]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/quic/quic_channel.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
QUIC: Add support for datagram injection
[thirdparty/openssl.git] / ssl / quic / quic_channel.c
1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/quic_channel.h"
11 #include "internal/quic_error.h"
12 #include "internal/quic_rx_depack.h"
13 #include "../ssl_local.h"
14 #include "quic_channel_local.h"
15 #include <openssl/rand.h>
16
17 /*
18 * NOTE: While this channel implementation currently has basic server support,
19 * this functionality has been implemented for internal testing purposes and is
20 * not suitable for network use. In particular, it does not implement address
21 * validation, anti-amplification or retry logic.
22 *
23 * TODO(QUIC): Implement address validation and anti-amplification
24 * TODO(QUIC): Implement retry logic
25 */
26
27 #define INIT_DCID_LEN 8
28 #define INIT_CRYPTO_BUF_LEN 8192
29 #define INIT_APP_BUF_LEN 8192
30
31 static void ch_rx_pre(QUIC_CHANNEL *ch);
32 static int ch_rx(QUIC_CHANNEL *ch);
33 static int ch_tx(QUIC_CHANNEL *ch);
34 static void ch_tick(QUIC_TICK_RESULT *res, void *arg);
35 static void ch_rx_handle_packet(QUIC_CHANNEL *ch);
36 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
37 static int ch_retry(QUIC_CHANNEL *ch,
38 const unsigned char *retry_token,
39 size_t retry_token_len,
40 const QUIC_CONN_ID *retry_scid);
41 static void ch_cleanup(QUIC_CHANNEL *ch);
42 static int ch_generate_transport_params(QUIC_CHANNEL *ch);
43 static int ch_on_transport_params(const unsigned char *params,
44 size_t params_len,
45 void *arg);
46 static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
47 static int ch_on_handshake_complete(void *arg);
48 static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
49 uint32_t suite_id, EVP_MD *md,
50 const unsigned char *secret,
51 size_t secret_len,
52 void *arg);
53 static int ch_on_crypto_recv(unsigned char *buf, size_t buf_len,
54 size_t *bytes_read, void *arg);
55 static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
56 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
57 size_t *consumed, void *arg);
58 static OSSL_TIME get_time(void *arg);
59 static uint64_t get_stream_limit(int uni, void *arg);
60 static int rx_early_validate(QUIC_PN pn, int pn_space, void *arg);
61 static int ch_retry(QUIC_CHANNEL *ch,
62 const unsigned char *retry_token,
63 size_t retry_token_len,
64 const QUIC_CONN_ID *retry_scid);
65 static void ch_update_idle(QUIC_CHANNEL *ch);
66 static int ch_discard_el(QUIC_CHANNEL *ch,
67 uint32_t enc_level);
68 static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
69 static void ch_update_idle(QUIC_CHANNEL *ch);
70 static void ch_raise_net_error(QUIC_CHANNEL *ch);
71 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
72 static void ch_start_terminating(QUIC_CHANNEL *ch,
73 const QUIC_TERMINATE_CAUSE *tcause,
74 int force_immediate);
75 static void ch_default_packet_handler(QUIC_URXE *e, void *arg);
76 static int ch_server_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
77 const QUIC_CONN_ID *peer_scid,
78 const QUIC_CONN_ID *peer_dcid);
79
80 static int gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, QUIC_CONN_ID *cid)
81 {
82 if (len > QUIC_MAX_CONN_ID_LEN)
83 return 0;
84
85 cid->id_len = (unsigned char)len;
86
87 if (RAND_bytes_ex(libctx, cid->id, len, len * 8) != 1) {
88 cid->id_len = 0;
89 return 0;
90 }
91
92 return 1;
93 }
94
95 /*
96 * QUIC Channel Initialization and Teardown
97 * ========================================
98 */
99 static int ch_init(QUIC_CHANNEL *ch)
100 {
101 OSSL_QUIC_TX_PACKETISER_ARGS txp_args = {0};
102 OSSL_QTX_ARGS qtx_args = {0};
103 OSSL_QRX_ARGS qrx_args = {0};
104 QUIC_TLS_ARGS tls_args = {0};
105 uint32_t pn_space;
106 size_t rx_short_cid_len = ch->is_server ? INIT_DCID_LEN : 0;
107
108 /* For clients, generate our initial DCID. */
109 if (!ch->is_server
110 && !gen_rand_conn_id(ch->libctx, INIT_DCID_LEN, &ch->init_dcid))
111 goto err;
112
113 /* We plug in a network write BIO to the QTX later when we get one. */
114 qtx_args.libctx = ch->libctx;
115 qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
116 ch->rx_max_udp_payload_size = qtx_args.mdpl;
117
118 ch->qtx = ossl_qtx_new(&qtx_args);
119 if (ch->qtx == NULL)
120 goto err;
121
122 ch->txpim = ossl_quic_txpim_new();
123 if (ch->txpim == NULL)
124 goto err;
125
126 ch->cfq = ossl_quic_cfq_new();
127 if (ch->cfq == NULL)
128 goto err;
129
130 if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
131 goto err;
132
133 if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
134 2 * 1024 * 1024,
135 10 * 1024 * 1024,
136 get_time, NULL))
137 goto err;
138
139 if (!ossl_statm_init(&ch->statm))
140 goto err;
141
142 ch->have_statm = 1;
143 ch->cc_method = &ossl_cc_dummy_method;
144 if ((ch->cc_data = ch->cc_method->new(NULL, NULL, NULL)) == NULL)
145 goto err;
146
147 if ((ch->ackm = ossl_ackm_new(get_time, NULL, &ch->statm,
148 ch->cc_method, ch->cc_data)) == NULL)
149 goto err;
150
151 if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch))
152 goto err;
153
154 ch->have_qsm = 1;
155
156 /* We use a zero-length SCID. */
157 txp_args.cur_dcid = ch->init_dcid;
158 txp_args.ack_delay_exponent = 3;
159 txp_args.qtx = ch->qtx;
160 txp_args.txpim = ch->txpim;
161 txp_args.cfq = ch->cfq;
162 txp_args.ackm = ch->ackm;
163 txp_args.qsm = &ch->qsm;
164 txp_args.conn_txfc = &ch->conn_txfc;
165 txp_args.conn_rxfc = &ch->conn_rxfc;
166 txp_args.cc_method = ch->cc_method;
167 txp_args.cc_data = ch->cc_data;
168 txp_args.now = get_time;
169 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
170 ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_BUF_LEN);
171 if (ch->crypto_send[pn_space] == NULL)
172 goto err;
173
174 txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
175 }
176
177 ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
178 if (ch->txp == NULL)
179 goto err;
180
181 if ((ch->demux = ossl_quic_demux_new(/*BIO=*/NULL,
182 /*Short CID Len=*/rx_short_cid_len,
183 get_time, NULL)) == NULL)
184 goto err;
185
186 /*
187 * If we are a server, setup our handler for packets not corresponding to
188 * any known DCID on our end. This is for handling clients establishing new
189 * connections.
