2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/quic_channel.h"
11 #include "internal/quic_error.h"
12 #include "internal/quic_rx_depack.h"
13 #include "../ssl_local.h"
14 #include "quic_channel_local.h"
15 #include <openssl/rand.h>
18 * NOTE: While this channel implementation currently has basic server support,
19 * this functionality has been implemented for internal testing purposes and is
20 * not suitable for network use. In particular, it does not implement address
21 * validation, anti-amplification or retry logic.
23 * TODO(QUIC): Implement address validation and anti-amplification
24 * TODO(QUIC): Implement retry logic
27 #define INIT_DCID_LEN 8
28 #define INIT_CRYPTO_BUF_LEN 8192
29 #define INIT_APP_BUF_LEN 8192
31 static void ch_rx_pre(QUIC_CHANNEL
*ch
);
32 static int ch_rx(QUIC_CHANNEL
*ch
);
33 static int ch_tx(QUIC_CHANNEL
*ch
);
34 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
);
35 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
);
36 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
);
37 static int ch_retry(QUIC_CHANNEL
*ch
,
38 const unsigned char *retry_token
,
39 size_t retry_token_len
,
40 const QUIC_CONN_ID
*retry_scid
);
41 static void ch_cleanup(QUIC_CHANNEL
*ch
);
42 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
);
43 static int ch_on_transport_params(const unsigned char *params
,
46 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
);
47 static int ch_on_handshake_complete(void *arg
);
48 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
49 uint32_t suite_id
, EVP_MD
*md
,
50 const unsigned char *secret
,
53 static int ch_on_crypto_recv(unsigned char *buf
, size_t buf_len
,
54 size_t *bytes_read
, void *arg
);
55 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
);
56 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
57 size_t *consumed
, void *arg
);
58 static OSSL_TIME
get_time(void *arg
);
59 static uint64_t get_stream_limit(int uni
, void *arg
);
60 static int rx_early_validate(QUIC_PN pn
, int pn_space
, void *arg
);
61 static int ch_retry(QUIC_CHANNEL
*ch
,
62 const unsigned char *retry_token
,
63 size_t retry_token_len
,
64 const QUIC_CONN_ID
*retry_scid
);
65 static void ch_update_idle(QUIC_CHANNEL
*ch
);
66 static int ch_discard_el(QUIC_CHANNEL
*ch
,
68 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
);
69 static void ch_update_idle(QUIC_CHANNEL
*ch
);
70 static void ch_raise_net_error(QUIC_CHANNEL
*ch
);
71 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
);
72 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
73 const QUIC_TERMINATE_CAUSE
*tcause
,
75 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
);
76 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
77 const QUIC_CONN_ID
*peer_scid
,
78 const QUIC_CONN_ID
*peer_dcid
);
80 static int gen_rand_conn_id(OSSL_LIB_CTX
*libctx
, size_t len
, QUIC_CONN_ID
*cid
)
82 if (len
> QUIC_MAX_CONN_ID_LEN
)
85 cid
->id_len
= (unsigned char)len
;
87 if (RAND_bytes_ex(libctx
, cid
->id
, len
, len
* 8) != 1) {
96 * QUIC Channel Initialization and Teardown
97 * ========================================
99 static int ch_init(QUIC_CHANNEL
*ch
)
101 OSSL_QUIC_TX_PACKETISER_ARGS txp_args
= {0};
102 OSSL_QTX_ARGS qtx_args
= {0};
103 OSSL_QRX_ARGS qrx_args
= {0};
104 QUIC_TLS_ARGS tls_args
= {0};
106 size_t rx_short_cid_len
= ch
->is_server
? INIT_DCID_LEN
: 0;
108 /* For clients, generate our initial DCID. */
110 && !gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
, &ch
->init_dcid
))
113 /* We plug in a network write BIO to the QTX later when we get one. */
114 qtx_args
.libctx
= ch
->libctx
;
115 qtx_args
.mdpl
= QUIC_MIN_INITIAL_DGRAM_LEN
;
116 ch
->rx_max_udp_payload_size
= qtx_args
.mdpl
;
118 ch
->qtx
= ossl_qtx_new(&qtx_args
);
122 ch
->txpim
= ossl_quic_txpim_new();
123 if (ch
->txpim
== NULL
)
126 ch
->cfq
= ossl_quic_cfq_new();
130 if (!ossl_quic_txfc_init(&ch
->conn_txfc
, NULL
))
133 if (!ossl_quic_rxfc_init(&ch
->conn_rxfc
, NULL
,
139 if (!ossl_statm_init(&ch
->statm
))
143 ch
->cc_method
= &ossl_cc_dummy_method
;
144 if ((ch
->cc_data
= ch
->cc_method
->new(NULL
, NULL
, NULL
)) == NULL
)
147 if ((ch
->ackm
= ossl_ackm_new(get_time
, NULL
, &ch
->statm
,
148 ch
->cc_method
, ch
->cc_data
)) == NULL
)
151 if (!ossl_quic_stream_map_init(&ch
->qsm
, get_stream_limit
, ch
))
156 /* We use a zero-length SCID. */
157 txp_args
.cur_dcid
= ch
->init_dcid
;
158 txp_args
.ack_delay_exponent
= 3;
159 txp_args
.qtx
= ch
->qtx
;
160 txp_args
.txpim
= ch
->txpim
;
161 txp_args
.cfq
= ch
->cfq
;
162 txp_args
.ackm
= ch
->ackm
;
163 txp_args
.qsm
= &ch
->qsm
;
164 txp_args
.conn_txfc
= &ch
->conn_txfc
;
165 txp_args
.conn_rxfc
= &ch
->conn_rxfc
;
166 txp_args
.cc_method
= ch
->cc_method
;
167 txp_args
.cc_data
= ch
->cc_data
;
168 txp_args
.now
= get_time
;
169 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
170 ch
->crypto_send
[pn_space
] = ossl_quic_sstream_new(INIT_CRYPTO_BUF_LEN
);
171 if (ch
->crypto_send
[pn_space
] == NULL
)
174 txp_args
.crypto
[pn_space
] = ch
->crypto_send
[pn_space
];
177 ch
->txp
= ossl_quic_tx_packetiser_new(&txp_args
);
181 if ((ch
->demux
= ossl_quic_demux_new(/*BIO=*/NULL
,
182 /*Short CID Len=*/rx_short_cid_len
,
183 get_time
, NULL
)) == NULL
)
187 * If we are a server, setup our handler for packets not corresponding to
188 * any known DCID on our end. This is for handling clients establishing new
192 ossl_quic_demux_set_default_handler(ch
->demux
,
193 ch_default_packet_handler
,
196 qrx_args
.libctx
= ch
->libctx
;
197 qrx_args
.demux
= ch
->demux
;
198 qrx_args
.short_conn_id_len
= rx_short_cid_len
;
199 qrx_args
.max_deferred
= 32;
201 if ((ch
->qrx
= ossl_qrx_new(&qrx_args
)) == NULL
)
204 if (!ossl_qrx_set_early_validation_cb(ch
->qrx
,
209 if (!ch
->is_server
&& !ossl_qrx_add_dst_conn_id(ch
->qrx
, &txp_args
.cur_scid
))
212 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
213 ch
->crypto_recv
[pn_space
] = ossl_quic_rstream_new(NULL
, NULL
, 0);
214 if (ch
->crypto_recv
[pn_space
] == NULL
)
218 if ((ch
->stream0
= ossl_quic_stream_map_alloc(&ch
->qsm
, 0,
219 QUIC_STREAM_INITIATOR_CLIENT
220 | QUIC_STREAM_DIR_BIDI
)) == NULL
)
223 if ((ch
->stream0
->sstream
= ossl_quic_sstream_new(INIT_APP_BUF_LEN
)) == NULL
)
226 if ((ch
->stream0
->rstream
= ossl_quic_rstream_new(NULL
, NULL
, 0)) == NULL
)
229 if (!ossl_quic_txfc_init(&ch
->stream0
->txfc
, &ch
->conn_txfc
))
232 if (!ossl_quic_rxfc_init(&ch
->stream0
->rxfc
, &ch
->conn_rxfc
,
238 /* Plug in the TLS handshake layer. */
239 tls_args
.s
= ch
