1 /*
2 * Copyright 2022-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/rand.h>
11 #include <openssl/err.h>
12 #include "internal/ssl_unwrap.h"
13 #include "internal/quic_channel.h"
14 #include "internal/quic_error.h"
15 #include "internal/quic_rx_depack.h"
16 #include "internal/quic_lcidm.h"
17 #include "internal/quic_srtm.h"
18 #include "internal/qlog_event_helpers.h"
19 #include "internal/quic_txp.h"
20 #include "internal/quic_tls.h"
21 #include "internal/quic_ssl.h"
22 #include "../ssl_local.h"
23 #include "quic_channel_local.h"
24 #include "quic_port_local.h"
25 #include "quic_engine_local.h"
26
27 #define INIT_CRYPTO_RECV_BUF_LEN 16384
28 #define INIT_CRYPTO_SEND_BUF_LEN 16384
29 #define INIT_APP_BUF_LEN 8192
30
31 /*
32 * Interval before we force a PING to ensure NATs don't timeout. This is based
33 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
34 * 10.1.2.
35 */
36 #define MAX_NAT_INTERVAL (ossl_ms2time(25000))
37
38 /*
39 * Our maximum ACK delay on the TX side. This is up to us to choose. Note that
40 * this could differ from QUIC_DEFAULT_MAX_DELAY in future as that is a protocol
41 * value which determines the value of the maximum ACK delay if the
42 * max_ack_delay transport parameter is not set.
43 */
44 #define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY
45
46 DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL);
47
48 static void ch_save_err_state(QUIC_CHANNEL *ch);
49 static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads);
50 static int ch_tx(QUIC_CHANNEL *ch, int *notify_other_threads);
51 static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads);
52 static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only);
53 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
54 static int ch_retry(QUIC_CHANNEL *ch,
55 const unsigned char *retry_token,
56 size_t retry_token_len,
57 const QUIC_CONN_ID *retry_scid,
58 int drop_later_pn);
59 static int ch_restart(QUIC_CHANNEL *ch);
60
61 static void ch_cleanup(QUIC_CHANNEL *ch);
62 static int ch_generate_transport_params(QUIC_CHANNEL *ch);
63 static int ch_on_transport_params(const unsigned char *params,
64 size_t params_len,
65 void *arg);
66 static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
67 static int ch_on_handshake_complete(void *arg);
68 static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
69 uint32_t suite_id, EVP_MD *md,
70 const unsigned char *secret,
71 size_t secret_len,
72 void *arg);
73 static int ch_on_crypto_recv_record(const unsigned char **buf,
74 size_t *bytes_read, void *arg);
75 static int ch_on_crypto_release_record(size_t bytes_read, void *arg);
76 static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
77 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
78 size_t *consumed, void *arg);
79 static OSSL_TIME get_time(void *arg);
80 static uint64_t get_stream_limit(int uni, void *arg);
81 static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg);
82 static void rxku_detected(QUIC_PN pn, void *arg);
83 static int ch_retry(QUIC_CHANNEL *ch,
84 const unsigned char *retry_token,
85 size_t retry_token_len,
86 const QUIC_CONN_ID *retry_scid,
87 int drop_later_pn);
88 static void ch_update_idle(QUIC_CHANNEL *ch);
89 static int ch_discard_el(QUIC_CHANNEL *ch,
90 uint32_t enc_level);
91 static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
92 static void ch_update_idle(QUIC_CHANNEL *ch);
93 static void ch_update_ping_deadline(QUIC_CHANNEL *ch);
94 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
95 static void ch_start_terminating(QUIC_CHANNEL *ch,
96 const QUIC_TERMINATE_CAUSE *tcause,
97 int force_immediate);
98 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
99 void *arg);
100 static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state);
101
102 DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM);
103
104 QUIC_NEEDS_LOCK
ch_get_qlog(QUIC_CHANNEL * ch)105 static QLOG *ch_get_qlog(QUIC_CHANNEL *ch)
106 {
107 #ifndef OPENSSL_NO_QLOG
108 QLOG_TRACE_INFO qti = { 0 };
109
110 if (ch->qlog != NULL)
111 return ch->qlog;
112
113 if (!ch->use_qlog)
114 return NULL;
115
116 if (ch->is_server && ch->init_dcid.id_len == 0)
117 return NULL;
118
119 qti.odcid = ch->init_dcid;
120 qti.title = ch->qlog_title;
121 qti.description = NULL;
122 qti.group_id = NULL;
123 qti.is_server = ch->is_server;
124 qti.now_cb = get_time;
125 qti.now_cb_arg = ch;
126 if ((ch->qlog = ossl_qlog_new_from_env(&qti)) == NULL) {
127 ch->use_qlog = 0; /* don't try again */
128 return NULL;
129 }
130
131 return ch->qlog;
132 #else
133 return NULL;
134 #endif
135 }
136
137 QUIC_NEEDS_LOCK
ch_get_qlog_cb(void * arg)138 static QLOG *ch_get_qlog_cb(void *arg)
139 {
140 QUIC_CHANNEL *ch = arg;
141
142 return ch_get_qlog(ch);
143 }
144
145 /*
146 * QUIC Channel Initialization and Teardown
147 * ========================================
148 */
149 #define DEFAULT_INIT_CONN_RXFC_WND (768 * 1024)
150 #define DEFAULT_CONN_RXFC_MAX_WND_MUL 20
151
152 #define DEFAULT_INIT_STREAM_RXFC_WND (512 * 1024)
153 #define DEFAULT_STREAM_RXFC_MAX_WND_MUL 12
154
155 #define DEFAULT_INIT_CONN_MAX_STREAMS 100
156
ch_init(QUIC_CHANNEL * ch)157 static int ch_init(QUIC_CHANNEL *ch)
158 {
159 OSSL_QUIC_TX_PACKETISER_ARGS txp_args = { 0 };
160 OSSL_QTX_ARGS qtx_args = { 0 };
161 OSSL_QRX_ARGS qrx_args = { 0 };
162 QUIC_TLS_ARGS tls_args = { 0 };
163 uint32_t pn_space;
164 size_t rx_short_dcid_len;
165 size_t tx_init_dcid_len;
166
167 if (ch->port == NULL || ch->lcidm == NULL || ch->srtm == NULL)
168 goto err;
169
170 rx_short_dcid_len = ossl_quic_port_get_rx_short_dcid_len(ch->port);
171 tx_init_dcid_len = ossl_quic_port_get_tx_init_dcid_len(ch->port);
172
173 /* For clients, generate our initial DCID. */
174 if (!ch->is_server
175 && !ossl_quic_gen_rand_conn_id(ch->port->engine->libctx, tx_init_dcid_len,
176 &ch->init_dcid))
177 goto err;
178
179 /* We plug in a network write BIO to the QTX later when we get one. */
180 qtx_args.libctx = ch->port->engine->libctx;
181 qtx_args.get_qlog_cb = ch_get_qlog_cb;
182 qtx_args.get_qlog_cb_arg = ch;
183 qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
184 ch->rx_max_udp_payload_size = qtx_args.mdpl;
185
186 ch->ping_deadline = ossl_time_infinite();
187
188 ch->qtx = ossl_qtx_new(&qtx_args);
189 if (ch->qtx == NULL)
190 goto err;
191
192 ch->txpim = ossl_quic_txpim_new();
193 if (ch->txpim == NULL)
194 goto err;
195
196 ch->cfq = ossl_quic_cfq_new();
197 if (ch->cfq == NULL)
198 goto err;
199
200 if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
201 goto err;
202
203 /*
204 * Note: The TP we transmit governs what the peer can transmit and thus
205 * applies to the RXFC.
206 */
207 ch->tx_init_max_stream_data_bidi_local = DEFAULT_INIT_STREAM_RXFC_WND;
208 ch->tx_init_max_stream_data_bidi_remote = DEFAULT_INIT_STREAM_RXFC_WND;
209 ch->tx_init_max_stream_data_uni = DEFAULT_INIT_STREAM_RXFC_WND;
210
211 if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
212 DEFAULT_INIT_CONN_RXFC_WND,
213 DEFAULT_CONN_RXFC_MAX_WND_MUL * DEFAULT_INIT_CONN_RXFC_WND,
214 get_time, ch))
215 goto err;
216
217 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space)
218 if (!ossl_quic_rxfc_init_standalone(&ch->crypto_rxfc[pn_space],
219 INIT_CRYPTO_RECV_BUF_LEN,
220 get_time, ch))
221 goto err;
222
223 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_bidi_rxfc,
224 DEFAULT_INIT_CONN_MAX_STREAMS,
225 get_time, ch))
226 goto err;
227
228 if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_uni_rxfc,
229 DEFAULT_INIT_CONN_MAX_STREAMS,
230 get_time, ch))
231 goto err;
232
233 if (!ossl_statm_init(&ch->statm))
234 goto err;
235
236 ch->have_statm = 1;
237 ch->cc_method = &ossl_cc_newreno_method;
238 if ((ch->cc_data = ch->cc_method->new(get_time, ch)) == NULL)
239 goto err;
240
241 if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
242 ch->cc_method, ch->cc_data,
243 ch->is_server))
244 == NULL)
245 goto err;
246
247 if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,
248 &ch->max_streams_bidi_rxfc,
249 &ch->max_streams_uni_rxfc,
250 ch->is_server))
251 goto err;
252
253 ch->have_qsm = 1;
254
255 if (!ch->is_server
256 && !ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->init_scid))
257 goto err;
258
259 txp_args.cur_scid = ch->init_scid;
260 txp_args.cur_dcid = ch->init_dcid;
261 txp_args.ack_delay_exponent = 3;
262 txp_args.qtx = ch->qtx;
263 txp_args.txpim = ch->txpim;
264 txp_args.cfq = ch->cfq;
265 txp_args.ackm = ch->ackm;
266 txp_args.qsm = &ch->qsm;
267 txp_args.conn_txfc = &ch->conn_txfc;
268 txp_args.conn_rxfc = &ch->conn_rxfc;
269 txp_args.max_streams_bidi_rxfc = &ch->max_streams_bidi_rxfc;
270 txp_args.max_streams_uni_rxfc = &ch->max_streams_uni_rxfc;
271 txp_args.cc_method = ch->cc_method;
272 txp_args.cc_data = ch->cc_data;
273 txp_args.now = get_time;
274 txp_args.now_arg = ch;
275 txp_args.get_qlog_cb = ch_get_qlog_cb;
276 txp_args.get_qlog_cb_arg = ch;
277 txp_args.protocol_version = QUIC_VERSION_1;
278
279 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
280 ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_SEND_BUF_LEN);
281 if (ch->crypto_send[pn_space] == NULL)
282 goto err;
283
284 txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
285 }
286
287 ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
288 if (ch->txp == NULL)
289 goto err;
290
291 /* clients have no amplification limit, so are considered always valid */
292 if (!ch->is_server)
293 ossl_quic_tx_packetiser_set_validated(ch->txp);
294
295 ossl_quic_tx_packetiser_set_ack_tx_cb(ch->txp, ch_on_txp_ack_tx, ch);
296
297 /*
298 * qrx does not exist yet, then we must be dealing with client channel
299 * (QUIC connection initiator).
300 * If qrx exists already, then we are dealing with server channel which
301 * qrx gets created by port_default_packet_handler() before
302 * port_default_packet_handler() accepts connection and creates channel
303 * for it.
304 * The exception here is tserver which always creates channel,
305 * before the first packet is ever seen.
306 */
307 if (ch->qrx == NULL && ch->is_tserver_ch == 0) {
308 /* we are regular client, create channel */
309 qrx_args.libctx = ch->port->engine->libctx;
310 qrx_args.demux = ch->port->demux;
311 qrx_args.short_conn_id_len = rx_short_dcid_len;
312 qrx_args.max_deferred = 32;
313
314 if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
315 goto err;
316 }
317
318 if (ch->qrx != NULL) {
319 /*
320 * callbacks for channels associated with tserver's port
321 * are set up later when we call ossl_quic_channel_bind_qrx()
322 * in port_default_packet_handler()
323 */
324 if (!ossl_qrx_set_late_validation_cb(ch->qrx,
325 rx_late_validate,
326 ch))
327 goto err;
328
329 if (!ossl_qrx_set_key_update_cb(ch->qrx,
330 rxku_detected,
331 ch))
332 goto err;
333 }
334
335 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
336 ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL, 0);
337 if (ch->crypto_recv[pn_space] == NULL)
338 goto err;
339 }
340
341 /* Plug in the TLS handshake layer. */
342 tls_args.s = ch->tls;
343 tls_args.crypto_send_cb = ch_on_crypto_send;
344 tls_args.crypto_send_cb_arg = ch;
345 tls_args.crypto_recv_rcd_cb = ch_on_crypto_recv_record;
346 tls_args.crypto_recv_rcd_cb_arg = ch;
347 tls_args.crypto_release_rcd_cb = ch_on_crypto_release_record;
348 tls_args.crypto_release_rcd_cb_arg = ch;
349 tls_args.yield_secret_cb = ch_on_handshake_yield_secret;
350 tls_args.yield_secret_cb_arg = ch;
351 tls_args.got_transport_params_cb = ch_on_transport_params;
352 tls_args.got_transport_params_cb_arg = ch;
353 tls_args.handshake_complete_cb = ch_on_handshake_complete;
354 tls_args.handshake_complete_cb_arg = ch;
355 tls_args.alert_cb = ch_on_handshake_alert;
356 tls_args.alert_cb_arg = ch;
357 tls_args.is_server = ch->is_server;
358 tls_args.ossl_quic = 1;
359
360 if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
361 goto err;
362
363 ch->tx_max_ack_delay = DEFAULT_MAX_ACK_DELAY;
364 ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
365 ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
366 ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
367 ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
368 ch->rx_enc_level = QUIC_ENC_LEVEL_INITIAL;
369 ch->txku_threshold_override = UINT64_MAX;
370
371 ch->max_idle_timeout_local_req = QUIC_DEFAULT_IDLE_TIMEOUT;
372 ch->max_idle_timeout_remote_req = 0;
373 ch->max_idle_timeout = ch->max_idle_timeout_local_req;
374
375 ossl_ackm_set_tx_max_ack_delay(ch->ackm, ossl_ms2time(ch->tx_max_ack_delay));
376 ossl_ackm_set_rx_max_ack_delay(ch->ackm, ossl_ms2time(ch->rx_max_ack_delay));
377
378 ch_update_idle(ch);
379 ossl_list_ch_insert_tail(&ch->port->channel_list, ch);
380 ch->on_port_list = 1;
381 return 1;
382
383 err:
384 ch_cleanup(ch);
385 return 0;
386 }
387
ch_cleanup(QUIC_CHANNEL * ch)388 static void ch_cleanup(QUIC_CHANNEL *ch)
389 {
390 uint32_t pn_space;
391
392 if (ch->ackm != NULL)
393 for (pn_space = QUIC_PN_SPACE_INITIAL;
394 pn_space < QUIC_PN_SPACE_NUM;
395 ++pn_space)
396 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
397
398 ossl_quic_lcidm_cull(ch->lcidm, ch);
399 ossl_quic_srtm_cull(ch->srtm, ch);
400 ossl_quic_tx_packetiser_free(ch->txp);
401 ossl_quic_txpim_free(ch->txpim);
402 ossl_quic_cfq_free(ch->cfq);
403 ossl_qtx_free(ch->qtx);
404 if (ch->cc_data != NULL)
405 ch->cc_method->free(ch->cc_data);
406 if (ch->have_statm)
407 ossl_statm_destroy(&ch->statm);
408 ossl_ackm_free(ch->ackm);
409
410 if (ch->have_qsm)
411 ossl_quic_stream_map_cleanup(&ch->qsm);
412
413 for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
414 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
415 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
416 }
417
418 ossl_qrx_pkt_release(ch->qrx_pkt);
419 ch->qrx_pkt = NULL;
420
421 ossl_quic_tls_free(ch->qtls);
422 ossl_qrx_free(ch->qrx);
423 OPENSSL_free(ch->local_transport_params);
424 OPENSSL_free((char *)ch->terminate_cause.reason);
425 OSSL_ERR_STATE_free(ch->err_state);
426 OPENSSL_free(ch->ack_range_scratch);
427 OPENSSL_free(ch->pending_new_token);
428
429 if (ch->on_port_list) {
430 ossl_list_ch_remove(&ch->port->channel_list, ch);
431 ch->on_port_list = 0;
432 }
433
434 #ifndef OPENSSL_NO_QLOG
435 if (ch->qlog != NULL)
436 ossl_qlog_flush(ch->qlog); /* best effort */
437
438 OPENSSL_free(ch->qlog_title);
439 ossl_qlog_free(ch->qlog);
440 #endif
441 }
442
ossl_quic_channel_init(QUIC_CHANNEL * ch)443 int ossl_quic_channel_init(QUIC_CHANNEL *ch)
444 {
445 return ch_init(ch);
446 }
447
ossl_quic_channel_bind_qrx(QUIC_CHANNEL * tserver_ch,OSSL_QRX * qrx)448 void ossl_quic_channel_bind_qrx(QUIC_CHANNEL *tserver_ch, OSSL_QRX *qrx)
449 {
450 if (tserver_ch->qrx == NULL && tserver_ch->is_tserver_ch == 1) {
451 tserver_ch->qrx = qrx;
452 ossl_qrx_set_late_validation_cb(tserver_ch->qrx, rx_late_validate,
453 tserver_ch);
454 ossl_qrx_set_key_update_cb(tserver_ch->qrx, rxku_detected,
455 tserver_ch);
456 }
457 }
458
ossl_quic_channel_alloc(const QUIC_CHANNEL_ARGS * args)459 QUIC_CHANNEL *ossl_quic_channel_alloc(const QUIC_CHANNEL_ARGS *args)
460 {
461 QUIC_CHANNEL *ch = NULL;
462
463 if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
464 return NULL;
465
466 ch->port = args->port;
467 ch->is_server = args->is_server;
468 ch->tls = args->tls;
469 ch->lcidm = args->lcidm;
470 ch->srtm = args->srtm;
471 ch->qrx = args->qrx;
472 ch->is_tserver_ch = args->is_tserver_ch;
473 #ifndef OPENSSL_NO_QLOG
474 ch->use_qlog = args->use_qlog;
475
476 if (ch->use_qlog && args->qlog_title != NULL) {
477 if ((ch->qlog_title = OPENSSL_strdup(args->qlog_title)) == NULL) {
478 OPENSSL_free(ch);
479 return NULL;
480 }
481 }
482 #endif
483
484 return ch;
485 }
486
ossl_quic_channel_free(QUIC_CHANNEL * ch)487 void ossl_quic_channel_free(QUIC_CHANNEL *ch)
488 {
489 if (ch == NULL)
490 return;
491
492 ch_cleanup(ch);
493 OPENSSL_free(ch);
494 }
495
496 /* Set mutator callbacks for test framework support */
ossl_quic_channel_set_mutator(QUIC_CHANNEL * ch,ossl_mutate_packet_cb mutatecb,ossl_finish_mutate_cb finishmutatecb,void * mutatearg)497 int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch,
498 ossl_mutate_packet_cb mutatecb,
499 ossl_finish_mutate_cb finishmutatecb,
500 void *mutatearg)
501 {
502 if (ch->qtx == NULL)
503 return 0;
504
505 ossl_qtx_set_mutator(ch->qtx, mutatecb, finishmutatecb, mutatearg);
506 return 1;
507 }
508
ossl_quic_channel_get_peer_addr(QUIC_CHANNEL * ch,BIO_ADDR * peer_addr)509 int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