190 */
191 if (ch->is_server)
192 ossl_quic_demux_set_default_handler(ch->demux,
193 ch_default_packet_handler,
194 ch);
195
196 qrx_args.libctx = ch->libctx;
197 qrx_args.demux = ch->demux;
198 qrx_args.short_conn_id_len = rx_short_cid_len;
199 qrx_args.max_deferred = 32;
200
201 if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
202 goto err;
203
204 if (!ossl_qrx_set_early_validation_cb(ch->qrx,
205 rx_early_validate,
206 ch))
207 goto err;
208
209 if (!ch->is_server && !ossl_qrx_add_dst_conn_id(ch->qrx, &txp_args.cur_scid))
210 goto err;
211
212 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
213 ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL, 0);
214 if (ch->crypto_recv[pn_space] == NULL)
215 goto err;
216 }
217
218 if ((ch->stream0 = ossl_quic_stream_map_alloc(&ch->qsm, 0,
219 QUIC_STREAM_INITIATOR_CLIENT
220 | QUIC_STREAM_DIR_BIDI)) == NULL)
221 goto err;
222
223 if ((ch->stream0->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
224 goto err;
225
226 if ((ch->stream0->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL)
227 goto err;
228
229 if (!ossl_quic_txfc_init(&ch->stream0->txfc, &ch->conn_txfc))
230 goto err;
231
232 if (!ossl_quic_rxfc_init(&ch->stream0->rxfc, &ch->conn_rxfc,
233 1 * 1024 * 1024,
234 5 * 1024 * 1024,
235 get_time, NULL))
236 goto err;
237
238 /* Plug in the TLS handshake layer. */
239 tls_args.s = ch->tls;
240 tls_args.crypto_send_cb = ch_on_crypto_send;
241 tls_args.crypto_send_cb_arg = ch;
242 tls_args.crypto_recv_cb = ch_on_crypto_recv;
243 tls_args.crypto_recv_cb_arg = ch;
244 tls_args.yield_secret_cb = ch_on_handshake_yield_secret;
245 tls_args.yield_secret_cb_arg = ch;
246 tls_args.got_transport_params_cb = ch_on_transport_params;
247 tls_args.got_transport_params_cb_arg= ch;
248 tls_args.handshake_complete_cb = ch_on_handshake_complete;
249 tls_args.handshake_complete_cb_arg = ch;
250 tls_args.alert_cb = ch_on_handshake_alert;
251 tls_args.alert_cb_arg = ch;
252 tls_args.is_server = ch->is_server;
253
254 if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
255 goto err;
256
257 /*
258 * Determine the QUIC Transport Parameters and serialize the transport
259 * parameters block. (For servers, we do this later as we must defer
260 * generation until we have received the client's transport parameters.)
261 */
262 if (!ch->is_server && !ch_generate_transport_params(ch))
263 goto err;
264
265 ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
266 ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
267 ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
268 ch->max_idle_timeout = QUIC_DEFAULT_IDLE_TIMEOUT;
269 ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
270 ch->rx_enc_level = QUIC_ENC_LEVEL_INITIAL;
271 ch_update_idle(ch);
272 ossl_quic_reactor_init(&ch->rtor, ch_tick, ch,
273 ch_determine_next_tick_deadline(ch));
274 return 1;
275
276 err:
277 ch_cleanup(ch);
278 return 0;
279 }
280
281 static void ch_cleanup(QUIC_CHANNEL *ch)
282 {
283 uint32_t pn_space;
284
285 if (ch->ackm != NULL)
286 for (pn_space = QUIC_PN_SPACE_INITIAL;
287 pn_space < QUIC_PN_SPACE_NUM;
288 ++pn_space)
289 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
290
291 ossl_quic_tx_packetiser_free(ch->txp);
292 ossl_quic_txpim_free(ch->txpim);
293 ossl_quic_cfq_free(ch->cfq);
294 ossl_qtx_free(ch->qtx);
295 if (ch->cc_data != NULL)
296 ch->cc_method->free(ch->cc_data);
297 if (ch->have_statm)
298 ossl_statm_destroy(&ch->statm);
299 ossl_ackm_free(ch->ackm);
300
301 if (ch->stream0 != NULL) {
302 assert(ch->have_qsm);
303 ossl_quic_stream_map_release(&ch->qsm, ch->stream0); /* frees sstream */
304 }
305
306 if (ch->have_qsm)
307 ossl_quic_stream_map_cleanup(&ch->qsm);
308
309 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
310 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
311 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
312 }
313
314 ossl_qrx_pkt_release(ch->qrx_pkt);
315 ch->qrx_pkt = NULL;
316
317 ossl_quic_tls_free(ch->qtls);
318 ossl_qrx_free(ch->qrx);
319 ossl_quic_demux_free(ch->demux);
320 OPENSSL_free(ch->local_transport_params);
321 }
322
323 QUIC_CHANNEL *ossl_quic_channel_new(const QUIC_CHANNEL_ARGS *args)
324 {
325 QUIC_CHANNEL *ch = NULL;
326
327 if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
328 return NULL;
329
330 ch->libctx = args->libctx;
331 ch->propq = args->propq;
332 ch->is_server = args->is_server;
333 ch->tls = args->tls;
334
335 if (!ch_init(ch)) {
336 OPENSSL_free(ch);
337 return NULL;
338 }
339
340 return ch;
341 }
342
343 void ossl_quic_channel_free(QUIC_CHANNEL *ch)
344 {
345 if (ch == NULL)
346 return;
347
348 ch_cleanup(ch);
349 OPENSSL_free(ch);
350 }
351
352 /* Set mutator callbacks for test framework support */
353 int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch,
354 ossl_mutate_packet_cb mutatecb,
355 ossl_finish_mutate_cb finishmutatecb,
356 void *mutatearg)
357 {
358 if (ch->qtx == NULL)
359 return 0;
360
361 ossl_qtx_set_mutator(ch->qtx, mutatecb, finishmutatecb, mutatearg);
362 return 1;
363 }
364
365 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
366 {
367 *peer_addr = ch->cur_peer_addr;
368 return 1;
369 }
370
371 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
372 {
373 ch->cur_peer_addr = *peer_addr;
374 return 1;
375 }
376
377 QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
378 {
379 return &ch->rtor;
380 }
381
382 QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
383 {
384 return &ch->qsm;
385 }
386
387 OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
388 {
389 return &ch->statm;
390 }
391
392 QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
393 uint64_t stream_id)
394 {
395 return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
396 }
397
398 int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
399 {
400 return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
401 }
402
403 int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
404 {
405 if (ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING
406 || ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING)
407 return 1;
408
409 return 0;
410 }
411
412 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
413 {
414 if (ch->state == QUIC_CHANNEL_STATE_TERMINATED)
415 return 1;
416
417 return 0;
418 }
419
420 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
421 {
422 return ossl_quic_channel_is_terminating(ch)
423 || ossl_quic_channel_is_terminated(ch);
424 }
425
426 QUIC_TERMINATE_CAUSE ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL *ch)
427 {
428 return ch->terminate_cause;
429 }
430
431 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
432 {
433 return ch->handshake_complete;
434 }
435
436 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL *ch)
437 {
438 return ch->handshake_confirmed;
439 }
440
441 QUIC_DEMUX *ossl_quic_channel_get0_demux(QUIC_CHANNEL *ch)
442 {
443 return ch->demux;
444 }
445
446 /*
447 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
448 * ================================================================
449 */
450
451 /* Used by various components. */
452 static OSSL_TIME get_time(void *arg)
453 {
454 return ossl_time_now();
455 }
456
457 /* Used by QSM. */
458 static uint64_t get_stream_limit(int uni, void *arg)
459 {
460 QUIC_CHANNEL *ch = arg;
461
462 return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
463 }
464
465 /*
466 * Called by QRX to determine if a packet is potentially invalid before trying
467 * to decrypt it.
468 */
469 static int rx_early_validate(QUIC_PN pn, int pn_space, void *arg)
470 {
471 QUIC_CHANNEL *ch = arg;
472
473 /* Potential duplicates should not be processed. */
474 if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
475 return 0;
476
477 return 1;
478 }
479
480 /*
481 * QUIC Channel: Handshake Layer Event Handling
482 * ============================================
483 */
484 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
485 size_t *consumed, void *arg)
486 {
487 int ret;
488 QUIC_CHANNEL *ch = arg;
489 uint32_t enc_level = ch->tx_enc_level;
490 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
491 QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];
492
493 if (!ossl_assert(sstream != NULL))
494 return 0;
495
496 ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
497 return ret;
498 }
499
500 static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
501 {
502 size_t avail = 0;
503 int is_fin = 0;
504
505 if (rstream == NULL)
506 return 1;
507
508 if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
509 return 0;
510
511 return avail == 0;
512 }
513
514 static int ch_on_crypto_recv(unsigned char *buf, size_t buf_len,
515 size_t *bytes_read, void *arg)
516 {
517 QUIC_CHANNEL *ch = arg;
518 QUIC_RSTREAM *rstream;
519 int is_fin = 0; /* crypto stream is never finished, so we don't use this */
520 uint32_t i;
521
522 /*
523 * After we move to a later EL we must not allow our peer to send any new
524 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
525 * are allowed.
526 *
527 * In practice we will only move to a new EL when we have consumed all bytes
528 * which should be sent on the crypto stream at a previous EL. For example,
529 * the Handshake EL should not be provisioned until we have completely
530 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
531 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
532 * given EL is available we simply ensure we have not received any further
533 * bytes at a lower EL.
