2534 if (enc_level != QUIC_ENC_LEVEL_0RTT) {
2535 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
2536
2537 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
2538
2539 /* We should still have crypto streams at this point. */
79534440
HL		 2540 if (!ossl_assert(ch->crypto_send[pn_space] != NULL)
2541 || !ossl_assert(ch->crypto_recv[pn_space] != NULL))
2542 return 0;
f538b421
HL		 2543
2544 /* Get rid of the crypto stream state for the EL. */
2545 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
2546 ch->crypto_send[pn_space] = NULL;
2547
2548 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
2549 ch->crypto_recv[pn_space] = NULL;
2550 }
2551
2552 ch->el_discarded |= (1U << enc_level);
2553 return 1;
2554}
2555
2556/* Intended to be called by the RXDP. */
2557int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch)
2558{
2559 if (ch->handshake_confirmed)
2560 return 1;
2561
2562 if (!ch->handshake_complete) {
2563 /*
2564 * Does not make sense for handshake to be confirmed before it is
2565 * completed.
2566 */
2567 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2568 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE,
2569 "handshake cannot be confirmed "
2570 "before it is completed");
2571 return 0;
2572 }
2573
2574 ch_discard_el(ch, QUIC_ENC_LEVEL_HANDSHAKE);
2575 ch->handshake_confirmed = 1;
29a541fe 2576 ossl_ackm_on_handshake_confirmed(ch->ackm);
f538b421
HL		 2577 return 1;
2578}
2579
2580/*
2581 * Master function used when we want to start tearing down a connection:
2582 *
2583 * - If the connection is still IDLE we can go straight to TERMINATED;
2584 *
2585 * - If we are already TERMINATED this is a no-op.
2586 *
2587 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
9bbc5b54 2588 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
f538b421
HL		 2589 *
2590 * - If we are TERMINATING - DRAINING, we remain here until the terminating
2591 * timer expires.
2592 *
2593 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
2594 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
2595 * that we are considered to have caused a termination if we sent the first
2596 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
2597 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
2598 * TERMINATING - DRAINING.
2599 *
2600 * We record the termination cause structure passed on the first call only.
2601 * Any successive calls have their termination cause data discarded;
2602 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
2603 * in it.
6b3b5f9d
P		 2604 *
2605 * This conforms to RFC 9000 s. 10.2.1: Closing Connection State:
2606 * To minimize the state that an endpoint maintains for a closing
2607 * connection, endpoints MAY send the exact same packet in response
2608 * to any received packet.
2609 *
2610 * We don't drop any connection state (specifically packet protection keys)
2611 * even though we are permitted to. This conforms to RFC 9000 s. 10.2.1:
2612 * Closing Connection State:
2613 * An endpoint MAY retain packet protection keys for incoming
2614 * packets to allow it to read and process a CONNECTION_CLOSE frame.
2615 *
2616 * Note that we do not conform to these two from the same section:
2617 * An endpoint's selected connection ID and the QUIC version
2618 * are sufficient information to identify packets for a closing
2619 * connection; the endpoint MAY discard all other connection state.
2620 * and:
2621 * An endpoint MAY drop packet protection keys when entering the
2622 * closing state and send a packet containing a CONNECTION_CLOSE
2623 * frame in response to any UDP datagram that is received.
f538b421 2624 */
40c8c756
HL		 2625static void copy_tcause(QUIC_TERMINATE_CAUSE *dst,
2626 const QUIC_TERMINATE_CAUSE *src)
2627{
2628 dst->error_code = src->error_code;
2629 dst->frame_type = src->frame_type;
2630 dst->app = src->app;
2631 dst->remote = src->remote;
2632
2633 dst->reason = NULL;
2634 dst->reason_len = 0;
2635
2636 if (src->reason != NULL && src->reason_len > 0) {
2637 size_t l = src->reason_len;
2638 char *r;
2639
2640 if (l >= SIZE_MAX)
2641 --l;
2642
2643 /*
2644 * If this fails, dst->reason becomes NULL and we simply do not use a
2645 * reason. This ensures termination is infallible.