510 {
511 if (!ch->addressed_mode)
512 return 0;
513
514 return BIO_ADDR_copy(peer_addr, &ch->cur_peer_addr);
515 }
516
ossl_quic_channel_set_peer_addr(QUIC_CHANNEL * ch,const BIO_ADDR * peer_addr)517 int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
518 {
519 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
520 return 0;
521
522 if (peer_addr == NULL || BIO_ADDR_family(peer_addr) == AF_UNSPEC) {
523 BIO_ADDR_clear(&ch->cur_peer_addr);
524 ch->addressed_mode = 0;
525 return 1;
526 }
527
528 if (!BIO_ADDR_copy(&ch->cur_peer_addr, peer_addr)) {
529 ch->addressed_mode = 0;
530 return 0;
531 }
532 ch->addressed_mode = 1;
533
534 return 1;
535 }
536
ossl_quic_channel_get_reactor(QUIC_CHANNEL * ch)537 QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
538 {
539 return ossl_quic_port_get0_reactor(ch->port);
540 }
541
ossl_quic_channel_get_qsm(QUIC_CHANNEL * ch)542 QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
543 {
544 return &ch->qsm;
545 }
546
ossl_quic_channel_get_statm(QUIC_CHANNEL * ch)547 OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
548 {
549 return &ch->statm;
550 }
551
ossl_quic_channel_get0_tls(QUIC_CHANNEL * ch)552 SSL *ossl_quic_channel_get0_tls(QUIC_CHANNEL *ch)
553 {
554 return ch->tls;
555 }
556
free_buf_mem(unsigned char * buf,size_t buf_len,void * arg)557 static void free_buf_mem(unsigned char *buf, size_t buf_len, void *arg)
558 {
559 BUF_MEM_free((BUF_MEM *)arg);
560 }
561
ossl_quic_channel_schedule_new_token(QUIC_CHANNEL * ch,const unsigned char * token,size_t token_len)562 int ossl_quic_channel_schedule_new_token(QUIC_CHANNEL *ch,
563 const unsigned char *token,
564 size_t token_len)
565 {
566 int rc = 0;
567 QUIC_CFQ_ITEM *cfq_item;
568 WPACKET wpkt;
569 BUF_MEM *buf_mem = NULL;
570 size_t l = 0;
571
572 buf_mem = BUF_MEM_new();
573 if (buf_mem == NULL)
574 goto err;
575
576 if (!WPACKET_init(&wpkt, buf_mem))
577 goto err;
578
579 if (!ossl_quic_wire_encode_frame_new_token(&wpkt, token,
580 token_len)) {
581 WPACKET_cleanup(&wpkt);
582 goto err;
583 }
584
585 WPACKET_finish(&wpkt);
586
587 if (!WPACKET_get_total_written(&wpkt, &l))
588 goto err;
589
590 cfq_item = ossl_quic_cfq_add_frame(ch->cfq, 1,
591 QUIC_PN_SPACE_APP,
592 OSSL_QUIC_FRAME_TYPE_NEW_TOKEN, 0,
593 (unsigned char *)buf_mem->data, l,
594 free_buf_mem,
595 buf_mem);
596 if (cfq_item == NULL)
597 goto err;
598
599 rc = 1;
600 err:
601 if (!rc)
602 BUF_MEM_free(buf_mem);
603 return rc;
604 }
605
ossl_quic_channel_get_short_header_conn_id_len(QUIC_CHANNEL * ch)606 size_t ossl_quic_channel_get_short_header_conn_id_len(QUIC_CHANNEL *ch)
607 {
608 return ossl_quic_port_get_rx_short_dcid_len(ch->port);
609 }
610
ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL * ch,uint64_t stream_id)611 QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
612 uint64_t stream_id)
613 {
614 return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
615 }
616
ossl_quic_channel_is_active(const QUIC_CHANNEL * ch)617 int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
618 {
619 return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
620 }
621
ossl_quic_channel_is_closing(const QUIC_CHANNEL * ch)622 int ossl_quic_channel_is_closing(const QUIC_CHANNEL *ch)
623 {
624 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
625 }
626
ossl_quic_channel_is_draining(const QUIC_CHANNEL * ch)627 static int ossl_quic_channel_is_draining(const QUIC_CHANNEL *ch)
628 {
629 return ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
630 }
631
ossl_quic_channel_is_terminating(const QUIC_CHANNEL * ch)632 static int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
633 {
634 return ossl_quic_channel_is_closing(ch)
635 || ossl_quic_channel_is_draining(ch);
636 }
637
ossl_quic_channel_is_terminated(const QUIC_CHANNEL * ch)638 int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
639 {
640 return ch->state == QUIC_CHANNEL_STATE_TERMINATED;
641 }
642
ossl_quic_channel_is_term_any(const QUIC_CHANNEL * ch)643 int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
644 {
645 return ossl_quic_channel_is_terminating(ch)
646 || ossl_quic_channel_is_terminated(ch);
647 }
648
649 const QUIC_TERMINATE_CAUSE *
ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL * ch)650 ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL *ch)
651 {
652 return ossl_quic_channel_is_term_any(ch) ? &ch->terminate_cause : NULL;
653 }
654
ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL * ch)655 int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
656 {
657 return ch->handshake_complete;
658 }
659
ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL * ch)660 int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL *ch)
661 {
662 return ch->handshake_confirmed;
663 }
664
ossl_quic_channel_get0_demux(QUIC_CHANNEL * ch)665 QUIC_DEMUX *ossl_quic_channel_get0_demux(QUIC_CHANNEL *ch)
666 {
667 return ch->port->demux;
668 }
669
ossl_quic_channel_get0_port(QUIC_CHANNEL * ch)670 QUIC_PORT *ossl_quic_channel_get0_port(QUIC_CHANNEL *ch)
671 {
672 return ch->port;
673 }
674
ossl_quic_channel_get0_engine(QUIC_CHANNEL * ch)675 QUIC_ENGINE *ossl_quic_channel_get0_engine(QUIC_CHANNEL *ch)
676 {
677 return ossl_quic_port_get0_engine(ch->port);
678 }
679
ossl_quic_channel_get_mutex(QUIC_CHANNEL * ch)680 CRYPTO_MUTEX *ossl_quic_channel_get_mutex(QUIC_CHANNEL *ch)
681 {
682 return ossl_quic_port_get0_mutex(ch->port);
683 }
684
ossl_quic_channel_has_pending(const QUIC_CHANNEL * ch)685 int ossl_quic_channel_has_pending(const QUIC_CHANNEL *ch)
686 {
687 return ossl_quic_demux_has_pending(ch->port->demux)
688 || ossl_qrx_processed_read_pending(ch->qrx);
689 }
690
691 /*
692 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
693 * ================================================================
694 */
695
696 /* Used by various components. */
get_time(void * arg)697 static OSSL_TIME get_time(void *arg)
698 {
699 QUIC_CHANNEL *ch = arg;
700
701 return ossl_quic_port_get_time(ch->port);
702 }
703
704 /* Used by QSM. */
get_stream_limit(int uni,void * arg)705 static uint64_t get_stream_limit(int uni, void *arg)
706 {
707 QUIC_CHANNEL *ch = arg;
708
709 return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
710 }
711
712 /*
713 * Called by QRX to determine if a packet is potentially invalid before trying
714 * to decrypt it.
715 */
rx_late_validate(QUIC_PN pn,int pn_space,void * arg)716 static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg)
717 {
718 QUIC_CHANNEL *ch = arg;
719
720 /* Potential duplicates should not be processed. */
721 if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
722 return 0;
723
724 return 1;
725 }
726
727 /*
728 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
729 * spontaneous TXKU is currently allowed.
730 */
731 QUIC_NEEDS_LOCK
ch_trigger_txku(QUIC_CHANNEL * ch)732 static void ch_trigger_txku(QUIC_CHANNEL *ch)
733 {
734 uint64_t next_pn
735 = ossl_quic_tx_packetiser_get_next_pn(ch->txp, QUIC_PN_SPACE_APP);
736
737 if (!ossl_quic_pn_valid(next_pn)
738 || !ossl_qtx_trigger_key_update(ch->qtx)) {
739 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
740 "key update");
741 return;
742 }
743
744 ch->txku_in_progress = 1;
745 ch->txku_pn = next_pn;
746 ch->rxku_expected = ch->ku_locally_initiated;
747 }
748
749 QUIC_NEEDS_LOCK
txku_in_progress(QUIC_CHANNEL * ch)750 static int txku_in_progress(QUIC_CHANNEL *ch)
751 {
752 if (ch->txku_in_progress
753 && ossl_ackm_get_largest_acked(ch->ackm, QUIC_PN_SPACE_APP) >= ch->txku_pn) {
754 OSSL_TIME pto = ossl_ackm_get_pto_duration(ch->ackm);
755
756 /*
757 * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
758 * initiating a key update after receiving an acknowledgment that
759 * confirms that the previous key update was received.
760 *
761 * Note that by the above wording, this period starts from when we get
762 * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
763 * So we defer TXKU cooldown deadline calculation to this point.
764 */
765 ch->txku_in_progress = 0;
766 ch->txku_cooldown_deadline = ossl_time_add(get_time(ch),
767 ossl_time_multiply(pto, 3));
768 }
769
770 return ch->txku_in_progress;
771 }
772
773 QUIC_NEEDS_LOCK
txku_allowed(QUIC_CHANNEL * ch)774 static int txku_allowed(QUIC_CHANNEL *ch)
775 {
776 return ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT /* Sanity check. */
777 /* Strict RFC 9001 criterion for TXKU. */
778 && ch->handshake_confirmed
779 && !txku_in_progress(ch);
780 }
781
782 QUIC_NEEDS_LOCK
txku_recommendable(QUIC_CHANNEL * ch)783 static int txku_recommendable(QUIC_CHANNEL *ch)
784 {
785 if (!txku_allowed(ch))
786 return 0;
787
788 return
789 /* Recommended RFC 9001 criterion for TXKU. */
790 ossl_time_compare(get_time(ch), ch->txku_cooldown_deadline) >= 0
791 /* Some additional sensible criteria. */
792 && !ch->rxku_in_progress
793 && !ch->rxku_pending_confirm;
794 }
795
796 QUIC_NEEDS_LOCK
txku_desirable(QUIC_CHANNEL * ch)797 static int txku_desirable(QUIC_CHANNEL *ch)
798 {
799 uint64_t cur_pkt_count, max_pkt_count, thresh_pkt_count;
800 const uint32_t enc_level = QUIC_ENC_LEVEL_1RTT;
801
802 /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
803 cur_pkt_count = ossl_qtx_get_cur_epoch_pkt_count(ch->qtx, enc_level);
804 max_pkt_count = ossl_qtx_get_max_epoch_pkt_count(ch->qtx, enc_level);
805
806 thresh_pkt_count = max_pkt_count / 2;
807 if (ch->txku_threshold_override != UINT64_MAX)
808 thresh_pkt_count = ch->txku_threshold_override;
809
810 return cur_pkt_count >= thresh_pkt_count;
811 }
812
813 QUIC_NEEDS_LOCK
ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL * ch)814 static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL *ch)
815 {
816 if (!txku_recommendable(ch) || !txku_desirable(ch))
817 return;
818
819 ch->ku_locally_initiated = 1;
820 ch_trigger_txku(ch);
821 }
822
823 QUIC_NEEDS_LOCK
rxku_allowed(QUIC_CHANNEL * ch)824 static int rxku_allowed(QUIC_CHANNEL *ch)
825 {
826 /*
827 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
828 * having confirmed the handshake (Section 4.1.2).
829 *
830 * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
831 * unless it has received an acknowledgment for a packet that was sent
832 * protected with keys from the current key phase.
833 *
834 * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
835 * sent any packets with updated keys containing an acknowledgment for the
836 * packet that initiated the key update, it indicates that its peer has
837 * updated keys twice without awaiting confirmation. An endpoint MAY treat
838 * such consecutive key updates as a connection error of type
839 * KEY_UPDATE_ERROR.
840 */
841 return ch->handshake_confirmed && !ch->rxku_pending_confirm;
842 }
843
844 /*
845 * Called when the QRX detects a new RX key update event.
846 */
847 enum rxku_decision {
848 DECISION_RXKU_ONLY,
849 DECISION_PROTOCOL_VIOLATION,
850 DECISION_SOLICITED_TXKU
851 };
852
853 /* Called when the QRX detects a key update has occurred. */
854 QUIC_NEEDS_LOCK
rxku_detected(QUIC_PN pn,void * arg)855 static void rxku_detected(QUIC_PN pn, void *arg)
856 {
857 QUIC_CHANNEL *ch = arg;
858 enum rxku_decision decision;
859 OSSL_TIME pto;
860
861 /*
862 * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
863 * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
864 */
865 assert(!ch->rxku_in_progress);
866
867 if (!rxku_allowed(ch))
868 /* Is RXKU even allowed at this time? */
869 decision = DECISION_PROTOCOL_VIOLATION;
870
871 else if (ch->ku_locally_initiated)
872 /*
873 * If this key update was locally initiated (meaning that this detected
874 * RXKU event is a result of our own spontaneous TXKU), we do not
875 * trigger another TXKU; after all, to do so would result in an infinite
876 * ping-pong of key updates. We still process it as an RXKU.
877 */
878 decision = DECISION_RXKU_ONLY;
879
880 else
881 /*
882 * Otherwise, a peer triggering a KU means we have to trigger a KU also.
883 */
884 decision = DECISION_SOLICITED_TXKU;
885
886 if (decision == DECISION_PROTOCOL_VIOLATION) {
887 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
888 0, "RX key update again too soon");
889 return;
890 }
891
892 pto = ossl_ackm_get_pto_duration(ch->ackm);
893
894 ch->ku_locally_initiated = 0;
895 ch->rxku_in_progress = 1;
896 ch->rxku_pending_confirm = 1;
897 ch->rxku_trigger_pn = pn;
898 ch->rxku_update_end_deadline = ossl_time_add(get_time(ch), pto);
899 ch->rxku_expected = 0;
900
901 if (decision == DECISION_SOLICITED_TXKU)
902 /* NOT gated by usual txku_allowed() */
903 ch_trigger_txku(ch);
904
905 /*
906 * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
907 * received. In some cases, this may not occur for a long time, for example
908 * if transmission of application data is going in only one direction and
909 * nothing else is happening with the connection. However, since the peer
910 * cannot initiate a subsequent (spontaneous) TXKU until its prior
911 * (spontaneous or solicited) TXKU has completed - meaning that prior
912 * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
913 * can lead to very long times before a TXKU is considered 'completed'.
914 * Optimise this by forcing ACK generation after triggering TXKU.
915 * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
916 * which it more or less should be; it is necessarily separate from ordinary
917 * processing of ACK-eliciting frames as key update is not indicated via a
918 * frame.)
919 */
920 ossl_quic_tx_packetiser_schedule_ack(ch->txp, QUIC_PN_SPACE_APP);
921 }
922
923 /* Called per tick to handle RXKU timer events. */
924 QUIC_NEEDS_LOCK
ch_rxku_tick(QUIC_CHANNEL * ch)925 static void ch_rxku_tick(QUIC_CHANNEL *ch)
926 {
927 if (!ch->rxku_in_progress
928 || ossl_time_compare(get_time(ch), ch->rxku_update_end_deadline) < 0)
929 return;
930
931 ch->rxku_update_end_deadline = ossl_time_infinite();
932 ch->rxku_in_progress = 0;
933
934 if (!ossl_qrx_key_update_timeout(ch->qrx, /*normal=*/1))
935 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
936 "RXKU cooldown internal error");
937 }
938
939 QUIC_NEEDS_LOCK
ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK * ack,uint32_t pn_space,void * arg)940 static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
941 void *arg)
942 {
943 QUIC_CHANNEL *ch = arg;
944
945 if (pn_space != QUIC_PN_SPACE_APP || !ch->rxku_pending_confirm
946 || !ossl_quic_frame_ack_contains_pn(ack, ch->rxku_trigger_pn))
947 return;
948
949 /*
950 * Defer clearing rxku_pending_confirm until TXP generate call returns
951 * successfully.
952 */
953 ch->rxku_pending_confirm_done = 1;
954 }
955
956 /*
957 * QUIC Channel: Handshake Layer Event Handling
958 * ============================================
959 */
ch_on_crypto_send(const unsigned char * buf,size_t buf_len,size_t * consumed,void * arg)960 static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
961 size_t *consumed, void *arg)
962 {
963 int ret;
964 QUIC_CHANNEL *ch = arg;
965 uint32_t enc_level = ch->tx_enc_level;
966 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
967 QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];
968
969 if (!ossl_assert(sstream != NULL))
970 return 0;
971
972 ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
973 return ret;
974 }
975
crypto_ensure_empty(QUIC_RSTREAM * rstream)976 static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
977 {
978 size_t avail = 0;
979 int is_fin = 0;
980
981 if (rstream == NULL)
982 return 1;
983
984 if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
985 return 0;
986
987 return avail == 0;
988 }
989
ch_on_crypto_recv_record(const unsigned char ** buf,size_t * bytes_read,void * arg)990 static int ch_on_crypto_recv_record(const unsigned char **buf,
991 size_t *bytes_read, void *arg)
992 {
993 QUIC_CHANNEL *ch = arg;
994 QUIC_RSTREAM *rstream;
995 int is_fin = 0; /* crypto stream is never finished, so we don't use this */
996 uint32_t i;
997
998 /*
999 * After we move to a later EL we must not allow our peer to send any new
1000 * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
1001 * are allowed.
1002 *
1003 * In practice we will only move to a new EL when we have consumed all bytes
1004 * which should be sent on the crypto stream at a previous EL. For example,
1005 * the Handshake EL should not be provisioned until we have completely
1006 * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
1007 * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
1008 * given EL is available we simply ensure we have not received any further
1009 * bytes at a lower EL.
