2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/rand.h>
11 #include <openssl/err.h>
12 #include "internal/quic_channel.h"
13 #include "internal/quic_error.h"
14 #include "internal/quic_rx_depack.h"
15 #include "internal/quic_lcidm.h"
16 #include "internal/quic_srtm.h"
17 #include "internal/qlog_event_helpers.h"
18 #include "../ssl_local.h"
19 #include "quic_channel_local.h"
20 #include "quic_port_local.h"
21 #include "quic_engine_local.h"
24 * NOTE: While this channel implementation currently has basic server support,
25 * this functionality has been implemented for internal testing purposes and is
26 * not suitable for network use. In particular, it does not implement address
27 * validation, anti-amplification or retry logic.
29 * TODO(QUIC SERVER): Implement address validation and anti-amplification
30 * TODO(QUIC SERVER): Implement retry logic
33 #define INIT_CRYPTO_RECV_BUF_LEN 16384
34 #define INIT_CRYPTO_SEND_BUF_LEN 16384
35 #define INIT_APP_BUF_LEN 8192
38 * Interval before we force a PING to ensure NATs don't timeout. This is based
39 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
42 #define MAX_NAT_INTERVAL (ossl_ms2time(25000))
45 * Our maximum ACK delay on the TX side. This is up to us to choose. Note that
46 * this could differ from QUIC_DEFAULT_MAX_DELAY in future as that is a protocol
47 * value which determines the value of the maximum ACK delay if the
48 * max_ack_delay transport parameter is not set.
50 #define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY
52 DEFINE_LIST_OF_IMPL(ch
, QUIC_CHANNEL
);
54 static void ch_save_err_state(QUIC_CHANNEL
*ch
);
55 static int ch_rx(QUIC_CHANNEL
*ch
, int channel_only
);
56 static int ch_tx(QUIC_CHANNEL
*ch
);
57 static int ch_tick_tls(QUIC_CHANNEL
*ch
, int channel_only
);
58 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
, int channel_only
);
59 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
);
60 static int ch_retry(QUIC_CHANNEL
*ch
,
61 const unsigned char *retry_token
,
62 size_t retry_token_len
,
63 const QUIC_CONN_ID
*retry_scid
);
64 static void ch_cleanup(QUIC_CHANNEL
*ch
);
65 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
);
66 static int ch_on_transport_params(const unsigned char *params
,
69 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
);
70 static int ch_on_handshake_complete(void *arg
);
71 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
72 uint32_t suite_id
, EVP_MD
*md
,
73 const unsigned char *secret
,
76 static int ch_on_crypto_recv_record(const unsigned char **buf
,
77 size_t *bytes_read
, void *arg
);
78 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
);
79 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
);
80 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
81 size_t *consumed
, void *arg
);
82 static OSSL_TIME
get_time(void *arg
);
83 static uint64_t get_stream_limit(int uni
, void *arg
);
84 static int rx_late_validate(QUIC_PN pn
, int pn_space
, void *arg
);
85 static void rxku_detected(QUIC_PN pn
, void *arg
);
86 static int ch_retry(QUIC_CHANNEL
*ch
,
87 const unsigned char *retry_token
,
88 size_t retry_token_len
,
89 const QUIC_CONN_ID
*retry_scid
);
90 static void ch_update_idle(QUIC_CHANNEL
*ch
);
91 static int ch_discard_el(QUIC_CHANNEL
*ch
,
93 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
);
94 static void ch_update_idle(QUIC_CHANNEL
*ch
);
95 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
);
96 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
);
97 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
98 const QUIC_TERMINATE_CAUSE
*tcause
,
100 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK
*ack
, uint32_t pn_space
,
102 static void ch_rx_handle_version_neg(QUIC_CHANNEL
*ch
, OSSL_QRX_PKT
*pkt
);
103 static void ch_raise_version_neg_failure(QUIC_CHANNEL
*ch
);
104 static void ch_record_state_transition(QUIC_CHANNEL
*ch
, uint32_t new_state
);
106 DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM
);
109 static QLOG
*ch_get_qlog(QUIC_CHANNEL
*ch
)
111 #ifndef OPENSSL_NO_QLOG
112 QLOG_TRACE_INFO qti
= {0};
114 if (ch
->qlog
!= NULL
)
120 qti
.odcid
= ch
->init_dcid
;
121 qti
.title
= ch
->qlog_title
;
122 qti
.description
= NULL
;
124 qti
.is_server
= ch
->is_server
;
125 qti
.now_cb
= get_time
;
127 if ((ch
->qlog
= ossl_qlog_new_from_env(&qti
)) == NULL
) {
128 ch
->use_qlog
= 0; /* don't try again */
139 * QUIC Channel Initialization and Teardown
140 * ========================================
142 #define DEFAULT_INIT_CONN_RXFC_WND (768 * 1024)
143 #define DEFAULT_CONN_RXFC_MAX_WND_MUL 20
145 #define DEFAULT_INIT_STREAM_RXFC_WND (512 * 1024)
146 #define DEFAULT_STREAM_RXFC_MAX_WND_MUL 12
148 #define DEFAULT_INIT_CONN_MAX_STREAMS 100
150 static int ch_init(QUIC_CHANNEL
*ch
)
152 OSSL_QUIC_TX_PACKETISER_ARGS txp_args
= {0};
153 OSSL_QTX_ARGS qtx_args
= {0};
154 OSSL_QRX_ARGS qrx_args
= {0};
155 QUIC_TLS_ARGS tls_args
= {0};
157 size_t rx_short_dcid_len
;
158 size_t tx_init_dcid_len
;
160 if (ch
->port
== NULL
|| ch
->lcidm
== NULL
|| ch
->srtm
== NULL
)
163 rx_short_dcid_len
= ossl_quic_port_get_rx_short_dcid_len(ch
->port
);
164 tx_init_dcid_len
= ossl_quic_port_get_tx_init_dcid_len(ch
->port
);
166 /* For clients, generate our initial DCID. */
168 && !ossl_quic_gen_rand_conn_id(ch
->port
->engine
->libctx
, tx_init_dcid_len
,
172 /* We plug in a network write BIO to the QTX later when we get one. */
173 qtx_args
.libctx
= ch
->port
->engine
->libctx
;
174 qtx_args
.qlog
= ch_get_qlog(ch
);
175 qtx_args
.mdpl
= QUIC_MIN_INITIAL_DGRAM_LEN
;
176 ch
->rx_max_udp_payload_size
= qtx_args
.mdpl
;
178 ch
->ping_deadline
= ossl_time_infinite();
180 ch
->qtx
= ossl_qtx_new(&qtx_args
);
184 ch
->txpim
= ossl_quic_txpim_new();
185 if (ch
->txpim
== NULL
)
188 ch
->cfq
= ossl_quic_cfq_new();
192 if (!ossl_quic_txfc_init(&ch
->conn_txfc
, NULL
))
196 * Note: The TP we transmit governs what the peer can transmit and thus
197 * applies to the RXFC.
199 ch
->tx_init_max_stream_data_bidi_local
= DEFAULT_INIT_STREAM_RXFC_WND
;
200 ch
->tx_init_max_stream_data_bidi_remote
= DEFAULT_INIT_STREAM_RXFC_WND
;
201 ch
->tx_init_max_stream_data_uni
= DEFAULT_INIT_STREAM_RXFC_WND
;
203 if (!ossl_quic_rxfc_init(&ch
->conn_rxfc
, NULL
,
204 DEFAULT_INIT_CONN_RXFC_WND
,
205 DEFAULT_CONN_RXFC_MAX_WND_MUL
*
206 DEFAULT_INIT_CONN_RXFC_WND
,
210 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
)
211 if (!ossl_quic_rxfc_init_standalone(&ch
->crypto_rxfc
[pn_space
],
212 INIT_CRYPTO_RECV_BUF_LEN
,
216 if (!ossl_quic_rxfc_init_standalone(&ch
->max_streams_bidi_rxfc
,
217 DEFAULT_INIT_CONN_MAX_STREAMS
,
221 if (!ossl_quic_rxfc_init_standalone(&ch
->max_streams_uni_rxfc
,
222 DEFAULT_INIT_CONN_MAX_STREAMS
,
226 if (!ossl_statm_init(&ch
->statm
))
230 ch
->cc_method
= &ossl_cc_newreno_method
;
231 if ((ch
->cc_data
= ch
->cc_method
->new(get_time
, ch
)) == NULL
)
234 if ((ch
->ackm
= ossl_ackm_new(get_time
, ch
, &ch
->statm
,
235 ch
->cc_method
, ch
->cc_data
)) == NULL
)
238 if (!ossl_quic_stream_map_init(&ch
->qsm
, get_stream_limit
, ch
,
239 &ch
->max_streams_bidi_rxfc
,
240 &ch
->max_streams_uni_rxfc
,
247 && !ossl_quic_lcidm_generate_initial(ch
->lcidm
, ch
, &txp_args
.cur_scid
))
250 /* We use a zero-length SCID. */
251 txp_args
.cur_dcid
= ch
->init_dcid
;
252 txp_args
.ack_delay_exponent
= 3;
253 txp_args
.qtx
= ch
->qtx
;
254 txp_args
.txpim
= ch
->txpim
;
255 txp_args
.cfq
= ch
->cfq
;
256 txp_args
.ackm
= ch
->ackm
;
257 txp_args
.qsm
= &ch
->qsm
;
258 txp_args
.conn_txfc
= &ch
->conn_txfc
;
259 txp_args
.conn_rxfc
= &ch
->conn_rxfc
;
260 txp_args
.max_streams_bidi_rxfc
= &ch
->max_streams_bidi_rxfc
;
261 txp_args
.max_streams_uni_rxfc
= &ch
->max_streams_uni_rxfc
;
262 txp_args
.cc_method
= ch
->cc_method
;
263 txp_args
.cc_data
= ch
->cc_data
;
264 txp_args
.now
= get_time
;
265 txp_args
.now_arg
= ch
;
266 txp_args
.qlog
= ch_get_qlog(ch
);
268 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
269 ch
->crypto_send
[pn_space
] = ossl_quic_sstream_new(INIT_CRYPTO_SEND_BUF_LEN
);
270 if (ch
->crypto_send
[pn_space
] == NULL
)
273 txp_args
.crypto
[pn_space
] = ch
->crypto_send
[pn_space
];
276 ch
->txp
= ossl_quic_tx_packetiser_new(&txp_args
);
280 ossl_quic_tx_packetiser_set_ack_tx_cb(ch
->txp
, ch_on_txp_ack_tx
, ch
);
282 qrx_args
.libctx
= ch
->port
->engine
->libctx
;
283 qrx_args
.demux
= ch
->port
->demux
;
284 qrx_args
.short_conn_id_len
= rx_short_dcid_len
;
285 qrx_args
.max_deferred
= 32;
287 if ((ch
->qrx
= ossl_qrx_new(&qrx_args
)) == NULL
)
290 if (!ossl_qrx_set_late_validation_cb(ch
->qrx
,
295 if (!ossl_qrx_set_key_update_cb(ch
->qrx
,
300 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
301 ch
->crypto_recv
[pn_space
] = ossl_quic_rstream_new(NULL
, NULL
, 0);
302 if (ch
->crypto_recv
[pn_space
] == NULL
)
306 /* Plug in the TLS handshake layer. */
307 tls_args
.s
= ch
->tls
;
308 tls_args
.crypto_send_cb
= ch_on_crypto_send
;
309 tls_args
.crypto_send_cb_arg
= ch
;
310 tls_args
.crypto_recv_rcd_cb
= ch_on_crypto_recv_record
;
311 tls_args
.crypto_recv_rcd_cb_arg
= ch
;
312 tls_args
.crypto_release_rcd_cb
= ch_on_crypto_release_record
;
313 tls_args
.crypto_release_rcd_cb_arg
= ch
;
314 tls_args
.yield_secret_cb
= ch_on_handshake_yield_secret
;
315 tls_args
.yield_secret_cb_arg
= ch
;
316 tls_args
.got_transport_params_cb
= ch_on_transport_params
;
317 tls_args
.got_transport_params_cb_arg
= ch
;
318 tls_args
.handshake_complete_cb
= ch_on_handshake_complete
;
319 tls_args
.handshake_complete_cb_arg
= ch
;
320 tls_args
.alert_cb
= ch_on_handshake_alert
;
321 tls_args
.alert_cb_arg
= ch
;
322 tls_args
.is_server
= ch
->is_server
;
324 if ((ch
->qtls
= ossl_quic_tls_new(&tls_args
)) == NULL
)
327 ch
->tx_max_ack_delay
= DEFAULT_MAX_ACK_DELAY
;
328 ch
->rx_max_ack_delay
= QUIC_DEFAULT_MAX_ACK_DELAY
;
329 ch
->rx_ack_delay_exp
= QUIC_DEFAULT_ACK_DELAY_EXP
;
330 ch
->rx_active_conn_id_limit
= QUIC_MIN_ACTIVE_CONN_ID_LIMIT
;
331 ch
->max_idle_timeout
= QUIC_DEFAULT_IDLE_TIMEOUT
;
332 ch
->tx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
333 ch
->rx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
334 ch
->txku_threshold_override
= UINT64_MAX
;
336 ossl_ackm_set_tx_max_ack_delay(ch
->ackm
, ossl_ms2time(ch
->tx_max_ack_delay
));
337 ossl_ackm_set_rx_max_ack_delay(ch
->ackm
, ossl_ms2time(ch
->rx_max_ack_delay
));
340 * Determine the QUIC Transport Parameters and serialize the transport
341 * parameters block. (For servers, we do this later as we must defer
342 * generation until we have received the client's transport parameters.)
