2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/quic_channel.h"
11 #include "internal/quic_error.h"
12 #include "internal/quic_rx_depack.h"
13 #include "../ssl_local.h"
14 #include "quic_channel_local.h"
15 #include <openssl/rand.h>
18 * NOTE: While this channel implementation currently has basic server support,
19 * this functionality has been implemented for internal testing purposes and is
20 * not suitable for network use. In particular, it does not implement address
21 * validation, anti-amplification or retry logic.
23 * TODO(QUIC): Implement address validation and anti-amplification
24 * TODO(QUIC): Implement retry logic
27 #define INIT_DCID_LEN 8
28 #define INIT_CRYPTO_BUF_LEN 8192
29 #define INIT_APP_BUF_LEN 8192
32 * Interval before we force a PING to ensure NATs don't timeout. This is based
33 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
36 #define MAX_NAT_INTERVAL (ossl_ms2time(25000))
38 static void ch_rx_pre(QUIC_CHANNEL
*ch
);
39 static int ch_rx(QUIC_CHANNEL
*ch
);
40 static int ch_tx(QUIC_CHANNEL
*ch
);
41 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
, uint32_t flags
);
42 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
);
43 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
);
44 static int ch_retry(QUIC_CHANNEL
*ch
,
45 const unsigned char *retry_token
,
46 size_t retry_token_len
,
47 const QUIC_CONN_ID
*retry_scid
);
48 static void ch_cleanup(QUIC_CHANNEL
*ch
);
49 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
);
50 static int ch_on_transport_params(const unsigned char *params
,
53 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
);
54 static int ch_on_handshake_complete(void *arg
);
55 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
56 uint32_t suite_id
, EVP_MD
*md
,
57 const unsigned char *secret
,
60 static int ch_on_crypto_recv_record(const unsigned char **buf
,
61 size_t *bytes_read
, void *arg
);
62 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
);
63 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
);
64 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
65 size_t *consumed
, void *arg
);
66 static OSSL_TIME
get_time(void *arg
);
67 static uint64_t get_stream_limit(int uni
, void *arg
);
68 static int rx_early_validate(QUIC_PN pn
, int pn_space
, void *arg
);
69 static int ch_retry(QUIC_CHANNEL
*ch
,
70 const unsigned char *retry_token
,
71 size_t retry_token_len
,
72 const QUIC_CONN_ID
*retry_scid
);
73 static void ch_update_idle(QUIC_CHANNEL
*ch
);
74 static int ch_discard_el(QUIC_CHANNEL
*ch
,
76 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
);
77 static void ch_update_idle(QUIC_CHANNEL
*ch
);
78 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
);
79 static void ch_raise_net_error(QUIC_CHANNEL
*ch
);
80 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
);
81 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
82 const QUIC_TERMINATE_CAUSE
*tcause
,
84 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
);
85 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
86 const QUIC_CONN_ID
*peer_scid
,
87 const QUIC_CONN_ID
*peer_dcid
);
89 static int gen_rand_conn_id(OSSL_LIB_CTX
*libctx
, size_t len
, QUIC_CONN_ID
*cid
)
91 if (len
> QUIC_MAX_CONN_ID_LEN
)
94 cid
->id_len
= (unsigned char)len
;
96 if (RAND_bytes_ex(libctx
, cid
->id
, len
, len
* 8) != 1) {
105 * QUIC Channel Initialization and Teardown
106 * ========================================
108 static int ch_init(QUIC_CHANNEL
*ch
)
110 OSSL_QUIC_TX_PACKETISER_ARGS txp_args
= {0};
111 OSSL_QTX_ARGS qtx_args
= {0};
112 OSSL_QRX_ARGS qrx_args
= {0};
113 QUIC_TLS_ARGS tls_args
= {0};
115 size_t rx_short_cid_len
= ch
->is_server
? INIT_DCID_LEN
: 0;
117 /* For clients, generate our initial DCID. */
119 && !gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
, &ch
->init_dcid
))
122 /* We plug in a network write BIO to the QTX later when we get one. */
123 qtx_args
.libctx
= ch
->libctx
;
124 qtx_args
.mdpl
= QUIC_MIN_INITIAL_DGRAM_LEN
;
125 ch
->rx_max_udp_payload_size
= qtx_args
.mdpl
;
127 ch
->qtx
= ossl_qtx_new(&qtx_args
);
131 ch
->txpim
= ossl_quic_txpim_new();
132 if (ch
->txpim
== NULL
)
135 ch
->cfq
= ossl_quic_cfq_new();
139 if (!ossl_quic_txfc_init(&ch
->conn_txfc
, NULL
))
142 if (!ossl_quic_rxfc_init(&ch
->conn_rxfc
, NULL
,
148 if (!ossl_statm_init(&ch
->statm
))
152 ch
->cc_method
= &ossl_cc_dummy_method
;
153 if ((ch
->cc_data
= ch
->cc_method
->new(get_time
, NULL
)) == NULL
)
156 if ((ch
->ackm
= ossl_ackm_new(get_time
, ch
, &ch
->statm
,
157 ch
->cc_method
, ch
->cc_data
)) == NULL
)
160 if (!ossl_quic_stream_map_init(&ch
->qsm
, get_stream_limit
, ch
))
165 /* We use a zero-length SCID. */
166 txp_args
.cur_dcid
= ch
->init_dcid
;
167 txp_args
.ack_delay_exponent
= 3;
168 txp_args
.qtx
= ch
->qtx
;
169 txp_args
.txpim
= ch
->txpim
;
170 txp_args
.cfq
= ch
->cfq
;
171 txp_args
.ackm
= ch
->ackm
;
172 txp_args
.qsm
= &ch
->qsm
;
173 txp_args
.conn_txfc
= &ch
->conn_txfc
;
174 txp_args
.conn_rxfc
= &ch
->conn_rxfc
;
175 txp_args
.cc_method
= ch
->cc_method
;
176 txp_args
.cc_data
= ch
->cc_data
;
177 txp_args
.now
= get_time
;
178 txp_args
.now_arg
= ch
;
179 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
180 ch
->crypto_send
[pn_space
] = ossl_quic_sstream_new(INIT_CRYPTO_BUF_LEN
);
181 if (ch
->crypto_send
[pn_space
] == NULL
)
184 txp_args
.crypto
[pn_space
] = ch
->crypto_send
[pn_space
];
187 ch
->txp
= ossl_quic_tx_packetiser_new(&txp_args
);
191 if ((ch
->demux
= ossl_quic_demux_new(/*BIO=*/NULL
,
192 /*Short CID Len=*/rx_short_cid_len
,
193 get_time
, ch
)) == NULL
)
197 * If we are a server, setup our handler for packets not corresponding to
198 * any known DCID on our end. This is for handling clients establishing new
202 ossl_quic_demux_set_default_handler(ch
->demux
,
203 ch_default_packet_handler
,
206 qrx_args
.libctx
= ch
->libctx
;
207 qrx_args
.demux
= ch
->demux
;
208 qrx_args
.short_conn_id_len
= rx_short_cid_len
;
209 qrx_args
.max_deferred
= 32;
211 if ((ch
->qrx
= ossl_qrx_new(&qrx_args
)) == NULL
)
214 if (!ossl_qrx_set_early_validation_cb(ch
->qrx
,
219 if (!ch
->is_server
&& !ossl_qrx_add_dst_conn_id(ch
->qrx
, &txp_args
.cur_scid
))
222 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
223 ch
->crypto_recv
[pn_space
] = ossl_quic_rstream_new(NULL
, NULL
, 0);
224 if (ch
->crypto_recv
[pn_space
] == NULL
)
228 if ((ch
->stream0
= ossl_quic_stream_map_alloc(&ch
->qsm
, 0,
229 QUIC_STREAM_INITIATOR_CLIENT
230 | QUIC_STREAM_DIR_BIDI
)) == NULL
)
233 if ((ch
->stream0
->sstream
= ossl_quic_sstream_new(INIT_APP_BUF_LEN
)) == NULL
)
236 if ((ch
->stream0
->rstream
= ossl_quic_rstream_new(NULL
, NULL
, 0)) == NULL
)
239 if (!ossl_quic_txfc_init(&ch
->stream0
->txfc
, &ch
->conn_txfc
))
242 if (!ossl_quic_rxfc_init(&ch
->stream0
->rxfc
, &ch
->conn_rxfc
,
248 /* Plug in the TLS handshake layer. */
249 tls_args
.s
= ch
->tls
;
250 tls_args
.crypto_send_cb
= ch_on_crypto_send
;
251 tls_args
.crypto_send_cb_arg
= ch
;
