]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/quic/quic_channel.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
QLOG: Events: Implement transport:packet_received
[thirdparty/openssl.git] / ssl / quic / quic_channel.c
1 /*
2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/rand.h>
11 #include <openssl/err.h>
12 #include "internal/quic_channel.h"
13 #include "internal/quic_error.h"
14 #include "internal/quic_rx_depack.h"
15 #include "internal/quic_lcidm.h"
16 #include "internal/quic_srtm.h"
17 #include "internal/qlog_event_helpers.h"
18 #include "../ssl_local.h"
19 #include "quic_channel_local.h"
20 #include "quic_port_local.h"
21 #include "quic_engine_local.h"
22
23 /*
24 * NOTE: While this channel implementation currently has basic server support,
25 * this functionality has been implemented for internal testing purposes and is
26 * not suitable for network use. In particular, it does not implement address
27 * validation, anti-amplification or retry logic.
28 *
29 * TODO(QUIC SERVER): Implement address validation and anti-amplification
30 * TODO(QUIC SERVER): Implement retry logic
31 */
32
33 #define INIT_CRYPTO_RECV_BUF_LEN 16384
34 #define INIT_CRYPTO_SEND_BUF_LEN 16384
35 #define INIT_APP_BUF_LEN 8192
36
37 /*
38 * Interval before we force a PING to ensure NATs don't timeout. This is based
39 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
40 * 10.1.2.
41 */
42 #define MAX_NAT_INTERVAL (ossl_ms2time(25000))
43
44 /*
45 * Our maximum ACK delay on the TX side. This is up to us to choose. Note that
46 * this could differ from QUIC_DEFAULT_MAX_DELAY in future as that is a protocol
47 * value which determines the value of the maximum ACK delay if the
48 * max_ack_delay transport parameter is not set.
49 */
50 #define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY
51
52 DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL);
53
54 static void ch_save_err_state(QUIC_CHANNEL *ch);
55 static int ch_rx(QUIC_CHANNEL *ch, int channel_only);
56 static int ch_tx(QUIC_CHANNEL *ch);
57 static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only);
58 static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only);
59 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
60 static int ch_retry(QUIC_CHANNEL *ch,
61 const unsigned char *retry_token,
62 size_t retry_token_len,
63 const QUIC_CONN_ID *retry_scid);
64 static void ch_cleanup(QUIC_CHANNEL *ch);
65 static int ch_generate_transport_params(QUIC_CHANNEL *ch);
66 static int ch_on_transport_params(const unsigned char *params,
67 size_t params_len,
68 void *arg);
69 static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
70 static int ch_on_handshake_complete(void *arg);
71 static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
72 uint32_t suite_id, EVP_MD *md,
73 const unsigned char *secret,
74 size_t secret_len,
75 void *arg);
76 static int ch_on_crypto_recv_record(const unsigned char **buf,
77 size_t *bytes_read, void *arg);
78 static int ch_on_crypto_release_record(size_t bytes_read, void *arg);
79 static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
80 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
81 size_t *consumed, void *arg);
82 static OSSL_TIME get_time(void *arg);
83 static uint64_t get_stream_limit(int uni, void *arg);
84 static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg);
85 static void rxku_detected(QUIC_PN pn, void *arg);
86 static int ch_retry(QUIC_CHANNEL *ch,
87 const unsigned char *retry_token,
88 size_t retry_token_len,
89 const QUIC_CONN_ID *retry_scid);
90 static void ch_update_idle(QUIC_CHANNEL *ch);
91 static int ch_discard_el(QUIC_CHANNEL *ch,
92 uint32_t enc_level);
93 static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
94 static void ch_update_idle(QUIC_CHANNEL *ch);
95 static void ch_update_ping_deadline(QUIC_CHANNEL *ch);
96 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
97 static void ch_start_terminating(QUIC_CHANNEL *ch,
98 const QUIC_TERMINATE_CAUSE *tcause,
99 int force_immediate);
100 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
101 void *arg);
102 static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt);
103 static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch);
104 static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state);
105
106 DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM);
107
108 QUIC_NEEDS_LOCK
109 static QLOG *ch_get_qlog(QUIC_CHANNEL *ch)
110 {
111 #ifndef OPENSSL_NO_QLOG
112 QLOG_TRACE_INFO qti = {0};
113
114 if (ch->qlog != NULL)
115 return ch->qlog;
116
117 if (!ch->use_qlog)
118 return NULL;
119
120 qti.odcid = ch->init_dcid;
121 qti.title = ch->qlog_title;
122 qti.description = NULL;
123 qti.group_id = NULL;
124 qti.is_server = ch->is_server;
125 qti.now_cb = get_time;
126 qti.now_cb_arg = ch;
127 if ((ch->qlog = ossl_qlog_new_from_env(&qti)) == NULL) {
128 ch->use_qlog = 0; /* don't try again */
129 return NULL;
130 }
131
132 return ch->qlog;
133 #else
134 return NULL;
135 #endif
136 }
137
138 /*
139 * QUIC Channel Initialization and Teardown
140 * ========================================
141 */
142 #define DEFAULT_INIT_CONN_RXFC_WND (768 * 1024)
143 #define DEFAULT_CONN_RXFC_MAX_WND_MUL 20
144
145 #define DEFAULT_INIT_STREAM_RXFC_WND (512 * 1024)
146 #define DEFAULT_STREAM_RXFC_MAX_WND_MUL 12
147
148 #define DEFAULT_INIT_CONN_MAX_STREAMS 100
149
150 static int ch_init(QUIC_CHANNEL *ch)
151 {
152 OSSL_QUIC_TX_PACKETISER_ARGS txp_args = {0};
153 OSSL_QTX_ARGS qtx_args = {0};
154 OSSL_QRX_ARGS qrx_args = {0};
155 QUIC_TLS_ARGS tls_args = {0};
156 uint32_t pn_space;
157 size_t rx_short_dcid_len;
158 size_t tx_init_dcid_len;
159
160 if (ch->port == NULL || ch->lcidm == NULL || ch->srtm == NULL)
161 goto err;
162
163 rx_short_dcid_len = ossl_quic_port_get_rx_short_dcid_len(ch->port);
164 tx_init_dcid_len = ossl_quic_port_get_tx_init_dcid_len(ch->port);
165
166 /* For clients, generate our initial DCID. */
167 if (!ch->is_server
168 && !ossl_quic_gen_rand_conn_id(ch->port->engine->libctx, tx_init_dcid_len,
169 &ch->init_dcid))
170 goto err;
171
172 /* We plug in a network write BIO to the QTX later when we get one. */
173 qtx_args.libctx = ch->port->engine->libctx;
174 qtx_args.qlog = ch_get_qlog(ch);
175 qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
176 ch->rx_max_udp_payload_size = qtx_args.mdpl;
177
178 ch->ping_deadline = ossl_time_infinite();
179
180 ch->qtx = ossl_qtx_new(&qtx_args);
181 if (ch->qtx == NULL)
182 goto err;
183
184 ch->txpim = ossl_quic_txpim_new();
185 if (ch->txpim == NULL)
186 goto err;
187
188 ch->cfq = ossl_quic_cfq_new();
189 if (ch->cfq == NULL)
190 goto err;
191
192 if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
193 goto err;
194
195 /*
196 * Note: The TP we transmit governs what the peer can transmit and thus
197 * applies to the RXFC.
198 */
199 ch->tx_init_max_stream_data_bidi_local = DEFAULT_INIT_STREAM_RXFC_WND;
200 ch->tx_init_max_stream_data_bidi_remote = DEFAULT_INIT_STREAM_RXFC_WND;
201 ch->tx_init_max_stream_data_uni = DEFAULT_INIT_STREAM_RXFC_WND;
202
203 if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
204 DEFAULT_INIT_CONN_RXFC_WND,
205 DEFAULT_CONN_RXFC_MAX_WND_MUL *
206 DEFAULT_INIT_CONN_RXFC_WND,
207 get_time, ch))
208 goto err;
209
210 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space)
211 if (!ossl_quic_rxfc_init_standalone(&ch->crypto_rxfc[pn_space],
212 INIT_CRYPTO_RECV_BUF_LEN,
213 get_time, ch))
214 goto err;
215
216 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_bidi_rxfc,
217 DEFAULT_INIT_CONN_MAX_STREAMS,
218 get_time, ch))
219 goto err;
220
221 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_uni_rxfc,
222 DEFAULT_INIT_CONN_MAX_STREAMS,
223 get_time, ch))
224 goto err;
225
226 if (!ossl_statm_init(&ch->statm))
227 goto err;
228
229 ch->have_statm = 1;
230 ch->cc_method = &ossl_cc_newreno_method;
231 if ((ch->cc_data = ch->cc_method->new(get_time, ch)) == NULL)
232 goto err;
233
234 if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
235 ch->cc_method, ch->cc_data)) == NULL)
236 goto err;
237
238 if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,
239 &ch->max_streams_bidi_rxfc,
240 &ch->max_streams_uni_rxfc,
241 ch->is_server))
242 goto err;
243
244 ch->have_qsm = 1;
245
246 if (!ch->is_server
247 && !ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &txp_args.cur_scid))
248 goto err;
249
250 /* We use a zero-length SCID. */
251 txp_args.cur_dcid = ch->init_dcid;
252 txp_args.ack_delay_exponent = 3;
253 txp_args.qtx = ch->qtx;
254 txp_args.txpim = ch->txpim;
255 txp_args.cfq = ch->cfq;
256 txp_args.ackm = ch->ackm;
257 txp_args.qsm = &ch->qsm;
258 txp_args.conn_txfc = &ch->conn_txfc;
259 txp_args.conn_rxfc = &ch->conn_rxfc;
260 txp_args.max_streams_bidi_rxfc = &ch->max_streams_bidi_rxfc;
261 txp_args.max_streams_uni_rxfc = &ch->max_streams_uni_rxfc;
262 txp_args.cc_method = ch->cc_method;
263 txp_args.cc_data = ch->cc_data;
264 txp_args.now = get_time;
265 txp_args.now_arg = ch;
266 txp_args.qlog = ch_get_qlog(ch);
267
268 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
269 ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_SEND_BUF_LEN);
270 if (ch->crypto_send[pn_space] == NULL)
271 goto err;
272
273 txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
274 }
275
276 ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
277 if (ch->txp == NULL)
278 goto err;
279
280 ossl_quic_tx_packetiser_set_ack_tx_cb(ch->txp, ch_on_txp_ack_tx, ch);
281
282 qrx_args.libctx = ch->port->engine->libctx;
283 qrx_args.demux = ch->port->demux;
284 qrx_args.short_conn_id_len = rx_short_dcid_len;
285 qrx_args.max_deferred = 32;
286
287 if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
288 goto err;
289
290 if (!ossl_qrx_set_late_validation_cb(ch->qrx,
291 rx_late_validate,
292 ch))
293 goto err;
294
295 if (!ossl_qrx_set_key_update_cb(ch->qrx,
296 rxku_detected,
297 ch))
298 goto err;
299
300 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
301 ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL, 0);
302 if (ch->crypto_recv[pn_space] == NULL)
303 goto err;
304 }
305
306 /* Plug in the TLS handshake layer. */
307 tls_args.s = ch->tls;
308 tls_args.crypto_send_cb = ch_on_crypto_send;
309 tls_args.crypto_send_cb_arg = ch;
310 tls_args.crypto_recv_rcd_cb = ch_on_crypto_recv_record;
311 tls_args.crypto_recv_rcd_cb_arg = ch;
312 tls_args.crypto_release_rcd_cb = ch_on_crypto_release_record;
313 tls_args.crypto_release_rcd_cb_arg = ch;
314 tls_args.yield_secret_cb = ch_on_handshake_yield_secret;
315 tls_args.yield_secret_cb_arg = ch;
316 tls_args.got_transport_params_cb = ch_on_transport_params;
317 tls_args.got_transport_params_cb_arg= ch;
318 tls_args.handshake_complete_cb = ch_on_handshake_complete;
319 tls_args.handshake_complete_cb_arg = ch;
320 tls_args.alert_cb = ch_on_handshake_alert;
321 tls_args.alert_cb_arg = ch;
322 tls_args.is_server = ch->is_server;
323
324 if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
325 goto err;
326
327 ch->tx_max_ack_delay = DEFAULT_MAX_ACK_DELAY;
328 ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
329 ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
330 ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
331 ch->max_idle_timeout = QUIC_DEFAULT_IDLE_TIMEOUT;
332 ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
333 ch->rx_enc_level = QUIC_ENC_LEVEL_INITIAL;
334 ch->txku_threshold_override = UINT64_MAX;
335
336 ossl_ackm_set_tx_max_ack_delay(ch->ackm, ossl_ms2time(ch->tx_max_ack_delay));
337 ossl_ackm_set_rx_max_ack_delay(ch->ackm, ossl_ms2time(ch->rx_max_ack_delay));
338
339 /*
340 * Determine the QUIC Transport Parameters and serialize the transport
341 * parameters block. (For servers, we do this later as we must defer
342 * generation until we have received the client's transport parameters.)