->tls
;
240 tls_args
.crypto_send_cb
= ch_on_crypto_send
;
241 tls_args
.crypto_send_cb_arg
= ch
;
242 tls_args
.crypto_recv_cb
= ch_on_crypto_recv
;
243 tls_args
.crypto_recv_cb_arg
= ch
;
244 tls_args
.yield_secret_cb
= ch_on_handshake_yield_secret
;
245 tls_args
.yield_secret_cb_arg
= ch
;
246 tls_args
.got_transport_params_cb
= ch_on_transport_params
;
247 tls_args
.got_transport_params_cb_arg
= ch
;
248 tls_args
.handshake_complete_cb
= ch_on_handshake_complete
;
249 tls_args
.handshake_complete_cb_arg
= ch
;
250 tls_args
.alert_cb
= ch_on_handshake_alert
;
251 tls_args
.alert_cb_arg
= ch
;
252 tls_args
.is_server
= ch
->is_server
;
254 if ((ch
->qtls
= ossl_quic_tls_new(&tls_args
)) == NULL
)
258 * Determine the QUIC Transport Parameters and serialize the transport
259 * parameters block. (For servers, we do this later as we must defer
260 * generation until we have received the client's transport parameters.)
262 if (!ch
->is_server
&& !ch_generate_transport_params(ch
))
265 ch
->rx_max_ack_delay
= QUIC_DEFAULT_MAX_ACK_DELAY
;
266 ch
->rx_ack_delay_exp
= QUIC_DEFAULT_ACK_DELAY_EXP
;
267 ch
->rx_active_conn_id_limit
= QUIC_MIN_ACTIVE_CONN_ID_LIMIT
;
268 ch
->max_idle_timeout
= QUIC_DEFAULT_IDLE_TIMEOUT
;
269 ch
->tx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
270 ch
->rx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
272 ossl_quic_reactor_init(&ch
->rtor
, ch_tick
, ch
,
273 ch_determine_next_tick_deadline(ch
));
281 static void ch_cleanup(QUIC_CHANNEL
*ch
)
285 if (ch
->ackm
!= NULL
)
286 for (pn_space
= QUIC_PN_SPACE_INITIAL
;
287 pn_space
< QUIC_PN_SPACE_NUM
;
289 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
291 ossl_quic_tx_packetiser_free(ch
->txp
);
292 ossl_quic_txpim_free(ch
->txpim
);
293 ossl_quic_cfq_free(ch
->cfq
);
294 ossl_qtx_free(ch
->qtx
);
295 if (ch
->cc_data
!= NULL
)
296 ch
->cc_method
->free(ch
->cc_data
);
298 ossl_statm_destroy(&ch
->statm
);
299 ossl_ackm_free(ch
->ackm
);
301 if (ch
->stream0
!= NULL
) {
302 assert(ch
->have_qsm
);
303 ossl_quic_stream_map_release(&ch
->qsm
, ch
->stream0
); /* frees sstream */
307 ossl_quic_stream_map_cleanup(&ch
->qsm
);
309 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
310 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
311 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
314 ossl_qrx_pkt_release(ch
->qrx_pkt
);
317 ossl_quic_tls_free(ch
->qtls
);
318 ossl_qrx_free(ch
->qrx
);
319 ossl_quic_demux_free(ch
->demux
);
320 OPENSSL_free(ch
->local_transport_params
);
323 QUIC_CHANNEL
*ossl_quic_channel_new(const QUIC_CHANNEL_ARGS
*args
)
325 QUIC_CHANNEL
*ch
= NULL
;
327 if ((ch
= OPENSSL_zalloc(sizeof(*ch
))) == NULL
)
330 ch
->libctx
= args
->libctx
;
331 ch
->propq
= args
->propq
;
332 ch
->is_server
= args
->is_server
;
343 void ossl_quic_channel_free(QUIC_CHANNEL
*ch
)
352 /* Set mutator callbacks for test framework support */
353 int ossl_quic_channel_set_mutator(QUIC_CHANNEL
*ch
,
354 ossl_mutate_packet_cb mutatecb
,
355 ossl_finish_mutate_cb finishmutatecb
,
361 ossl_qtx_set_mutator(ch
->qtx
, mutatecb
, finishmutatecb
, mutatearg
);
365 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL
*ch
, BIO_ADDR
*peer_addr
)
367 *peer_addr
= ch
->cur_peer_addr
;
371 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer_addr
)
373 ch
->cur_peer_addr
= *peer_addr
;
377 QUIC_REACTOR
*ossl_quic_channel_get_reactor(QUIC_CHANNEL
*ch
)
382 QUIC_STREAM_MAP
*ossl_quic_channel_get_qsm(QUIC_CHANNEL
*ch
)
387 OSSL_STATM
*ossl_quic_channel_get_statm(QUIC_CHANNEL
*ch
)
392 QUIC_STREAM
*ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL
*ch
,
395 return ossl_quic_stream_map_get_by_id(&ch
->qsm
, stream_id
);
398 int ossl_quic_channel_is_active(const QUIC_CHANNEL
*ch
)
400 return ch
!= NULL
&& ch
->state
== QUIC_CHANNEL_STATE_ACTIVE
;
403 int ossl_quic_channel_is_terminating(const QUIC_CHANNEL
*ch
)
405 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
406 || ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_DRAINING
)
412 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL
*ch
)
414 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATED
)
420 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL
*ch
)
422 return ossl_quic_channel_is_terminating(ch
)
423 || ossl_quic_channel_is_terminated(ch
);
426 QUIC_TERMINATE_CAUSE
ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL
*ch
)
428 return ch
->terminate_cause
;
431 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL
*ch
)
433 return ch
->handshake_complete
;
436 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL
*ch
)
438 return ch
->handshake_confirmed
;
441 QUIC_DEMUX
*ossl_quic_channel_get0_demux(QUIC_CHANNEL
*ch
)
447 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
448 * ================================================================
451 /* Used by various components. */
452 static OSSL_TIME
get_time(void *arg
)
454 return ossl_time_now();
458 static uint64_t get_stream_limit(int uni
, void *arg
)
460 QUIC_CHANNEL
*ch
= arg
;
462 return uni
? ch
->max_local_streams_uni
: ch
->max_local_streams_bidi
;
466 * Called by QRX to determine if a packet is potentially invalid before trying
469 static int rx_early_validate(QUIC_PN pn
, int pn_space
, void *arg
)
471 QUIC_CHANNEL
*ch
= arg
;
473 /* Potential duplicates should not be processed. */
474 if (!ossl_ackm_is_rx_pn_processable(ch
->ackm
, pn
, pn_space
))
481 * QUIC Channel: Handshake Layer Event Handling
482 * ============================================
484 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
485 size_t *consumed
, void *arg
)
488 QUIC_CHANNEL
*ch
= arg
;
489 uint32_t enc_level
= ch
->tx_enc_level
;
490 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
491 QUIC_SSTREAM
*sstream
= ch
->crypto_send
[pn_space
];
493 if (!ossl_assert(sstream
!= NULL
))
496 ret
= ossl_quic_sstream_append(sstream
, buf
, buf_len
, consumed
);
500 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
)
508 if (!ossl_quic_rstream_available(rstream
, &avail
, &is_fin
))
514 static int ch_on_crypto_recv(unsigned char *buf
, size_t buf_len
,
515 size_t *bytes_read
, void *arg
)
517 QUIC_CHANNEL
*ch
= arg
;
518 QUIC_RSTREAM
*rstream
;
519 int is_fin
= 0; /* crypto stream is never finished, so we don't use this */
523 * After we move to a later EL we must not allow our peer to send any new
524 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
527 * In practice we will only move to a new EL when we have consumed all bytes
528 * which should be sent on the crypto stream at a previous EL. For example,