2646 */
2647 dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
2648 if (r == NULL)
2649 return;
2650
2651 r[l] = '\0';
2652 dst->reason_len = l;
2653 }
2654}
2655
f538b421 2656static void ch_start_terminating(QUIC_CHANNEL *ch,
df15e990
HL		 2657 const QUIC_TERMINATE_CAUSE *tcause,
2658 int force_immediate)
f538b421 2659{
549d0a70
HL		 2660 /* No point sending anything if we haven't sent anything yet. */
2661 if (!ch->have_sent_any_pkt)
2662 force_immediate = 1;
2663
f538b421 2664 switch (ch->state) {
75b2920a
HL		 2665 default:
2666 case QUIC_CHANNEL_STATE_IDLE:
40c8c756 2667 copy_tcause(&ch->terminate_cause, tcause);
75b2920a
HL		 2668 ch_on_terminating_timeout(ch);
2669 break;
2670
2671 case QUIC_CHANNEL_STATE_ACTIVE:
40c8c756 2672 copy_tcause(&ch->terminate_cause, tcause);
df15e990
HL		 2673
2674 if (!force_immediate) {
2675 ch->state = tcause->remote ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
2676 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
a441d08b
P		 2677 /*
2678 * RFC 9000 s. 10.2 Immediate Close
2679 * These states SHOULD persist for at least three times
2680 * the current PTO interval as defined in [QUIC-RECOVERY].
2681 */
df15e990 2682 ch->terminate_deadline
b212d554 2683 = ossl_time_add(get_time(ch),
df15e990
HL		 2684 ossl_time_multiply(ossl_ackm_get_pto_duration(ch->ackm),
2685 3));
2686
2687 if (!tcause->remote) {
2688 OSSL_QUIC_FRAME_CONN_CLOSE f = {0};
2689
2690 /* best effort */
2691 f.error_code = ch->terminate_cause.error_code;
2692 f.frame_type = ch->terminate_cause.frame_type;
2693 f.is_app = ch->terminate_cause.app;
40c8c756
HL		 2694 f.reason = (char *)ch->terminate_cause.reason;
2695 f.reason_len = ch->terminate_cause.reason_len;
df15e990 2696 ossl_quic_tx_packetiser_schedule_conn_close(ch->txp, &f);
afe4a797
P		 2697 /*
2698 * RFC 9000 s. 10.2.2 Draining Connection State:
2699 * An endpoint that receives a CONNECTION_CLOSE frame MAY
2700 * send a single packet containing a CONNECTION_CLOSE
2701 * frame before entering the draining state, using a
2702 * NO_ERROR code if appropriate
2703 */
df15e990
HL		 2704 ch->conn_close_queued = 1;
2705 }
2706 } else {
2707 ch_on_terminating_timeout(ch);
75b2920a
HL		 2708 }
2709 break;
f538b421 2710
75b2920a 2711 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING:
df15e990
HL		 2712 if (force_immediate)
2713 ch_on_terminating_timeout(ch);
2714 else if (tcause->remote)
afe4a797
P		 2715 /*
2716 * RFC 9000 s. 10.2.2 Draining Connection State:
2717 * An endpoint MAY enter the draining state from the
2718 * closing state if it receives a CONNECTION_CLOSE frame,
2719 * which indicates that the peer is also closing or draining.
2720 */
75b2920a 2721 ch->state = QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
f538b421 2722
75b2920a 2723 break;
f538b421 2724
75b2920a 2725 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING:
df15e990
HL		 2726 /*
2727 * Other than in the force-immediate case, we remain here until the
eb4129e1 2728 * timeout expires.
df15e990
HL		 2729 */
2730 if (force_immediate)
2731 ch_on_terminating_timeout(ch);
2732
75b2920a 2733 break;
f538b421 2734
75b2920a
HL		 2735 case QUIC_CHANNEL_STATE_TERMINATED:
2736 /* No-op. */
2737 break;
f538b421
HL		 2738 }
2739}
2740
2741/* For RXDP use. */
2742void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
2743 OSSL_QUIC_FRAME_CONN_CLOSE *f)
2744{
2745 QUIC_TERMINATE_CAUSE tcause = {0};
2746
2747 if (!ossl_quic_channel_is_active(ch))
2748 return;
2749
2750 tcause.remote = 1;
2751 tcause.app = f->is_app;
2752 tcause.error_code = f->error_code;
2753 tcause.frame_type = f->frame_type;
40c8c756
HL		 2754 tcause.reason = f->reason;
2755 tcause.reason_len = f->reason_len;
df15e990
HL		 2756 ch_start_terminating(ch, &tcause, 0);
2757}
2758
eff04652
TM		 2759static void free_frame_data(unsigned char *buf, size_t buf_len, void *arg)
2760{
2761 OPENSSL_free(buf);
2762}
2763
2764static int ch_enqueue_retire_conn_id(QUIC_CHANNEL *ch, uint64_t seq_num)
2765{
96014840 2766 BUF_MEM *buf_mem = NULL;
eff04652
TM		 2767 WPACKET wpkt;
2768 size_t l;
2769
5f86ae32 2770 ossl_quic_srtm_remove(ch->srtm, ch, seq_num);
cdd91631 2771
eff04652 2772 if ((buf_mem = BUF_MEM_new()) == NULL)
96014840 2773 goto err;
eff04652
TM		 2774
2775 if (!WPACKET_init(&wpkt, buf_mem))
2776 goto err;
2777
2778 if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt, seq_num)) {
2779 WPACKET_cleanup(&wpkt);
