2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/rand.h>
11 #include <openssl/err.h>
12 #include "internal/quic_channel.h"
13 #include "internal/quic_error.h"
14 #include "internal/quic_rx_depack.h"
15 #include "../ssl_local.h"
16 #include "quic_channel_local.h"
19 * NOTE: While this channel implementation currently has basic server support,
20 * this functionality has been implemented for internal testing purposes and is
21 * not suitable for network use. In particular, it does not implement address
22 * validation, anti-amplification or retry logic.
24 * TODO(QUIC): Implement address validation and anti-amplification
25 * TODO(QUIC): Implement retry logic
28 #define INIT_DCID_LEN 8
29 #define INIT_CRYPTO_BUF_LEN 8192
30 #define INIT_APP_BUF_LEN 8192
33 * Interval before we force a PING to ensure NATs don't timeout. This is based
34 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
37 #define MAX_NAT_INTERVAL (ossl_ms2time(25000))
39 static void ch_rx_pre(QUIC_CHANNEL
*ch
);
40 static int ch_rx(QUIC_CHANNEL
*ch
);
41 static int ch_tx(QUIC_CHANNEL
*ch
);
42 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
, uint32_t flags
);
43 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
);
44 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
);
45 static int ch_retry(QUIC_CHANNEL
*ch
,
46 const unsigned char *retry_token
,
47 size_t retry_token_len
,
48 const QUIC_CONN_ID
*retry_scid
);
49 static void ch_cleanup(QUIC_CHANNEL
*ch
);
50 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
);
51 static int ch_on_transport_params(const unsigned char *params
,
54 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
);
55 static int ch_on_handshake_complete(void *arg
);
56 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
57 uint32_t suite_id
, EVP_MD
*md
,
58 const unsigned char *secret
,
61 static int ch_on_crypto_recv_record(const unsigned char **buf
,
62 size_t *bytes_read
, void *arg
);
63 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
);
64 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
);
65 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
66 size_t *consumed
, void *arg
);
67 static OSSL_TIME
get_time(void *arg
);
68 static uint64_t get_stream_limit(int uni
, void *arg
);
69 static int rx_late_validate(QUIC_PN pn
, int pn_space
, void *arg
);
70 static void rxku_detected(QUIC_PN pn
, void *arg
);
71 static int ch_retry(QUIC_CHANNEL
*ch
,
72 const unsigned char *retry_token
,
73 size_t retry_token_len
,
74 const QUIC_CONN_ID
*retry_scid
);
75 static void ch_update_idle(QUIC_CHANNEL
*ch
);
76 static int ch_discard_el(QUIC_CHANNEL
*ch
,
78 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
);
79 static void ch_update_idle(QUIC_CHANNEL
*ch
);
80 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
);
81 static void ch_raise_net_error(QUIC_CHANNEL
*ch
);
82 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
);
83 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
84 const QUIC_TERMINATE_CAUSE
*tcause
,
86 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
);
87 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
88 const QUIC_CONN_ID
*peer_scid
,
89 const QUIC_CONN_ID
*peer_dcid
);
90 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK
*ack
, uint32_t pn_space
,
93 static int gen_rand_conn_id(OSSL_LIB_CTX
*libctx
, size_t len
, QUIC_CONN_ID
*cid
)
95 if (len
> QUIC_MAX_CONN_ID_LEN
)
98 cid
->id_len
= (unsigned char)len
;
100 if (RAND_bytes_ex(libctx
, cid
->id
, len
, len
* 8) != 1) {
109 * QUIC Channel Initialization and Teardown
110 * ========================================
112 #define DEFAULT_INIT_CONN_RXFC_WND (2 * 1024 * 1024)
113 #define DEFAULT_CONN_RXFC_MAX_WND_MUL 5
115 #define DEFAULT_INIT_STREAM_RXFC_WND (2 * 1024 * 1024)
116 #define DEFAULT_STREAM_RXFC_MAX_WND_MUL 5
118 #define DEFAULT_INIT_CONN_MAX_STREAMS 100
120 static int ch_init(QUIC_CHANNEL
*ch
)
122 OSSL_QUIC_TX_PACKETISER_ARGS txp_args
= {0};
123 OSSL_QTX_ARGS qtx_args
= {0};
124 OSSL_QRX_ARGS qrx_args
= {0};
125 QUIC_TLS_ARGS tls_args
= {0};
127 size_t rx_short_cid_len
= ch
->is_server
? INIT_DCID_LEN
: 0;
129 /* For clients, generate our initial DCID. */
131 && !gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
, &ch
->init_dcid
))
134 /* We plug in a network write BIO to the QTX later when we get one. */
135 qtx_args
.libctx
= ch
->libctx
;
136 qtx_args
.mdpl
= QUIC_MIN_INITIAL_DGRAM_LEN
;
137 ch
->rx_max_udp_payload_size
= qtx_args
.mdpl
;
139 ch
->ping_deadline
= ossl_time_infinite();
141 ch
->qtx
= ossl_qtx_new(&qtx_args
);
145 ch
->txpim
= ossl_quic_txpim_new();
146 if (ch
->txpim
== NULL
)
149 ch
->cfq
= ossl_quic_cfq_new();
153 if (!ossl_quic_txfc_init(&ch
->conn_txfc
, NULL
))
157 * Note: The TP we transmit governs what the peer can transmit and thus
158 * applies to the RXFC.
160 ch
->tx_init_max_stream_data_bidi_local
= DEFAULT_INIT_STREAM_RXFC_WND
;
161 ch
->tx_init_max_stream_data_bidi_remote
= DEFAULT_INIT_STREAM_RXFC_WND
;
162 ch
->tx_init_max_stream_data_uni
= DEFAULT_INIT_STREAM_RXFC_WND
;
164 if (!ossl_quic_rxfc_init(&ch
->conn_rxfc
, NULL
,
165 DEFAULT_INIT_CONN_RXFC_WND
,
166 DEFAULT_CONN_RXFC_MAX_WND_MUL
*
167 DEFAULT_INIT_CONN_RXFC_WND
,
171 if (!ossl_quic_rxfc_init_for_stream_count(&ch
->max_streams_bidi_rxfc
,
172 DEFAULT_INIT_CONN_MAX_STREAMS
,
176 if (!ossl_quic_rxfc_init_for_stream_count(&ch
->max_streams_uni_rxfc
,
177 DEFAULT_INIT_CONN_MAX_STREAMS
,
181 if (!ossl_statm_init(&ch
->statm
))
185 ch
->cc_method
= &ossl_cc_newreno_method
;
186 if ((ch
->cc_data
= ch
->cc_method
->new(get_time
, ch
)) == NULL
)
189 if ((ch
->ackm
= ossl_ackm_new(get_time
, ch
, &ch
->statm
,
190 ch
->cc_method
, ch
->cc_data
)) == NULL
)
193 if (!ossl_quic_stream_map_init(&ch
->qsm
, get_stream_limit
, ch
,
194 &ch
->max_streams_bidi_rxfc
,
195 &ch
->max_streams_uni_rxfc
,
201 /* We use a zero-length SCID. */
202 txp_args
.cur_dcid
= ch
->init_dcid
;
203 txp_args
.ack_delay_exponent
= 3;
204 txp_args
.qtx
= ch
->qtx
;
205 txp_args
.txpim
= ch
->txpim
;
206 txp_args
.cfq
= ch
->cfq
;
207 txp_args
.ackm
= ch
->ackm
;
208 txp_args
.qsm
= &ch
->qsm
;
209 txp_args
.conn_txfc
= &ch
->conn_txfc
;
210 txp_args
.conn_rxfc
= &ch
->conn_rxfc
;
211 txp_args
.max_streams_bidi_rxfc
= &ch
->max_streams_bidi_rxfc
;
212 txp_args
.max_streams_uni_rxfc
= &ch
->max_streams_uni_rxfc
;
213 txp_args
.cc_method
= ch
->cc_method
;
214 txp_args
.cc_data
= ch
->cc_data
;
215 txp_args
.now
= get_time
;
216 txp_args
.now_arg
= ch
;
218 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
219 ch
->crypto_send
[pn_space
] = ossl_quic_sstream_new(INIT_CRYPTO_BUF_LEN
);
220 if (ch
->crypto_send
[pn_space
] == NULL
)
223 txp_args
.crypto
[pn_space
] = ch
->crypto_send
[pn_space
];
226 ch
->txp
= ossl_quic_tx_packetiser_new(&txp_args
);
230 ossl_quic_tx_packetiser_set_ack_tx_cb(ch
->txp
, ch_on_txp_ack_tx
, ch
);
232 if ((ch
->demux
= ossl_quic_demux_new(/*BIO=*/NULL
,
233 /*Short CID Len=*/rx_short_cid_len
,
234 get_time
, ch
)) == NULL
)
238 * If we are a server, setup our handler for packets not corresponding to
239 * any known DCID on our end. This is for handling clients establishing new
243 ossl_quic_demux_set_default_handler(ch
->demux
,
244 ch_default_packet_handler
,
247 qrx_args
.libctx
= ch
->libctx
;
248 qrx_args
.demux
= ch
->demux
;
249 qrx_args
.short_conn_id_len
= rx_short_cid_len
;
250 qrx_args
.max_deferred
= 32;
252 if ((ch
->qrx
= ossl_qrx_new(&qrx_args
)) == NULL
)
255 if (!ossl_qrx_set_late_validation_cb(ch
->qrx
,
260 if (!ossl_qrx_set_key_update_cb(ch
->qrx
,
265 if (!ch
->is_server
&& !ossl_qrx_add_dst_conn_id(ch
->qrx
, &txp_args
.cur_scid
))
268 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
269 ch
->crypto_recv
[pn_space
] = ossl_quic_rstream_new(NULL
, NULL
, 0);
270 if (ch
->crypto_recv
[pn_space
] == NULL
)
274 /* Plug in the TLS handshake layer. */
275 tls_args
.s
= ch
->tls
;
276 tls_args
.crypto_send_cb
= ch_on_crypto_send
;
277 tls_args
.crypto_send_cb_arg
= ch
;
278 tls_args
.crypto_recv_rcd_cb
= ch_on_crypto_recv_record
;
279 tls_args
.crypto_recv_rcd_cb_arg
= ch
;
280 tls_args
.crypto_release_rcd_cb
= ch_on_crypto_release_record
;
281 tls_args
.crypto_release_rcd_cb_arg
= ch
;
282 tls_args
.yield_secret_cb
= ch_on_handshake_yield_secret
;
283 tls_args
.yield_secret_cb_arg
= ch
;
284 tls_args
.got_transport_params_cb
= ch_on_transport_params
;
285 tls_args
.got_transport_params_cb_arg
= ch
;
286 tls_args
.handshake_complete_cb
= ch_on_handshake_complete
;
287 tls_args
.handshake_complete_cb_arg
= ch
;
288 tls_args
.alert_cb
= ch_on_handshake_alert
;
289 tls_args
.alert_cb_arg
= ch
;
290 tls_args
.is_server
= ch
->is_server
;
292 if ((ch
->qtls
= ossl_quic_tls_new(&tls_args
)) == NULL
)
295 ch
->rx_max_ack_delay
= QUIC_DEFAULT_MAX_ACK_DELAY
;
296 ch
->rx_ack_delay_exp
= QUIC_DEFAULT_ACK_DELAY_EXP
;
297 ch
->rx_active_conn_id_limit
= QUIC_MIN_ACTIVE_CONN_ID_LIMIT
;
298 ch
->max_idle_timeout
= QUIC_DEFAULT_IDLE_TIMEOUT
;
299 ch
->tx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
300 ch
->rx_enc_level
= QUIC_ENC_LEVEL_INITIAL
;
301 ch
->txku_threshold_override
= UINT64_MAX
;
304 * Determine the QUIC Transport Parameters and serialize the transport
305 * parameters block. (For servers, we do this later as we must defer
306 * generation until we have received the client's transport parameters.)