1010 */
1011 for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->rx_enc_level; ++i)
1012 if (i != QUIC_ENC_LEVEL_0RTT && !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
1013 /* Protocol violation (RFC 9001 s. 4.1.3) */
1014 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
1015 OSSL_QUIC_FRAME_TYPE_CRYPTO,
1016 "crypto stream data in wrong EL");
1017 return 0;
1018 }
1019
1020 rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->rx_enc_level)];
1021 if (rstream == NULL)
1022 return 0;
1023
1024 return ossl_quic_rstream_get_record(rstream, buf, bytes_read,
1025 &is_fin);
1026 }
1027
ch_on_crypto_release_record(size_t bytes_read,void * arg)1028 static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
1029 {
1030 QUIC_CHANNEL *ch = arg;
1031 QUIC_RSTREAM *rstream;
1032 OSSL_RTT_INFO rtt_info;
1033 uint32_t rx_pn_space = ossl_quic_enc_level_to_pn_space(ch->rx_enc_level);
1034
1035 rstream = ch->crypto_recv[rx_pn_space];
1036 if (rstream == NULL)
1037 return 0;
1038
1039 ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(ch), &rtt_info);
1040 if (!ossl_quic_rxfc_on_retire(&ch->crypto_rxfc[rx_pn_space], bytes_read,
1041 rtt_info.smoothed_rtt))
1042 return 0;
1043
1044 return ossl_quic_rstream_release_record(rstream, bytes_read);
1045 }
1046
ch_on_handshake_yield_secret(uint32_t prot_level,int direction,uint32_t suite_id,EVP_MD * md,const unsigned char * secret,size_t secret_len,void * arg)1047 static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
1048 uint32_t suite_id, EVP_MD *md,
1049 const unsigned char *secret,
1050 size_t secret_len,
1051 void *arg)
1052 {
1053 QUIC_CHANNEL *ch = arg;
1054 uint32_t i;
1055 uint32_t enc_level;
1056
1057 /* Convert TLS protection level to QUIC encryption level */
1058 switch (prot_level) {
1059 case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
1060 enc_level = QUIC_ENC_LEVEL_0RTT;
1061 break;
1062
1063 case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
1064 enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
1065 break;
1066
1067 case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
1068 enc_level = QUIC_ENC_LEVEL_1RTT;
1069 break;
1070
1071 default:
1072 return 0;
1073 }
1074
1075 if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
1076 /* Invalid EL. */
1077 return 0;
1078
1079 if (direction) {
1080 /* TX */
1081 if (enc_level <= ch->tx_enc_level)
1082 /*
1083 * Does not make sense for us to try and provision an EL we have already
1084 * attained.
1085 */
1086 return 0;
1087
1088 if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
1089 suite_id, md,
1090 secret, secret_len))
1091 return 0;
1092
1093 ch->tx_enc_level = enc_level;
1094 } else {
1095 /* RX */
1096 if (enc_level <= ch->rx_enc_level)
1097 /*
1098 * Does not make sense for us to try and provision an EL we have already
1099 * attained.
1100 */
1101 return 0;
1102
1103 /*
1104 * Ensure all crypto streams for previous ELs are now empty of available
1105 * data.
1106 */
1107 for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
1108 if (!crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
1109 /* Protocol violation (RFC 9001 s. 4.1.3) */
1110 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
1111 OSSL_QUIC_FRAME_TYPE_CRYPTO,
1112 "crypto stream data in wrong EL");
1113 return 0;
1114 }
1115
1116 if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
1117 suite_id, md,
1118 secret, secret_len))
1119 return 0;
1120
1121 ch->have_new_rx_secret = 1;
1122 ch->rx_enc_level = enc_level;
1123 }
1124
1125 return 1;
1126 }
1127
ch_on_handshake_complete(void * arg)1128 static int ch_on_handshake_complete(void *arg)
1129 {
1130 QUIC_CHANNEL *ch = arg;
1131
1132 if (!ossl_assert(!ch->handshake_complete))
1133 return 0; /* this should not happen twice */
1134
1135 if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
1136 return 0;
1137
1138 /*
1139 * When handshake is complete, we no longer need to abide by the
1140 * 3x amplification limit, though we should be validated as soon
1141 * as we see a handshake key encrypted packet (see ossl_quic_handle_packet)
1142 */
1143 ossl_quic_tx_packetiser_set_validated(ch->txp);
1144
1145 if (!ch->got_remote_transport_params) {
1146 /*
1147 * Was not a valid QUIC handshake if we did not get valid transport
1148 * params.
1149 */
1150 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_CRYPTO_MISSING_EXT,
1151 OSSL_QUIC_FRAME_TYPE_CRYPTO,
1152 "no transport parameters received");
1153 return 0;
1154 }
1155
1156 /* Don't need transport parameters anymore. */
1157 OPENSSL_free(ch->local_transport_params);
1158 ch->local_transport_params = NULL;
1159
1160 /* Tell the QRX it can now process 1-RTT packets. */
1161 ossl_qrx_allow_1rtt_processing(ch->qrx);
1162
1163 /* Tell TXP the handshake is complete. */
1164 ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);
1165
1166 ch->handshake_complete = 1;
1167
1168 if (ch->pending_new_token != NULL) {
1169 /*
1170 * Note this is a best effort operation here
1171 * If scheduling a new token fails, the worst outcome is that
1172 * a client, not having received it, will just have to go through
1173 * an extra roundtrip on a subsequent connection via the retry frame
1174 * path, at which point we get another opportunity to schedule another
1175 * new token. As a result, we don't need to handle any errors here
1176 */
1177 ossl_quic_channel_schedule_new_token(ch,
1178 ch->pending_new_token,
1179 ch->pending_new_token_len);
1180 OPENSSL_free(ch->pending_new_token);
1181 ch->pending_new_token = NULL;
1182 ch->pending_new_token_len = 0;
1183 }
1184
1185 if (ch->is_server) {
1186 /*
1187 * On the server, the handshake is confirmed as soon as it is complete.
1188 */
1189 ossl_quic_channel_on_handshake_confirmed(ch);
1190
1191 ossl_quic_tx_packetiser_schedule_handshake_done(ch->txp);
1192 }
1193
1194 ch_record_state_transition(ch, ch->state);
1195 return 1;
1196 }
1197
ch_on_handshake_alert(void * arg,unsigned char alert_code)1198 static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
1199 {
1200 QUIC_CHANNEL *ch = arg;
1201
1202 /*
1203 * RFC 9001 s. 4.4: More specifically, servers MUST NOT send post-handshake
1204 * TLS CertificateRequest messages, and clients MUST treat receipt of such
1205 * messages as a connection error of type PROTOCOL_VIOLATION.
1206 */
1207 if (alert_code == SSL_AD_UNEXPECTED_MESSAGE
1208 && ch->handshake_complete
1209 && ossl_quic_tls_is_cert_request(ch->qtls))
1210 ossl_quic_channel_raise_protocol_error(ch,
1211 OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
1212 0,
1213 "Post-handshake TLS "
1214 "CertificateRequest received");
1215 /*
1216 * RFC 9001 s. 4.6.1: Servers MUST NOT send the early_data extension with a
1217 * max_early_data_size field set to any value other than 0xffffffff. A
1218 * client MUST treat receipt of a NewSessionTicket that contains an
1219 * early_data extension with any other value as a connection error of type
1220 * PROTOCOL_VIOLATION.
1221 */
1222 else if (alert_code == SSL_AD_ILLEGAL_PARAMETER
1223 && ch->handshake_complete
1224 && ossl_quic_tls_has_bad_max_early_data(ch->qtls))
1225 ossl_quic_channel_raise_protocol_error(ch,
1226 OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
1227 0,
1228 "Bad max_early_data received");
1229 else
1230 ossl_quic_channel_raise_protocol_error(ch,
1231 OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN
1232 + alert_code,
1233 0, "handshake alert");
1234
1235 return 1;
1236 }
1237
1238 /*
1239 * QUIC Channel: Transport Parameter Handling
1240 * ==========================================
1241 */
1242
1243 /*
1244 * Called by handshake layer when we receive QUIC Transport Parameters from the
1245 * peer. Note that these are not authenticated until the handshake is marked
1246 * as complete.
1247 */
1248 #define TP_REASON_SERVER_ONLY(x) \
1249 x " may not be sent by a client"
1250 #define TP_REASON_DUP(x) \
1251 x " appears multiple times"
1252 #define TP_REASON_MALFORMED(x) \
1253 x " is malformed"
1254 #define TP_REASON_EXPECTED_VALUE(x) \
1255 x " does not match expected value"
1256 #define TP_REASON_NOT_RETRY(x) \
1257 x " sent when not performing a retry"
1258 #define TP_REASON_REQUIRED(x) \
1259 x " was not sent but is required"
1260 #define TP_REASON_INTERNAL_ERROR(x) \
1261 x " encountered internal error"
1262
txfc_bump_cwm_bidi(QUIC_STREAM * s,void * arg)1263 static void txfc_bump_cwm_bidi(QUIC_STREAM *s, void *arg)
1264 {
1265 if (!ossl_quic_stream_is_bidi(s)
1266 || ossl_quic_stream_is_server_init(s))
1267 return;
1268
1269 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1270 }
1271
txfc_bump_cwm_uni(QUIC_STREAM * s,void * arg)1272 static void txfc_bump_cwm_uni(QUIC_STREAM *s, void *arg)
1273 {
1274 if (ossl_quic_stream_is_bidi(s)
1275 || ossl_quic_stream_is_server_init(s))
1276 return;
1277
1278 ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
1279 }
1280
do_update(QUIC_STREAM * s,void * arg)1281 static void do_update(QUIC_STREAM *s, void *arg)
1282 {
1283 QUIC_CHANNEL *ch = arg;
1284
1285 ossl_quic_stream_map_update_state(&ch->qsm, s);
1286 }
1287
min_u64_ignore_0(uint64_t a,uint64_t b)1288 static uint64_t min_u64_ignore_0(uint64_t a, uint64_t b)
1289 {
1290 if (a == 0)
1291 return b;
1292 if (b == 0)
1293 return a;
1294
1295 return a < b ? a : b;
1296 }
1297
ch_on_transport_params(const unsigned char * params,size_t params_len,void * arg)1298 static int ch_on_transport_params(const unsigned char *params,
1299 size_t params_len,
1300 void *arg)
1301 {
1302 QUIC_CHANNEL *ch = arg;
1303 PACKET pkt;
1304 uint64_t id, v;
1305 size_t len;
1306 const unsigned char *body;
1307 int got_orig_dcid = 0;
1308 int got_initial_scid = 0;
1309 int got_retry_scid = 0;
1310 int got_initial_max_data = 0;
1311 int got_initial_max_stream_data_bidi_local = 0;
1312 int got_initial_max_stream_data_bidi_remote = 0;
1313 int got_initial_max_stream_data_uni = 0;
1314 int got_initial_max_streams_bidi = 0;
1315 int got_initial_max_streams_uni = 0;
1316 int got_stateless_reset_token = 0;
1317 int got_preferred_addr = 0;
1318 int got_ack_delay_exp = 0;
1319 int got_max_ack_delay = 0;
1320 int got_max_udp_payload_size = 0;
1321 int got_max_idle_timeout = 0;
1322 int got_active_conn_id_limit = 0;
1323 int got_disable_active_migration = 0;
1324 QUIC_CONN_ID cid;
1325 const char *reason = "bad transport parameter";
1326 ossl_unused uint64_t rx_max_idle_timeout = 0;
1327 ossl_unused const void *stateless_reset_token_p = NULL;
1328 QUIC_PREFERRED_ADDR pfa;
1329 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ch->tls);
1330
1331 /*
1332 * When HRR happens the client sends the transport params in the new client
1333 * hello again. Reset the transport params here and load them again.
1334 */
1335 if (ch->is_server && sc->hello_retry_request != SSL_HRR_NONE
1336 && ch->got_remote_transport_params) {
1337 ch->max_local_streams_bidi = 0;
1338 ch->max_local_streams_uni = 0;
1339 ch->got_local_transport_params = 0;
1340 OPENSSL_free(ch->local_transport_params);
1341 ch->local_transport_params = NULL;
1342 } else if (ch->got_remote_transport_params) {
1343 reason = "multiple transport parameter extensions";
1344 goto malformed;
1345 }
1346
1347 if (!PACKET_buf_init(&pkt, params, params_len)) {
1348 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
1349 "internal error (packet buf init)");
1350 return 0;
1351 }
1352
1353 while (PACKET_remaining(&pkt) > 0) {
1354 if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
1355 goto malformed;
1356
1357 switch (id) {
1358 case QUIC_TPARAM_ORIG_DCID:
1359 if (got_orig_dcid) {
1360 reason = TP_REASON_DUP("ORIG_DCID");
1361 goto malformed;
1362 }
1363
1364 if (ch->is_server) {
1365 reason = TP_REASON_SERVER_ONLY("ORIG_DCID");
1366 goto malformed;
1367 }
1368
1369 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1370 reason = TP_REASON_MALFORMED("ORIG_DCID");
1371 goto malformed;
1372 }
1373
1374 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1375 /* Must match our initial DCID. */
1376 if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid)) {
1377 reason = TP_REASON_EXPECTED_VALUE("ORIG_DCID");
1378 goto malformed;
1379 }
1380 #endif
1381
1382 got_orig_dcid = 1;
1383 break;
1384
1385 case QUIC_TPARAM_RETRY_SCID:
1386 if (ch->is_server) {
1387 reason = TP_REASON_SERVER_ONLY("RETRY_SCID");
1388 goto malformed;
1389 }
1390
1391 if (got_retry_scid) {
1392 reason = TP_REASON_DUP("RETRY_SCID");
1393 goto malformed;
1394 }
1395
1396 if (!ch->doing_retry) {
1397 reason = TP_REASON_NOT_RETRY("RETRY_SCID");
1398 goto malformed;
1399 }
1400
1401 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1402 reason = TP_REASON_MALFORMED("RETRY_SCID");
1403 goto malformed;
1404 }
1405
1406 /* Must match Retry packet SCID. */
1407 if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid)) {
1408 reason = TP_REASON_EXPECTED_VALUE("RETRY_SCID");
1409 goto malformed;
1410 }
1411
1412 got_retry_scid = 1;
1413 break;
1414
1415 case QUIC_TPARAM_INITIAL_SCID:
1416 if (got_initial_scid) {
1417 /* must not appear more than once */
1418 reason = TP_REASON_DUP("INITIAL_SCID");
1419 goto malformed;
1420 }
1421
1422 if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
1423 reason = TP_REASON_MALFORMED("INITIAL_SCID");
1424 goto malformed;
1425 }
1426
1427 if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid)) {
1428 reason = TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
1429 goto malformed;
1430 }
1431
1432 got_initial_scid = 1;
1433 break;
1434
1435 case QUIC_TPARAM_INITIAL_MAX_DATA:
1436 if (got_initial_max_data) {
1437 /* must not appear more than once */
1438 reason = TP_REASON_DUP("INITIAL_MAX_DATA");
1439 goto malformed;
1440 }
1441
1442 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1443 reason = TP_REASON_MALFORMED("INITIAL_MAX_DATA");
1444 goto malformed;
1445 }
1446
1447 ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
1448 got_initial_max_data = 1;
1449 break;
1450
1451 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
1452 if (got_initial_max_stream_data_bidi_local) {
1453 /* must not appear more than once */
1454 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1455 goto malformed;
1456 }
1457
1458 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1459 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
1460 goto malformed;
1461 }
1462
1463 /*
1464 * This is correct; the BIDI_LOCAL TP governs streams created by
1465 * the endpoint which sends the TP, i.e., our peer.
1466 */
1467 ch->rx_init_max_stream_data_bidi_remote = v;
1468 got_initial_max_stream_data_bidi_local = 1;
1469 break;
1470
1471 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
1472 if (got_initial_max_stream_data_bidi_remote) {
1473 /* must not appear more than once */
1474 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1475 goto malformed;
1476 }
1477
1478 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1479 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
1480 goto malformed;
1481 }
1482
1483 /*
1484 * This is correct; the BIDI_REMOTE TP governs streams created
1485 * by the endpoint which receives the TP, i.e., us.
1486 */
1487 ch->rx_init_max_stream_data_bidi_local = v;
1488
1489 /* Apply to all existing streams. */
1490 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_bidi, &v);
1491 got_initial_max_stream_data_bidi_remote = 1;
1492 break;
1493
1494 case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
1495 if (got_initial_max_stream_data_uni) {
1496 /* must not appear more than once */
1497 reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
1498 goto malformed;
1499 }
1500
1501 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1502 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
1503 goto malformed;
1504 }
1505
1506 ch->rx_init_max_stream_data_uni = v;
1507
1508 /* Apply to all existing streams. */
1509 ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_uni, &v);
1510 got_initial_max_stream_data_uni = 1;
1511 break;
1512
1513 case QUIC_TPARAM_ACK_DELAY_EXP:
1514 if (got_ack_delay_exp) {
1515 /* must not appear more than once */
1516 reason = TP_REASON_DUP("ACK_DELAY_EXP");
1517 goto malformed;
1518 }
1519
1520 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1521 || v > QUIC_MAX_ACK_DELAY_EXP) {
1522 reason = TP_REASON_MALFORMED("ACK_DELAY_EXP");
1523 goto malformed;
1524 }
1525
1526 ch->rx_ack_delay_exp = (unsigned char)v;
1527 got_ack_delay_exp = 1;
1528 break;
1529
1530 case QUIC_TPARAM_MAX_ACK_DELAY:
1531 if (got_max_ack_delay) {
1532 /* must not appear more than once */
1533 reason = TP_REASON_DUP("MAX_ACK_DELAY");
1534 goto malformed;
1535 }
1536
1537 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1538 || v >= (((uint64_t)1) << 14)) {
1539 reason = TP_REASON_MALFORMED("MAX_ACK_DELAY");
1540 goto malformed;
1541 }
1542
1543 ch->rx_max_ack_delay = v;
1544 ossl_ackm_set_rx_max_ack_delay(ch->ackm,
1545 ossl_ms2time(ch->rx_max_ack_delay));
1546
1547 got_max_ack_delay = 1;
1548 break;
1549
1550 case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
1551 if (got_initial_max_streams_bidi) {
1552 /* must not appear more than once */
1553 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
1554 goto malformed;
1555 }
1556
1557 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1558 || v > (((uint64_t)1) << 60)) {
1559 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
1560 goto malformed;
1561 }
1562
1563 assert(ch->max_local_streams_bidi == 0);
1564 ch->max_local_streams_bidi = v;
1565 got_initial_max_streams_bidi = 1;
1566 break;
1567
1568 case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
1569 if (got_initial_max_streams_uni) {
1570 /* must not appear more than once */
1571 reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
1572 goto malformed;
1573 }
1574
1575 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1576 || v > (((uint64_t)1) << 60)) {
1577 reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
1578 goto malformed;
1579 }
1580
1581 assert(ch->max_local_streams_uni == 0);
1582 ch->max_local_streams_uni = v;
1583 got_initial_max_streams_uni = 1;
1584 break;
1585
1586 case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
1587 if (got_max_idle_timeout) {
1588 /* must not appear more than once */
1589 reason = TP_REASON_DUP("MAX_IDLE_TIMEOUT");
1590 goto malformed;
1591 }
1592
1593 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
1594 reason = TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
1595 goto malformed;
1596 }
1597
1598 ch->max_idle_timeout_remote_req = v;
1599
1600 ch->max_idle_timeout = min_u64_ignore_0(ch->max_idle_timeout_local_req,
1601 ch->max_idle_timeout_remote_req);
1602
1603 ch_update_idle(ch);
1604 got_max_idle_timeout = 1;
1605 rx_max_idle_timeout = v;
1606 break;
1607
1608 case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
1609 if (got_max_udp_payload_size) {
1610 /* must not appear more than once */
1611 reason = TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
1612 goto malformed;
1613 }
1614
1615 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1616 || v < QUIC_MIN_INITIAL_DGRAM_LEN) {
1617 reason = TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
1618 goto malformed;
1619 }
1620
1621 ch->rx_max_udp_payload_size = v;
1622 got_max_udp_payload_size = 1;
1623 break;
1624
1625 case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT:
1626 if (got_active_conn_id_limit) {
1627 /* must not appear more than once */
1628 reason = TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
1629 goto malformed;
1630 }
1631
1632 if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
1633 || v < QUIC_MIN_ACTIVE_CONN_ID_LIMIT) {
1634 reason = TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
1635 goto malformed;
1636 }
1637
1638 ch->rx_active_conn_id_limit = v;
1639 got_active_conn_id_limit = 1;
1640 break;
1641
1642 case QUIC_TPARAM_STATELESS_RESET_TOKEN:
1643 if (got_stateless_reset_token) {
1644 reason = TP_REASON_DUP("STATELESS_RESET_TOKEN");
1645 goto malformed;
1646 }
1647
1648 /*
1649 * RFC 9000 s. 18.2: This transport parameter MUST NOT be sent
1650 * by a client but MAY be sent by a server.