2780 goto err;
2781 }
2782
2783 WPACKET_finish(&wpkt);
2784 if (!WPACKET_get_total_written(&wpkt, &l))
2785 goto err;
2786
2787 if (ossl_quic_cfq_add_frame(ch->cfq, 1, QUIC_PN_SPACE_APP,
371c2958 2788 OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID, 0,
eff04652
TM		 2789 (unsigned char *)buf_mem->data, l,
2790 free_frame_data, NULL) == NULL)
2791 goto err;
2792
2793 buf_mem->data = NULL;
2794 BUF_MEM_free(buf_mem);
2795 return 1;
2796
2797err:
2798 ossl_quic_channel_raise_protocol_error(ch,
2799 QUIC_ERR_INTERNAL_ERROR,
2800 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2801 "internal error enqueueing retire conn id");
2802 BUF_MEM_free(buf_mem);
2803 return 0;
2804}
2805
2806void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL *ch,
2807 OSSL_QUIC_FRAME_NEW_CONN_ID *f)
2808{
2809 uint64_t new_remote_seq_num = ch->cur_remote_seq_num;
2810 uint64_t new_retire_prior_to = ch->cur_retire_prior_to;
2811
2812 if (!ossl_quic_channel_is_active(ch))
2813 return;
2814
2815 /* We allow only two active connection ids; first check some constraints */
eff04652
TM		 2816 if (ch->cur_remote_dcid.id_len == 0) {
2817 /* Changing from 0 length connection id is disallowed */
2818 ossl_quic_channel_raise_protocol_error(ch,
2819 QUIC_ERR_PROTOCOL_VIOLATION,
2820 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2821 "zero length connection id in use");
2822
2823 return;
2824 }
2825
2826 if (f->seq_num > new_remote_seq_num)
2827 new_remote_seq_num = f->seq_num;
2828 if (f->retire_prior_to > new_retire_prior_to)
2829 new_retire_prior_to = f->retire_prior_to;
2830
985429f4
P		 2831 /*
2832 * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
2833 * than the peer's limit.
2834 *
2835 * After processing a NEW_CONNECTION_ID frame and adding and retiring
2836 * active connection IDs, if the number of active connection IDs exceeds
2837 * the value advertised in its active_connection_id_limit transport
2838 * parameter, an endpoint MUST close the connection with an error of
2839 * type CONNECTION_ID_LIMIT_ERROR.
2840 */
2841 if (new_remote_seq_num - new_retire_prior_to > 1) {
eff04652
TM		 2842 ossl_quic_channel_raise_protocol_error(ch,
2843 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
2844 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2845 "active_connection_id limit violated");
985429f4
P		 2846 return;
2847 }
2848
2849 /*
2850 * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
2851 * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
2852 * the retirement of any excess, by including a sufficiently large
2853 * value in the Retire Prior To field.
2854 *
2855 * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
2856 * a number of RETIRE_CONNECTION_ID frames of at least twice the value
2857 * of the active_connection_id_limit transport parameter. An endpoint
2858 * MUST NOT forget a connection ID without retiring it, though it MAY
2859 * choose to treat having connection IDs in need of retirement that
2860 * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
2861 *
2862 * We are a little bit more liberal than the minimum mandated.
2863 */
2864 if (new_retire_prior_to - ch->cur_retire_prior_to > 10) {
2865 ossl_quic_channel_raise_protocol_error(ch,
2866 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
2867 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2868 "retiring connection id limit violated");
eff04652
TM		 2869
2870 return;
2871 }
2872
2873 if (new_remote_seq_num > ch->cur_remote_seq_num) {
cdd91631 2874 /* Add new stateless reset token */
5f86ae32
HL		 2875 if (!ossl_quic_srtm_add(ch->srtm, ch, new_remote_seq_num,
2876 &f->stateless_reset)) {
cdd91631
P		 2877 ossl_quic_channel_raise_protocol_error(
2878 ch, QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
2879 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2880 "unable to store stateless reset token");
2881
2882 return;
2883 }
eff04652
TM		 2884 ch->cur_remote_seq_num = new_remote_seq_num;
2885 ch->cur_remote_dcid = f->conn_id;
2886 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid);
2887 }
5cc73695 2888
985429f4
P		 2889 /*
2890 * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
2891 * field, the peer MUST stop using the corresponding connection IDs
2892 * and retire them with RETIRE_CONNECTION_ID frames before adding the
2893 * newly provided connection ID to the set of active connection IDs.