308 if (!ch
->is_server
&& !ch_generate_transport_params(ch
))
312 ossl_quic_reactor_init(&ch
->rtor
, ch_tick
, ch
,
313 ch_determine_next_tick_deadline(ch
));
321 static void ch_cleanup(QUIC_CHANNEL
*ch
)
325 if (ch
->ackm
!= NULL
)
326 for (pn_space
= QUIC_PN_SPACE_INITIAL
;
327 pn_space
< QUIC_PN_SPACE_NUM
;
329 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
331 ossl_quic_tx_packetiser_free(ch
->txp
);
332 ossl_quic_txpim_free(ch
->txpim
);
333 ossl_quic_cfq_free(ch
->cfq
);
334 ossl_qtx_free(ch
->qtx
);
335 if (ch
->cc_data
!= NULL
)
336 ch
->cc_method
->free(ch
->cc_data
);
338 ossl_statm_destroy(&ch
->statm
);
339 ossl_ackm_free(ch
->ackm
);
342 ossl_quic_stream_map_cleanup(&ch
->qsm
);
344 for (pn_space
= QUIC_PN_SPACE_INITIAL
; pn_space
< QUIC_PN_SPACE_NUM
; ++pn_space
) {
345 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
346 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
349 ossl_qrx_pkt_release(ch
->qrx_pkt
);
352 ossl_quic_tls_free(ch
->qtls
);
353 ossl_qrx_free(ch
->qrx
);
354 ossl_quic_demux_free(ch
->demux
);
355 OPENSSL_free(ch
->local_transport_params
);
356 OSSL_ERR_STATE_free(ch
->err_state
);
359 QUIC_CHANNEL
*ossl_quic_channel_new(const QUIC_CHANNEL_ARGS
*args
)
361 QUIC_CHANNEL
*ch
= NULL
;
363 if ((ch
= OPENSSL_zalloc(sizeof(*ch
))) == NULL
)
366 ch
->libctx
= args
->libctx
;
367 ch
->propq
= args
->propq
;
368 ch
->is_server
= args
->is_server
;
370 ch
->mutex
= args
->mutex
;
371 ch
->now_cb
= args
->now_cb
;
372 ch
->now_cb_arg
= args
->now_cb_arg
;
382 void ossl_quic_channel_free(QUIC_CHANNEL
*ch
)
391 /* Set mutator callbacks for test framework support */
392 int ossl_quic_channel_set_mutator(QUIC_CHANNEL
*ch
,
393 ossl_mutate_packet_cb mutatecb
,
394 ossl_finish_mutate_cb finishmutatecb
,
400 ossl_qtx_set_mutator(ch
->qtx
, mutatecb
, finishmutatecb
, mutatearg
);
404 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL
*ch
, BIO_ADDR
*peer_addr
)
406 *peer_addr
= ch
->cur_peer_addr
;
410 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer_addr
)
412 ch
->cur_peer_addr
= *peer_addr
;
416 QUIC_REACTOR
*ossl_quic_channel_get_reactor(QUIC_CHANNEL
*ch
)
421 QUIC_STREAM_MAP
*ossl_quic_channel_get_qsm(QUIC_CHANNEL
*ch
)
426 OSSL_STATM
*ossl_quic_channel_get_statm(QUIC_CHANNEL
*ch
)
431 QUIC_STREAM
*ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL
*ch
,
434 return ossl_quic_stream_map_get_by_id(&ch
->qsm
, stream_id
);
437 int ossl_quic_channel_is_active(const QUIC_CHANNEL
*ch
)
439 return ch
!= NULL
&& ch
->state
== QUIC_CHANNEL_STATE_ACTIVE
;
442 int ossl_quic_channel_is_terminating(const QUIC_CHANNEL
*ch
)
444 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
445 || ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_DRAINING
)
451 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL
*ch
)
453 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATED
)
459 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL
*ch
)
461 return ossl_quic_channel_is_terminating(ch
)
462 || ossl_quic_channel_is_terminated(ch
);
465 const QUIC_TERMINATE_CAUSE
*
466 ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL
*ch
)
468 return ossl_quic_channel_is_term_any(ch
) ? &ch
->terminate_cause
: NULL
;
471 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL
*ch
)
473 return ch
->handshake_complete
;
476 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL
*ch
)
478 return ch
->handshake_confirmed
;
481 QUIC_DEMUX
*ossl_quic_channel_get0_demux(QUIC_CHANNEL
*ch
)
486 CRYPTO_MUTEX
*ossl_quic_channel_get_mutex(QUIC_CHANNEL
*ch
)
491 int ossl_quic_channel_has_pending(const QUIC_CHANNEL
*ch
)
493 return ossl_quic_demux_has_pending(ch
->demux
)
494 || ossl_qrx_processed_read_pending(ch
->qrx
);
498 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
499 * ================================================================
502 /* Used by various components. */
503 static OSSL_TIME
get_time(void *arg
)
505 QUIC_CHANNEL
*ch
= arg
;
507 if (ch
->now_cb
== NULL
)
508 return ossl_time_now();
510 return ch
->now_cb(ch
->now_cb_arg
);
514 static uint64_t get_stream_limit(int uni
, void *arg
)
516 QUIC_CHANNEL
*ch
= arg
;
518 return uni
? ch
->max_local_streams_uni
: ch
->max_local_streams_bidi
;
522 * Called by QRX to determine if a packet is potentially invalid before trying
525 static int rx_late_validate(QUIC_PN pn
, int pn_space
, void *arg
)
527 QUIC_CHANNEL
*ch
= arg
;
529 /* Potential duplicates should not be processed. */
530 if (!ossl_ackm_is_rx_pn_processable(ch
->ackm
, pn
, pn_space
))
537 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
538 * spontaneous TXKU is currently allowed.
541 static void ch_trigger_txku(QUIC_CHANNEL
*ch
)
544 = ossl_quic_tx_packetiser_get_next_pn(ch
->txp
, QUIC_PN_SPACE_APP
);
546 if (!ossl_quic_pn_valid(next_pn
)
547 || !ossl_qtx_trigger_key_update(ch
->qtx
)) {
548 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
553 ch
->txku_in_progress
= 1;
554 ch
->txku_pn
= next_pn
;
555 ch
->rxku_expected
= ch
->ku_locally_initiated
;
559 static int txku_in_progress(QUIC_CHANNEL
*ch
)
561 if (ch
->txku_in_progress
562 && ossl_ackm_get_largest_acked(ch
->ackm
, QUIC_PN_SPACE_APP
) >= ch
->txku_pn
) {
563 OSSL_TIME pto
= ossl_ackm_get_pto_duration(ch
->ackm
);
566 * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
567 * initiating a key update after receiving an acknowledgment that
568 * confirms that the previous key update was received.
570 * Note that by the above wording, this period starts from when we get
571 * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
572 * So we defer TXKU cooldown deadline calculation to this point.
574 ch
->txku_in_progress
= 0;
575 ch
->txku_cooldown_deadline
= ossl_time_add(get_time(ch
),
576 ossl_time_multiply(pto
, 3));
579 return ch
->txku_in_progress
;
583 static int txku_allowed(QUIC_CHANNEL
*ch
)
585 return ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
/* Sanity check. */
586 /* Strict RFC 9001 criterion for TXKU. */
587 && ch
->handshake_confirmed
588 && !txku_in_progress(ch
);
592 static int txku_recommendable(QUIC_CHANNEL
*ch
)
594 if (!txku_allowed(ch
))
598 /* Recommended RFC 9001 criterion for TXKU. */
599 ossl_time_compare(get_time(ch
), ch
->txku_cooldown_deadline
) >= 0
600 /* Some additional sensible criteria. */
601 && !ch
->rxku_in_progress
602 && !ch
->rxku_pending_confirm
;
606 static int txku_desirable(QUIC_CHANNEL
*ch
)
608 uint64_t cur_pkt_count
, max_pkt_count
, thresh_pkt_count
;
609 const uint32_t enc_level
= QUIC_ENC_LEVEL_1RTT
;
611 /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
612 cur_pkt_count
= ossl_qtx_get_cur_epoch_pkt_count(ch
->qtx
, enc_level
);
613 max_pkt_count
= ossl_qtx_get_max_epoch_pkt_count(ch
->qtx
, enc_level
);
615 thresh_pkt_count
= max_pkt_count
/ 2;
616 if (ch
->txku_threshold_override
!= UINT64_MAX
)
617 thresh_pkt_count
= ch
->txku_threshold_override
;
619 return cur_pkt_count
>= thresh_pkt_count
;
623 static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL
*ch
)
625 if (!txku_recommendable(ch
) || !txku_desirable(ch
))
628 ch
->ku_locally_initiated
= 1;
633 static int rxku_allowed(QUIC_CHANNEL
*ch
)
636 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
637 * having confirmed the handshake (Section 4.1.2).
639 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
640 * unless it has received an acknowledgment for a packet that was sent
641 * protected with keys from the current key phase.
643 * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
644 * sent any packets with updated keys containing an acknowledgment for the
645 * packet that initiated the key update, it indicates that its peer has
646 * updated keys twice without awaiting confirmation. An endpoint MAY treat
647 * such consecutive key updates as a connection error of type
650 return ch
->handshake_confirmed
&& !ch
->rxku_pending_confirm
;
654 * Called when the QRX detects a new RX key update event.
658 DECISION_PROTOCOL_VIOLATION
,
659 DECISION_SOLICITED_TXKU
662 /* Called when the QRX detects a key update has occurred. */
664 static void rxku_detected(QUIC_PN pn
, void *arg
)
666 QUIC_CHANNEL
*ch
= arg
;
667 enum rxku_decision decision
;
671 * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
672 * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
674 assert(!ch
->rxku_in_progress
);
676 if (!rxku_allowed(ch
))
677 /* Is RXKU even allowed at this time? */
678 decision
= DECISION_PROTOCOL_VIOLATION
;
680 else if (ch
->ku_locally_initiated
)
682 * If this key update was locally initiated (meaning that this detected
683 * RXKU event is a result of our own spontaneous TXKU), we do not
684 * trigger another TXKU; after all, to do so would result in an infinite
685 * ping-pong of key updates. We still process it as an RXKU.
687 decision
= DECISION_RXKU_ONLY
;
691 * Otherwise, a peer triggering a KU means we have to trigger a KU also.
693 decision
= DECISION_SOLICITED_TXKU
;
695 if (decision
== DECISION_PROTOCOL_VIOLATION
) {
696 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_KEY_UPDATE_ERROR
,
697 0, "RX key update again too soon");
701 pto
= ossl_ackm_get_pto_duration(ch
->ackm
);
703 ch
->ku_locally_initiated
= 0;
704 ch
->rxku_in_progress
= 1;
705 ch
->rxku_pending_confirm
= 1;
706 ch
->rxku_trigger_pn
= pn
;
707 ch
->rxku_update_end_deadline
= ossl_time_add(get_time(ch
), pto
);
708 ch
->rxku_expected
= 0;
710 if (decision
== DECISION_SOLICITED_TXKU
)
711 /* NOT gated by usual txku_allowed() */
715 * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
716 * received. In some cases, this may not occur for a long time, for example
717 * if transmission of application data is going in only one direction and
718 * nothing else is happening with the connection. However, since the peer
719 * cannot initiate a subsequent (spontaneous) TXKU until its prior
720 * (spontaneous or solicited) TXKU has completed - meaning that prior
721 * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
722 * can lead to very long times before a TXKU is considered 'completed'.
723 * Optimise this by forcing ACK generation after triggering TXKU.