534 */
535 for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->rx_enc_level; ++i)
536 if (i != QUIC_ENC_LEVEL_0RTT &&
537 !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
538 /* Protocol violation (RFC 9001 s. 4.1.3) */
539 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
540 OSSL_QUIC_FRAME_TYPE_CRYPTO,
541 "crypto stream data in wrong EL");
542 return 0;
543 }
544
545 rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->rx_enc_level)];
546 if (rstream == NULL)
547 return 0;
548
549 return ossl_quic_rstream_read(rstream, buf, buf_len, bytes_read,
550 &is_fin);
551 }
552
553 static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
554 uint32_t suite_id, EVP_MD *md,
555 const unsigned char *secret,
556 size_t secret_len,
557 void *arg)
558 {
559 QUIC_CHANNEL *ch = arg;
560 uint32_t i;
561
562 if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
563 /* Invalid EL. */
564 return 0;
565
566
567 if (direction) {
568 /* TX */
569 if (enc_level <= ch->tx_enc_level)
570 /*
571 * Does not make sense for us to try and provision an EL we have already
572 * attained.
573 */
574 return 0;
575
576 if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
577 suite_id, md,
578 secret, secret_len))
579 return 0;
580
581 ch->tx_enc_level = enc_level;
582 } else {
583 /* RX */
584 if (enc_level <= ch->rx_enc_level)
585 /*
586 * Does not make sense for us to try and provision an EL we have already
587 * attained.
588 */
589 return 0;
590
591 /*
592 * Ensure all crypto streams for previous ELs are now empty of available
593 * data.
594 */
595 for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
596 if (!crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
597 /* Protocol violation (RFC 9001 s. 4.1.3) */
598 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
599 OSSL_QUIC_FRAME_TYPE_CRYPTO,
600 "crypto stream data in wrong EL");
601 return 0;
602 }
603
604 if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
605 suite_id, md,
606 secret, secret_len))
607 return 0;
608
609 ch->have_new_rx_secret = 1;
610 ch->rx_enc_level = enc_level;
611 }
612
613 return 1;
614 }
615
616 static int ch_on_handshake_complete(void *arg)
617 {
618 QUIC_CHANNEL *ch = arg;
619
620 if (!ossl_assert(!ch->handshake_complete))
621 return 0; /* this should not happen twice */
622
623 if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
624 return 0;
625
626 if (!ch->got_remote_transport_params) {
627 /*
628 * Was not a valid QUIC handshake if we did not get valid transport
629 * params.
630 */
631 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
632 OSSL_QUIC_FRAME_TYPE_CRYPTO,
633 "no transport parameters received");
634 return 0;
635 }
636
637 /* Don't need transport parameters anymore. */
638 OPENSSL_free(ch->local_transport_params);
639 ch->local_transport_params = NULL;
640
641 /* Tell TXP the handshake is complete. */
642 ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);
643
644 ch->handshake_complete = 1;
645
646 if (ch->is_server) {
647 /*
648 * On the server, the handshake is confirmed as soon as it is complete.
649 */
650 ossl_quic_channel_on_handshake_confirmed(ch);
651
652 ossl_quic_tx_packetiser_schedule_handshake_done(ch->txp);
653 }
654
655 return 1;
656 }
657
658 static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
659 {
660 QUIC_CHANNEL *ch = arg;
661
662 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_CRYPTO_ERR_BEGIN + alert_code,
663 0, "handshake alert");
664 return 1;
665 }
666
667 /*
668 * QUIC Channel: Transport Parameter Handling
669 * ==========================================
670 */
671
672 /*
673 * Called by handshake layer when we receive QUIC Transport Parameters from the
674 * peer. Note that these are not authenticated until the handshake is marked
675 * as complete.
676 */
677 #define TP_REASON_SERVER_ONLY(x) \
678 x " may not be sent by a client"
679 #define TP_REASON_DUP(x) \
680 x " appears multiple times"
681 #define TP_REASON_MALFORMED(x) \
682 x " is malformed"
683 #define TP_REASON_EXPECTED_VALUE(x) \
684 x " does not match expected value"
685 #define TP_REASON_NOT_RETRY(x) \
686 x " sent when not performing a retry"
687 #define TP_REASON_REQUIRED(x) \
688 x " was not sent but is required"
689
690 static int ch_on_transport_params(const unsigned char *params,
691 size_t params_len,
692 void *arg)
693 {
694 QUIC_CHANNEL *ch = arg;
695 PACKET pkt;
696 uint64_t id, v;
697 size_t len;
698 const unsigned char *body;
699 int got_orig_dcid = 0;
700 int got_initial_scid = 0;
701 int got_retry_scid = 0;
702 int got_initial_max_data = 0;
703 int got_initial_max_stream_data_bidi_local = 0;
704 int got_initial_max_stream_data_bidi_remote = 0;
705 int got_initial_max_stream_data_uni = 0;
706 int got_initial_max_streams_bidi = 0;
707 int got_initial_max_streams_uni = 0;
708 int got_ack_delay_exp = 0;
709 int got_max_ack_delay = 0;
710 int got_max_udp_payload_size = 0;
711 int got_max_idle_timeout = 0;
712 int got_active_conn_id_limit = 0;
713 QUIC_CONN_ID cid;
714 const char *reason = "bad transport parameter";
715
716 if (ch->got_remote_transport_params)
717 goto malformed;
718
719 if (!PACKET_buf_init(&pkt, params, params_len))
720 return 0;
721
722 while (PACKET_remaining(&pkt) > 0) {
723 if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
724 goto malformed;
725
726 switch (id) {
727 case QUIC_TPARAM_ORIG_DCID:
728 if (got_orig_dcid) {
729 reason = TP_REASON_DUP("ORIG_DCID");
730 goto malformed;
731 }
732
733 if (ch->is_server) {
734 reason = TP_REASON_SERVER_ONLY("ORIG_DCID");
735 goto malformed;
736 }
737
738 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
739 reason = TP_REASON_MALFORMED("ORIG_DCID");
740 goto malformed;
741 }
742
743 /* Must match our initial DCID. */
744 if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid)) {
745 reason = TP_REASON_EXPECTED_VALUE("ORIG_DCID");
746 goto malformed;
747 }
748
749 got_orig_dcid = 1;
750 break;
751
752 case QUIC_TPARAM_RETRY_SCID:
753 if (ch->is_server) {
754 reason = TP_REASON_SERVER_ONLY("RETRY_SCID");
755 goto malformed;
756 }
757
758 if (got_retry_scid) {
759 reason = TP_REASON_DUP("RETRY_SCID");
760 goto malformed;
761 }
762
763 if (!ch->doing_retry) {
764 reason = TP_REASON_NOT_RETRY("RETRY_SCID");
765 goto malformed;
766 }
767
768 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
769 reason = TP_REASON_MALFORMED("RETRY_SCID");
770 goto malformed;
771 }
772
773 /* Must match Retry packet SCID. */
774 if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid)) {
775 reason = TP_REASON_EXPECTED_VALUE("RETRY_SCID");
776 goto malformed;
777 }
778
779 got_retry_scid = 1;
780 break;
781
782 case QUIC_TPARAM_INITIAL_SCID:
783 if (got_initial_scid) {
784 /* must not appear more than once */
785 reason = TP_REASON_DUP("INITIAL_SCID");
786 goto malformed;
787 }
788
789 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
790 reason = TP_REASON_MALFORMED("INITIAL_SCID");
791 goto malformed;
792 }
793
794 /* Must match SCID of first Initial packet from server. */
795 if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid)) {
796 reason = TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
797 goto malformed;
798 }
799
800 got_initial_scid = 1;
801 break;
802
803 case QUIC_TPARAM_INITIAL_MAX_DATA:
804 if (got_initial_max_data) {
805 /* must not appear more than once */
806 reason = TP_REASON_DUP("INITIAL_MAX_DATA");
807 goto malformed;
808 }
809
810 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
811 reason = TP_REASON_MALFORMED("INITIAL_MAX_DATA");
812 goto malformed;
813 }
814
815 ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
816 got_initial_max_data = 1;
817 break;
818
819 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
820 if (got_initial_max_stream_data_bidi_local) {
821 /* must not appear more than once */
822 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
823 goto malformed;
824 }
825
826 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
827 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
828 goto malformed;
829 }
830
831 /*
832 * This is correct; the BIDI_LOCAL TP governs streams created by
833 * the endpoint which sends the TP, i.e., our peer.