1651 */
1652 if (ch->is_server) {
1653 reason = TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
1654 goto malformed;
1655 }
1656
1657 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1658 if (body == NULL || len != QUIC_STATELESS_RESET_TOKEN_LEN) {
1659 reason = TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
1660 goto malformed;
1661 }
1662 if (!ossl_quic_srtm_add(ch->srtm, ch, ch->cur_remote_seq_num,
1663 (const QUIC_STATELESS_RESET_TOKEN *)body)) {
1664 reason = TP_REASON_INTERNAL_ERROR("STATELESS_RESET_TOKEN");
1665 goto malformed;
1666 }
1667
1668 stateless_reset_token_p = body;
1669 got_stateless_reset_token = 1;
1670 break;
1671
1672 case QUIC_TPARAM_PREFERRED_ADDR:
1673 /* TODO(QUIC FUTURE): Handle preferred address. */
1674 if (got_preferred_addr) {
1675 reason = TP_REASON_DUP("PREFERRED_ADDR");
1676 goto malformed;
1677 }
1678
1679 /*
1680 * RFC 9000 s. 18.2: "A server that chooses a zero-length
1681 * connection ID MUST NOT provide a preferred address.
1682 * Similarly, a server MUST NOT include a zero-length connection
1683 * ID in this transport parameter. A client MUST treat a
1684 * violation of these requirements as a connection error of type
1685 * TRANSPORT_PARAMETER_ERROR."
1686 */
1687 if (ch->is_server) {
1688 reason = TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
1689 goto malformed;
1690 }
1691
1692 if (ch->cur_remote_dcid.id_len == 0) {
1693 reason = "PREFERRED_ADDR provided for zero-length CID";
1694 goto malformed;
1695 }
1696
1697 if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt, &pfa)) {
1698 reason = TP_REASON_MALFORMED("PREFERRED_ADDR");
1699 goto malformed;
1700 }
1701
1702 if (pfa.cid.id_len == 0) {
1703 reason = "zero-length CID in PREFERRED_ADDR";
1704 goto malformed;
1705 }
1706
1707 got_preferred_addr = 1;
1708 break;
1709
1710 case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION:
1711 /* We do not currently handle migration, so nothing to do. */
1712 if (got_disable_active_migration) {
1713 /* must not appear more than once */
1714 reason = TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
1715 goto malformed;
1716 }
1717
1718 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
1719 if (body == NULL || len > 0) {
1720 reason = TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
1721 goto malformed;
1722 }
1723
1724 got_disable_active_migration = 1;
1725 break;
1726
1727 default:
1728 /*
1729 * Skip over and ignore.
1730 *
1731 * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
1732 * as a connection error, but we are not required to. Currently,
1733 * handle this programmatically by checking for duplicates in the
1734 * parameters that we recognise, as above, but don't bother
1735 * maintaining a list of duplicates for anything we don't recognise.
1736 */
1737 body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id,
1738 &len);
1739 if (body == NULL)
1740 goto malformed;
1741
1742 break;
1743 }
1744 }
1745
1746 if (!got_initial_scid) {
1747 reason = TP_REASON_REQUIRED("INITIAL_SCID");
1748 goto malformed;
1749 }
1750
1751 if (!ch->is_server) {
1752 if (!got_orig_dcid) {
1753 reason = TP_REASON_REQUIRED("ORIG_DCID");
1754 goto malformed;
1755 }
1756
1757 if (ch->doing_retry && !got_retry_scid) {
1758 reason = TP_REASON_REQUIRED("RETRY_SCID");
1759 goto malformed;
1760 }
1761 }
1762
1763 ch->got_remote_transport_params = 1;
1764
1765 #ifndef OPENSSL_NO_QLOG
1766 QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
1767 QLOG_STR("owner", "remote");
1768
1769 if (got_orig_dcid)
1770 QLOG_CID("original_destination_connection_id",
1771 &ch->init_dcid);
1772 if (got_initial_scid)
1773 QLOG_CID("original_source_connection_id",
1774 &ch->init_dcid);
1775 if (got_retry_scid)
1776 QLOG_CID("retry_source_connection_id",
1777 &ch->retry_scid);
1778 if (got_initial_max_data)
1779 QLOG_U64("initial_max_data",
1780 ossl_quic_txfc_get_cwm(&ch->conn_txfc));
1781 if (got_initial_max_stream_data_bidi_local)
1782 QLOG_U64("initial_max_stream_data_bidi_local",
1783 ch->rx_init_max_stream_data_bidi_local);
1784 if (got_initial_max_stream_data_bidi_remote)
1785 QLOG_U64("initial_max_stream_data_bidi_remote",
1786 ch->rx_init_max_stream_data_bidi_remote);
1787 if (got_initial_max_stream_data_uni)
1788 QLOG_U64("initial_max_stream_data_uni",
1789 ch->rx_init_max_stream_data_uni);
1790 if (got_initial_max_streams_bidi)
1791 QLOG_U64("initial_max_streams_bidi",
1792 ch->max_local_streams_bidi);
1793 if (got_initial_max_streams_uni)
1794 QLOG_U64("initial_max_streams_uni",
1795 ch->max_local_streams_uni);
1796 if (got_ack_delay_exp)
1797 QLOG_U64("ack_delay_exponent", ch->rx_ack_delay_exp);
1798 if (got_max_ack_delay)
1799 QLOG_U64("max_ack_delay", ch->rx_max_ack_delay);
1800 if (got_max_udp_payload_size)
1801 QLOG_U64("max_udp_payload_size", ch->rx_max_udp_payload_size);
1802 if (got_max_idle_timeout)
1803 QLOG_U64("max_idle_timeout", rx_max_idle_timeout);
1804 if (got_active_conn_id_limit)
1805 QLOG_U64("active_connection_id_limit", ch->rx_active_conn_id_limit);
1806 if (got_stateless_reset_token)
1807 QLOG_BIN("stateless_reset_token", stateless_reset_token_p,
1808 QUIC_STATELESS_RESET_TOKEN_LEN);
1809 if (got_preferred_addr) {
1810 QLOG_BEGIN("preferred_addr")
1811 QLOG_U64("port_v4", pfa.ipv4_port);
1812 QLOG_U64("port_v6", pfa.ipv6_port);
1813 QLOG_BIN("ip_v4", pfa.ipv4, sizeof(pfa.ipv4));
1814 QLOG_BIN("ip_v6", pfa.ipv6, sizeof(pfa.ipv6));
1815 QLOG_BIN("stateless_reset_token", pfa.stateless_reset.token,
1816 sizeof(pfa.stateless_reset.token));
1817 QLOG_CID("connection_id", &pfa.cid);
1818 QLOG_END()
1819 }
1820 QLOG_BOOL("disable_active_migration", got_disable_active_migration);
1821 QLOG_EVENT_END()
1822 #endif
1823
1824 if (got_initial_max_data || got_initial_max_stream_data_bidi_remote
1825 || got_initial_max_streams_bidi || got_initial_max_streams_uni)
1826 /*
1827 * If FC credit was bumped, we may now be able to send. Update all
1828 * streams.
1829 */
1830 ossl_quic_stream_map_visit(&ch->qsm, do_update, ch);
1831
1832 /* If we are a server, we now generate our own transport parameters. */
1833 if (ch->is_server && !ch_generate_transport_params(ch)) {
1834 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
1835 "internal error");
1836 return 0;
1837 }
1838
1839 return 1;
1840
1841 malformed:
1842 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
1843 0, reason);
1844 return 0;
1845 }
1846
1847 /*
1848 * Called when we want to generate transport parameters. This is called
1849 * immediately at instantiation time for a client and after we receive the
1850 * client's transport parameters for a server.
1851 */
ch_generate_transport_params(QUIC_CHANNEL * ch)1852 static int ch_generate_transport_params(QUIC_CHANNEL *ch)
1853 {
1854 int ok = 0;
1855 BUF_MEM *buf_mem = NULL;
1856 WPACKET wpkt;
1857 int wpkt_valid = 0;
1858 size_t buf_len = 0;
1859 QUIC_CONN_ID *id_to_use = NULL;
1860
1861 /*
1862 * We need to select which connection id to encode in the
1863 * QUIC_TPARAM_ORIG_DCID transport parameter
1864 * If we have an odcid, then this connection was established
1865 * in response to a retry request, and we need to use the connection
1866 * id sent in the first initial packet.
1867 * If we don't have an odcid, then this connection was established
1868 * without a retry and the init_dcid is the connection we should use
1869 */
1870 if (ch->odcid.id_len == 0)
1871 id_to_use = &ch->init_dcid;
1872 else
1873 id_to_use = &ch->odcid;
1874
1875 if (ch->local_transport_params != NULL || ch->got_local_transport_params)
1876 goto err;
1877
1878 if ((buf_mem = BUF_MEM_new()) == NULL)
1879 goto err;
1880
1881 if (!WPACKET_init(&wpkt, buf_mem))
1882 goto err;
1883
1884 wpkt_valid = 1;
1885
1886 if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION,
1887 NULL, 0)
1888 == NULL)
1889 goto err;
1890
1891 if (ch->is_server) {
1892 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_ORIG_DCID,
1893 id_to_use))
1894 goto err;
1895
1896 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1897 &ch->cur_local_cid))
1898 goto err;
1899 if (ch->odcid.id_len != 0)
1900 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt,
1901 QUIC_TPARAM_RETRY_SCID,
1902 &ch->init_dcid))
1903 goto err;
1904 } else {
1905 if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
1906 &ch->init_scid))
1907 goto err;
1908 }
1909
1910 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_IDLE_TIMEOUT,
1911 ch->max_idle_timeout_local_req))
1912 goto err;
1913
1914 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE,
1915 QUIC_MIN_INITIAL_DGRAM_LEN))
1916 goto err;
1917
1918 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT,
1919 QUIC_MIN_ACTIVE_CONN_ID_LIMIT))
1920 goto err;
1921
1922 if (ch->tx_max_ack_delay != QUIC_DEFAULT_MAX_ACK_DELAY
1923 && !ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_ACK_DELAY,
1924 ch->tx_max_ack_delay))
1925 goto err;
1926
1927 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_DATA,
1928 ossl_quic_rxfc_get_cwm(&ch->conn_rxfc)))
1929 goto err;
1930
1931 /* Send the default CWM for a new RXFC. */
1932 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
1933 ch->tx_init_max_stream_data_bidi_local))
1934 goto err;
1935
1936 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
1937 ch->tx_init_max_stream_data_bidi_remote))
1938 goto err;
1939
1940 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI,
1941 ch->tx_init_max_stream_data_uni))
1942 goto err;
1943
1944 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI,
1945 ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc)))
1946 goto err;
1947
1948 if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI,
1949 ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc)))
1950 goto err;
1951
1952 if (!WPACKET_finish(&wpkt))
1953 goto err;
1954
1955 wpkt_valid = 0;
1956
1957 if (!WPACKET_get_total_written(&wpkt, &buf_len))
1958 goto err;
1959
1960 ch->local_transport_params = (unsigned char *)buf_mem->data;
1961 buf_mem->data = NULL;
1962
1963 if (!ossl_quic_tls_set_transport_params(ch->qtls, ch->local_transport_params,
1964 buf_len))
1965 goto err;
1966
1967 #ifndef OPENSSL_NO_QLOG
1968 QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
1969 QLOG_STR("owner", "local");
1970 QLOG_BOOL("disable_active_migration", 1);
1971 if (ch->is_server) {
1972 QLOG_CID("original_destination_connection_id", &ch->init_dcid);
1973 QLOG_CID("initial_source_connection_id", &ch->cur_local_cid);
1974 } else {
1975 QLOG_STR("initial_source_connection_id", "");
1976 }
1977 QLOG_U64("max_idle_timeout", ch->max_idle_timeout);
1978 QLOG_U64("max_udp_payload_size", QUIC_MIN_INITIAL_DGRAM_LEN);
1979 QLOG_U64("active_connection_id_limit", QUIC_MIN_ACTIVE_CONN_ID_LIMIT);
1980 QLOG_U64("max_ack_delay", ch->tx_max_ack_delay);
1981 QLOG_U64("initial_max_data", ossl_quic_rxfc_get_cwm(&ch->conn_rxfc));
1982 QLOG_U64("initial_max_stream_data_bidi_local",
1983 ch->tx_init_max_stream_data_bidi_local);
1984 QLOG_U64("initial_max_stream_data_bidi_remote",
1985 ch->tx_init_max_stream_data_bidi_remote);
1986 QLOG_U64("initial_max_stream_data_uni",
1987 ch->tx_init_max_stream_data_uni);
1988 QLOG_U64("initial_max_streams_bidi",
1989 ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc));
1990 QLOG_U64("initial_max_streams_uni",
1991 ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc));
1992 QLOG_EVENT_END()
1993 #endif
1994
1995 ch->got_local_transport_params = 1;
1996
1997 ok = 1;
1998 err:
1999 if (wpkt_valid)
2000 WPACKET_cleanup(&wpkt);
2001 BUF_MEM_free(buf_mem);
2002 return ok;
2003 }
2004
2005 /*
2006 * QUIC Channel: Ticker-Mutator
2007 * ============================
2008 */
2009
2010 /*
2011 * The central ticker function called by the reactor. This does everything, or
2012 * at least everything network I/O related. Best effort - not allowed to fail
2013 * "loudly".
2014 */
ossl_quic_channel_subtick(QUIC_CHANNEL * ch,QUIC_TICK_RESULT * res,uint32_t flags)2015 void ossl_quic_channel_subtick(QUIC_CHANNEL *ch, QUIC_TICK_RESULT *res,
2016 uint32_t flags)
2017 {
2018 OSSL_TIME now, deadline;
2019 int channel_only = (flags & QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY) != 0;
2020 int notify_other_threads = 0;
2021
2022 /*
2023 * When we tick the QUIC connection, we do everything we need to do
2024 * periodically. Network I/O handling will already have been performed
2025 * as necessary by the QUIC port. Thus, in order, we:
2026 *
2027 * - handle any packets the DEMUX has queued up for us;
2028 * - handle any timer events which are due to fire (ACKM, etc.);
2029 * - generate any packets which need to be sent;
2030 * - determine the time at which we should next be ticked.
2031 */
2032
2033 /*
2034 * If the connection has not yet started, or we are in the TERMINATED state,
2035 * there is nothing to do.
2036 */
2037 if (ch->state == QUIC_CHANNEL_STATE_IDLE
2038 || ossl_quic_channel_is_terminated(ch)) {
2039 res->net_read_desired = 0;
2040 res->net_write_desired = 0;
2041 res->notify_other_threads = 0;
2042 res->tick_deadline = ossl_time_infinite();
2043 return;
2044 }
2045
2046 /*
2047 * If we are in the TERMINATING state, check if the terminating timer has
2048 * expired.
2049 */
2050 if (ossl_quic_channel_is_terminating(ch)) {
2051 now = get_time(ch);
2052
2053 if (ossl_time_compare(now, ch->terminate_deadline) >= 0) {
2054 ch_on_terminating_timeout(ch);
2055 res->net_read_desired = 0;
2056 res->net_write_desired = 0;
2057 res->notify_other_threads = 1;
2058 res->tick_deadline = ossl_time_infinite();
2059 return; /* abort normal processing, nothing to do */
2060 }
2061 }
2062
2063 if (!ch->port->engine->inhibit_tick) {
2064 /* Handle RXKU timeouts. */
2065 ch_rxku_tick(ch);
2066
2067 do {
2068 /* Process queued incoming packets. */
2069 ch->did_tls_tick = 0;
2070 ch->have_new_rx_secret = 0;
2071 ch_rx(ch, channel_only, ¬ify_other_threads);
2072
2073 /*
2074 * Allow the handshake layer to check for any new incoming data and
2075 * generate new outgoing data.
2076 */
2077 if (!ch->did_tls_tick)
2078 ch_tick_tls(ch, channel_only, ¬ify_other_threads);
2079
2080 /*
2081 * If the handshake layer gave us a new secret, we need to do RX
2082 * again because packets that were not previously processable and
2083 * were deferred might now be processable.
2084 *
2085 * TODO(QUIC FUTURE): Consider handling this in the yield_secret callback.
2086 */
2087 } while (ch->have_new_rx_secret);
2088 }
2089
2090 /*
2091 * Handle any timer events which are due to fire; namely, the loss
2092 * detection deadline and the idle timeout.
2093 *
2094 * ACKM ACK generation deadline is polled by TXP, so we don't need to
2095 * handle it here.
2096 */
2097 now = get_time(ch);
2098 if (ossl_time_compare(now, ch->idle_deadline) >= 0) {
2099 /*
2100 * Idle timeout differs from normal protocol violation because we do
2101 * not send a CONN_CLOSE frame; go straight to TERMINATED.