343 */
344 if (!ch->is_server && !ch_generate_transport_params(ch))
345 goto err;
346
347 ch_update_idle(ch);
348 ossl_list_ch_insert_tail(&ch->port->channel_list, ch);
349 ch->on_port_list = 1;
350 return 1;
351
352 err:
353 ch_cleanup(ch);
354 return 0;
355 }
356
357 static void ch_cleanup(QUIC_CHANNEL *ch)
358 {
359 uint32_t pn_space;
360
361 if (ch->ackm != NULL)
362 for (pn_space = QUIC_PN_SPACE_INITIAL;
363 pn_space < QUIC_PN_SPACE_NUM;
364 ++pn_space)
365 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
366
367 ossl_quic_lcidm_cull(ch->lcidm, ch);
368 ossl_quic_srtm_cull(ch->srtm, ch);
369 ossl_quic_tx_packetiser_free(ch->txp);
370 ossl_quic_txpim_free(ch->txpim);
371 ossl_quic_cfq_free(ch->cfq);
372 ossl_qtx_free(ch->qtx);
373 if (ch->cc_data != NULL)
374 ch->cc_method->free(ch->cc_data);
375 if (ch->have_statm)
376 ossl_statm_destroy(&ch->statm);
377 ossl_ackm_free(ch->ackm);
378
379 if (ch->have_qsm)
380 ossl_quic_stream_map_cleanup(&ch->qsm);
381
382 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
383 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
384 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
385 }
386
387 ossl_qrx_pkt_release(ch->qrx_pkt);
388 ch->qrx_pkt = NULL;
389
390 ossl_quic_tls_free(ch->qtls);
391 ossl_qrx_free(ch->qrx);
392 OPENSSL_free(ch->local_transport_params);
393 OPENSSL_free((char *)ch->terminate_cause.reason);
394 OSSL_ERR_STATE_free(ch->err_state);
395 OPENSSL_free(ch->ack_range_scratch);
396
397 if (ch->on_port_list) {
398 ossl_list_ch_remove(&ch->port->channel_list, ch);
399 ch->on_port_list = 0;
400 }
401
402 #ifndef OPENSSL_NO_QLOG
403 if (ch->qlog != NULL)
404 ossl_qlog_flush(ch->qlog); /* best effort */
405
406 OPENSSL_free(ch->qlog_title);
407 ossl_qlog_free(ch->qlog);
408 #endif
409 }
410
411 QUIC_CHANNEL *ossl_quic_channel_new(const QUIC_CHANNEL_ARGS *args)
412 {
413 QUIC_CHANNEL *ch = NULL;
414
415 if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
416 return NULL;
417
418 ch->port = args->port;
419 ch->is_server = args->is_server;
420 ch->tls = args->tls;
421 ch->lcidm = args->lcidm;
422 ch->srtm = args->srtm;
423 #ifndef OPENSSL_NO_QLOG
424 ch->use_qlog = args->use_qlog;
425
426 if (ch->use_qlog && args->qlog_title != NULL) {
427 if ((ch->qlog_title = OPENSSL_strdup(args->qlog_title)) == NULL) {
428 OPENSSL_free(ch);
429 return NULL;
430 }
431 }
432 #endif
433
434 if (!ch_init(ch)) {
435 OPENSSL_free(ch);
436 return NULL;
437 }
438
439 return ch;
440 }
441
442 void ossl_quic_channel_free(QUIC_CHANNEL *ch)
443 {
444 if (ch == NULL)
445 return;
446
447 ch_cleanup(ch);
448 OPENSSL_free(ch);
449 }
450
451 /* Set mutator callbacks for test framework support */
452 int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch,
453 ossl_mutate_packet_cb mutatecb,
454 ossl_finish_mutate_cb finishmutatecb,
455 void *mutatearg)
456 {
457 if (ch->qtx == NULL)
458 return 0;
459
460 ossl_qtx_set_mutator(ch->qtx, mutatecb, finishmutatecb, mutatearg);
461 return 1;
462 }
463
464 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
465 {
466 if (!ch->addressed_mode)
467 return 0;
468
469 *peer_addr = ch->cur_peer_addr;
470 return 1;
471 }
472
473 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
474 {
475 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
476 return 0;
477
478 if (peer_addr == NULL || BIO_ADDR_family(peer_addr) == AF_UNSPEC) {
479 BIO_ADDR_clear(&ch->cur_peer_addr);
480 ch->addressed_mode = 0;
481 return 1;
482 }
483
484 ch->cur_peer_addr = *peer_addr;
485 ch->addressed_mode = 1;
486 return 1;
487 }
488
489 QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
490 {
491 return ossl_quic_port_get0_reactor(ch->port);
492 }
493
494 QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
495 {
496 return &ch->qsm;
497 }
498
499 OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
500 {
501 return &ch->statm;
502 }
503
504 QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
505 uint64_t stream_id)
506 {
507 return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
508 }
509
510 int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
511 {
512 return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
513 }
514
515 int ossl_quic_channel_is_closing(const QUIC_CHANNEL *ch)
516 {
517 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
518 }
519
520 static int ossl_quic_channel_is_draining(const QUIC_CHANNEL *ch)
521 {
522 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
523 }
524
525 static int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
526 {
527 return ossl_quic_channel_is_closing(ch)
528 || ossl_quic_channel_is_draining(ch);
529 }
530
531 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
532 {
533 return ch->state == QUIC_CHANNEL_STATE_TERMINATED;
534 }
535
536 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
537 {
538 return ossl_quic_channel_is_terminating(ch)
539 || ossl_quic_channel_is_terminated(ch);
540 }
541
542 const QUIC_TERMINATE_CAUSE *
543 ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL *ch)
544 {
545 return ossl_quic_channel_is_term_any(ch) ? &ch->terminate_cause : NULL;
546 }
547
548 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
549 {
550 return ch->handshake_complete;
551 }
552
553 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL *ch)
554 {
555 return ch->handshake_confirmed;
556 }
557
558 QUIC_DEMUX *ossl_quic_channel_get0_demux(QUIC_CHANNEL *ch)
559 {
560 return ch->port->demux;
561 }
562
563 QUIC_PORT *ossl_quic_channel_get0_port(QUIC_CHANNEL *ch)
564 {
565 return ch->port;
566 }
567
568 QUIC_ENGINE *ossl_quic_channel_get0_engine(QUIC_CHANNEL *ch)
569 {
570 return ossl_quic_port_get0_engine(ch->port);
571 }
572
573 CRYPTO_MUTEX *ossl_quic_channel_get_mutex(QUIC_CHANNEL *ch)
574 {
575 return ossl_quic_port_get0_mutex(ch->port);
576 }
577
578 int ossl_quic_channel_has_pending(const QUIC_CHANNEL *ch)
579 {
580 return ossl_quic_demux_has_pending(ch->port->demux)
581 || ossl_qrx_processed_read_pending(ch->qrx);
582 }
583
584 /*
585 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
586 * ================================================================
587 */
588
589 /* Used by various components. */
590 static OSSL_TIME get_time(void *arg)
591 {
592 QUIC_CHANNEL *ch = arg;
593
594 return ossl_quic_port_get_time(ch->port);
595 }
596
597 /* Used by QSM. */
598 static uint64_t get_stream_limit(int uni, void *arg)
599 {
600 QUIC_CHANNEL *ch = arg;
601
602 return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
603 }
604
605 /*
606 * Called by QRX to determine if a packet is potentially invalid before trying
607 * to decrypt it.
608 */
609 static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg)
610 {
611 QUIC_CHANNEL *ch = arg;
612
613 /* Potential duplicates should not be processed. */
614 if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
615 return 0;
616
617 return 1;
618 }
619
620 /*
621 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
622 * spontaneous TXKU is currently allowed.
623 */
624 QUIC_NEEDS_LOCK
625 static void ch_trigger_txku(QUIC_CHANNEL *ch)
626 {
627 uint64_t next_pn
628 = ossl_quic_tx_packetiser_get_next_pn(ch->txp, QUIC_PN_SPACE_APP);
629
630 if (!ossl_quic_pn_valid(next_pn)
631 || !ossl_qtx_trigger_key_update(ch->qtx)) {
632 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
633 "key update");
634 return;
635 }
636
637 ch->txku_in_progress = 1;
638 ch->txku_pn = next_pn;
639 ch->rxku_expected = ch->ku_locally_initiated;
640 }
641
642 QUIC_NEEDS_LOCK
643 static int txku_in_progress(QUIC_CHANNEL *ch)
644 {
645 if (ch->txku_in_progress
646 && ossl_ackm_get_largest_acked(ch->ackm, QUIC_PN_SPACE_APP) >= ch->txku_pn) {
647 OSSL_TIME pto = ossl_ackm_get_pto_duration(ch->ackm);
648
649 /*
650 * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
651 * initiating a key update after receiving an acknowledgment that
652 * confirms that the previous key update was received.
653 *
654 * Note that by the above wording, this period starts from when we get
655 * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
656 * So we defer TXKU cooldown deadline calculation to this point.
657 */
658 ch->txku_in_progress = 0;
659 ch->txku_cooldown_deadline = ossl_time_add(get_time(ch),
660 ossl_time_multiply(pto, 3));
661 }
662
663 return ch->txku_in_progress;
664 }
665
666 QUIC_NEEDS_LOCK
667 static int txku_allowed(QUIC_CHANNEL *ch)
668 {
669 return ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT /* Sanity check. */
670 /* Strict RFC 9001 criterion for TXKU. */
671 && ch->handshake_confirmed
672 && !txku_in_progress(ch);
673 }
674
675 QUIC_NEEDS_LOCK
676 static int txku_recommendable(QUIC_CHANNEL *ch)
677 {
678 if (!txku_allowed(ch))
679 return 0;
680
681 return
682 /* Recommended RFC 9001 criterion for TXKU. */
683 ossl_time_compare(get_time(ch), ch->txku_cooldown_deadline) >= 0
684 /* Some additional sensible criteria. */
685 && !ch->rxku_in_progress
686 && !ch->rxku_pending_confirm;
687 }
688
689 QUIC_NEEDS_LOCK
690 static int txku_desirable(QUIC_CHANNEL *ch)
691 {
692 uint64_t cur_pkt_count, max_pkt_count, thresh_pkt_count;
693 const uint32_t enc_level = QUIC_ENC_LEVEL_1RTT;
694
695 /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
696 cur_pkt_count = ossl_qtx_get_cur_epoch_pkt_count(ch->qtx, enc_level);
697 max_pkt_count = ossl_qtx_get_max_epoch_pkt_count(ch->qtx, enc_level);
698
699 thresh_pkt_count = max_pkt_count / 2;
700 if (ch->txku_threshold_override != UINT64_MAX)
701 thresh_pkt_count = ch->txku_threshold_override;
702
703 return cur_pkt_count >= thresh_pkt_count;
704 }
705
706 QUIC_NEEDS_LOCK
707 static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL *ch)
708 {
709 if (!txku_recommendable(ch) || !txku_desirable(ch))
710 return;
711
712 ch->ku_locally_initiated = 1;
713 ch_trigger_txku(ch);
714 }
715
716 QUIC_NEEDS_LOCK
717 static int rxku_allowed(QUIC_CHANNEL *ch)
718 {
719 /*
720 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
721 * having confirmed the handshake (Section 4.1.2).
722 *
723 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
724 * unless it has received an acknowledgment for a packet that was sent
725 * protected with keys from the current key phase.
726 *
727 * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
728 * sent any packets with updated keys containing an acknowledgment for the
729 * packet that initiated the key update, it indicates that its peer has
730 * updated keys twice without awaiting confirmation. An endpoint MAY treat
731 * such consecutive key updates as a connection error of type
732 * KEY_UPDATE_ERROR.
733 */
734 return ch->handshake_confirmed && !ch->rxku_pending_confirm;
735 }
736
737 /*
738 * Called when the QRX detects a new RX key update event.
739 */
740 enum rxku_decision {
741 DECISION_RXKU_ONLY,
742 DECISION_PROTOCOL_VIOLATION,
743 DECISION_SOLICITED_TXKU
744 };
745
746 /* Called when the QRX detects a key update has occurred. */
747 QUIC_NEEDS_LOCK
748 static void rxku_detected(QUIC_PN pn, void *arg)
749 {
750 QUIC_CHANNEL *ch = arg;
751 enum rxku_decision decision;
752 OSSL_TIME pto;
753
754 /*
755 * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
756 * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
757 */
758 assert(!ch->rxku_in_progress);
759
760 if (!rxku_allowed(ch))
761 /* Is RXKU even allowed at this time? */
762 decision = DECISION_PROTOCOL_VIOLATION;
763
764 else if (ch->ku_locally_initiated)
765 /*
766 * If this key update was locally initiated (meaning that this detected
767 * RXKU event is a result of our own spontaneous TXKU), we do not
768 * trigger another TXKU; after all, to do so would result in an infinite
769 * ping-pong of key updates. We still process it as an RXKU.
770 */
771 decision = DECISION_RXKU_ONLY;
772
773 else
774 /*
775 * Otherwise, a peer triggering a KU means we have to trigger a KU also.
776 */
777 decision = DECISION_SOLICITED_TXKU;
778
779 if (decision == DECISION_PROTOCOL_VIOLATION) {
780 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_KEY_UPDATE_ERROR,
781 0, "RX key update again too soon");
782 return;
783 }
784
785 pto = ossl_ackm_get_pto_duration(ch->ackm);
786
787 ch->ku_locally_initiated = 0;
788 ch->rxku_in_progress = 1;
789 ch->rxku_pending_confirm = 1;
790 ch->rxku_trigger_pn = pn;
791 ch->rxku_update_end_deadline = ossl_time_add(get_time(ch), pto);
792 ch->rxku_expected = 0;
793
794 if (decision == DECISION_SOLICITED_TXKU)
795 /* NOT gated by usual txku_allowed() */
796 ch_trigger_txku(ch);
797
798 /*
799 * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
800 * received. In some cases, this may not occur for a long time, for example
801 * if transmission of application data is going in only one direction and
802 * nothing else is happening with the connection. However, since the peer
803 * cannot initiate a subsequent (spontaneous) TXKU until its prior
804 * (spontaneous or solicited) TXKU has completed - meaning that prior
805 * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
806 * can lead to very long times before a TXKU is considered 'completed'.
807 * Optimise this by forcing ACK generation after triggering TXKU.
808 * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
809 * which it more or less should be; it is necessarily separate from ordinary
810 * processing of ACK-eliciting frames as key update is not indicated via a
811 * frame.)
812 */
813 ossl_quic_tx_packetiser_schedule_ack(ch->txp, QUIC_PN_SPACE_APP);
814 }
815
816 /* Called per tick to handle RXKU timer events. */
817 QUIC_NEEDS_LOCK
818 static void ch_rxku_tick(QUIC_CHANNEL *ch)
819 {
820 if (!ch->rxku_in_progress
821 || ossl_time_compare(get_time(ch), ch->rxku_update_end_deadline) < 0)
822 return;
823
824 ch->rxku_update_end_deadline = ossl_time_infinite();
825 ch->rxku_in_progress = 0;
826
827 if (!ossl_qrx_key_update_timeout(ch->qrx, /*normal=*/1))
828 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
829 "RXKU cooldown internal error");
830 }
831
832 QUIC_NEEDS_LOCK
833 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
834 void *arg)
835 {
836 QUIC_CHANNEL *ch = arg;
837
838 if (pn_space != QUIC_PN_SPACE_APP || !ch->rxku_pending_confirm
839 || !ossl_quic_frame_ack_contains_pn(ack, ch->rxku_trigger_pn))
840 return;
841
842 /*
843 * Defer clearing rxku_pending_confirm until TXP generate call returns
844 * successfully.
845 */
846 ch->rxku_pending_confirm_done = 1;
847 }
848
849 /*
850 * QUIC Channel: Handshake Layer Event Handling
851 * ============================================
852 */
853 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
854 size_t *consumed, void *arg)
855 {
856 int ret;
857 QUIC_CHANNEL *ch = arg;
858 uint32_t enc_level = ch->tx_enc_level;
859 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
860 QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];
861
862 if (!ossl_assert(sstream != NULL))
863 return 0;
864
865 ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
866 return ret;
867 }
868
869 static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
870 {
871 size_t avail = 0;
872 int is_fin = 0;
873
874 if (rstream == NULL)
875 return 1;
876
877 if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
878 return 0;
879
880 return avail == 0;
881 }
882
883 static int ch_on_crypto_recv_record(const unsigned char **buf,
884 size_t *bytes_read, void *arg)
885 {
886 QUIC_CHANNEL *ch = arg;
887 QUIC_RSTREAM *rstream;
888 int is_fin = 0; /* crypto stream is never finished, so we don't use this */
889 uint32_t i;
890
891 /*
892 * After we move to a later EL we must not allow our peer to send any new
893 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
894 * are allowed.
895 *
896 * In practice we will only move to a new EL when we have consumed all bytes
897 * which should be sent on the crypto stream at a previous EL. For example,
898 * the Handshake EL should not be provisioned until we have completely
899 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
900 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
901 * given EL is available we simply ensure we have not received any further
902 * bytes at a lower EL.