252 tls_args
.crypto_recv_rcd_cb
= ch_on_crypto_recv_record
;
253 tls_args
.crypto_recv_rcd_cb_arg
= ch
;
254 tls_args
.crypto_release_rcd_cb
= ch_on_crypto_release_record
;
255 tls_args
.crypto_release_rcd_cb_arg
= ch
;
256 tls_args
.yield_secret_cb
= ch_on_handshake_yield_secret
;
257 tls_args
.yield_secret_cb_arg
= ch
;
258 tls_args
.got_transport_params_cb
= ch_on_transport_params
;
259 tls_args
.got_transport_params_cb_arg
= ch
;
260 tls_args
.handshake_complete_cb
= ch_on_handshake_complete
;
261 tls_args
.handshake_complete_cb_arg
= ch
;
262 tls_args
.alert_cb
= ch_on_handshake_alert
;
263 tls_args
.alert_cb_arg
= ch
;
264 tls_args
.is_server
= ch
->is_server
;
266 if ((ch
->qtls
= ossl_quic_tls_new(&tls_args
)) == NULL
)
269 ch
->rx_max_ack_delay
= QUIC_DEFAULT_MAX_ACK_DELAY
;
270 ch
->rx_ack_delay_exp
= QUIC_DEFAULT_ACK_DELAY_EXP
;
271 ch
->rx_active_conn_id_limit
= QUIC_MIN_ACTIVE_CONN_ID_LIMIT
;
272 ch
->max_idle_timeout
= QUIC_DEFAULT_IDLE_TIMEOUT
;
273 ch
->tx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
274 ch
->rx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
277 * Determine the QUIC Transport Parameters and serialize the transport
278 * parameters block. (For servers, we do this later as we must defer
279 * generation until we have received the client's transport parameters.)
281 if (!ch
->is_server
&& !ch_generate_transport_params(ch
))
285 ossl_quic_reactor_init(&ch
->rtor
, ch_tick
, ch
,
286 ch_determine_next_tick_deadline(ch
));
294 static void ch_cleanup(QUIC_CHANNEL
*ch
)
298 if (ch
->ackm
!= NULL
)
299 for (pn_space
= QUIC_PN_SPACE_INITIAL
;
300 pn_space
< QUIC_PN_SPACE_NUM
;
302 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
304 ossl_quic_tx_packetiser_free(ch
->txp
);
305 ossl_quic_txpim_free(ch
->txpim
);
306 ossl_quic_cfq_free(ch
->cfq
);
307 ossl_qtx_free(ch
->qtx
);
308 if (ch
->cc_data
!= NULL
)
309 ch
->cc_method
->free(ch
->cc_data
);
311 ossl_statm_destroy(&ch
->statm
);
312 ossl_ackm_free(ch
->ackm
);
314 if (ch
->stream0
!= NULL
) {
315 assert(ch
->have_qsm
);
316 ossl_quic_stream_map_release(&ch
->qsm
, ch
->stream0
); /* frees sstream */
320 ossl_quic_stream_map_cleanup(&ch
->qsm
);
322 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
323 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
324 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
327 ossl_qrx_pkt_release(ch
->qrx_pkt
);
330 ossl_quic_tls_free(ch
->qtls
);
331 ossl_qrx_free(ch
->qrx
);
332 ossl_quic_demux_free(ch
->demux
);
333 OPENSSL_free(ch
->local_transport_params
);
336 QUIC_CHANNEL
*ossl_quic_channel_new(const QUIC_CHANNEL_ARGS
*args
)
338 QUIC_CHANNEL
*ch
= NULL
;
340 if ((ch
= OPENSSL_zalloc(sizeof(*ch
))) == NULL
)
343 ch
->libctx
= args
->libctx
;
344 ch
->propq
= args
->propq
;
345 ch
->is_server
= args
->is_server
;
347 ch
->mutex
= args
->mutex
;
348 ch
->now_cb
= args
->now_cb
;
349 ch
->now_cb_arg
= args
->now_cb_arg
;
359 void ossl_quic_channel_free(QUIC_CHANNEL
*ch
)
368 /* Set mutator callbacks for test framework support */
369 int ossl_quic_channel_set_mutator(QUIC_CHANNEL
*ch
,
370 ossl_mutate_packet_cb mutatecb
,
371 ossl_finish_mutate_cb finishmutatecb
,
377 ossl_qtx_set_mutator(ch
->qtx
, mutatecb
, finishmutatecb
, mutatearg
);
381 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL
*ch
, BIO_ADDR
*peer_addr
)
383 *peer_addr
= ch
->cur_peer_addr
;
387 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer_addr
)
389 ch
->cur_peer_addr
= *peer_addr
;
393 QUIC_REACTOR
*ossl_quic_channel_get_reactor(QUIC_CHANNEL
*ch
)
398 QUIC_STREAM_MAP
*ossl_quic_channel_get_qsm(QUIC_CHANNEL
*ch
)
403 OSSL_STATM
*ossl_quic_channel_get_statm(QUIC_CHANNEL
*ch
)
408 QUIC_STREAM
*ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL
*ch
,
411 return ossl_quic_stream_map_get_by_id(&ch
->qsm
, stream_id
);
414 int ossl_quic_channel_is_active(const QUIC_CHANNEL
*ch
)
416 return ch
!= NULL
&& ch
->state
== QUIC_CHANNEL_STATE_ACTIVE
;
419 int ossl_quic_channel_is_terminating(const QUIC_CHANNEL
*ch
)
421 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
422 || ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_DRAINING
)
428 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL
*ch
)
430 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATED
)
436 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL
*ch
)
438 return ossl_quic_channel_is_terminating(ch
)
439 || ossl_quic_channel_is_terminated(ch
);
442 QUIC_TERMINATE_CAUSE
ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL
*ch
)
444 return ch
->terminate_cause
;
447 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL
*ch
)
449 return ch
->handshake_complete
;
452 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL
*ch
)
454 return ch
->handshake_confirmed
;
457 QUIC_DEMUX
*ossl_quic_channel_get0_demux(QUIC_CHANNEL
*ch
)
462 CRYPTO_MUTEX
*ossl_quic_channel_get_mutex(QUIC_CHANNEL
*ch
)
468 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
469 * ================================================================
472 /* Used by various components. */
473 static OSSL_TIME
get_time(void *arg
)
475 QUIC_CHANNEL
*ch
= arg
;
477 if (ch
->now_cb
== NULL
)
478 return ossl_time_now();
480 return ch
->now_cb(ch
->now_cb_arg
);
484 static uint64_t get_stream_limit(int uni
, void *arg
)
486 QUIC_CHANNEL
*ch
= arg
;
488 return uni
? ch
->max_local_streams_uni
: ch
->max_local_streams_bidi
;
492 * Called by QRX to determine if a packet is potentially invalid before trying
495 static int rx_early_validate(QUIC_PN pn
, int pn_space
, void *arg
)
497 QUIC_CHANNEL
*ch
= arg
;
499 /* Potential duplicates should not be processed. */
500 if (!ossl_ackm_is_rx_pn_processable(ch
->ackm
, pn
, pn_space
))
507 * QUIC Channel: Handshake Layer Event Handling
508 * ============================================
510 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
511 size_t *consumed
, void *arg
)
514 QUIC_CHANNEL
*ch
= arg
;
515 uint32_t enc_level
= ch
->tx_enc_level
;
516 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
517 QUIC_SSTREAM
*sstream
= ch
->crypto_send
[pn_space
];
519 if (!ossl_assert(sstream
!= NULL
))
522 ret
= ossl_quic_sstream_append(sstream
, buf
, buf_len
, consumed
);
526 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
)
534 if (!ossl_quic_rstream_available(rstream
, &avail
, &is_fin
))
540 static int ch_on_crypto_recv_record(const unsigned char **buf
,
541 size_t *bytes_read
, void *arg
)
543 QUIC_CHANNEL
*ch
= arg
;
544 QUIC_RSTREAM
*rstream
;
545 int is_fin
= 0; /* crypto stream is never finished, so we don't use this */
549 * After we move to a later EL we must not allow our peer to send any new
550 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
553 * In practice we will only move to a new EL when we have consumed all bytes
554 * which should be sent on the crypto stream at a previous EL. For example,
555 * the Handshake EL should not be provisioned until we have completely
556 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