834 */
835 ch->init_max_stream_data_bidi_remote = v;
836 got_initial_max_stream_data_bidi_local = 1;
837 break;
838
839 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
840 if (got_initial_max_stream_data_bidi_remote) {
841 /* must not appear more than once */
842 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
843 goto malformed;
844 }
845
846 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
847 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
848 goto malformed;
849 }
850
851 /*
852 * This is correct; the BIDI_REMOTE TP governs streams created
853 * by the endpoint which receives the TP, i.e., us.
854 */
855 ch->init_max_stream_data_bidi_local = v;
856
857 /* Apply to stream 0. */
858 ossl_quic_txfc_bump_cwm(&ch->stream0->txfc, v);
859 got_initial_max_stream_data_bidi_remote = 1;
860 break;
861
862 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
863 if (got_initial_max_stream_data_uni) {
864 /* must not appear more than once */
865 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
866 goto malformed;
867 }
868
869 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
870 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
871 goto malformed;
872 }
873
874 ch->init_max_stream_data_uni_remote = v;
875 got_initial_max_stream_data_uni = 1;
876 break;
877
878 case QUIC_TPARAM_ACK_DELAY_EXP:
879 if (got_ack_delay_exp) {
880 /* must not appear more than once */
881 reason = TP_REASON_DUP("ACK_DELAY_EXP");
882 goto malformed;
883 }
884
885 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
886 || v > QUIC_MAX_ACK_DELAY_EXP) {
887 reason = TP_REASON_MALFORMED("ACK_DELAY_EXP");
888 goto malformed;
889 }
890
891 ch->rx_ack_delay_exp = (unsigned char)v;
892 got_ack_delay_exp = 1;
893 break;
894
895 case QUIC_TPARAM_MAX_ACK_DELAY:
896 if (got_max_ack_delay) {
897 /* must not appear more than once */
898 reason = TP_REASON_DUP("MAX_ACK_DELAY");
899 return 0;
900 }
901
902 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
903 || v >= (((uint64_t)1) << 14)) {
904 reason = TP_REASON_MALFORMED("MAX_ACK_DELAY");
905 goto malformed;
906 }
907
908 ch->rx_max_ack_delay = v;
909 got_max_ack_delay = 1;
910 break;
911
912 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
913 if (got_initial_max_streams_bidi) {
914 /* must not appear more than once */
915 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
916 return 0;
917 }
918
919 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
920 || v > (((uint64_t)1) << 60)) {
921 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
922 goto malformed;
923 }
924
925 assert(ch->max_local_streams_bidi == 0);
926 ch->max_local_streams_bidi = v;
927 got_initial_max_streams_bidi = 1;
928 break;
929
930 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
931 if (got_initial_max_streams_uni) {
932 /* must not appear more than once */
933 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
934 goto malformed;
935 }
936
937 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
938 || v > (((uint64_t)1) << 60)) {
939 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
940 goto malformed;
941 }
942
943 assert(ch->max_local_streams_uni == 0);
944 ch->max_local_streams_uni = v;
945 got_initial_max_streams_uni = 1;
946 break;
947
948 case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
949 if (got_max_idle_timeout) {
950 /* must not appear more than once */
951 reason = TP_REASON_DUP("MAX_IDLE_TIMEOUT");
952 goto malformed;
953 }
954
955 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
956 reason = TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
957 goto malformed;
958 }
959
960 if (v < ch->max_idle_timeout)
961 ch->max_idle_timeout = v;
962
963 ch_update_idle(ch);
964 got_max_idle_timeout = 1;
965 break;
966
967 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
968 if (got_max_udp_payload_size) {
969 /* must not appear more than once */
970 reason = TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
971 goto malformed;
972 }
973
974 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
975 || v < QUIC_MIN_INITIAL_DGRAM_LEN) {
976 reason = TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
977 goto malformed;
978 }
979
980 ch->rx_max_udp_payload_size = v;
981 got_max_udp_payload_size = 1;
982 break;
983
984 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT:
985 if (got_active_conn_id_limit) {
986 /* must not appear more than once */
987 reason = TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
988 goto malformed;
989 }
990
991 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
992 || v < QUIC_MIN_ACTIVE_CONN_ID_LIMIT) {
993 reason = TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
994 goto malformed;
995 }
996
997 ch->rx_active_conn_id_limit = v;
998 got_active_conn_id_limit = 1;
999 break;
1000
1001 case QUIC_TPARAM_STATELESS_RESET_TOKEN:
1002 /* TODO(QUIC): Handle stateless reset tokens. */
1003 /*
1004 * We ignore these for now, but we must ensure a client doesn't
1005 * send them.
1006 */
1007 if (ch->is_server) {
1008 reason = TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1009 goto malformed;
1010 }
1011
1012 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1013 if (body == NULL || len != QUIC_STATELESS_RESET_TOKEN_LEN) {
1014 reason = TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1015 goto malformed;
1016 }
1017
1018 break;
1019
1020 case QUIC_TPARAM_PREFERRED_ADDR:
1021 /* TODO(QUIC): Handle preferred address. */
1022 if (ch->is_server) {
1023 reason = TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1024 goto malformed;
1025 }
1026
1027 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1028 if (body == NULL) {
1029 reason = TP_REASON_MALFORMED("PREFERRED_ADDR");
1030 goto malformed;
1031 }
1032
1033 break;
1034
1035 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION:
1036 /* We do not currently handle migration, so nothing to do. */
1037 default:
1038 /* Skip over and ignore. */
1039 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id,
1040 &len);
1041 if (body == NULL)
1042 goto malformed;
1043
1044 break;
1045 }
1046 }
1047
1048 if (!got_initial_scid) {
1049 reason = TP_REASON_REQUIRED("INITIAL_SCID");
1050 goto malformed;
1051 }
1052
1053 if (!ch->is_server) {
1054 if (!got_orig_dcid) {
1055 reason = TP_REASON_REQUIRED("ORIG_DCID");
1056 goto malformed;
1057 }
1058
1059 if (ch->doing_retry && !got_retry_scid) {
1060 reason = TP_REASON_REQUIRED("RETRY_SCID");
1061 goto malformed;
1062 }
1063 }
1064
1065 ch->got_remote_transport_params = 1;
1066
1067 if (got_initial_max_data || got_initial_max_stream_data_bidi_remote
1068 || got_initial_max_streams_bidi || got_initial_max_streams_uni)
1069 /* If FC credit was bumped, we may now be able to send. */
1070 ossl_quic_stream_map_update_state(&ch->qsm, ch->stream0);
1071
1072 /* If we are a server, we now generate our own transport parameters. */
1073 if (ch->is_server && !ch_generate_transport_params(ch)) {
1074 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1075 "internal error");
1076 return 0;
1077 }
1078
1079 return 1;
1080
1081 malformed:
1082 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
1083 0, reason);
1084 return 0;
1085 }
1086
1087 /*
1088 * Called when we want to generate transport parameters. This is called
1089 * immediately at instantiation time for a client and after we receive the
1090 * client's transport parameters for a server.
1091 */
1092 static int ch_generate_transport_params(QUIC_CHANNEL *ch)
1093 {
1094 int ok = 0;
1095 BUF_MEM *buf_mem = NULL;
1096 WPACKET wpkt;
1097 int wpkt_valid = 0;
1098 size_t buf_len = 0;
1099
1100 if (ch->local_transport_params != NULL)
1101 goto err;
1102
1103 if ((buf_mem = BUF_MEM_new()) == NULL)
1104 goto err;
1105
1106 if (!WPACKET_init(&wpkt, buf_mem))
1107 goto err;
1108
1109 wpkt_valid = 1;
1110
1111 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION,
1112 NULL, 0) == NULL)
1113 goto err;
1114
1115 if (ch->is_server) {
1116 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_ORIG_DCID,
1117 &ch->init_dcid))
1118 goto err;
1119
1120 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1121 &ch->cur_local_dcid))
1122 goto err;
1123 } else {
1124 /* Client always uses an empty SCID. */
1125 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1126 NULL, 0) == NULL)
1127 goto err;
1128 }
1129
1130 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_IDLE_TIMEOUT,
1131 ch->max_idle_timeout))
1132 goto err;
1133
1134 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE,
1135 QUIC_MIN_INITIAL_DGRAM_LEN))
1136 goto err;
1137
1138 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT,
1139 4))
1140 goto err;
1141
1142 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_DATA,
1143 ossl_quic_rxfc_get_cwm(&ch->conn_rxfc)))
1144 goto err;
1145
1146 /*
1147 * We actually want the default CWM for a new RXFC, but here we just use
1148 * stream0 as a representative specimen. TODO(QUIC): revisit this when we
1149 * support multiple streams.