724 * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
725 * which it more or less should be; it is necessarily separate from ordinary
726 * processing of ACK-eliciting frames as key update is not indicated via a
729 ossl_quic_tx_packetiser_schedule_ack(ch
->txp
, QUIC_PN_SPACE_APP
);
732 /* Called per tick to handle RXKU timer events. */
734 static void ch_rxku_tick(QUIC_CHANNEL
*ch
)
736 if (!ch
->rxku_in_progress
737 || ossl_time_compare(get_time(ch
), ch
->rxku_update_end_deadline
) < 0)
740 ch
->rxku_update_end_deadline
= ossl_time_infinite();
741 ch
->rxku_in_progress
= 0;
743 if (!ossl_qrx_key_update_timeout(ch
->qrx
, /*normal=*/1))
744 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
745 "RXKU cooldown internal error");
749 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK
*ack
, uint32_t pn_space
,
752 QUIC_CHANNEL
*ch
= arg
;
754 if (pn_space
!= QUIC_PN_SPACE_APP
|| !ch
->rxku_pending_confirm
755 || !ossl_quic_frame_ack_contains_pn(ack
, ch
->rxku_trigger_pn
))
759 * Defer clearing rxku_pending_confirm until TXP generate call returns
762 ch
->rxku_pending_confirm_done
= 1;
766 * QUIC Channel: Handshake Layer Event Handling
767 * ============================================
769 static int ch_on_crypto_send(const unsigned char *buf
, size_t buf_len
,
770 size_t *consumed
, void *arg
)
773 QUIC_CHANNEL
*ch
= arg
;
774 uint32_t enc_level
= ch
->tx_enc_level
;
775 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
776 QUIC_SSTREAM
*sstream
= ch
->crypto_send
[pn_space
];
778 if (!ossl_assert(sstream
!= NULL
))
781 ret
= ossl_quic_sstream_append(sstream
, buf
, buf_len
, consumed
);
785 static int crypto_ensure_empty(QUIC_RSTREAM
*rstream
)
793 if (!ossl_quic_rstream_available(rstream
, &avail
, &is_fin
))
799 static int ch_on_crypto_recv_record(const unsigned char **buf
,
800 size_t *bytes_read
, void *arg
)
802 QUIC_CHANNEL
*ch
= arg
;
803 QUIC_RSTREAM
*rstream
;
804 int is_fin
= 0; /* crypto stream is never finished, so we don't use this */
808 * After we move to a later EL we must not allow our peer to send any new
809 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
812 * In practice we will only move to a new EL when we have consumed all bytes
813 * which should be sent on the crypto stream at a previous EL. For example,
814 * the Handshake EL should not be provisioned until we have completely
815 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
816 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
817 * given EL is available we simply ensure we have not received any further
818 * bytes at a lower EL.
820 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< ch
->rx_enc_level
; ++i
)
821 if (i
!= QUIC_ENC_LEVEL_0RTT
&&
822 !crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
823 /* Protocol violation (RFC 9001 s. 4.1.3) */
824 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
825 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
826 "crypto stream data in wrong EL");
830 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
834 return ossl_quic_rstream_get_record(rstream
, buf
, bytes_read
,
838 static int ch_on_crypto_release_record(size_t bytes_read
, void *arg
)
840 QUIC_CHANNEL
*ch
= arg
;
841 QUIC_RSTREAM
*rstream
;
843 rstream
= ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(ch
->rx_enc_level
)];
847 return ossl_quic_rstream_release_record(rstream
, bytes_read
);
850 static int ch_on_handshake_yield_secret(uint32_t enc_level
, int direction
,
851 uint32_t suite_id
, EVP_MD
*md
,
852 const unsigned char *secret
,
856 QUIC_CHANNEL
*ch
= arg
;
859 if (enc_level
< QUIC_ENC_LEVEL_HANDSHAKE
|| enc_level
>= QUIC_ENC_LEVEL_NUM
)
866 if (enc_level
<= ch
->tx_enc_level
)
868 * Does not make sense for us to try and provision an EL we have already
873 if (!ossl_qtx_provide_secret(ch
->qtx
, enc_level
,
878 ch
->tx_enc_level
= enc_level
;
881 if (enc_level
<= ch
->rx_enc_level
)
883 * Does not make sense for us to try and provision an EL we have already
889 * Ensure all crypto streams for previous ELs are now empty of available
892 for (i
= QUIC_ENC_LEVEL_INITIAL
; i
< enc_level
; ++i
)
893 if (!crypto_ensure_empty(ch
->crypto_recv
[ossl_quic_enc_level_to_pn_space(i
)])) {
894 /* Protocol violation (RFC 9001 s. 4.1.3) */
895 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
896 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
897 "crypto stream data in wrong EL");
901 if (!ossl_qrx_provide_secret(ch
->qrx
, enc_level
,
906 ch
->have_new_rx_secret
= 1;
907 ch
->rx_enc_level
= enc_level
;
913 static int ch_on_handshake_complete(void *arg
)
915 QUIC_CHANNEL
*ch
= arg
;
917 if (!ossl_assert(!ch
->handshake_complete
))
918 return 0; /* this should not happen twice */
920 if (!ossl_assert(ch
->tx_enc_level
== QUIC_ENC_LEVEL_1RTT
))
923 if (!ch
->got_remote_transport_params
) {
925 * Was not a valid QUIC handshake if we did not get valid transport
928 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
929 OSSL_QUIC_FRAME_TYPE_CRYPTO
,
930 "no transport parameters received");
934 /* Don't need transport parameters anymore. */
935 OPENSSL_free(ch
->local_transport_params
);
936 ch
->local_transport_params
= NULL
;
938 /* Tell TXP the handshake is complete. */
939 ossl_quic_tx_packetiser_notify_handshake_complete(ch
->txp
);
941 ch
->handshake_complete
= 1;
945 * On the server, the handshake is confirmed as soon as it is complete.
947 ossl_quic_channel_on_handshake_confirmed(ch
);
949 ossl_quic_tx_packetiser_schedule_handshake_done(ch
->txp
);
955 static int ch_on_handshake_alert(void *arg
, unsigned char alert_code
)
957 QUIC_CHANNEL
*ch
= arg
;
959 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_CRYPTO_ERR_BEGIN
+ alert_code
,
960 0, "handshake alert");
965 * QUIC Channel: Transport Parameter Handling
966 * ==========================================
970 * Called by handshake layer when we receive QUIC Transport Parameters from the
971 * peer. Note that these are not authenticated until the handshake is marked
974 #define TP_REASON_SERVER_ONLY(x) \
975 x " may not be sent by a client"
976 #define TP_REASON_DUP(x) \
977 x " appears multiple times"
978 #define TP_REASON_MALFORMED(x) \
980 #define TP_REASON_EXPECTED_VALUE(x) \
981 x " does not match expected value"
982 #define TP_REASON_NOT_RETRY(x) \
983 x " sent when not performing a retry"
984 #define TP_REASON_REQUIRED(x) \
985 x " was not sent but is required"
987 static void txfc_bump_cwm_bidi(QUIC_STREAM
*s
, void *arg
)
989 if (!ossl_quic_stream_is_bidi(s
)
990 || ossl_quic_stream_is_server_init(s
))
993 ossl_quic_txfc_bump_cwm(&s
->txfc
, *(uint64_t *)arg
);
996 static void txfc_bump_cwm_uni(QUIC_STREAM
*s
, void *arg
)
998 if (ossl_quic_stream_is_bidi(s
)
999 || ossl_quic_stream_is_server_init(s
))
1002 ossl_quic_txfc_bump_cwm(&s
->txfc
, *(uint64_t *)arg
);
1005 static void do_update(QUIC_STREAM
*s
, void *arg
)
1007 QUIC_CHANNEL
*ch
= arg
;
1009 ossl_quic_stream_map_update_state(&ch
->qsm
, s
);
1012 static int ch_on_transport_params(const unsigned char *params
,
1016 QUIC_CHANNEL
*ch
= arg
;
1020 const unsigned char *body
;
1021 int got_orig_dcid
= 0;
1022 int got_initial_scid
= 0;
1023 int got_retry_scid
= 0;
1024 int got_initial_max_data
= 0;
1025 int got_initial_max_stream_data_bidi_local
= 0;
1026 int got_initial_max_stream_data_bidi_remote
= 0;
1027 int got_initial_max_stream_data_uni
= 0;
1028 int got_initial_max_streams_bidi
= 0;
1029 int got_initial_max_streams_uni
= 0;
1030 int got_ack_delay_exp
= 0;
1031 int got_max_ack_delay
= 0;
1032 int got_max_udp_payload_size
= 0;
1033 int got_max_idle_timeout
= 0;
1034 int got_active_conn_id_limit
= 0;
1035 int got_disable_active_migration
= 0;
1037 const char *reason
= "bad transport parameter";
1039 if (ch
->got_remote_transport_params
)
1042 if (!PACKET_buf_init(&pkt
, params
, params_len
))
1045 while (PACKET_remaining(&pkt
) > 0) {
1046 if (!ossl_quic_wire_peek_transport_param(&pkt
, &id
))
1050 case QUIC_TPARAM_ORIG_DCID
:
1051 if (got_orig_dcid
) {
1052 reason
= TP_REASON_DUP("ORIG_DCID");
1056 if (ch
->is_server
) {
1057 reason
= TP_REASON_SERVER_ONLY("ORIG_DCID");
1061 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1062 reason
= TP_REASON_MALFORMED("ORIG_DCID");
1066 /* Must match our initial DCID. */
1067 if (!ossl_quic_conn_id_eq(&ch
->init_dcid
, &cid
)) {
1068 reason
= TP_REASON_EXPECTED_VALUE("ORIG_DCID");
1075 case QUIC_TPARAM_RETRY_SCID
:
1076 if (ch
->is_server
) {
1077 reason
= TP_REASON_SERVER_ONLY("RETRY_SCID");
1081 if (got_retry_scid
) {
1082 reason
= TP_REASON_DUP("RETRY_SCID");
1086 if (!ch
->doing_retry
) {
1087 reason
= TP_REASON_NOT_RETRY("RETRY_SCID");
1091 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1092 reason
= TP_REASON_MALFORMED("RETRY_SCID");
1096 /* Must match Retry packet SCID. */
1097 if (!ossl_quic_conn_id_eq(&ch
->retry_scid
, &cid
)) {
1098 reason
= TP_REASON_EXPECTED_VALUE("RETRY_SCID");
1105 case QUIC_TPARAM_INITIAL_SCID
:
1106 if (got_initial_scid
) {
1107 /* must not appear more than once */
1108 reason
= TP_REASON_DUP("INITIAL_SCID");
1112 if (!ossl_quic_wire_decode_transport_param_cid(&pkt
, NULL
, &cid
)) {
1113 reason
= TP_REASON_MALFORMED("INITIAL_SCID");
1117 /* Must match SCID of first Initial packet from server. */
1118 if (!ossl_quic_conn_id_eq(&ch
->init_scid
, &cid
)) {
1119 reason
= TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
1123 got_initial_scid
= 1;
1126 case QUIC_TPARAM_INITIAL_MAX_DATA
:
1127 if (got_initial_max_data
) {
1128 /* must not appear more than once */
1129 reason
= TP_REASON_DUP("INITIAL_MAX_DATA");
1133 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1134 reason
= TP_REASON_MALFORMED("INITIAL_MAX_DATA");
1138 ossl_quic_txfc_bump_cwm(&ch
->conn_txfc
, v
);
1139 got_initial_max_data
= 1;
1142 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
:
1143 if (got_initial_max_stream_data_bidi_local
) {
1144 /* must not appear more than once */
1145 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1149 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1150 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1155 * This is correct; the BIDI_LOCAL TP governs streams created by
1156 * the endpoint which sends the TP, i.e., our peer.