557 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
558 * given EL is available we simply ensure we have not received any further
559 * bytes at a lower EL.
561 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< ch
->rx_enc_level
; ++i
)
562 if (i
!= QUIC_ENC_LEVEL_0RTT
&&
563 !crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
564 /* Protocol violation (RFC 9001 s. 4.1.3) */
565 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
566 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
567 "crypto stream data in wrong EL");
571 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
575 return ossl_quic_rstream_get_record(rstream
, buf
, bytes_read
,
579 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
)
581 QUIC_CHANNEL
*ch
= arg
;
582 QUIC_RSTREAM
*rstream
;
584 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
588 return ossl_quic_rstream_release_record(rstream
, bytes_read
);
591 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
592 uint32_t suite_id
, EVP_MD
*md
,
593 const unsigned char *secret
,
597 QUIC_CHANNEL
*ch
= arg
;
600 if (enc_level
< QUIC_ENC_LEVEL_HANDSHAKE
|| enc_level
>= QUIC_ENC_LEVEL_NUM
)
607 if (enc_level
<= ch
->tx_enc_level
)
609 * Does not make sense for us to try and provision an EL we have already
614 if (!ossl_qtx_provide_secret(ch
->qtx
, enc_level
,
619 ch
->tx_enc_level
= enc_level
;
622 if (enc_level
<= ch
->rx_enc_level
)
624 * Does not make sense for us to try and provision an EL we have already
630 * Ensure all crypto streams for previous ELs are now empty of available
633 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< enc_level
; ++i
)
634 if (!crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
635 /* Protocol violation (RFC 9001 s. 4.1.3) */
636 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
637 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
638 "crypto stream data in wrong EL");
642 if (!ossl_qrx_provide_secret(ch
->qrx
, enc_level
,
647 ch
->have_new_rx_secret
= 1;
648 ch
->rx_enc_level
= enc_level
;
654 static int ch_on_handshake_complete(void *arg
)
656 QUIC_CHANNEL
*ch
= arg
;
658 if (!ossl_assert(!ch
->handshake_complete
))
659 return 0; /* this should not happen twice */
661 if (!ossl_assert(ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
))
664 if (!ch
->got_remote_transport_params
) {
666 * Was not a valid QUIC handshake if we did not get valid transport
669 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
670 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
671 "no transport parameters received");
675 /* Don't need transport parameters anymore. */
676 OPENSSL_free(ch
->local_transport_params
);
677 ch
->local_transport_params
= NULL
;
679 /* Tell TXP the handshake is complete. */
680 ossl_quic_tx_packetiser_notify_handshake_complete(ch
->txp
);
682 ch
->handshake_complete
= 1;
686 * On the server, the handshake is confirmed as soon as it is complete.
688 ossl_quic_channel_on_handshake_confirmed(ch
);
690 ossl_quic_tx_packetiser_schedule_handshake_done(ch
->txp
);
696 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
)
698 QUIC_CHANNEL
*ch
= arg
;
700 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_CRYPTO_ERR_BEGIN
+ alert_code
,
701 0, "handshake alert");
706 * QUIC Channel: Transport Parameter Handling
707 * ==========================================
711 * Called by handshake layer when we receive QUIC Transport Parameters from the
712 * peer. Note that these are not authenticated until the handshake is marked
715 #define TP_REASON_SERVER_ONLY(x) \
716 x " may not be sent by a client"
717 #define TP_REASON_DUP(x) \
718 x " appears multiple times"
719 #define TP_REASON_MALFORMED(x) \
721 #define TP_REASON_EXPECTED_VALUE(x) \
722 x " does not match expected value"
723 #define TP_REASON_NOT_RETRY(x) \
724 x " sent when not performing a retry"
725 #define TP_REASON_REQUIRED(x) \
726 x " was not sent but is required"
728 static int ch_on_transport_params(const unsigned char *params
,
732 QUIC_CHANNEL
*ch
= arg
;
736 const unsigned char *body
;
737 int got_orig_dcid
= 0;
738 int got_initial_scid
= 0;
739 int got_retry_scid
= 0;
740 int got_initial_max_data
= 0;
741 int got_initial_max_stream_data_bidi_local
= 0;
742 int got_initial_max_stream_data_bidi_remote
= 0;
743 int got_initial_max_stream_data_uni
= 0;
744 int got_initial_max_streams_bidi
= 0;
745 int got_initial_max_streams_uni
= 0;
746 int got_ack_delay_exp
= 0;
747 int got_max_ack_delay
= 0;
748 int got_max_udp_payload_size
= 0;
749 int got_max_idle_timeout
= 0;
750 int got_active_conn_id_limit
= 0;
752 const char *reason
= "bad transport parameter";
754 if (ch
->got_remote_transport_params
)
757 if (!PACKET_buf_init(&pkt
, params
, params_len
))
760 while (PACKET_remaining(&pkt
) > 0) {
761 if (!ossl_quic_wire_peek_transport_param(&pkt
, &id
))
765 case QUIC_TPARAM_ORIG_DCID
:
767 reason
= TP_REASON_DUP("ORIG_DCID");
772 reason
= TP_REASON_SERVER_ONLY("ORIG_DCID");
776 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
777 reason
= TP_REASON_MALFORMED("ORIG_DCID");
781 /* Must match our initial DCID. */
782 if (!ossl_quic_conn_id_eq(&ch
->init_dcid
, &cid
)) {
783 reason
= TP_REASON_EXPECTED_VALUE("ORIG_DCID");
790 case QUIC_TPARAM_RETRY_SCID
:
792 reason
= TP_REASON_SERVER_ONLY("RETRY_SCID");
796 if (got_retry_scid
) {
797 reason
= TP_REASON_DUP("RETRY_SCID");
801 if (!ch
->doing_retry
) {
802 reason
= TP_REASON_NOT_RETRY("RETRY_SCID");
806 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
807 reason
= TP_REASON_MALFORMED("RETRY_SCID");
811 /* Must match Retry packet SCID. */
812 if (!ossl_quic_conn_id_eq(&ch
->retry_scid
, &cid
)) {
813 reason
= TP_REASON_EXPECTED_VALUE("RETRY_SCID");
820 case QUIC_TPARAM_INITIAL_SCID
:
821 if (got_initial_scid
) {
822 /* must not appear more than once */
823 reason
= TP_REASON_DUP("INITIAL_SCID");
827 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
828 reason
= TP_REASON_MALFORMED("INITIAL_SCID");
832 /* Must match SCID of first Initial packet from server. */
833 if (!ossl_quic_conn_id_eq(&ch
->init_scid
, &cid
)) {
834 reason
= TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
838 got_initial_scid
= 1;
841 case QUIC_TPARAM_INITIAL_MAX_DATA
:
842 if (got_initial_max_data
) {
843 /* must not appear more than once */
844 reason
= TP_REASON_DUP("INITIAL_MAX_DATA");
848 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
849 reason
= TP_REASON_MALFORMED("INITIAL_MAX_DATA");
853 ossl_quic_txfc_bump_cwm(&ch
->conn_txfc
, v
);
854 got_initial_max_data
= 1;
857 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
:
858 if (got_initial_max_stream_data_bidi_local
) {
859 /* must not appear more than once */
860 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
864 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
865 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
870 * This is correct; the BIDI_LOCAL TP governs streams created by
871 * the endpoint which sends the TP, i.e., our peer.