344 if (!ch
->is_server
&& !ch_generate_transport_params(ch
))
348 ossl_list_ch_insert_tail(&ch
->port
->channel_list
, ch
);
349 ch
->on_port_list
= 1;
357 static void ch_cleanup(QUIC_CHANNEL
*ch
)
361 if (ch
->ackm
!= NULL
)
362 for (pn_space
= QUIC_PN_SPACE_INITIAL
;
363 pn_space
< QUIC_PN_SPACE_NUM
;
365 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
367 ossl_quic_lcidm_cull(ch
->lcidm
, ch
);
368 ossl_quic_srtm_cull(ch
->srtm
, ch
);
369 ossl_quic_tx_packetiser_free(ch
->txp
);
370 ossl_quic_txpim_free(ch
->txpim
);
371 ossl_quic_cfq_free(ch
->cfq
);
372 ossl_qtx_free(ch
->qtx
);
373 if (ch
->cc_data
!= NULL
)
374 ch
->cc_method
->free(ch
->cc_data
);
376 ossl_statm_destroy(&ch
->statm
);
377 ossl_ackm_free(ch
->ackm
);
380 ossl_quic_stream_map_cleanup(&ch
->qsm
);
382 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
383 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
384 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
387 ossl_qrx_pkt_release(ch
->qrx_pkt
);
390 ossl_quic_tls_free(ch
->qtls
);
391 ossl_qrx_free(ch
->qrx
);
392 OPENSSL_free(ch
->local_transport_params
);
393 OPENSSL_free((char *)ch
->terminate_cause
.reason
);
394 OSSL_ERR_STATE_free(ch
->err_state
);
395 OPENSSL_free(ch
->ack_range_scratch
);
397 if (ch
->on_port_list
) {
398 ossl_list_ch_remove(&ch
->port
->channel_list
, ch
);
399 ch
->on_port_list
= 0;
402 #ifndef OPENSSL_NO_QLOG
403 if (ch
->qlog
!= NULL
)
404 ossl_qlog_flush(ch
->qlog
); /* best effort */
406 OPENSSL_free(ch
->qlog_title
);
407 ossl_qlog_free(ch
->qlog
);
411 QUIC_CHANNEL
*ossl_quic_channel_new(const QUIC_CHANNEL_ARGS
*args
)
413 QUIC_CHANNEL
*ch
= NULL
;
415 if ((ch
= OPENSSL_zalloc(sizeof(*ch
))) == NULL
)
418 ch
->port
= args
->port
;
419 ch
->is_server
= args
->is_server
;
421 ch
->lcidm
= args
->lcidm
;
422 ch
->srtm
= args
->srtm
;
423 #ifndef OPENSSL_NO_QLOG
424 ch
->use_qlog
= args
->use_qlog
;
426 if (ch
->use_qlog
&& args
->qlog_title
!= NULL
) {
427 if ((ch
->qlog_title
= OPENSSL_strdup(args
->qlog_title
)) == NULL
) {
442 void ossl_quic_channel_free(QUIC_CHANNEL
*ch
)
451 /* Set mutator callbacks for test framework support */
452 int ossl_quic_channel_set_mutator(QUIC_CHANNEL
*ch
,
453 ossl_mutate_packet_cb mutatecb
,
454 ossl_finish_mutate_cb finishmutatecb
,
460 ossl_qtx_set_mutator(ch
->qtx
, mutatecb
, finishmutatecb
, mutatearg
);
464 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL
*ch
, BIO_ADDR
*peer_addr
)
466 if (!ch
->addressed_mode
)
469 *peer_addr
= ch
->cur_peer_addr
;
473 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer_addr
)
475 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
478 if (peer_addr
== NULL
|| BIO_ADDR_family(peer_addr
) == AF_UNSPEC
) {
479 BIO_ADDR_clear(&ch
->cur_peer_addr
);
480 ch
->addressed_mode
= 0;
484 ch
->cur_peer_addr
= *peer_addr
;
485 ch
->addressed_mode
= 1;
489 QUIC_REACTOR
*ossl_quic_channel_get_reactor(QUIC_CHANNEL
*ch
)
491 return ossl_quic_port_get0_reactor(ch
->port
);
494 QUIC_STREAM_MAP
*ossl_quic_channel_get_qsm(QUIC_CHANNEL
*ch
)
499 OSSL_STATM
*ossl_quic_channel_get_statm(QUIC_CHANNEL
*ch
)
504 QUIC_STREAM
*ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL
*ch
,
507 return ossl_quic_stream_map_get_by_id(&ch
->qsm
, stream_id
);
510 int ossl_quic_channel_is_active(const QUIC_CHANNEL
*ch
)
512 return ch
!= NULL
&& ch
->state
== QUIC_CHANNEL_STATE_ACTIVE
;
515 int ossl_quic_channel_is_closing(const QUIC_CHANNEL
*ch
)
517 return ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
;
520 static int ossl_quic_channel_is_draining(const QUIC_CHANNEL
*ch
)
522 return ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_DRAINING
;
525 static int ossl_quic_channel_is_terminating(const QUIC_CHANNEL
*ch
)
527 return ossl_quic_channel_is_closing(ch
)
528 || ossl_quic_channel_is_draining(ch
);
531 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL
*ch
)
533 return ch
->state
== QUIC_CHANNEL_STATE_TERMINATED
;
536 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL
*ch
)
538 return ossl_quic_channel_is_terminating(ch
)
539 || ossl_quic_channel_is_terminated(ch
);
542 const QUIC_TERMINATE_CAUSE
*
543 ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL
*ch
)
545 return ossl_quic_channel_is_term_any(ch
) ? &ch
->terminate_cause
: NULL
;
548 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL
*ch
)
550 return ch
->handshake_complete
;
553 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL
*ch
)
555 return ch
->handshake_confirmed
;
558 QUIC_DEMUX
*ossl_quic_channel_get0_demux(QUIC_CHANNEL
*ch
)
560 return ch
->port
->demux
;
563 QUIC_PORT
*ossl_quic_channel_get0_port(QUIC_CHANNEL
*ch
)
568 QUIC_ENGINE
*ossl_quic_channel_get0_engine(QUIC_CHANNEL
*ch
)
570 return ossl_quic_port_get0_engine(ch
->port
);
573 CRYPTO_MUTEX
*ossl_quic_channel_get_mutex(QUIC_CHANNEL
*ch
)
575 return ossl_quic_port_get0_mutex(ch
->port
);
578 int ossl_quic_channel_has_pending(const QUIC_CHANNEL
*ch
)
580 return ossl_quic_demux_has_pending(ch
->port
->demux
)
581 || ossl_qrx_processed_read_pending(ch
->qrx
);
585 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
586 * ================================================================
589 /* Used by various components. */
590 static OSSL_TIME
get_time(void *arg
)
592 QUIC_CHANNEL
*ch
= arg
;
594 return ossl_quic_port_get_time(ch
->port
);
598 static uint64_t get_stream_limit(int uni
, void *arg
)
600 QUIC_CHANNEL
*ch
= arg
;
602 return uni
? ch
->max_local_streams_uni
: ch
->max_local_streams_bidi
;
606 * Called by QRX to determine if a packet is potentially invalid before trying
609 static int rx_late_validate(QUIC_PN pn
, int pn_space
, void *arg
)
611 QUIC_CHANNEL
*ch
= arg
;
613 /* Potential duplicates should not be processed. */
614 if (!ossl_ackm_is_rx_pn_processable(ch
->ackm
, pn
, pn_space
))
621 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
622 * spontaneous TXKU is currently allowed.
625 static void ch_trigger_txku(QUIC_CHANNEL
*ch
)
628 = ossl_quic_tx_packetiser_get_next_pn(ch
->txp
, QUIC_PN_SPACE_APP
);
630 if (!ossl_quic_pn_valid(next_pn
)
631 || !ossl_qtx_trigger_key_update(ch
->qtx
)) {
632 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
637 ch
->txku_in_progress
= 1;
638 ch
->txku_pn
= next_pn
;
639 ch
->rxku_expected
= ch
->ku_locally_initiated
;
643 static int txku_in_progress(QUIC_CHANNEL
*ch
)
645 if (ch
->txku_in_progress
646 && ossl_ackm_get_largest_acked(ch
->ackm
, QUIC_PN_SPACE_APP
) >= ch
->txku_pn
) {
647 OSSL_TIME pto
= ossl_ackm_get_pto_duration(ch
->ackm
);
650 * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
651 * initiating a key update after receiving an acknowledgment that
652 * confirms that the previous key update was received.
654 * Note that by the above wording, this period starts from when we get
655 * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
656 * So we defer TXKU cooldown deadline calculation to this point.
658 ch
->txku_in_progress
= 0;
659 ch
->txku_cooldown_deadline
= ossl_time_add(get_time(ch
),
660 ossl_time_multiply(pto
, 3));
663 return ch
->txku_in_progress
;
667 static int txku_allowed(QUIC_CHANNEL
*ch
)
669 return ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
/* Sanity check. */
670 /* Strict RFC 9001 criterion for TXKU. */
671 && ch
->handshake_confirmed
672 && !txku_in_progress(ch
);
676 static int txku_recommendable(QUIC_CHANNEL
*ch
)
678 if (!txku_allowed(ch
))
682 /* Recommended RFC 9001 criterion for TXKU. */
683 ossl_time_compare(get_time(ch
), ch
->txku_cooldown_deadline
) >= 0
684 /* Some additional sensible criteria. */
685 && !ch
->rxku_in_progress
686 && !ch
->rxku_pending_confirm
;
690 static int txku_desirable(QUIC_CHANNEL
*ch
)
692 uint64_t cur_pkt_count
, max_pkt_count
, thresh_pkt_count
;
693 const uint32_t enc_level
= QUIC_ENC_LEVEL_1RTT
;
695 /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
696 cur_pkt_count
= ossl_qtx_get_cur_epoch_pkt_count(ch
->qtx
, enc_level
);
697 max_pkt_count
= ossl_qtx_get_max_epoch_pkt_count(ch
->qtx
, enc_level
);
699 thresh_pkt_count
= max_pkt_count
/ 2;
700 if (ch
->txku_threshold_override
!= UINT64_MAX
)
701 thresh_pkt_count
= ch
->txku_threshold_override
;
703 return cur_pkt_count
>= thresh_pkt_count
;
707 static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL
*ch
)
709 if (!txku_recommendable(ch
) || !txku_desirable(ch
))
712 ch
->ku_locally_initiated
= 1;
717 static int rxku_allowed(QUIC_CHANNEL
*ch
)
720 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
721 * having confirmed the handshake (Section 4.1.2).
723 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
724 * unless it has received an acknowledgment for a packet that was sent
725 * protected with keys from the current key phase.
727 * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
728 * sent any packets with updated keys containing an acknowledgment for the
729 * packet that initiated the key update, it indicates that its peer has
730 * updated keys twice without awaiting confirmation. An endpoint MAY treat
731 * such consecutive key updates as a connection error of type
734 return ch
->handshake_confirmed
&& !ch
->rxku_pending_confirm
;
738 * Called when the QRX detects a new RX key update event.
742 DECISION_PROTOCOL_VIOLATION
,
743 DECISION_SOLICITED_TXKU
746 /* Called when the QRX detects a key update has occurred. */
748 static void rxku_detected(QUIC_PN pn
, void *arg
)
750 QUIC_CHANNEL
*ch
= arg
;
751 enum rxku_decision decision
;
755 * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
756 * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
758 assert(!ch
->rxku_in_progress
);
760 if (!rxku_allowed(ch
))
761 /* Is RXKU even allowed at this time? */
762 decision
= DECISION_PROTOCOL_VIOLATION
;
764 else if (ch
->ku_locally_initiated
)
766 * If this key update was locally initiated (meaning that this detected
767 * RXKU event is a result of our own spontaneous TXKU), we do not
768 * trigger another TXKU; after all, to do so would result in an infinite
769 * ping-pong of key updates. We still process it as an RXKU.
771 decision
= DECISION_RXKU_ONLY
;
775 * Otherwise, a peer triggering a KU means we have to trigger a KU also.
777 decision
= DECISION_SOLICITED_TXKU
;
779 if (decision
== DECISION_PROTOCOL_VIOLATION
) {
780 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_KEY_UPDATE_ERROR
,
781 0, "RX key update again too soon");
785 pto
= ossl_ackm_get_pto_duration(ch
->ackm
);
787 ch
->ku_locally_initiated
= 0;
788 ch
->rxku_in_progress
= 1;
789 ch
->rxku_pending_confirm
= 1;
790 ch
->rxku_trigger_pn
= pn
;
791 ch
->rxku_update_end_deadline
= ossl_time_add(get_time(ch
), pto
);
792 ch
->rxku_expected
= 0;
794 if (decision
== DECISION_SOLICITED_TXKU
)
795 /* NOT gated by usual txku_allowed() */
799 * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
800 * received. In some cases, this may not occur for a long time, for example
801 * if transmission of application data is going in only one direction and
802 * nothing else is happening with the connection. However, since the peer
803 * cannot initiate a subsequent (spontaneous) TXKU until its prior
804 * (spontaneous or solicited) TXKU has completed - meaning that prior
805 * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
806 * can lead to very long times before a TXKU is considered 'completed'.
807 * Optimise this by forcing ACK generation after triggering TXKU.