1150 */
1151 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
1152 ossl_quic_rxfc_get_cwm(&ch->stream0->rxfc)))
1153 goto err;
1154
1155 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
1156 ossl_quic_rxfc_get_cwm(&ch->stream0->rxfc)))
1157 goto err;
1158
1159 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI,
1160 ossl_quic_rxfc_get_cwm(&ch->stream0->rxfc)))
1161 goto err;
1162
1163 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI,
1164 ch->is_server ? 1 : 0))
1165 goto err;
1166
1167 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI,
1168 0))
1169 goto err;
1170
1171 if (!WPACKET_get_total_written(&wpkt, &buf_len))
1172 goto err;
1173
1174 ch->local_transport_params = (unsigned char *)buf_mem->data;
1175 buf_mem->data = NULL;
1176
1177 if (!WPACKET_finish(&wpkt))
1178 goto err;
1179
1180 wpkt_valid = 0;
1181
1182 if (!ossl_quic_tls_set_transport_params(ch->qtls, ch->local_transport_params,
1183 buf_len))
1184 goto err;
1185
1186 ok = 1;
1187 err:
1188 if (wpkt_valid)
1189 WPACKET_cleanup(&wpkt);
1190 BUF_MEM_free(buf_mem);
1191 return ok;
1192 }
1193
1194 /*
1195 * QUIC Channel: Ticker-Mutator
1196 * ============================
1197 */
1198
1199 /*
1200 * The central ticker function called by the reactor. This does everything, or
1201 * at least everything network I/O related. Best effort - not allowed to fail
1202 * "loudly".
1203 */
1204 static void ch_tick(QUIC_TICK_RESULT *res, void *arg)
1205 {
1206 OSSL_TIME now, deadline;
1207 QUIC_CHANNEL *ch = arg;
1208
1209 /*
1210 * When we tick the QUIC connection, we do everything we need to do
1211 * periodically. In order, we:
1212 *
1213 * - handle any incoming data from the network;
1214 * - handle any timer events which are due to fire (ACKM, etc.)
1215 * - write any data to the network due to be sent, to the extent
1216 * possible;
1217 * - determine the time at which we should next be ticked.
1218 */
1219
1220 /* If we are in the TERMINATED state, there is nothing to do. */
1221 if (ossl_quic_channel_is_terminated(ch)) {
1222 res->net_read_desired = 0;
1223 res->net_write_desired = 0;
1224 res->tick_deadline = ossl_time_infinite();
1225 return;
1226 }
1227
1228 /*
1229 * If we are in the TERMINATING state, check if the terminating timer has
1230 * expired.
1231 */
1232 if (ossl_quic_channel_is_terminating(ch)) {
1233 now = ossl_time_now();
1234
1235 if (ossl_time_compare(now, ch->terminate_deadline) >= 0) {
1236 ch_on_terminating_timeout(ch);
1237 res->net_read_desired = 0;
1238 res->net_write_desired = 0;
1239 res->tick_deadline = ossl_time_infinite();
1240 return; /* abort normal processing, nothing to do */
1241 }
1242 }
1243
1244 /* Handle any incoming data from network. */
1245 ch_rx_pre(ch);
1246
1247 do {
1248 /* Process queued incoming packets. */
1249 ch_rx(ch);
1250
1251 /*
1252 * Allow the handshake layer to check for any new incoming data and generate
1253 * new outgoing data.
1254 */
1255 ch->have_new_rx_secret = 0;
1256 ossl_quic_tls_tick(ch->qtls);
1257
1258 /*
1259 * If the handshake layer gave us a new secret, we need to do RX again
1260 * because packets that were not previously processable and were
1261 * deferred might now be processable.
1262 *
1263 * TODO(QUIC): Consider handling this in the yield_secret callback.
1264 */
1265 } while (ch->have_new_rx_secret);
1266
1267 /*
1268 * Handle any timer events which are due to fire; namely, the loss detection
1269 * deadline and the idle timeout.
1270 *
1271 * ACKM ACK generation deadline is polled by TXP, so we don't need to handle
1272 * it here.
1273 */
1274 now = ossl_time_now();
1275 if (ossl_time_compare(now, ch->idle_deadline) >= 0) {
1276 /*
1277 * Idle timeout differs from normal protocol violation because we do not
1278 * send a CONN_CLOSE frame; go straight to TERMINATED.
1279 */
1280 ch_on_idle_timeout(ch);
1281 res->net_read_desired = 0;
1282 res->net_write_desired = 0;
1283 res->tick_deadline = ossl_time_infinite();
1284 return;
1285 }
1286
1287 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
1288 if (!ossl_time_is_zero(deadline) && ossl_time_compare(now, deadline) >= 0)
1289 ossl_ackm_on_timeout(ch->ackm);
1290
1291 /* Write any data to the network due to be sent. */
1292 ch_tx(ch);
1293
1294 /* Determine the time at which we should next be ticked. */
1295 res->tick_deadline = ch_determine_next_tick_deadline(ch);
1296
1297 /*
1298 * Always process network input unless we are now terminated.
1299 * Although we had not terminated at the beginning of this tick, network
1300 * errors in ch_rx_pre() or ch_tx() may have caused us to transition to the
1301 * Terminated state.
1302 */
1303 res->net_read_desired = !ossl_quic_channel_is_terminated(ch);
1304
1305 /* We want to write to the network if we have any in our queue. */
1306 res->net_write_desired
1307 = (!ossl_quic_channel_is_terminated(ch)
1308 && ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0);
1309 }
1310
1311 /* Process incoming datagrams, if any. */
1312 static void ch_rx_pre(QUIC_CHANNEL *ch)
1313 {
1314 int ret;
1315
1316 if (!ch->is_server && !ch->have_sent_any_pkt)
1317 return;
1318
1319 /*
1320 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams
1321 * to the appropriate QRX instance.
1322 */
1323 ret = ossl_quic_demux_pump(ch->demux);
1324 if (ret == QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL)
1325 /*
1326 * We don't care about transient failure, but permanent failure means we
1327 * should tear down the connection as though a protocol violation
1328 * occurred. Skip straight to the Terminating state as there is no point
1329 * trying to send CONNECTION_CLOSE frames if the network BIO is not
1330 * operating correctly.
1331 */
1332 ch_raise_net_error(ch);
1333 }
1334
1335 /* Process queued incoming packets and handle frames, if any. */
1336 static int ch_rx(QUIC_CHANNEL *ch)
1337 {
1338 int handled_any = 0;
1339
1340 if (!ch->is_server && !ch->have_sent_any_pkt)
1341 /*
1342 * We have not sent anything yet, therefore there is no need to check
1343 * for incoming data.
1344 */
1345 return 1;
1346
1347 for (;;) {
1348 assert(ch->qrx_pkt == NULL);
1349
1350 if (!ossl_qrx_read_pkt(ch->qrx, &ch->qrx_pkt))
1351 break;
1352
1353 if (!handled_any)
1354 ch_update_idle(ch);
1355
1356 ch_rx_handle_packet(ch); /* best effort */
1357
1358 /*
1359 * Regardless of the outcome of frame handling, unref the packet.
1360 * This will free the packet unless something added another
1361 * reference to it during frame processing.
1362 */
1363 ossl_qrx_pkt_release(ch->qrx_pkt);
1364 ch->qrx_pkt = NULL;
1365
1366 handled_any = 1;
1367 }
1368
1369 /*
1370 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
1371 * process one or more incoming packets.