903 */
904 for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->rx_enc_level; ++i)
905 if (i != QUIC_ENC_LEVEL_0RTT &&
906 !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
907 /* Protocol violation (RFC 9001 s. 4.1.3) */
908 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
909 OSSL_QUIC_FRAME_TYPE_CRYPTO,
910 "crypto stream data in wrong EL");
911 return 0;
912 }
913
914 rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->rx_enc_level)];
915 if (rstream == NULL)
916 return 0;
917
918 return ossl_quic_rstream_get_record(rstream, buf, bytes_read,
919 &is_fin);
920 }
921
922 static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
923 {
924 QUIC_CHANNEL *ch = arg;
925 QUIC_RSTREAM *rstream;
926 OSSL_RTT_INFO rtt_info;
927 uint32_t rx_pn_space = ossl_quic_enc_level_to_pn_space(ch->rx_enc_level);
928
929 rstream = ch->crypto_recv[rx_pn_space];
930 if (rstream == NULL)
931 return 0;
932
933 ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(ch), &rtt_info);
934 if (!ossl_quic_rxfc_on_retire(&ch->crypto_rxfc[rx_pn_space], bytes_read,
935 rtt_info.smoothed_rtt))
936 return 0;
937
938 return ossl_quic_rstream_release_record(rstream, bytes_read);
939 }
940
941 static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
942 uint32_t suite_id, EVP_MD *md,
943 const unsigned char *secret,
944 size_t secret_len,
945 void *arg)
946 {
947 QUIC_CHANNEL *ch = arg;
948 uint32_t i;
949
950 if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
951 /* Invalid EL. */
952 return 0;
953
954
955 if (direction) {
956 /* TX */
957 if (enc_level <= ch->tx_enc_level)
958 /*
959 * Does not make sense for us to try and provision an EL we have already
960 * attained.
961 */
962 return 0;
963
964 if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
965 suite_id, md,
966 secret, secret_len))
967 return 0;
968
969 ch->tx_enc_level = enc_level;
970 } else {
971 /* RX */
972 if (enc_level <= ch->rx_enc_level)
973 /*
974 * Does not make sense for us to try and provision an EL we have already
975 * attained.
976 */
977 return 0;
978
979 /*
980 * Ensure all crypto streams for previous ELs are now empty of available
981 * data.
982 */
983 for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
984 if (!crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
985 /* Protocol violation (RFC 9001 s. 4.1.3) */
986 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
987 OSSL_QUIC_FRAME_TYPE_CRYPTO,
988 "crypto stream data in wrong EL");
989 return 0;
990 }
991
992 if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
993 suite_id, md,
994 secret, secret_len))
995 return 0;
996
997 ch->have_new_rx_secret = 1;
998 ch->rx_enc_level = enc_level;
999 }
1000
1001 return 1;
1002 }
1003
1004 static int ch_on_handshake_complete(void *arg)
1005 {
1006 QUIC_CHANNEL *ch = arg;
1007
1008 if (!ossl_assert(!ch->handshake_complete))
1009 return 0; /* this should not happen twice */
1010
1011 if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
1012 return 0;
1013
1014 if (!ch->got_remote_transport_params) {
1015 /*
1016 * Was not a valid QUIC handshake if we did not get valid transport
1017 * params.
1018 */
1019 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_CRYPTO_MISSING_EXT,
1020 OSSL_QUIC_FRAME_TYPE_CRYPTO,
1021 "no transport parameters received");
1022 return 0;
1023 }
1024
1025 /* Don't need transport parameters anymore. */
1026 OPENSSL_free(ch->local_transport_params);
1027 ch->local_transport_params = NULL;
1028
1029 /* Tell the QRX it can now process 1-RTT packets. */
1030 ossl_qrx_allow_1rtt_processing(ch->qrx);
1031
1032 /* Tell TXP the handshake is complete. */
1033 ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);
1034
1035 ch->handshake_complete = 1;
1036
1037 if (ch->is_server) {
1038 /*
1039 * On the server, the handshake is confirmed as soon as it is complete.
1040 */
1041 ossl_quic_channel_on_handshake_confirmed(ch);
1042
1043 ossl_quic_tx_packetiser_schedule_handshake_done(ch->txp);
1044 }
1045
1046 ch_record_state_transition(ch, ch->state);
1047 return 1;
1048 }
1049
1050 static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
1051 {
1052 QUIC_CHANNEL *ch = arg;
1053
1054 /*
1055 * RFC 9001 s. 4.4: More specifically, servers MUST NOT send post-handshake
1056 * TLS CertificateRequest messages, and clients MUST treat receipt of such
1057 * messages as a connection error of type PROTOCOL_VIOLATION.
1058 */
1059 if (alert_code == SSL_AD_UNEXPECTED_MESSAGE
1060 && ch->handshake_complete
1061 && ossl_quic_tls_is_cert_request(ch->qtls))
1062 ossl_quic_channel_raise_protocol_error(ch,
1063 QUIC_ERR_PROTOCOL_VIOLATION,
1064 0,
1065 "Post-handshake TLS "
1066 "CertificateRequest received");
1067 /*
1068 * RFC 9001 s. 4.6.1: Servers MUST NOT send the early_data extension with a
1069 * max_early_data_size field set to any value other than 0xffffffff. A
1070 * client MUST treat receipt of a NewSessionTicket that contains an
1071 * early_data extension with any other value as a connection error of type
1072 * PROTOCOL_VIOLATION.
1073 */
1074 else if (alert_code == SSL_AD_ILLEGAL_PARAMETER
1075 && ch->handshake_complete
1076 && ossl_quic_tls_has_bad_max_early_data(ch->qtls))
1077 ossl_quic_channel_raise_protocol_error(ch,
1078 QUIC_ERR_PROTOCOL_VIOLATION,
1079 0,
1080 "Bad max_early_data received");
1081 else
1082 ossl_quic_channel_raise_protocol_error(ch,
1083 QUIC_ERR_CRYPTO_ERR_BEGIN
1084 + alert_code,
1085 0, "handshake alert");
1086
1087 return 1;
1088 }
1089
1090 /*
1091 * QUIC Channel: Transport Parameter Handling
1092 * ==========================================
1093 */
1094
1095 /*
1096 * Called by handshake layer when we receive QUIC Transport Parameters from the
1097 * peer. Note that these are not authenticated until the handshake is marked
1098 * as complete.
1099 */
1100 #define TP_REASON_SERVER_ONLY(x) \
1101 x " may not be sent by a client"
1102 #define TP_REASON_DUP(x) \
1103 x " appears multiple times"
1104 #define TP_REASON_MALFORMED(x) \
1105 x " is malformed"
1106 #define TP_REASON_EXPECTED_VALUE(x) \
1107 x " does not match expected value"
1108 #define TP_REASON_NOT_RETRY(x) \
1109 x " sent when not performing a retry"
1110 #define TP_REASON_REQUIRED(x) \
1111 x " was not sent but is required"
1112 #define TP_REASON_INTERNAL_ERROR(x) \
1113 x " encountered internal error"
1114
1115 static void txfc_bump_cwm_bidi(QUIC_STREAM *s, void *arg)
1116 {
1117 if (!ossl_quic_stream_is_bidi(s)
1118 || ossl_quic_stream_is_server_init(s))
1119 return;
1120
1121 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1122 }
1123
1124 static void txfc_bump_cwm_uni(QUIC_STREAM *s, void *arg)
1125 {
1126 if (ossl_quic_stream_is_bidi(s)
1127 || ossl_quic_stream_is_server_init(s))
1128 return;
1129
1130 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1131 }
1132
1133 static void do_update(QUIC_STREAM *s, void *arg)
1134 {
1135 QUIC_CHANNEL *ch = arg;
1136
1137 ossl_quic_stream_map_update_state(&ch->qsm, s);
1138 }
1139
1140 static int ch_on_transport_params(const unsigned char *params,
1141 size_t params_len,
1142 void *arg)
1143 {
1144 QUIC_CHANNEL *ch = arg;
1145 PACKET pkt;
1146 uint64_t id, v;
1147 size_t len;
1148 const unsigned char *body;
1149 int got_orig_dcid = 0;
1150 int got_initial_scid = 0;
1151 int got_retry_scid = 0;
1152 int got_initial_max_data = 0;
1153 int got_initial_max_stream_data_bidi_local = 0;
1154 int got_initial_max_stream_data_bidi_remote = 0;
1155 int got_initial_max_stream_data_uni = 0;
1156 int got_initial_max_streams_bidi = 0;
1157 int got_initial_max_streams_uni = 0;
1158 int got_stateless_reset_token = 0;
1159 int got_preferred_addr = 0;
1160 int got_ack_delay_exp = 0;
1161 int got_max_ack_delay = 0;
1162 int got_max_udp_payload_size = 0;
1163 int got_max_idle_timeout = 0;
1164 int got_active_conn_id_limit = 0;
1165 int got_disable_active_migration = 0;
1166 QUIC_CONN_ID cid;
1167 const char *reason = "bad transport parameter";
1168 ossl_unused uint64_t rx_max_idle_timeout = 0;
1169 ossl_unused const void *stateless_reset_token_p = NULL;
1170 QUIC_PREFERRED_ADDR pfa;
1171
1172 if (ch->got_remote_transport_params) {
1173 reason = "multiple transport parameter extensions";
1174 goto malformed;
1175 }
1176
1177 if (!PACKET_buf_init(&pkt, params, params_len)) {
1178 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1179 "internal error (packet buf init)");
1180 return 0;
1181 }
1182
1183 while (PACKET_remaining(&pkt) > 0) {
1184 if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
1185 goto malformed;
1186
1187 switch (id) {
1188 case QUIC_TPARAM_ORIG_DCID:
1189 if (got_orig_dcid) {
1190 reason = TP_REASON_DUP("ORIG_DCID");
1191 goto malformed;
1192 }
1193
1194 if (ch->is_server) {
1195 reason = TP_REASON_SERVER_ONLY("ORIG_DCID");
1196 goto malformed;
1197 }
1198
1199 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1200 reason = TP_REASON_MALFORMED("ORIG_DCID");
1201 goto malformed;
1202 }
1203
1204 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1205 /* Must match our initial DCID. */
1206 if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid)) {
1207 reason = TP_REASON_EXPECTED_VALUE("ORIG_DCID");
1208 goto malformed;
1209 }
1210 #endif
1211
1212 got_orig_dcid = 1;
1213 break;
1214
1215 case QUIC_TPARAM_RETRY_SCID:
1216 if (ch->is_server) {
1217 reason = TP_REASON_SERVER_ONLY("RETRY_SCID");
1218 goto malformed;
1219 }
1220
1221 if (got_retry_scid) {
1222 reason = TP_REASON_DUP("RETRY_SCID");
1223 goto malformed;
1224 }
1225
1226 if (!ch->doing_retry) {
1227 reason = TP_REASON_NOT_RETRY("RETRY_SCID");
1228 goto malformed;
1229 }
1230
1231 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1232 reason = TP_REASON_MALFORMED("RETRY_SCID");
1233 goto malformed;
1234 }
1235
1236 /* Must match Retry packet SCID. */
1237 if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid)) {
1238 reason = TP_REASON_EXPECTED_VALUE("RETRY_SCID");
1239 goto malformed;
1240 }
1241
1242 got_retry_scid = 1;
1243 break;
1244
1245 case QUIC_TPARAM_INITIAL_SCID:
1246 if (got_initial_scid) {
1247 /* must not appear more than once */
1248 reason = TP_REASON_DUP("INITIAL_SCID");
1249 goto malformed;
1250 }
1251
1252 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1253 reason = TP_REASON_MALFORMED("INITIAL_SCID");
1254 goto malformed;
1255 }
1256
1257 /* Must match SCID of first Initial packet from server. */
1258 if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid)) {
1259 reason = TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
1260 goto malformed;
1261 }
1262
1263 got_initial_scid = 1;
1264 break;
1265
1266 case QUIC_TPARAM_INITIAL_MAX_DATA:
1267 if (got_initial_max_data) {
1268 /* must not appear more than once */
1269 reason = TP_REASON_DUP("INITIAL_MAX_DATA");
1270 goto malformed;
1271 }
1272
1273 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1274 reason = TP_REASON_MALFORMED("INITIAL_MAX_DATA");
1275 goto malformed;
1276 }
1277
1278 ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
1279 got_initial_max_data = 1;
1280 break;
1281
1282 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
1283 if (got_initial_max_stream_data_bidi_local) {
1284 /* must not appear more than once */
1285 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1286 goto malformed;
1287 }
1288
1289 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1290 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1291 goto malformed;
1292 }
1293
1294 /*
1295 * This is correct; the BIDI_LOCAL TP governs streams created by
1296 * the endpoint which sends the TP, i.e., our peer.
1297 */
1298 ch->rx_init_max_stream_data_bidi_remote = v;
1299 got_initial_max_stream_data_bidi_local = 1;
1300 break;
1301
1302 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
1303 if (got_initial_max_stream_data_bidi_remote) {
1304 /* must not appear more than once */
1305 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1306 goto malformed;
1307 }
1308
1309 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1310 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1311 goto malformed;
1312 }
1313
1314 /*
1315 * This is correct; the BIDI_REMOTE TP governs streams created
1316 * by the endpoint which receives the TP, i.e., us.
1317 */
1318 ch->rx_init_max_stream_data_bidi_local = v;
1319
1320 /* Apply to all existing streams. */
1321 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_bidi, &v);
1322 got_initial_max_stream_data_bidi_remote = 1;
1323 break;
1324
1325 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
1326 if (got_initial_max_stream_data_uni) {
1327 /* must not appear more than once */
1328 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
1329 goto malformed;
1330 }
1331
1332 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1333 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
1334 goto malformed;
1335 }
1336
1337 ch->rx_init_max_stream_data_uni = v;
1338
1339 /* Apply to all existing streams. */
1340 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_uni, &v);
1341 got_initial_max_stream_data_uni = 1;
1342 break;
1343
1344 case QUIC_TPARAM_ACK_DELAY_EXP:
1345 if (got_ack_delay_exp) {
1346 /* must not appear more than once */
1347 reason = TP_REASON_DUP("ACK_DELAY_EXP");
1348 goto malformed;
1349 }
1350
1351 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1352 || v > QUIC_MAX_ACK_DELAY_EXP) {
1353 reason = TP_REASON_MALFORMED("ACK_DELAY_EXP");
1354 goto malformed;
1355 }
1356
1357 ch->rx_ack_delay_exp = (unsigned char)v;
1358 got_ack_delay_exp = 1;
1359 break;
1360
1361 case QUIC_TPARAM_MAX_ACK_DELAY:
1362 if (got_max_ack_delay) {
1363 /* must not appear more than once */
1364 reason = TP_REASON_DUP("MAX_ACK_DELAY");
1365 goto malformed;
1366 }
1367
1368 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1369 || v >= (((uint64_t)1) << 14)) {
1370 reason = TP_REASON_MALFORMED("MAX_ACK_DELAY");
1371 goto malformed;
1372 }
1373
1374 ch->rx_max_ack_delay = v;
1375 ossl_ackm_set_rx_max_ack_delay(ch->ackm,
1376 ossl_ms2time(ch->rx_max_ack_delay));
1377
1378 got_max_ack_delay = 1;
1379 break;
1380
1381 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
1382 if (got_initial_max_streams_bidi) {
1383 /* must not appear more than once */
1384 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
1385 goto malformed;
1386 }
1387
1388 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1389 || v > (((uint64_t)1) << 60)) {
1390 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
1391 goto malformed;
1392 }
1393
1394 assert(ch->max_local_streams_bidi == 0);
1395 ch->max_local_streams_bidi = v;
1396 got_initial_max_streams_bidi = 1;
1397 break;
1398
1399 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
1400 if (got_initial_max_streams_uni) {
1401 /* must not appear more than once */
1402 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
1403 goto malformed;
1404 }
1405
1406 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1407 || v > (((uint64_t)1) << 60)) {
1408 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
1409 goto malformed;
1410 }
1411
1412 assert(ch->max_local_streams_uni == 0);
1413 ch->max_local_streams_uni = v;
1414 got_initial_max_streams_uni = 1;
1415 break;
1416
1417 case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
1418 if (got_max_idle_timeout) {
1419 /* must not appear more than once */
1420 reason = TP_REASON_DUP("MAX_IDLE_TIMEOUT");
1421 goto malformed;
1422 }
1423
1424 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1425 reason = TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
1426 goto malformed;
1427 }
1428
1429 if (v > 0 && v < ch->max_idle_timeout)
1430 ch->max_idle_timeout = v;
1431
1432 ch_update_idle(ch);
1433 got_max_idle_timeout = 1;
1434 rx_max_idle_timeout = v;
1435 break;
1436
1437 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
1438 if (got_max_udp_payload_size) {
1439 /* must not appear more than once */
1440 reason = TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
1441 goto malformed;
1442 }
1443
1444 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1445 || v < QUIC_MIN_INITIAL_DGRAM_LEN) {
1446 reason = TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
1447 goto malformed;
1448 }
1449
1450 ch->rx_max_udp_payload_size = v;
1451 got_max_udp_payload_size = 1;
1452 break;
1453
1454 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT:
1455 if (got_active_conn_id_limit) {
1456 /* must not appear more than once */
1457 reason = TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
1458 goto malformed;
1459 }
1460
1461 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1462 || v < QUIC_MIN_ACTIVE_CONN_ID_LIMIT) {
1463 reason = TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
1464 goto malformed;
1465 }
1466
1467 ch->rx_active_conn_id_limit = v;
1468 got_active_conn_id_limit = 1;
1469 break;
1470
1471 case QUIC_TPARAM_STATELESS_RESET_TOKEN:
1472 if (got_stateless_reset_token) {
1473 reason = TP_REASON_DUP("STATELESS_RESET_TOKEN");
1474 goto malformed;
1475 }
1476
1477 /*
1478 * We must ensure a client doesn't send them because we don't have
1479 * processing for them.