808 * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
809 * which it more or less should be; it is necessarily separate from ordinary
810 * processing of ACK-eliciting frames as key update is not indicated via a
813 ossl_quic_tx_packetiser_schedule_ack(ch
->txp
, QUIC_PN_SPACE_APP
);
816 /* Called per tick to handle RXKU timer events. */
818 static void ch_rxku_tick(QUIC_CHANNEL
*ch
)
820 if (!ch
->rxku_in_progress
821 || ossl_time_compare(get_time(ch
), ch
->rxku_update_end_deadline
) < 0)
824 ch
->rxku_update_end_deadline
= ossl_time_infinite();
825 ch
->rxku_in_progress
= 0;
827 if (!ossl_qrx_key_update_timeout(ch
->qrx
, /*normal=*/1))
828 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
829 "RXKU cooldown internal error");
833 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK
*ack
, uint32_t pn_space
,
836 QUIC_CHANNEL
*ch
= arg
;
838 if (pn_space
!= QUIC_PN_SPACE_APP
|| !ch
->rxku_pending_confirm
839 || !ossl_quic_frame_ack_contains_pn(ack
, ch
->rxku_trigger_pn
))
843 * Defer clearing rxku_pending_confirm until TXP generate call returns
846 ch
->rxku_pending_confirm_done
= 1;
850 * QUIC Channel: Handshake Layer Event Handling
851 * ============================================
853 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
854 size_t *consumed
, void *arg
)
857 QUIC_CHANNEL
*ch
= arg
;
858 uint32_t enc_level
= ch
->tx_enc_level
;
859 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
860 QUIC_SSTREAM
*sstream
= ch
->crypto_send
[pn_space
];
862 if (!ossl_assert(sstream
!= NULL
))
865 ret
= ossl_quic_sstream_append(sstream
, buf
, buf_len
, consumed
);
869 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
)
877 if (!ossl_quic_rstream_available(rstream
, &avail
, &is_fin
))
883 static int ch_on_crypto_recv_record(const unsigned char **buf
,
884 size_t *bytes_read
, void *arg
)
886 QUIC_CHANNEL
*ch
= arg
;
887 QUIC_RSTREAM
*rstream
;
888 int is_fin
= 0; /* crypto stream is never finished, so we don't use this */
892 * After we move to a later EL we must not allow our peer to send any new
893 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
896 * In practice we will only move to a new EL when we have consumed all bytes
897 * which should be sent on the crypto stream at a previous EL. For example,
898 * the Handshake EL should not be provisioned until we have completely
899 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
900 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
901 * given EL is available we simply ensure we have not received any further
902 * bytes at a lower EL.
904 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< ch
->rx_enc_level
; ++i
)
905 if (i
!= QUIC_ENC_LEVEL_0RTT
&&
906 !crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
907 /* Protocol violation (RFC 9001 s. 4.1.3) */
908 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
909 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
910 "crypto stream data in wrong EL");
914 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
918 return ossl_quic_rstream_get_record(rstream
, buf
, bytes_read
,
922 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
)
924 QUIC_CHANNEL
*ch
= arg
;
925 QUIC_RSTREAM
*rstream
;
926 OSSL_RTT_INFO rtt_info
;
927 uint32_t rx_pn_space
= ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
);
929 rstream
= ch
->crypto_recv
[rx_pn_space
];
933 ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(ch
), &rtt_info
);
934 if (!ossl_quic_rxfc_on_retire(&ch
->crypto_rxfc
[rx_pn_space
], bytes_read
,
935 rtt_info
.smoothed_rtt
))
938 return ossl_quic_rstream_release_record(rstream
, bytes_read
);
941 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
942 uint32_t suite_id
, EVP_MD
*md
,
943 const unsigned char *secret
,
947 QUIC_CHANNEL
*ch
= arg
;
950 if (enc_level
< QUIC_ENC_LEVEL_HANDSHAKE
|| enc_level
>= QUIC_ENC_LEVEL_NUM
)
957 if (enc_level
<= ch
->tx_enc_level
)
959 * Does not make sense for us to try and provision an EL we have already
964 if (!ossl_qtx_provide_secret(ch
->qtx
, enc_level
,
969 ch
->tx_enc_level
= enc_level
;
972 if (enc_level
<= ch
->rx_enc_level
)
974 * Does not make sense for us to try and provision an EL we have already
980 * Ensure all crypto streams for previous ELs are now empty of available
983 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< enc_level
; ++i
)
984 if (!crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
985 /* Protocol violation (RFC 9001 s. 4.1.3) */
986 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
987 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
988 "crypto stream data in wrong EL");
992 if (!ossl_qrx_provide_secret(ch
->qrx
, enc_level
,
997 ch
->have_new_rx_secret
= 1;
998 ch
->rx_enc_level
= enc_level
;
1004 static int ch_on_handshake_complete(void *arg
)
1006 QUIC_CHANNEL
*ch
= arg
;
1008 if (!ossl_assert(!ch
->handshake_complete
))
1009 return 0; /* this should not happen twice */
1011 if (!ossl_assert(ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
))
1014 if (!ch
->got_remote_transport_params
) {
1016 * Was not a valid QUIC handshake if we did not get valid transport
1019 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_CRYPTO_MISSING_EXT
,
1020 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
1021 "no transport parameters received");
1025 /* Don't need transport parameters anymore. */
1026 OPENSSL_free(ch
->local_transport_params
);
1027 ch
->local_transport_params
= NULL
;
1029 /* Tell the QRX it can now process 1-RTT packets. */
1030 ossl_qrx_allow_1rtt_processing(ch
->qrx
);
1032 /* Tell TXP the handshake is complete. */
1033 ossl_quic_tx_packetiser_notify_handshake_complete(ch
->txp
);
1035 ch
->handshake_complete
= 1;
1037 if (ch
->is_server
) {
1039 * On the server, the handshake is confirmed as soon as it is complete.
1041 ossl_quic_channel_on_handshake_confirmed(ch
);
1043 ossl_quic_tx_packetiser_schedule_handshake_done(ch
->txp
);
1046 ch_record_state_transition(ch
, ch
->state
);
1050 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
)
1052 QUIC_CHANNEL
*ch
= arg
;
1055 * RFC 9001 s. 4.4: More specifically, servers MUST NOT send post-handshake
1056 * TLS CertificateRequest messages, and clients MUST treat receipt of such
1057 * messages as a connection error of type PROTOCOL_VIOLATION.
1059 if (alert_code
== SSL_AD_UNEXPECTED_MESSAGE
1060 && ch
->handshake_complete
1061 && ossl_quic_tls_is_cert_request(ch
->qtls
))
1062 ossl_quic_channel_raise_protocol_error(ch
,
1063 QUIC_ERR_PROTOCOL_VIOLATION
,
1065 "Post-handshake TLS "
1066 "CertificateRequest received");
1068 * RFC 9001 s. 4.6.1: Servers MUST NOT send the early_data extension with a
1069 * max_early_data_size field set to any value other than 0xffffffff. A
1070 * client MUST treat receipt of a NewSessionTicket that contains an
1071 * early_data extension with any other value as a connection error of type
1072 * PROTOCOL_VIOLATION.
1074 else if (alert_code
== SSL_AD_ILLEGAL_PARAMETER
1075 && ch
->handshake_complete
1076 && ossl_quic_tls_has_bad_max_early_data(ch
->qtls
))
1077 ossl_quic_channel_raise_protocol_error(ch
,
1078 QUIC_ERR_PROTOCOL_VIOLATION
,
1080 "Bad max_early_data received");
1082 ossl_quic_channel_raise_protocol_error(ch
,
1083 QUIC_ERR_CRYPTO_ERR_BEGIN
1085 0, "handshake alert");
1091 * QUIC Channel: Transport Parameter Handling
1092 * ==========================================
1096 * Called by handshake layer when we receive QUIC Transport Parameters from the
1097 * peer. Note that these are not authenticated until the handshake is marked
1100 #define TP_REASON_SERVER_ONLY(x) \
1101 x " may not be sent by a client"
1102 #define TP_REASON_DUP(x) \
1103 x " appears multiple times"
1104 #define TP_REASON_MALFORMED(x) \
1106 #define TP_REASON_EXPECTED_VALUE(x) \
1107 x " does not match expected value"
1108 #define TP_REASON_NOT_RETRY(x) \
1109 x " sent when not performing a retry"
1110 #define TP_REASON_REQUIRED(x) \
1111 x " was not sent but is required"
1112 #define TP_REASON_INTERNAL_ERROR(x) \
1113 x " encountered internal error"
1115 static void txfc_bump_cwm_bidi(QUIC_STREAM
*s
, void *arg
)
1117 if (!ossl_quic_stream_is_bidi(s
)
1118 || ossl_quic_stream_is_server_init(s
))
1121 ossl_quic_txfc_bump_cwm(&s
->txfc
, *(uint64_t *)arg
);
1124 static void txfc_bump_cwm_uni(QUIC_STREAM
*s
, void *arg
)
1126 if (ossl_quic_stream_is_bidi(s
)
1127 || ossl_quic_stream_is_server_init(s
))
1130 ossl_quic_txfc_bump_cwm(&s
->txfc
, *(uint64_t *)arg
);
1133 static void do_update(QUIC_STREAM
*s
, void *arg
)
1135 QUIC_CHANNEL
*ch
= arg
;
1137 ossl_quic_stream_map_update_state(&ch
->qsm
, s
);
1140 static int ch_on_transport_params(const unsigned char *params
,
1144 QUIC_CHANNEL
*ch
= arg
;
1148 const unsigned char *body
;
1149 int got_orig_dcid
= 0;
1150 int got_initial_scid
= 0;
1151 int got_retry_scid
= 0;
1152 int got_initial_max_data
= 0;
1153 int got_initial_max_stream_data_bidi_local
= 0;
1154 int got_initial_max_stream_data_bidi_remote
= 0;
1155 int got_initial_max_stream_data_uni
= 0;
1156 int got_initial_max_streams_bidi
= 0;
1157 int got_initial_max_streams_uni
= 0;
1158 int got_stateless_reset_token
= 0;
1159 int got_preferred_addr
= 0;
1160 int got_ack_delay_exp
= 0;
1161 int got_max_ack_delay
= 0;
1162 int got_max_udp_payload_size
= 0;
1163 int got_max_idle_timeout
= 0;
1164 int got_active_conn_id_limit
= 0;
1165 int got_disable_active_migration
= 0;
1167 const char *reason
= "bad transport parameter";
1168 ossl_unused
uint64_t rx_max_idle_timeout
= 0;
1169 ossl_unused
const void *stateless_reset_token_p
= NULL
;
1170 QUIC_PREFERRED_ADDR pfa
;
1172 if (ch
->got_remote_transport_params
) {
1173 reason
= "multiple transport parameter extensions";
1177 if (!PACKET_buf_init(&pkt
, params
, params_len
)) {
1178 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1179 "internal error (packet buf init)");
1183 while (PACKET_remaining(&pkt
) > 0) {
1184 if (!ossl_quic_wire_peek_transport_param(&pkt
, &id
))
1188 case QUIC_TPARAM_ORIG_DCID
:
1189 if (got_orig_dcid
) {
1190 reason
= TP_REASON_DUP("ORIG_DCID");
1194 if (ch
->is_server
) {
1195 reason
= TP_REASON_SERVER_ONLY("ORIG_DCID");
1199 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1200 reason
= TP_REASON_MALFORMED("ORIG_DCID");
1204 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1205 /* Must match our initial DCID. */
1206 if (!ossl_quic_conn_id_eq(&ch
->init_dcid
, &cid
)) {
1207 reason
= TP_REASON_EXPECTED_VALUE("ORIG_DCID");
1215 case QUIC_TPARAM_RETRY_SCID
:
1216 if (ch
->is_server
) {
1217 reason
= TP_REASON_SERVER_ONLY("RETRY_SCID");
1221 if (got_retry_scid
) {
1222 reason
= TP_REASON_DUP("RETRY_SCID");
1226 if (!ch
->doing_retry
) {
1227 reason
= TP_REASON_NOT_RETRY("RETRY_SCID");
1231 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1232 reason
= TP_REASON_MALFORMED("RETRY_SCID");
1236 /* Must match Retry packet SCID. */
1237 if (!ossl_quic_conn_id_eq(&ch
->retry_scid
, &cid
)) {
1238 reason
= TP_REASON_EXPECTED_VALUE("RETRY_SCID");
1245 case QUIC_TPARAM_INITIAL_SCID
:
1246 if (got_initial_scid
) {
1247 /* must not appear more than once */
1248 reason
= TP_REASON_DUP("INITIAL_SCID");
1252 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1253 reason
= TP_REASON_MALFORMED("INITIAL_SCID");
1257 /* Must match SCID of first Initial packet from server. */
1258 if (!ossl_quic_conn_id_eq(&ch
->init_scid
, &cid
)) {
1259 reason
= TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
1263 got_initial_scid
= 1;
1266 case QUIC_TPARAM_INITIAL_MAX_DATA
:
1267 if (got_initial_max_data
) {
1268 /* must not appear more than once */
1269 reason
= TP_REASON_DUP("INITIAL_MAX_DATA");
1273 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1274 reason
= TP_REASON_MALFORMED("INITIAL_MAX_DATA");
1278 ossl_quic_txfc_bump_cwm(&ch
->conn_txfc
, v
);
1279 got_initial_max_data
= 1;
1282 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
:
1283 if (got_initial_max_stream_data_bidi_local
) {
1284 /* must not appear more than once */
1285 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1289 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1290 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1295 * This is correct; the BIDI_LOCAL TP governs streams created by
1296 * the endpoint which sends the TP, i.e., our peer.
1298 ch
->rx_init_max_stream_data_bidi_remote
= v
;
1299 got_initial_max_stream_data_bidi_local
= 1;
1302 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
:
1303 if (got_initial_max_stream_data_bidi_remote
) {
1304 /* must not appear more than once */
1305 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1309 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1310 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1315 * This is correct; the BIDI_REMOTE TP governs streams created
1316 * by the endpoint which receives the TP, i.e., us.