1158 ch
->rx_init_max_stream_data_bidi_remote
= v
;
1159 got_initial_max_stream_data_bidi_local
= 1;
1162 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
:
1163 if (got_initial_max_stream_data_bidi_remote
) {
1164 /* must not appear more than once */
1165 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1169 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1170 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1175 * This is correct; the BIDI_REMOTE TP governs streams created
1176 * by the endpoint which receives the TP, i.e., us.
1178 ch
->rx_init_max_stream_data_bidi_local
= v
;
1180 /* Apply to all existing streams. */
1181 ossl_quic_stream_map_visit(&ch
->qsm
, txfc_bump_cwm_bidi
, &v
);
1182 got_initial_max_stream_data_bidi_remote
= 1;
1185 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
:
1186 if (got_initial_max_stream_data_uni
) {
1187 /* must not appear more than once */
1188 reason
= TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
1192 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1193 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
1197 ch
->rx_init_max_stream_data_uni
= v
;
1199 /* Apply to all existing streams. */
1200 ossl_quic_stream_map_visit(&ch
->qsm
, txfc_bump_cwm_uni
, &v
);
1201 got_initial_max_stream_data_uni
= 1;
1204 case QUIC_TPARAM_ACK_DELAY_EXP
:
1205 if (got_ack_delay_exp
) {
1206 /* must not appear more than once */
1207 reason
= TP_REASON_DUP("ACK_DELAY_EXP");
1211 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1212 || v
> QUIC_MAX_ACK_DELAY_EXP
) {
1213 reason
= TP_REASON_MALFORMED("ACK_DELAY_EXP");
1217 ch
->rx_ack_delay_exp
= (unsigned char)v
;
1218 got_ack_delay_exp
= 1;
1221 case QUIC_TPARAM_MAX_ACK_DELAY
:
1222 if (got_max_ack_delay
) {
1223 /* must not appear more than once */
1224 reason
= TP_REASON_DUP("MAX_ACK_DELAY");
1228 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1229 || v
>= (((uint64_t)1) << 14)) {
1230 reason
= TP_REASON_MALFORMED("MAX_ACK_DELAY");
1234 ch
->rx_max_ack_delay
= v
;
1235 got_max_ack_delay
= 1;
1238 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
:
1239 if (got_initial_max_streams_bidi
) {
1240 /* must not appear more than once */
1241 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
1245 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1246 || v
> (((uint64_t)1) << 60)) {
1247 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
1251 assert(ch
->max_local_streams_bidi
== 0);
1252 ch
->max_local_streams_bidi
= v
;
1253 got_initial_max_streams_bidi
= 1;
1256 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
:
1257 if (got_initial_max_streams_uni
) {
1258 /* must not appear more than once */
1259 reason
= TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
1263 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1264 || v
> (((uint64_t)1) << 60)) {
1265 reason
= TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
1269 assert(ch
->max_local_streams_uni
== 0);
1270 ch
->max_local_streams_uni
= v
;
1271 got_initial_max_streams_uni
= 1;
1274 case QUIC_TPARAM_MAX_IDLE_TIMEOUT
:
1275 if (got_max_idle_timeout
) {
1276 /* must not appear more than once */
1277 reason
= TP_REASON_DUP("MAX_IDLE_TIMEOUT");
1281 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)) {
1282 reason
= TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
1286 if (v
> 0 && v
< ch
->max_idle_timeout
)
1287 ch
->max_idle_timeout
= v
;
1290 got_max_idle_timeout
= 1;
1293 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
:
1294 if (got_max_udp_payload_size
) {
1295 /* must not appear more than once */
1296 reason
= TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
1300 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1301 || v
< QUIC_MIN_INITIAL_DGRAM_LEN
) {
1302 reason
= TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
1306 ch
->rx_max_udp_payload_size
= v
;
1307 got_max_udp_payload_size
= 1;
1310 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
:
1311 if (got_active_conn_id_limit
) {
1312 /* must not appear more than once */
1313 reason
= TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
1317 if (!ossl_quic_wire_decode_transport_param_int(&pkt
, &id
, &v
)
1318 || v
< QUIC_MIN_ACTIVE_CONN_ID_LIMIT
) {
1319 reason
= TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
1323 ch
->rx_active_conn_id_limit
= v
;
1324 got_active_conn_id_limit
= 1;
1327 case QUIC_TPARAM_STATELESS_RESET_TOKEN
:
1328 /* TODO(QUIC): Handle stateless reset tokens. */
1330 * We ignore these for now, but we must ensure a client doesn't
1333 if (ch
->is_server
) {
1334 reason
= TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1338 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1339 if (body
== NULL
|| len
!= QUIC_STATELESS_RESET_TOKEN_LEN
) {
1340 reason
= TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1346 case QUIC_TPARAM_PREFERRED_ADDR
:
1348 /* TODO(QUIC): Handle preferred address. */
1349 QUIC_PREFERRED_ADDR pfa
;
1352 * RFC 9000 s. 18.2: "A server that chooses a zero-length
1353 * connection ID MUST NOT provide a preferred address.
1354 * Similarly, a server MUST NOT include a zero-length connection
1355 * ID in this transport parameter. A client MUST treat a
1356 * violation of these requirements as a connection error of type
1357 * TRANSPORT_PARAMETER_ERROR."
1359 if (ch
->is_server
) {
1360 reason
= TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1364 if (ch
->cur_remote_dcid
.id_len
== 0) {
1365 reason
= "PREFERRED_ADDR provided for zero-length CID";
1369 if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt
, &pfa
)) {
1370 reason
= TP_REASON_MALFORMED("PREFERRED_ADDR");
1374 if (pfa
.cid
.id_len
== 0) {
1375 reason
= "zero-length CID in PREFERRED_ADDR";
1381 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
:
1382 /* We do not currently handle migration, so nothing to do. */
1383 if (got_disable_active_migration
) {
1384 /* must not appear more than once */
1385 reason
= TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
1389 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
, &len
);
1390 if (body
== NULL
|| len
> 0) {
1391 reason
= TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
1395 got_disable_active_migration
= 1;
1400 * Skip over and ignore.
1402 * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
1403 * as a connection error, but we are not required to. Currently,
1404 * handle this programmatically by checking for duplicates in the
1405 * parameters that we recognise, as above, but don't bother
1406 * maintaining a list of duplicates for anything we don't recognise.
1408 body
= ossl_quic_wire_decode_transport_param_bytes(&pkt
, &id
,
1417 if (!got_initial_scid
) {
1418 reason
= TP_REASON_REQUIRED("INITIAL_SCID");
1422 if (!ch
->is_server
) {
1423 if (!got_orig_dcid
) {
1424 reason
= TP_REASON_REQUIRED("ORIG_DCID");
1428 if (ch
->doing_retry
&& !got_retry_scid
) {
1429 reason
= TP_REASON_REQUIRED("RETRY_SCID");
1434 ch
->got_remote_transport_params
= 1;
1436 if (got_initial_max_data
|| got_initial_max_stream_data_bidi_remote
1437 || got_initial_max_streams_bidi
|| got_initial_max_streams_uni
)
1439 * If FC credit was bumped, we may now be able to send. Update all
1442 ossl_quic_stream_map_visit(&ch
->qsm
, do_update
, ch
);
1444 /* If we are a server, we now generate our own transport parameters. */
1445 if (ch
->is_server
&& !ch_generate_transport_params(ch
)) {
1446 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
1454 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_TRANSPORT_PARAMETER_ERROR
,
1460 * Called when we want to generate transport parameters. This is called
1461 * immediately at instantiation time for a client and after we receive the
1462 * client's transport parameters for a server.
1464 static int ch_generate_transport_params(QUIC_CHANNEL
*ch
)
1467 BUF_MEM
*buf_mem
= NULL
;
1472 if (ch
->local_transport_params
!= NULL
)
1475 if ((buf_mem
= BUF_MEM_new()) == NULL
)
1478 if (!WPACKET_init(&wpkt
, buf_mem
))
1483 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION
,
1487 if (ch
->is_server
) {
1488 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_ORIG_DCID
,
1492 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1493 &ch
->cur_local_cid
))
1496 /* Client always uses an empty SCID. */
1497 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt
, QUIC_TPARAM_INITIAL_SCID
,
1502 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_IDLE_TIMEOUT
,
1503 ch
->max_idle_timeout
))
1506 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE
,
1507 QUIC_MIN_INITIAL_DGRAM_LEN
))
1510 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT
,
1511 QUIC_MIN_ACTIVE_CONN_ID_LIMIT
))
1514 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_DATA
,
1515 ossl_quic_rxfc_get_cwm(&ch
->conn_rxfc
)))
1518 /* Send the default CWM for a new RXFC. */
1519 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
,
1520 ch
->tx_init_max_stream_data_bidi_local
))
1523 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
,
1524 ch
->tx_init_max_stream_data_bidi_remote
))
1527 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI
,
1528 ch
->tx_init_max_stream_data_uni
))
1531 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI
,
1532 ossl_quic_rxfc_get_cwm(&ch
->max_streams_bidi_rxfc
)))
1535 if (!ossl_quic_wire_encode_transport_param_int(&wpkt
, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI
,
1536 ossl_quic_rxfc_get_cwm(&ch
->max_streams_uni_rxfc
)))
1539 if (!WPACKET_finish(&wpkt
))
1544 if (!WPACKET_get_total_written(&wpkt
, &buf_len
))
1547 ch
->local_transport_params
= (unsigned char *)buf_mem
->data
;
1548 buf_mem
->data
= NULL
;
1551 if (!ossl_quic_tls_set_transport_params(ch
->qtls
, ch
->local_transport_params
,
1558 WPACKET_cleanup(&wpkt
);
1559 BUF_MEM_free(buf_mem
);
1564 * QUIC Channel: Ticker-Mutator
1565 * ============================
1569 * The central ticker function called by the reactor. This does everything, or
1570 * at least everything network I/O related. Best effort - not allowed to fail
1573 static void ch_tick(QUIC_TICK_RESULT
*res
, void *arg
, uint32_t flags
)
1575 OSSL_TIME now
, deadline
;
1576 QUIC_CHANNEL
*ch
= arg
;
1577 int channel_only
= (flags
& QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY
) != 0;
1580 * When we tick the QUIC connection, we do everything we need to do
1581 * periodically. In order, we:
1583 * - handle any incoming data from the network;
1584 * - handle any timer events which are due to fire (ACKM, etc.)
1585 * - write any data to the network due to be sent, to the extent
1587 * - determine the time at which we should next be ticked.
1590 /* If we are in the TERMINATED state, there is nothing to do. */
1591 if (ossl_quic_channel_is_terminated(ch
)) {
1592 res
->net_read_desired
= 0;
1593 res
->net_write_desired
= 0;
1594 res
->tick_deadline
= ossl_time_infinite();
1599 * If we are in the TERMINATING state, check if the terminating timer has
1602 if (ossl_quic_channel_is_terminating(ch
)) {
1605 if (ossl_time_compare(now
, ch
->terminate_deadline
) >= 0) {
1606 ch_on_terminating_timeout(ch
);
1607 res
->net_read_desired
= 0;
1608 res
->net_write_desired
= 0;
1609 res
->tick_deadline
= ossl_time_infinite();
1610 return; /* abort normal processing, nothing to do */
1614 /* Handle RXKU timeouts. */
1617 /* Handle any incoming data from network. */
1621 /* Process queued incoming packets. */
1625 * Allow the handshake layer to check for any new incoming data and generate
1626 * new outgoing data.
1628 ch
->have_new_rx_secret
= 0;
1630 ossl_quic_tls_tick(ch
->qtls
);
1633 * If the handshake layer gave us a new secret, we need to do RX again
1634 * because packets that were not previously processable and were
1635 * deferred might now be processable.