2102 */
2103 if (!ch->port->engine->inhibit_tick)
2104 ch_on_idle_timeout(ch);
2105
2106 res->net_read_desired = 0;
2107 res->net_write_desired = 0;
2108 res->notify_other_threads = 1;
2109 res->tick_deadline = ossl_time_infinite();
2110 return;
2111 }
2112
2113 if (!ch->port->engine->inhibit_tick) {
2114 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
2115 if (!ossl_time_is_zero(deadline)
2116 && ossl_time_compare(now, deadline) >= 0)
2117 ossl_ackm_on_timeout(ch->ackm);
2118
2119 /* If a ping is due, inform TXP. */
2120 if (ossl_time_compare(now, ch->ping_deadline) >= 0) {
2121 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
2122
2123 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
2124
2125 /*
2126 * If we have no CC budget at this time we cannot process the above
2127 * PING request immediately. In any case we have scheduled the
2128 * request so bump the ping deadline. If we don't do this we will
2129 * busy-loop endlessly as the above deadline comparison condition
2130 * will still be met.
2131 */
2132 ch_update_ping_deadline(ch);
2133 }
2134
2135 /* Queue any data to be sent for transmission. */
2136 ch_tx(ch, ¬ify_other_threads);
2137
2138 /* Do stream GC. */
2139 ossl_quic_stream_map_gc(&ch->qsm);
2140 }
2141
2142 /* Determine the time at which we should next be ticked. */
2143 res->tick_deadline = ch_determine_next_tick_deadline(ch);
2144
2145 /*
2146 * Always process network input unless we are now terminated. Although we
2147 * had not terminated at the beginning of this tick, network errors in
2148 * ch_tx() may have caused us to transition to the Terminated state.
2149 */
2150 res->net_read_desired = !ossl_quic_channel_is_terminated(ch);
2151
2152 /* We want to write to the network if we have any data in our TX queue. */
2153 res->net_write_desired
2154 = (!ossl_quic_channel_is_terminated(ch)
2155 && ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0);
2156
2157 res->notify_other_threads = notify_other_threads;
2158 }
2159
ch_tick_tls(QUIC_CHANNEL * ch,int channel_only,int * notify_other_threads)2160 static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads)
2161 {
2162 uint64_t error_code;
2163 const char *error_msg;
2164 ERR_STATE *error_state = NULL;
2165
2166 if (channel_only)
2167 return 1;
2168
2169 ch->did_tls_tick = 1;
2170 ossl_quic_tls_tick(ch->qtls);
2171
2172 if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg,
2173 &error_state)) {
2174 ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0,
2175 error_msg, error_state);
2176 if (notify_other_threads != NULL)
2177 *notify_other_threads = 1;
2178
2179 return 0;
2180 }
2181
2182 return 1;
2183 }
2184
2185 /* Check incoming forged packet limit and terminate connection if needed. */
ch_rx_check_forged_pkt_limit(QUIC_CHANNEL * ch)2186 static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch)
2187 {
2188 uint32_t enc_level;
2189 uint64_t limit = UINT64_MAX, l;
2190
2191 for (enc_level = QUIC_ENC_LEVEL_INITIAL;
2192 enc_level < QUIC_ENC_LEVEL_NUM;
2193 ++enc_level) {
2194 /*
2195 * Different ELs can have different AEADs which can in turn impose
2196 * different limits, so use the lowest value of any currently valid EL.
2197 */
2198 if ((ch->el_discarded & (1U << enc_level)) != 0)
2199 continue;
2200
2201 if (enc_level > ch->rx_enc_level)
2202 break;
2203
2204 l = ossl_qrx_get_max_forged_pkt_count(ch->qrx, enc_level);
2205 if (l < limit)
2206 limit = l;
2207 }
2208
2209 if (ossl_qrx_get_cur_forged_pkt_count(ch->qrx) < limit)
2210 return;
2211
2212 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_AEAD_LIMIT_REACHED, 0,
2213 "forgery limit");
2214 }
2215
2216 /* Process queued incoming packets and handle frames, if any. */
ch_rx(QUIC_CHANNEL * ch,int channel_only,int * notify_other_threads)2217 static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads)
2218 {
2219 int handled_any = 0;
2220 const int closing = ossl_quic_channel_is_closing(ch);
2221
2222 if (!ch->is_server && !ch->have_sent_any_pkt)
2223 /*
2224 * We have not sent anything yet, therefore there is no need to check
2225 * for incoming data.
2226 */
2227 return 1;
2228
2229 for (;;) {
2230 assert(ch->qrx_pkt == NULL);
2231
2232 if (!ossl_qrx_read_pkt(ch->qrx, &ch->qrx_pkt))
2233 break;
2234
2235 /* Track the amount of data received while in the closing state */
2236 if (closing)
2237 ossl_quic_tx_packetiser_record_received_closing_bytes(
2238 ch->txp, ch->qrx_pkt->hdr->len);
2239
2240 if (!handled_any) {
2241 ch_update_idle(ch);
2242 ch_update_ping_deadline(ch);
2243 }
2244
2245 ch_rx_handle_packet(ch, channel_only); /* best effort */
2246
2247 /*
2248 * Regardless of the outcome of frame handling, unref the packet.
2249 * This will free the packet unless something added another
2250 * reference to it during frame processing.
2251 */
2252 ossl_qrx_pkt_release(ch->qrx_pkt);
2253 ch->qrx_pkt = NULL;
2254
2255 ch->have_sent_ack_eliciting_since_rx = 0;
2256 handled_any = 1;
2257 }
2258
2259 ch_rx_check_forged_pkt_limit(ch);
2260
2261 if (handled_any && notify_other_threads != NULL)
2262 *notify_other_threads = 1;
2263
2264 /*
2265 * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
2266 * process one or more incoming packets.
2267 */
2268 if (handled_any && closing)
2269 ch->conn_close_queued = 1;
2270
2271 return 1;
2272 }
2273
bio_addr_eq(const BIO_ADDR * a,const BIO_ADDR * b)2274 static int bio_addr_eq(const BIO_ADDR *a, const BIO_ADDR *b)
2275 {
2276 if (BIO_ADDR_family(a) != BIO_ADDR_family(b))
2277 return 0;
2278
2279 switch (BIO_ADDR_family(a)) {
2280 case AF_INET:
2281 return !memcmp(&a->s_in.sin_addr,
2282 &b->s_in.sin_addr,
2283 sizeof(a->s_in.sin_addr))
2284 && a->s_in.sin_port == b->s_in.sin_port;
2285 #if OPENSSL_USE_IPV6
2286 case AF_INET6:
2287 return !memcmp(&a->s_in6.sin6_addr,
2288 &b->s_in6.sin6_addr,
2289 sizeof(a->s_in6.sin6_addr))
2290 && a->s_in6.sin6_port == b->s_in6.sin6_port;
2291 #endif
2292 default:
2293 return 0; /* not supported */
2294 }
2295
2296 return 1;
2297 }
2298
2299 /* Handles the packet currently in ch->qrx_pkt->hdr. */
ch_rx_handle_packet(QUIC_CHANNEL * ch,int channel_only)2300 static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only)
2301 {
2302 uint32_t enc_level;
2303 int old_have_processed_any_pkt = ch->have_processed_any_pkt;
2304 OSSL_QTX_IOVEC iovec;
2305 PACKET vpkt;
2306 unsigned long supported_ver;
2307
2308 assert(ch->qrx_pkt != NULL);
2309
2310 /*
2311 * RFC 9000 s. 10.2.1 Closing Connection State:
2312 * An endpoint that is closing is not required to process any
2313 * received frame.
2314 */
2315 if (!ossl_quic_channel_is_active(ch))
2316 return;
2317
2318 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)) {
2319 if (!ch->have_received_enc_pkt) {
2320 ch->cur_remote_dcid = ch->init_scid = ch->qrx_pkt->hdr->src_conn_id;
2321 ch->have_received_enc_pkt = 1;
2322
2323 /*
2324 * We change to using the SCID in the first Initial packet as the
2325 * DCID.
2326 */
2327 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->init_scid);
2328 }
2329
2330 enc_level = ossl_quic_pkt_type_to_enc_level(ch->qrx_pkt->hdr->type);
2331 if ((ch->el_discarded & (1U << enc_level)) != 0)
2332 /* Do not process packets from ELs we have already discarded. */
2333 return;
2334 }
2335
2336 /*
2337 * RFC 9000 s. 9.6: "If a client receives packets from a new server address
2338 * when the client has not initiated a migration to that address, the client
2339 * SHOULD discard these packets."
2340 *
2341 * We need to be a bit careful here as due to the BIO abstraction layer an
2342 * application is liable to be weird and lie to us about peer addresses.
2343 * Only apply this check if we actually are using a real AF_INET or AF_INET6
2344 * address.
2345 */
2346 if (!ch->is_server
2347 && ch->qrx_pkt->peer != NULL
2348 && (BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET
2349 #if OPENSSL_USE_IPV6
2350 || BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET6
2351 #endif
2352 )
2353 && !bio_addr_eq(ch->qrx_pkt->peer, &ch->cur_peer_addr))
2354 return;
2355
2356 if (!ch->is_server
2357 && ch->have_received_enc_pkt
2358 && ossl_quic_pkt_type_has_scid(ch->qrx_pkt->hdr->type)) {
2359 /*
2360 * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
2361 * from the server, it MUST discard any subsequent packet it receives on
2362 * that connection with a different SCID."
2363 */
2364 if (!ossl_quic_conn_id_eq(&ch->qrx_pkt->hdr->src_conn_id,
2365 &ch->init_scid))
2366 return;
2367 }
2368
2369 if (ossl_quic_pkt_type_has_version(ch->qrx_pkt->hdr->type)
2370 && ch->qrx_pkt->hdr->version != QUIC_VERSION_1)
2371 /*
2372 * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
2373 * different version than it initially selected, it MUST discard the
2374 * packet. We only ever use v1, so require it.
2375 */
2376 return;
2377
2378 if (ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) {
2379
2380 /*
2381 * Sanity check. Version negotiation packet MUST have a version
2382 * value of 0 according to the RFC. We must discard such packets
2383 */
2384 if (ch->qrx_pkt->hdr->version != 0)
2385 return;
2386
2387 /*
2388 * RFC 9000 s. 6.2: If a client receives a version negotiation
2389 * packet, we need to do the following:
2390 * a) If the negotiation packet lists the version we initially sent
2391 * then we must abandon this connection attempt
2392 * b) We have to select a version from the list provided in the
2393 * version negotiation packet, and retry the connection attempt
2394 * in much the same way that ch_retry does, but we can reuse the
2395 * connection id values
2396 */
2397
2398 if (old_have_processed_any_pkt == 1) {
2399 /*
2400 * We've gotten previous packets, need to discard this.
2401 */
2402 return;
2403 }
2404
2405 /*
2406 * Indicate that we have processed a packet, as any subsequently
2407 * received version negotiation packet must be discarded above
2408 */
2409 ch->have_processed_any_pkt = 1;
2410
2411 /*
2412 * Following the header, version negotiation packets
2413 * contain an array of 32 bit integers representing
2414 * the supported versions that the server honors
2415 * this array, bounded by the hdr->len field
2416 * needs to be traversed so that we can find a matching
2417 * version
2418 */
2419 if (!PACKET_buf_init(&vpkt, ch->qrx_pkt->hdr->data,
2420 ch->qrx_pkt->hdr->len))
2421 return;
2422
2423 while (PACKET_remaining(&vpkt) > 0) {
2424 /*
2425 * We only support quic version 1 at the moment, so
2426 * look to see if that's offered
2427 */
2428 if (!PACKET_get_net_4(&vpkt, &supported_ver))
2429 return;
2430
2431 if (supported_ver == QUIC_VERSION_1) {
2432 /*
2433 * If the server supports version 1, set it as
2434 * the packetisers version
2435 */
2436 ossl_quic_tx_packetiser_set_protocol_version(ch->txp, QUIC_VERSION_1);
2437
2438 /*
2439 * And then request a restart of the QUIC connection
2440 */
2441 if (!ch_restart(ch))
2442 ossl_quic_channel_raise_protocol_error(ch,
2443 OSSL_QUIC_ERR_INTERNAL_ERROR,
2444 0, "handling ver negotiation packet");
2445 return;
2446 }
2447 }
2448
2449 /*
2450 * If we get here, then the server doesn't support a version of the
2451 * protocol that we can handle, abandon the connection
2452 */
2453 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_CONNECTION_REFUSED,
2454 0, "unsupported protocol version");
2455 return;
2456 }
2457
2458 ch->have_processed_any_pkt = 1;
2459
2460 /*
2461 * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
2462 * non-zero value for [the reserved bits] after removing both packet and
2463 * header protection as a connection error of type PROTOCOL_VIOLATION."
2464 */
2465 if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)
2466 && ch->qrx_pkt->hdr->reserved != 0) {
2467 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
2468 0, "packet header reserved bits");
2469 return;
2470 }
2471
2472 iovec.buf = ch->qrx_pkt->hdr->data;
2473 iovec.buf_len = ch->qrx_pkt->hdr->len;
2474 ossl_qlog_event_transport_packet_received(ch_get_qlog(ch), ch->qrx_pkt->hdr,
2475 ch->qrx_pkt->pn, &iovec, 1,
2476 ch->qrx_pkt->datagram_id);
2477
2478 /* Handle incoming packet. */
2479 switch (ch->qrx_pkt->hdr->type) {
2480 case QUIC_PKT_TYPE_RETRY:
2481 if (ch->doing_retry || ch->is_server)
2482 /*
2483 * It is not allowed to ask a client to do a retry more than
2484 * once. Clients may not send retries.
2485 */
2486 return;
2487
2488 /*
2489 * RFC 9000 s 17.2.5.2: After the client has received and processed an
2490 * Initial or Retry packet from the server, it MUST discard any
2491 * subsequent Retry packets that it receives.
2492 */
2493 if (ch->have_received_enc_pkt)
2494 return;
2495
2496 if (ch->qrx_pkt->hdr->len <= QUIC_RETRY_INTEGRITY_TAG_LEN)
2497 /* Packets with zero-length Retry Tokens are invalid. */
2498 return;
2499
2500 /*
2501 * TODO(QUIC FUTURE): Theoretically this should probably be in the QRX.
2502 * However because validation is dependent on context (namely the
2503 * client's initial DCID) we can't do this cleanly. In the future we
2504 * should probably add a callback to the QRX to let it call us (via
2505 * the DEMUX) and ask us about the correct original DCID, rather
2506 * than allow the QRX to emit a potentially malformed packet to the
2507 * upper layers. However, special casing this will do for now.
2508 */
2509 if (!ossl_quic_validate_retry_integrity_tag(ch->port->engine->libctx,
2510 ch->port->engine->propq,
2511 ch->qrx_pkt->hdr,
2512 &ch->init_dcid))
2513 /* Malformed retry packet, ignore. */
2514 return;
2515
2516 if (!ch_retry(ch, ch->qrx_pkt->hdr->data,
2517 ch->qrx_pkt->hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN,
2518 &ch->qrx_pkt->hdr->src_conn_id, old_have_processed_any_pkt))
2519 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR,
2520 0, "handling retry packet");
2521 break;
2522
2523 case QUIC_PKT_TYPE_0RTT:
2524 if (!ch->is_server)
2525 /* Clients should never receive 0-RTT packets. */
2526 return;
2527
2528 /*
2529 * TODO(QUIC 0RTT): Implement 0-RTT on the server side. We currently
2530 * do not need to implement this as a client can only do 0-RTT if we
2531 * have given it permission to in a previous session.
2532 */
2533 break;
2534
2535 case QUIC_PKT_TYPE_INITIAL:
2536 case QUIC_PKT_TYPE_HANDSHAKE:
2537 case QUIC_PKT_TYPE_1RTT:
2538 if (ch->is_server && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_HANDSHAKE)
2539 /*
2540 * We automatically drop INITIAL EL keys when first successfully
2541 * decrypting a HANDSHAKE packet, as per the RFC.
2542 */
2543 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
2544
2545 if (ch->rxku_in_progress
2546 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_1RTT
2547 && ch->qrx_pkt->pn >= ch->rxku_trigger_pn
2548 && ch->qrx_pkt->key_epoch < ossl_qrx_get_key_epoch(ch->qrx)) {
2549 /*
2550 * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
2551 * protected with either the same or newer packet protection keys
2552 * than packets with lower packet numbers. An endpoint that
2553 * successfully removes protection with old keys when newer keys
2554 * were used for packets with lower packet numbers MUST treat this
2555 * as a connection error of type KEY_UPDATE_ERROR.
2556 */
2557 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
2558 0, "new packet with old keys");
2559 break;
2560 }
2561
2562 if (!ch->is_server
2563 && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_INITIAL
2564 && ch->qrx_pkt->hdr->token_len > 0) {
2565 /*
2566 * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
2567 * non-zero Token Length field MUST either discard the packet or
2568 * generate a connection error of type PROTOCOL_VIOLATION.
2569 *
2570 * TODO(QUIC FUTURE): consider the implications of RFC 9000 s. 10.2.3
2571 * Immediate Close during the Handshake:
2572 * However, at the cost of reducing feedback about
2573 * errors for legitimate peers, some forms of denial of
2574 * service can be made more difficult for an attacker
2575 * if endpoints discard illegal packets rather than
2576 * terminating a connection with CONNECTION_CLOSE. For
2577 * this reason, endpoints MAY discard packets rather
2578 * than immediately close if errors are detected in
2579 * packets that lack authentication.
2580 * I.e. should we drop this packet instead of closing the connection?
2581 */
2582 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
2583 0, "client received initial token");
2584 break;
2585 }
2586
2587 /* This packet contains frames, pass to the RXDP. */
2588 ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */
2589
2590 if (ch->did_crypto_frame)
2591 ch_tick_tls(ch, channel_only, NULL);
2592
2593 break;
2594
2595 default:
2596 assert(0);
2597 break;
2598 }
2599 }
2600
2601 /* Try to generate packets and if possible, flush them to the network. */
ch_tx(QUIC_CHANNEL * ch,int * notify_other_threads)2602 static int ch_tx(QUIC_CHANNEL *ch, int *notify_other_threads)
2603 {
2604 QUIC_TXP_STATUS status;
2605 int res;
2606
2607 /*
2608 * RFC 9000 s. 10.2.2: Draining Connection State:
2609 * While otherwise identical to the closing state, an endpoint
2610 * in the draining state MUST NOT send any packets.
2611 * and:
2612 * An endpoint MUST NOT send further packets.
2613 */
2614 if (ossl_quic_channel_is_draining(ch))
2615 return 0;
2616
2617 if (ossl_quic_channel_is_closing(ch)) {
2618 /*
2619 * While closing, only send CONN_CLOSE if we've received more traffic
2620 * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
2621 * future calls to it generate CONN_CLOSE frames, so otherwise we would
2622 * just constantly generate CONN_CLOSE frames.