1480 *
1481 * TODO(QUIC SERVER): remove this restriction
1482 */
1483 if (ch->is_server) {
1484 reason = TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1485 goto malformed;
1486 }
1487
1488 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1489 if (body == NULL || len != QUIC_STATELESS_RESET_TOKEN_LEN) {
1490 reason = TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1491 goto malformed;
1492 }
1493 if (!ossl_quic_srtm_add(ch->srtm, ch, ch->cur_remote_seq_num,
1494 (const QUIC_STATELESS_RESET_TOKEN *)body)) {
1495 reason = TP_REASON_INTERNAL_ERROR("STATELESS_RESET_TOKEN");
1496 goto malformed;
1497 }
1498
1499 stateless_reset_token_p = body;
1500 got_stateless_reset_token = 1;
1501 break;
1502
1503 case QUIC_TPARAM_PREFERRED_ADDR:
1504 {
1505 /* TODO(QUIC FUTURE): Handle preferred address. */
1506 if (got_preferred_addr) {
1507 reason = TP_REASON_DUP("PREFERRED_ADDR");
1508 goto malformed;
1509 }
1510
1511 /*
1512 * RFC 9000 s. 18.2: "A server that chooses a zero-length
1513 * connection ID MUST NOT provide a preferred address.
1514 * Similarly, a server MUST NOT include a zero-length connection
1515 * ID in this transport parameter. A client MUST treat a
1516 * violation of these requirements as a connection error of type
1517 * TRANSPORT_PARAMETER_ERROR."
1518 */
1519 if (ch->is_server) {
1520 reason = TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1521 goto malformed;
1522 }
1523
1524 if (ch->cur_remote_dcid.id_len == 0) {
1525 reason = "PREFERRED_ADDR provided for zero-length CID";
1526 goto malformed;
1527 }
1528
1529 if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt, &pfa)) {
1530 reason = TP_REASON_MALFORMED("PREFERRED_ADDR");
1531 goto malformed;
1532 }
1533
1534 if (pfa.cid.id_len == 0) {
1535 reason = "zero-length CID in PREFERRED_ADDR";
1536 goto malformed;
1537 }
1538
1539 got_preferred_addr = 1;
1540 }
1541 break;
1542
1543 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION:
1544 /* We do not currently handle migration, so nothing to do. */
1545 if (got_disable_active_migration) {
1546 /* must not appear more than once */
1547 reason = TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
1548 goto malformed;
1549 }
1550
1551 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1552 if (body == NULL || len > 0) {
1553 reason = TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
1554 goto malformed;
1555 }
1556
1557 got_disable_active_migration = 1;
1558 break;
1559
1560 default:
1561 /*
1562 * Skip over and ignore.
1563 *
1564 * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
1565 * as a connection error, but we are not required to. Currently,
1566 * handle this programmatically by checking for duplicates in the
1567 * parameters that we recognise, as above, but don't bother
1568 * maintaining a list of duplicates for anything we don't recognise.
1569 */
1570 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id,
1571 &len);
1572 if (body == NULL)
1573 goto malformed;
1574
1575 break;
1576 }
1577 }
1578
1579 if (!got_initial_scid) {
1580 reason = TP_REASON_REQUIRED("INITIAL_SCID");
1581 goto malformed;
1582 }
1583
1584 if (!ch->is_server) {
1585 if (!got_orig_dcid) {
1586 reason = TP_REASON_REQUIRED("ORIG_DCID");
1587 goto malformed;
1588 }
1589
1590 if (ch->doing_retry && !got_retry_scid) {
1591 reason = TP_REASON_REQUIRED("RETRY_SCID");
1592 goto malformed;
1593 }
1594 }
1595
1596 ch->got_remote_transport_params = 1;
1597
1598 #ifndef OPENSSL_NO_QLOG
1599 QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
1600 QLOG_STR("owner", "remote");
1601
1602 if (got_orig_dcid)
1603 QLOG_CID("original_destination_connection_id",
1604 &ch->init_dcid);
1605 if (got_initial_scid)
1606 QLOG_CID("original_source_connection_id",
1607 &ch->init_dcid);
1608 if (got_retry_scid)
1609 QLOG_CID("retry_source_connection_id",
1610 &ch->retry_scid);
1611 if (got_initial_max_data)
1612 QLOG_U64("initial_max_data",
1613 ossl_quic_txfc_get_cwm(&ch->conn_txfc));
1614 if (got_initial_max_stream_data_bidi_local)
1615 QLOG_U64("initial_max_stream_data_bidi_local",
1616 ch->rx_init_max_stream_data_bidi_local);
1617 if (got_initial_max_stream_data_bidi_remote)
1618 QLOG_U64("initial_max_stream_data_bidi_remote",
1619 ch->rx_init_max_stream_data_bidi_remote);
1620 if (got_initial_max_stream_data_uni)
1621 QLOG_U64("initial_max_stream_data_uni",
1622 ch->rx_init_max_stream_data_uni);
1623 if (got_initial_max_streams_bidi)
1624 QLOG_U64("initial_max_streams_bidi",
1625 ch->max_local_streams_bidi);
1626 if (got_initial_max_streams_uni)
1627 QLOG_U64("initial_max_streams_uni",
1628 ch->max_local_streams_uni);
1629 if (got_ack_delay_exp)
1630 QLOG_U64("ack_delay_exponent", ch->rx_ack_delay_exp);
1631 if (got_max_ack_delay)
1632 QLOG_U64("max_ack_delay", ch->rx_max_ack_delay);
1633 if (got_max_udp_payload_size)
1634 QLOG_U64("max_udp_payload_size", ch->rx_max_udp_payload_size);
1635 if (got_max_idle_timeout)
1636 QLOG_U64("max_idle_timeout", rx_max_idle_timeout);
1637 if (got_active_conn_id_limit)
1638 QLOG_U64("active_connection_id_limit", ch->rx_active_conn_id_limit);
1639 if (got_stateless_reset_token)
1640 QLOG_BIN("stateless_reset_token", stateless_reset_token_p,
1641 QUIC_STATELESS_RESET_TOKEN_LEN);
1642 if (got_preferred_addr) {
1643 QLOG_BEGIN("preferred_addr")
1644 QLOG_U64("port_v4", pfa.ipv4_port);
1645 QLOG_U64("port_v6", pfa.ipv6_port);
1646 QLOG_BIN("ip_v4", pfa.ipv4, sizeof(pfa.ipv4));
1647 QLOG_BIN("ip_v6", pfa.ipv6, sizeof(pfa.ipv6));
1648 QLOG_BIN("stateless_reset_token", pfa.stateless_reset.token,
1649 sizeof(pfa.stateless_reset.token));
1650 QLOG_CID("connection_id", &pfa.cid);
1651 QLOG_END()
1652 }
1653 QLOG_BOOL("disable_active_migration", got_disable_active_migration);
1654 QLOG_EVENT_END()
1655 #endif
1656
1657 if (got_initial_max_data || got_initial_max_stream_data_bidi_remote
1658 || got_initial_max_streams_bidi || got_initial_max_streams_uni)
1659 /*
1660 * If FC credit was bumped, we may now be able to send. Update all
1661 * streams.
1662 */
1663 ossl_quic_stream_map_visit(&ch->qsm, do_update, ch);
1664
1665 /* If we are a server, we now generate our own transport parameters. */
1666 if (ch->is_server && !ch_generate_transport_params(ch)) {
1667 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR, 0,
1668 "internal error");
1669 return 0;
1670 }
1671
1672 return 1;
1673
1674 malformed:
1675 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
1676 0, reason);
1677 return 0;
1678 }
1679
1680 /*
1681 * Called when we want to generate transport parameters. This is called
1682 * immediately at instantiation time for a client and after we receive the
1683 * client's transport parameters for a server.
1684 */
1685 static int ch_generate_transport_params(QUIC_CHANNEL *ch)
1686 {
1687 int ok = 0;
1688 BUF_MEM *buf_mem = NULL;
1689 WPACKET wpkt;
1690 int wpkt_valid = 0;
1691 size_t buf_len = 0;
1692
1693 if (ch->local_transport_params != NULL)
1694 goto err;
1695
1696 if ((buf_mem = BUF_MEM_new()) == NULL)
1697 goto err;
1698
1699 if (!WPACKET_init(&wpkt, buf_mem))
1700 goto err;
1701
1702 wpkt_valid = 1;
1703
1704 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION,
1705 NULL, 0) == NULL)
1706 goto err;
1707
1708 if (ch->is_server) {
1709 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_ORIG_DCID,
1710 &ch->init_dcid))
1711 goto err;
1712
1713 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1714 &ch->cur_local_cid))
1715 goto err;
1716 } else {
1717 /* Client always uses an empty SCID. */
1718 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1719 NULL, 0) == NULL)
1720 goto err;
1721 }
1722
1723 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_IDLE_TIMEOUT,
1724 ch->max_idle_timeout))
1725 goto err;
1726
1727 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE,
1728 QUIC_MIN_INITIAL_DGRAM_LEN))
1729 goto err;
1730
1731 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT,
1732 QUIC_MIN_ACTIVE_CONN_ID_LIMIT))
1733 goto err;
1734
1735 if (ch->tx_max_ack_delay != QUIC_DEFAULT_MAX_ACK_DELAY
1736 && !ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_ACK_DELAY,
1737 ch->tx_max_ack_delay))
1738 goto err;
1739
1740 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_DATA,
1741 ossl_quic_rxfc_get_cwm(&ch->conn_rxfc)))
1742 goto err;
1743
1744 /* Send the default CWM for a new RXFC. */
1745 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
1746 ch->tx_init_max_stream_data_bidi_local))
1747 goto err;
1748
1749 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
1750 ch->tx_init_max_stream_data_bidi_remote))
1751 goto err;
1752
1753 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI,
1754 ch->tx_init_max_stream_data_uni))
1755 goto err;
1756
1757 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI,
1758 ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc)))
1759 goto err;
1760
1761 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI,
1762 ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc)))
1763 goto err;
1764
1765 if (!WPACKET_finish(&wpkt))
1766 goto err;
1767
1768 wpkt_valid = 0;
1769
1770 if (!WPACKET_get_total_written(&wpkt, &buf_len))
1771 goto err;
1772
1773 ch->local_transport_params = (unsigned char *)buf_mem->data;
1774 buf_mem->data = NULL;
1775
1776
1777 if (!ossl_quic_tls_set_transport_params(ch->qtls, ch->local_transport_params,
1778 buf_len))
1779 goto err;
1780
1781 #ifndef OPENSSL_NO_QLOG
1782 QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
1783 QLOG_STR("owner", "local");
1784 QLOG_BOOL("disable_active_migration", 1);
1785 if (ch->is_server) {
1786 QLOG_CID("original_destination_connection_id", &ch->init_dcid);
1787 QLOG_CID("initial_source_connection_id", &ch->cur_local_cid);
1788 } else {
1789 QLOG_STR("initial_source_connection_id", "");
1790 }
1791 QLOG_U64("max_idle_timeout", ch->max_idle_timeout);
1792 QLOG_U64("max_udp_payload_size", QUIC_MIN_INITIAL_DGRAM_LEN);
1793 QLOG_U64("active_connection_id_limit", QUIC_MIN_ACTIVE_CONN_ID_LIMIT);
1794 QLOG_U64("max_ack_delay", ch->tx_max_ack_delay);
1795 QLOG_U64("initial_max_data", ossl_quic_rxfc_get_cwm(&ch->conn_rxfc));
1796 QLOG_U64("initial_max_stream_data_bidi_local",
1797 ch->tx_init_max_stream_data_bidi_local);
1798 QLOG_U64("initial_max_stream_data_bidi_remote",
1799 ch->tx_init_max_stream_data_bidi_remote);
1800 QLOG_U64("initial_max_stream_data_uni",
1801 ch->tx_init_max_stream_data_uni);
1802 QLOG_U64("initial_max_streams_bidi",
1803 ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc));
1804 QLOG_U64("initial_max_streams_uni",
1805 ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc));
1806 QLOG_EVENT_END()
1807 #endif
1808
1809 ok = 1;
1810 err:
1811 if (wpkt_valid)
1812 WPACKET_cleanup(&wpkt);
1813 BUF_MEM_free(buf_mem);
1814 return ok;
1815 }
1816
1817 /*
1818 * QUIC Channel: Ticker-Mutator
1819 * ============================
1820 */
1821
1822 /*
1823 * The central ticker function called by the reactor. This does everything, or
1824 * at least everything network I/O related. Best effort - not allowed to fail
1825 * "loudly".
1826 */
1827 void ossl_quic_channel_subtick(QUIC_CHANNEL *ch, QUIC_TICK_RESULT *res,
1828 uint32_t flags)
1829 {
1830 OSSL_TIME now, deadline;
1831 int channel_only = (flags & QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY) != 0;
1832
1833 /*
1834 * When we tick the QUIC connection, we do everything we need to do
1835 * periodically. Network I/O handling will already have been performed
1836 * as necessary by the QUIC port. Thus, in order, we:
1837 *
1838 * - handle any packets the DEMUX has queued up for us;
1839 * - handle any timer events which are due to fire (ACKM, etc.);
1840 * - generate any packets which need to be sent;
1841 * - determine the time at which we should next be ticked.
1842 */
1843
1844 /* If we are in the TERMINATED state, there is nothing to do. */
1845 if (ossl_quic_channel_is_terminated(ch)) {
1846 res->net_read_desired = 0;
1847 res->net_write_desired = 0;
1848 res->tick_deadline = ossl_time_infinite();
1849 return;
1850 }
1851
1852 /*
1853 * If we are in the TERMINATING state, check if the terminating timer has
1854 * expired.