2894 */
5cc73695
HL		 2895
2896 /*
2897 * Note: RFC 9000 s. 19.15 says:
2898 * "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
2899 * number smaller than the Retire Prior To field of a previously received
7c793cd3 2900 * NEW_CONNECTION_ID frame MUST send a corresponding
5cc73695
HL		 2901 * RETIRE_CONNECTION_ID frame that retires the newly received connection
2902 * ID, unless it has already done so for that sequence number."
2903 *
2904 * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
2905 * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
2906 * that NEW_CONNECTION_ID frame, by definition this will always be met.
2907 * This may change in future when we change our CID handling.
2908 */
eff04652
TM		 2909 while (new_retire_prior_to > ch->cur_retire_prior_to) {
2910 if (!ch_enqueue_retire_conn_id(ch, ch->cur_retire_prior_to))
2911 break;
2912 ++ch->cur_retire_prior_to;
2913 }
2914}
2915
9c3ea4e1
TM		 2916static void ch_save_err_state(QUIC_CHANNEL *ch)
2917{
2918 if (ch->err_state == NULL)
2919 ch->err_state = OSSL_ERR_STATE_new();
2920
2921 if (ch->err_state == NULL)
2922 return;
2923
2924 OSSL_ERR_STATE_save(ch->err_state);
2925}
2926
0df89732
HL		 2927void ossl_quic_channel_inject(QUIC_CHANNEL *ch, QUIC_URXE *e)
2928{
2929 ossl_qrx_inject_urxe(ch->qrx, e);
2930}
2931
61076198 2932void ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL *ch)
cdd91631
P		 2933{
2934 QUIC_TERMINATE_CAUSE tcause = {0};
2935
61076198
HL		 2936 tcause.error_code = QUIC_ERR_NO_ERROR;
2937 tcause.remote = 1;
2938 ch_start_terminating(ch, &tcause, 0);
cdd91631
P		 2939}
2940
632b0c7e 2941void ossl_quic_channel_raise_net_error(QUIC_CHANNEL *ch)
df15e990
HL		 2942{
2943 QUIC_TERMINATE_CAUSE tcause = {0};
2944
5c3474ea 2945 ch->net_error = 1;
741170be
HL		 2946
2947 ERR_raise_data(ERR_LIB_SSL, SSL_R_QUIC_NETWORK_ERROR,
2948 "connection terminated due to network error");
9c3ea4e1 2949 ch_save_err_state(ch);
5c3474ea 2950
df15e990
HL		 2951 tcause.error_code = QUIC_ERR_INTERNAL_ERROR;
2952
2953 /*
2954 * Skip Terminating state and go directly to Terminated, no point trying to
2955 * send CONNECTION_CLOSE if we cannot communicate.
2956 */
2957 ch_start_terminating(ch, &tcause, 1);
f538b421
HL		 2958}
2959
5c3474ea
TM		 2960int ossl_quic_channel_net_error(QUIC_CHANNEL *ch)
2961{
2962 return ch->net_error;
2963}
2964
9c3ea4e1
TM		 2965void ossl_quic_channel_restore_err_state(QUIC_CHANNEL *ch)
2966{
2967 if (ch == NULL)
2968 return;
2969
2970 OSSL_ERR_STATE_restore(ch->err_state);
2971}
2972
741170be
HL		 2973void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch,
2974 uint64_t error_code,
2975 uint64_t frame_type,
2976 const char *reason,
7a2bb210 2977 ERR_STATE *err_state,
741170be
HL		 2978 const char *src_file,
2979 int src_line,
2980 const char *src_func)
f538b421
HL		 2981{
2982 QUIC_TERMINATE_CAUSE tcause = {0};
2b8126d8
TM		 2983 int err_reason = error_code == QUIC_ERR_INTERNAL_ERROR
2984 ? ERR_R_INTERNAL_ERROR : SSL_R_QUIC_PROTOCOL_ERROR;
741170be
HL		 2985 const char *err_str = ossl_quic_err_to_string(error_code);
2986 const char *err_str_pfx = " (", *err_str_sfx = ")";
2987 const char *ft_str = NULL;
2988 const char *ft_str_pfx = " (", *ft_str_sfx = ")";
2989
549d0a70
HL		 2990 if (ch->protocol_error)
2991 /* Only the first call to this function matters. */
2992 return;
2993
741170be
HL		 2994 if (err_str == NULL) {
2995 err_str = "";
2996 err_str_pfx = "";
2997 err_str_sfx = "";
2998 }
2999
7a2bb210
HL		 3000 /*
3001 * If we were provided an underlying error state, restore it and then append
3002 * our ERR on top as a "cover letter" error.