529 * the Handshake EL should not be provisioned until we have completely
530 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
531 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
532 * given EL is available we simply ensure we have not received any further
533 * bytes at a lower EL.
535 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< ch
->rx_enc_level
; ++i
)
536 if (i
!= QUIC_ENC_LEVEL_0RTT
&&
537 !crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
538 /* Protocol violation (RFC 9001 s. 4.1.3) */
539 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
540 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
541 "crypto stream data in wrong EL");
545 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
549 return ossl_quic_rstream_read(rstream
, buf
, buf_len
, bytes_read
,
553 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
554 uint32_t suite_id
, EVP_MD
*md
,
555 const unsigned char *secret
,
559 QUIC_CHANNEL
*ch
= arg
;
562 if (enc_level
< QUIC_ENC_LEVEL_HANDSHAKE
|| enc_level
>= QUIC_ENC_LEVEL_NUM
)
569 if (enc_level
<= ch
->tx_enc_level
)
571 * Does not make sense for us to try and provision an EL we have already
576 if (!ossl_qtx_provide_secret(ch
->qtx
, enc_level
,
581 ch
->tx_enc_level
= enc_level
;
584 if (enc_level
<= ch
->rx_enc_level
)
586 * Does not make sense for us to try and provision an EL we have already
592 * Ensure all crypto streams for previous ELs are now empty of available
595 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< enc_level
; ++i
)
596 if (!crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
597 /* Protocol violation (RFC 9001 s. 4.1.3) */
598 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
599 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
600 "crypto stream data in wrong EL");
604 if (!ossl_qrx_provide_secret(ch
->qrx
, enc_level
,
609 ch
->have_new_rx_secret
= 1;
610 ch
->rx_enc_level
= enc_level
;
616 static int ch_on_handshake_complete(void *arg
)
618 QUIC_CHANNEL
*ch
= arg
;
620 if (!ossl_assert(!ch
->handshake_complete
))
621 return 0; /* this should not happen twice */
623 if (!ossl_assert(ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
))
626 if (!ch
->got_remote_transport_params
) {
628 * Was not a valid QUIC handshake if we did not get valid transport
631 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
632 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
633 "no transport parameters received");
637 /* Don't need transport parameters anymore. */
638 OPENSSL_free(ch
->local_transport_params
);
639 ch
->local_transport_params
= NULL
;
641 /* Tell TXP the handshake is complete. */
642 ossl_quic_tx_packetiser_notify_handshake_complete(ch
->txp
);
644 ch
->handshake_complete
= 1;
648 * On the server, the handshake is confirmed as soon as it is complete.
650 ossl_quic_channel_on_handshake_confirmed(ch
);
652 ossl_quic_tx_packetiser_schedule_handshake_done(ch
->txp
);
658 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
)
660 QUIC_CHANNEL
*ch
= arg
;
662 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_CRYPTO_ERR_BEGIN
+ alert_code
,
663 0, "handshake alert");
668 * QUIC Channel: Transport Parameter Handling
669 * ==========================================
673 * Called by handshake layer when we receive QUIC Transport Parameters from the
674 * peer. Note that these are not authenticated until the handshake is marked
677 #define TP_REASON_SERVER_ONLY(x) \
678 x " may not be sent by a client"
679 #define TP_REASON_DUP(x) \
680 x " appears multiple times"
681 #define TP_REASON_MALFORMED(x) \
683 #define TP_REASON_EXPECTED_VALUE(x) \
684 x " does not match expected value"
685 #define TP_REASON_NOT_RETRY(x) \
686 x " sent when not performing a retry"
687 #define TP_REASON_REQUIRED(x) \
688 x " was not sent but is required"
690 static int ch_on_transport_params(const unsigned char *params
,
694 QUIC_CHANNEL
*ch
= arg
;
698 const unsigned char *body
;
699 int got_orig_dcid
= 0;
700 int got_initial_scid
= 0;
701 int got_retry_scid
= 0;
702 int got_initial_max_data
= 0;
703 int got_initial_max_stream_data_bidi_local
= 0;
704 int got_initial_max_stream_data_bidi_remote
= 0;
705 int got_initial_max_stream_data_uni
= 0;
706 int got_initial_max_streams_bidi
= 0;
707 int got_initial_max_streams_uni
= 0;
708 int got_ack_delay_exp
= 0;
709 int got_max_ack_delay
= 0;
710 int got_max_udp_payload_size
= 0;
711 int got_max_idle_timeout
= 0;
712 int got_active_conn_id_limit
= 0;
714 const char *reason
= "bad transport parameter";
716 if (ch
->got_remote_transport_params
)
719 if (!PACKET_buf_init(&pkt
, params
, params_len
))
722 while (PACKET_remaining(&pkt
) > 0) {
723 if (!ossl_quic_wire_peek_transport_param(&pkt
, &id
))
727 case QUIC_TPARAM_ORIG_DCID
:
729 reason
= TP_REASON_DUP("ORIG_DCID");
734 reason
= TP_REASON_SERVER_ONLY("ORIG_DCID");
738 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
739 reason
= TP_REASON_MALFORMED("ORIG_DCID");
743 /* Must match our initial DCID. */
744 if (!ossl_quic_conn_id_eq(&ch
->init_dcid
, &cid
)) {
745 reason
= TP_REASON_EXPECTED_VALUE("ORIG_DCID");
752 case QUIC_TPARAM_RETRY_SCID
:
754 reason
= TP_REASON_SERVER_ONLY("RETRY_SCID");
758 if (got_retry_scid
) {
759 reason
= TP_REASON_DUP("RETRY_SCID");
763 if (!ch
->doing_retry
) {
764 reason
= TP_REASON_NOT_RETRY("RETRY_SCID");
768 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
769 reason
= TP_REASON_MALFORMED("RETRY_SCID");
773 /* Must match Retry packet SCID. */
774 if (!ossl_quic_conn_id_eq(&ch
->retry_scid
, &cid
)) {
775 reason
= TP_REASON_EXPECTED_VALUE("RETRY_SCID");
782 case QUIC_TPARAM_INITIAL_SCID
:
783 if (got_initial_scid
) {
784 /* must not appear more than once */
785 reason
= TP_REASON_DUP("INITIAL_SCID");
789 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
790 reason
= TP_REASON_MALFORMED("INITIAL_SCID");
794 /* Must match SCID of first Initial packet from server. */
795 if (!ossl_quic_conn_id_eq(&ch
->init_scid
, &cid
)) {
796 reason
= TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
800 got_initial_scid
= 1;
803 case QUIC_TPARAM_INITIAL_MAX_DATA
:
804 if (got_initial_max_data
) {
805 /* must not appear more than once */
806 reason
= TP_REASON_DUP("INITIAL_MAX_DATA");
810 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
811 reason
= TP_REASON_MALFORMED("INITIAL_MAX_DATA");
815 ossl_quic_txfc_bump_cwm(&ch
->conn_txfc
, v
);
816 got_initial_max_data
= 1;
819 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
:
820 if (got_initial_max_stream_data_bidi_local