1318 ch
->rx_init_max_stream_data_bidi_local
= v
;
1320 /* Apply to all existing streams. */
1321 ossl_quic_stream_map_visit(&ch
->qsm
, txfc_bump_cwm_bidi
, &v
);
1322 got_initial_max_stream_data_bidi_remote
= 1;
1325 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
:
1326 if (got_initial_max_stream_data_uni
) {
1327 /* must not appear more than once */
1328 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
1332 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1333 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
1337 ch
->rx_init_max_stream_data_uni
= v
;
1339 /* Apply to all existing streams. */
1340 ossl_quic_stream_map_visit(&ch
->qsm
, txfc_bump_cwm_uni
, &v
);
1341 got_initial_max_stream_data_uni
= 1;
1344 case QUIC_TPARAM_ACK_DELAY_EXP
:
1345 if (got_ack_delay_exp
) {
1346 /* must not appear more than once */
1347 reason
= TP_REASON_DUP("ACK_DELAY_EXP");
1351 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1352 || v
> QUIC_MAX_ACK_DELAY_EXP
) {
1353 reason
= TP_REASON_MALFORMED("ACK_DELAY_EXP");
1357 ch
->rx_ack_delay_exp
= (unsigned char)v
;
1358 got_ack_delay_exp
= 1;
1361 case QUIC_TPARAM_MAX_ACK_DELAY
:
1362 if (got_max_ack_delay
) {
1363 /* must not appear more than once */
1364 reason
= TP_REASON_DUP("MAX_ACK_DELAY");
1368 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1369 || v
>= (((uint64_t)1) << 14)) {
1370 reason
= TP_REASON_MALFORMED("MAX_ACK_DELAY");
1374 ch
->rx_max_ack_delay
= v
;
1375 ossl_ackm_set_rx_max_ack_delay(ch
->ackm
,
1376 ossl_ms2time(ch
->rx_max_ack_delay
));
1378 got_max_ack_delay
= 1;
1381 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
:
1382 if (got_initial_max_streams_bidi
) {
1383 /* must not appear more than once */
1384 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
1388 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1389 || v
> (((uint64_t)1) << 60)) {
1390 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
1394 assert(ch
->max_local_streams_bidi
== 0);
1395 ch
->max_local_streams_bidi
= v
;
1396 got_initial_max_streams_bidi
= 1;
1399 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
:
1400 if (got_initial_max_streams_uni
) {
1401 /* must not appear more than once */
1402 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
1406 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1407 || v
> (((uint64_t)1) << 60)) {
1408 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
1412 assert(ch
->max_local_streams_uni
== 0);
1413 ch
->max_local_streams_uni
= v
;
1414 got_initial_max_streams_uni
= 1;
1417 case QUIC_TPARAM_MAX_IDLE_TIMEOUT
:
1418 if (got_max_idle_timeout
) {
1419 /* must not appear more than once */
1420 reason
= TP_REASON_DUP("MAX_IDLE_TIMEOUT");
1424 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1425 reason
= TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
1429 if (v
> 0 && v
< ch
->max_idle_timeout
)
1430 ch
->max_idle_timeout
= v
;
1433 got_max_idle_timeout
= 1;
1434 rx_max_idle_timeout
= v
;
1437 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
:
1438 if (got_max_udp_payload_size
) {
1439 /* must not appear more than once */
1440 reason
= TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
1444 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1445 || v
< QUIC_MIN_INITIAL_DGRAM_LEN
) {
1446 reason
= TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
1450 ch
->rx_max_udp_payload_size
= v
;
1451 got_max_udp_payload_size
= 1;
1454 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
:
1455 if (got_active_conn_id_limit
) {
1456 /* must not appear more than once */
1457 reason
= TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
1461 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1462 || v
< QUIC_MIN_ACTIVE_CONN_ID_LIMIT
) {
1463 reason
= TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
1467 ch
->rx_active_conn_id_limit
= v
;
1468 got_active_conn_id_limit
= 1;
1471 case QUIC_TPARAM_STATELESS_RESET_TOKEN
:
1472 if (got_stateless_reset_token
) {
1473 reason
= TP_REASON_DUP("STATELESS_RESET_TOKEN");
1478 * We must ensure a client doesn't send them because we don't have
1479 * processing for them.
1481 * TODO(QUIC SERVER): remove this restriction
1483 if (ch
->is_server
) {
1484 reason
= TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1488 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1489 if (body
== NULL
|| len
!= QUIC_STATELESS_RESET_TOKEN_LEN
) {
1490 reason
= TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1493 if (!ossl_quic_srtm_add(ch
->srtm
, ch
, ch
->cur_remote_seq_num
,
1494 (const QUIC_STATELESS_RESET_TOKEN
*)body
)) {
1495 reason
= TP_REASON_INTERNAL_ERROR("STATELESS_RESET_TOKEN");
1499 stateless_reset_token_p
= body
;
1500 got_stateless_reset_token
= 1;
1503 case QUIC_TPARAM_PREFERRED_ADDR
:
1505 /* TODO(QUIC FUTURE): Handle preferred address. */
1506 if (got_preferred_addr
) {
1507 reason
= TP_REASON_DUP("PREFERRED_ADDR");
1512 * RFC 9000 s. 18.2: "A server that chooses a zero-length
1513 * connection ID MUST NOT provide a preferred address.
1514 * Similarly, a server MUST NOT include a zero-length connection
1515 * ID in this transport parameter. A client MUST treat a
1516 * violation of these requirements as a connection error of type
1517 * TRANSPORT_PARAMETER_ERROR."
1519 if (ch
->is_server
) {
1520 reason
= TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1524 if (ch
->cur_remote_dcid
.id_len
== 0) {
1525 reason
= "PREFERRED_ADDR provided for zero-length CID";
1529 if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt
, &pfa
)) {
1530 reason
= TP_REASON_MALFORMED("PREFERRED_ADDR");
1534 if (pfa
.cid
.id_len
== 0) {
1535 reason
= "zero-length CID in PREFERRED_ADDR";
1539 got_preferred_addr
= 1;
1543 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
:
1544 /* We do not currently handle migration, so nothing to do. */
1545 if (got_disable_active_migration
) {
1546 /* must not appear more than once */
1547 reason
= TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
1551 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1552 if (body
== NULL
|| len
> 0) {
1553 reason
= TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
1557 got_disable_active_migration
= 1;
1562 * Skip over and ignore.
1564 * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
1565 * as a connection error, but we are not required to. Currently,
1566 * handle this programmatically by checking for duplicates in the
1567 * parameters that we recognise, as above, but don't bother
1568 * maintaining a list of duplicates for anything we don't recognise.
1570 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
,
1579 if (!got_initial_scid
) {
1580 reason
= TP_REASON_REQUIRED("INITIAL_SCID");
1584 if (!ch
->is_server
) {
1585 if (!got_orig_dcid
) {
1586 reason
= TP_REASON_REQUIRED("ORIG_DCID");
1590 if (ch
->doing_retry
&& !got_retry_scid
) {
1591 reason
= TP_REASON_REQUIRED("RETRY_SCID");
1596 ch
->got_remote_transport_params
= 1;
1598 #ifndef OPENSSL_NO_QLOG
1599 QLOG_EVENT_BEGIN(ch_get_qlog(ch
), transport
, parameters_set
)
1600 QLOG_STR("owner", "remote");
1603 QLOG_CID("original_destination_connection_id",
1605 if (got_initial_scid
)
1606 QLOG_CID("original_source_connection_id",
1609 QLOG_CID("retry_source_connection_id",
1611 if (got_initial_max_data
)
1612 QLOG_U64("initial_max_data",
1613 ossl_quic_txfc_get_cwm(&ch
->conn_txfc
));
1614 if (got_initial_max_stream_data_bidi_local
)
1615 QLOG_U64("initial_max_stream_data_bidi_local",
1616 ch
->rx_init_max_stream_data_bidi_local
);
1617 if (got_initial_max_stream_data_bidi_remote
)
1618 QLOG_U64("initial_max_stream_data_bidi_remote",
1619 ch
->rx_init_max_stream_data_bidi_remote
);
1620 if (got_initial_max_stream_data_uni
)
1621 QLOG_U64("initial_max_stream_data_uni",
1622 ch
->rx_init_max_stream_data_uni
);
1623 if (got_initial_max_streams_bidi
)
1624 QLOG_U64("initial_max_streams_bidi",
1625 ch
->max_local_streams_bidi
);
1626 if (got_initial_max_streams_uni
)
1627 QLOG_U64("initial_max_streams_uni",
1628 ch
->max_local_streams_uni
);
1629 if (got_ack_delay_exp
)
1630 QLOG_U64("ack_delay_exponent", ch
->rx_ack_delay_exp
);
1631 if (got_max_ack_delay
)
1632 QLOG_U64("max_ack_delay", ch
->rx_max_ack_delay
);
1633 if (got_max_udp_payload_size
)
1634 QLOG_U64("max_udp_payload_size", ch
->rx_max_udp_payload_size
);
1635 if (got_max_idle_timeout
)
1636 QLOG_U64("max_idle_timeout", rx_max_idle_timeout
);
1637 if (got_active_conn_id_limit
)
1638 QLOG_U64("active_connection_id_limit", ch
->rx_active_conn_id_limit
);
1639 if (got_stateless_reset_token
)
1640 QLOG_BIN("stateless_reset_token", stateless_reset_token_p
,
1641 QUIC_STATELESS_RESET_TOKEN_LEN
);
1642 if (got_preferred_addr
) {
1643 QLOG_BEGIN("preferred_addr")
1644 QLOG_U64("port_v4", pfa
.ipv4_port
);
1645 QLOG_U64("port_v6", pfa
.ipv6_port
);
1646 QLOG_BIN("ip_v4", pfa
.ipv4
, sizeof(pfa
.ipv4
));
1647 QLOG_BIN("ip_v6", pfa
.ipv6
, sizeof(pfa
.ipv6
));
1648 QLOG_BIN("stateless_reset_token", pfa
.stateless_reset
.token
,
1649 sizeof(pfa
.stateless_reset
.token
));
1650 QLOG_CID("connection_id", &pfa
.cid
);
1653 QLOG_BOOL("disable_active_migration", got_disable_active_migration
);
1657 if (got_initial_max_data
|| got_initial_max_stream_data_bidi_remote
1658 || got_initial_max_streams_bidi
|| got_initial_max_streams_uni
)
1660 * If FC credit was bumped, we may now be able to send. Update all
1663 ossl_quic_stream_map_visit(&ch
->qsm
, do_update
, ch
);
1665 /* If we are a server, we now generate our own transport parameters. */
1666 if (ch
->is_server
&& !ch_generate_transport_params(ch
)) {
1667 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1675 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_TRANSPORT_PARAMETER_ERROR
,
1681 * Called when we want to generate transport parameters. This is called
1682 * immediately at instantiation time for a client and after we receive the
1683 * client's transport parameters for a server.
1685 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
)
1688 BUF_MEM
*buf_mem
= NULL
;
1693 if (ch
->local_transport_params
!= NULL
)
1696 if ((buf_mem
= BUF_MEM_new()) == NULL
)
1699 if (!WPACKET_init(&wpkt
, buf_mem
))
1704 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
,
1708 if (ch
->is_server
) {
1709 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_ORIG_DCID
,
1713 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1714 &ch
->cur_local_cid
))
1717 /* Client always uses an empty SCID. */
1718 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1723 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_IDLE_TIMEOUT
,
1724 ch
->max_idle_timeout
))
1727 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
,
1728 QUIC_MIN_INITIAL_DGRAM_LEN
))
1731 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
,
1732 QUIC_MIN_ACTIVE_CONN_ID_LIMIT
))
1735 if (ch
->tx_max_ack_delay
!= QUIC_DEFAULT_MAX_ACK_DELAY
1736 && !ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_ACK_DELAY
,
1737 ch
->tx_max_ack_delay
))
1740 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_DATA
,
1741 ossl_quic_rxfc_get_cwm(&ch
->conn_rxfc
)))
1744 /* Send the default CWM for a new RXFC. */
1745 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
,
1746 ch
->tx_init_max_stream_data_bidi_local
))
1749 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
,
1750 ch
->tx_init_max_stream_data_bidi_remote
))
1753 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
,
1754 ch
->tx_init_max_stream_data_uni
))
1757 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
,
1758 ossl_quic_rxfc_get_cwm(&ch
->max_streams_bidi_rxfc
)))
1761 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
,
1762 ossl_quic_rxfc_get_cwm(&ch
->max_streams_uni_rxfc
)))
1765 if (!WPACKET_finish(&wpkt
))
1770 if (!WPACKET_get_total_written(&wpkt
, &buf_len
))
1773 ch
->local_transport_params
= (unsigned char *)buf_mem
->data
;
1774 buf_mem
->data
= NULL
;
1777 if (!ossl_quic_tls_set_transport_params(ch
->qtls
, ch
->local_transport_params
,
1781 #ifndef OPENSSL_NO_QLOG
1782 QLOG_EVENT_BEGIN(ch_get_qlog(ch
), transport
, parameters_set
)
1783 QLOG_STR("owner", "local");
1784 QLOG_BOOL("disable_active_migration", 1);
1785 if (ch
->is_server
) {
1786 QLOG_CID("original_destination_connection_id", &ch
->init_dcid
);
1787 QLOG_CID("initial_source_connection_id", &ch
->cur_local_cid
);
1789 QLOG_STR("initial_source_connection_id", "");
1791 QLOG_U64("max_idle_timeout", ch
->max_idle_timeout
);
1792 QLOG_U64("max_udp_payload_size", QUIC_MIN_INITIAL_DGRAM_LEN
);
1793 QLOG_U64("active_connection_id_limit", QUIC_MIN_ACTIVE_CONN_ID_LIMIT
);
1794 QLOG_U64("max_ack_delay", ch
->tx_max_ack_delay
);
1795 QLOG_U64("initial_max_data", ossl_quic_rxfc_get_cwm(&ch
->conn_rxfc
));
1796 QLOG_U64("initial_max_stream_data_bidi_local",
1797 ch
->tx_init_max_stream_data_bidi_local
);
1798 QLOG_U64("initial_max_stream_data_bidi_remote",
1799 ch
->tx_init_max_stream_data_bidi_remote
);
1800 QLOG_U64("initial_max_stream_data_uni",
1801 ch
->tx_init_max_stream_data_uni
);
1802 QLOG_U64("initial_max_streams_bidi",
1803 ossl_quic_rxfc_get_cwm(&ch
->max_streams_bidi_rxfc
));
1804 QLOG_U64("initial_max_streams_uni",
1805 ossl_quic_rxfc_get_cwm(&ch
->max_streams_uni_rxfc
));
1812 WPACKET_cleanup(&wpkt
);
1813 BUF_MEM_free(buf_mem
);
1818 * QUIC Channel: Ticker-Mutator
1819 * ============================
1823 * The central ticker function called by the reactor. This does everything, or
1824 * at least everything network I/O related. Best effort - not allowed to fail
1827 void ossl_quic_channel_subtick(QUIC_CHANNEL
*ch
, QUIC_TICK_RESULT
*res
,
1830 OSSL_TIME now
, deadline
;
1831 int channel_only
= (flags
& QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY
) != 0;
1834 * When we tick the QUIC connection, we do everything we need to do
1835 * periodically. Network I/O handling will already have been performed
1836 * as necessary by the QUIC port. Thus, in order, we:
1838 * - handle any packets the DEMUX has queued up for us;
1839 * - handle any timer events which are due to fire (ACKM, etc.);
1840 * - generate any packets which need to be sent;
1841 * - determine the time at which we should next be ticked.