3003 */
3004 if (err_state != NULL)
3005 OSSL_ERR_STATE_restore(err_state);
3006
741170be
HL		 3007 if (frame_type != 0) {
3008 ft_str = ossl_quic_frame_type_to_string(frame_type);
3009 if (ft_str == NULL) {
3010 ft_str = "";
3011 ft_str_pfx = "";
3012 ft_str_sfx = "";
3013 }
3014
3015 ERR_raise_data(ERR_LIB_SSL, err_reason,
3016 "QUIC error code: 0x%llx%s%s%s "
3017 "(triggered by frame type: 0x%llx%s%s%s), reason: \"%s\"",
3018 (unsigned long long) error_code,
3019 err_str_pfx, err_str, err_str_sfx,
3020 (unsigned long long) frame_type,
3021 ft_str_pfx, ft_str, ft_str_sfx,
3022 reason);
3023 } else {
3024 ERR_raise_data(ERR_LIB_SSL, err_reason,
3025 "QUIC error code: 0x%llx%s%s%s, reason: \"%s\"",
3026 (unsigned long long) error_code,
3027 err_str_pfx, err_str, err_str_sfx,
3028 reason);
3029 }
3030
3031 if (src_file != NULL)
3032 ERR_set_debug(src_file, src_line, src_func);
f538b421 3033
2b8126d8 3034 ch_save_err_state(ch);
9c3ea4e1 3035
f538b421
HL		 3036 tcause.error_code = error_code;
3037 tcause.frame_type = frame_type;
40c8c756 3038 tcause.reason = reason;
f2609004 3039 tcause.reason_len = strlen(reason);
f538b421 3040
549d0a70 3041 ch->protocol_error = 1;
df15e990 3042 ch_start_terminating(ch, &tcause, 0);
f538b421
HL		 3043}
3044
3045/*
3046 * Called once the terminating timer expires, meaning we move from TERMINATING
3047 * to TERMINATED.
3048 */
3049static void ch_on_terminating_timeout(QUIC_CHANNEL *ch)
3050{
3051 ch->state = QUIC_CHANNEL_STATE_TERMINATED;
3052}
3053
758e9b53
HL		 3054/*
3055 * Determines the effective idle timeout duration. This is based on the idle
3056 * timeout values that we and our peer signalled in transport parameters
3057 * but have some limits applied.
3058 */
3059static OSSL_TIME ch_get_effective_idle_timeout_duration(QUIC_CHANNEL *ch)
3060{
3061 OSSL_TIME pto;
3062
3063 if (ch->max_idle_timeout == 0)
3064 return ossl_time_infinite();
3065
3066 /*
3067 * RFC 9000 s. 10.1: Idle Timeout
3068 * To avoid excessively small idle timeout periods, endpoints
3069 * MUST increase the idle timeout period to be at least three
3070 * times the current Probe Timeout (PTO). This allows for
3071 * multiple PTOs to expire, and therefore multiple probes to
3072 * be sent and lost, prior to idle timeout.
3073 */
3074 pto = ossl_ackm_get_pto_duration(ch->ackm);
3075 return ossl_time_max(ossl_ms2time(ch->max_idle_timeout),
3076 ossl_time_multiply(pto, 3));
3077}
3078
f538b421
HL		 3079/*
3080 * Updates our idle deadline. Called when an event happens which should bump the
3081 * idle timeout.
3082 */
3083static void ch_update_idle(QUIC_CHANNEL *ch)
3084{
758e9b53
HL		 3085 ch->idle_deadline = ossl_time_add(get_time(ch),
3086 ch_get_effective_idle_timeout_duration(ch));
f538b421
HL		 3087}
3088
3b1ab5a3
HL		 3089/*
3090 * Updates our ping deadline, which determines when we next generate a ping if
3091 * we don't have any other ACK-eliciting frames to send.
3092 */
3093static void ch_update_ping_deadline(QUIC_CHANNEL *ch)
3094{
758e9b53 3095 OSSL_TIME max_span, idle_duration;
3b1ab5a3 3096
758e9b53
HL		 3097 idle_duration = ch_get_effective_idle_timeout_duration(ch);
3098 if (ossl_time_is_infinite(idle_duration)) {
3b1ab5a3 3099 ch->ping_deadline = ossl_time_infinite();
758e9b53 3100 return;
3b1ab5a3 3101 }
758e9b53
HL		 3102
3103 /*
3104 * Maximum amount of time without traffic before we send a PING to keep
3105 * the connection open. Usually we use max_idle_timeout/2, but ensure
3106 * the period never exceeds the assumed NAT interval to ensure NAT
3107 * devices don't have their state time out (RFC 9000 s. 10.1.2).