) {
821 /* must not appear more than once */
822 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
826 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
827 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
832 * This is correct; the BIDI_LOCAL TP governs streams created by
833 * the endpoint which sends the TP, i.e., our peer.
835 ch
->init_max_stream_data_bidi_remote
= v
;
836 got_initial_max_stream_data_bidi_local
= 1;
839 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
:
840 if (got_initial_max_stream_data_bidi_remote
) {
841 /* must not appear more than once */
842 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
846 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
847 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
852 * This is correct; the BIDI_REMOTE TP governs streams created
853 * by the endpoint which receives the TP, i.e., us.
855 ch
->init_max_stream_data_bidi_local
= v
;
857 /* Apply to stream 0. */
858 ossl_quic_txfc_bump_cwm(&ch
->stream0
->txfc
, v
);
859 got_initial_max_stream_data_bidi_remote
= 1;
862 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
:
863 if (got_initial_max_stream_data_uni
) {
864 /* must not appear more than once */
865 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
869 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
870 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
874 ch
->init_max_stream_data_uni_remote
= v
;
875 got_initial_max_stream_data_uni
= 1;
878 case QUIC_TPARAM_ACK_DELAY_EXP
:
879 if (got_ack_delay_exp
) {
880 /* must not appear more than once */
881 reason
= TP_REASON_DUP("ACK_DELAY_EXP");
885 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
886 || v
> QUIC_MAX_ACK_DELAY_EXP
) {
887 reason
= TP_REASON_MALFORMED("ACK_DELAY_EXP");
891 ch
->rx_ack_delay_exp
= (unsigned char)v
;
892 got_ack_delay_exp
= 1;
895 case QUIC_TPARAM_MAX_ACK_DELAY
:
896 if (got_max_ack_delay
) {
897 /* must not appear more than once */
898 reason
= TP_REASON_DUP("MAX_ACK_DELAY");
902 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
903 || v
>= (((uint64_t)1) << 14)) {
904 reason
= TP_REASON_MALFORMED("MAX_ACK_DELAY");
908 ch
->rx_max_ack_delay
= v
;
909 got_max_ack_delay
= 1;
912 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
:
913 if (got_initial_max_streams_bidi
) {
914 /* must not appear more than once */
915 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
919 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
920 || v
> (((uint64_t)1) << 60)) {
921 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
925 assert(ch
->max_local_streams_bidi
== 0);
926 ch
->max_local_streams_bidi
= v
;
927 got_initial_max_streams_bidi
= 1;
930 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
:
931 if (got_initial_max_streams_uni
) {
932 /* must not appear more than once */
933 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
937 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
938 || v
> (((uint64_t)1) << 60)) {
939 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
943 assert(ch
->max_local_streams_uni
== 0);
944 ch
->max_local_streams_uni
= v
;
945 got_initial_max_streams_uni
= 1;
948 case QUIC_TPARAM_MAX_IDLE_TIMEOUT
:
949 if (got_max_idle_timeout
) {
950 /* must not appear more than once */
951 reason
= TP_REASON_DUP("MAX_IDLE_TIMEOUT");
955 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
956 reason
= TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
960 if (v
< ch
->max_idle_timeout
)
961 ch
->max_idle_timeout
= v
;
964 got_max_idle_timeout
= 1;
967 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
:
968 if (got_max_udp_payload_size
) {
969 /* must not appear more than once */
970 reason
= TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
974 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
975 || v
< QUIC_MIN_INITIAL_DGRAM_LEN
) {
976 reason
= TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
980 ch
->rx_max_udp_payload_size
= v
;
981 got_max_udp_payload_size
= 1;
984 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
:
985 if (got_active_conn_id_limit
) {
986 /* must not appear more than once */
987 reason
= TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
991 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
992 || v
< QUIC_MIN_ACTIVE_CONN_ID_LIMIT
) {
993 reason
= TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
997 ch
->rx_active_conn_id_limit
= v
;
998 got_active_conn_id_limit
= 1;
1001 case QUIC_TPARAM_STATELESS_RESET_TOKEN
:
1002 /* TODO(QUIC): Handle stateless reset tokens. */
1004 * We ignore these for now, but we must ensure a client doesn't
1007 if (ch
->is_server
) {
1008 reason
= TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1012 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1013 if (body
== NULL
|| len
!= QUIC_STATELESS_RESET_TOKEN_LEN
) {
1014 reason
= TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1020 case QUIC_TPARAM_PREFERRED_ADDR
:
1021 /* TODO(QUIC): Handle preferred address. */
1022 if (ch
->is_server
) {
1023 reason
= TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1027 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1029 reason
= TP_REASON_MALFORMED("PREFERRED_ADDR");
1035 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
:
1036 /* We do not currently handle migration, so nothing to do. */
1038 /* Skip over and ignore. */
1039 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
,
1048 if (!got_initial_scid
) {
1049 reason
= TP_REASON_REQUIRED("INITIAL_SCID");
1053 if (!ch
->is_server
) {
1054 if (!got_orig_dcid
) {
1055 reason
= TP_REASON_REQUIRED("ORIG_DCID");
1059 if (ch
->doing_retry
&& !got_retry_scid
) {
1060 reason
= TP_REASON_REQUIRED("RETRY_SCID");
1065 ch
->got_remote_transport_params
= 1;
1067 if (got_initial_max_data
|| got_initial_max_stream_data_bidi_remote
1068 || got_initial_max_streams_bidi
|| got_initial_max_streams_uni
)
1069 /* If FC credit was bumped, we may now be able to send. */
1070 ossl_quic_stream_map_update_state(&ch
->qsm
, ch
->stream0
);
1072 /* If we are a server, we now generate our own transport parameters. */
1073 if (ch
->is_server
&& !ch_generate_transport_params(ch
)) {
1074 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1082 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_TRANSPORT_PARAMETER_ERROR
,
1088 * Called when we want to generate transport parameters. This is called
1089 * immediately at instantiation time for a client and after we receive the
1090 * client's transport parameters for a server.