2623 *
2624 * Confirming to RFC 9000 s. 10.2.1 Closing Connection State:
2625 * An endpoint SHOULD limit the rate at which it generates
2626 * packets in the closing state.
2627 */
2628 if (!ch->conn_close_queued)
2629 return 0;
2630
2631 ch->conn_close_queued = 0;
2632 }
2633
2634 /* Do TXKU if we need to. */
2635 ch_maybe_trigger_spontaneous_txku(ch);
2636
2637 ch->rxku_pending_confirm_done = 0;
2638
2639 /* Loop until we stop generating packets to send */
2640 do {
2641 /*
2642 * Send packet, if we need to. Best effort. The TXP consults the CC and
2643 * applies any limitations imposed by it, so we don't need to do it here.
2644 *
2645 * Best effort. In particular if TXP fails for some reason we should
2646 * still flush any queued packets which we already generated.
2647 */
2648 res = ossl_quic_tx_packetiser_generate(ch->txp, &status);
2649 if (status.sent_pkt > 0) {
2650 ch->have_sent_any_pkt = 1; /* Packet(s) were sent */
2651 ch->port->have_sent_any_pkt = 1;
2652
2653 /*
2654 * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
2655 * sending an ack-eliciting packet if no other ack-eliciting packets
2656 * have been sent since last receiving and processing a packet.'
2657 */
2658 if (status.sent_ack_eliciting
2659 && !ch->have_sent_ack_eliciting_since_rx) {
2660 ch_update_idle(ch);
2661 ch->have_sent_ack_eliciting_since_rx = 1;
2662 }
2663
2664 if (!ch->is_server && status.sent_handshake)
2665 /*
2666 * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
2667 * first sends a Handshake packet.
2668 */
2669 ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);
2670
2671 if (ch->rxku_pending_confirm_done)
2672 ch->rxku_pending_confirm = 0;
2673
2674 ch_update_ping_deadline(ch);
2675 }
2676
2677 if (!res) {
2678 /*
2679 * One case where TXP can fail is if we reach a TX PN of 2**62 - 1.
2680 * As per RFC 9000 s. 12.3, if this happens we MUST close the
2681 * connection without sending a CONNECTION_CLOSE frame. This is
2682 * actually handled as an emergent consequence of our design, as the
2683 * TX packetiser will never transmit another packet when the TX PN
2684 * reaches the limit.
2685 *
2686 * Calling the below function terminates the connection; its attempt
2687 * to schedule a CONNECTION_CLOSE frame will not actually cause a
2688 * packet to be transmitted for this reason.
2689 */
2690 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR,
2691 0,
2692 "internal error (txp generate)");
2693 break;
2694 }
2695 } while (status.sent_pkt > 0);
2696
2697 /* Flush packets to network. */
2698 switch (ossl_qtx_flush_net(ch->qtx)) {
2699 case QTX_FLUSH_NET_RES_OK:
2700 case QTX_FLUSH_NET_RES_TRANSIENT_FAIL:
2701 /* Best effort, done for now. */
2702 break;
2703
2704 case QTX_FLUSH_NET_RES_PERMANENT_FAIL:
2705 default:
2706 /* Permanent underlying network BIO, start terminating. */
2707 ossl_quic_port_raise_net_error(ch->port, ch);
2708 break;
2709 }
2710
2711 /*
2712 * If we have datagrams we have yet to successfully transmit, we need to
2713 * notify other threads so that they can switch to polling on POLLOUT as
2714 * well as POLLIN.
2715 */
2716 if (ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0)
2717 *notify_other_threads = 1;
2718
2719 return 1;
2720 }
2721
2722 /* Determine next tick deadline. */
ch_determine_next_tick_deadline(QUIC_CHANNEL * ch)2723 static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch)
2724 {
2725 OSSL_TIME deadline;
2726 int i;
2727
2728 if (ossl_quic_channel_is_terminated(ch))
2729 return ossl_time_infinite();
2730
2731 deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
2732 if (ossl_time_is_zero(deadline))
2733 deadline = ossl_time_infinite();
2734
2735 /*
2736 * Check the ack deadline for all enc_levels that are actually provisioned.
2737 * ACKs aren't restricted by CC.
2738 */
2739 for (i = 0; i < QUIC_ENC_LEVEL_NUM; i++) {
2740 if (ossl_qtx_is_enc_level_provisioned(ch->qtx, i)) {
2741 deadline = ossl_time_min(deadline,
2742 ossl_ackm_get_ack_deadline(ch->ackm,
2743 ossl_quic_enc_level_to_pn_space(i)));
2744 }
2745 }
2746
2747 /*
2748 * When do we need to send an ACK-eliciting packet to reset the idle
2749 * deadline timer for the peer?
2750 */
2751 if (!ossl_time_is_infinite(ch->ping_deadline))
2752 deadline = ossl_time_min(deadline, ch->ping_deadline);
2753
2754 /* Apply TXP wakeup deadline. */
2755 deadline = ossl_time_min(deadline,
2756 ossl_quic_tx_packetiser_get_deadline(ch->txp));
2757
2758 /* Is the terminating timer armed? */
2759 if (ossl_quic_channel_is_terminating(ch))
2760 deadline = ossl_time_min(deadline,
2761 ch->terminate_deadline);
2762 else if (!ossl_time_is_infinite(ch->idle_deadline))
2763 deadline = ossl_time_min(deadline,
2764 ch->idle_deadline);
2765
2766 /* When does the RXKU process complete? */
2767 if (ch->rxku_in_progress)
2768 deadline = ossl_time_min(deadline, ch->rxku_update_end_deadline);
2769
2770 return deadline;
2771 }
2772
2773 /*
2774 * QUIC Channel: Lifecycle Events
2775 * ==============================
2776 */
2777
2778 /*
2779 * Record a state transition. This is not necessarily a change to ch->state but
2780 * also includes the handshake becoming complete or confirmed, etc.
2781 */
ch_record_state_transition(QUIC_CHANNEL * ch,uint32_t new_state)2782 static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state)
2783 {
2784 uint32_t old_state = ch->state;
2785
2786 ch->state = new_state;
2787
2788 ossl_qlog_event_connectivity_connection_state_updated(ch_get_qlog(ch),
2789 old_state,
2790 new_state,
2791 ch->handshake_complete,
2792 ch->handshake_confirmed);
2793 }
2794
free_peer_token(const unsigned char * token,size_t token_len,void * arg)2795 static void free_peer_token(const unsigned char *token,
2796 size_t token_len, void *arg)
2797 {
2798 ossl_quic_free_peer_token((QUIC_TOKEN *)arg);
2799 }
2800
ossl_quic_channel_start(QUIC_CHANNEL * ch)2801 int ossl_quic_channel_start(QUIC_CHANNEL *ch)
2802 {
2803 QUIC_TOKEN *token;
2804
2805 if (ch->is_server)
2806 /*
2807 * This is not used by the server. The server moves to active
2808 * automatically on receiving an incoming connection.
2809 */
2810 return 0;
2811
2812 if (ch->state != QUIC_CHANNEL_STATE_IDLE)
2813 /* Calls to connect are idempotent */
2814 return 1;
2815
2816 /* Inform QTX of peer address. */
2817 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
2818 return 0;
2819
2820 /*
2821 * Look to see if we have a token, and if so, set it on the packetiser
2822 */
2823 if (!ch->is_server
2824 && ossl_quic_get_peer_token(ch->port->channel_ctx,
2825 &ch->cur_peer_addr,
2826 &token)
2827 && !ossl_quic_tx_packetiser_set_initial_token(ch->txp, token->token,
2828 token->token_len,
2829 free_peer_token,
2830 token))
2831 free_peer_token(NULL, 0, token);
2832
2833 /* Plug in secrets for the Initial EL. */
2834 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
2835 ch->port->engine->propq,
2836 &ch->init_dcid,
2837 ch->is_server,
2838 ch->qrx, ch->qtx))
2839 return 0;
2840
2841 /*
2842 * Determine the QUIC Transport Parameters and serialize the transport
2843 * parameters block. (For servers, we do this later as we must defer
2844 * generation until we have received the client's transport parameters.)
2845 */
2846 if (!ch->is_server && !ch->got_local_transport_params
2847 && !ch_generate_transport_params(ch))
2848 return 0;
2849
2850 /* Change state. */
2851 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
2852 ch->doing_proactive_ver_neg = 0; /* not currently supported */
2853
2854 ossl_qlog_event_connectivity_connection_started(ch_get_qlog(ch),
2855 &ch->init_dcid);
2856
2857 /* Handshake layer: start (e.g. send CH). */
2858 if (!ch_tick_tls(ch, /*channel_only=*/0, NULL))
2859 return 0;
2860
2861 ossl_quic_reactor_tick(ossl_quic_port_get0_reactor(ch->port), 0); /* best effort */
2862 return 1;
2863 }
2864
free_token(const unsigned char * token,size_t token_len,void * arg)2865 static void free_token(const unsigned char *token, size_t token_len, void *arg)
2866 {
2867 OPENSSL_free((char *)token);
2868 }
2869
2870 /* Start a locally initiated connection shutdown. */
ossl_quic_channel_local_close(QUIC_CHANNEL * ch,uint64_t app_error_code,const char * app_reason)2871 void ossl_quic_channel_local_close(QUIC_CHANNEL *ch, uint64_t app_error_code,
2872 const char *app_reason)
2873 {
2874 QUIC_TERMINATE_CAUSE tcause = { 0 };
2875
2876 if (ossl_quic_channel_is_term_any(ch))
2877 return;
2878
2879 tcause.app = 1;
2880 tcause.error_code = app_error_code;
2881 tcause.reason = app_reason;
2882 tcause.reason_len = app_reason != NULL ? strlen(app_reason) : 0;
2883 ch_start_terminating(ch, &tcause, 0);
2884 }
2885
2886 /**
2887 * ch_restart - Restarts the QUIC channel by simulating loss of the initial
2888 * packet. This forces the packet to be regenerated with the updated protocol
2889 * version number.
2890 *
2891 * @ch: Pointer to the QUIC_CHANNEL structure.
2892 *
2893 * Returns 1 on success, 0 on failure.
2894 */
ch_restart(QUIC_CHANNEL * ch)2895 static int ch_restart(QUIC_CHANNEL *ch)
2896 {
2897 /*
2898 * Just pretend we lost our initial packet, so it gets
2899 * regenerated, with our updated protocol version number
2900 */
2901 return ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
2902 /* PN= */ 0);
2903 }
2904
2905 /* Called when a server asks us to do a retry. */
ch_retry(QUIC_CHANNEL * ch,const unsigned char * retry_token,size_t retry_token_len,const QUIC_CONN_ID * retry_scid,int drop_later_pn)2906 static int ch_retry(QUIC_CHANNEL *ch,
2907 const unsigned char *retry_token,
2908 size_t retry_token_len,
2909 const QUIC_CONN_ID *retry_scid,
2910 int drop_later_pn)
2911 {
2912 void *buf;
2913 QUIC_PN pn = 0;
2914
2915 /*
2916 * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
2917 * a SCID field that is identical to the DCID field of its initial packet."
2918 */
2919 if (ossl_quic_conn_id_eq(&ch->init_dcid, retry_scid))
2920 return 1;
2921
2922 /* We change to using the SCID in the Retry packet as the DCID. */
2923 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, retry_scid))
2924 return 0;
2925
2926 /*
2927 * Now we retry. We will release the Retry packet immediately, so copy
2928 * the token.
2929 */
2930 if ((buf = OPENSSL_memdup(retry_token, retry_token_len)) == NULL)
2931 return 0;
2932
2933 if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, buf,
2934 retry_token_len,
2935 free_token, NULL)) {
2936 /*
2937 * This may fail if the token we receive is too big for us to ever be
2938 * able to transmit in an outgoing Initial packet.
2939 */
2940 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INVALID_TOKEN, 0,
2941 "received oversize token");
2942 OPENSSL_free(buf);
2943 return 0;
2944 }
2945
2946 ch->retry_scid = *retry_scid;
2947 ch->doing_retry = 1;
2948
2949 /*
2950 * If a retry isn't our first response, we need to drop packet number
2951 * one instead (i.e. the case where we did version negotiation first
2952 */
2953 if (drop_later_pn == 1)
2954 pn = 1;
2955
2956 /*
2957 * We need to stimulate the Initial EL to generate the first CRYPTO frame
2958 * again. We can do this most cleanly by simply forcing the ACKM to consider
2959 * the first Initial packet as lost, which it effectively was as the server
2960 * hasn't processed it. This also maintains the desired behaviour with e.g.
2961 * PNs not resetting and so on.
2962 *
2963 * The PN we used initially is always zero, because QUIC does not allow
2964 * repeated retries.
2965 */
2966 if (!ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
2967 pn))
2968 return 0;
2969
2970 /*
2971 * Plug in new secrets for the Initial EL. This is the only time we change
2972 * the secrets for an EL after we already provisioned it.
2973 */
2974 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
2975 ch->port->engine->propq,
2976 &ch->retry_scid,
2977 /*is_server=*/0,
2978 ch->qrx, ch->qtx))
2979 return 0;
2980
2981 return 1;
2982 }
2983
2984 /* Called when an EL is to be discarded. */
ch_discard_el(QUIC_CHANNEL * ch,uint32_t enc_level)2985 static int ch_discard_el(QUIC_CHANNEL *ch,
2986 uint32_t enc_level)
2987 {
2988 if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_1RTT))
2989 return 0;
2990
2991 if ((ch->el_discarded & (1U << enc_level)) != 0)
2992 /* Already done. */
2993 return 1;
2994
2995 /* Best effort for all of these. */
2996 ossl_quic_tx_packetiser_discard_enc_level(ch->txp, enc_level);
2997 ossl_qrx_discard_enc_level(ch->qrx, enc_level);
2998 ossl_qtx_discard_enc_level(ch->qtx, enc_level);
2999
3000 if (enc_level != QUIC_ENC_LEVEL_0RTT) {
3001 uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
3002
3003 ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
3004
3005 /* We should still have crypto streams at this point. */
3006 if (!ossl_assert(ch->crypto_send[pn_space] != NULL)
3007 || !ossl_assert(ch->crypto_recv[pn_space] != NULL))
3008 return 0;
3009
3010 /* Get rid of the crypto stream state for the EL. */
3011 ossl_quic_sstream_free(ch->crypto_send[pn_space]);
3012 ch->crypto_send[pn_space] = NULL;
3013
3014 ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
3015 ch->crypto_recv[pn_space] = NULL;
3016 }
3017
3018 ch->el_discarded |= (1U << enc_level);
3019 return 1;
3020 }
3021
3022 /* Intended to be called by the RXDP. */
ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL * ch)3023 int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch)
3024 {
3025 if (ch->handshake_confirmed)
3026 return 1;
3027
3028 if (!ch->handshake_complete) {
3029 /*
3030 * Does not make sense for handshake to be confirmed before it is
3031 * completed.
3032 */
3033 ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
3034 OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE,
3035 "handshake cannot be confirmed "
3036 "before it is completed");
3037 return 0;
3038 }
3039
3040 ch_discard_el(ch, QUIC_ENC_LEVEL_HANDSHAKE);
3041 ch->handshake_confirmed = 1;
3042 ch_record_state_transition(ch, ch->state);
3043 ossl_ackm_on_handshake_confirmed(ch->ackm);
3044 return 1;
3045 }
3046
3047 /*
3048 * Master function used when we want to start tearing down a connection:
3049 *
3050 * - If the connection is still IDLE we can go straight to TERMINATED;
3051 *
3052 * - If we are already TERMINATED this is a no-op.
3053 *
3054 * - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
3055 * from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
3056 *
3057 * - If we are TERMINATING - DRAINING, we remain here until the terminating
3058 * timer expires.
3059 *
3060 * - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
3061 * if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
3062 * that we are considered to have caused a termination if we sent the first
3063 * CONNECTION_CLOSE frame, even if it is caused by a peer protocol
3064 * violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
3065 * TERMINATING - DRAINING.
3066 *
3067 * We record the termination cause structure passed on the first call only.
3068 * Any successive calls have their termination cause data discarded;
3069 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
3070 * in it.
3071 *
3072 * This conforms to RFC 9000 s. 10.2.1: Closing Connection State:
3073 * To minimize the state that an endpoint maintains for a closing
3074 * connection, endpoints MAY send the exact same packet in response
3075 * to any received packet.
3076 *
3077 * We don't drop any connection state (specifically packet protection keys)
3078 * even though we are permitted to. This conforms to RFC 9000 s. 10.2.1:
3079 * Closing Connection State:
3080 * An endpoint MAY retain packet protection keys for incoming
3081 * packets to allow it to read and process a CONNECTION_CLOSE frame.
3082 *
3083 * Note that we do not conform to these two from the same section:
3084 * An endpoint's selected connection ID and the QUIC version
3085 * are sufficient information to identify packets for a closing
3086 * connection; the endpoint MAY discard all other connection state.
3087 * and:
3088 * An endpoint MAY drop packet protection keys when entering the
3089 * closing state and send a packet containing a CONNECTION_CLOSE
3090 * frame in response to any UDP datagram that is received.
3091 */
copy_tcause(QUIC_TERMINATE_CAUSE * dst,const QUIC_TERMINATE_CAUSE * src)3092 static void copy_tcause(QUIC_TERMINATE_CAUSE *dst,
3093 const QUIC_TERMINATE_CAUSE *src)
3094 {
3095 dst->error_code = src->error_code;
3096 dst->frame_type = src->frame_type;
3097 dst->app = src->app;
3098 dst->remote = src->remote;
3099
3100 dst->reason = NULL;
3101 dst->reason_len = 0;
3102
3103 if (src->reason != NULL && src->reason_len > 0) {
3104 size_t l = src->reason_len;
3105 char *r;
3106
3107 if (l >= SIZE_MAX)
3108 --l;
3109
3110 /*
3111 * If this fails, dst->reason becomes NULL and we simply do not use a
3112 * reason. This ensures termination is infallible.