873 ch
->init_max_stream_data_bidi_remote
= v
;
874 got_initial_max_stream_data_bidi_local
= 1;
877 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
:
878 if (got_initial_max_stream_data_bidi_remote
) {
879 /* must not appear more than once */
880 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
884 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
885 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
890 * This is correct; the BIDI_REMOTE TP governs streams created
891 * by the endpoint which receives the TP, i.e., us.
893 ch
->init_max_stream_data_bidi_local
= v
;
895 /* Apply to stream 0. */
896 ossl_quic_txfc_bump_cwm(&ch
->stream0
->txfc
, v
);
897 got_initial_max_stream_data_bidi_remote
= 1;
900 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
:
901 if (got_initial_max_stream_data_uni
) {
902 /* must not appear more than once */
903 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
907 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
908 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
912 ch
->init_max_stream_data_uni_remote
= v
;
913 got_initial_max_stream_data_uni
= 1;
916 case QUIC_TPARAM_ACK_DELAY_EXP
:
917 if (got_ack_delay_exp
) {
918 /* must not appear more than once */
919 reason
= TP_REASON_DUP("ACK_DELAY_EXP");
923 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
924 || v
> QUIC_MAX_ACK_DELAY_EXP
) {
925 reason
= TP_REASON_MALFORMED("ACK_DELAY_EXP");
929 ch
->rx_ack_delay_exp
= (unsigned char)v
;
930 got_ack_delay_exp
= 1;
933 case QUIC_TPARAM_MAX_ACK_DELAY
:
934 if (got_max_ack_delay
) {
935 /* must not appear more than once */
936 reason
= TP_REASON_DUP("MAX_ACK_DELAY");
940 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
941 || v
>= (((uint64_t)1) << 14)) {
942 reason
= TP_REASON_MALFORMED("MAX_ACK_DELAY");
946 ch
->rx_max_ack_delay
= v
;
947 got_max_ack_delay
= 1;
950 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
:
951 if (got_initial_max_streams_bidi
) {
952 /* must not appear more than once */
953 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
957 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
958 || v
> (((uint64_t)1) << 60)) {
959 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
963 assert(ch
->max_local_streams_bidi
== 0);
964 ch
->max_local_streams_bidi
= v
;
965 got_initial_max_streams_bidi
= 1;
968 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
:
969 if (got_initial_max_streams_uni
) {
970 /* must not appear more than once */
971 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
975 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
976 || v
> (((uint64_t)1) << 60)) {
977 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
981 assert(ch
->max_local_streams_uni
== 0);
982 ch
->max_local_streams_uni
= v
;
983 got_initial_max_streams_uni
= 1;
986 case QUIC_TPARAM_MAX_IDLE_TIMEOUT
:
987 if (got_max_idle_timeout
) {
988 /* must not appear more than once */
989 reason
= TP_REASON_DUP("MAX_IDLE_TIMEOUT");
993 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
994 reason
= TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
998 if (v
> 0 && v
< ch
->max_idle_timeout
)
999 ch
->max_idle_timeout
= v
;
1002 got_max_idle_timeout
= 1;
1005 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
:
1006 if (got_max_udp_payload_size
) {
1007 /* must not appear more than once */
1008 reason
= TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
1012 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1013 || v
< QUIC_MIN_INITIAL_DGRAM_LEN
) {
1014 reason
= TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
1018 ch
->rx_max_udp_payload_size
= v
;
1019 got_max_udp_payload_size
= 1;
1022 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
:
1023 if (got_active_conn_id_limit
) {
1024 /* must not appear more than once */
1025 reason
= TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
1029 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1030 || v
< QUIC_MIN_ACTIVE_CONN_ID_LIMIT
) {
1031 reason
= TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
1035 ch
->rx_active_conn_id_limit
= v
;
1036 got_active_conn_id_limit
= 1;
1039 case QUIC_TPARAM_STATELESS_RESET_TOKEN
:
1040 /* TODO(QUIC): Handle stateless reset tokens. */
1042 * We ignore these for now, but we must ensure a client doesn't
1045 if (ch
->is_server
) {
1046 reason
= TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1050 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1051 if (body
== NULL
|| len
!= QUIC_STATELESS_RESET_TOKEN_LEN
) {
1052 reason
= TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1058 case QUIC_TPARAM_PREFERRED_ADDR
:
1059 /* TODO(QUIC): Handle preferred address. */
1060 if (ch
->is_server
) {
1061 reason
= TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1065 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1067 reason
= TP_REASON_MALFORMED("PREFERRED_ADDR");
1073 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
:
1074 /* We do not currently handle migration, so nothing to do. */
1076 /* Skip over and ignore. */
1077 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
,
1086 if (!got_initial_scid
) {
1087 reason
= TP_REASON_REQUIRED("INITIAL_SCID");
1091 if (!ch
->is_server
) {
1092 if (!got_orig_dcid
) {
1093 reason
= TP_REASON_REQUIRED("ORIG_DCID");
1097 if (ch
->doing_retry
&& !got_retry_scid
) {
1098 reason
= TP_REASON_REQUIRED("RETRY_SCID");
1103 ch
->got_remote_transport_params
= 1;
1105 if (got_initial_max_data
|| got_initial_max_stream_data_bidi_remote
1106 || got_initial_max_streams_bidi
|| got_initial_max_streams_uni
)
1107 /* If FC credit was bumped, we may now be able to send. */
1108 ossl_quic_stream_map_update_state(&ch
->qsm
, ch
->stream0
);
1110 /* If we are a server, we now generate our own transport parameters. */
1111 if (ch
->is_server
&& !ch_generate_transport_params(ch
)) {
1112 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1120 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_TRANSPORT_PARAMETER_ERROR
,
1126 * Called when we want to generate transport parameters. This is called
1127 * immediately at instantiation time for a client and after we receive the
1128 * client's transport parameters for a server.