1092 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
)
1095 BUF_MEM
*buf_mem
= NULL
;
1100 if (ch
->local_transport_params
!= NULL
)
1103 if ((buf_mem
= BUF_MEM_new()) == NULL
)
1106 if (!WPACKET_init(&wpkt
, buf_mem
))
1111 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
,
1115 if (ch
->is_server
) {
1116 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_ORIG_DCID
,
1120 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1121 &ch
->cur_local_dcid
))
1124 /* Client always uses an empty SCID. */
1125 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1130 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_IDLE_TIMEOUT
,
1131 ch
->max_idle_timeout
))
1134 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
,
1135 QUIC_MIN_INITIAL_DGRAM_LEN
))
1138 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
,
1142 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_DATA
,
1143 ossl_quic_rxfc_get_cwm(&ch
->conn_rxfc
)))
1147 * We actually want the default CWM for a new RXFC, but here we just use
1148 * stream0 as a representative specimen. TODO(QUIC): revisit this when we
1149 * support multiple streams.
1151 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
,
1152 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1155 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
,
1156 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1159 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
,
1160 ossl_quic_rxfc_get_cwm(&ch
->stream0
->rxfc
)))
1163 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
,
1164 ch
->is_server
? 1 : 0))
1167 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
,
1171 if (!WPACKET_get_total_written(&wpkt
, &buf_len
))
1174 ch
->local_transport_params
= (unsigned char *)buf_mem
->data
;
1175 buf_mem
->data
= NULL
;
1177 if (!WPACKET_finish(&wpkt
))
1182 if (!ossl_quic_tls_set_transport_params(ch
->qtls
, ch
->local_transport_params
,
1189 WPACKET_cleanup(&wpkt
);
1190 BUF_MEM_free(buf_mem
);
1195 * QUIC Channel: Ticker-Mutator
1196 * ============================
1200 * The central ticker function called by the reactor. This does everything, or
1201 * at least everything network I/O related. Best effort - not allowed to fail
1204 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
)
1206 OSSL_TIME now
, deadline
;
1207 QUIC_CHANNEL
*ch
= arg
;
1210 * When we tick the QUIC connection, we do everything we need to do
1211 * periodically. In order, we:
1213 * - handle any incoming data from the network;
1214 * - handle any timer events which are due to fire (ACKM, etc.)
1215 * - write any data to the network due to be sent, to the extent
1217 * - determine the time at which we should next be ticked.
1220 /* If we are in the TERMINATED state, there is nothing to do. */
1221 if (ossl_quic_channel_is_terminated(ch
)) {
1222 res
->net_read_desired
= 0;
1223 res
->net_write_desired
= 0;
1224 res
->tick_deadline
= ossl_time_infinite();
1229 * If we are in the TERMINATING state, check if the terminating timer has
1232 if (ossl_quic_channel_is_terminating(ch
)) {
1233 now
= ossl_time_now();
1235 if (ossl_time_compare(now
, ch
->terminate_deadline
) >= 0) {
1236 ch_on_terminating_timeout(ch
);
1237 res
->net_read_desired
= 0;
1238 res
->net_write_desired
= 0;
1239 res
->tick_deadline
= ossl_time_infinite();
1240 return; /* abort normal processing, nothing to do */
1244 /* Handle any incoming data from network. */
1248 /* Process queued incoming packets. */
1252 * Allow the handshake layer to check for any new incoming data and generate
1253 * new outgoing data.
1255 ch
->have_new_rx_secret
= 0;
1256 ossl_quic_tls_tick(ch
->qtls
);
1259 * If the handshake layer gave us a new secret, we need to do RX again
1260 * because packets that were not previously processable and were
1261 * deferred might now be processable.
1263 * TODO(QUIC): Consider handling this in the yield_secret callback.
1265 } while (ch
->have_new_rx_secret
);
1268 * Handle any timer events which are due to fire; namely, the loss detection
1269 * deadline and the idle timeout.
1271 * ACKM ACK generation deadline is polled by TXP, so we don't need to handle
1274 now
= ossl_time_now();
1275 if (ossl_time_compare(now
, ch
->idle_deadline
) >= 0) {
1277 * Idle timeout differs from normal protocol violation because we do not
1278 * send a CONN_CLOSE frame; go straight to TERMINATED.
1280 ch_on_idle_timeout(ch
);
1281 res
->net_read_desired
= 0;
1282 res
->net_write_desired
= 0;
1283 res
->tick_deadline
= ossl_time_infinite();
1287 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1288 if (!ossl_time_is_zero(deadline
) && ossl_time_compare(now
, deadline
) >= 0)
1289 ossl_ackm_on_timeout(ch
->ackm
);
1291 /* Write any data to the network due to be sent. */
1294 /* Determine the time at which we should next be ticked. */
1295 res
->tick_deadline
= ch_determine_next_tick_deadline(ch
);
1298 * Always process network input unless we are now terminated.
1299 * Although we had not terminated at the beginning of this tick, network
1300 * errors in ch_rx_pre() or ch_tx() may have caused us to transition to the
1303 res
->net_read_desired
= !ossl_quic_channel_is_terminated(ch
);
1305 /* We want to write to the network if we have any in our queue. */
1306 res
->net_write_desired
1307 = (!ossl_quic_channel_is_terminated(ch
)
1308 && ossl_qtx_get_queue_len_datagrams(ch
->qtx
) > 0);
1311 /* Process incoming datagrams, if any. */
1312 static void ch_rx_pre(QUIC_CHANNEL
*ch
)
1316 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1320 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams
1321 * to the appropriate QRX instance.
1323 ret
= ossl_quic_demux_pump(ch
->demux
);
1324 if (ret
== QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL
)
1326 * We don't care about transient failure, but permanent failure means we
1327 * should tear down the connection as though a protocol violation
1328 * occurred. Skip straight to the Terminating state as there is no point
1329 * trying to send CONNECTION_CLOSE frames if the network BIO is not
1330 * operating correctly.