3108 */
3109 max_span = ossl_time_divide(idle_duration, 2);
3110 max_span = ossl_time_min(max_span, MAX_NAT_INTERVAL);
3111 ch->ping_deadline = ossl_time_add(get_time(ch), max_span);
3b1ab5a3
HL		 3112}
3113
f538b421
HL		 3114/* Called when the idle timeout expires. */
3115static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
3116{
3117 /*
3118 * Idle timeout does not have an error code associated with it because a
3119 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
3120 * TERMINATED anyway.
3121 */
3122 ch->terminate_cause.app = 0;
3123 ch->terminate_cause.error_code = UINT64_MAX;
3124 ch->terminate_cause.frame_type = 0;
3125
3126 ch->state = QUIC_CHANNEL_STATE_TERMINATED;
3127}
b1b06da2
HL		 3128
3129/* Called when we, as a server, get a new incoming connection. */
4ed6b48d
HL		 3130int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
3131 const QUIC_CONN_ID *peer_scid,
3132 const QUIC_CONN_ID *peer_dcid)
b1b06da2
HL		 3133{
3134 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
3135 return 0;
3136
52dfe6f1
HL		 3137 /* Generate an Initial LCID we will use for the connection. */
3138 if (!ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->cur_local_cid))
b1b06da2
HL		 3139 return 0;
3140
3141 /* Note our newly learnt peer address and CIDs. */
3142 ch->cur_peer_addr = *peer;
3143 ch->init_dcid = *peer_dcid;
3144 ch->cur_remote_dcid = *peer_scid;
3145
3146 /* Inform QTX of peer address. */
3147 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
3148 return 0;
3149
3150 /* Inform TXP of desired CIDs. */
3151 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid))
3152 return 0;
3153
bbc97540 3154 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
b1b06da2
HL		 3155 return 0;
3156
3157 /* Plug in secrets for the Initial EL. */
34fa182e
HL		 3158 if (!ossl_quic_provide_initial_secret(ch->port->libctx,
3159 ch->port->propq,
b1b06da2
HL		 3160 &ch->init_dcid,
3161 /*is_server=*/1,
3162 ch->qrx, ch->qtx))
3163 return 0;
3164
52dfe6f1
HL		 3165 /* Register the peer ODCID in the LCIDM. */
3166 if (!ossl_quic_lcidm_enrol_odcid(ch->lcidm, ch, &ch->init_dcid))
b1b06da2
HL		 3167 return 0;
3168
3169 /* Change state. */
3170 ch->state = QUIC_CHANNEL_STATE_ACTIVE;
3171 ch->doing_proactive_ver_neg = 0; /* not currently supported */
3172 return 1;
3173}
d03fe5de
MC		 3174
3175SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
3176{
3177 return ch->tls;
3178}
2dbc39de 3179
e8fe7a21
HL		 3180static int ch_init_new_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs,
3181 int can_send, int can_recv)
3182{
3183 uint64_t rxfc_wnd;
3184 int server_init = ossl_quic_stream_is_server_init(qs);
3185 int local_init = (ch->is_server == server_init);
3186 int is_uni = !ossl_quic_stream_is_bidi(qs);
3187
db2f98c4 3188 if (can_send)
6ba2edb7
TM		 3189 if ((qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
3190 goto err;
e8fe7a21 3191
db2f98c4 3192 if (can_recv)
a02571a0
TM		 3193 if ((qs->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL)
3194 goto err;
e8fe7a21
HL		 3195
3196 /* TXFC */
3197 if (!ossl_quic_txfc_init(&qs->txfc, &ch->conn_txfc))
3198 goto err;
3199
3200 if (ch->got_remote_transport_params) {
3201 /*
3202 * If we already got peer TPs we need to apply the initial CWM credit
3203 * now. If we didn't already get peer TPs this will be done
3204 * automatically for all extant streams when we do.