1130 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
)
1133 BUF_MEM
*buf_mem
= NULL
;
1138 if (ch
->local_transport_params
!= NULL
)
1141 if ((buf_mem
= BUF_MEM_new()) == NULL
)
1144 if (!WPACKET_init(&wpkt
, buf_mem
))
1149 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
,
1153 if (ch
->is_server
) {
1154 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_ORIG_DCID
,
1158 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1159 &ch
->cur_local_dcid
))
1162 /* Client always uses an empty SCID. */
1163 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1168 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_IDLE_TIMEOUT
,
1169 ch
->max_idle_timeout
))
1172 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
,
1173 QUIC_MIN_INITIAL_DGRAM_LEN
))
1176 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
,
1180 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_DATA
,
1181 ossl_quic_rxfc_get_cwm(&ch
->conn_rxfc
)))
1185 * We actually want the default CWM for a new RXFC, but here we just use
1186 * stream0 as a representative specimen. TODO(QUIC): revisit this when we
1187 * support multiple streams.
1189 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
,
1190 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1193 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
,
1194 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1197 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
,
1198 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1201 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
,
1202 ch
->is_server
? 1 : 0))
1205 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
,
1209 if (!WPACKET_get_total_written(&wpkt
, &buf_len
))
1212 ch
->local_transport_params
= (unsigned char *)buf_mem
->data
;
1213 buf_mem
->data
= NULL
;
1215 if (!WPACKET_finish(&wpkt
))
1220 if (!ossl_quic_tls_set_transport_params(ch
->qtls
, ch
->local_transport_params
,
1227 WPACKET_cleanup(&wpkt
);
1228 BUF_MEM_free(buf_mem
);
1233 * QUIC Channel: Ticker-Mutator
1234 * ============================
1238 * The central ticker function called by the reactor. This does everything, or
1239 * at least everything network I/O related. Best effort - not allowed to fail
1242 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
, uint32_t flags
)
1244 OSSL_TIME now
, deadline
;
1245 QUIC_CHANNEL
*ch
= arg
;
1246 int channel_only
= (flags
& QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY
) != 0;
1249 * When we tick the QUIC connection, we do everything we need to do
1250 * periodically. In order, we:
1252 * - handle any incoming data from the network;
1253 * - handle any timer events which are due to fire (ACKM, etc.)
1254 * - write any data to the network due to be sent, to the extent
1256 * - determine the time at which we should next be ticked.
1259 /* If we are in the TERMINATED state, there is nothing to do. */
1260 if (ossl_quic_channel_is_terminated(ch
)) {
1261 res
->net_read_desired
= 0;
1262 res
->net_write_desired
= 0;
1263 res
->tick_deadline
= ossl_time_infinite();
1268 * If we are in the TERMINATING state, check if the terminating timer has
1271 if (ossl_quic_channel_is_terminating(ch
)) {
1274 if (ossl_time_compare(now
, ch
->terminate_deadline
) >= 0) {
1275 ch_on_terminating_timeout(ch
);
1276 res
->net_read_desired
= 0;
1277 res
->net_write_desired
= 0;
1278 res
->tick_deadline
= ossl_time_infinite();
1279 return; /* abort normal processing, nothing to do */
1283 /* Handle any incoming data from network. */
1287 /* Process queued incoming packets. */
1291 * Allow the handshake layer to check for any new incoming data and generate
1292 * new outgoing data.
1294 ch
->have_new_rx_secret
= 0;
1296 ossl_quic_tls_tick(ch
->qtls
);
1299 * If the handshake layer gave us a new secret, we need to do RX again
1300 * because packets that were not previously processable and were
1301 * deferred might now be processable.
1303 * TODO(QUIC): Consider handling this in the yield_secret callback.
1305 } while (ch
->have_new_rx_secret
);
1308 * Handle any timer events which are due to fire; namely, the loss detection
1309 * deadline and the idle timeout.
1311 * ACKM ACK generation deadline is polled by TXP, so we don't need to handle
1315 if (ossl_time_compare(now
, ch
->idle_deadline
) >= 0) {
1317 * Idle timeout differs from normal protocol violation because we do not
1318 * send a CONN_CLOSE frame; go straight to TERMINATED.
1320 ch_on_idle_timeout(ch
);
1321 res
->net_read_desired
= 0;
1322 res
->net_write_desired
= 0;
1323 res
->tick_deadline
= ossl_time_infinite();
1327 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1328 if (!ossl_time_is_zero(deadline
) && ossl_time_compare(now
, deadline
) >= 0)
1329 ossl_ackm_on_timeout(ch
->ackm
);
1331 /* If a ping is due, inform TXP. */
1332 if (ossl_time_compare(now
, ch
->ping_deadline
) >= 0) {
1333 int pn_space
= ossl_quic_enc_level_to_pn_space(ch
->tx_enc_level
);
1335 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch
->txp
, pn_space
);
1338 /* Write any data to the network due to be sent. */
1341 /* Determine the time at which we should next be ticked. */
1342 res
->tick_deadline
= ch_determine_next_tick_deadline(ch
);
1345 * Always process network input unless we are now terminated.
1346 * Although we had not terminated at the beginning of this tick, network
1347 * errors in ch_rx_pre() or ch_tx() may have caused us to transition to the
1350 res
->net_read_desired
= !ossl_quic_channel_is_terminated(ch
);
1352 /* We want to write to the network if we have any in our queue. */
1353 res
->net_write_desired
1354 = (!ossl_quic_channel_is_terminated(ch
)
1355 && ossl_qtx_get_queue_len_datagrams(ch
->qtx
) > 0);
1358 /* Process incoming datagrams, if any. */
1359 static void ch_rx_pre(QUIC_CHANNEL
*ch
)
1363 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1367 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams
1368 * to the appropriate QRX instance.
1370 ret
= ossl_quic_demux_pump(ch
->demux
);
1371 if (ret
== QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL
)
1373 * We don't care about transient failure, but permanent failure means we
1374 * should tear down the connection as though a protocol violation
1375 * occurred. Skip straight to the Terminating state as there is no point
1376 * trying to send CONNECTION_CLOSE frames if the network BIO is not
1377 * operating correctly.
1379 ch_raise_net_error(ch
);
1382 /* Process queued incoming packets and handle frames, if any. */
1383 static int ch_rx(QUIC_CHANNEL
*ch
)
1385 int handled_any
= 0;
1387 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1389 * We have not sent anything yet, therefore there is no need to check
1390 * for incoming data.
1395 assert(ch
->qrx_pkt
== NULL
);
1397 if (!ossl_qrx_read_pkt(ch
->qrx
, &ch
->qrx_pkt
))
1403 ch_rx_handle_packet(ch
); /* best effort */
1406 * Regardless of the outcome of frame handling, unref the packet.