1332 ch_raise_net_error(ch
);
1335 /* Process queued incoming packets and handle frames, if any. */
1336 static int ch_rx(QUIC_CHANNEL
*ch
)
1338 int handled_any
= 0;
1340 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1342 * We have not sent anything yet, therefore there is no need to check
1343 * for incoming data.
1348 assert(ch
->qrx_pkt
== NULL
);
1350 if (!ossl_qrx_read_pkt(ch
->qrx
, &ch
->qrx_pkt
))
1356 ch_rx_handle_packet(ch
); /* best effort */
1359 * Regardless of the outcome of frame handling, unref the packet.
1360 * This will free the packet unless something added another
1361 * reference to it during frame processing.
1363 ossl_qrx_pkt_release(ch
->qrx_pkt
);
1370 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
1371 * process one or more incoming packets.
1373 if (handled_any
&& ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
)
1374 ch
->conn_close_queued
= 1;
1379 /* Handles the packet currently in ch->qrx_pkt->hdr. */
1380 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
)
1384 assert(ch
->qrx_pkt
!= NULL
);
1386 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)) {
1387 if (!ch
->have_received_enc_pkt
) {
1388 ch
->init_scid
= ch
->qrx_pkt
->hdr
->src_conn_id
;
1389 ch
->have_received_enc_pkt
= 1;
1392 * We change to using the SCID in the first Initial packet as the
1395 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->init_scid
);
1398 enc_level
= ossl_quic_pkt_type_to_enc_level(ch
->qrx_pkt
->hdr
->type
);
1399 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1400 /* Do not process packets from ELs we have already discarded. */
1404 /* Handle incoming packet. */
1405 switch (ch
->qrx_pkt
->hdr
->type
) {
1406 case QUIC_PKT_TYPE_RETRY
:
1407 if (ch
->doing_retry
|| ch
->is_server
)
1409 * It is not allowed to ask a client to do a retry more than
1410 * once. Clients may not send retries.
1414 if (ch
->qrx_pkt
->hdr
->len
<= QUIC_RETRY_INTEGRITY_TAG_LEN
)
1415 /* Packets with zero-length Retry Tokens are invalid. */
1419 * TODO(QUIC): Theoretically this should probably be in the QRX.
1420 * However because validation is dependent on context (namely the
1421 * client's initial DCID) we can't do this cleanly. In the future we
1422 * should probably add a callback to the QRX to let it call us (via
1423 * the DEMUX) and ask us about the correct original DCID, rather
1424 * than allow the QRX to emit a potentially malformed packet to the
1425 * upper layers. However, special casing this will do for now.
1427 if (!ossl_quic_validate_retry_integrity_tag(ch
->libctx
,
1431 /* Malformed retry packet, ignore. */
1434 ch_retry(ch
, ch
->qrx_pkt
->hdr
->data
,
1435 ch
->qrx_pkt
->hdr
->len
- QUIC_RETRY_INTEGRITY_TAG_LEN
,
1436 &ch
->qrx_pkt
->hdr
->src_conn_id
);
1439 case QUIC_PKT_TYPE_0RTT
:
1441 /* Clients should never receive 0-RTT packets. */
1445 * TODO(QUIC): Implement 0-RTT on the server side. We currently do
1446 * not need to implement this as a client can only do 0-RTT if we
1447 * have given it permission to in a previous session.
1451 case QUIC_PKT_TYPE_INITIAL
:
1452 case QUIC_PKT_TYPE_HANDSHAKE
:
1453 case QUIC_PKT_TYPE_1RTT
:
1454 if (ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_HANDSHAKE
)
1456 * We automatically drop INITIAL EL keys when first successfully
1457 * decrypting a HANDSHAKE packet, as per the RFC.
1459 ch_discard_el(ch
, QUIC_ENC_LEVEL_INITIAL
);
1461 /* This packet contains frames, pass to the RXDP. */
1462 ossl_quic_handle_frames(ch
, ch
->qrx_pkt
); /* best effort */
1472 * This is called by the demux when we get a packet not destined for any known
1475 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
)
1477 QUIC_CHANNEL
*ch
= arg
;
1481 if (!ossl_assert(ch
->is_server
))
1485 * We only support one connection to our server currently, so if we already
1486 * started one, ignore any new connection attempts.
1488 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
1492 * We have got a packet for an unknown DCID. This might be an attempt to
1493 * open a new connection.
1495 if (e
->data_len
< QUIC_MIN_INITIAL_DGRAM_LEN
)
1498 if (!PACKET_buf_init(&pkt
, ossl_quic_urxe_data(e
), e
->data_len
))
1502 * We set short_conn_id_len to SIZE_MAX here which will cause the decode
1503 * operation to fail if we get a 1-RTT packet. This is fine since we only
1504 * care about Initial packets.
1506 if (!ossl_quic_wire_decode_pkt_hdr(&pkt
, SIZE_MAX
, 1, &hdr
, NULL
))
1509 switch (hdr
.version
) {
1510 case QUIC_VERSION_1
:
1513 case QUIC_VERSION_NONE
:
1515 /* Unknown version or proactive version negotiation request, bail. */
1516 /* TODO(QUIC): Handle version negotiation on server side */
1521 * We only care about Initial packets which might be trying to establish a
1524 if (hdr
.type
!= QUIC_PKT_TYPE_INITIAL
)
1528 * Assume this is a valid attempt to initiate a connection.
1530 * We do not register the DCID in the initial packet we received and that
1531 * DCID is not actually used again, thus after provisioning the correct
1532 * Initial keys derived from it (which is done in the call below) we pass
1533 * the received packet directly to the QRX so that it can process it as a
1534 * one-time thing, instead of going through the usual DEMUX DCID-based
1537 if (!ch_server_on_new_conn(ch
, &e
->peer
,
1542 ossl_qrx_inject_urxe(ch
->qrx
, e
);
1546 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1549 ossl_quic_demux_release_urxe(ch
->demux
, e
);
1552 /* Try to generate packets and if possible, flush them to the network. */
1553 static int ch_tx(QUIC_CHANNEL
*ch
)
1555 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
) {
1557 * While closing, only send CONN_CLOSE if we've received more traffic
1558 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
1559 * future calls to it generate CONN_CLOSE frames, so otherwise we would
1560 * just constantly generate CONN_CLOSE frames.
1562 if (!ch
->conn_close_queued
)
1565 ch
->conn_close_queued
= 0;
1569 * Send a packet, if we need to. Best effort. The TXP consults the CC and
1570 * applies any limitations imposed by it, so we don't need to do it here.
1572 * Best effort. In particular if TXP fails for some reason we should still
1573 * flush any queued packets which we already generated.