1855 */
1856 if (ossl_quic_channel_is_terminating(ch)) {
1857 now = get_time(ch);
1858
1859 if (ossl_time_compare(now, ch->terminate_deadline) >= 0) {
1860 ch_on_terminating_timeout(ch);
1861 res->net_read_desired = 0;
1862 res->net_write_desired = 0;
1863 res->tick_deadline = ossl_time_infinite();
1864 return; /* abort normal processing, nothing to do */
1865 }
1866 }
1867
1868 if (!ch->port->engine->inhibit_tick) {
1869 /* Handle RXKU timeouts. */
1870 ch_rxku_tick(ch);
1871
1872 do {
1873 /* Process queued incoming packets. */
1874 ch->did_tls_tick = 0;
1875 ch->have_new_rx_secret = 0;
1876 ch_rx(ch, channel_only);
1877
1878 /*
1879 * Allow the handshake layer to check for any new incoming data and
1880 * generate new outgoing data.
1881 */
1882 if (!ch->did_tls_tick)
1883 ch_tick_tls(ch, channel_only);
1884
1885 /*
1886 * If the handshake layer gave us a new secret, we need to do RX
1887 * again because packets that were not previously processable and
1888 * were deferred might now be processable.
1889 *
1890 * TODO(QUIC FUTURE): Consider handling this in the yield_secret callback.
1891 */
1892 } while (ch->have_new_rx_secret);
1893 }
1894
1895 /*
1896 * Handle any timer events which are due to fire; namely, the loss
1897 * detection deadline and the idle timeout.
1898 *
1899 * ACKM ACK generation deadline is polled by TXP, so we don't need to
1900 * handle it here.
1901 */
1902 now = get_time(ch);
1903 if (ossl_time_compare(now, ch->idle_deadline) >= 0) {
1904 /*
1905 * Idle timeout differs from normal protocol violation because we do
1906 * not send a CONN_CLOSE frame; go straight to TERMINATED.
1907 */
1908 if (!ch->port->engine->inhibit_tick)
1909 ch_on_idle_timeout(ch);
1910
1911 res->net_read_desired = 0;
1912 res->net_write_desired = 0;
1913 res->tick_deadline = ossl_time_infinite();
1914 return;
1915 }
1916
1917 if (!ch->port->engine->inhibit_tick) {
1918 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
1919 if (!ossl_time_is_zero(deadline)
1920 && ossl_time_compare(now, deadline) >= 0)
1921 ossl_ackm_on_timeout(ch->ackm);
1922
1923 /* If a ping is due, inform TXP. */
1924 if (ossl_time_compare(now, ch->ping_deadline) >= 0) {
1925 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
1926
1927 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
1928
1929 /*
1930 * If we have no CC budget at this time we cannot process the above
1931 * PING request immediately. In any case we have scheduled the
1932 * request so bump the ping deadline. If we don't do this we will
1933 * busy-loop endlessly as the above deadline comparison condition
1934 * will still be met.
1935 */
1936 ch_update_ping_deadline(ch);
1937 }
1938
1939 /* Queue any data to be sent for transmission. */
1940 ch_tx(ch);
1941
1942 /* Do stream GC. */
1943 ossl_quic_stream_map_gc(&ch->qsm);
1944 }
1945
1946 /* Determine the time at which we should next be ticked. */
1947 res->tick_deadline = ch_determine_next_tick_deadline(ch);
1948
1949 /*
1950 * Always process network input unless we are now terminated. Although we
1951 * had not terminated at the beginning of this tick, network errors in
1952 * ch_tx() may have caused us to transition to the Terminated state.
1953 */
1954 res->net_read_desired = !ossl_quic_channel_is_terminated(ch);
1955
1956 /* We want to write to the network if we have any data in our TX queue. */
1957 res->net_write_desired
1958 = (!ossl_quic_channel_is_terminated(ch)
1959 && ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0);
1960 }
1961
1962 static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only)
1963 {
1964 uint64_t error_code;
1965 const char *error_msg;
1966 ERR_STATE *error_state = NULL;
1967
1968 if (channel_only)
1969 return 1;
1970
1971 ch->did_tls_tick = 1;
1972 ossl_quic_tls_tick(ch->qtls);
1973
1974 if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg,
1975 &error_state)) {
1976 ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0,
1977 error_msg, error_state);
1978 return 0;
1979 }
1980
1981 return 1;
1982 }
1983
1984 /* Check incoming forged packet limit and terminate connection if needed. */
1985 static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch)
1986 {
1987 uint32_t enc_level;
1988 uint64_t limit = UINT64_MAX, l;
1989
1990 for (enc_level = QUIC_ENC_LEVEL_INITIAL;
1991 enc_level < QUIC_ENC_LEVEL_NUM;
1992 ++enc_level)
1993 {
1994 /*
1995 * Different ELs can have different AEADs which can in turn impose
1996 * different limits, so use the lowest value of any currently valid EL.
1997 */
1998 if ((ch->el_discarded & (1U << enc_level)) != 0)
1999 continue;
2000
2001 if (enc_level > ch->rx_enc_level)
2002 break;
2003
2004 l = ossl_qrx_get_max_forged_pkt_count(ch->qrx, enc_level);
2005 if (l < limit)
2006 limit = l;
2007 }
2008
2009 if (ossl_qrx_get_cur_forged_pkt_count(ch->qrx) < limit)
2010 return;
2011
2012 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_AEAD_LIMIT_REACHED, 0,
2013 "forgery limit");
2014 }
2015
2016 /* Process queued incoming packets and handle frames, if any. */
2017 static int ch_rx(QUIC_CHANNEL *ch, int channel_only)
2018 {
2019 int handled_any = 0;
2020 const int closing = ossl_quic_channel_is_closing(ch);
2021
2022 if (!ch->is_server && !ch->have_sent_any_pkt)
2023 /*
2024 * We have not sent anything yet, therefore there is no need to check
2025 * for incoming data.
2026 */
2027 return 1;
2028
2029 for (;;) {
2030 assert(ch->qrx_pkt == NULL);
2031
2032 if (!ossl_qrx_read_pkt(ch->qrx, &ch->qrx_pkt))
2033 break;
2034
2035 /* Track the amount of data received while in the closing state */
2036 if (closing)
2037 ossl_quic_tx_packetiser_record_received_closing_bytes(
2038 ch->txp, ch->qrx_pkt->hdr->len);
2039
2040 if (!handled_any) {
2041 ch_update_idle(ch);
2042 ch_update_ping_deadline(ch);
2043 }
2044
2045 ch_rx_handle_packet(ch, channel_only); /* best effort */
2046
2047 /*
2048 * Regardless of the outcome of frame handling, unref the packet.
2049 * This will free the packet unless something added another
2050 * reference to it during frame processing.
2051 */
2052 ossl_qrx_pkt_release(ch->qrx_pkt);
2053 ch->qrx_pkt = NULL;
2054
2055 ch->have_sent_ack_eliciting_since_rx = 0;
2056 handled_any = 1;
2057 }
2058
2059 ch_rx_check_forged_pkt_limit(ch);
2060
2061 /*
2062 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
2063 * process one or more incoming packets.
2064 */
2065 if (handled_any && closing)
2066 ch->conn_close_queued = 1;
2067
2068 return 1;
2069 }
2070
2071 static int bio_addr_eq(const BIO_ADDR *a, const BIO_ADDR *b)
2072 {
2073 if (BIO_ADDR_family(a) != BIO_ADDR_family(b))
2074 return 0;
2075
2076 switch (BIO_ADDR_family(a)) {
2077 case AF_INET:
2078 return !memcmp(&a->s_in.sin_addr,
2079 &b->s_in.sin_addr,
2080 sizeof(a->s_in.sin_addr))
2081 && a->s_in.sin_port == b->s_in.sin_port;
2082 #if OPENSSL_USE_IPV6
2083 case AF_INET6:
2084 return !memcmp(&a->s_in6.sin6_addr,
2085 &b->s_in6.sin6_addr,
2086 sizeof(a->s_in6.sin6_addr))
2087 && a->s_in6.sin6_port == b->s_in6.sin6_port;
2088 #endif
2089 default:
2090 return 0; /* not supported */
2091 }
2092
2093 return 1;
2094 }
2095
2096 /* Handles the packet currently in ch->qrx_pkt->hdr. */
2097 static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only)
2098 {
2099 uint32_t enc_level;
2100 int old_have_processed_any_pkt = ch->have_processed_any_pkt;
2101 OSSL_QTX_IOVEC iovec;
2102
2103 assert(ch->qrx_pkt != NULL);
2104
2105 /*
2106 * RFC 9000 s. 10.2.1 Closing Connection State:
2107 * An endpoint that is closing is not required to process any
2108 * received frame.
2109 */
2110 if (!ossl_quic_channel_is_active(ch))
2111 return;
2112
2113 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)) {
2114 if (!ch->have_received_enc_pkt) {
2115 ch->cur_remote_dcid = ch->init_scid = ch->qrx_pkt->hdr->src_conn_id;
2116 ch->have_received_enc_pkt = 1;
2117
2118 /*
2119 * We change to using the SCID in the first Initial packet as the
2120 * DCID.
2121 */
2122 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->init_scid);
2123 }
2124
2125 enc_level = ossl_quic_pkt_type_to_enc_level(ch->qrx_pkt->hdr->type);
2126 if ((ch->el_discarded & (1U << enc_level)) != 0)
2127 /* Do not process packets from ELs we have already discarded. */
2128 return;
2129 }
2130
2131 /*
2132 * RFC 9000 s. 9.6: "If a client receives packets from a new server address
2133 * when the client has not initiated a migration to that address, the client
2134 * SHOULD discard these packets."
2135 *
2136 * We need to be a bit careful here as due to the BIO abstraction layer an
2137 * application is liable to be weird and lie to us about peer addresses.
2138 * Only apply this check if we actually are using a real AF_INET or AF_INET6
2139 * address.
2140 */
2141 if (!ch->is_server
2142 && ch->qrx_pkt->peer != NULL
2143 && (
2144 BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET
2145 #if OPENSSL_USE_IPV6
2146 || BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET6
2147 #endif
2148 )
2149 && !bio_addr_eq(ch->qrx_pkt->peer, &ch->cur_peer_addr))
2150 return;
2151
2152 if (!ch->is_server
2153 && ch->have_received_enc_pkt
2154 && ossl_quic_pkt_type_has_scid(ch->qrx_pkt->hdr->type)) {
2155 /*
2156 * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
2157 * from the server, it MUST discard any subsequent packet it receives on
2158 * that connection with a different SCID."
2159 */
2160 if (!ossl_quic_conn_id_eq(&ch->qrx_pkt->hdr->src_conn_id,
2161 &ch->init_scid))
2162 return;
2163 }
2164
2165 if (ossl_quic_pkt_type_has_version(ch->qrx_pkt->hdr->type)
2166 && ch->qrx_pkt->hdr->version != QUIC_VERSION_1)
2167 /*
2168 * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
2169 * different version than it initially selected, it MUST discard the
2170 * packet. We only ever use v1, so require it.
2171 */
2172 return;
2173
2174 ch->have_processed_any_pkt = 1;
2175
2176 /*
2177 * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
2178 * non-zero value for [the reserved bits] after removing both packet and
2179 * header protection as a connection error of type PROTOCOL_VIOLATION."
2180 */
2181 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)
2182 && ch->qrx_pkt->hdr->reserved != 0) {
2183 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2184 0, "packet header reserved bits");
2185 return;
2186 }
2187
2188 iovec.buf = ch->qrx_pkt->hdr->data;
2189 iovec.buf_len = ch->qrx_pkt->hdr->len;
2190 ossl_qlog_event_transport_packet_received(ch_get_qlog(ch), ch->qrx_pkt->hdr,
2191 ch->qrx_pkt->pn, &iovec, 1,
2192 ch->qrx_pkt->datagram_id);
2193
2194 /* Handle incoming packet. */
2195 switch (ch->qrx_pkt->hdr->type) {
2196 case QUIC_PKT_TYPE_RETRY:
2197 if (ch->doing_retry || ch->is_server)
2198 /*
2199 * It is not allowed to ask a client to do a retry more than
2200 * once. Clients may not send retries.
2201 */
2202 return;
2203
2204 /*
2205 * RFC 9000 s 17.2.5.2: After the client has received and processed an
2206 * Initial or Retry packet from the server, it MUST discard any
2207 * subsequent Retry packets that it receives.
2208 */
2209 if (ch->have_received_enc_pkt)
2210 return;
2211
2212 if (ch->qrx_pkt->hdr->len <= QUIC_RETRY_INTEGRITY_TAG_LEN)
2213 /* Packets with zero-length Retry Tokens are invalid. */
2214 return;
2215
2216 /*
2217 * TODO(QUIC FUTURE): Theoretically this should probably be in the QRX.
2218 * However because validation is dependent on context (namely the
2219 * client's initial DCID) we can't do this cleanly. In the future we
2220 * should probably add a callback to the QRX to let it call us (via
2221 * the DEMUX) and ask us about the correct original DCID, rather
2222 * than allow the QRX to emit a potentially malformed packet to the
2223 * upper layers. However, special casing this will do for now.
2224 */
2225 if (!ossl_quic_validate_retry_integrity_tag(ch->port->engine->libctx,
2226 ch->port->engine->propq,
2227 ch->qrx_pkt->hdr,
2228 &ch->init_dcid))
2229 /* Malformed retry packet, ignore. */
2230 return;
2231
2232 if (!ch_retry(ch, ch->qrx_pkt->hdr->data,
2233 ch->qrx_pkt->hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN,
2234 &ch->qrx_pkt->hdr->src_conn_id))
2235 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR,
2236 0, "handling retry packet");
2237 break;
2238
2239 case QUIC_PKT_TYPE_0RTT:
2240 if (!ch->is_server)
2241 /* Clients should never receive 0-RTT packets. */
2242 return;
2243
2244 /*
2245 * TODO(QUIC 0RTT): Implement 0-RTT on the server side. We currently
2246 * do not need to implement this as a client can only do 0-RTT if we
2247 * have given it permission to in a previous session.
2248 */
2249 break;
2250
2251 case QUIC_PKT_TYPE_INITIAL:
2252 case QUIC_PKT_TYPE_HANDSHAKE:
2253 case QUIC_PKT_TYPE_1RTT:
2254 if (ch->is_server && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_HANDSHAKE)
2255 /*
2256 * We automatically drop INITIAL EL keys when first successfully
2257 * decrypting a HANDSHAKE packet, as per the RFC.
2258 */
2259 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
2260
2261 if (ch->rxku_in_progress
2262 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_1RTT
2263 && ch->qrx_pkt->pn >= ch->rxku_trigger_pn
2264 && ch->qrx_pkt->key_epoch < ossl_qrx_get_key_epoch(ch->qrx)) {
2265 /*
2266 * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
2267 * protected with either the same or newer packet protection keys
2268 * than packets with lower packet numbers. An endpoint that
2269 * successfully removes protection with old keys when newer keys
2270 * were used for packets with lower packet numbers MUST treat this
2271 * as a connection error of type KEY_UPDATE_ERROR.
2272 */
2273 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_KEY_UPDATE_ERROR,
2274 0, "new packet with old keys");
2275 break;
2276 }
2277
2278 if (!ch->is_server
2279 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_INITIAL
2280 && ch->qrx_pkt->hdr->token_len > 0) {
2281 /*
2282 * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
2283 * non-zero Token Length field MUST either discard the packet or
2284 * generate a connection error of type PROTOCOL_VIOLATION.