1407 * This will free the packet unless something added another
1408 * reference to it during frame processing.
1410 ossl_qrx_pkt_release(ch
->qrx_pkt
);
1413 ch
->have_sent_ack_eliciting_since_rx
= 0;
1418 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
1419 * process one or more incoming packets.
1421 if (handled_any
&& ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
)
1422 ch
->conn_close_queued
= 1;
1427 /* Handles the packet currently in ch->qrx_pkt->hdr. */
1428 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
)
1432 assert(ch
->qrx_pkt
!= NULL
);
1434 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)) {
1435 if (!ch
->have_received_enc_pkt
) {
1436 ch
->init_scid
= ch
->qrx_pkt
->hdr
->src_conn_id
;
1437 ch
->have_received_enc_pkt
= 1;
1440 * We change to using the SCID in the first Initial packet as the
1443 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->init_scid
);
1446 enc_level
= ossl_quic_pkt_type_to_enc_level(ch
->qrx_pkt
->hdr
->type
);
1447 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1448 /* Do not process packets from ELs we have already discarded. */
1452 /* Handle incoming packet. */
1453 switch (ch
->qrx_pkt
->hdr
->type
) {
1454 case QUIC_PKT_TYPE_RETRY
:
1455 if (ch
->doing_retry
|| ch
->is_server
)
1457 * It is not allowed to ask a client to do a retry more than
1458 * once. Clients may not send retries.
1462 if (ch
->qrx_pkt
->hdr
->len
<= QUIC_RETRY_INTEGRITY_TAG_LEN
)
1463 /* Packets with zero-length Retry Tokens are invalid. */
1467 * TODO(QUIC): Theoretically this should probably be in the QRX.
1468 * However because validation is dependent on context (namely the
1469 * client's initial DCID) we can't do this cleanly. In the future we
1470 * should probably add a callback to the QRX to let it call us (via
1471 * the DEMUX) and ask us about the correct original DCID, rather
1472 * than allow the QRX to emit a potentially malformed packet to the
1473 * upper layers. However, special casing this will do for now.
1475 if (!ossl_quic_validate_retry_integrity_tag(ch
->libctx
,
1479 /* Malformed retry packet, ignore. */
1482 ch_retry(ch
, ch
->qrx_pkt
->hdr
->data
,
1483 ch
->qrx_pkt
->hdr
->len
- QUIC_RETRY_INTEGRITY_TAG_LEN
,
1484 &ch
->qrx_pkt
->hdr
->src_conn_id
);
1487 case QUIC_PKT_TYPE_0RTT
:
1489 /* Clients should never receive 0-RTT packets. */
1493 * TODO(QUIC): Implement 0-RTT on the server side. We currently do
1494 * not need to implement this as a client can only do 0-RTT if we
1495 * have given it permission to in a previous session.
1499 case QUIC_PKT_TYPE_INITIAL
:
1500 case QUIC_PKT_TYPE_HANDSHAKE
:
1501 case QUIC_PKT_TYPE_1RTT
:
1502 if (ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_HANDSHAKE
)
1504 * We automatically drop INITIAL EL keys when first successfully
1505 * decrypting a HANDSHAKE packet, as per the RFC.
1507 ch_discard_el(ch
, QUIC_ENC_LEVEL_INITIAL
);
1509 /* This packet contains frames, pass to the RXDP. */
1510 ossl_quic_handle_frames(ch
, ch
->qrx_pkt
); /* best effort */
1520 * This is called by the demux when we get a packet not destined for any known
1523 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
)
1525 QUIC_CHANNEL
*ch
= arg
;
1529 if (!ossl_assert(ch
->is_server
))
1533 * We only support one connection to our server currently, so if we already
1534 * started one, ignore any new connection attempts.
1536 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
1540 * We have got a packet for an unknown DCID. This might be an attempt to
1541 * open a new connection.
1543 if (e
->data_len
< QUIC_MIN_INITIAL_DGRAM_LEN
)
1546 if (!PACKET_buf_init(&pkt
, ossl_quic_urxe_data(e
), e
->data_len
))
1550 * We set short_conn_id_len to SIZE_MAX here which will cause the decode
1551 * operation to fail if we get a 1-RTT packet. This is fine since we only
1552 * care about Initial packets.
1554 if (!ossl_quic_wire_decode_pkt_hdr(&pkt
, SIZE_MAX
, 1, &hdr
, NULL
))
1557 switch (hdr
.version
) {
1558 case QUIC_VERSION_1
:
1561 case QUIC_VERSION_NONE
:
1563 /* Unknown version or proactive version negotiation request, bail. */
1564 /* TODO(QUIC): Handle version negotiation on server side */
1569 * We only care about Initial packets which might be trying to establish a
1572 if (hdr
.type
!= QUIC_PKT_TYPE_INITIAL
)
1576 * Assume this is a valid attempt to initiate a connection.
1578 * We do not register the DCID in the initial packet we received and that
1579 * DCID is not actually used again, thus after provisioning the correct
1580 * Initial keys derived from it (which is done in the call below) we pass
1581 * the received packet directly to the QRX so that it can process it as a
1582 * one-time thing, instead of going through the usual DEMUX DCID-based
1585 if (!ch_server_on_new_conn(ch
, &e
->peer
,
1590 ossl_qrx_inject_urxe(ch
->qrx
, e
);
1594 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1597 ossl_quic_demux_release_urxe(ch
->demux
, e
);
1600 /* Try to generate packets and if possible, flush them to the network. */
1601 static int ch_tx(QUIC_CHANNEL
*ch
)
1603 int sent_ack_eliciting
= 0;
1605 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
) {
1607 * While closing, only send CONN_CLOSE if we've received more traffic
1608 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
1609 * future calls to it generate CONN_CLOSE frames, so otherwise we would
1610 * just constantly generate CONN_CLOSE frames.
1612 if (!ch
->conn_close_queued
)
1615 ch
->conn_close_queued
= 0;
1619 * Send a packet, if we need to. Best effort. The TXP consults the CC and
1620 * applies any limitations imposed by it, so we don't need to do it here.
1622 * Best effort. In particular if TXP fails for some reason we should still
1623 * flush any queued packets which we already generated.
1625 switch (ossl_quic_tx_packetiser_generate(ch
->txp
,
1626 TX_PACKETISER_ARCHETYPE_NORMAL
,
1627 &sent_ack_eliciting
)) {
1628 case TX_PACKETISER_RES_SENT_PKT
:
1629 ch
->have_sent_any_pkt
= 1; /* Packet was sent */
1632 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
1633 * sending an ack-eliciting packet if no other ack-eliciting packets
1634 * have been sent since last receiving and processing a packet.'