1575 switch (ossl_quic_tx_packetiser_generate(ch
->txp
,
1576 TX_PACKETISER_ARCHETYPE_NORMAL
)) {
1577 case TX_PACKETISER_RES_SENT_PKT
:
1578 ch
->have_sent_any_pkt
= 1; /* Packet was sent */
1580 case TX_PACKETISER_RES_NO_PKT
:
1581 break; /* No packet was sent */
1583 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1585 break; /* Internal failure (e.g. allocation, assertion) */
1588 /* Flush packets to network. */
1589 switch (ossl_qtx_flush_net(ch
->qtx
)) {
1590 case QTX_FLUSH_NET_RES_OK
:
1591 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL
:
1592 /* Best effort, done for now. */
1595 case QTX_FLUSH_NET_RES_PERMANENT_FAIL
:
1597 /* Permanent underlying network BIO, start terminating. */
1598 ch_raise_net_error(ch
);
1605 /* Determine next tick deadline. */
1606 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
)
1611 if (ossl_quic_channel_is_terminated(ch
))
1612 return ossl_time_infinite();
1614 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1615 if (ossl_time_is_zero(deadline
))
1616 deadline
= ossl_time_infinite();
1618 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
)
1619 deadline
= ossl_time_min(deadline
,
1620 ossl_ackm_get_ack_deadline(ch
->ackm
, pn_space
));
1622 /* When will CC let us send more? */
1623 if (ossl_quic_tx_packetiser_has_pending(ch
->txp
, TX_PACKETISER_ARCHETYPE_NORMAL
,
1624 TX_PACKETISER_BYPASS_CC
))
1625 deadline
= ossl_time_min(deadline
,
1626 ch
->cc_method
->get_next_credit_time(ch
->cc_data
));
1628 /* Is the terminating timer armed? */
1629 if (ossl_quic_channel_is_terminating(ch
))
1630 deadline
= ossl_time_min(deadline
,
1631 ch
->terminate_deadline
);
1632 else if (!ossl_time_is_infinite(ch
->idle_deadline
))
1633 deadline
= ossl_time_min(deadline
,
1640 * QUIC Channel: Network BIO Configuration
1641 * =======================================
1644 /* Determines whether we can support a given poll descriptor. */
1645 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR
*d
)
1647 if (d
->type
== BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD
&& d
->value
.fd
< 0)
1653 BIO
*ossl_quic_channel_get_net_rbio(QUIC_CHANNEL
*ch
)
1655 return ch
->net_rbio
;
1658 BIO
*ossl_quic_channel_get_net_wbio(QUIC_CHANNEL
*ch
)
1660 return ch
->net_wbio
;
1664 * QUIC_CHANNEL does not ref any BIO it is provided with, nor is any ref
1665 * transferred to it. The caller (i.e., QUIC_CONNECTION) is responsible for
1666 * ensuring the BIO lasts until the channel is freed or the BIO is switched out
1667 * for another BIO by a subsequent successful call to this function.
1669 int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL
*ch
, BIO
*net_rbio
)
1671 BIO_POLL_DESCRIPTOR d
= {0};
1673 if (ch
->net_rbio
== net_rbio
)
1676 if (net_rbio
!= NULL
) {
1677 if (!BIO_get_rpoll_descriptor(net_rbio
, &d
))
1678 /* Non-pollable BIO */
1679 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
1681 if (!validate_poll_descriptor(&d
))
1685 ossl_quic_reactor_set_poll_r(&ch
->rtor
, &d
);
1686 ossl_quic_demux_set_bio(ch
->demux
, net_rbio
);
1687 ch
->net_rbio
= net_rbio
;
1691 int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL
*ch
, BIO
*net_wbio
)
1693 BIO_POLL_DESCRIPTOR d
= {0};
1695 if (ch
->net_wbio
== net_wbio
)
1698 if (net_wbio
!= NULL
) {
1699 if (!BIO_get_wpoll_descriptor(net_wbio
, &d
))
1700 /* Non-pollable BIO */
1701 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
1703 if (!validate_poll_descriptor(&d
))
1707 ossl_quic_reactor_set_poll_w(&ch
->rtor
, &d
);
1708 ossl_qtx_set_bio(ch
->qtx
, net_wbio
);
1709 ch
->net_wbio
= net_wbio
;
1714 * QUIC Channel: Lifecycle Events
1715 * ==============================
1717 int ossl_quic_channel_start(QUIC_CHANNEL
*ch
)
1721 * This is not used by the server. The server moves to active
1722 * automatically on receiving an incoming connection.
1726 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
1727 /* Calls to connect are idempotent */
1730 /* Inform QTX of peer address. */
1731 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
1734 /* Plug in secrets for the Initial EL. */
1735 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
1743 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
1744 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
1746 /* Handshake layer: start (e.g. send CH). */
1747 if (!ossl_quic_tls_tick(ch
->qtls
))
1750 ossl_quic_reactor_tick(&ch
->rtor
); /* best effort */
1754 /* Start a locally initiated connection shutdown. */
1755 void ossl_quic_channel_local_close(QUIC_CHANNEL
*ch
, uint64_t app_error_code
)
1757 QUIC_TERMINATE_CAUSE tcause
= {0};
1759 if (ossl_quic_channel_is_term_any(ch
))
1763 tcause
.error_code
= app_error_code
;
1764 ch_start_terminating(ch
, &tcause
, 0);
1767 static void free_token(const unsigned char *buf
, size_t buf_len
, void *arg
)
1769 OPENSSL_free((unsigned char *)buf
);
1772 /* Called when a server asks us to do a retry. */
1773 static int ch_retry(QUIC_CHANNEL
*ch
,
1774 const unsigned char *retry_token
,
1775 size_t retry_token_len
,
1776 const QUIC_CONN_ID
*retry_scid
)
1780 /* We change to using the SCID in the Retry packet as the DCID. */
1781 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, retry_scid
))
1785 * Now we retry. We will release the Retry packet immediately, so copy
1788 if ((buf
= OPENSSL_memdup(retry_token
, retry_token_len
)) == NULL
)
1791 ossl_quic_tx_packetiser_set_initial_token(ch
->txp
, buf
, retry_token_len
,
1794 ch
->retry_scid
= *retry_scid
;
1795 ch
->doing_retry
= 1;
1798 * We need to stimulate the Initial EL to generate the first CRYPTO frame
1799 * again. We can do this most cleanly by simply forcing the ACKM to consider
1800 * the first Initial packet as lost, which it effectively was as the server
1801 * hasn't processed it. This also maintains the desired behaviour with e.g.
1802 * PNs not resetting and so on.
1804 * The PN we used initially is always zero, because QUIC does not allow
1807 if (!ossl_ackm_mark_packet_pseudo_lost(ch
->ackm
, QUIC_PN_SPACE_INITIAL
,
1812 * Plug in new secrets for the Initial EL. This is the only time we change
1813 * the secrets for an EL after we already provisioned it.