1637 * TODO(QUIC): Consider handling this in the yield_secret callback.
1639 } while (ch
->have_new_rx_secret
);
1642 * Handle any timer events which are due to fire; namely, the loss detection
1643 * deadline and the idle timeout.
1645 * ACKM ACK generation deadline is polled by TXP, so we don't need to handle
1649 if (ossl_time_compare(now
, ch
->idle_deadline
) >= 0) {
1651 * Idle timeout differs from normal protocol violation because we do not
1652 * send a CONN_CLOSE frame; go straight to TERMINATED.
1654 ch_on_idle_timeout(ch
);
1655 res
->net_read_desired
= 0;
1656 res
->net_write_desired
= 0;
1657 res
->tick_deadline
= ossl_time_infinite();
1661 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
1662 if (!ossl_time_is_zero(deadline
) && ossl_time_compare(now
, deadline
) >= 0)
1663 ossl_ackm_on_timeout(ch
->ackm
);
1665 /* If a ping is due, inform TXP. */
1666 if (ossl_time_compare(now
, ch
->ping_deadline
) >= 0) {
1667 int pn_space
= ossl_quic_enc_level_to_pn_space(ch
->tx_enc_level
);
1669 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch
->txp
, pn_space
);
1672 /* Write any data to the network due to be sent. */
1676 ossl_quic_stream_map_gc(&ch
->qsm
);
1678 /* Determine the time at which we should next be ticked. */
1679 res
->tick_deadline
= ch_determine_next_tick_deadline(ch
);
1682 * Always process network input unless we are now terminated.
1683 * Although we had not terminated at the beginning of this tick, network
1684 * errors in ch_rx_pre() or ch_tx() may have caused us to transition to the
1687 res
->net_read_desired
= !ossl_quic_channel_is_terminated(ch
);
1689 /* We want to write to the network if we have any in our queue. */
1690 res
->net_write_desired
1691 = (!ossl_quic_channel_is_terminated(ch
)
1692 && ossl_qtx_get_queue_len_datagrams(ch
->qtx
) > 0);
1695 /* Process incoming datagrams, if any. */
1696 static void ch_rx_pre(QUIC_CHANNEL
*ch
)
1700 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1704 * Get DEMUX to BIO_recvmmsg from the network and queue incoming datagrams
1705 * to the appropriate QRX instance.
1707 ret
= ossl_quic_demux_pump(ch
->demux
);
1708 if (ret
== QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL
)
1710 * We don't care about transient failure, but permanent failure means we
1711 * should tear down the connection as though a protocol violation
1712 * occurred. Skip straight to the Terminating state as there is no point
1713 * trying to send CONNECTION_CLOSE frames if the network BIO is not
1714 * operating correctly.
1716 ch_raise_net_error(ch
);
1719 /* Check incoming forged packet limit and terminate connection if needed. */
1720 static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL
*ch
)
1723 uint64_t limit
= UINT64_MAX
, l
;
1725 for (enc_level
= QUIC_ENC_LEVEL_INITIAL
;
1726 enc_level
< QUIC_ENC_LEVEL_NUM
;
1730 * Different ELs can have different AEADs which can in turn impose
1731 * different limits, so use the lowest value of any currently valid EL.
1733 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1736 if (enc_level
> ch
->rx_enc_level
)
1739 l
= ossl_qrx_get_max_forged_pkt_count(ch
->qrx
, enc_level
);
1744 if (ossl_qrx_get_cur_forged_pkt_count(ch
->qrx
) < limit
)
1747 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_AEAD_LIMIT_REACHED
, 0,
1751 /* Process queued incoming packets and handle frames, if any. */
1752 static int ch_rx(QUIC_CHANNEL
*ch
)
1754 int handled_any
= 0;
1756 if (!ch
->is_server
&& !ch
->have_sent_any_pkt
)
1758 * We have not sent anything yet, therefore there is no need to check
1759 * for incoming data.
1764 assert(ch
->qrx_pkt
== NULL
);
1766 if (!ossl_qrx_read_pkt(ch
->qrx
, &ch
->qrx_pkt
))
1772 ch_rx_handle_packet(ch
); /* best effort */
1775 * Regardless of the outcome of frame handling, unref the packet.
1776 * This will free the packet unless something added another
1777 * reference to it during frame processing.
1779 ossl_qrx_pkt_release(ch
->qrx_pkt
);
1782 ch
->have_sent_ack_eliciting_since_rx
= 0;
1786 ch_rx_check_forged_pkt_limit(ch
);
1789 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
1790 * process one or more incoming packets.
1792 if (handled_any
&& ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
)
1793 ch
->conn_close_queued
= 1;
1798 static int bio_addr_eq(const BIO_ADDR
*a
, const BIO_ADDR
*b
)
1800 if (BIO_ADDR_family(a
) != BIO_ADDR_family(b
))
1803 switch (BIO_ADDR_family(a
)) {
1805 return !memcmp(&a
->s_in
.sin_addr
,
1807 sizeof(a
->s_in
.sin_addr
))
1808 && a
->s_in
.sin_port
== b
->s_in
.sin_port
;
1810 return !memcmp(&a
->s_in6
.sin6_addr
,
1811 &b
->s_in6
.sin6_addr
,
1812 sizeof(a
->s_in6
.sin6_addr
))
1813 && a
->s_in6
.sin6_port
== b
->s_in6
.sin6_port
;
1815 return 0; /* not supported */
1821 /* Handles the packet currently in ch->qrx_pkt->hdr. */
1822 static void ch_rx_handle_packet(QUIC_CHANNEL
*ch
)
1826 assert(ch
->qrx_pkt
!= NULL
);
1828 if (!ossl_quic_channel_is_active(ch
))
1829 /* Do not process packets once we are terminating. */
1832 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)) {
1833 if (!ch
->have_received_enc_pkt
) {
1834 ch
->cur_remote_dcid
= ch
->init_scid
= ch
->qrx_pkt
->hdr
->src_conn_id
;
1835 ch
->have_received_enc_pkt
= 1;
1838 * We change to using the SCID in the first Initial packet as the
1841 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->init_scid
);
1844 enc_level
= ossl_quic_pkt_type_to_enc_level(ch
->qrx_pkt
->hdr
->type
);
1845 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
1846 /* Do not process packets from ELs we have already discarded. */
1851 * RFC 9000 s. 9.6: "If a client receives packets from a new server address
1852 * when the client has not initiated a migration to that address, the client
1853 * SHOULD discard these packets."
1855 * We need to be a bit careful here as due to the BIO abstraction layer an
1856 * application is liable to be weird and lie to us about peer addresses.
1857 * Only apply this check if we actually are using a real AF_INET or AF_INET6
1861 && ch
->qrx_pkt
->peer
!= NULL
1862 && (BIO_ADDR_family(&ch
->cur_peer_addr
) == AF_INET
1863 || BIO_ADDR_family(&ch
->cur_peer_addr
) == AF_INET6
)
1864 && !bio_addr_eq(ch
->qrx_pkt
->peer
, &ch
->cur_peer_addr
))
1868 && ch
->have_received_enc_pkt
1869 && ossl_quic_pkt_type_has_scid(ch
->qrx_pkt
->hdr
->type
)) {
1871 * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
1872 * from the server, it MUST discard any subsequent packet it receives on
1873 * that connection with a different SCID."
1875 if (!ossl_quic_conn_id_eq(&ch
->qrx_pkt
->hdr
->src_conn_id
,
1880 if (ossl_quic_pkt_type_has_version(ch
->qrx_pkt
->hdr
->type
)
1881 && ch
->qrx_pkt
->hdr
->version
!= QUIC_VERSION_1
)
1883 * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
1884 * different version than it initially selected, it MUST discard the
1885 * packet. We only ever use v1, so require it.
1890 * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
1891 * non-zero value for [the reserved bits] after removing both packet and
1892 * header protection as a connection error of type PROTOCOL_VIOLATION."
1894 if (ossl_quic_pkt_type_is_encrypted(ch
->qrx_pkt
->hdr
->type
)
1895 && ch
->qrx_pkt
->hdr
->reserved
!= 0) {
1896 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
1897 0, "packet header reserved bits");
1901 /* Handle incoming packet. */
1902 switch (ch
->qrx_pkt
->hdr
->type
) {
1903 case QUIC_PKT_TYPE_RETRY
:
1904 if (ch
->doing_retry
|| ch
->is_server
)
1906 * It is not allowed to ask a client to do a retry more than
1907 * once. Clients may not send retries.
1911 if (ch
->qrx_pkt
->hdr
->len
<= QUIC_RETRY_INTEGRITY_TAG_LEN
)
1912 /* Packets with zero-length Retry Tokens are invalid. */
1916 * TODO(QUIC): Theoretically this should probably be in the QRX.
1917 * However because validation is dependent on context (namely the
1918 * client's initial DCID) we can't do this cleanly. In the future we
1919 * should probably add a callback to the QRX to let it call us (via
1920 * the DEMUX) and ask us about the correct original DCID, rather
1921 * than allow the QRX to emit a potentially malformed packet to the
1922 * upper layers. However, special casing this will do for now.
1924 if (!ossl_quic_validate_retry_integrity_tag(ch
->libctx
,
1928 /* Malformed retry packet, ignore. */
1931 ch_retry(ch
, ch
->qrx_pkt
->hdr
->data
,
1932 ch
->qrx_pkt
->hdr
->len
- QUIC_RETRY_INTEGRITY_TAG_LEN
,
1933 &ch
->qrx_pkt
->hdr
->src_conn_id
);
1936 case QUIC_PKT_TYPE_0RTT
:
1938 /* Clients should never receive 0-RTT packets. */
1942 * TODO(QUIC): Implement 0-RTT on the server side. We currently do
1943 * not need to implement this as a client can only do 0-RTT if we
1944 * have given it permission to in a previous session.
1948 case QUIC_PKT_TYPE_INITIAL
:
1949 case QUIC_PKT_TYPE_HANDSHAKE
:
1950 case QUIC_PKT_TYPE_1RTT
:
1951 if (ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_HANDSHAKE
)
1953 * We automatically drop INITIAL EL keys when first successfully
1954 * decrypting a HANDSHAKE packet, as per the RFC.
1956 ch_discard_el(ch
, QUIC_ENC_LEVEL_INITIAL
);
1958 if (ch
->rxku_in_progress
1959 && ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_1RTT
1960 && ch
->qrx_pkt
->pn
>= ch
->rxku_trigger_pn
1961 && ch
->qrx_pkt
->key_epoch
< ossl_qrx_get_key_epoch(ch
->qrx
)) {
1963 * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
1964 * protected with either the same or newer packet protection keys
1965 * than packets with lower packet numbers. An endpoint that
1966 * successfully removes protection with old keys when newer keys
1967 * were used for packets with lower packet numbers MUST treat this
1968 * as a connection error of type KEY_UPDATE_ERROR.
1970 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_KEY_UPDATE_ERROR
,
1971 0, "new packet with old keys");
1976 && ch
->qrx_pkt
->hdr
->type
== QUIC_PKT_TYPE_INITIAL
1977 && ch
->qrx_pkt
->hdr
->token_len
> 0) {
1979 * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
1980 * non-zero Token Length field MUST either discard the packet or
1981 * generate a connection error of type PROTOCOL_VIOLATION.
1983 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
1984 0, "client received initial token");
1988 /* This packet contains frames, pass to the RXDP. */
1989 ossl_quic_handle_frames(ch
, ch
->qrx_pkt
); /* best effort */
1999 * This is called by the demux when we get a packet not destined for any known
2002 static void ch_default_packet_handler(QUIC_URXE
*e
, void *arg
)
2004 QUIC_CHANNEL
*ch
= arg
;
2008 if (!ossl_assert(ch
->is_server
))
2012 * We only support one connection to our server currently, so if we already
2013 * started one, ignore any new connection attempts.