3205 */
3206 if (can_send) {
3207 uint64_t cwm;
3208
3209 if (is_uni)
3210 cwm = ch->rx_init_max_stream_data_uni;
3211 else if (local_init)
3212 cwm = ch->rx_init_max_stream_data_bidi_local;
3213 else
3214 cwm = ch->rx_init_max_stream_data_bidi_remote;
3215
3216 ossl_quic_txfc_bump_cwm(&qs->txfc, cwm);
3217 }
3218 }
3219
3220 /* RXFC */
3221 if (!can_recv)
3222 rxfc_wnd = 0;
3223 else if (is_uni)
3224 rxfc_wnd = ch->tx_init_max_stream_data_uni;
3225 else if (local_init)
3226 rxfc_wnd = ch->tx_init_max_stream_data_bidi_local;
3227 else
3228 rxfc_wnd = ch->tx_init_max_stream_data_bidi_remote;
3229
3230 if (!ossl_quic_rxfc_init(&qs->rxfc, &ch->conn_rxfc,
3231 rxfc_wnd,
3232 DEFAULT_STREAM_RXFC_MAX_WND_MUL * rxfc_wnd,
3233 get_time, ch))
3234 goto err;
3235
3236 return 1;
3237
3238err:
3239 ossl_quic_sstream_free(qs->sstream);
3240 qs->sstream = NULL;
3241 ossl_quic_rstream_free(qs->rstream);
3242 qs->rstream = NULL;
3243 return 0;
3244}
3245
9d6bd3d3
HL		 3246static uint64_t *ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL *ch,
3247 int is_uni)
3248{
3249 return is_uni ? &ch->next_local_stream_ordinal_uni
3250 : &ch->next_local_stream_ordinal_bidi;
3251}
3252
3253int ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL *ch,
3254 int is_uni)
3255{
3256 uint64_t *p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3257
3258 return ossl_quic_stream_map_is_local_allowed_by_stream_limit(&ch->qsm,
3259 *p_next_ordinal,
3260 is_uni);
3261}
3262
f20fdd16 3263QUIC_STREAM *ossl_quic_channel_new_stream_local(QUIC_CHANNEL *ch, int is_uni)
2dbc39de
HL		 3264{
3265 QUIC_STREAM *qs;
22b1a96f 3266 int type;
2dbc39de
HL		 3267 uint64_t stream_id, *p_next_ordinal;
3268
22b1a96f
HL		 3269 type = ch->is_server ? QUIC_STREAM_INITIATOR_SERVER
3270 : QUIC_STREAM_INITIATOR_CLIENT;
2dbc39de 3271
9d6bd3d3
HL		 3272 p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3273
3274 if (is_uni)
2dbc39de 3275 type |= QUIC_STREAM_DIR_UNI;
9d6bd3d3 3276 else
2dbc39de 3277 type |= QUIC_STREAM_DIR_BIDI;
2dbc39de
HL		 3278
3279 if (*p_next_ordinal >= ((uint64_t)1) << 62)
3280 return NULL;
3281
3282 stream_id = ((*p_next_ordinal) << 2) | type;
3283
3284 if ((qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id, type)) == NULL)
3285 return NULL;
3286
e8fe7a21
HL		 3287 /* Locally-initiated stream, so we always want a send buffer. */
3288 if (!ch_init_new_stream(ch, qs, /*can_send=*/1, /*can_recv=*/!is_uni))
3289 goto err;
3290
2dbc39de
HL		 3291 ++*p_next_ordinal;
3292 return qs;
e8fe7a21
HL		 3293
3294err:
3295 ossl_quic_stream_map_release(&ch->qsm, qs);
3296 return NULL;
2dbc39de 3297}
f20fdd16
HL		 3298
3299QUIC_STREAM *ossl_quic_channel_new_stream_remote(QUIC_CHANNEL *ch,
3300 uint64_t stream_id)
3301{
3302 uint64_t peer_role;
e8fe7a21 3303 int is_uni;
f20fdd16
HL		 3304 QUIC_STREAM *qs;
3305
3306 peer_role = ch->is_server
3307 ? QUIC_STREAM_INITIATOR_CLIENT
3308 : QUIC_STREAM_INITIATOR_SERVER;
3309
3310 if ((stream_id & QUIC_STREAM_INITIATOR_MASK) != peer_role)
3311 return NULL;
3312
e8fe7a21
HL		 3313 is_uni = ((stream_id & QUIC_STREAM_DIR_MASK) == QUIC_STREAM_DIR_UNI);
3314
f20fdd16
HL		 3315 qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id,
3316 stream_id & (QUIC_STREAM_INITIATOR_MASK
3317 | QUIC_STREAM_DIR_MASK));
3318 if (qs == NULL)
3319 return NULL;
3320
e8fe7a21
HL		 3321 if (!ch_init_new_stream(ch, qs, /*can_send=*/!is_uni, /*can_recv=*/1))
3322 goto err;
3323
995ff282
HL		 3324 if (ch->incoming_stream_auto_reject)
3325 ossl_quic_channel_reject_stream(ch, qs);
3326 else
3327 ossl_quic_stream_map_push_accept_queue(&ch->qsm, qs);
3328
f20fdd16 3329 return qs;
e8fe7a21