1844 /* If we are in the TERMINATED state, there is nothing to do. */
1845 if (ossl_quic_channel_is_terminated(ch
)) {
1846 res
->net_read_desired
= 0;
1847 res
->net_write_desired
= 0;
1848 res
->tick_deadline
= ossl_time_infinite();
1853 * If we are in the TERMINATING state, check if the terminating timer has
1856 if (ossl_quic_channel_is_terminating(ch
)) {
1859 if (ossl_time_compare(now
, ch
->terminate_deadline
) >= 0) {
1860 ch_on_terminating_timeout(ch
);
1861 res
->net_read_desired
= 0;
1862 res
->net_write_desired
= 0;
1863 res
->tick_deadline
= ossl_time_infinite();
1864 return; /* abort normal processing, nothing to do */
1868 if (!ch
->port
->engine
->inhibit_tick
) {
1869 /* Handle RXKU timeouts. */
1873 /* Process queued incoming packets. */
1874 ch
->did_tls_tick
= 0;
1875 ch
->have_new_rx_secret
= 0;
1876 ch_rx(ch
, channel_only
);
1879 * Allow the handshake layer to check for any new incoming data and
1880 * generate new outgoing data.
1882 if (!ch
->did_tls_tick
)
1883 ch_tick_tls(ch
, channel_only
);
1886 * If the handshake layer gave us a new secret, we need to do RX
1887 * again because packets that were not previously processable and
1888 * were deferred might now be processable.
1890 * TODO(QUIC FUTURE): Consider handling this in the yield_secret callback.
1892 } while (ch
->have_new_rx_secret
);
1896 * Handle any timer events which are due to fire; namely, the loss
1897 * detection deadline and the idle timeout.
1899 * ACKM ACK generation deadline is polled by TXP, so we don't need to
1903 if (ossl_time_compare(now
, ch
->idle_deadline
) >= 0) {
1905 * Idle timeout differs from normal protocol violation because we do
1906 * not send a CONN_CLOSE frame; go straight to TERMINATED.
1908 if (!ch
->port
->engine
->inhibit_tick
)
1909 ch_on_idle_timeout(ch
);
1911 res
->net_read_desired
= 0;
1912 res
->net_write_desired
= 0;
1913 res
->tick_deadline
= ossl_time_infinite();
1917 if (!ch
->port
->engine
->inhibit_tick
) {
1918 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1919 if (!ossl_time_is_zero(deadline
)
1920 && ossl_time_compare(now
, deadline
) >= 0)
1921 ossl_ackm_on_timeout(ch
->ackm
);
1923 /* If a ping is due, inform TXP. */
1924 if (ossl_time_compare(now
, ch
->ping_deadline
) >= 0) {
1925 int pn_space
= ossl_quic_enc_level_to_pn_space(ch
->tx_enc_level
);
1927 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch
->txp
, pn_space
);
1930 * If we have no CC budget at this time we cannot process the above
1931 * PING request immediately. In any case we have scheduled the
1932 * request so bump the ping deadline. If we don't do this we will
1933 * busy-loop endlessly as the above deadline comparison condition
1934 * will still be met.
1936 ch_update_ping_deadline(ch
);
1939 /* Queue any data to be sent for transmission. */
1943 ossl_quic_stream_map_gc(&ch
->qsm
);
1946 /* Determine the time at which we should next be ticked. */
1947 res
->tick_deadline
= ch_determine_next_tick_deadline(ch
);
1950 * Always process network input unless we are now terminated. Although we
1951 * had not terminated at the beginning of this tick, network errors in
1952 * ch_tx() may have caused us to transition to the Terminated state.
1954 res
->net_read_desired
= !ossl_quic_channel_is_terminated(ch
);
1956 /* We want to write to the network if we have any data in our TX queue. */
1957 res
->net_write_desired
1958 = (!ossl_quic_channel_is_terminated(ch
)
1959 && ossl_qtx_get_queue_len_datagrams(ch
->qtx
) > 0);
1962 static int ch_tick_tls(QUIC_CHANNEL
*ch
, int channel_only
)
1964 uint64_t error_code
;
1965 const char *error_msg
;
1966 ERR_STATE
*error_state
= NULL
;
1971 ch
->did_tls_tick
= 1;
1972 ossl_quic_tls_tick(ch
->qtls
);
1974 if (ossl_quic_tls_get_error(ch
->qtls
, &error_code
, &error_msg
,
1976 ossl_quic_channel_raise_protocol_error_state(ch
, error_code
, 0,
1977 error_msg
, error_state
);
1984 /* Check incoming forged packet limit and terminate connection if needed. */
1985 static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL
*ch
)
1988 uint64_t limit
= UINT64_MAX
, l
;
1990 for (enc_level
= QUIC_ENC_LEVEL_INITIAL
;
1991 enc_level
< QUIC_ENC_LEVEL_NUM
;
1995 * Different ELs can have different AEADs which can in turn impose
1996 * different limits, so use the lowest value of any currently valid EL.
1998 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
2001 if (enc_level
> ch
->rx_enc_level
)
2004 l
= ossl_qrx_get_max_forged_pkt_count(ch
->qrx
, enc_level
);
2009 if (ossl_qrx_get_cur_forged_pkt_count(ch
->qrx
) < limit
)
2012 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_AEAD_LIMIT_REACHED
, 0,
2016 /* Process queued incoming packets and handle frames, if any. */
2017 static int ch_rx(QUIC_CHANNEL
*ch
, int channel_only
)
2019 int handled_any
= 0;
2020 const int closing
= ossl_quic_channel_is_closing(ch
);
2022 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
2024 * We have not sent anything yet, therefore there is no need to check
2025 * for incoming data.
2030 assert(ch
->qrx_pkt
== NULL
);
2032 if (!ossl_qrx_read_pkt(ch
->qrx
, &ch
->qrx_pkt
))
2035 /* Track the amount of data received while in the closing state */
2037 ossl_quic_tx_packetiser_record_received_closing_bytes(
2038 ch
->txp
, ch
->qrx_pkt
->hdr
->len
);
2042 ch_update_ping_deadline(ch
);
2045 ch_rx_handle_packet(ch
, channel_only
); /* best effort */
2048 * Regardless of the outcome of frame handling, unref the packet.
2049 * This will free the packet unless something added another
2050 * reference to it during frame processing.
2052 ossl_qrx_pkt_release(ch
->qrx_pkt
);
2055 ch
->have_sent_ack_eliciting_since_rx
= 0;
2059 ch_rx_check_forged_pkt_limit(ch
);
2062 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
2063 * process one or more incoming packets.
2065 if (handled_any
&& closing
)
2066 ch
->conn_close_queued
= 1;
2071 static int bio_addr_eq(const BIO_ADDR
*a
, const BIO_ADDR
*b
)
2073 if (BIO_ADDR_family(a
) != BIO_ADDR_family(b
))
2076 switch (BIO_ADDR_family(a
)) {
2078 return !memcmp(&a
->s_in
.sin_addr
,
2080 sizeof(a
->s_in
.sin_addr
))
2081 && a
->s_in
.sin_port
== b
->s_in
.sin_port
;
2082 #if OPENSSL_USE_IPV6
2084 return !memcmp(&a
->s_in6
.sin6_addr
,
2085 &b
->s_in6
.sin6_addr
,
2086 sizeof(a
->s_in6
.sin6_addr
))
2087 && a
->s_in6
.sin6_port
== b
->s_in6
.sin6_port
;
2090 return 0; /* not supported */
2096 /* Handles the packet currently in ch->qrx_pkt->hdr. */
2097 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
, int channel_only
)
2100 int old_have_processed_any_pkt
= ch
->have_processed_any_pkt
;
2101 OSSL_QTX_IOVEC iovec
;
2103 assert(ch
->qrx_pkt
!= NULL
);
2106 * RFC 9000 s. 10.2.1 Closing Connection State:
2107 * An endpoint that is closing is not required to process any
2110 if (!ossl_quic_channel_is_active(ch
))
2113 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)) {
2114 if (!ch
->have_received_enc_pkt
) {
2115 ch
->cur_remote_dcid
= ch
->init_scid
= ch
->qrx_pkt
->hdr
->src_conn_id
;
2116 ch
->have_received_enc_pkt
= 1;
2119 * We change to using the SCID in the first Initial packet as the
2122 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->init_scid
);
2125 enc_level
= ossl_quic_pkt_type_to_enc_level(ch
->qrx_pkt
->hdr
->type
);
2126 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
2127 /* Do not process packets from ELs we have already discarded. */
2132 * RFC 9000 s. 9.6: "If a client receives packets from a new server address
2133 * when the client has not initiated a migration to that address, the client
2134 * SHOULD discard these packets."
2136 * We need to be a bit careful here as due to the BIO abstraction layer an
2137 * application is liable to be weird and lie to us about peer addresses.
2138 * Only apply this check if we actually are using a real AF_INET or AF_INET6
2142 && ch
->qrx_pkt
->peer
!= NULL
2144 BIO_ADDR_family(&ch
->cur_peer_addr
) == AF_INET
2145 #if OPENSSL_USE_IPV6
2146 || BIO_ADDR_family(&ch
->cur_peer_addr
) == AF_INET6
2149 && !bio_addr_eq(ch
->qrx_pkt
->peer
, &ch
->cur_peer_addr
))
2153 && ch
->have_received_enc_pkt
2154 && ossl_quic_pkt_type_has_scid(ch
->qrx_pkt
->hdr
->type
)) {
2156 * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
2157 * from the server, it MUST discard any subsequent packet it receives on
2158 * that connection with a different SCID."
2160 if (!ossl_quic_conn_id_eq(&ch
->qrx_pkt
->hdr
->src_conn_id
,
2165 if (ossl_quic_pkt_type_has_version(ch
->qrx_pkt
->hdr
->type
)
2166 && ch
->qrx_pkt
->hdr
->version
!= QUIC_VERSION_1
)
2168 * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
2169 * different version than it initially selected, it MUST discard the
2170 * packet. We only ever use v1, so require it.
2174 ch
->have_processed_any_pkt
= 1;
2177 * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
2178 * non-zero value for [the reserved bits] after removing both packet and
2179 * header protection as a connection error of type PROTOCOL_VIOLATION."
2181 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)
2182 && ch
->qrx_pkt
->hdr
->reserved
!= 0) {
2183 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
2184 0, "packet header reserved bits");
2188 iovec
.buf
= ch
->qrx_pkt
->hdr
->data
;
2189 iovec
.buf_len
= ch
->qrx_pkt
->hdr
->len
;
2190 ossl_qlog_event_transport_packet_received(ch_get_qlog(ch
), ch
->qrx_pkt
->hdr
,
2191 ch
->qrx_pkt
->pn
, &iovec
, 1,
2192 ch
->qrx_pkt
->datagram_id
);
2194 /* Handle incoming packet. */
2195 switch (ch
->qrx_pkt
->hdr
->type
) {
2196 case QUIC_PKT_TYPE_RETRY
:
2197 if (ch
->doing_retry
|| ch
->is_server
)
2199 * It is not allowed to ask a client to do a retry more than
2200 * once. Clients may not send retries.
2205 * RFC 9000 s 17.2.5.2: After the client has received and processed an
2206 * Initial or Retry packet from the server, it MUST discard any
2207 * subsequent Retry packets that it receives.
2209 if (ch
->have_received_enc_pkt
)
2212 if (ch
->qrx_pkt
->hdr
->len
<= QUIC_RETRY_INTEGRITY_TAG_LEN
)
2213 /* Packets with zero-length Retry Tokens are invalid. */
2217 * TODO(QUIC FUTURE): Theoretically this should probably be in the QRX.
2218 * However because validation is dependent on context (namely the
2219 * client's initial DCID) we can't do this cleanly. In the future we
2220 * should probably add a callback to the QRX to let it call us (via
2221 * the DEMUX) and ask us about the correct original DCID, rather
2222 * than allow the QRX to emit a potentially malformed packet to the
2223 * upper layers. However, special casing this will do for now.
2225 if (!ossl_quic_validate_retry_integrity_tag(ch
->port
->engine
->libctx
,
2226 ch
->port
->engine
->propq
,
2229 /* Malformed retry packet, ignore. */
2232 if (!ch_retry(ch
, ch
->qrx_pkt
->hdr
->data
,
2233 ch
->qrx_pkt
->hdr
->len
- QUIC_RETRY_INTEGRITY_TAG_LEN
,
2234 &ch
->qrx_pkt
->hdr
->src_conn_id
))
2235 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
,
2236 0, "handling retry packet");
2239 case QUIC_PKT_TYPE_0RTT
:
2241 /* Clients should never receive 0-RTT packets. */
2245 * TODO(QUIC 0RTT): Implement 0-RTT on the server side. We currently
2246 * do not need to implement this as a client can only do 0-RTT if we
2247 * have given it permission to in a previous session.
2251 case QUIC_PKT_TYPE_INITIAL
:
2252 case QUIC_PKT_TYPE_HANDSHAKE
:
2253 case QUIC_PKT_TYPE_1RTT
:
2254 if (ch
->is_server
&& ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_HANDSHAKE
)
2256 * We automatically drop INITIAL EL keys when first successfully
2257 * decrypting a HANDSHAKE packet, as per the RFC.
2259 ch_discard_el(ch
, QUIC_ENC_LEVEL_INITIAL
);
2261 if (ch
->rxku_in_progress
2262 && ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_1RTT
2263 && ch
->qrx_pkt
->pn
>= ch
->rxku_trigger_pn
2264 && ch
->qrx_pkt
->key_epoch
< ossl_qrx_get_key_epoch(ch
->qrx
)) {
2266 * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
2267 * protected with either the same or newer packet protection keys
2268 * than packets with lower packet numbers. An endpoint that
2269 * successfully removes protection with old keys when newer keys
2270 * were used for packets with lower packet numbers MUST treat this
2271 * as a connection error of type KEY_UPDATE_ERROR.