1372 */
1373 if (handled_any && ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING)
1374 ch->conn_close_queued = 1;
1375
1376 return 1;
1377 }
1378
1379 /* Handles the packet currently in ch->qrx_pkt->hdr. */
1380 static void ch_rx_handle_packet(QUIC_CHANNEL *ch)
1381 {
1382 uint32_t enc_level;
1383
1384 assert(ch->qrx_pkt != NULL);
1385
1386 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)) {
1387 if (!ch->have_received_enc_pkt) {
1388 ch->init_scid = ch->qrx_pkt->hdr->src_conn_id;
1389 ch->have_received_enc_pkt = 1;
1390
1391 /*
1392 * We change to using the SCID in the first Initial packet as the
1393 * DCID.
1394 */
1395 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->init_scid);
1396 }
1397
1398 enc_level = ossl_quic_pkt_type_to_enc_level(ch->qrx_pkt->hdr->type);
1399 if ((ch->el_discarded & (1U << enc_level)) != 0)
1400 /* Do not process packets from ELs we have already discarded. */
1401 return;
1402 }
1403
1404 /* Handle incoming packet. */
1405 switch (ch->qrx_pkt->hdr->type) {
1406 case QUIC_PKT_TYPE_RETRY:
1407 if (ch->doing_retry || ch->is_server)
1408 /*
1409 * It is not allowed to ask a client to do a retry more than
1410 * once. Clients may not send retries.
1411 */
1412 return;
1413
1414 if (ch->qrx_pkt->hdr->len <= QUIC_RETRY_INTEGRITY_TAG_LEN)
1415 /* Packets with zero-length Retry Tokens are invalid. */
1416 return;
1417
1418 /*
1419 * TODO(QUIC): Theoretically this should probably be in the QRX.
1420 * However because validation is dependent on context (namely the
1421 * client's initial DCID) we can't do this cleanly. In the future we
1422 * should probably add a callback to the QRX to let it call us (via
1423 * the DEMUX) and ask us about the correct original DCID, rather
1424 * than allow the QRX to emit a potentially malformed packet to the
1425 * upper layers. However, special casing this will do for now.
1426 */
1427 if (!ossl_quic_validate_retry_integrity_tag(ch->libctx,
1428 ch->propq,
1429 ch->qrx_pkt->hdr,
1430 &ch->init_dcid))
1431 /* Malformed retry packet, ignore. */
1432 return;
1433
1434 ch_retry(ch, ch->qrx_pkt->hdr->data,
1435 ch->qrx_pkt->hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN,
1436 &ch->qrx_pkt->hdr->src_conn_id);
1437 break;
1438
1439 case QUIC_PKT_TYPE_0RTT:
1440 if (!ch->is_server)
1441 /* Clients should never receive 0-RTT packets. */
1442 return;
1443
1444 /*
1445 * TODO(QUIC): Implement 0-RTT on the server side. We currently do
1446 * not need to implement this as a client can only do 0-RTT if we
1447 * have given it permission to in a previous session.
1448 */
1449 break;
1450
1451 case QUIC_PKT_TYPE_INITIAL:
1452 case QUIC_PKT_TYPE_HANDSHAKE:
1453 case QUIC_PKT_TYPE_1RTT:
1454 if (ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_HANDSHAKE)
1455 /*
1456 * We automatically drop INITIAL EL keys when first successfully
1457 * decrypting a HANDSHAKE packet, as per the RFC.
1458 */
1459 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
1460
1461 /* This packet contains frames, pass to the RXDP. */
1462 ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */
1463 break;
1464
1465 default:
1466 assert(0);
1467 break;
1468 }
1469 }
1470
1471 /*
1472 * This is called by the demux when we get a packet not destined for any known
1473 * DCID.
1474 */
1475 static void ch_default_packet_handler(QUIC_URXE *e, void *arg)
1476 {
1477 QUIC_CHANNEL *ch = arg;
1478 PACKET pkt;
1479 QUIC_PKT_HDR hdr;
1480
1481 if (!ossl_assert(ch->is_server))
1482 goto undesirable;
1483
1484 /*
1485 * We only support one connection to our server currently, so if we already
1486 * started one, ignore any new connection attempts.
1487 */
1488 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
1489 goto undesirable;
1490
1491 /*
1492 * We have got a packet for an unknown DCID. This might be an attempt to
1493 * open a new connection.
1494 */
1495 if (e->data_len < QUIC_MIN_INITIAL_DGRAM_LEN)
1496 goto undesirable;
1497
1498 if (!PACKET_buf_init(&pkt, ossl_quic_urxe_data(e), e->data_len))
1499 goto err;
1500
1501 /*
1502 * We set short_conn_id_len to SIZE_MAX here which will cause the decode
1503 * operation to fail if we get a 1-RTT packet. This is fine since we only
1504 * care about Initial packets.
1505 */
1506 if (!ossl_quic_wire_decode_pkt_hdr(&pkt, SIZE_MAX, 1, &hdr, NULL))
1507 goto undesirable;
1508
1509 switch (hdr.version) {
1510 case QUIC_VERSION_1:
1511 break;
1512
1513 case QUIC_VERSION_NONE:
1514 default:
1515 /* Unknown version or proactive version negotiation request, bail. */
1516 /* TODO(QUIC): Handle version negotiation on server side */
1517 goto undesirable;
1518 }
1519
1520 /*
1521 * We only care about Initial packets which might be trying to establish a
1522 * connection.
1523 */
1524 if (hdr.type != QUIC_PKT_TYPE_INITIAL)
1525 goto undesirable;
1526
1527 /*
1528 * Assume this is a valid attempt to initiate a connection.
1529 *
1530 * We do not register the DCID in the initial packet we received and that
1531 * DCID is not actually used again, thus after provisioning the correct
1532 * Initial keys derived from it (which is done in the call below) we pass
1533 * the received packet directly to the QRX so that it can process it as a
1534 * one-time thing, instead of going through the usual DEMUX DCID-based
1535 * routing.
1536 */
1537 if (!ch_server_on_new_conn(ch, &e->peer,
1538 &hdr.src_conn_id,
1539 &hdr.dst_conn_id))
1540 goto err;
1541
1542 ossl_qrx_inject_urxe(ch->qrx, e);
1543 return;
1544
1545 err:
1546 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1547 "internal error");
1548 undesirable:
1549 ossl_quic_demux_release_urxe(ch->demux, e);
1550 }
1551
1552 /* Try to generate packets and if possible, flush them to the network. */
1553 static int ch_tx(QUIC_CHANNEL *ch)
1554 {
1555 if (ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING) {
1556 /*
1557 * While closing, only send CONN_CLOSE if we've received more traffic
1558 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
1559 * future calls to it generate CONN_CLOSE frames, so otherwise we would
1560 * just constantly generate CONN_CLOSE frames.
1561 */
1562 if (!ch->conn_close_queued)
1563 return 0;
1564
1565 ch->conn_close_queued = 0;
1566 }
1567
1568 /*
1569 * Send a packet, if we need to. Best effort. The TXP consults the CC and
1570 * applies any limitations imposed by it, so we don't need to do it here.
1571 *
1572 * Best effort. In particular if TXP fails for some reason we should still
1573 * flush any queued packets which we already generated.