HL		 3330
3331err:
3332 ossl_quic_stream_map_release(&ch->qsm, qs);
3333 return NULL;
f20fdd16 3334}
995ff282
HL		 3335
3336void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL *ch,
3337 int enable,
3338 uint64_t aec)
3339{
3340 ch->incoming_stream_auto_reject = (enable != 0);
3341 ch->incoming_stream_auto_reject_aec = aec;
3342}
3343
3344void ossl_quic_channel_reject_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs)
3345{
e8b9f632
HL		 3346 ossl_quic_stream_map_stop_sending_recv_part(&ch->qsm, qs,
3347 ch->incoming_stream_auto_reject_aec);
995ff282 3348
e8b9f632
HL		 3349 ossl_quic_stream_map_reset_stream_send_part(&ch->qsm, qs,
3350 ch->incoming_stream_auto_reject_aec);
995ff282
HL		 3351 qs->deleted = 1;
3352
3353 ossl_quic_stream_map_update_state(&ch->qsm, qs);
3354}
bbc97540
TM		 3355
3356/* Replace local connection ID in TXP and DEMUX for testing purposes. */
3357int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL *ch,
3358 const QUIC_CONN_ID *conn_id)
3359{
52dfe6f1
HL		 3360 /* Remove the current LCID from the LCIDM. */
3361 if (!ossl_quic_lcidm_debug_remove(ch->lcidm, &ch->cur_local_cid))
bbc97540
TM		 3362 return 0;
3363 ch->cur_local_cid = *conn_id;
3364 /* Set in the TXP, used only for long header packets. */
3365 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
3366 return 0;
52dfe6f1
HL		 3367 /* Add the new LCID to the LCIDM. */
3368 if (!ossl_quic_lcidm_debug_add(ch->lcidm, ch, &ch->cur_local_cid,
3369 100))
bbc97540
TM		 3370 return 0;
3371 return 1;
3372}
5cf99b40
MC		 3373
3374void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL *ch,
3375 ossl_msg_cb msg_callback,
c2786c8e 3376 SSL *msg_callback_ssl)
5cf99b40
MC		 3377{
3378 ch->msg_callback = msg_callback;
c2786c8e
MC		 3379 ch->msg_callback_ssl = msg_callback_ssl;
3380 ossl_qtx_set_msg_callback(ch->qtx, msg_callback, msg_callback_ssl);
5cf99b40 3381 ossl_quic_tx_packetiser_set_msg_callback(ch->txp, msg_callback,
c2786c8e
MC		 3382 msg_callback_ssl);
3383 ossl_qrx_set_msg_callback(ch->qrx, msg_callback, msg_callback_ssl);
5cf99b40
MC		 3384}
3385
3386void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
3387 void *msg_callback_arg)
3388{
3389 ch->msg_callback_arg = msg_callback_arg;
3390 ossl_qtx_set_msg_callback_arg(ch->qtx, msg_callback_arg);
3391 ossl_quic_tx_packetiser_set_msg_callback_arg(ch->txp, msg_callback_arg);
3392 ossl_qrx_set_msg_callback_arg(ch->qrx, msg_callback_arg);
3393}
16f3b542
HL		 3394
3395void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
3396 uint64_t tx_pkt_threshold)
3397{
3398 ch->txku_threshold_override = tx_pkt_threshold;
3399}
3400
3401uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch)
3402{
3403 return ossl_qtx_get_key_epoch(ch->qtx);
3404}
3405
3406uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch)
3407{
3408 return ossl_qrx_get_key_epoch(ch->qrx);
3409}
692a3cab
HL		 3410
3411int ossl_quic_channel_trigger_txku(QUIC_CHANNEL *ch)
3412{
3413 if (!txku_allowed(ch))
3414 return 0;
3415
3416 ch->ku_locally_initiated = 1;
3417 ch_trigger_txku(ch);
3418 return 1;
3419}
9ff3a99e
HL		 3420
3421int ossl_quic_channel_ping(QUIC_CHANNEL *ch)
3422{
3423 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
3424
3425 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
3426
3427 return 1;
3428}
03b38595 3429
17340e87
HL		 3430uint16_t ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL *ch)
3431{
3432 return ch->diag_num_rx_ack;
3433}
ed75eb32
HL		 3434
3435void ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL *ch, QUIC_CONN_ID *cid)
3436{
3437 *cid = ch->cur_local_cid;
3438}
A mirror of the official openssl repository