2273 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_KEY_UPDATE_ERROR
,
2274 0, "new packet with old keys");
2279 && ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_INITIAL
2280 && ch
->qrx_pkt
->hdr
->token_len
> 0) {
2282 * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
2283 * non-zero Token Length field MUST either discard the packet or
2284 * generate a connection error of type PROTOCOL_VIOLATION.
2286 * TODO(QUIC FUTURE): consider the implications of RFC 9000 s. 10.2.3
2287 * Immediate Close during the Handshake:
2288 * However, at the cost of reducing feedback about
2289 * errors for legitimate peers, some forms of denial of
2290 * service can be made more difficult for an attacker
2291 * if endpoints discard illegal packets rather than
2292 * terminating a connection with CONNECTION_CLOSE. For
2293 * this reason, endpoints MAY discard packets rather
2294 * than immediately close if errors are detected in
2295 * packets that lack authentication.
2296 * I.e. should we drop this packet instead of closing the connection?
2298 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
2299 0, "client received initial token");
2303 /* This packet contains frames, pass to the RXDP. */
2304 ossl_quic_handle_frames(ch
, ch
->qrx_pkt
); /* best effort */
2306 if (ch
->did_crypto_frame
)
2307 ch_tick_tls(ch
, channel_only
);
2311 case QUIC_PKT_TYPE_VERSION_NEG
:
2313 * "A client MUST discard any Version Negotiation packet if it has
2314 * received and successfully processed any other packet."
2316 if (!old_have_processed_any_pkt
)
2317 ch_rx_handle_version_neg(ch
, ch
->qrx_pkt
);
2327 static void ch_rx_handle_version_neg(QUIC_CHANNEL
*ch
, OSSL_QRX_PKT
*pkt
)
2330 * We do not support version negotiation at this time. As per RFC 9000 s.
2331 * 6.2., we MUST abandon the connection attempt if we receive a Version
2332 * Negotiation packet, unless we have already successfully processed another
2333 * incoming packet, or the packet lists the QUIC version we want to use.
2338 if (!PACKET_buf_init(&vpkt
, pkt
->hdr
->data
, pkt
->hdr
->len
))
2341 while (PACKET_remaining(&vpkt
) > 0) {
2342 if (!PACKET_get_net_4(&vpkt
, &v
))
2345 if ((uint32_t)v
== QUIC_VERSION_1
)
2349 /* No match, this is a failure case. */
2350 ch_raise_version_neg_failure(ch
);
2353 static void ch_raise_version_neg_failure(QUIC_CHANNEL
*ch
)
2355 QUIC_TERMINATE_CAUSE tcause
= {0};
2357 tcause
.error_code
= QUIC_ERR_CONNECTION_REFUSED
;
2358 tcause
.reason
= "version negotiation failure";
2359 tcause
.reason_len
= strlen(tcause
.reason
);
2362 * Skip TERMINATING state; this is not considered a protocol error and we do
2363 * not send CONNECTION_CLOSE.
2365 ch_start_terminating(ch
, &tcause
, 1);
2368 /* Try to generate packets and if possible, flush them to the network. */
2369 static int ch_tx(QUIC_CHANNEL
*ch
)
2371 QUIC_TXP_STATUS status
;
2375 * RFC 9000 s. 10.2.2: Draining Connection State:
2376 * While otherwise identical to the closing state, an endpoint
2377 * in the draining state MUST NOT send any packets.
2379 * An endpoint MUST NOT send further packets.
2381 if (ossl_quic_channel_is_draining(ch
))
2384 if (ossl_quic_channel_is_closing(ch
)) {
2386 * While closing, only send CONN_CLOSE if we've received more traffic
2387 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
2388 * future calls to it generate CONN_CLOSE frames, so otherwise we would
2389 * just constantly generate CONN_CLOSE frames.
2391 * Confirming to RFC 9000 s. 10.2.1 Closing Connection State:
2392 * An endpoint SHOULD limit the rate at which it generates
2393 * packets in the closing state.
2395 if (!ch
->conn_close_queued
)
2398 ch
->conn_close_queued
= 0;
2401 /* Do TXKU if we need to. */
2402 ch_maybe_trigger_spontaneous_txku(ch
);
2404 ch
->rxku_pending_confirm_done
= 0;
2406 /* Loop until we stop generating packets to send */
2409 * Send packet, if we need to. Best effort. The TXP consults the CC and
2410 * applies any limitations imposed by it, so we don't need to do it here.
2412 * Best effort. In particular if TXP fails for some reason we should
2413 * still flush any queued packets which we already generated.
2415 res
= ossl_quic_tx_packetiser_generate(ch
->txp
, &status
);
2416 if (status
.sent_pkt
> 0) {
2417 ch
->have_sent_any_pkt
= 1; /* Packet(s) were sent */
2418 ch
->port
->have_sent_any_pkt
= 1;
2421 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
2422 * sending an ack-eliciting packet if no other ack-eliciting packets
2423 * have been sent since last receiving and processing a packet.'
2425 if (status
.sent_ack_eliciting
2426 && !ch
->have_sent_ack_eliciting_since_rx
) {
2428 ch
->have_sent_ack_eliciting_since_rx
= 1;
2431 if (!ch
->is_server
&& status
.sent_handshake
)
2433 * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
2434 * first sends a Handshake packet.
2436 ch_discard_el(ch
, QUIC_ENC_LEVEL_INITIAL
);
2438 if (ch
->rxku_pending_confirm_done
)
2439 ch
->rxku_pending_confirm
= 0;
2441 ch_update_ping_deadline(ch
);
2446 * One case where TXP can fail is if we reach a TX PN of 2**62 - 1.
2447 * As per RFC 9000 s. 12.3, if this happens we MUST close the
2448 * connection without sending a CONNECTION_CLOSE frame. This is
2449 * actually handled as an emergent consequence of our design, as the
2450 * TX packetiser will never transmit another packet when the TX PN
2451 * reaches the limit.
2453 * Calling the below function terminates the connection; its attempt
2454 * to schedule a CONNECTION_CLOSE frame will not actually cause a
2455 * packet to be transmitted for this reason.
2457 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
,
2459 "internal error (txp generate)");
2462 } while (status
.sent_pkt
> 0);
2464 /* Flush packets to network. */
2465 switch (ossl_qtx_flush_net(ch
->qtx
)) {
2466 case QTX_FLUSH_NET_RES_OK
:
2467 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL
:
2468 /* Best effort, done for now. */
2471 case QTX_FLUSH_NET_RES_PERMANENT_FAIL
:
2473 /* Permanent underlying network BIO, start terminating. */
2474 ossl_quic_port_raise_net_error(ch
->port
, ch
);
2481 /* Determine next tick deadline. */
2482 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
)
2487 if (ossl_quic_channel_is_terminated(ch
))
2488 return ossl_time_infinite();
2490 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
2491 if (ossl_time_is_zero(deadline
))
2492 deadline
= ossl_time_infinite();
2495 * Check the ack deadline for all enc_levels that are actually provisioned.
2496 * ACKs aren't restricted by CC.
2498 for (i
= 0; i
< QUIC_ENC_LEVEL_NUM
; i
++) {
2499 if (ossl_qtx_is_enc_level_provisioned(ch
->qtx
, i
)) {
2500 deadline
= ossl_time_min(deadline
,
2501 ossl_ackm_get_ack_deadline(ch
->ackm
,
2502 ossl_quic_enc_level_to_pn_space(i
)));
2507 * When do we need to send an ACK-eliciting packet to reset the idle
2508 * deadline timer for the peer?
2510 if (!ossl_time_is_infinite(ch
->ping_deadline
))
2511 deadline
= ossl_time_min(deadline
, ch
->ping_deadline
);
2513 /* Apply TXP wakeup deadline. */
2514 deadline
= ossl_time_min(deadline
,
2515 ossl_quic_tx_packetiser_get_deadline(ch
->txp
));
2517 /* Is the terminating timer armed? */
2518 if (ossl_quic_channel_is_terminating(ch
))
2519 deadline
= ossl_time_min(deadline
,
2520 ch
->terminate_deadline
);
2521 else if (!ossl_time_is_infinite(ch
->idle_deadline
))
2522 deadline
= ossl_time_min(deadline
,
2525 /* When does the RXKU process complete? */
2526 if (ch
->rxku_in_progress
)
2527 deadline
= ossl_time_min(deadline
, ch
->rxku_update_end_deadline
);
2533 * QUIC Channel: Lifecycle Events
2534 * ==============================
2538 * Record a state transition. This is not necessarily a change to ch->state but
2539 * also includes the handshake becoming complete or confirmed, etc.
2541 static void ch_record_state_transition(QUIC_CHANNEL
*ch
, uint32_t new_state
)
2543 uint32_t old_state
= ch
->state
;
2545 ch
->state
= new_state
;
2547 ossl_qlog_event_connectivity_connection_state_updated(ch_get_qlog(ch
),
2550 ch
->handshake_complete
,
2551 ch
->handshake_confirmed
);
2554 int ossl_quic_channel_start(QUIC_CHANNEL
*ch
)
2558 * This is not used by the server. The server moves to active
2559 * automatically on receiving an incoming connection.
2563 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
2564 /* Calls to connect are idempotent */
2567 /* Inform QTX of peer address. */
2568 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
2571 /* Plug in secrets for the Initial EL. */
2572 if (!ossl_quic_provide_initial_secret(ch
->port
->engine
->libctx
,
2573 ch
->port
->engine
->propq
,
2580 ch_record_state_transition(ch
, QUIC_CHANNEL_STATE_ACTIVE
);
2581 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
2583 ossl_qlog_event_connectivity_connection_started(ch_get_qlog(ch
),
2586 /* Handshake layer: start (e.g. send CH). */
2587 if (!ch_tick_tls(ch
, /*channel_only=*/0))
2590 ossl_quic_reactor_tick(ossl_quic_port_get0_reactor(ch
->port
), 0); /* best effort */
2594 /* Start a locally initiated connection shutdown. */
2595 void ossl_quic_channel_local_close(QUIC_CHANNEL
*ch
, uint64_t app_error_code
,
2596 const char *app_reason
)
2598 QUIC_TERMINATE_CAUSE tcause
= {0};
2600 if (ossl_quic_channel_is_term_any(ch
))
2604 tcause
.error_code
= app_error_code
;
2605 tcause
.reason
= app_reason
;
2606 tcause
.reason_len
= app_reason
!= NULL
? strlen(app_reason
) : 0;
2607 ch_start_terminating(ch
, &tcause
, 0);
2610 static void free_token(const unsigned char *buf
, size_t buf_len
, void *arg
)
2612 OPENSSL_free((unsigned char *)buf
);
2615 /* Called when a server asks us to do a retry. */
2616 static int ch_retry(QUIC_CHANNEL
*ch
,
2617 const unsigned char *retry_token
,
2618 size_t retry_token_len
,
2619 const QUIC_CONN_ID
*retry_scid
)
2624 * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
2625 * a SCID field that is identical to the DCID field of its initial packet."
2627 if (ossl_quic_conn_id_eq(&ch
->init_dcid
, retry_scid
))
2630 /* We change to using the SCID in the Retry packet as the DCID. */
2631 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, retry_scid
))
2635 * Now we retry. We will release the Retry packet immediately, so copy
2638 if ((buf
= OPENSSL_memdup(retry_token
, retry_token_len
)) == NULL
)
2641 if (!ossl_quic_tx_packetiser_set_initial_token(ch
->txp
, buf
,
2643 free_token
, NULL
)) {
2645 * This may fail if the token we receive is too big for us to ever be
2646 * able to transmit in an outgoing Initial packet.
2648 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INVALID_TOKEN
, 0,
2649 "received oversize token");
2654 ch
->retry_scid
= *retry_scid
;
2655 ch
->doing_retry
= 1;
2658 * We need to stimulate the Initial EL to generate the first CRYPTO frame
2659 * again. We can do this most cleanly by simply forcing the ACKM to consider
2660 * the first Initial packet as lost, which it effectively was as the server
2661 * hasn't processed it. This also maintains the desired behaviour with e.g.
2662 * PNs not resetting and so on.
2664 * The PN we used initially is always zero, because QUIC does not allow
2667 if (!ossl_ackm_mark_packet_pseudo_lost(ch
->ackm
, QUIC_PN_SPACE_INITIAL
,
2672 * Plug in new secrets for the Initial EL. This is the only time we change
2673 * the secrets for an EL after we already provisioned it.
2675 if (!ossl_quic_provide_initial_secret(ch
->port
->engine
->libctx
,
2676 ch
->port
->engine
->propq
,
2685 /* Called when an EL is to be discarded. */
2686 static int ch_discard_el(QUIC_CHANNEL
*ch
,
2689 if (!ossl_assert(enc_level
< QUIC_ENC_LEVEL_1RTT
))
2692 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
2696 /* Best effort for all of these. */
2697 ossl_quic_tx_packetiser_discard_enc_level(ch
->txp
, enc_level
);
2698 ossl_qrx_discard_enc_level(ch
->qrx
, enc_level
);
2699 ossl_qtx_discard_enc_level(ch
->qtx
, enc_level
);
2701 if (enc_level
!= QUIC_ENC_LEVEL_0RTT
) {
2702 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
2704 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
2706 /* We should still have crypto streams at this point. */
2707 if (!ossl_assert(ch
->crypto_send
[pn_space
] != NULL
)
2708 || !ossl_assert(ch
->crypto_recv
[pn_space
] != NULL
))
2711 /* Get rid of the crypto stream state for the EL. */
2712 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
2713 ch
->crypto_send
[pn_space
] = NULL
;
2715 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
2716 ch
->crypto_recv
[pn_space
] = NULL
;
2719 ch
->el_discarded
|= (1U << enc_level
);
2723 /* Intended to be called by the RXDP. */
2724 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL
*ch
)
2726 if (ch
->handshake_confirmed
)
2729 if (!ch
->handshake_complete
) {
2731 * Does not make sense for handshake to be confirmed before it is
2734 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
2735 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE
,
2736 "handshake cannot be confirmed "
2737 "before it is completed");
2741 ch_discard_el(ch
, QUIC_ENC_LEVEL_HANDSHAKE
);
2742 ch
->handshake_confirmed
= 1;
2743 ch_record_state_transition(ch
, ch
->state
);
2744 ossl_ackm_on_handshake_confirmed(ch
->ackm
);
2749 * Master function used when we want to start tearing down a connection:
2751 * - If the connection is still IDLE we can go straight to TERMINATED;
2753 * - If we are already TERMINATED this is a no-op.