2285 *
2286 * TODO(QUIC FUTURE): consider the implications of RFC 9000 s. 10.2.3
2287 * Immediate Close during the Handshake:
2288 * However, at the cost of reducing feedback about
2289 * errors for legitimate peers, some forms of denial of
2290 * service can be made more difficult for an attacker
2291 * if endpoints discard illegal packets rather than
2292 * terminating a connection with CONNECTION_CLOSE. For
2293 * this reason, endpoints MAY discard packets rather
2294 * than immediately close if errors are detected in
2295 * packets that lack authentication.
2296 * I.e. should we drop this packet instead of closing the connection?
2297 */
2298 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2299 0, "client received initial token");
2300 break;
2301 }
2302
2303 /* This packet contains frames, pass to the RXDP. */
2304 ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */
2305
2306 if (ch->did_crypto_frame)
2307 ch_tick_tls(ch, channel_only);
2308
2309 break;
2310
2311 case QUIC_PKT_TYPE_VERSION_NEG:
2312 /*
2313 * "A client MUST discard any Version Negotiation packet if it has
2314 * received and successfully processed any other packet."
2315 */
2316 if (!old_have_processed_any_pkt)
2317 ch_rx_handle_version_neg(ch, ch->qrx_pkt);
2318
2319 break;
2320
2321 default:
2322 assert(0);
2323 break;
2324 }
2325 }
2326
2327 static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt)
2328 {
2329 /*
2330 * We do not support version negotiation at this time. As per RFC 9000 s.
2331 * 6.2., we MUST abandon the connection attempt if we receive a Version
2332 * Negotiation packet, unless we have already successfully processed another
2333 * incoming packet, or the packet lists the QUIC version we want to use.
2334 */
2335 PACKET vpkt;
2336 unsigned long v;
2337
2338 if (!PACKET_buf_init(&vpkt, pkt->hdr->data, pkt->hdr->len))
2339 return;
2340
2341 while (PACKET_remaining(&vpkt) > 0) {
2342 if (!PACKET_get_net_4(&vpkt, &v))
2343 break;
2344
2345 if ((uint32_t)v == QUIC_VERSION_1)
2346 return;
2347 }
2348
2349 /* No match, this is a failure case. */
2350 ch_raise_version_neg_failure(ch);
2351 }
2352
2353 static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch)
2354 {
2355 QUIC_TERMINATE_CAUSE tcause = {0};
2356
2357 tcause.error_code = QUIC_ERR_CONNECTION_REFUSED;
2358 tcause.reason = "version negotiation failure";
2359 tcause.reason_len = strlen(tcause.reason);
2360
2361 /*
2362 * Skip TERMINATING state; this is not considered a protocol error and we do
2363 * not send CONNECTION_CLOSE.
2364 */
2365 ch_start_terminating(ch, &tcause, 1);
2366 }
2367
2368 /* Try to generate packets and if possible, flush them to the network. */
2369 static int ch_tx(QUIC_CHANNEL *ch)
2370 {
2371 QUIC_TXP_STATUS status;
2372 int res;
2373
2374 /*
2375 * RFC 9000 s. 10.2.2: Draining Connection State:
2376 * While otherwise identical to the closing state, an endpoint
2377 * in the draining state MUST NOT send any packets.
2378 * and:
2379 * An endpoint MUST NOT send further packets.
2380 */
2381 if (ossl_quic_channel_is_draining(ch))
2382 return 0;
2383
2384 if (ossl_quic_channel_is_closing(ch)) {
2385 /*
2386 * While closing, only send CONN_CLOSE if we've received more traffic
2387 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
2388 * future calls to it generate CONN_CLOSE frames, so otherwise we would
2389 * just constantly generate CONN_CLOSE frames.
2390 *
2391 * Confirming to RFC 9000 s. 10.2.1 Closing Connection State:
2392 * An endpoint SHOULD limit the rate at which it generates
2393 * packets in the closing state.
2394 */
2395 if (!ch->conn_close_queued)
2396 return 0;
2397
2398 ch->conn_close_queued = 0;
2399 }
2400
2401 /* Do TXKU if we need to. */
2402 ch_maybe_trigger_spontaneous_txku(ch);
2403
2404 ch->rxku_pending_confirm_done = 0;
2405
2406 /* Loop until we stop generating packets to send */
2407 do {
2408 /*
2409 * Send packet, if we need to. Best effort. The TXP consults the CC and
2410 * applies any limitations imposed by it, so we don't need to do it here.
2411 *
2412 * Best effort. In particular if TXP fails for some reason we should
2413 * still flush any queued packets which we already generated.
2414 */
2415 res = ossl_quic_tx_packetiser_generate(ch->txp, &status);
2416 if (status.sent_pkt > 0) {
2417 ch->have_sent_any_pkt = 1; /* Packet(s) were sent */
2418 ch->port->have_sent_any_pkt = 1;
2419
2420 /*
2421 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
2422 * sending an ack-eliciting packet if no other ack-eliciting packets
2423 * have been sent since last receiving and processing a packet.'
2424 */
2425 if (status.sent_ack_eliciting
2426 && !ch->have_sent_ack_eliciting_since_rx) {
2427 ch_update_idle(ch);
2428 ch->have_sent_ack_eliciting_since_rx = 1;
2429 }
2430
2431 if (!ch->is_server && status.sent_handshake)
2432 /*
2433 * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
2434 * first sends a Handshake packet.
2435 */
2436 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
2437
2438 if (ch->rxku_pending_confirm_done)
2439 ch->rxku_pending_confirm = 0;
2440
2441 ch_update_ping_deadline(ch);
2442 }
2443
2444 if (!res) {
2445 /*
2446 * One case where TXP can fail is if we reach a TX PN of 2**62 - 1.
2447 * As per RFC 9000 s. 12.3, if this happens we MUST close the
2448 * connection without sending a CONNECTION_CLOSE frame. This is
2449 * actually handled as an emergent consequence of our design, as the
2450 * TX packetiser will never transmit another packet when the TX PN
2451 * reaches the limit.
2452 *
2453 * Calling the below function terminates the connection; its attempt
2454 * to schedule a CONNECTION_CLOSE frame will not actually cause a
2455 * packet to be transmitted for this reason.
2456 */
2457 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INTERNAL_ERROR,
2458 0,
2459 "internal error (txp generate)");
2460 break;
2461 }
2462 } while (status.sent_pkt > 0);
2463
2464 /* Flush packets to network. */
2465 switch (ossl_qtx_flush_net(ch->qtx)) {
2466 case QTX_FLUSH_NET_RES_OK:
2467 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL:
2468 /* Best effort, done for now. */
2469 break;
2470
2471 case QTX_FLUSH_NET_RES_PERMANENT_FAIL:
2472 default:
2473 /* Permanent underlying network BIO, start terminating. */
2474 ossl_quic_port_raise_net_error(ch->port, ch);
2475 break;
2476 }
2477
2478 return 1;
2479 }
2480
2481 /* Determine next tick deadline. */
2482 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch)
2483 {
2484 OSSL_TIME deadline;
2485 int i;
2486
2487 if (ossl_quic_channel_is_terminated(ch))
2488 return ossl_time_infinite();
2489
2490 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
2491 if (ossl_time_is_zero(deadline))
2492 deadline = ossl_time_infinite();
2493
2494 /*
2495 * Check the ack deadline for all enc_levels that are actually provisioned.
2496 * ACKs aren't restricted by CC.
2497 */
2498 for (i = 0; i < QUIC_ENC_LEVEL_NUM; i++) {
2499 if (ossl_qtx_is_enc_level_provisioned(ch->qtx, i)) {
2500 deadline = ossl_time_min(deadline,
2501 ossl_ackm_get_ack_deadline(ch->ackm,
2502 ossl_quic_enc_level_to_pn_space(i)));
2503 }
2504 }
2505
2506 /*
2507 * When do we need to send an ACK-eliciting packet to reset the idle
2508 * deadline timer for the peer?
2509 */
2510 if (!ossl_time_is_infinite(ch->ping_deadline))
2511 deadline = ossl_time_min(deadline, ch->ping_deadline);
2512
2513 /* Apply TXP wakeup deadline. */
2514 deadline = ossl_time_min(deadline,
2515 ossl_quic_tx_packetiser_get_deadline(ch->txp));
2516
2517 /* Is the terminating timer armed? */
2518 if (ossl_quic_channel_is_terminating(ch))
2519 deadline = ossl_time_min(deadline,
2520 ch->terminate_deadline);
2521 else if (!ossl_time_is_infinite(ch->idle_deadline))
2522 deadline = ossl_time_min(deadline,
2523 ch->idle_deadline);
2524
2525 /* When does the RXKU process complete? */
2526 if (ch->rxku_in_progress)
2527 deadline = ossl_time_min(deadline, ch->rxku_update_end_deadline);
2528
2529 return deadline;
2530 }
2531
2532 /*
2533 * QUIC Channel: Lifecycle Events
2534 * ==============================
2535 */
2536
2537 /*
2538 * Record a state transition. This is not necessarily a change to ch->state but
2539 * also includes the handshake becoming complete or confirmed, etc.
2540 */
2541 static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state)
2542 {
2543 uint32_t old_state = ch->state;
2544
2545 ch->state = new_state;
2546
2547 ossl_qlog_event_connectivity_connection_state_updated(ch_get_qlog(ch),
2548 old_state,
2549 new_state,
2550 ch->handshake_complete,
2551 ch->handshake_confirmed);
2552 }
2553
2554 int ossl_quic_channel_start(QUIC_CHANNEL *ch)
2555 {
2556 if (ch->is_server)
2557 /*
2558 * This is not used by the server. The server moves to active
2559 * automatically on receiving an incoming connection.
2560 */
2561 return 0;
2562
2563 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
2564 /* Calls to connect are idempotent */
2565 return 1;
2566
2567 /* Inform QTX of peer address. */
2568 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
2569 return 0;
2570
2571 /* Plug in secrets for the Initial EL. */
2572 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
2573 ch->port->engine->propq,
2574 &ch->init_dcid,
2575 ch->is_server,
2576 ch->qrx, ch->qtx))
2577 return 0;
2578
2579 /* Change state. */
2580 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
2581 ch->doing_proactive_ver_neg = 0; /* not currently supported */
2582
2583 ossl_qlog_event_connectivity_connection_started(ch_get_qlog(ch),
2584 &ch->init_dcid);
2585
2586 /* Handshake layer: start (e.g. send CH). */
2587 if (!ch_tick_tls(ch, /*channel_only=*/0))
2588 return 0;
2589
2590 ossl_quic_reactor_tick(ossl_quic_port_get0_reactor(ch->port), 0); /* best effort */
2591 return 1;
2592 }
2593
2594 /* Start a locally initiated connection shutdown. */
2595 void ossl_quic_channel_local_close(QUIC_CHANNEL *ch, uint64_t app_error_code,
2596 const char *app_reason)
2597 {
2598 QUIC_TERMINATE_CAUSE tcause = {0};
2599
2600 if (ossl_quic_channel_is_term_any(ch))
2601 return;
2602
2603 tcause.app = 1;
2604 tcause.error_code = app_error_code;
2605 tcause.reason = app_reason;
2606 tcause.reason_len = app_reason != NULL ? strlen(app_reason) : 0;
2607 ch_start_terminating(ch, &tcause, 0);
2608 }
2609
2610 static void free_token(const unsigned char *buf, size_t buf_len, void *arg)
2611 {
2612 OPENSSL_free((unsigned char *)buf);
2613 }
2614
2615 /* Called when a server asks us to do a retry. */
2616 static int ch_retry(QUIC_CHANNEL *ch,
2617 const unsigned char *retry_token,
2618 size_t retry_token_len,
2619 const QUIC_CONN_ID *retry_scid)
2620 {
2621 void *buf;
2622
2623 /*
2624 * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
2625 * a SCID field that is identical to the DCID field of its initial packet."
2626 */
2627 if (ossl_quic_conn_id_eq(&ch->init_dcid, retry_scid))
2628 return 1;
2629
2630 /* We change to using the SCID in the Retry packet as the DCID. */
2631 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, retry_scid))
2632 return 0;
2633
2634 /*
2635 * Now we retry. We will release the Retry packet immediately, so copy
2636 * the token.
2637 */
2638 if ((buf = OPENSSL_memdup(retry_token, retry_token_len)) == NULL)
2639 return 0;
2640
2641 if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, buf,
2642 retry_token_len,
2643 free_token, NULL)) {
2644 /*
2645 * This may fail if the token we receive is too big for us to ever be
2646 * able to transmit in an outgoing Initial packet.
2647 */
2648 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_INVALID_TOKEN, 0,
2649 "received oversize token");
2650 OPENSSL_free(buf);
2651 return 0;
2652 }
2653
2654 ch->retry_scid = *retry_scid;
2655 ch->doing_retry = 1;
2656
2657 /*
2658 * We need to stimulate the Initial EL to generate the first CRYPTO frame
2659 * again. We can do this most cleanly by simply forcing the ACKM to consider
2660 * the first Initial packet as lost, which it effectively was as the server
2661 * hasn't processed it. This also maintains the desired behaviour with e.g.
2662 * PNs not resetting and so on.
2663 *
2664 * The PN we used initially is always zero, because QUIC does not allow
2665 * repeated retries.
2666 */
2667 if (!ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
2668 /*PN=*/0))
2669 return 0;
2670
2671 /*
2672 * Plug in new secrets for the Initial EL. This is the only time we change
2673 * the secrets for an EL after we already provisioned it.
2674 */
2675 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
2676 ch->port->engine->propq,
2677 &ch->retry_scid,
2678 /*is_server=*/0,
2679 ch->qrx, ch->qtx))
2680 return 0;
2681
2682 return 1;
2683 }
2684
2685 /* Called when an EL is to be discarded. */
2686 static int ch_discard_el(QUIC_CHANNEL *ch,
2687 uint32_t enc_level)
2688 {
2689 if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_1RTT))
2690 return 0;
2691
2692 if ((ch->el_discarded & (1U << enc_level)) != 0)
2693 /* Already done. */
2694 return 1;
2695
2696 /* Best effort for all of these. */
2697 ossl_quic_tx_packetiser_discard_enc_level(ch->txp, enc_level);
2698 ossl_qrx_discard_enc_level(ch->qrx, enc_level);
2699 ossl_qtx_discard_enc_level(ch->qtx, enc_level);
2700
2701 if (enc_level != QUIC_ENC_LEVEL_0RTT) {
2702 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
2703
2704 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
2705
2706 /* We should still have crypto streams at this point. */
2707 if (!ossl_assert(ch->crypto_send[pn_space] != NULL)
2708 || !ossl_assert(ch->crypto_recv[pn_space] != NULL))
2709 return 0;
2710
2711 /* Get rid of the crypto stream state for the EL. */
2712 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
2713 ch->crypto_send[pn_space] = NULL;
2714
2715 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
2716 ch->crypto_recv[pn_space] = NULL;
2717 }
2718
2719 ch->el_discarded |= (1U << enc_level);
2720 return 1;
2721 }
2722
2723 /* Intended to be called by the RXDP. */
2724 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch)
2725 {
2726 if (ch->handshake_confirmed)
2727 return 1;
2728
2729 if (!ch->handshake_complete) {
2730 /*
2731 * Does not make sense for handshake to be confirmed before it is
2732 * completed.