1815 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
1825 /* Called when an EL is to be discarded. */
1826 static int ch_discard_el(QUIC_CHANNEL
*ch
,
1829 if (!ossl_assert(enc_level
< QUIC_ENC_LEVEL_1RTT
))
1832 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1836 /* Best effort for all of these. */
1837 ossl_quic_tx_packetiser_discard_enc_level(ch
->txp
, enc_level
);
1838 ossl_qrx_discard_enc_level(ch
->qrx
, enc_level
);
1839 ossl_qtx_discard_enc_level(ch
->qtx
, enc_level
);
1841 if (enc_level
!= QUIC_ENC_LEVEL_0RTT
) {
1842 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
1844 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
1846 /* We should still have crypto streams at this point. */
1847 if (!ossl_assert(ch
->crypto_send
[pn_space
] != NULL
)
1848 || !ossl_assert(ch
->crypto_recv
[pn_space
] != NULL
))
1851 /* Get rid of the crypto stream state for the EL. */
1852 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
1853 ch
->crypto_send
[pn_space
] = NULL
;
1855 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
1856 ch
->crypto_recv
[pn_space
] = NULL
;
1859 ch
->el_discarded
|= (1U << enc_level
);
1863 /* Intended to be called by the RXDP. */
1864 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL
*ch
)
1866 if (ch
->handshake_confirmed
)
1869 if (!ch
->handshake_complete
) {
1871 * Does not make sense for handshake to be confirmed before it is
1874 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
1875 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE
,
1876 "handshake cannot be confirmed "
1877 "before it is completed");
1881 ch_discard_el(ch
, QUIC_ENC_LEVEL_HANDSHAKE
);
1882 ch
->handshake_confirmed
= 1;
1887 * Master function used when we want to start tearing down a connection:
1889 * - If the connection is still IDLE we can go straight to TERMINATED;
1891 * - If we are already TERMINATED this is a no-op.
1893 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
1894 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
1896 * - If we are TERMINATING - DRAINING, we remain here until the terminating
1899 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
1900 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
1901 * that we are considered to have caused a termination if we sent the first
1902 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
1903 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
1904 * TERMINATING - DRAINING.
1906 * We record the termination cause structure passed on the first call only.
1907 * Any successive calls have their termination cause data discarded;
1908 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
1911 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
1912 const QUIC_TERMINATE_CAUSE
*tcause
,
1913 int force_immediate
)
1915 switch (ch
->state
) {
1917 case QUIC_CHANNEL_STATE_IDLE
:
1918 ch
->terminate_cause
= *tcause
;
1919 ch_on_terminating_timeout(ch
);
1922 case QUIC_CHANNEL_STATE_ACTIVE
:
1923 ch
->terminate_cause
= *tcause
;
1925 if (!force_immediate
) {
1926 ch
->state
= tcause
->remote
? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
1927 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING
;
1928 ch
->terminate_deadline
1929 = ossl_time_add(ossl_time_now(),
1930 ossl_time_multiply(ossl_ackm_get_pto_duration(ch
->ackm
),
1933 if (!tcause
->remote
) {
1934 OSSL_QUIC_FRAME_CONN_CLOSE f
= {0};
1937 f
.error_code
= ch
->terminate_cause
.error_code
;
1938 f
.frame_type
= ch
->terminate_cause
.frame_type
;
1939 f
.is_app
= ch
->terminate_cause
.app
;
1940 ossl_quic_tx_packetiser_schedule_conn_close(ch
->txp
, &f
);
1941 ch
->conn_close_queued
= 1;
1944 ch_on_terminating_timeout(ch
);
1948 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING
:
1949 if (force_immediate
)
1950 ch_on_terminating_timeout(ch
);
1951 else if (tcause
->remote
)
1952 ch
->state
= QUIC_CHANNEL_STATE_TERMINATING_DRAINING
;
1956 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING
:
1958 * Other than in the force-immediate case, we remain here until the
1961 if (force_immediate
)
1962 ch_on_terminating_timeout(ch
);
1966 case QUIC_CHANNEL_STATE_TERMINATED
:
1973 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL
*ch
,
1974 OSSL_QUIC_FRAME_CONN_CLOSE
*f
)
1976 QUIC_TERMINATE_CAUSE tcause
= {0};
1978 if (!ossl_quic_channel_is_active(ch
))
1982 tcause
.app
= f
->is_app
;
1983 tcause
.error_code
= f
->error_code
;
1984 tcause
.frame_type
= f
->frame_type
;
1986 ch_start_terminating(ch
, &tcause
, 0);
1989 static void ch_raise_net_error(QUIC_CHANNEL
*ch
)
1991 QUIC_TERMINATE_CAUSE tcause
= {0};
1993 tcause
.error_code
= QUIC_ERR_INTERNAL_ERROR
;
1996 * Skip Terminating state and go directly to Terminated, no point trying to
1997 * send CONNECTION_CLOSE if we cannot communicate.
1999 ch_start_terminating(ch
, &tcause
, 1);
2002 void ossl_quic_channel_raise_protocol_error(QUIC_CHANNEL
*ch
,
2003 uint64_t error_code
,
2004 uint64_t frame_type
,
2007 QUIC_TERMINATE_CAUSE tcause
= {0};
2009 tcause
.error_code
= error_code
;
2010 tcause
.frame_type
= frame_type
;
2012 ch_start_terminating(ch
, &tcause
, 0);
2016 * Called once the terminating timer expires, meaning we move from TERMINATING
2019 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
)
2021 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2025 * Updates our idle deadline. Called when an event happens which should bump the
2028 static void ch_update_idle(QUIC_CHANNEL
*ch
)
2030 if (ch
->max_idle_timeout
== 0)
2031 ch
->idle_deadline
= ossl_time_infinite();
2033 ch
->idle_deadline
= ossl_time_add(ossl_time_now(),
2034 ossl_ms2time(ch
->max_idle_timeout
));
2037 /* Called when the idle timeout expires. */
2038 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
)
2041 * Idle timeout does not have an error code associated with it because a
2042 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
2043 * TERMINATED anyway.
2045 ch
->terminate_cause
.app
= 0;
2046 ch
->terminate_cause
.error_code
= UINT64_MAX
;
2047 ch
->terminate_cause
.frame_type
= 0;
2049 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2052 /* Called when we, as a server, get a new incoming connection. */
2053 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
2054 const QUIC_CONN_ID
*peer_scid
,
2055 const QUIC_CONN_ID
*peer_dcid
)
2057 if (!ossl_assert(ch
->state
== QUIC_CHANNEL_STATE_IDLE
&& ch
->is_server
))
2060 /* Generate a SCID we will use for the connection. */
2061 if (!gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
,
2062 &ch
->cur_local_dcid
))
2065 /* Note our newly learnt peer address and CIDs. */
2066 ch
->cur_peer_addr
= *peer
;
2067 ch
->init_dcid
= *peer_dcid
;
2068 ch
->cur_remote_dcid
= *peer_scid
;
2070 /* Inform QTX of peer address. */
2071 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
2074 /* Inform TXP of desired CIDs. */
2075 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
))
2078 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_dcid
))
2081 /* Plug in secrets for the Initial EL. */
2082 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
2089 /* Register our local DCID in the DEMUX. */
2090 if (!ossl_qrx_add_dst_conn_id(ch
->qrx
, &ch
->cur_local_dcid
))
2094 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
2095 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
2099 SSL
*ossl_quic_channel_get0_ssl(QUIC_CHANNEL
*ch
)