2755 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
2756 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
2758 * - If we are TERMINATING - DRAINING, we remain here until the terminating
2761 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
2762 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
2763 * that we are considered to have caused a termination if we sent the first
2764 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
2765 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
2766 * TERMINATING - DRAINING.
2768 * We record the termination cause structure passed on the first call only.
2769 * Any successive calls have their termination cause data discarded;
2770 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
2773 * This conforms to RFC 9000 s. 10.2.1: Closing Connection State:
2774 * To minimize the state that an endpoint maintains for a closing
2775 * connection, endpoints MAY send the exact same packet in response
2776 * to any received packet.
2778 * We don't drop any connection state (specifically packet protection keys)
2779 * even though we are permitted to. This conforms to RFC 9000 s. 10.2.1:
2780 * Closing Connection State:
2781 * An endpoint MAY retain packet protection keys for incoming
2782 * packets to allow it to read and process a CONNECTION_CLOSE frame.
2784 * Note that we do not conform to these two from the same section:
2785 * An endpoint's selected connection ID and the QUIC version
2786 * are sufficient information to identify packets for a closing
2787 * connection; the endpoint MAY discard all other connection state.
2789 * An endpoint MAY drop packet protection keys when entering the
2790 * closing state and send a packet containing a CONNECTION_CLOSE
2791 * frame in response to any UDP datagram that is received.
2793 static void copy_tcause(QUIC_TERMINATE_CAUSE
*dst
,
2794 const QUIC_TERMINATE_CAUSE
*src
)
2796 dst
->error_code
= src
->error_code
;
2797 dst
->frame_type
= src
->frame_type
;
2798 dst
->app
= src
->app
;
2799 dst
->remote
= src
->remote
;
2802 dst
->reason_len
= 0;
2804 if (src
->reason
!= NULL
&& src
->reason_len
> 0) {
2805 size_t l
= src
->reason_len
;
2812 * If this fails, dst->reason becomes NULL and we simply do not use a
2813 * reason. This ensures termination is infallible.
2815 dst
->reason
= r
= OPENSSL_memdup(src
->reason
, l
+ 1);
2820 dst
->reason_len
= l
;
2824 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
2825 const QUIC_TERMINATE_CAUSE
*tcause
,
2826 int force_immediate
)
2828 /* No point sending anything if we haven't sent anything yet. */
2829 if (!ch
->have_sent_any_pkt
)
2830 force_immediate
= 1;
2832 switch (ch
->state
) {
2834 case QUIC_CHANNEL_STATE_IDLE
:
2835 copy_tcause(&ch
->terminate_cause
, tcause
);
2836 ch_on_terminating_timeout(ch
);
2839 case QUIC_CHANNEL_STATE_ACTIVE
:
2840 copy_tcause(&ch
->terminate_cause
, tcause
);
2842 ossl_qlog_event_connectivity_connection_closed(ch_get_qlog(ch
), tcause
);
2844 if (!force_immediate
) {
2845 ch_record_state_transition(ch
, tcause
->remote
2846 ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
2847 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING
);
2849 * RFC 9000 s. 10.2 Immediate Close
2850 * These states SHOULD persist for at least three times
2851 * the current PTO interval as defined in [QUIC-RECOVERY].
2853 ch
->terminate_deadline
2854 = ossl_time_add(get_time(ch
),
2855 ossl_time_multiply(ossl_ackm_get_pto_duration(ch
->ackm
),
2858 if (!tcause
->remote
) {
2859 OSSL_QUIC_FRAME_CONN_CLOSE f
= {0};
2862 f
.error_code
= ch
->terminate_cause
.error_code
;
2863 f
.frame_type
= ch
->terminate_cause
.frame_type
;
2864 f
.is_app
= ch
->terminate_cause
.app
;
2865 f
.reason
= (char *)ch
->terminate_cause
.reason
;
2866 f
.reason_len
= ch
->terminate_cause
.reason_len
;
2867 ossl_quic_tx_packetiser_schedule_conn_close(ch
->txp
, &f
);
2869 * RFC 9000 s. 10.2.2 Draining Connection State:
2870 * An endpoint that receives a CONNECTION_CLOSE frame MAY
2871 * send a single packet containing a CONNECTION_CLOSE
2872 * frame before entering the draining state, using a
2873 * NO_ERROR code if appropriate
2875 ch
->conn_close_queued
= 1;
2878 ch_on_terminating_timeout(ch
);
2882 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING
:
2883 if (force_immediate
)
2884 ch_on_terminating_timeout(ch
);
2885 else if (tcause
->remote
)
2887 * RFC 9000 s. 10.2.2 Draining Connection State:
2888 * An endpoint MAY enter the draining state from the
2889 * closing state if it receives a CONNECTION_CLOSE frame,
2890 * which indicates that the peer is also closing or draining.
2892 ch_record_state_transition(ch
, QUIC_CHANNEL_STATE_TERMINATING_DRAINING
);
2896 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING
:
2898 * Other than in the force-immediate case, we remain here until the
2901 if (force_immediate
)
2902 ch_on_terminating_timeout(ch
);
2906 case QUIC_CHANNEL_STATE_TERMINATED
:
2913 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL
*ch
,
2914 OSSL_QUIC_FRAME_CONN_CLOSE
*f
)
2916 QUIC_TERMINATE_CAUSE tcause
= {0};
2918 if (!ossl_quic_channel_is_active(ch
))
2922 tcause
.app
= f
->is_app
;
2923 tcause
.error_code
= f
->error_code
;
2924 tcause
.frame_type
= f
->frame_type
;
2925 tcause
.reason
= f
->reason
;
2926 tcause
.reason_len
= f
->reason_len
;
2927 ch_start_terminating(ch
, &tcause
, 0);
2930 static void free_frame_data(unsigned char *buf
, size_t buf_len
, void *arg
)
2935 static int ch_enqueue_retire_conn_id(QUIC_CHANNEL
*ch
, uint64_t seq_num
)
2937 BUF_MEM
*buf_mem
= NULL
;
2941 ossl_quic_srtm_remove(ch
->srtm
, ch
, seq_num
);
2943 if ((buf_mem
= BUF_MEM_new()) == NULL
)
2946 if (!WPACKET_init(&wpkt
, buf_mem
))
2949 if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt
, seq_num
)) {
2950 WPACKET_cleanup(&wpkt
);
2954 WPACKET_finish(&wpkt
);
2955 if (!WPACKET_get_total_written(&wpkt
, &l
))
2958 if (ossl_quic_cfq_add_frame(ch
->cfq
, 1, QUIC_PN_SPACE_APP
,
2959 OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID
, 0,
2960 (unsigned char *)buf_mem
->data
, l
,
2961 free_frame_data
, NULL
) == NULL
)
2964 buf_mem
->data
= NULL
;
2965 BUF_MEM_free(buf_mem
);
2969 ossl_quic_channel_raise_protocol_error(ch
,
2970 QUIC_ERR_INTERNAL_ERROR
,
2971 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2972 "internal error enqueueing retire conn id");
2973 BUF_MEM_free(buf_mem
);
2977 void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL
*ch
,
2978 OSSL_QUIC_FRAME_NEW_CONN_ID
*f
)
2980 uint64_t new_remote_seq_num
= ch
->cur_remote_seq_num
;
2981 uint64_t new_retire_prior_to
= ch
->cur_retire_prior_to
;
2983 if (!ossl_quic_channel_is_active(ch
))
2986 /* We allow only two active connection ids; first check some constraints */
2987 if (ch
->cur_remote_dcid
.id_len
== 0) {
2988 /* Changing from 0 length connection id is disallowed */
2989 ossl_quic_channel_raise_protocol_error(ch
,
2990 QUIC_ERR_PROTOCOL_VIOLATION
,
2991 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2992 "zero length connection id in use");
2997 if (f
->seq_num
> new_remote_seq_num
)
2998 new_remote_seq_num
= f
->seq_num
;
2999 if (f
->retire_prior_to
> new_retire_prior_to
)
3000 new_retire_prior_to
= f
->retire_prior_to
;
3003 * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
3004 * than the peer's limit.
3006 * After processing a NEW_CONNECTION_ID frame and adding and retiring
3007 * active connection IDs, if the number of active connection IDs exceeds
3008 * the value advertised in its active_connection_id_limit transport
3009 * parameter, an endpoint MUST close the connection with an error of
3010 * type CONNECTION_ID_LIMIT_ERROR.
3012 if (new_remote_seq_num
- new_retire_prior_to
> 1) {
3013 ossl_quic_channel_raise_protocol_error(ch
,
3014 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR
,
3015 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
3016 "active_connection_id limit violated");
3021 * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
3022 * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
3023 * the retirement of any excess, by including a sufficiently large
3024 * value in the Retire Prior To field.
3026 * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
3027 * a number of RETIRE_CONNECTION_ID frames of at least twice the value
3028 * of the active_connection_id_limit transport parameter. An endpoint
3029 * MUST NOT forget a connection ID without retiring it, though it MAY
3030 * choose to treat having connection IDs in need of retirement that
3031 * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
3033 * We are a little bit more liberal than the minimum mandated.
3035 if (new_retire_prior_to
- ch
->cur_retire_prior_to
> 10) {
3036 ossl_quic_channel_raise_protocol_error(ch
,
3037 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR
,
3038 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
3039 "retiring connection id limit violated");
3044 if (new_remote_seq_num
> ch
->cur_remote_seq_num
) {
3045 /* Add new stateless reset token */
3046 if (!ossl_quic_srtm_add(ch
->srtm
, ch
, new_remote_seq_num
,
3047 &f
->stateless_reset
)) {
3048 ossl_quic_channel_raise_protocol_error(
3049 ch
, QUIC_ERR_CONNECTION_ID_LIMIT_ERROR
,
3050 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
3051 "unable to store stateless reset token");
3055 ch
->cur_remote_seq_num
= new_remote_seq_num
;
3056 ch
->cur_remote_dcid
= f
->conn_id
;
3057 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
);
3061 * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
3062 * field, the peer MUST stop using the corresponding connection IDs
3063 * and retire them with RETIRE_CONNECTION_ID frames before adding the
3064 * newly provided connection ID to the set of active connection IDs.
3068 * Note: RFC 9000 s. 19.15 says:
3069 * "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
3070 * number smaller than the Retire Prior To field of a previously received
3071 * NEW_CONNECTION_ID frame MUST send a corresponding
3072 * RETIRE_CONNECTION_ID frame that retires the newly received connection
3073 * ID, unless it has already done so for that sequence number."
3075 * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
3076 * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
3077 * that NEW_CONNECTION_ID frame, by definition this will always be met.
3078 * This may change in future when we change our CID handling.
3080 while (new_retire_prior_to
> ch
->cur_retire_prior_to
) {
3081 if (!ch_enqueue_retire_conn_id(ch
, ch
->cur_retire_prior_to
))
3083 ++ch
->cur_retire_prior_to
;
3087 static void ch_save_err_state(QUIC_CHANNEL
*ch
)
3089 if (ch
->err_state
== NULL
)
3090 ch
->err_state
= OSSL_ERR_STATE_new();
3092 if (ch
->err_state
== NULL
)
3095 OSSL_ERR_STATE_save(ch
->err_state
);
3098 void ossl_quic_channel_inject(QUIC_CHANNEL
*ch
, QUIC_URXE
*e
)
3100 ossl_qrx_inject_urxe(ch
->qrx
, e
);
3103 void ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL
*ch
)
3105 QUIC_TERMINATE_CAUSE tcause
= {0};
3107 tcause
.error_code
= QUIC_ERR_NO_ERROR
;
3109 ch_start_terminating(ch
, &tcause
, 0);
3112 void ossl_quic_channel_raise_net_error(QUIC_CHANNEL
*ch
)
3114 QUIC_TERMINATE_CAUSE tcause
= {0};
3121 tcause
.error_code
= QUIC_ERR_INTERNAL_ERROR
;
3122 tcause
.reason
= "network BIO I/O error";
3123 tcause
.reason_len
= strlen(tcause
.reason
);
3126 * Skip Terminating state and go directly to Terminated, no point trying to
3127 * send CONNECTION_CLOSE if we cannot communicate.
3129 ch_start_terminating(ch
, &tcause
, 1);
3132 int ossl_quic_channel_net_error(QUIC_CHANNEL
*ch
)
3134 return ch
->net_error
;
3137 void ossl_quic_channel_restore_err_state(QUIC_CHANNEL
*ch
)
3142 if (!ossl_quic_port_is_running(ch
->port
))
3143 ossl_quic_port_restore_err_state(ch
->port
);
3145 OSSL_ERR_STATE_restore(ch
->err_state
);
3148 void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL
*ch
,
3149 uint64_t error_code
,
3150 uint64_t frame_type
,
3152 ERR_STATE
*err_state
,
3153 const char *src_file
,
3155 const char *src_func
)
3157 QUIC_TERMINATE_CAUSE tcause
= {0};
3158 int err_reason
= error_code
== QUIC_ERR_INTERNAL_ERROR
3159 ? ERR_R_INTERNAL_ERROR
: SSL_R_QUIC_PROTOCOL_ERROR
;
3160 const char *err_str
= ossl_quic_err_to_string(error_code
);
3161 const char *err_str_pfx
= " (", *err_str_sfx
= ")";
3162 const char *ft_str
= NULL
;
3163 const char *ft_str_pfx
= " (", *ft_str_sfx
= ")";
3165 if (ch
->protocol_error
)
3166 /* Only the first call to this function matters. */
3169 if (err_str
== NULL
) {
3176 * If we were provided an underlying error state, restore it and then append
3177 * our ERR on top as a "cover letter" error.