1574 */
1575 switch (ossl_quic_tx_packetiser_generate(ch->txp,
1576 TX_PACKETISER_ARCHETYPE_NORMAL)) {
1577 case TX_PACKETISER_RES_SENT_PKT:
1578 ch->have_sent_any_pkt = 1; /* Packet was sent */
1579 break;
1580 case TX_PACKETISER_RES_NO_PKT:
1581 break; /* No packet was sent */
1582 default:
1583 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1584 "internal error");
1585 break; /* Internal failure (e.g. allocation, assertion) */
1586 }
1587
1588 /* Flush packets to network. */
1589 switch (ossl_qtx_flush_net(ch->qtx)) {
1590 case QTX_FLUSH_NET_RES_OK:
1591 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL:
1592 /* Best effort, done for now. */
1593 break;
1594
1595 case QTX_FLUSH_NET_RES_PERMANENT_FAIL:
1596 default:
1597 /* Permanent underlying network BIO, start terminating. */
1598 ch_raise_net_error(ch);
1599 break;
1600 }
1601
1602 return 1;
1603 }
1604
1605 /* Determine next tick deadline. */
1606 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch)
1607 {
1608 OSSL_TIME deadline;
1609 uint32_t pn_space;
1610
1611 if (ossl_quic_channel_is_terminated(ch))
1612 return ossl_time_infinite();
1613
1614 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
1615 if (ossl_time_is_zero(deadline))
1616 deadline = ossl_time_infinite();
1617
1618 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space)
1619 deadline = ossl_time_min(deadline,
1620 ossl_ackm_get_ack_deadline(ch->ackm, pn_space));
1621
1622 /* When will CC let us send more? */
1623 if (ossl_quic_tx_packetiser_has_pending(ch->txp, TX_PACKETISER_ARCHETYPE_NORMAL,
1624 TX_PACKETISER_BYPASS_CC))
1625 deadline = ossl_time_min(deadline,
1626 ch->cc_method->get_next_credit_time(ch->cc_data));
1627
1628 /* Is the terminating timer armed? */
1629 if (ossl_quic_channel_is_terminating(ch))
1630 deadline = ossl_time_min(deadline,
1631 ch->terminate_deadline);
1632 else if (!ossl_time_is_infinite(ch->idle_deadline))
1633 deadline = ossl_time_min(deadline,
1634 ch->idle_deadline);
1635
1636 return deadline;
1637 }
1638
1639 /*
1640 * QUIC Channel: Network BIO Configuration
1641 * =======================================
1642 */
1643
1644 /* Determines whether we can support a given poll descriptor. */
1645 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR *d)
1646 {
1647 if (d->type == BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD && d->value.fd < 0)
1648 return 0;
1649
1650 return 1;
1651 }
1652
1653 BIO *ossl_quic_channel_get_net_rbio(QUIC_CHANNEL *ch)
1654 {
1655 return ch->net_rbio;
1656 }
1657
1658 BIO *ossl_quic_channel_get_net_wbio(QUIC_CHANNEL *ch)
1659 {
1660 return ch->net_wbio;
1661 }
1662
1663 /*
1664 * QUIC_CHANNEL does not ref any BIO it is provided with, nor is any ref
1665 * transferred to it. The caller (i.e., QUIC_CONNECTION) is responsible for
1666 * ensuring the BIO lasts until the channel is freed or the BIO is switched out
1667 * for another BIO by a subsequent successful call to this function.
1668 */
1669 int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL *ch, BIO *net_rbio)
1670 {
1671 BIO_POLL_DESCRIPTOR d = {0};
1672
1673 if (ch->net_rbio == net_rbio)
1674 return 1;
1675
1676 if (net_rbio != NULL) {
1677 if (!BIO_get_rpoll_descriptor(net_rbio, &d))
1678 /* Non-pollable BIO */
1679 d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE;
1680
1681 if (!validate_poll_descriptor(&d))
1682 return 0;
1683 }
1684
1685 ossl_quic_reactor_set_poll_r(&ch->rtor, &d);
1686 ossl_quic_demux_set_bio(ch->demux, net_rbio);
1687 ch->net_rbio = net_rbio;
1688 return 1;
1689 }
1690
1691 int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio)
1692 {
1693 BIO_POLL_DESCRIPTOR d = {0};
1694
1695 if (ch->net_wbio == net_wbio)
1696 return 1;
1697
1698 if (net_wbio != NULL) {
1699 if (!BIO_get_wpoll_descriptor(net_wbio, &d))
1700 /* Non-pollable BIO */
1701 d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE;
1702
1703 if (!validate_poll_descriptor(&d))
1704 return 0;
1705 }
1706
1707 ossl_quic_reactor_set_poll_w(&ch->rtor, &d);
1708 ossl_qtx_set_bio(ch->qtx, net_wbio);
1709 ch->net_wbio = net_wbio;
1710 return 1;
1711 }
1712
1713 /*
1714 * QUIC Channel: Lifecycle Events
1715 * ==============================
1716 */
1717 int ossl_quic_channel_start(QUIC_CHANNEL *ch)
1718 {
1719 if (ch->is_server)
1720 /*
1721 * This is not used by the server. The server moves to active
1722 * automatically on receiving an incoming connection.
1723 */
1724 return 0;
1725
1726 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
1727 /* Calls to connect are idempotent */
1728 return 1;
1729
1730 /* Inform QTX of peer address. */
1731 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
1732 return 0;
1733
1734 /* Plug in secrets for the Initial EL. */
1735 if (!ossl_quic_provide_initial_secret(ch->libctx,
1736 ch->propq,
1737 &ch->init_dcid,
1738 ch->is_server,
1739 ch->qrx, ch->qtx))
1740 return 0;
1741
1742 /* Change state. */
1743 ch->state = QUIC_CHANNEL_STATE_ACTIVE;
1744 ch->doing_proactive_ver_neg = 0; /* not currently supported */
1745
1746 /* Handshake layer: start (e.g. send CH). */
1747 if (!ossl_quic_tls_tick(ch->qtls))
1748 return 0;
1749
1750 ossl_quic_reactor_tick(&ch->rtor); /* best effort */
1751 return 1;
1752 }
1753
1754 /* Start a locally initiated connection shutdown. */
1755 void ossl_quic_channel_local_close(QUIC_CHANNEL *ch, uint64_t app_error_code)
1756 {
1757 QUIC_TERMINATE_CAUSE tcause = {0};
1758
1759 if (ossl_quic_channel_is_term_any(ch))
1760 return;
1761
1762 tcause.app = 1;
1763 tcause.error_code = app_error_code;
1764 ch_start_terminating(ch, &tcause, 0);
1765 }
1766
1767 static void free_token(const unsigned char *buf, size_t buf_len, void *arg)
1768 {
1769 OPENSSL_free((unsigned char *)buf);
1770 }
1771
1772 /* Called when a server asks us to do a retry. */
1773 static int ch_retry(QUIC_CHANNEL *ch,
1774 const unsigned char *retry_token,
1775 size_t retry_token_len,
1776 const QUIC_CONN_ID *retry_scid)
1777 {
1778 void *buf;
1779
1780 /* We change to using the SCID in the Retry packet as the DCID. */
1781 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, retry_scid))
1782 return 0;
1783
1784 /*
1785 * Now we retry. We will release the Retry packet immediately, so copy
1786 * the token.
1787 */
1788 if ((buf = OPENSSL_memdup(retry_token, retry_token_len)) == NULL)
1789 return 0;
1790
1791 ossl_quic_tx_packetiser_set_initial_token(ch->txp, buf, retry_token_len,
1792 free_token, NULL);
1793
1794 ch->retry_scid = *retry_scid;
1795 ch->doing_retry = 1;
1796
1797 /*
1798 * We need to stimulate the Initial EL to generate the first CRYPTO frame
1799 * again. We can do this most cleanly by simply forcing the ACKM to consider
1800 * the first Initial packet as lost, which it effectively was as the server
1801 * hasn't processed it. This also maintains the desired behaviour with e.g.
1802 * PNs not resetting and so on.
1803 *
1804 * The PN we used initially is always zero, because QUIC does not allow
1805 * repeated retries.
1806 */
1807 if (!ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
1808 /*PN=*/0))
1809 return 0;
1810
1811 /*
1812 * Plug in new secrets for the Initial EL. This is the only time we change
1813 * the secrets for an EL after we already provisioned it.
1814 */
1815 if (!ossl_quic_provide_initial_secret(ch->libctx,
1816 ch->propq,
1817 &ch->retry_scid,
1818 /*is_server=*/0,
1819 ch->qrx, ch->qtx))
1820 return 0;
1821
1822 return 1;
1823 }
1824
1825 /* Called when an EL is to be discarded. */
1826 static int ch_discard_el(QUIC_CHANNEL *ch,
1827 uint32_t enc_level)
1828 {
1829 if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_1RTT))
1830 return 0;
1831
1832 if ((ch->el_discarded & (1U << enc_level)) != 0)
1833 /* Already done. */
1834 return 1;
1835
1836 /* Best effort for all of these. */
1837 ossl_quic_tx_packetiser_discard_enc_level(ch->txp, enc_level);
1838 ossl_qrx_discard_enc_level(ch->qrx, enc_level);
1839 ossl_qtx_discard_enc_level(ch->qtx, enc_level);
1840
1841 if (enc_level != QUIC_ENC_LEVEL_0RTT) {
1842 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
1843
1844 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
1845
1846 /* We should still have crypto streams at this point. */
1847 if (!ossl_assert(ch->crypto_send[pn_space] != NULL)
1848 || !ossl_assert(ch->crypto_recv[pn_space] != NULL))
1849 return 0;
1850
1851 /* Get rid of the crypto stream state for the EL. */
1852 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
1853 ch->crypto_send[pn_space] = NULL;
1854
1855 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
1856 ch->crypto_recv[pn_space] = NULL;
1857 }
1858
1859 ch->el_discarded |= (1U << enc_level);
1860 return 1;
1861 }
1862
1863 /* Intended to be called by the RXDP. */
1864 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch)
1865 {
1866 if (ch->handshake_confirmed)
1867 return 1;
1868
1869 if (!ch->handshake_complete) {
1870 /*
1871 * Does not make sense for handshake to be confirmed before it is
1872 * completed.