3113 */
3114 dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
3115 if (r == NULL)
3116 return;
3117
3118 r[l] = '\0';
3119 dst->reason_len = l;
3120 }
3121 }
3122
ch_start_terminating(QUIC_CHANNEL * ch,const QUIC_TERMINATE_CAUSE * tcause,int force_immediate)3123 static void ch_start_terminating(QUIC_CHANNEL *ch,
3124 const QUIC_TERMINATE_CAUSE *tcause,
3125 int force_immediate)
3126 {
3127 /* No point sending anything if we haven't sent anything yet. */
3128 if (!ch->have_sent_any_pkt)
3129 force_immediate = 1;
3130
3131 switch (ch->state) {
3132 default:
3133 case QUIC_CHANNEL_STATE_IDLE:
3134 copy_tcause(&ch->terminate_cause, tcause);
3135 ch_on_terminating_timeout(ch);
3136 break;
3137
3138 case QUIC_CHANNEL_STATE_ACTIVE:
3139 copy_tcause(&ch->terminate_cause, tcause);
3140
3141 ossl_qlog_event_connectivity_connection_closed(ch_get_qlog(ch), tcause);
3142
3143 if (!force_immediate) {
3144 ch_record_state_transition(ch, tcause->remote ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING : QUIC_CHANNEL_STATE_TERMINATING_CLOSING);
3145 /*
3146 * RFC 9000 s. 10.2 Immediate Close
3147 * These states SHOULD persist for at least three times
3148 * the current PTO interval as defined in [QUIC-RECOVERY].
3149 */
3150 ch->terminate_deadline
3151 = ossl_time_add(get_time(ch),
3152 ossl_time_multiply(ossl_ackm_get_pto_duration(ch->ackm),
3153 3));
3154
3155 if (!tcause->remote) {
3156 OSSL_QUIC_FRAME_CONN_CLOSE f = { 0 };
3157
3158 /* best effort */
3159 f.error_code = ch->terminate_cause.error_code;
3160 f.frame_type = ch->terminate_cause.frame_type;
3161 f.is_app = ch->terminate_cause.app;
3162 f.reason = (char *)ch->terminate_cause.reason;
3163 f.reason_len = ch->terminate_cause.reason_len;
3164 ossl_quic_tx_packetiser_schedule_conn_close(ch->txp, &f);
3165 /*
3166 * RFC 9000 s. 10.2.2 Draining Connection State:
3167 * An endpoint that receives a CONNECTION_CLOSE frame MAY
3168 * send a single packet containing a CONNECTION_CLOSE
3169 * frame before entering the draining state, using a
3170 * NO_ERROR code if appropriate
3171 */
3172 ch->conn_close_queued = 1;
3173 }
3174 } else {
3175 ch_on_terminating_timeout(ch);
3176 }
3177 break;
3178
3179 case QUIC_CHANNEL_STATE_TERMINATING_CLOSING:
3180 if (force_immediate)
3181 ch_on_terminating_timeout(ch);
3182 else if (tcause->remote)
3183 /*
3184 * RFC 9000 s. 10.2.2 Draining Connection State:
3185 * An endpoint MAY enter the draining state from the
3186 * closing state if it receives a CONNECTION_CLOSE frame,
3187 * which indicates that the peer is also closing or draining.
3188 */
3189 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATING_DRAINING);
3190
3191 break;
3192
3193 case QUIC_CHANNEL_STATE_TERMINATING_DRAINING:
3194 /*
3195 * Other than in the force-immediate case, we remain here until the
3196 * timeout expires.
3197 */
3198 if (force_immediate)
3199 ch_on_terminating_timeout(ch);
3200
3201 break;
3202
3203 case QUIC_CHANNEL_STATE_TERMINATED:
3204 /* No-op. */
3205 break;
3206 }
3207 }
3208
3209 /* For RXDP use. */
ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL * ch,OSSL_QUIC_FRAME_CONN_CLOSE * f)3210 void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
3211 OSSL_QUIC_FRAME_CONN_CLOSE *f)
3212 {
3213 QUIC_TERMINATE_CAUSE tcause = { 0 };
3214
3215 if (!ossl_quic_channel_is_active(ch))
3216 return;
3217
3218 tcause.remote = 1;
3219 tcause.app = f->is_app;
3220 tcause.error_code = f->error_code;
3221 tcause.frame_type = f->frame_type;
3222 tcause.reason = f->reason;
3223 tcause.reason_len = f->reason_len;
3224 ch_start_terminating(ch, &tcause, 0);
3225 }
3226
free_frame_data(unsigned char * buf,size_t buf_len,void * arg)3227 static void free_frame_data(unsigned char *buf, size_t buf_len, void *arg)
3228 {
3229 OPENSSL_free(buf);
3230 }
3231
ch_enqueue_retire_conn_id(QUIC_CHANNEL * ch,uint64_t seq_num)3232 static int ch_enqueue_retire_conn_id(QUIC_CHANNEL *ch, uint64_t seq_num)
3233 {
3234 BUF_MEM *buf_mem = NULL;
3235 WPACKET wpkt;
3236 size_t l;
3237
3238 ossl_quic_srtm_remove(ch->srtm, ch, seq_num);
3239
3240 if ((buf_mem = BUF_MEM_new()) == NULL)
3241 goto err;
3242
3243 if (!WPACKET_init(&wpkt, buf_mem))
3244 goto err;
3245
3246 if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt, seq_num)) {
3247 WPACKET_cleanup(&wpkt);
3248 goto err;
3249 }
3250
3251 WPACKET_finish(&wpkt);
3252 if (!WPACKET_get_total_written(&wpkt, &l))
3253 goto err;
3254
3255 if (ossl_quic_cfq_add_frame(ch->cfq, 1, QUIC_PN_SPACE_APP,
3256 OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID, 0,
3257 (unsigned char *)buf_mem->data, l,
3258 free_frame_data, NULL)
3259 == NULL)
3260 goto err;
3261
3262 buf_mem->data = NULL;
3263 BUF_MEM_free(buf_mem);
3264 return 1;
3265
3266 err:
3267 ossl_quic_channel_raise_protocol_error(ch,
3268 OSSL_QUIC_ERR_INTERNAL_ERROR,
3269 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3270 "internal error enqueueing retire conn id");
3271 BUF_MEM_free(buf_mem);
3272 return 0;
3273 }
3274
ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL * ch,OSSL_QUIC_FRAME_NEW_CONN_ID * f)3275 void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL *ch,
3276 OSSL_QUIC_FRAME_NEW_CONN_ID *f)
3277 {
3278 uint64_t new_remote_seq_num = ch->cur_remote_seq_num;
3279 uint64_t new_retire_prior_to = ch->cur_retire_prior_to;
3280
3281 if (!ossl_quic_channel_is_active(ch))
3282 return;
3283
3284 /* We allow only two active connection ids; first check some constraints */
3285 if (ch->cur_remote_dcid.id_len == 0) {
3286 /* Changing from 0 length connection id is disallowed */
3287 ossl_quic_channel_raise_protocol_error(ch,
3288 OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
3289 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3290 "zero length connection id in use");
3291
3292 return;
3293 }
3294
3295 if (f->seq_num > new_remote_seq_num)
3296 new_remote_seq_num = f->seq_num;
3297 if (f->retire_prior_to > new_retire_prior_to)
3298 new_retire_prior_to = f->retire_prior_to;
3299
3300 /*
3301 * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
3302 * than the peer's limit.
3303 *
3304 * After processing a NEW_CONNECTION_ID frame and adding and retiring
3305 * active connection IDs, if the number of active connection IDs exceeds
3306 * the value advertised in its active_connection_id_limit transport
3307 * parameter, an endpoint MUST close the connection with an error of
3308 * type CONNECTION_ID_LIMIT_ERROR.
3309 */
3310 if (new_remote_seq_num - new_retire_prior_to > 1) {
3311 ossl_quic_channel_raise_protocol_error(ch,
3312 OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3313 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3314 "active_connection_id limit violated");
3315 return;
3316 }
3317
3318 /*
3319 * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
3320 * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
3321 * the retirement of any excess, by including a sufficiently large
3322 * value in the Retire Prior To field.
3323 *
3324 * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
3325 * a number of RETIRE_CONNECTION_ID frames of at least twice the value
3326 * of the active_connection_id_limit transport parameter. An endpoint
3327 * MUST NOT forget a connection ID without retiring it, though it MAY
3328 * choose to treat having connection IDs in need of retirement that
3329 * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
3330 *
3331 * We are a little bit more liberal than the minimum mandated.
3332 */
3333 if (new_retire_prior_to - ch->cur_retire_prior_to > 10) {
3334 ossl_quic_channel_raise_protocol_error(ch,
3335 OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3336 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3337 "retiring connection id limit violated");
3338
3339 return;
3340 }
3341
3342 if (new_remote_seq_num > ch->cur_remote_seq_num) {
3343 /* Add new stateless reset token */
3344 if (!ossl_quic_srtm_add(ch->srtm, ch, new_remote_seq_num,
3345 &f->stateless_reset)) {
3346 ossl_quic_channel_raise_protocol_error(
3347 ch, OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
3348 OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
3349 "unable to store stateless reset token");
3350
3351 return;
3352 }
3353 ch->cur_remote_seq_num = new_remote_seq_num;
3354 ch->cur_remote_dcid = f->conn_id;
3355 ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid);
3356 }
3357
3358 /*
3359 * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
3360 * field, the peer MUST stop using the corresponding connection IDs
3361 * and retire them with RETIRE_CONNECTION_ID frames before adding the
3362 * newly provided connection ID to the set of active connection IDs.
3363 */
3364
3365 /*
3366 * Note: RFC 9000 s. 19.15 says:
3367 * "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
3368 * number smaller than the Retire Prior To field of a previously received
3369 * NEW_CONNECTION_ID frame MUST send a corresponding
3370 * RETIRE_CONNECTION_ID frame that retires the newly received connection
3371 * ID, unless it has already done so for that sequence number."
3372 *
3373 * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
3374 * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
3375 * that NEW_CONNECTION_ID frame, by definition this will always be met.
3376 * This may change in future when we change our CID handling.
3377 */
3378 while (new_retire_prior_to > ch->cur_retire_prior_to) {
3379 if (!ch_enqueue_retire_conn_id(ch, ch->cur_retire_prior_to))
3380 break;
3381 ++ch->cur_retire_prior_to;
3382 }
3383 }
3384
ch_save_err_state(QUIC_CHANNEL * ch)3385 static void ch_save_err_state(QUIC_CHANNEL *ch)
3386 {
3387 if (ch->err_state == NULL)
3388 ch->err_state = OSSL_ERR_STATE_new();
3389
3390 if (ch->err_state == NULL)
3391 return;
3392
3393 OSSL_ERR_STATE_save(ch->err_state);
3394 }
3395
ossl_quic_channel_inject(QUIC_CHANNEL * ch,QUIC_URXE * e)3396 void ossl_quic_channel_inject(QUIC_CHANNEL *ch, QUIC_URXE *e)
3397 {
3398 ossl_qrx_inject_urxe(ch->qrx, e);
3399 }
3400
ossl_quic_channel_inject_pkt(QUIC_CHANNEL * ch,OSSL_QRX_PKT * qpkt)3401 void ossl_quic_channel_inject_pkt(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpkt)
3402 {
3403 ossl_qrx_inject_pkt(ch->qrx, qpkt);
3404 }
3405
ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL * ch)3406 void ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL *ch)
3407 {
3408 QUIC_TERMINATE_CAUSE tcause = { 0 };
3409
3410 tcause.error_code = OSSL_QUIC_ERR_NO_ERROR;
3411 tcause.remote = 1;
3412 ch_start_terminating(ch, &tcause, 0);
3413 }
3414
ossl_quic_channel_raise_net_error(QUIC_CHANNEL * ch)3415 void ossl_quic_channel_raise_net_error(QUIC_CHANNEL *ch)
3416 {
3417 QUIC_TERMINATE_CAUSE tcause = { 0 };
3418
3419 if (ch->net_error)
3420 return;
3421
3422 ch->net_error = 1;
3423
3424 tcause.error_code = OSSL_QUIC_ERR_INTERNAL_ERROR;
3425 tcause.reason = "network BIO I/O error";
3426 tcause.reason_len = strlen(tcause.reason);
3427
3428 /*
3429 * Skip Terminating state and go directly to Terminated, no point trying to
3430 * send CONNECTION_CLOSE if we cannot communicate.
3431 */
3432 ch_start_terminating(ch, &tcause, 1);
3433 }
3434
ossl_quic_channel_net_error(QUIC_CHANNEL * ch)3435 int ossl_quic_channel_net_error(QUIC_CHANNEL *ch)
3436 {
3437 return ch->net_error;
3438 }
3439
ossl_quic_channel_restore_err_state(QUIC_CHANNEL * ch)3440 void ossl_quic_channel_restore_err_state(QUIC_CHANNEL *ch)
3441 {
3442 if (ch == NULL)
3443 return;
3444
3445 if (!ossl_quic_port_is_running(ch->port))
3446 ossl_quic_port_restore_err_state(ch->port);
3447 else
3448 OSSL_ERR_STATE_restore(ch->err_state);
3449 }
3450
ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL * ch,uint64_t error_code,uint64_t frame_type,const char * reason,ERR_STATE * err_state,const char * src_file,int src_line,const char * src_func)3451 void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch,
3452 uint64_t error_code,
3453 uint64_t frame_type,
3454 const char *reason,
3455 ERR_STATE *err_state,
3456 const char *src_file,
3457 int src_line,
3458 const char *src_func)
3459 {
3460 QUIC_TERMINATE_CAUSE tcause = { 0 };
3461 int err_reason = error_code == OSSL_QUIC_ERR_INTERNAL_ERROR
3462 ? ERR_R_INTERNAL_ERROR
3463 : SSL_R_QUIC_PROTOCOL_ERROR;
3464 const char *err_str = ossl_quic_err_to_string(error_code);
3465 const char *err_str_pfx = " (", *err_str_sfx = ")";
3466 const char *ft_str = NULL;
3467 const char *ft_str_pfx = " (", *ft_str_sfx = ")";
3468
3469 if (ch->protocol_error)
3470 /* Only the first call to this function matters. */
3471 return;
3472
3473 if (err_str == NULL) {
3474 err_str = "";
3475 err_str_pfx = "";
3476 err_str_sfx = "";
3477 }
3478
3479 /*
3480 * If we were provided an underlying error state, restore it and then append
3481 * our ERR on top as a "cover letter" error.
3482 */
3483 if (err_state != NULL)
3484 OSSL_ERR_STATE_restore(err_state);
3485
3486 if (frame_type != 0) {
3487 ft_str = ossl_quic_frame_type_to_string(frame_type);
3488 if (ft_str == NULL) {
3489 ft_str = "";
3490 ft_str_pfx = "";
3491 ft_str_sfx = "";
3492 }
3493
3494 ERR_raise_data(ERR_LIB_SSL, err_reason,
3495 "QUIC error code: 0x%llx%s%s%s "
3496 "(triggered by frame type: 0x%llx%s%s%s), reason: \"%s\"",
3497 (unsigned long long)error_code,
3498 err_str_pfx, err_str, err_str_sfx,
3499 (unsigned long long)frame_type,
3500 ft_str_pfx, ft_str, ft_str_sfx,
3501 reason);
3502 } else {
3503 ERR_raise_data(ERR_LIB_SSL, err_reason,
3504 "QUIC error code: 0x%llx%s%s%s, reason: \"%s\"",
3505 (unsigned long long)error_code,
3506 err_str_pfx, err_str, err_str_sfx,
3507 reason);
3508 }
3509
3510 if (src_file != NULL)
3511 ERR_set_debug(src_file, src_line, src_func);
3512
3513 ch_save_err_state(ch);
3514
3515 tcause.error_code = error_code;
3516 tcause.frame_type = frame_type;
3517 tcause.reason = reason;
3518 tcause.reason_len = strlen(reason);
3519
3520 ch->protocol_error = 1;
3521 ch_start_terminating(ch, &tcause, 0);
3522 }
3523
3524 /*
3525 * Called once the terminating timer expires, meaning we move from TERMINATING
3526 * to TERMINATED.
3527 */
ch_on_terminating_timeout(QUIC_CHANNEL * ch)3528 static void ch_on_terminating_timeout(QUIC_CHANNEL *ch)
3529 {
3530 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
3531 }
3532
3533 /*
3534 * Determines the effective idle timeout duration. This is based on the idle
3535 * timeout values that we and our peer signalled in transport parameters
3536 * but have some limits applied.
3537 */
ch_get_effective_idle_timeout_duration(QUIC_CHANNEL * ch)3538 static OSSL_TIME ch_get_effective_idle_timeout_duration(QUIC_CHANNEL *ch)
3539 {
3540 OSSL_TIME pto;
3541
3542 if (ch->max_idle_timeout == 0)
3543 return ossl_time_infinite();
3544
3545 /*
3546 * RFC 9000 s. 10.1: Idle Timeout
3547 * To avoid excessively small idle timeout periods, endpoints
3548 * MUST increase the idle timeout period to be at least three
3549 * times the current Probe Timeout (PTO). This allows for
3550 * multiple PTOs to expire, and therefore multiple probes to
3551 * be sent and lost, prior to idle timeout.
3552 */
3553 pto = ossl_ackm_get_pto_duration(ch->ackm);
3554 return ossl_time_max(ossl_ms2time(ch->max_idle_timeout),
3555 ossl_time_multiply(pto, 3));
3556 }
3557
3558 /*
3559 * Updates our idle deadline. Called when an event happens which should bump the
3560 * idle timeout.
3561 */
ch_update_idle(QUIC_CHANNEL * ch)3562 static void ch_update_idle(QUIC_CHANNEL *ch)
3563 {
3564 ch->idle_deadline = ossl_time_add(get_time(ch),
3565 ch_get_effective_idle_timeout_duration(ch));
3566 }
3567
3568 /*
3569 * Updates our ping deadline, which determines when we next generate a ping if
3570 * we don't have any other ACK-eliciting frames to send.
3571 */
ch_update_ping_deadline(QUIC_CHANNEL * ch)3572 static void ch_update_ping_deadline(QUIC_CHANNEL *ch)
3573 {
3574 OSSL_TIME max_span, idle_duration;
3575
3576 idle_duration = ch_get_effective_idle_timeout_duration(ch);
3577 if (ossl_time_is_infinite(idle_duration)) {
3578 ch->ping_deadline = ossl_time_infinite();
3579 return;
3580 }
3581
3582 /*
3583 * Maximum amount of time without traffic before we send a PING to keep
3584 * the connection open. Usually we use max_idle_timeout/2, but ensure
3585 * the period never exceeds the assumed NAT interval to ensure NAT
3586 * devices don't have their state time out (RFC 9000 s. 10.1.2).
3587 */
3588 max_span = ossl_time_divide(idle_duration, 2);
3589 max_span = ossl_time_min(max_span, MAX_NAT_INTERVAL);
3590 ch->ping_deadline = ossl_time_add(get_time(ch), max_span);
3591 }
3592
3593 /* Called when the idle timeout expires. */
ch_on_idle_timeout(QUIC_CHANNEL * ch)3594 static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
3595 {
3596 /*
3597 * Idle timeout does not have an error code associated with it because a
3598 * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
3599 * TERMINATED anyway.
3600 */
3601 ch->terminate_cause.app = 0;
3602 ch->terminate_cause.error_code = OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT;
3603 ch->terminate_cause.frame_type = 0;
3604
3605 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
3606 }
3607
3608 /**
3609 * @brief Common handler for initializing a new QUIC connection.