2733 */
2734 ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
2735 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE,
2736 "handshake cannot be confirmed "
2737 "before it is completed");
2738 return 0;
2739 }
2740
2741 ch_discard_el(ch, QUIC_ENC_LEVEL_HANDSHAKE);
2742 ch->handshake_confirmed = 1;
2743 ch_record_state_transition(ch, ch->state);
2744 ossl_ackm_on_handshake_confirmed(ch->ackm);
2745 return 1;
2746 }
2747
2748 /*
2749 * Master function used when we want to start tearing down a connection:
2750 *
2751 * - If the connection is still IDLE we can go straight to TERMINATED;
2752 *
2753 * - If we are already TERMINATED this is a no-op.
2754 *
2755 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
2756 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
2757 *
2758 * - If we are TERMINATING - DRAINING, we remain here until the terminating
2759 * timer expires.
2760 *
2761 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
2762 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
2763 * that we are considered to have caused a termination if we sent the first
2764 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
2765 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
2766 * TERMINATING - DRAINING.
2767 *
2768 * We record the termination cause structure passed on the first call only.
2769 * Any successive calls have their termination cause data discarded;
2770 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
2771 * in it.
2772 *
2773 * This conforms to RFC 9000 s. 10.2.1: Closing Connection State:
2774 * To minimize the state that an endpoint maintains for a closing
2775 * connection, endpoints MAY send the exact same packet in response
2776 * to any received packet.
2777 *
2778 * We don't drop any connection state (specifically packet protection keys)
2779 * even though we are permitted to. This conforms to RFC 9000 s. 10.2.1:
2780 * Closing Connection State:
2781 * An endpoint MAY retain packet protection keys for incoming
2782 * packets to allow it to read and process a CONNECTION_CLOSE frame.
2783 *
2784 * Note that we do not conform to these two from the same section:
2785 * An endpoint's selected connection ID and the QUIC version
2786 * are sufficient information to identify packets for a closing
2787 * connection; the endpoint MAY discard all other connection state.
2788 * and:
2789 * An endpoint MAY drop packet protection keys when entering the
2790 * closing state and send a packet containing a CONNECTION_CLOSE
2791 * frame in response to any UDP datagram that is received.
2792 */
2793 static void copy_tcause(QUIC_TERMINATE_CAUSE *dst,
2794 const QUIC_TERMINATE_CAUSE *src)
2795 {
2796 dst->error_code = src->error_code;
2797 dst->frame_type = src->frame_type;
2798 dst->app = src->app;
2799 dst->remote = src->remote;
2800
2801 dst->reason = NULL;
2802 dst->reason_len = 0;
2803
2804 if (src->reason != NULL && src->reason_len > 0) {
2805 size_t l = src->reason_len;
2806 char *r;
2807
2808 if (l >= SIZE_MAX)
2809 --l;
2810
2811 /*
2812 * If this fails, dst->reason becomes NULL and we simply do not use a
2813 * reason. This ensures termination is infallible.
2814 */
2815 dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
2816 if (r == NULL)
2817 return;
2818
2819 r[l] = '\0';
2820 dst->reason_len = l;
2821 }
2822 }
2823
2824 static void ch_start_terminating(QUIC_CHANNEL *ch,
2825 const QUIC_TERMINATE_CAUSE *tcause,
2826 int force_immediate)
2827 {
2828 /* No point sending anything if we haven't sent anything yet. */
2829 if (!ch->have_sent_any_pkt)
2830 force_immediate = 1;
2831
2832 switch (ch->state) {
2833 default:
2834 case QUIC_CHANNEL_STATE_IDLE:
2835 copy_tcause(&ch->terminate_cause, tcause);
2836 ch_on_terminating_timeout(ch);
2837 break;
2838
2839 case QUIC_CHANNEL_STATE_ACTIVE:
2840 copy_tcause(&ch->terminate_cause, tcause);
2841
2842 ossl_qlog_event_connectivity_connection_closed(ch_get_qlog(ch), tcause);
2843
2844 if (!force_immediate) {
2845 ch_record_state_transition(ch, tcause->remote
2846 ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
2847 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING);
2848 /*
2849 * RFC 9000 s. 10.2 Immediate Close
2850 * These states SHOULD persist for at least three times
2851 * the current PTO interval as defined in [QUIC-RECOVERY].
2852 */
2853 ch->terminate_deadline
2854 = ossl_time_add(get_time(ch),
2855 ossl_time_multiply(ossl_ackm_get_pto_duration(ch->ackm),
2856 3));
2857
2858 if (!tcause->remote) {
2859 OSSL_QUIC_FRAME_CONN_CLOSE f = {0};
2860
2861 /* best effort */
2862 f.error_code = ch->terminate_cause.error_code;
2863 f.frame_type = ch->terminate_cause.frame_type;
2864 f.is_app = ch->terminate_cause.app;
2865 f.reason = (char *)ch->terminate_cause.reason;
2866 f.reason_len = ch->terminate_cause.reason_len;
2867 ossl_quic_tx_packetiser_schedule_conn_close(ch->txp, &f);
2868 /*
2869 * RFC 9000 s. 10.2.2 Draining Connection State:
2870 * An endpoint that receives a CONNECTION_CLOSE frame MAY
2871 * send a single packet containing a CONNECTION_CLOSE
2872 * frame before entering the draining state, using a
2873 * NO_ERROR code if appropriate
2874 */
2875 ch->conn_close_queued = 1;
2876 }
2877 } else {
2878 ch_on_terminating_timeout(ch);
2879 }
2880 break;
2881
2882 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING:
2883 if (force_immediate)
2884 ch_on_terminating_timeout(ch);
2885 else if (tcause->remote)
2886 /*
2887 * RFC 9000 s. 10.2.2 Draining Connection State:
2888 * An endpoint MAY enter the draining state from the
2889 * closing state if it receives a CONNECTION_CLOSE frame,
2890 * which indicates that the peer is also closing or draining.
2891 */
2892 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATING_DRAINING);
2893
2894 break;
2895
2896 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING:
2897 /*
2898 * Other than in the force-immediate case, we remain here until the
2899 * timeout expires.
2900 */
2901 if (force_immediate)
2902 ch_on_terminating_timeout(ch);
2903
2904 break;
2905
2906 case QUIC_CHANNEL_STATE_TERMINATED:
2907 /* No-op. */
2908 break;
2909 }
2910 }
2911
2912 /* For RXDP use. */
2913 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
2914 OSSL_QUIC_FRAME_CONN_CLOSE *f)
2915 {
2916 QUIC_TERMINATE_CAUSE tcause = {0};
2917
2918 if (!ossl_quic_channel_is_active(ch))
2919 return;
2920
2921 tcause.remote = 1;
2922 tcause.app = f->is_app;
2923 tcause.error_code = f->error_code;
2924 tcause.frame_type = f->frame_type;
2925 tcause.reason = f->reason;
2926 tcause.reason_len = f->reason_len;
2927 ch_start_terminating(ch, &tcause, 0);
2928 }
2929
2930 static void free_frame_data(unsigned char *buf, size_t buf_len, void *arg)
2931 {
2932 OPENSSL_free(buf);
2933 }
2934
2935 static int ch_enqueue_retire_conn_id(QUIC_CHANNEL *ch, uint64_t seq_num)
2936 {
2937 BUF_MEM *buf_mem = NULL;
2938 WPACKET wpkt;
2939 size_t l;
2940
2941 ossl_quic_srtm_remove(ch->srtm, ch, seq_num);
2942
2943 if ((buf_mem = BUF_MEM_new()) == NULL)
2944 goto err;
2945
2946 if (!WPACKET_init(&wpkt, buf_mem))
2947 goto err;
2948
2949 if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt, seq_num)) {
2950 WPACKET_cleanup(&wpkt);
2951 goto err;
2952 }
2953
2954 WPACKET_finish(&wpkt);
2955 if (!WPACKET_get_total_written(&wpkt, &l))
2956 goto err;
2957
2958 if (ossl_quic_cfq_add_frame(ch->cfq, 1, QUIC_PN_SPACE_APP,
2959 OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID, 0,
2960 (unsigned char *)buf_mem->data, l,
2961 free_frame_data, NULL) == NULL)
2962 goto err;
2963
2964 buf_mem->data = NULL;
2965 BUF_MEM_free(buf_mem);
2966 return 1;
2967
2968 err:
2969 ossl_quic_channel_raise_protocol_error(ch,
2970 QUIC_ERR_INTERNAL_ERROR,
2971 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2972 "internal error enqueueing retire conn id");
2973 BUF_MEM_free(buf_mem);
2974 return 0;
2975 }
2976
2977 void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL *ch,
2978 OSSL_QUIC_FRAME_NEW_CONN_ID *f)
2979 {
2980 uint64_t new_remote_seq_num = ch->cur_remote_seq_num;
2981 uint64_t new_retire_prior_to = ch->cur_retire_prior_to;
2982
2983 if (!ossl_quic_channel_is_active(ch))
2984 return;
2985
2986 /* We allow only two active connection ids; first check some constraints */
2987 if (ch->cur_remote_dcid.id_len == 0) {
2988 /* Changing from 0 length connection id is disallowed */
2989 ossl_quic_channel_raise_protocol_error(ch,
2990 QUIC_ERR_PROTOCOL_VIOLATION,
2991 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
2992 "zero length connection id in use");
2993
2994 return;
2995 }
2996
2997 if (f->seq_num > new_remote_seq_num)
2998 new_remote_seq_num = f->seq_num;
2999 if (f->retire_prior_to > new_retire_prior_to)
3000 new_retire_prior_to = f->retire_prior_to;
3001
3002 /*
3003 * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
3004 * than the peer's limit.
3005 *
3006 * After processing a NEW_CONNECTION_ID frame and adding and retiring
3007 * active connection IDs, if the number of active connection IDs exceeds
3008 * the value advertised in its active_connection_id_limit transport
3009 * parameter, an endpoint MUST close the connection with an error of
3010 * type CONNECTION_ID_LIMIT_ERROR.
3011 */
3012 if (new_remote_seq_num - new_retire_prior_to > 1) {
3013 ossl_quic_channel_raise_protocol_error(ch,
3014 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3015 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3016 "active_connection_id limit violated");
3017 return;
3018 }
3019
3020 /*
3021 * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
3022 * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
3023 * the retirement of any excess, by including a sufficiently large
3024 * value in the Retire Prior To field.
3025 *
3026 * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
3027 * a number of RETIRE_CONNECTION_ID frames of at least twice the value
3028 * of the active_connection_id_limit transport parameter. An endpoint
3029 * MUST NOT forget a connection ID without retiring it, though it MAY
3030 * choose to treat having connection IDs in need of retirement that
3031 * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
3032 *
3033 * We are a little bit more liberal than the minimum mandated.
3034 */
3035 if (new_retire_prior_to - ch->cur_retire_prior_to > 10) {
3036 ossl_quic_channel_raise_protocol_error(ch,
3037 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3038 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3039 "retiring connection id limit violated");
3040
3041 return;
3042 }
3043
3044 if (new_remote_seq_num > ch->cur_remote_seq_num) {
3045 /* Add new stateless reset token */
3046 if (!ossl_quic_srtm_add(ch->srtm, ch, new_remote_seq_num,
3047 &f->stateless_reset)) {
3048 ossl_quic_channel_raise_protocol_error(
3049 ch, QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3050 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3051 "unable to store stateless reset token");
3052
3053 return;
3054 }
3055 ch->cur_remote_seq_num = new_remote_seq_num;
3056 ch->cur_remote_dcid = f->conn_id;
3057 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid);
3058 }
3059
3060 /*
3061 * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
3062 * field, the peer MUST stop using the corresponding connection IDs
3063 * and retire them with RETIRE_CONNECTION_ID frames before adding the
3064 * newly provided connection ID to the set of active connection IDs.
3065 */
3066
3067 /*
3068 * Note: RFC 9000 s. 19.15 says:
3069 * "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
3070 * number smaller than the Retire Prior To field of a previously received
3071 * NEW_CONNECTION_ID frame MUST send a corresponding
3072 * RETIRE_CONNECTION_ID frame that retires the newly received connection
3073 * ID, unless it has already done so for that sequence number."
3074 *
3075 * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
3076 * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
3077 * that NEW_CONNECTION_ID frame, by definition this will always be met.
3078 * This may change in future when we change our CID handling.
3079 */
3080 while (new_retire_prior_to > ch->cur_retire_prior_to) {
3081 if (!ch_enqueue_retire_conn_id(ch, ch->cur_retire_prior_to))
3082 break;
3083 ++ch->cur_retire_prior_to;
3084 }
3085 }
3086
3087 static void ch_save_err_state(QUIC_CHANNEL *ch)
3088 {
3089 if (ch->err_state == NULL)
3090 ch->err_state = OSSL_ERR_STATE_new();
3091
3092 if (ch->err_state == NULL)
3093 return;
3094
3095 OSSL_ERR_STATE_save(ch->err_state);
3096 }
3097
3098 void ossl_quic_channel_inject(QUIC_CHANNEL *ch, QUIC_URXE *e)
3099 {
3100 ossl_qrx_inject_urxe(ch->qrx, e);
3101 }
3102
3103 void ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL *ch)
3104 {
3105 QUIC_TERMINATE_CAUSE tcause = {0};
3106
3107 tcause.error_code = QUIC_ERR_NO_ERROR;
3108 tcause.remote = 1;
3109 ch_start_terminating(ch, &tcause, 0);
3110 }
3111
3112 void ossl_quic_channel_raise_net_error(QUIC_CHANNEL *ch)
3113 {
3114 QUIC_TERMINATE_CAUSE tcause = {0};
3115
3116 if (ch->net_error)
3117 return;
3118
3119 ch->net_error = 1;
3120
3121 tcause.error_code = QUIC_ERR_INTERNAL_ERROR;
3122 tcause.reason = "network BIO I/O error";
3123 tcause.reason_len = strlen(tcause.reason);
3124
3125 /*
3126 * Skip Terminating state and go directly to Terminated, no point trying to
3127 * send CONNECTION_CLOSE if we cannot communicate.
3128 */
3129 ch_start_terminating(ch, &tcause, 1);
3130 }
3131
3132 int ossl_quic_channel_net_error(QUIC_CHANNEL *ch)
3133 {
3134 return ch->net_error;
3135 }
3136
3137 void ossl_quic_channel_restore_err_state(QUIC_CHANNEL *ch)
3138 {
3139 if (ch == NULL)
3140 return;
3141
3142 if (!ossl_quic_port_is_running(ch->port))
3143 ossl_quic_port_restore_err_state(ch->port);
3144 else
3145 OSSL_ERR_STATE_restore(ch->err_state);
3146 }
3147
3148 void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch,
3149 uint64_t error_code,
3150 uint64_t frame_type,
3151 const char *reason,
3152 ERR_STATE *err_state,
3153 const char *src_file,
3154 int src_line,
3155 const char *src_func)
3156 {
3157 QUIC_TERMINATE_CAUSE tcause = {0};
3158 int err_reason = error_code == QUIC_ERR_INTERNAL_ERROR
3159 ? ERR_R_INTERNAL_ERROR : SSL_R_QUIC_PROTOCOL_ERROR;
3160 const char *err_str = ossl_quic_err_to_string(error_code);
3161 const char *err_str_pfx = " (", *err_str_sfx = ")";
3162 const char *ft_str = NULL;
3163 const char *ft_str_pfx = " (", *ft_str_sfx = ")";
3164
3165 if (ch->protocol_error)
3166 /* Only the first call to this function matters. */
3167 return;
3168
3169 if (err_str == NULL) {
3170 err_str = "";
3171 err_str_pfx = "";
3172 err_str_sfx = "";
3173 }
3174
3175 /*
3176 * If we were provided an underlying error state, restore it and then append
3177 * our ERR on top as a "cover letter" error.