1873 */
1874 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
1875 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE,
1876 "handshake cannot be confirmed "
1877 "before it is completed");
1878 return 0;
1879 }
1880
1881 ch_discard_el(ch, QUIC_ENC_LEVEL_HANDSHAKE);
1882 ch->handshake_confirmed = 1;
1883 return 1;
1884 }
1885
1886 /*
1887 * Master function used when we want to start tearing down a connection:
1888 *
1889 * - If the connection is still IDLE we can go straight to TERMINATED;
1890 *
1891 * - If we are already TERMINATED this is a no-op.
1892 *
1893 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
1894 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
1895 *
1896 * - If we are TERMINATING - DRAINING, we remain here until the terminating
1897 * timer expires.
1898 *
1899 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
1900 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
1901 * that we are considered to have caused a termination if we sent the first
1902 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
1903 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
1904 * TERMINATING - DRAINING.
1905 *
1906 * We record the termination cause structure passed on the first call only.
1907 * Any successive calls have their termination cause data discarded;
1908 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
1909 * in it.
1910 */
1911 static void ch_start_terminating(QUIC_CHANNEL *ch,
1912 const QUIC_TERMINATE_CAUSE *tcause,
1913 int force_immediate)
1914 {
1915 switch (ch->state) {
1916 default:
1917 case QUIC_CHANNEL_STATE_IDLE:
1918 ch->terminate_cause = *tcause;
1919 ch_on_terminating_timeout(ch);
1920 break;
1921
1922 case QUIC_CHANNEL_STATE_ACTIVE:
1923 ch->terminate_cause = *tcause;
1924
1925 if (!force_immediate) {
1926 ch->state = tcause->remote ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
1927 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
1928 ch->terminate_deadline
1929 = ossl_time_add(ossl_time_now(),
1930 ossl_time_multiply(ossl_ackm_get_pto_duration(ch->ackm),
1931 3));
1932
1933 if (!tcause->remote) {
1934 OSSL_QUIC_FRAME_CONN_CLOSE f = {0};
1935
1936 /* best effort */
1937 f.error_code = ch->terminate_cause.error_code;
1938 f.frame_type = ch->terminate_cause.frame_type;
1939 f.is_app = ch->terminate_cause.app;
1940 ossl_quic_tx_packetiser_schedule_conn_close(ch->txp, &f);
1941 ch->conn_close_queued = 1;
1942 }
1943 } else {
1944 ch_on_terminating_timeout(ch);
1945 }
1946 break;
1947
1948 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING:
1949 if (force_immediate)
1950 ch_on_terminating_timeout(ch);
1951 else if (tcause->remote)
1952 ch->state = QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
1953
1954 break;
1955
1956 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING:
1957 /*
1958 * Other than in the force-immediate case, we remain here until the
1959 * timout expires.
1960 */
1961 if (force_immediate)
1962 ch_on_terminating_timeout(ch);
1963
1964 break;
1965
1966 case QUIC_CHANNEL_STATE_TERMINATED:
1967 /* No-op. */
1968 break;
1969 }
1970 }
1971
1972 /* For RXDP use. */
1973 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
1974 OSSL_QUIC_FRAME_CONN_CLOSE *f)
1975 {
1976 QUIC_TERMINATE_CAUSE tcause = {0};
1977
1978 if (!ossl_quic_channel_is_active(ch))
1979 return;
1980
1981 tcause.remote = 1;
1982 tcause.app = f->is_app;
1983 tcause.error_code = f->error_code;
1984 tcause.frame_type = f->frame_type;
1985
1986 ch_start_terminating(ch, &tcause, 0);
1987 }
1988
1989 static void ch_raise_net_error(QUIC_CHANNEL *ch)
1990 {
1991 QUIC_TERMINATE_CAUSE tcause = {0};
1992
1993 tcause.error_code = QUIC_ERR_INTERNAL_ERROR;
1994
1995 /*
1996 * Skip Terminating state and go directly to Terminated, no point trying to
1997 * send CONNECTION_CLOSE if we cannot communicate.
1998 */
1999 ch_start_terminating(ch, &tcause, 1);
2000 }
2001
2002 void ossl_quic_channel_raise_protocol_error(QUIC_CHANNEL *ch,
2003 uint64_t error_code,
2004 uint64_t frame_type,
2005 const char *reason)
2006 {
2007 QUIC_TERMINATE_CAUSE tcause = {0};
2008
2009 tcause.error_code = error_code;
2010 tcause.frame_type = frame_type;
2011
2012 ch_start_terminating(ch, &tcause, 0);
2013 }
2014
2015 /*
2016 * Called once the terminating timer expires, meaning we move from TERMINATING
2017 * to TERMINATED.
2018 */
2019 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch)
2020 {
2021 ch->state = QUIC_CHANNEL_STATE_TERMINATED;
2022 }
2023
2024 /*
2025 * Updates our idle deadline. Called when an event happens which should bump the
2026 * idle timeout.
2027 */
2028 static void ch_update_idle(QUIC_CHANNEL *ch)
2029 {
2030 if (ch->max_idle_timeout == 0)
2031 ch->idle_deadline = ossl_time_infinite();
2032 else
2033 ch->idle_deadline = ossl_time_add(ossl_time_now(),
2034 ossl_ms2time(ch->max_idle_timeout));
2035 }
2036
2037 /* Called when the idle timeout expires. */
2038 static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
2039 {
2040 /*
2041 * Idle timeout does not have an error code associated with it because a
2042 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
2043 * TERMINATED anyway.
2044 */
2045 ch->terminate_cause.app = 0;
2046 ch->terminate_cause.error_code = UINT64_MAX;
2047 ch->terminate_cause.frame_type = 0;
2048
2049 ch->state = QUIC_CHANNEL_STATE_TERMINATED;
2050 }
2051
2052 /* Called when we, as a server, get a new incoming connection. */
2053 static int ch_server_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
2054 const QUIC_CONN_ID *peer_scid,
2055 const QUIC_CONN_ID *peer_dcid)
2056 {
2057 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
2058 return 0;
2059
2060 /* Generate a SCID we will use for the connection. */
2061 if (!gen_rand_conn_id(ch->libctx, INIT_DCID_LEN,
2062 &ch->cur_local_dcid))
2063 return 0;
2064
2065 /* Note our newly learnt peer address and CIDs. */
2066 ch->cur_peer_addr = *peer;
2067 ch->init_dcid = *peer_dcid;
2068 ch->cur_remote_dcid = *peer_scid;
2069
2070 /* Inform QTX of peer address. */
2071 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
2072 return 0;
2073
2074 /* Inform TXP of desired CIDs. */
2075 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid))
2076 return 0;
2077
2078 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_dcid))
2079 return 0;
2080
2081 /* Plug in secrets for the Initial EL. */
2082 if (!ossl_quic_provide_initial_secret(ch->libctx,
2083 ch->propq,
2084 &ch->init_dcid,
2085 /*is_server=*/1,
2086 ch->qrx, ch->qtx))
2087 return 0;
2088
2089 /* Register our local DCID in the DEMUX. */
2090 if (!ossl_qrx_add_dst_conn_id(ch->qrx, &ch->cur_local_dcid))
2091 return 0;
2092
2093 /* Change state. */
2094 ch->state = QUIC_CHANNEL_STATE_ACTIVE;
2095 ch->doing_proactive_ver_neg = 0; /* not currently supported */
2096 return 1;
2097 }
2098
2099 SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
2100 {
2101 return ch->tls;
2102 }
A mirror of the official openssl repository