2015 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
2019 * We have got a packet for an unknown DCID. This might be an attempt to
2020 * open a new connection.
2022 if (e
->data_len
< QUIC_MIN_INITIAL_DGRAM_LEN
)
2025 if (!PACKET_buf_init(&pkt
, ossl_quic_urxe_data(e
), e
->data_len
))
2029 * We set short_conn_id_len to SIZE_MAX here which will cause the decode
2030 * operation to fail if we get a 1-RTT packet. This is fine since we only
2031 * care about Initial packets.
2033 if (!ossl_quic_wire_decode_pkt_hdr(&pkt
, SIZE_MAX
, 1, 0, &hdr
, NULL
))
2036 switch (hdr
.version
) {
2037 case QUIC_VERSION_1
:
2040 case QUIC_VERSION_NONE
:
2042 /* Unknown version or proactive version negotiation request, bail. */
2043 /* TODO(QUIC): Handle version negotiation on server side */
2048 * We only care about Initial packets which might be trying to establish a
2051 if (hdr
.type
!= QUIC_PKT_TYPE_INITIAL
)
2055 * Assume this is a valid attempt to initiate a connection.
2057 * We do not register the DCID in the initial packet we received and that
2058 * DCID is not actually used again, thus after provisioning the correct
2059 * Initial keys derived from it (which is done in the call below) we pass
2060 * the received packet directly to the QRX so that it can process it as a
2061 * one-time thing, instead of going through the usual DEMUX DCID-based
2064 if (!ch_server_on_new_conn(ch
, &e
->peer
,
2069 ossl_qrx_inject_urxe(ch
->qrx
, e
);
2073 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
2076 ossl_quic_demux_release_urxe(ch
->demux
, e
);
2079 /* Try to generate packets and if possible, flush them to the network. */
2080 static int ch_tx(QUIC_CHANNEL
*ch
)
2082 QUIC_TXP_STATUS status
;
2084 if (ch
->state
== QUIC_CHANNEL_STATE_TERMINATING_CLOSING
) {
2086 * While closing, only send CONN_CLOSE if we've received more traffic
2087 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
2088 * future calls to it generate CONN_CLOSE frames, so otherwise we would
2089 * just constantly generate CONN_CLOSE frames.
2091 if (!ch
->conn_close_queued
)
2094 ch
->conn_close_queued
= 0;
2097 /* Do TXKU if we need to. */
2098 ch_maybe_trigger_spontaneous_txku(ch
);
2100 ch
->rxku_pending_confirm_done
= 0;
2103 * Send a packet, if we need to. Best effort. The TXP consults the CC and
2104 * applies any limitations imposed by it, so we don't need to do it here.
2106 * Best effort. In particular if TXP fails for some reason we should still
2107 * flush any queued packets which we already generated.
2109 switch (ossl_quic_tx_packetiser_generate(ch
->txp
,
2110 TX_PACKETISER_ARCHETYPE_NORMAL
,
2112 case TX_PACKETISER_RES_SENT_PKT
:
2113 ch
->have_sent_any_pkt
= 1; /* Packet was sent */
2116 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
2117 * sending an ack-eliciting packet if no other ack-eliciting packets
2118 * have been sent since last receiving and processing a packet.'
2120 if (status
.sent_ack_eliciting
&& !ch
->have_sent_ack_eliciting_since_rx
) {
2122 ch
->have_sent_ack_eliciting_since_rx
= 1;
2125 if (ch
->rxku_pending_confirm_done
)
2126 ch
->rxku_pending_confirm
= 0;
2128 ch_update_ping_deadline(ch
);
2131 case TX_PACKETISER_RES_NO_PKT
:
2132 break; /* No packet was sent */
2136 * One case where TXP can fail is if we reach a TX PN of 2**62 - 1. As
2137 * per RFC 9000 s. 12.3, if this happens we MUST close the connection
2138 * without sending a CONNECTION_CLOSE frame. This is actually handled as
2139 * an emergent consequence of our design, as the TX packetiser will
2140 * never transmit another packet when the TX PN reaches the limit.
2142 * Calling the below function terminates the connection; its attempt to
2143 * schedule a CONNECTION_CLOSE frame will not actually cause a packet to
2144 * be transmitted for this reason.
2146 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_INTERNAL_ERROR
, 0,
2148 break; /* Internal failure (e.g. allocation, assertion) */
2151 /* Flush packets to network. */
2152 switch (ossl_qtx_flush_net(ch
->qtx
)) {
2153 case QTX_FLUSH_NET_RES_OK
:
2154 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL
:
2155 /* Best effort, done for now. */
2158 case QTX_FLUSH_NET_RES_PERMANENT_FAIL
:
2160 /* Permanent underlying network BIO, start terminating. */
2161 ch_raise_net_error(ch
);
2168 /* Determine next tick deadline. */
2169 static OSSL_TIME
ch_determine_next_tick_deadline(QUIC_CHANNEL
*ch
)
2174 if (ossl_quic_channel_is_terminated(ch
))
2175 return ossl_time_infinite();
2177 deadline
= ossl_ackm_get_loss_detection_deadline(ch
->ackm
);
2178 if (ossl_time_is_zero(deadline
))
2179 deadline
= ossl_time_infinite();
2182 * If the CC will let us send acks, check the ack deadline for all
2183 * enc_levels that are actually provisioned
2185 if (ch
->cc_method
->get_tx_allowance(ch
->cc_data
) > 0) {
2186 for (i
= 0; i
< QUIC_ENC_LEVEL_NUM
; i
++) {
2187 if (ossl_qtx_is_enc_level_provisioned(ch
->qtx
, i
)) {
2188 deadline
= ossl_time_min(deadline
,
2189 ossl_ackm_get_ack_deadline(ch
->ackm
,
2190 ossl_quic_enc_level_to_pn_space(i
)));
2195 /* When will CC let us send more? */
2196 if (ossl_quic_tx_packetiser_has_pending(ch
->txp
, TX_PACKETISER_ARCHETYPE_NORMAL
,
2197 TX_PACKETISER_BYPASS_CC
))
2198 deadline
= ossl_time_min(deadline
,
2199 ch
->cc_method
->get_wakeup_deadline(ch
->cc_data
));
2201 /* Is the terminating timer armed? */
2202 if (ossl_quic_channel_is_terminating(ch
))
2203 deadline
= ossl_time_min(deadline
,
2204 ch
->terminate_deadline
);
2205 else if (!ossl_time_is_infinite(ch
->idle_deadline
))
2206 deadline
= ossl_time_min(deadline
,
2210 * When do we need to send an ACK-eliciting packet to reset the idle
2211 * deadline timer for the peer?
2213 if (!ossl_time_is_infinite(ch
->ping_deadline
))
2214 deadline
= ossl_time_min(deadline
,
2217 /* When does the RXKU process complete? */
2218 if (ch
->rxku_in_progress
)
2219 deadline
= ossl_time_min(deadline
, ch
->rxku_update_end_deadline
);
2225 * QUIC Channel: Network BIO Configuration
2226 * =======================================
2229 /* Determines whether we can support a given poll descriptor. */
2230 static int validate_poll_descriptor(const BIO_POLL_DESCRIPTOR
*d
)
2232 if (d
->type
== BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD
&& d
->value
.fd
< 0)
2238 BIO
*ossl_quic_channel_get_net_rbio(QUIC_CHANNEL
*ch
)
2240 return ch
->net_rbio
;
2243 BIO
*ossl_quic_channel_get_net_wbio(QUIC_CHANNEL
*ch
)
2245 return ch
->net_wbio
;
2249 * QUIC_CHANNEL does not ref any BIO it is provided with, nor is any ref
2250 * transferred to it. The caller (i.e., QUIC_CONNECTION) is responsible for
2251 * ensuring the BIO lasts until the channel is freed or the BIO is switched out
2252 * for another BIO by a subsequent successful call to this function.
2254 int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL
*ch
, BIO
*net_rbio
)
2256 BIO_POLL_DESCRIPTOR d
= {0};
2258 if (ch
->net_rbio
== net_rbio
)
2261 if (net_rbio
!= NULL
) {
2262 if (!BIO_get_rpoll_descriptor(net_rbio
, &d
))
2263 /* Non-pollable BIO */
2264 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
2266 if (!validate_poll_descriptor(&d
))
2270 ossl_quic_reactor_set_poll_r(&ch
->rtor
, &d
);
2271 ossl_quic_demux_set_bio(ch
->demux
, net_rbio
);
2272 ch
->net_rbio
= net_rbio
;
2276 int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL
*ch
, BIO
*net_wbio
)
2278 BIO_POLL_DESCRIPTOR d
= {0};
2280 if (ch
->net_wbio
== net_wbio
)
2283 if (net_wbio
!= NULL
) {
2284 if (!BIO_get_wpoll_descriptor(net_wbio
, &d
))
2285 /* Non-pollable BIO */
2286 d
.type
= BIO_POLL_DESCRIPTOR_TYPE_NONE
;
2288 if (!validate_poll_descriptor(&d
))
2292 ossl_quic_reactor_set_poll_w(&ch
->rtor
, &d
);
2293 ossl_qtx_set_bio(ch
->qtx
, net_wbio
);
2294 ch
->net_wbio
= net_wbio
;
2299 * QUIC Channel: Lifecycle Events
2300 * ==============================
2302 int ossl_quic_channel_start(QUIC_CHANNEL
*ch
)
2306 * This is not used by the server. The server moves to active
2307 * automatically on receiving an incoming connection.
2311 if (ch
->state
!= QUIC_CHANNEL_STATE_IDLE
)
2312 /* Calls to connect are idempotent */
2315 /* Inform QTX of peer address. */
2316 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
2319 /* Plug in secrets for the Initial EL. */
2320 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
2328 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
2329 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
2331 /* Handshake layer: start (e.g. send CH). */
2332 if (!ossl_quic_tls_tick(ch
->qtls
))
2335 ossl_quic_reactor_tick(&ch
->rtor
, 0); /* best effort */
2339 /* Start a locally initiated connection shutdown. */
2340 void ossl_quic_channel_local_close(QUIC_CHANNEL
*ch
, uint64_t app_error_code
)
2342 QUIC_TERMINATE_CAUSE tcause
= {0};
2344 if (ossl_quic_channel_is_term_any(ch
))
2348 tcause
.error_code
= app_error_code
;
2349 ch_start_terminating(ch
, &tcause
, 0);
2352 static void free_token(const unsigned char *buf
, size_t buf_len
, void *arg
)
2354 OPENSSL_free((unsigned char *)buf
);
2357 /* Called when a server asks us to do a retry. */
2358 static int ch_retry(QUIC_CHANNEL
*ch
,
2359 const unsigned char *retry_token
,
2360 size_t retry_token_len
,
2361 const QUIC_CONN_ID
*retry_scid
)
2366 * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
2367 * a SCID field that is identical to the DCID field of its initial packet."
2369 if (ossl_quic_conn_id_eq(&ch
->init_dcid
, retry_scid
))
2372 /* We change to using the SCID in the Retry packet as the DCID. */
2373 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, retry_scid
))
2377 * Now we retry. We will release the Retry packet immediately, so copy
2380 if ((buf
= OPENSSL_memdup(retry_token
, retry_token_len
)) == NULL
)
2383 ossl_quic_tx_packetiser_set_initial_token(ch
->txp
, buf
, retry_token_len
,
2386 ch
->retry_scid
= *retry_scid
;
2387 ch
->doing_retry
= 1;
2390 * We need to stimulate the Initial EL to generate the first CRYPTO frame
2391 * again. We can do this most cleanly by simply forcing the ACKM to consider
2392 * the first Initial packet as lost, which it effectively was as the server
2393 * hasn't processed it. This also maintains the desired behaviour with e.g.