3179 if (err_state
!= NULL
)
3180 OSSL_ERR_STATE_restore(err_state
);
3182 if (frame_type
!= 0) {
3183 ft_str
= ossl_quic_frame_type_to_string(frame_type
);
3184 if (ft_str
== NULL
) {
3190 ERR_raise_data(ERR_LIB_SSL
, err_reason
,
3191 "QUIC error code: 0x%llx%s%s%s "
3192 "(triggered by frame type: 0x%llx%s%s%s), reason: \"%s\"",
3193 (unsigned long long) error_code
,
3194 err_str_pfx
, err_str
, err_str_sfx
,
3195 (unsigned long long) frame_type
,
3196 ft_str_pfx
, ft_str
, ft_str_sfx
,
3199 ERR_raise_data(ERR_LIB_SSL
, err_reason
,
3200 "QUIC error code: 0x%llx%s%s%s, reason: \"%s\"",
3201 (unsigned long long) error_code
,
3202 err_str_pfx
, err_str
, err_str_sfx
,
3206 if (src_file
!= NULL
)
3207 ERR_set_debug(src_file
, src_line
, src_func
);
3209 ch_save_err_state(ch
);
3211 tcause
.error_code
= error_code
;
3212 tcause
.frame_type
= frame_type
;
3213 tcause
.reason
= reason
;
3214 tcause
.reason_len
= strlen(reason
);
3216 ch
->protocol_error
= 1;
3217 ch_start_terminating(ch
, &tcause
, 0);
3221 * Called once the terminating timer expires, meaning we move from TERMINATING
3224 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
)
3226 ch_record_state_transition(ch
, QUIC_CHANNEL_STATE_TERMINATED
);
3230 * Determines the effective idle timeout duration. This is based on the idle
3231 * timeout values that we and our peer signalled in transport parameters
3232 * but have some limits applied.
3234 static OSSL_TIME
ch_get_effective_idle_timeout_duration(QUIC_CHANNEL
*ch
)
3238 if (ch
->max_idle_timeout
== 0)
3239 return ossl_time_infinite();
3242 * RFC 9000 s. 10.1: Idle Timeout
3243 * To avoid excessively small idle timeout periods, endpoints
3244 * MUST increase the idle timeout period to be at least three
3245 * times the current Probe Timeout (PTO). This allows for
3246 * multiple PTOs to expire, and therefore multiple probes to
3247 * be sent and lost, prior to idle timeout.
3249 pto
= ossl_ackm_get_pto_duration(ch
->ackm
);
3250 return ossl_time_max(ossl_ms2time(ch
->max_idle_timeout
),
3251 ossl_time_multiply(pto
, 3));
3255 * Updates our idle deadline. Called when an event happens which should bump the
3258 static void ch_update_idle(QUIC_CHANNEL
*ch
)
3260 ch
->idle_deadline
= ossl_time_add(get_time(ch
),
3261 ch_get_effective_idle_timeout_duration(ch
));
3265 * Updates our ping deadline, which determines when we next generate a ping if
3266 * we don't have any other ACK-eliciting frames to send.
3268 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
)
3270 OSSL_TIME max_span
, idle_duration
;
3272 idle_duration
= ch_get_effective_idle_timeout_duration(ch
);
3273 if (ossl_time_is_infinite(idle_duration
)) {
3274 ch
->ping_deadline
= ossl_time_infinite();
3279 * Maximum amount of time without traffic before we send a PING to keep
3280 * the connection open. Usually we use max_idle_timeout/2, but ensure
3281 * the period never exceeds the assumed NAT interval to ensure NAT
3282 * devices don't have their state time out (RFC 9000 s. 10.1.2).
3284 max_span
= ossl_time_divide(idle_duration
, 2);
3285 max_span
= ossl_time_min(max_span
, MAX_NAT_INTERVAL
);
3286 ch
->ping_deadline
= ossl_time_add(get_time(ch
), max_span
);
3289 /* Called when the idle timeout expires. */
3290 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
)
3293 * Idle timeout does not have an error code associated with it because a
3294 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
3295 * TERMINATED anyway.
3297 ch
->terminate_cause
.app
= 0;
3298 ch
->terminate_cause
.error_code
= UINT64_MAX
;
3299 ch
->terminate_cause
.frame_type
= 0;
3301 ch_record_state_transition(ch
, QUIC_CHANNEL_STATE_TERMINATED
);
3304 /* Called when we, as a server, get a new incoming connection. */
3305 int ossl_quic_channel_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
3306 const QUIC_CONN_ID
*peer_scid
,
3307 const QUIC_CONN_ID
*peer_dcid
)
3309 if (!ossl_assert(ch
->state
== QUIC_CHANNEL_STATE_IDLE
&& ch
->is_server
))
3312 /* Generate an Initial LCID we will use for the connection. */
3313 if (!ossl_quic_lcidm_generate_initial(ch
->lcidm
, ch
, &ch
->cur_local_cid
))
3316 /* Note our newly learnt peer address and CIDs. */
3317 ch
->cur_peer_addr
= *peer
;
3318 ch
->init_dcid
= *peer_dcid
;
3319 ch
->cur_remote_dcid
= *peer_scid
;
3321 /* Inform QTX of peer address. */
3322 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
3325 /* Inform TXP of desired CIDs. */
3326 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
))
3329 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_cid
))
3332 /* Plug in secrets for the Initial EL. */
3333 if (!ossl_quic_provide_initial_secret(ch
->port
->engine
->libctx
,
3334 ch
->port
->engine
->propq
,
3340 /* Register the peer ODCID in the LCIDM. */
3341 if (!ossl_quic_lcidm_enrol_odcid(ch
->lcidm
, ch
, &ch
->init_dcid
))
3345 ch_record_state_transition(ch
, QUIC_CHANNEL_STATE_ACTIVE
);
3346 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
3350 SSL
*ossl_quic_channel_get0_ssl(QUIC_CHANNEL
*ch
)
3355 static int ch_init_new_stream(QUIC_CHANNEL
*ch
, QUIC_STREAM
*qs
,
3356 int can_send
, int can_recv
)
3359 int server_init
= ossl_quic_stream_is_server_init(qs
);
3360 int local_init
= (ch
->is_server
== server_init
);
3361 int is_uni
= !ossl_quic_stream_is_bidi(qs
);
3364 if ((qs
->sstream
= ossl_quic_sstream_new(INIT_APP_BUF_LEN
)) == NULL
)
3368 if ((qs
->rstream
= ossl_quic_rstream_new(NULL
, NULL
, 0)) == NULL
)
3372 if (!ossl_quic_txfc_init(&qs
->txfc
, &ch
->conn_txfc
))
3375 if (ch
->got_remote_transport_params
) {
3377 * If we already got peer TPs we need to apply the initial CWM credit
3378 * now. If we didn't already get peer TPs this will be done
3379 * automatically for all extant streams when we do.
3385 cwm
= ch
->rx_init_max_stream_data_uni
;
3386 else if (local_init
)
3387 cwm
= ch
->rx_init_max_stream_data_bidi_local
;
3389 cwm
= ch
->rx_init_max_stream_data_bidi_remote
;
3391 ossl_quic_txfc_bump_cwm(&qs
->txfc
, cwm
);
3399 rxfc_wnd
= ch
->tx_init_max_stream_data_uni
;
3400 else if (local_init
)
3401 rxfc_wnd
= ch
->tx_init_max_stream_data_bidi_local
;
3403 rxfc_wnd
= ch
->tx_init_max_stream_data_bidi_remote
;
3405 if (!ossl_quic_rxfc_init(&qs
->rxfc
, &ch
->conn_rxfc
,
3407 DEFAULT_STREAM_RXFC_MAX_WND_MUL
* rxfc_wnd
,
3414 ossl_quic_sstream_free(qs
->sstream
);
3416 ossl_quic_rstream_free(qs
->rstream
);
3421 static uint64_t *ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL
*ch
,
3424 return is_uni
? &ch
->next_local_stream_ordinal_uni
3425 : &ch
->next_local_stream_ordinal_bidi
;
3428 int ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL
*ch
,
3431 uint64_t *p_next_ordinal
= ch_get_local_stream_next_ordinal_ptr(ch
, is_uni
);
3433 return ossl_quic_stream_map_is_local_allowed_by_stream_limit(&ch
->qsm
,
3438 QUIC_STREAM
*ossl_quic_channel_new_stream_local(QUIC_CHANNEL
*ch
, int is_uni
)
3442 uint64_t stream_id
, *p_next_ordinal
;
3444 type
= ch
->is_server
? QUIC_STREAM_INITIATOR_SERVER
3445 : QUIC_STREAM_INITIATOR_CLIENT
;
3447 p_next_ordinal
= ch_get_local_stream_next_ordinal_ptr(ch
, is_uni
);
3450 type
|= QUIC_STREAM_DIR_UNI
;
3452 type
|= QUIC_STREAM_DIR_BIDI
;
3454 if (*p_next_ordinal
>= ((uint64_t)1) << 62)
3457 stream_id
= ((*p_next_ordinal
) << 2) | type
;
3459 if ((qs
= ossl_quic_stream_map_alloc(&ch
->qsm
, stream_id
, type
)) == NULL
)
3462 /* Locally-initiated stream, so we always want a send buffer. */
3463 if (!ch_init_new_stream(ch
, qs
, /*can_send=*/1, /*can_recv=*/!is_uni
))
3470 ossl_quic_stream_map_release(&ch
->qsm
, qs
);
3474 QUIC_STREAM
*ossl_quic_channel_new_stream_remote(QUIC_CHANNEL
*ch
,
3481 peer_role
= ch
->is_server
3482 ? QUIC_STREAM_INITIATOR_CLIENT
3483 : QUIC_STREAM_INITIATOR_SERVER
;
3485 if ((stream_id
& QUIC_STREAM_INITIATOR_MASK
) != peer_role
)
3488 is_uni
= ((stream_id
& QUIC_STREAM_DIR_MASK
) == QUIC_STREAM_DIR_UNI
);
3490 qs
= ossl_quic_stream_map_alloc(&ch
->qsm
, stream_id
,
3491 stream_id
& (QUIC_STREAM_INITIATOR_MASK
3492 | QUIC_STREAM_DIR_MASK
));
3496 if (!ch_init_new_stream(ch
, qs
, /*can_send=*/!is_uni
, /*can_recv=*/1))
3499 if (ch
->incoming_stream_auto_reject
)
3500 ossl_quic_channel_reject_stream(ch
, qs
);
3502 ossl_quic_stream_map_push_accept_queue(&ch
->qsm
, qs
);
3507 ossl_quic_stream_map_release(&ch
->qsm
, qs
);
3511 void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL
*ch
,
3515 ch
->incoming_stream_auto_reject
= (enable
!= 0);
3516 ch
->incoming_stream_auto_reject_aec
= aec
;
3519 void ossl_quic_channel_reject_stream(QUIC_CHANNEL
*ch
, QUIC_STREAM
*qs
)
3521 ossl_quic_stream_map_stop_sending_recv_part(&ch
->qsm
, qs
,
3522 ch
->incoming_stream_auto_reject_aec
);
3524 ossl_quic_stream_map_reset_stream_send_part(&ch
->qsm
, qs
,
3525 ch
->incoming_stream_auto_reject_aec
);
3528 ossl_quic_stream_map_update_state(&ch
->qsm
, qs
);
3531 /* Replace local connection ID in TXP and DEMUX for testing purposes. */
3532 int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL
*ch
,
3533 const QUIC_CONN_ID
*conn_id
)
3535 /* Remove the current LCID from the LCIDM. */
3536 if (!ossl_quic_lcidm_debug_remove(ch
->lcidm
, &ch
->cur_local_cid
))
3538 ch
->cur_local_cid
= *conn_id
;
3539 /* Set in the TXP, used only for long header packets. */
3540 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_cid
))
3542 /* Add the new LCID to the LCIDM. */
3543 if (!ossl_quic_lcidm_debug_add(ch
->lcidm
, ch
, &ch
->cur_local_cid
,
3549 void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL
*ch
,
3550 ossl_msg_cb msg_callback
,
3551 SSL
*msg_callback_ssl
)
3553 ch
->msg_callback
= msg_callback
;
3554 ch
->msg_callback_ssl
= msg_callback_ssl
;
3555 ossl_qtx_set_msg_callback(ch
->qtx
, msg_callback
, msg_callback_ssl
);
3556 ossl_quic_tx_packetiser_set_msg_callback(ch
->txp
, msg_callback
,
3558 ossl_qrx_set_msg_callback(ch
->qrx
, msg_callback
, msg_callback_ssl
);
3561 void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL
*ch
,
3562 void *msg_callback_arg
)
3564 ch
->msg_callback_arg
= msg_callback_arg
;
3565 ossl_qtx_set_msg_callback_arg(ch
->qtx
, msg_callback_arg
);
3566 ossl_quic_tx_packetiser_set_msg_callback_arg(ch
->txp
, msg_callback_arg
);
3567 ossl_qrx_set_msg_callback_arg(ch
->qrx
, msg_callback_arg
);
3570 void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL
*ch
,
3571 uint64_t tx_pkt_threshold
)
3573 ch
->txku_threshold_override
= tx_pkt_threshold
;
3576 uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL
*ch
)
3578 return ossl_qtx_get_key_epoch(ch
->qtx
);
3581 uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL
*ch
)
3583 return ossl_qrx_get_key_epoch(ch
->qrx
);
3586 int ossl_quic_channel_trigger_txku(QUIC_CHANNEL
*ch
)
3588 if (!txku_allowed(ch
))
3591 ch
->ku_locally_initiated
= 1;
3592 ch_trigger_txku(ch
);
3596 int ossl_quic_channel_ping(QUIC_CHANNEL
*ch
)
3598 int pn_space
= ossl_quic_enc_level_to_pn_space(ch
->tx_enc_level
);
3600 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch
->txp
, pn_space
);
3605 uint16_t ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL
*ch
)
3607 return ch
->diag_num_rx_ack
;
3610 void ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL
*ch
, QUIC_CONN_ID
*cid
)
3612 *cid
= ch
->cur_local_cid
;