3178 */
3179 if (err_state != NULL)
3180 OSSL_ERR_STATE_restore(err_state);
3181
3182 if (frame_type != 0) {
3183 ft_str = ossl_quic_frame_type_to_string(frame_type);
3184 if (ft_str == NULL) {
3185 ft_str = "";
3186 ft_str_pfx = "";
3187 ft_str_sfx = "";
3188 }
3189
3190 ERR_raise_data(ERR_LIB_SSL, err_reason,
3191 "QUIC error code: 0x%llx%s%s%s "
3192 "(triggered by frame type: 0x%llx%s%s%s), reason: \"%s\"",
3193 (unsigned long long) error_code,
3194 err_str_pfx, err_str, err_str_sfx,
3195 (unsigned long long) frame_type,
3196 ft_str_pfx, ft_str, ft_str_sfx,
3197 reason);
3198 } else {
3199 ERR_raise_data(ERR_LIB_SSL, err_reason,
3200 "QUIC error code: 0x%llx%s%s%s, reason: \"%s\"",
3201 (unsigned long long) error_code,
3202 err_str_pfx, err_str, err_str_sfx,
3203 reason);
3204 }
3205
3206 if (src_file != NULL)
3207 ERR_set_debug(src_file, src_line, src_func);
3208
3209 ch_save_err_state(ch);
3210
3211 tcause.error_code = error_code;
3212 tcause.frame_type = frame_type;
3213 tcause.reason = reason;
3214 tcause.reason_len = strlen(reason);
3215
3216 ch->protocol_error = 1;
3217 ch_start_terminating(ch, &tcause, 0);
3218 }
3219
3220 /*
3221 * Called once the terminating timer expires, meaning we move from TERMINATING
3222 * to TERMINATED.
3223 */
3224 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch)
3225 {
3226 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
3227 }
3228
3229 /*
3230 * Determines the effective idle timeout duration. This is based on the idle
3231 * timeout values that we and our peer signalled in transport parameters
3232 * but have some limits applied.
3233 */
3234 static OSSL_TIME ch_get_effective_idle_timeout_duration(QUIC_CHANNEL *ch)
3235 {
3236 OSSL_TIME pto;
3237
3238 if (ch->max_idle_timeout == 0)
3239 return ossl_time_infinite();
3240
3241 /*
3242 * RFC 9000 s. 10.1: Idle Timeout
3243 * To avoid excessively small idle timeout periods, endpoints
3244 * MUST increase the idle timeout period to be at least three
3245 * times the current Probe Timeout (PTO). This allows for
3246 * multiple PTOs to expire, and therefore multiple probes to
3247 * be sent and lost, prior to idle timeout.
3248 */
3249 pto = ossl_ackm_get_pto_duration(ch->ackm);
3250 return ossl_time_max(ossl_ms2time(ch->max_idle_timeout),
3251 ossl_time_multiply(pto, 3));
3252 }
3253
3254 /*
3255 * Updates our idle deadline. Called when an event happens which should bump the
3256 * idle timeout.
3257 */
3258 static void ch_update_idle(QUIC_CHANNEL *ch)
3259 {
3260 ch->idle_deadline = ossl_time_add(get_time(ch),
3261 ch_get_effective_idle_timeout_duration(ch));
3262 }
3263
3264 /*
3265 * Updates our ping deadline, which determines when we next generate a ping if
3266 * we don't have any other ACK-eliciting frames to send.
3267 */
3268 static void ch_update_ping_deadline(QUIC_CHANNEL *ch)
3269 {
3270 OSSL_TIME max_span, idle_duration;
3271
3272 idle_duration = ch_get_effective_idle_timeout_duration(ch);
3273 if (ossl_time_is_infinite(idle_duration)) {
3274 ch->ping_deadline = ossl_time_infinite();
3275 return;
3276 }
3277
3278 /*
3279 * Maximum amount of time without traffic before we send a PING to keep
3280 * the connection open. Usually we use max_idle_timeout/2, but ensure
3281 * the period never exceeds the assumed NAT interval to ensure NAT
3282 * devices don't have their state time out (RFC 9000 s. 10.1.2).
3283 */
3284 max_span = ossl_time_divide(idle_duration, 2);
3285 max_span = ossl_time_min(max_span, MAX_NAT_INTERVAL);
3286 ch->ping_deadline = ossl_time_add(get_time(ch), max_span);
3287 }
3288
3289 /* Called when the idle timeout expires. */
3290 static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
3291 {
3292 /*
3293 * Idle timeout does not have an error code associated with it because a
3294 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
3295 * TERMINATED anyway.
3296 */
3297 ch->terminate_cause.app = 0;
3298 ch->terminate_cause.error_code = UINT64_MAX;
3299 ch->terminate_cause.frame_type = 0;
3300
3301 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
3302 }
3303
3304 /* Called when we, as a server, get a new incoming connection. */
3305 int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
3306 const QUIC_CONN_ID *peer_scid,
3307 const QUIC_CONN_ID *peer_dcid)
3308 {
3309 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
3310 return 0;
3311
3312 /* Generate an Initial LCID we will use for the connection. */
3313 if (!ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->cur_local_cid))
3314 return 0;
3315
3316 /* Note our newly learnt peer address and CIDs. */
3317 ch->cur_peer_addr = *peer;
3318 ch->init_dcid = *peer_dcid;
3319 ch->cur_remote_dcid = *peer_scid;
3320
3321 /* Inform QTX of peer address. */
3322 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
3323 return 0;
3324
3325 /* Inform TXP of desired CIDs. */
3326 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid))
3327 return 0;
3328
3329 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
3330 return 0;
3331
3332 /* Plug in secrets for the Initial EL. */
3333 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
3334 ch->port->engine->propq,
3335 &ch->init_dcid,
3336 /*is_server=*/1,
3337 ch->qrx, ch->qtx))
3338 return 0;
3339
3340 /* Register the peer ODCID in the LCIDM. */
3341 if (!ossl_quic_lcidm_enrol_odcid(ch->lcidm, ch, &ch->init_dcid))
3342 return 0;
3343
3344 /* Change state. */
3345 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
3346 ch->doing_proactive_ver_neg = 0; /* not currently supported */
3347 return 1;
3348 }
3349
3350 SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
3351 {
3352 return ch->tls;
3353 }
3354
3355 static int ch_init_new_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs,
3356 int can_send, int can_recv)
3357 {
3358 uint64_t rxfc_wnd;
3359 int server_init = ossl_quic_stream_is_server_init(qs);
3360 int local_init = (ch->is_server == server_init);
3361 int is_uni = !ossl_quic_stream_is_bidi(qs);
3362
3363 if (can_send)
3364 if ((qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
3365 goto err;
3366
3367 if (can_recv)
3368 if ((qs->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL)
3369 goto err;
3370
3371 /* TXFC */
3372 if (!ossl_quic_txfc_init(&qs->txfc, &ch->conn_txfc))
3373 goto err;
3374
3375 if (ch->got_remote_transport_params) {
3376 /*
3377 * If we already got peer TPs we need to apply the initial CWM credit
3378 * now. If we didn't already get peer TPs this will be done
3379 * automatically for all extant streams when we do.
3380 */
3381 if (can_send) {
3382 uint64_t cwm;
3383
3384 if (is_uni)
3385 cwm = ch->rx_init_max_stream_data_uni;
3386 else if (local_init)
3387 cwm = ch->rx_init_max_stream_data_bidi_local;
3388 else
3389 cwm = ch->rx_init_max_stream_data_bidi_remote;
3390
3391 ossl_quic_txfc_bump_cwm(&qs->txfc, cwm);
3392 }
3393 }
3394
3395 /* RXFC */
3396 if (!can_recv)
3397 rxfc_wnd = 0;
3398 else if (is_uni)
3399 rxfc_wnd = ch->tx_init_max_stream_data_uni;
3400 else if (local_init)
3401 rxfc_wnd = ch->tx_init_max_stream_data_bidi_local;
3402 else
3403 rxfc_wnd = ch->tx_init_max_stream_data_bidi_remote;
3404
3405 if (!ossl_quic_rxfc_init(&qs->rxfc, &ch->conn_rxfc,
3406 rxfc_wnd,
3407 DEFAULT_STREAM_RXFC_MAX_WND_MUL * rxfc_wnd,
3408 get_time, ch))
3409 goto err;
3410
3411 return 1;
3412
3413 err:
3414 ossl_quic_sstream_free(qs->sstream);
3415 qs->sstream = NULL;
3416 ossl_quic_rstream_free(qs->rstream);
3417 qs->rstream = NULL;
3418 return 0;
3419 }
3420
3421 static uint64_t *ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL *ch,
3422 int is_uni)
3423 {
3424 return is_uni ? &ch->next_local_stream_ordinal_uni
3425 : &ch->next_local_stream_ordinal_bidi;
3426 }
3427
3428 int ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL *ch,
3429 int is_uni)
3430 {
3431 uint64_t *p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3432
3433 return ossl_quic_stream_map_is_local_allowed_by_stream_limit(&ch->qsm,
3434 *p_next_ordinal,
3435 is_uni);
3436 }
3437
3438 QUIC_STREAM *ossl_quic_channel_new_stream_local(QUIC_CHANNEL *ch, int is_uni)
3439 {
3440 QUIC_STREAM *qs;
3441 int type;
3442 uint64_t stream_id, *p_next_ordinal;
3443
3444 type = ch->is_server ? QUIC_STREAM_INITIATOR_SERVER
3445 : QUIC_STREAM_INITIATOR_CLIENT;
3446
3447 p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3448
3449 if (is_uni)
3450 type |= QUIC_STREAM_DIR_UNI;
3451 else
3452 type |= QUIC_STREAM_DIR_BIDI;
3453
3454 if (*p_next_ordinal >= ((uint64_t)1) << 62)
3455 return NULL;
3456
3457 stream_id = ((*p_next_ordinal) << 2) | type;
3458
3459 if ((qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id, type)) == NULL)
3460 return NULL;
3461
3462 /* Locally-initiated stream, so we always want a send buffer. */
3463 if (!ch_init_new_stream(ch, qs, /*can_send=*/1, /*can_recv=*/!is_uni))
3464 goto err;
3465
3466 ++*p_next_ordinal;
3467 return qs;
3468
3469 err:
3470 ossl_quic_stream_map_release(&ch->qsm, qs);
3471 return NULL;
3472 }
3473
3474 QUIC_STREAM *ossl_quic_channel_new_stream_remote(QUIC_CHANNEL *ch,
3475 uint64_t stream_id)
3476 {
3477 uint64_t peer_role;
3478 int is_uni;
3479 QUIC_STREAM *qs;
3480
3481 peer_role = ch->is_server
3482 ? QUIC_STREAM_INITIATOR_CLIENT
3483 : QUIC_STREAM_INITIATOR_SERVER;
3484
3485 if ((stream_id & QUIC_STREAM_INITIATOR_MASK) != peer_role)
3486 return NULL;
3487
3488 is_uni = ((stream_id & QUIC_STREAM_DIR_MASK) == QUIC_STREAM_DIR_UNI);
3489
3490 qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id,
3491 stream_id & (QUIC_STREAM_INITIATOR_MASK
3492 | QUIC_STREAM_DIR_MASK));
3493 if (qs == NULL)
3494 return NULL;
3495
3496 if (!ch_init_new_stream(ch, qs, /*can_send=*/!is_uni, /*can_recv=*/1))
3497 goto err;
3498
3499 if (ch->incoming_stream_auto_reject)
3500 ossl_quic_channel_reject_stream(ch, qs);
3501 else
3502 ossl_quic_stream_map_push_accept_queue(&ch->qsm, qs);
3503
3504 return qs;
3505
3506 err:
3507 ossl_quic_stream_map_release(&ch->qsm, qs);
3508 return NULL;
3509 }
3510
3511 void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL *ch,
3512 int enable,
3513 uint64_t aec)
3514 {
3515 ch->incoming_stream_auto_reject = (enable != 0);
3516 ch->incoming_stream_auto_reject_aec = aec;
3517 }
3518
3519 void ossl_quic_channel_reject_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs)
3520 {
3521 ossl_quic_stream_map_stop_sending_recv_part(&ch->qsm, qs,
3522 ch->incoming_stream_auto_reject_aec);
3523
3524 ossl_quic_stream_map_reset_stream_send_part(&ch->qsm, qs,
3525 ch->incoming_stream_auto_reject_aec);
3526 qs->deleted = 1;
3527
3528 ossl_quic_stream_map_update_state(&ch->qsm, qs);
3529 }
3530
3531 /* Replace local connection ID in TXP and DEMUX for testing purposes. */
3532 int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL *ch,
3533 const QUIC_CONN_ID *conn_id)
3534 {
3535 /* Remove the current LCID from the LCIDM. */
3536 if (!ossl_quic_lcidm_debug_remove(ch->lcidm, &ch->cur_local_cid))
3537 return 0;
3538 ch->cur_local_cid = *conn_id;
3539 /* Set in the TXP, used only for long header packets. */
3540 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
3541 return 0;
3542 /* Add the new LCID to the LCIDM. */
3543 if (!ossl_quic_lcidm_debug_add(ch->lcidm, ch, &ch->cur_local_cid,
3544 100))
3545 return 0;
3546 return 1;
3547 }
3548
3549 void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL *ch,
3550 ossl_msg_cb msg_callback,
3551 SSL *msg_callback_ssl)
3552 {
3553 ch->msg_callback = msg_callback;
3554 ch->msg_callback_ssl = msg_callback_ssl;
3555 ossl_qtx_set_msg_callback(ch->qtx, msg_callback, msg_callback_ssl);
3556 ossl_quic_tx_packetiser_set_msg_callback(ch->txp, msg_callback,
3557 msg_callback_ssl);
3558 ossl_qrx_set_msg_callback(ch->qrx, msg_callback, msg_callback_ssl);
3559 }
3560
3561 void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
3562 void *msg_callback_arg)
3563 {
3564 ch->msg_callback_arg = msg_callback_arg;
3565 ossl_qtx_set_msg_callback_arg(ch->qtx, msg_callback_arg);
3566 ossl_quic_tx_packetiser_set_msg_callback_arg(ch->txp, msg_callback_arg);
3567 ossl_qrx_set_msg_callback_arg(ch->qrx, msg_callback_arg);
3568 }
3569
3570 void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
3571 uint64_t tx_pkt_threshold)
3572 {
3573 ch->txku_threshold_override = tx_pkt_threshold;
3574 }
3575
3576 uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch)
3577 {
3578 return ossl_qtx_get_key_epoch(ch->qtx);
3579 }
3580
3581 uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch)
3582 {
3583 return ossl_qrx_get_key_epoch(ch->qrx);
3584 }
3585
3586 int ossl_quic_channel_trigger_txku(QUIC_CHANNEL *ch)
3587 {
3588 if (!txku_allowed(ch))
3589 return 0;
3590
3591 ch->ku_locally_initiated = 1;
3592 ch_trigger_txku(ch);
3593 return 1;
3594 }
3595
3596 int ossl_quic_channel_ping(QUIC_CHANNEL *ch)
3597 {
3598 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
3599
3600 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
3601
3602 return 1;
3603 }
3604
3605 uint16_t ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL *ch)
3606 {
3607 return ch->diag_num_rx_ack;
3608 }
3609
3610 void ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL *ch, QUIC_CONN_ID *cid)
3611 {
3612 *cid = ch->cur_local_cid;
3613 }
A mirror of the official openssl repository