1636 if (sent_ack_eliciting
&& !ch
->have_sent_ack_eliciting_since_rx
) {
1638 ch
->have_sent_ack_eliciting_since_rx
= 1;
1641 ch_update_ping_deadline(ch
);
1644 case TX_PACKETISER_RES_NO_PKT
:
1645 break; /* No packet was sent */
1647 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1649 break; /* Internal failure (e.g. allocation, assertion) */
1652 /* Flush packets to network. */
1653 switch (ossl_qtx_flush_net(ch
->qtx
)) {
1654 case QTX_FLUSH_NET_RES_OK
:
1655 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL
:
1656 /* Best effort, done for now. */
1659 case QTX_FLUSH_NET_RES_PERMANENT_FAIL
:
1661 /* Permanent underlying network BIO, start terminating. */
1662 ch_raise_net_error(ch
);
1669 /* Determine next tick deadline. */
1670 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
)
1675 if (ossl_quic_channel_is_terminated(ch
))
1676 return ossl_time_infinite();
1678 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1679 if (ossl_time_is_zero(deadline
))
1680 deadline
= ossl_time_infinite();
1682 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
)
1683 deadline
= ossl_time_min(deadline
,
1684 ossl_ackm_get_ack_deadline(ch
->ackm
, pn_space
));
1686 /* When will CC let us send more? */
1687 if (ossl_quic_tx_packetiser_has_pending(ch
->txp
, TX_PACKETISER_ARCHETYPE_NORMAL
,
1688 TX_PACKETISER_BYPASS_CC
))
1689 deadline
= ossl_time_min(deadline
,
1690 ch
->cc_method
->get_wakeup_deadline(ch
->cc_data
));
1692 /* Is the terminating timer armed? */
1693 if (ossl_quic_channel_is_terminating(ch
))
1694 deadline
= ossl_time_min(deadline
,
1695 ch
->terminate_deadline
);
1696 else if (!ossl_time_is_infinite(ch
->idle_deadline
))
1697 deadline
= ossl_time_min(deadline
,
1701 * When do we need to send an ACK-eliciting packet to reset the idle
1702 * deadline timer for the peer?
1704 if (!ossl_time_is_infinite(ch
->ping_deadline
))
1705 deadline
= ossl_time_min(deadline
,
1712 * QUIC Channel: Network BIO Configuration
1713 * =======================================
1716 /* Determines whether we can support a given poll descriptor. */
1717 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR
*d
)
1719 if (d
->type
== BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD
&& d
->value
.fd
< 0)
1725 BIO
*ossl_quic_channel_get_net_rbio(QUIC_CHANNEL
*ch
)
1727 return ch
->net_rbio
;
1730 BIO
*ossl_quic_channel_get_net_wbio(QUIC_CHANNEL
*ch
)
1732 return ch
->net_wbio
;
1736 * QUIC_CHANNEL does not ref any BIO it is provided with, nor is any ref
1737 * transferred to it. The caller (i.e., QUIC_CONNECTION) is responsible for
1738 * ensuring the BIO lasts until the channel is freed or the BIO is switched out
1739 * for another BIO by a subsequent successful call to this function.
1741 int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL
*ch
, BIO
*net_rbio
)
1743 BIO_POLL_DESCRIPTOR d
= {0};
1745 if (ch
->net_rbio
== net_rbio
)
1748 if (net_rbio
!= NULL
) {
1749 if (!BIO_get_rpoll_descriptor(net_rbio
, &d
))
1750 /* Non-pollable BIO */
1751 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
1753 if (!validate_poll_descriptor(&d
))
1757 ossl_quic_reactor_set_poll_r(&ch
->rtor
, &d
);
1758 ossl_quic_demux_set_bio(ch
->demux
, net_rbio
);
1759 ch
->net_rbio
= net_rbio
;
1763 int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL
*ch
, BIO
*net_wbio
)
1765 BIO_POLL_DESCRIPTOR d
= {0};
1767 if (ch
->net_wbio
== net_wbio
)
1770 if (net_wbio
!= NULL
) {
1771 if (!BIO_get_wpoll_descriptor(net_wbio
, &d
))
1772 /* Non-pollable BIO */
1773 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
1775 if (!validate_poll_descriptor(&d
))
1779 ossl_quic_reactor_set_poll_w(&ch
->rtor
, &d
);
1780 ossl_qtx_set_bio(ch
->qtx
, net_wbio
);
1781 ch
->net_wbio
= net_wbio
;
1786 * QUIC Channel: Lifecycle Events
1787 * ==============================
1789 int ossl_quic_channel_start(QUIC_CHANNEL
*ch
)
1793 * This is not used by the server. The server moves to active
1794 * automatically on receiving an incoming connection.
1798 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
1799 /* Calls to connect are idempotent */
1802 /* Inform QTX of peer address. */
1803 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
1806 /* Plug in secrets for the Initial EL. */
1807 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
1815 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
1816 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
1818 /* Handshake layer: start (e.g. send CH). */
1819 if (!ossl_quic_tls_tick(ch
->qtls
))
1822 ossl_quic_reactor_tick(&ch
->rtor
, 0); /* best effort */
1826 /* Start a locally initiated connection shutdown. */
1827 void ossl_quic_channel_local_close(QUIC_CHANNEL
*ch
, uint64_t app_error_code
)
1829 QUIC_TERMINATE_CAUSE tcause
= {0};
1831 if (ossl_quic_channel_is_term_any(ch
))
1835 tcause
.error_code
= app_error_code
;
1836 ch_start_terminating(ch
, &tcause
, 0);
1839 static void free_token(const unsigned char *buf
, size_t buf_len
, void *arg
)
1841 OPENSSL_free((unsigned char *)buf
);
1844 /* Called when a server asks us to do a retry. */
1845 static int ch_retry(QUIC_CHANNEL
*ch
,
1846 const unsigned char *retry_token
,
1847 size_t retry_token_len
,
1848 const QUIC_CONN_ID
*retry_scid
)
1852 /* We change to using the SCID in the Retry packet as the DCID. */
1853 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, retry_scid
))
1857 * Now we retry. We will release the Retry packet immediately, so copy
1860 if ((buf
= OPENSSL_memdup(retry_token
, retry_token_len
)) == NULL
)
1863 ossl_quic_tx_packetiser_set_initial_token(ch
->txp
, buf
, retry_token_len
,
1866 ch
->retry_scid
= *retry_scid
;
1867 ch
->doing_retry
= 1;
1870 * We need to stimulate the Initial EL to generate the first CRYPTO frame
1871 * again. We can do this most cleanly by simply forcing the ACKM to consider
1872 * the first Initial packet as lost, which it effectively was as the server
1873 * hasn't processed it. This also maintains the desired behaviour with e.g.
1874 * PNs not resetting and so on.
1876 * The PN we used initially is always zero, because QUIC does not allow
1879 if (!ossl_ackm_mark_packet_pseudo_lost(ch
->ackm
, QUIC_PN_SPACE_INITIAL
,
1884 * Plug in new secrets for the Initial EL. This is the only time we change
1885 * the secrets for an EL after we already provisioned it.
1887 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
1897 /* Called when an EL is to be discarded. */
1898 static int ch_discard_el(QUIC_CHANNEL
*ch
,
1901 if (!ossl_assert(enc_level
< QUIC_ENC_LEVEL_1RTT
))
1904 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1908 /* Best effort for all of these. */
1909 ossl_quic_tx_packetiser_discard_enc_level(ch
->txp
, enc_level
);
1910 ossl_qrx_discard_enc_level(ch
->qrx
, enc_level
);
1911 ossl_qtx_discard_enc_level(ch
->qtx
, enc_level
);
1913 if (enc_level
!= QUIC_ENC_LEVEL_0RTT
) {
1914 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
1916 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
1918 /* We should still have crypto streams at this point. */
1919 if (!ossl_assert(ch
->crypto_send
[pn_space
] != NULL
)
1920 || !ossl_assert(ch
->crypto_recv
[pn_space
] != NULL
))
1923 /* Get rid of the crypto stream state for the EL. */
1924 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
1925 ch
->crypto_send
[pn_space
] = NULL
;
1927 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
1928 ch
->crypto_recv
[pn_space
] = NULL
;
1931 ch
->el_discarded
|= (1U << enc_level
);
1935 /* Intended to be called by the RXDP. */
1936 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL
*ch
)
1938 if (ch
->handshake_confirmed
)
1941 if (!ch
->handshake_complete
) {
1943 * Does not make sense for handshake to be confirmed before it is
1946 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
1947 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE
,
1948 "handshake cannot be confirmed "
1949 "before it is completed");
1953 ch_discard_el(ch
, QUIC_ENC_LEVEL_HANDSHAKE
);
1954 ch
->handshake_confirmed
= 1;
1959 * Master function used when we want to start tearing down a connection:
1961 * - If the connection is still IDLE we can go straight to TERMINATED;
1963 * - If we are already TERMINATED this is a no-op.