2394 * PNs not resetting and so on.
2396 * The PN we used initially is always zero, because QUIC does not allow
2399 if (!ossl_ackm_mark_packet_pseudo_lost(ch
->ackm
, QUIC_PN_SPACE_INITIAL
,
2404 * Plug in new secrets for the Initial EL. This is the only time we change
2405 * the secrets for an EL after we already provisioned it.
2407 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
2417 /* Called when an EL is to be discarded. */
2418 static int ch_discard_el(QUIC_CHANNEL
*ch
,
2421 if (!ossl_assert(enc_level
< QUIC_ENC_LEVEL_1RTT
))
2424 if ((ch
->el_discarded
& (1U << enc_level
)) != 0)
2428 /* Best effort for all of these. */
2429 ossl_quic_tx_packetiser_discard_enc_level(ch
->txp
, enc_level
);
2430 ossl_qrx_discard_enc_level(ch
->qrx
, enc_level
);
2431 ossl_qtx_discard_enc_level(ch
->qtx
, enc_level
);
2433 if (enc_level
!= QUIC_ENC_LEVEL_0RTT
) {
2434 uint32_t pn_space
= ossl_quic_enc_level_to_pn_space(enc_level
);
2436 ossl_ackm_on_pkt_space_discarded(ch
->ackm
, pn_space
);
2438 /* We should still have crypto streams at this point. */
2439 if (!ossl_assert(ch
->crypto_send
[pn_space
] != NULL
)
2440 || !ossl_assert(ch
->crypto_recv
[pn_space
] != NULL
))
2443 /* Get rid of the crypto stream state for the EL. */
2444 ossl_quic_sstream_free(ch
->crypto_send
[pn_space
]);
2445 ch
->crypto_send
[pn_space
] = NULL
;
2447 ossl_quic_rstream_free(ch
->crypto_recv
[pn_space
]);
2448 ch
->crypto_recv
[pn_space
] = NULL
;
2451 ch
->el_discarded
|= (1U << enc_level
);
2455 /* Intended to be called by the RXDP. */
2456 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL
*ch
)
2458 if (ch
->handshake_confirmed
)
2461 if (!ch
->handshake_complete
) {
2463 * Does not make sense for handshake to be confirmed before it is
2466 ossl_quic_channel_raise_protocol_error(ch
, QUIC_ERR_PROTOCOL_VIOLATION
,
2467 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE
,
2468 "handshake cannot be confirmed "
2469 "before it is completed");
2473 ch_discard_el(ch
, QUIC_ENC_LEVEL_HANDSHAKE
);
2474 ch
->handshake_confirmed
= 1;
2475 ossl_ackm_on_handshake_confirmed(ch
->ackm
);
2480 * Master function used when we want to start tearing down a connection:
2482 * - If the connection is still IDLE we can go straight to TERMINATED;
2484 * - If we are already TERMINATED this is a no-op.
2486 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
2487 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
2489 * - If we are TERMINATING - DRAINING, we remain here until the terminating
2492 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
2493 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
2494 * that we are considered to have caused a termination if we sent the first
2495 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
2496 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
2497 * TERMINATING - DRAINING.
2499 * We record the termination cause structure passed on the first call only.
2500 * Any successive calls have their termination cause data discarded;
2501 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
2504 static void ch_start_terminating(QUIC_CHANNEL
*ch
,
2505 const QUIC_TERMINATE_CAUSE
*tcause
,
2506 int force_immediate
)
2508 switch (ch
->state
) {
2510 case QUIC_CHANNEL_STATE_IDLE
:
2511 ch
->terminate_cause
= *tcause
;
2512 ch_on_terminating_timeout(ch
);
2515 case QUIC_CHANNEL_STATE_ACTIVE
:
2516 ch
->terminate_cause
= *tcause
;
2518 if (!force_immediate
) {
2519 ch
->state
= tcause
->remote
? QUIC_CHANNEL_STATE_TERMINATING_DRAINING
2520 : QUIC_CHANNEL_STATE_TERMINATING_CLOSING
;
2521 ch
->terminate_deadline
2522 = ossl_time_add(get_time(ch
),
2523 ossl_time_multiply(ossl_ackm_get_pto_duration(ch
->ackm
),
2526 if (!tcause
->remote
) {
2527 OSSL_QUIC_FRAME_CONN_CLOSE f
= {0};
2530 f
.error_code
= ch
->terminate_cause
.error_code
;
2531 f
.frame_type
= ch
->terminate_cause
.frame_type
;
2532 f
.is_app
= ch
->terminate_cause
.app
;
2533 ossl_quic_tx_packetiser_schedule_conn_close(ch
->txp
, &f
);
2534 ch
->conn_close_queued
= 1;
2537 ch_on_terminating_timeout(ch
);
2541 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING
:
2542 if (force_immediate
)
2543 ch_on_terminating_timeout(ch
);
2544 else if (tcause
->remote
)
2545 ch
->state
= QUIC_CHANNEL_STATE_TERMINATING_DRAINING
;
2549 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING
:
2551 * Other than in the force-immediate case, we remain here until the
2554 if (force_immediate
)
2555 ch_on_terminating_timeout(ch
);
2559 case QUIC_CHANNEL_STATE_TERMINATED
:
2566 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL
*ch
,
2567 OSSL_QUIC_FRAME_CONN_CLOSE
*f
)
2569 QUIC_TERMINATE_CAUSE tcause
= {0};
2571 if (!ossl_quic_channel_is_active(ch
))
2575 tcause
.app
= f
->is_app
;
2576 tcause
.error_code
= f
->error_code
;
2577 tcause
.frame_type
= f
->frame_type
;
2579 ch_start_terminating(ch
, &tcause
, 0);
2582 static void free_frame_data(unsigned char *buf
, size_t buf_len
, void *arg
)
2587 static int ch_enqueue_retire_conn_id(QUIC_CHANNEL
*ch
, uint64_t seq_num
)
2593 if ((buf_mem
= BUF_MEM_new()) == NULL
)
2596 if (!WPACKET_init(&wpkt
, buf_mem
))
2599 if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt
, seq_num
)) {
2600 WPACKET_cleanup(&wpkt
);
2604 WPACKET_finish(&wpkt
);
2605 if (!WPACKET_get_total_written(&wpkt
, &l
))
2608 if (ossl_quic_cfq_add_frame(ch
->cfq
, 1, QUIC_PN_SPACE_APP
,
2609 OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID
,
2610 (unsigned char *)buf_mem
->data
, l
,
2611 free_frame_data
, NULL
) == NULL
)
2614 buf_mem
->data
= NULL
;
2615 BUF_MEM_free(buf_mem
);
2619 ossl_quic_channel_raise_protocol_error(ch
,
2620 QUIC_ERR_INTERNAL_ERROR
,
2621 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2622 "internal error enqueueing retire conn id");
2623 BUF_MEM_free(buf_mem
);
2627 void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL
*ch
,
2628 OSSL_QUIC_FRAME_NEW_CONN_ID
*f
)
2630 uint64_t new_remote_seq_num
= ch
->cur_remote_seq_num
;
2631 uint64_t new_retire_prior_to
= ch
->cur_retire_prior_to
;
2633 if (!ossl_quic_channel_is_active(ch
))
2636 /* We allow only two active connection ids; first check some constraints */
2637 if (ch
->cur_remote_dcid
.id_len
== 0) {
2638 /* Changing from 0 length connection id is disallowed */
2639 ossl_quic_channel_raise_protocol_error(ch
,
2640 QUIC_ERR_PROTOCOL_VIOLATION
,
2641 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2642 "zero length connection id in use");
2647 if (f
->seq_num
> new_remote_seq_num
)
2648 new_remote_seq_num
= f
->seq_num
;
2649 if (f
->retire_prior_to
> new_retire_prior_to
)
2650 new_retire_prior_to
= f
->retire_prior_to
;
2653 * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
2654 * than the peer's limit.
2656 * After processing a NEW_CONNECTION_ID frame and adding and retiring
2657 * active connection IDs, if the number of active connection IDs exceeds
2658 * the value advertised in its active_connection_id_limit transport
2659 * parameter, an endpoint MUST close the connection with an error of
2660 * type CONNECTION_ID_LIMIT_ERROR.
2662 if (new_remote_seq_num
- new_retire_prior_to
> 1) {
2663 ossl_quic_channel_raise_protocol_error(ch
,
2664 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR
,
2665 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2666 "active_connection_id limit violated");
2671 * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
2672 * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
2673 * the retirement of any excess, by including a sufficiently large
2674 * value in the Retire Prior To field.
2676 * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
2677 * a number of RETIRE_CONNECTION_ID frames of at least twice the value
2678 * of the active_connection_id_limit transport parameter. An endpoint
2679 * MUST NOT forget a connection ID without retiring it, though it MAY
2680 * choose to treat having connection IDs in need of retirement that
2681 * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
2683 * We are a little bit more liberal than the minimum mandated.
2685 if (new_retire_prior_to
- ch
->cur_retire_prior_to
> 10) {
2686 ossl_quic_channel_raise_protocol_error(ch
,
2687 QUIC_ERR_CONNECTION_ID_LIMIT_ERROR
,
2688 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID
,
2689 "retiring connection id limit violated");
2694 if (new_remote_seq_num
> ch
->cur_remote_seq_num
) {
2695 ch
->cur_remote_seq_num
= new_remote_seq_num
;
2696 ch
->cur_remote_dcid
= f
->conn_id
;
2697 ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
);
2701 * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
2702 * field, the peer MUST stop using the corresponding connection IDs
2703 * and retire them with RETIRE_CONNECTION_ID frames before adding the
2704 * newly provided connection ID to the set of active connection IDs.
2708 * Note: RFC 9000 s. 19.15 says:
2709 * "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
2710 * number smaller than the Retire Prior To field of a previously received
2711 * NEW_CONNECTION_ID frame MUST send a correspoonding
2712 * RETIRE_CONNECTION_ID frame that retires the newly received connection
2713 * ID, unless it has already done so for that sequence number."
2715 * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
2716 * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
2717 * that NEW_CONNECTION_ID frame, by definition this will always be met.
2718 * This may change in future when we change our CID handling.
2720 while (new_retire_prior_to
> ch
->cur_retire_prior_to
) {
2721 if (!ch_enqueue_retire_conn_id(ch
, ch
->cur_retire_prior_to
))
2723 ++ch
->cur_retire_prior_to
;
2727 static void ch_save_err_state(QUIC_CHANNEL
*ch
)
2729 if (ch
->err_state
== NULL
)
2730 ch
->err_state
= OSSL_ERR_STATE_new();
2732 if (ch
->err_state
== NULL
)
2735 OSSL_ERR_STATE_save(ch
->err_state
);
2738 static void ch_raise_net_error(QUIC_CHANNEL
*ch
)
2740 QUIC_TERMINATE_CAUSE tcause
= {0};
2743 ch_save_err_state(ch
);
2745 tcause
.error_code
= QUIC_ERR_INTERNAL_ERROR
;
2748 * Skip Terminating state and go directly to Terminated, no point trying to
2749 * send CONNECTION_CLOSE if we cannot communicate.