1965 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
1966 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
1968 * - If we are TERMINATING - DRAINING, we remain here until the terminating
1971 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
1972 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
1973 * that we are considered to have caused a termination if we sent the first
1974 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
1975 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
1976 * TERMINATING - DRAINING.
1978 * We record the termination cause structure passed on the first call only.
1979 * Any successive calls have their termination cause data discarded;
1980 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
1983 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
1984 const QUIC_TERMINATE_CAUSE
*tcause
,
1985 int force_immediate
)
1987 switch (ch
->state
) {
1989 case QUIC_CHANNEL_STATE_IDLE
:
1990 ch
->terminate_cause
= *tcause
;
1991 ch_on_terminating_timeout(ch
);
1994 case QUIC_CHANNEL_STATE_ACTIVE
:
1995 ch
->terminate_cause
= *tcause
;
1997 if (!force_immediate
) {
1998 ch
->state
= tcause
->remote
? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
1999 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING
;
2000 ch
->terminate_deadline
2001 = ossl_time_add(get_time(ch
),
2002 ossl_time_multiply(ossl_ackm_get_pto_duration(ch
->ackm
),
2005 if (!tcause
->remote
) {
2006 OSSL_QUIC_FRAME_CONN_CLOSE f
= {0};
2009 f
.error_code
= ch
->terminate_cause
.error_code
;
2010 f
.frame_type
= ch
->terminate_cause
.frame_type
;
2011 f
.is_app
= ch
->terminate_cause
.app
;
2012 ossl_quic_tx_packetiser_schedule_conn_close(ch
->txp
, &f
);
2013 ch
->conn_close_queued
= 1;
2016 ch_on_terminating_timeout(ch
);
2020 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING
:
2021 if (force_immediate
)
2022 ch_on_terminating_timeout(ch
);
2023 else if (tcause
->remote
)
2024 ch
->state
= QUIC_CHANNEL_STATE_TERMINATING_DRAINING
;
2028 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING
:
2030 * Other than in the force-immediate case, we remain here until the
2033 if (force_immediate
)
2034 ch_on_terminating_timeout(ch
);
2038 case QUIC_CHANNEL_STATE_TERMINATED
:
2045 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL
*ch
,
2046 OSSL_QUIC_FRAME_CONN_CLOSE
*f
)
2048 QUIC_TERMINATE_CAUSE tcause
= {0};
2050 if (!ossl_quic_channel_is_active(ch
))
2054 tcause
.app
= f
->is_app
;
2055 tcause
.error_code
= f
->error_code
;
2056 tcause
.frame_type
= f
->frame_type
;
2058 ch_start_terminating(ch
, &tcause
, 0);
2061 static void ch_raise_net_error(QUIC_CHANNEL
*ch
)
2063 QUIC_TERMINATE_CAUSE tcause
= {0};
2065 tcause
.error_code
= QUIC_ERR_INTERNAL_ERROR
;
2068 * Skip Terminating state and go directly to Terminated, no point trying to
2069 * send CONNECTION_CLOSE if we cannot communicate.
2071 ch_start_terminating(ch
, &tcause
, 1);
2074 void ossl_quic_channel_raise_protocol_error(QUIC_CHANNEL
*ch
,
2075 uint64_t error_code
,
2076 uint64_t frame_type
,
2079 QUIC_TERMINATE_CAUSE tcause
= {0};
2081 tcause
.error_code
= error_code
;
2082 tcause
.frame_type
= frame_type
;
2084 ch_start_terminating(ch
, &tcause
, 0);
2088 * Called once the terminating timer expires, meaning we move from TERMINATING
2091 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
)
2093 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2097 * Updates our idle deadline. Called when an event happens which should bump the
2100 static void ch_update_idle(QUIC_CHANNEL
*ch
)
2102 if (ch
->max_idle_timeout
== 0)
2103 ch
->idle_deadline
= ossl_time_infinite();
2105 ch
->idle_deadline
= ossl_time_add(get_time(ch
),
2106 ossl_ms2time(ch
->max_idle_timeout
));
2110 * Updates our ping deadline, which determines when we next generate a ping if
2111 * we don't have any other ACK-eliciting frames to send.
2113 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
)
2115 if (ch
->max_idle_timeout
> 0) {
2117 * Maximum amount of time without traffic before we send a PING to keep
2118 * the connection open. Usually we use max_idle_timeout/2, but ensure
2119 * the period never exceeds the assumed NAT interval to ensure NAT
2120 * devices don't have their state time out (RFC 9000 s. 10.1.2).
2123 = ossl_time_divide(ossl_ms2time(ch
->max_idle_timeout
), 2);
2125 max_span
= ossl_time_min(max_span
, MAX_NAT_INTERVAL
);
2127 ch
->ping_deadline
= ossl_time_add(get_time(ch
), max_span
);
2129 ch
->ping_deadline
= ossl_time_infinite();
2133 /* Called when the idle timeout expires. */
2134 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
)
2137 * Idle timeout does not have an error code associated with it because a
2138 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
2139 * TERMINATED anyway.
2141 ch
->terminate_cause
.app
= 0;
2142 ch
->terminate_cause
.error_code
= UINT64_MAX
;
2143 ch
->terminate_cause
.frame_type
= 0;
2145 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2148 /* Called when we, as a server, get a new incoming connection. */
2149 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
2150 const QUIC_CONN_ID
*peer_scid
,
2151 const QUIC_CONN_ID
*peer_dcid
)
2153 if (!ossl_assert(ch
->state
== QUIC_CHANNEL_STATE_IDLE
&& ch
->is_server
))
2156 /* Generate a SCID we will use for the connection. */
2157 if (!gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
,
2158 &ch
->cur_local_dcid
))
2161 /* Note our newly learnt peer address and CIDs. */
2162 ch
->cur_peer_addr
= *peer
;
2163 ch
->init_dcid
= *peer_dcid
;
2164 ch
->cur_remote_dcid
= *peer_scid
;
2166 /* Inform QTX of peer address. */
2167 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
2170 /* Inform TXP of desired CIDs. */
2171 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
))
2174 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_dcid
))
2177 /* Plug in secrets for the Initial EL. */
2178 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
2185 /* Register our local DCID in the DEMUX. */
2186 if (!ossl_qrx_add_dst_conn_id(ch
->qrx
, &ch
->cur_local_dcid
))
2190 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
2191 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
2195 SSL
*ossl_quic_channel_get0_ssl(QUIC_CHANNEL
*ch
)