2751 ch_start_terminating(ch
, &tcause
, 1);
2754 int ossl_quic_channel_net_error(QUIC_CHANNEL
*ch
)
2756 return ch
->net_error
;
2759 void ossl_quic_channel_restore_err_state(QUIC_CHANNEL
*ch
)
2764 OSSL_ERR_STATE_restore(ch
->err_state
);
2767 void ossl_quic_channel_raise_protocol_error(QUIC_CHANNEL
*ch
,
2768 uint64_t error_code
,
2769 uint64_t frame_type
,
2772 QUIC_TERMINATE_CAUSE tcause
= {0};
2774 if (error_code
== QUIC_ERR_INTERNAL_ERROR
)
2775 /* Internal errors might leave some errors on the stack. */
2776 ch_save_err_state(ch
);
2778 tcause
.error_code
= error_code
;
2779 tcause
.frame_type
= frame_type
;
2781 ch_start_terminating(ch
, &tcause
, 0);
2785 * Called once the terminating timer expires, meaning we move from TERMINATING
2788 static void ch_on_terminating_timeout(QUIC_CHANNEL
*ch
)
2790 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2794 * Updates our idle deadline. Called when an event happens which should bump the
2797 static void ch_update_idle(QUIC_CHANNEL
*ch
)
2799 if (ch
->max_idle_timeout
== 0)
2800 ch
->idle_deadline
= ossl_time_infinite();
2802 ch
->idle_deadline
= ossl_time_add(get_time(ch
),
2803 ossl_ms2time(ch
->max_idle_timeout
));
2807 * Updates our ping deadline, which determines when we next generate a ping if
2808 * we don't have any other ACK-eliciting frames to send.
2810 static void ch_update_ping_deadline(QUIC_CHANNEL
*ch
)
2812 if (ch
->max_idle_timeout
> 0) {
2814 * Maximum amount of time without traffic before we send a PING to keep
2815 * the connection open. Usually we use max_idle_timeout/2, but ensure
2816 * the period never exceeds the assumed NAT interval to ensure NAT
2817 * devices don't have their state time out (RFC 9000 s. 10.1.2).
2820 = ossl_time_divide(ossl_ms2time(ch
->max_idle_timeout
), 2);
2822 max_span
= ossl_time_min(max_span
, MAX_NAT_INTERVAL
);
2824 ch
->ping_deadline
= ossl_time_add(get_time(ch
), max_span
);
2826 ch
->ping_deadline
= ossl_time_infinite();
2830 /* Called when the idle timeout expires. */
2831 static void ch_on_idle_timeout(QUIC_CHANNEL
*ch
)
2834 * Idle timeout does not have an error code associated with it because a
2835 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
2836 * TERMINATED anyway.
2838 ch
->terminate_cause
.app
= 0;
2839 ch
->terminate_cause
.error_code
= UINT64_MAX
;
2840 ch
->terminate_cause
.frame_type
= 0;
2842 ch
->state
= QUIC_CHANNEL_STATE_TERMINATED
;
2845 /* Called when we, as a server, get a new incoming connection. */
2846 static int ch_server_on_new_conn(QUIC_CHANNEL
*ch
, const BIO_ADDR
*peer
,
2847 const QUIC_CONN_ID
*peer_scid
,
2848 const QUIC_CONN_ID
*peer_dcid
)
2850 if (!ossl_assert(ch
->state
== QUIC_CHANNEL_STATE_IDLE
&& ch
->is_server
))
2853 /* Generate a SCID we will use for the connection. */
2854 if (!gen_rand_conn_id(ch
->libctx
, INIT_DCID_LEN
,
2855 &ch
->cur_local_cid
))
2858 /* Note our newly learnt peer address and CIDs. */
2859 ch
->cur_peer_addr
= *peer
;
2860 ch
->init_dcid
= *peer_dcid
;
2861 ch
->cur_remote_dcid
= *peer_scid
;
2863 /* Inform QTX of peer address. */
2864 if (!ossl_quic_tx_packetiser_set_peer(ch
->txp
, &ch
->cur_peer_addr
))
2867 /* Inform TXP of desired CIDs. */
2868 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch
->txp
, &ch
->cur_remote_dcid
))
2871 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_cid
))
2874 /* Plug in secrets for the Initial EL. */
2875 if (!ossl_quic_provide_initial_secret(ch
->libctx
,
2882 /* Register our local CID in the DEMUX. */
2883 if (!ossl_qrx_add_dst_conn_id(ch
->qrx
, &ch
->cur_local_cid
))
2887 ch
->state
= QUIC_CHANNEL_STATE_ACTIVE
;
2888 ch
->doing_proactive_ver_neg
= 0; /* not currently supported */
2892 SSL
*ossl_quic_channel_get0_ssl(QUIC_CHANNEL
*ch
)
2897 static int ch_init_new_stream(QUIC_CHANNEL
*ch
, QUIC_STREAM
*qs
,
2898 int can_send
, int can_recv
)
2901 int server_init
= ossl_quic_stream_is_server_init(qs
);
2902 int local_init
= (ch
->is_server
== server_init
);
2903 int is_uni
= !ossl_quic_stream_is_bidi(qs
);
2906 if ((qs
->sstream
= ossl_quic_sstream_new(INIT_APP_BUF_LEN
)) == NULL
)
2910 if ((qs
->rstream
= ossl_quic_rstream_new(NULL
, NULL
, 0)) == NULL
)
2914 if (!ossl_quic_txfc_init(&qs
->txfc
, &ch
->conn_txfc
))
2917 if (ch
->got_remote_transport_params
) {
2919 * If we already got peer TPs we need to apply the initial CWM credit
2920 * now. If we didn't already get peer TPs this will be done
2921 * automatically for all extant streams when we do.
2927 cwm
= ch
->rx_init_max_stream_data_uni
;
2928 else if (local_init
)
2929 cwm
= ch
->rx_init_max_stream_data_bidi_local
;
2931 cwm
= ch
->rx_init_max_stream_data_bidi_remote
;
2933 ossl_quic_txfc_bump_cwm(&qs
->txfc
, cwm
);
2941 rxfc_wnd
= ch
->tx_init_max_stream_data_uni
;
2942 else if (local_init
)
2943 rxfc_wnd
= ch
->tx_init_max_stream_data_bidi_local
;
2945 rxfc_wnd
= ch
->tx_init_max_stream_data_bidi_remote
;
2947 if (!ossl_quic_rxfc_init(&qs
->rxfc
, &ch
->conn_rxfc
,
2949 DEFAULT_STREAM_RXFC_MAX_WND_MUL
* rxfc_wnd
,
2956 ossl_quic_sstream_free(qs
->sstream
);
2958 ossl_quic_rstream_free(qs
->rstream
);
2963 QUIC_STREAM
*ossl_quic_channel_new_stream_local(QUIC_CHANNEL
*ch
, int is_uni
)
2967 uint64_t stream_id
, *p_next_ordinal
;
2969 type
= ch
->is_server
? QUIC_STREAM_INITIATOR_SERVER
2970 : QUIC_STREAM_INITIATOR_CLIENT
;
2973 p_next_ordinal
= &ch
->next_local_stream_ordinal_uni
;
2974 type
|= QUIC_STREAM_DIR_UNI
;
2976 p_next_ordinal
= &ch
->next_local_stream_ordinal_bidi
;
2977 type
|= QUIC_STREAM_DIR_BIDI
;
2980 if (*p_next_ordinal
>= ((uint64_t)1) << 62)
2983 stream_id
= ((*p_next_ordinal
) << 2) | type
;
2985 if ((qs
= ossl_quic_stream_map_alloc(&ch
->qsm
, stream_id
, type
)) == NULL
)
2988 /* Locally-initiated stream, so we always want a send buffer. */
2989 if (!ch_init_new_stream(ch
, qs
, /*can_send=*/1, /*can_recv=*/!is_uni
))
2996 ossl_quic_stream_map_release(&ch
->qsm
, qs
);
3000 QUIC_STREAM
*ossl_quic_channel_new_stream_remote(QUIC_CHANNEL
*ch
,
3007 peer_role
= ch
->is_server
3008 ? QUIC_STREAM_INITIATOR_CLIENT
3009 : QUIC_STREAM_INITIATOR_SERVER
;
3011 if ((stream_id
& QUIC_STREAM_INITIATOR_MASK
) != peer_role
)
3014 is_uni
= ((stream_id
& QUIC_STREAM_DIR_MASK
) == QUIC_STREAM_DIR_UNI
);
3016 qs
= ossl_quic_stream_map_alloc(&ch
->qsm
, stream_id
,
3017 stream_id
& (QUIC_STREAM_INITIATOR_MASK
3018 | QUIC_STREAM_DIR_MASK
));
3022 if (!ch_init_new_stream(ch
, qs
, /*can_send=*/!is_uni
, /*can_recv=*/1))
3025 if (ch
->incoming_stream_auto_reject
)
3026 ossl_quic_channel_reject_stream(ch
, qs
);
3028 ossl_quic_stream_map_push_accept_queue(&ch
->qsm
, qs
);
3033 ossl_quic_stream_map_release(&ch
->qsm
, qs
);
3037 void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL
*ch
,
3041 ch
->incoming_stream_auto_reject
= (enable
!= 0);
3042 ch
->incoming_stream_auto_reject_aec
= aec
;
3045 void ossl_quic_channel_reject_stream(QUIC_CHANNEL
*ch
, QUIC_STREAM
*qs
)
3047 ossl_quic_stream_map_stop_sending_recv_part(&ch
->qsm
, qs
,
3048 ch
->incoming_stream_auto_reject_aec
);
3050 ossl_quic_stream_map_reset_stream_send_part(&ch
->qsm
, qs
,
3051 ch
->incoming_stream_auto_reject_aec
);
3054 ossl_quic_stream_map_update_state(&ch
->qsm
, qs
);
3057 /* Replace local connection ID in TXP and DEMUX for testing purposes. */
3058 int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL
*ch
,
3059 const QUIC_CONN_ID
*conn_id
)
3061 /* Remove the current local CID from the DEMUX. */
3062 if (!ossl_qrx_remove_dst_conn_id(ch
->qrx
, &ch
->cur_local_cid
))
3064 ch
->cur_local_cid
= *conn_id
;
3065 /* Set in the TXP, used only for long header packets. */
3066 if (!ossl_quic_tx_packetiser_set_cur_scid(ch
->txp
, &ch
->cur_local_cid
))
3068 /* Register our new local CID in the DEMUX. */
3069 if (!ossl_qrx_add_dst_conn_id(ch
->qrx
, &ch
->cur_local_cid
))
3074 void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL
*ch
,
3075 ossl_msg_cb msg_callback
,
3076 SSL
*msg_callback_ssl
)
3078 ch
->msg_callback
= msg_callback
;
3079 ch
->msg_callback_ssl
= msg_callback_ssl
;
3080 ossl_qtx_set_msg_callback(ch
->qtx
, msg_callback
, msg_callback_ssl
);
3081 ossl_quic_tx_packetiser_set_msg_callback(ch
->txp
, msg_callback
,
3083 ossl_qrx_set_msg_callback(ch
->qrx
, msg_callback
, msg_callback_ssl
);
3086 void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL
*ch
,
3087 void *msg_callback_arg
)
3089 ch
->msg_callback_arg
= msg_callback_arg
;
3090 ossl_qtx_set_msg_callback_arg(ch
->qtx
, msg_callback_arg
);
3091 ossl_quic_tx_packetiser_set_msg_callback_arg(ch
->txp
, msg_callback_arg
);
3092 ossl_qrx_set_msg_callback_arg(ch
->qrx
, msg_callback_arg
);
3095 void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL
*ch
,
3096 uint64_t tx_pkt_threshold
)
3098 ch
->txku_threshold_override
= tx_pkt_threshold
;
3101 uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL
*ch
)
3103 return ossl_qtx_get_key_epoch(ch
->qtx
);
3106 uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL
*ch
)
3108 return ossl_qrx_get_key_epoch(ch
->qrx
);
3111 int ossl_quic_channel_trigger_txku(QUIC_CHANNEL
*ch
)
3113 if (!txku_allowed(ch
))
3116 ch
->ku_locally_initiated
= 1;
3117 ch_trigger_txku(ch
);