3610 *
3611 * This function configures a QUIC channel (`QUIC_CHANNEL *ch`) for a new
3612 * connection by setting the peer address, connection IDs, and necessary
3613 * callbacks. It establishes initial secrets, sets up logging, and performs
3614 * required transitions for the channel state.
3615 *
3616 * @param ch Pointer to the QUIC channel being initialized.
3617 * @param peer Address of the peer to which the channel connects.
3618 * @param peer_scid Peer-specified source connection ID.
3619 * @param peer_dcid Peer-specified destination connection ID.
3620 * @param peer_odcid Peer-specified original destination connection ID
3621 * may be NULL if retry frame not sent to client
3622 * @return 1 on success, 0 on failure to set required elements.
3623 */
ch_on_new_conn_common(QUIC_CHANNEL * ch,const BIO_ADDR * peer,const QUIC_CONN_ID * peer_scid,const QUIC_CONN_ID * peer_dcid,const QUIC_CONN_ID * peer_odcid)3624 static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
3625 const QUIC_CONN_ID *peer_scid,
3626 const QUIC_CONN_ID *peer_dcid,
3627 const QUIC_CONN_ID *peer_odcid)
3628 {
3629 /* Note our newly learnt peer address and CIDs. */
3630 if (!BIO_ADDR_copy(&ch->cur_peer_addr, peer))
3631 return 0;
3632
3633 ch->init_dcid = *peer_dcid;
3634 ch->cur_remote_dcid = *peer_scid;
3635 ch->odcid.id_len = 0;
3636
3637 if (peer_odcid != NULL)
3638 ch->odcid = *peer_odcid;
3639
3640 /* Inform QTX of peer address. */
3641 if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
3642 return 0;
3643
3644 /* Inform TXP of desired CIDs. */
3645 if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid))
3646 return 0;
3647
3648 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
3649 return 0;
3650
3651 /* Setup QLOG, which did not happen earlier due to lacking an Initial ODCID. */
3652 ossl_qtx_set_qlog_cb(ch->qtx, ch_get_qlog_cb, ch);
3653 ossl_quic_tx_packetiser_set_qlog_cb(ch->txp, ch_get_qlog_cb, ch);
3654
3655 /*
3656 * Plug in secrets for the Initial EL. secrets for QRX were created in
3657 * port_default_packet_handler() already.
3658 */
3659 if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
3660 ch->port->engine->propq,
3661 &ch->init_dcid,
3662 /*is_server=*/1,
3663 NULL, ch->qtx))
3664 return 0;
3665
3666 /* Register the peer ODCID in the LCIDM. */
3667 if (!ossl_quic_lcidm_enrol_odcid(ch->lcidm, ch, peer_odcid == NULL ? &ch->init_dcid : peer_odcid))
3668 return 0;
3669
3670 /* Change state. */
3671 ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
3672 ch->doing_proactive_ver_neg = 0; /* not currently supported */
3673 return 1;
3674 }
3675
3676 /* Called when we, as a server, get a new incoming connection. */
ossl_quic_channel_on_new_conn(QUIC_CHANNEL * ch,const BIO_ADDR * peer,const QUIC_CONN_ID * peer_scid,const QUIC_CONN_ID * peer_dcid)3677 int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
3678 const QUIC_CONN_ID *peer_scid,
3679 const QUIC_CONN_ID *peer_dcid)
3680 {
3681 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
3682 return 0;
3683
3684 /* Generate an Initial LCID we will use for the connection. */
3685 if (!ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->cur_local_cid))
3686 return 0;
3687
3688 return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, NULL);
3689 }
3690
3691 /**
3692 * Binds a QUIC channel to a specific peer's address and connection IDs.
3693 *
3694 * This function is used to establish a binding between a QUIC channel and a
3695 * peer's address and connection IDs. The binding is performed only if the
3696 * channel is idle and is on the server side. The peer's destination connection
3697 * ID (`peer_dcid`) is mandatory, and the channel's current local connection ID
3698 * is set to this value.
3699 *
3700 * @param ch Pointer to the QUIC_CHANNEL structure representing the
3701 * channel to be bound.
3702 * @param peer Pointer to a BIO_ADDR structure representing the peer's
3703 * address.
3704 * @param peer_scid Pointer to the peer's source connection ID (QUIC_CONN_ID).
3705 * @param peer_dcid Pointer to the peer's destination connection ID
3706 * (QUIC_CONN_ID). This must not be NULL.
3707 * @param peer_odcid Pointer to the original destination connection ID
3708 * (QUIC_CONN_ID) chosen by the peer in its first initial
3709 * packet received without a token.
3710 *
3711 * @return 1 on success, or 0 on failure if the conditions for binding are not
3712 * met (e.g., channel is not idle or not a server, or binding fails).
3713 */
ossl_quic_bind_channel(QUIC_CHANNEL * ch,const BIO_ADDR * peer,const QUIC_CONN_ID * peer_scid,const QUIC_CONN_ID * peer_dcid,const QUIC_CONN_ID * peer_odcid)3714 int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
3715 const QUIC_CONN_ID *peer_scid,
3716 const QUIC_CONN_ID *peer_dcid,
3717 const QUIC_CONN_ID *peer_odcid)
3718 {
3719 if (peer_dcid == NULL)
3720 return 0;
3721
3722 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
3723 return 0;
3724
3725 ch->cur_local_cid = *peer_dcid;
3726 if (!ossl_quic_lcidm_bind_channel(ch->lcidm, ch, peer_dcid))
3727 return 0;
3728
3729 /*
3730 * peer_odcid <=> is initial dst conn id chosen by peer in its
3731 * first initial packet we received without token.
3732 */
3733 return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, peer_odcid);
3734 }
3735
ossl_quic_channel_get0_ssl(QUIC_CHANNEL * ch)3736 SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
3737 {
3738 return ch->tls;
3739 }
3740
ch_init_new_stream(QUIC_CHANNEL * ch,QUIC_STREAM * qs,int can_send,int can_recv)3741 static int ch_init_new_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs,
3742 int can_send, int can_recv)
3743 {
3744 uint64_t rxfc_wnd;
3745 int server_init = ossl_quic_stream_is_server_init(qs);
3746 int local_init = (ch->is_server == server_init);
3747 int is_uni = !ossl_quic_stream_is_bidi(qs);
3748
3749 if (can_send)
3750 if ((qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
3751 goto err;
3752
3753 if (can_recv)
3754 if ((qs->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL)
3755 goto err;
3756
3757 /* TXFC */
3758 if (!ossl_quic_txfc_init(&qs->txfc, &ch->conn_txfc))
3759 goto err;
3760
3761 if (ch->got_remote_transport_params) {
3762 /*
3763 * If we already got peer TPs we need to apply the initial CWM credit
3764 * now. If we didn't already get peer TPs this will be done
3765 * automatically for all extant streams when we do.
3766 */
3767 if (can_send) {
3768 uint64_t cwm;
3769
3770 if (is_uni)
3771 cwm = ch->rx_init_max_stream_data_uni;
3772 else if (local_init)
3773 cwm = ch->rx_init_max_stream_data_bidi_local;
3774 else
3775 cwm = ch->rx_init_max_stream_data_bidi_remote;
3776
3777 ossl_quic_txfc_bump_cwm(&qs->txfc, cwm);
3778 }
3779 }
3780
3781 /* RXFC */
3782 if (!can_recv)
3783 rxfc_wnd = 0;
3784 else if (is_uni)
3785 rxfc_wnd = ch->tx_init_max_stream_data_uni;
3786 else if (local_init)
3787 rxfc_wnd = ch->tx_init_max_stream_data_bidi_local;
3788 else
3789 rxfc_wnd = ch->tx_init_max_stream_data_bidi_remote;
3790
3791 if (!ossl_quic_rxfc_init(&qs->rxfc, &ch->conn_rxfc,
3792 rxfc_wnd,
3793 DEFAULT_STREAM_RXFC_MAX_WND_MUL * rxfc_wnd,
3794 get_time, ch))
3795 goto err;
3796
3797 return 1;
3798
3799 err:
3800 ossl_quic_sstream_free(qs->sstream);
3801 qs->sstream = NULL;
3802 ossl_quic_rstream_free(qs->rstream);
3803 qs->rstream = NULL;
3804 return 0;
3805 }
3806
ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL * ch,int is_uni)3807 static uint64_t *ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL *ch,
3808 int is_uni)
3809 {
3810 return is_uni ? &ch->next_local_stream_ordinal_uni
3811 : &ch->next_local_stream_ordinal_bidi;
3812 }
3813
ch_get_local_stream_max_ptr(const QUIC_CHANNEL * ch,int is_uni)3814 static const uint64_t *ch_get_local_stream_max_ptr(const QUIC_CHANNEL *ch,
3815 int is_uni)
3816 {
3817 return is_uni ? &ch->max_local_streams_uni
3818 : &ch->max_local_streams_bidi;
3819 }
3820
ch_get_remote_stream_count_rxfc(const QUIC_CHANNEL * ch,int is_uni)3821 static const QUIC_RXFC *ch_get_remote_stream_count_rxfc(const QUIC_CHANNEL *ch,
3822 int is_uni)
3823 {
3824 return is_uni ? &ch->max_streams_uni_rxfc
3825 : &ch->max_streams_bidi_rxfc;
3826 }
3827
ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL * ch,int is_uni)3828 int ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL *ch,
3829 int is_uni)
3830 {
3831 const uint64_t *p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3832
3833 return ossl_quic_stream_map_is_local_allowed_by_stream_limit(&ch->qsm,
3834 *p_next_ordinal,
3835 is_uni);
3836 }
3837
ossl_quic_channel_get_local_stream_count_avail(const QUIC_CHANNEL * ch,int is_uni)3838 uint64_t ossl_quic_channel_get_local_stream_count_avail(const QUIC_CHANNEL *ch,
3839 int is_uni)
3840 {
3841 const uint64_t *p_next_ordinal, *p_max;
3842
3843 p_next_ordinal = ch_get_local_stream_next_ordinal_ptr((QUIC_CHANNEL *)ch,
3844 is_uni);
3845 p_max = ch_get_local_stream_max_ptr(ch, is_uni);
3846
3847 return *p_max - *p_next_ordinal;
3848 }
3849
ossl_quic_channel_get_remote_stream_count_avail(const QUIC_CHANNEL * ch,int is_uni)3850 uint64_t ossl_quic_channel_get_remote_stream_count_avail(const QUIC_CHANNEL *ch,
3851 int is_uni)
3852 {
3853 return ossl_quic_rxfc_get_credit(ch_get_remote_stream_count_rxfc(ch, is_uni));
3854 }
3855
ossl_quic_channel_new_stream_local(QUIC_CHANNEL * ch,int is_uni)3856 QUIC_STREAM *ossl_quic_channel_new_stream_local(QUIC_CHANNEL *ch, int is_uni)
3857 {
3858 QUIC_STREAM *qs;
3859 int type;
3860 uint64_t stream_id;
3861 uint64_t *p_next_ordinal;
3862
3863 type = ch->is_server ? QUIC_STREAM_INITIATOR_SERVER
3864 : QUIC_STREAM_INITIATOR_CLIENT;
3865
3866 p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);
3867
3868 if (is_uni)
3869 type |= QUIC_STREAM_DIR_UNI;
3870 else
3871 type |= QUIC_STREAM_DIR_BIDI;
3872
3873 if (*p_next_ordinal >= ((uint64_t)1) << 62)
3874 return NULL;
3875
3876 stream_id = ((*p_next_ordinal) << 2) | type;
3877
3878 if ((qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id, type)) == NULL)
3879 return NULL;
3880
3881 /* Locally-initiated stream, so we always want a send buffer. */
3882 if (!ch_init_new_stream(ch, qs, /*can_send=*/1, /*can_recv=*/!is_uni))
3883 goto err;
3884
3885 ++*p_next_ordinal;
3886 return qs;
3887
3888 err:
3889 ossl_quic_stream_map_release(&ch->qsm, qs);
3890 return NULL;
3891 }
3892
ossl_quic_channel_new_stream_remote(QUIC_CHANNEL * ch,uint64_t stream_id)3893 QUIC_STREAM *ossl_quic_channel_new_stream_remote(QUIC_CHANNEL *ch,
3894 uint64_t stream_id)
3895 {
3896 uint64_t peer_role;
3897 int is_uni;
3898 QUIC_STREAM *qs;
3899
3900 peer_role = ch->is_server
3901 ? QUIC_STREAM_INITIATOR_CLIENT
3902 : QUIC_STREAM_INITIATOR_SERVER;
3903
3904 if ((stream_id & QUIC_STREAM_INITIATOR_MASK) != peer_role)
3905 return NULL;
3906
3907 is_uni = ((stream_id & QUIC_STREAM_DIR_MASK) == QUIC_STREAM_DIR_UNI);
3908
3909 qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id,
3910 stream_id & (QUIC_STREAM_INITIATOR_MASK | QUIC_STREAM_DIR_MASK));
3911 if (qs == NULL)
3912 return NULL;
3913
3914 if (!ch_init_new_stream(ch, qs, /*can_send=*/!is_uni, /*can_recv=*/1))
3915 goto err;
3916
3917 if (ch->incoming_stream_auto_reject)
3918 ossl_quic_channel_reject_stream(ch, qs);
3919 else
3920 ossl_quic_stream_map_push_accept_queue(&ch->qsm, qs);
3921
3922 return qs;
3923
3924 err:
3925 ossl_quic_stream_map_release(&ch->qsm, qs);
3926 return NULL;
3927 }
3928
ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL * ch,int enable,uint64_t aec)3929 void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL *ch,
3930 int enable,
3931 uint64_t aec)
3932 {
3933 ch->incoming_stream_auto_reject = (enable != 0);
3934 ch->incoming_stream_auto_reject_aec = aec;
3935 }
3936
ossl_quic_channel_reject_stream(QUIC_CHANNEL * ch,QUIC_STREAM * qs)3937 void ossl_quic_channel_reject_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs)
3938 {
3939 ossl_quic_stream_map_stop_sending_recv_part(&ch->qsm, qs,
3940 ch->incoming_stream_auto_reject_aec);
3941
3942 ossl_quic_stream_map_reset_stream_send_part(&ch->qsm, qs,
3943 ch->incoming_stream_auto_reject_aec);
3944 qs->deleted = 1;
3945
3946 ossl_quic_stream_map_update_state(&ch->qsm, qs);
3947 }
3948
3949 /* Replace local connection ID in TXP and DEMUX for testing purposes. */
ossl_quic_channel_replace_local_cid(QUIC_CHANNEL * ch,const QUIC_CONN_ID * conn_id)3950 int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL *ch,
3951 const QUIC_CONN_ID *conn_id)
3952 {
3953 /* Remove the current LCID from the LCIDM. */
3954 if (!ossl_quic_lcidm_debug_remove(ch->lcidm, &ch->cur_local_cid))
3955 return 0;
3956 ch->cur_local_cid = *conn_id;
3957 /* Set in the TXP, used only for long header packets. */
3958 if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
3959 return 0;
3960 /* Add the new LCID to the LCIDM. */
3961 if (!ossl_quic_lcidm_debug_add(ch->lcidm, ch, &ch->cur_local_cid,
3962 100))
3963 return 0;
3964 return 1;
3965 }
3966
ossl_quic_channel_set_msg_callback(QUIC_CHANNEL * ch,ossl_msg_cb msg_callback,SSL * msg_callback_ssl)3967 void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL *ch,
3968 ossl_msg_cb msg_callback,
3969 SSL *msg_callback_ssl)
3970 {
3971 ch->msg_callback = msg_callback;
3972 ch->msg_callback_ssl = msg_callback_ssl;
3973 ossl_qtx_set_msg_callback(ch->qtx, msg_callback, msg_callback_ssl);
3974 ossl_quic_tx_packetiser_set_msg_callback(ch->txp, msg_callback,
3975 msg_callback_ssl);
3976 /*
3977 * postpone msg callback setting for tserver until port calls
3978 * port_bind_channel().
3979 */
3980 if (ch->is_tserver_ch == 0)
3981 ossl_qrx_set_msg_callback(ch->qrx, msg_callback, msg_callback_ssl);
3982 }
3983
ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL * ch,void * msg_callback_arg)3984 void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
3985 void *msg_callback_arg)
3986 {
3987 ch->msg_callback_arg = msg_callback_arg;
3988 ossl_qtx_set_msg_callback_arg(ch->qtx, msg_callback_arg);
3989 ossl_quic_tx_packetiser_set_msg_callback_arg(ch->txp, msg_callback_arg);
3990
3991 /*
3992 * postpone msg callback setting for tserver until port calls
3993 * port_bind_channel().
3994 */
3995 if (ch->is_tserver_ch == 0)
3996 ossl_qrx_set_msg_callback_arg(ch->qrx, msg_callback_arg);
3997 }
3998
ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL * ch,uint64_t tx_pkt_threshold)3999 void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
4000 uint64_t tx_pkt_threshold)
4001 {
4002 ch->txku_threshold_override = tx_pkt_threshold;
4003 }
4004
ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL * ch)4005 uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch)
4006 {
4007 return ossl_qtx_get_key_epoch(ch->qtx);
4008 }
4009
ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL * ch)4010 uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch)
4011 {
4012 return ossl_qrx_get_key_epoch(ch->qrx);
4013 }
4014
ossl_quic_channel_trigger_txku(QUIC_CHANNEL * ch)4015 int ossl_quic_channel_trigger_txku(QUIC_CHANNEL *ch)
4016 {
4017 if (!txku_allowed(ch))
4018 return 0;
4019
4020 ch->ku_locally_initiated = 1;
4021 ch_trigger_txku(ch);
4022 return 1;
4023 }
4024
ossl_quic_channel_ping(QUIC_CHANNEL * ch)4025 int ossl_quic_channel_ping(QUIC_CHANNEL *ch)
4026 {
4027 int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);
4028
4029 ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);
4030
4031 return 1;
4032 }
4033
ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL * ch)4034 uint16_t ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL *ch)
4035 {
4036 return ch->diag_num_rx_ack;
4037 }
4038
ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL * ch,QUIC_CONN_ID * cid)4039 void ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL *ch, QUIC_CONN_ID *cid)
4040 {
4041 *cid = ch->cur_local_cid;
4042 }
4043
ossl_quic_channel_have_generated_transport_params(const QUIC_CHANNEL * ch)4044 int ossl_quic_channel_have_generated_transport_params(const QUIC_CHANNEL *ch)
4045 {
4046 return ch->got_local_transport_params;
4047 }
4048
ossl_quic_channel_set_max_idle_timeout_request(QUIC_CHANNEL * ch,uint64_t ms)4049 void ossl_quic_channel_set_max_idle_timeout_request(QUIC_CHANNEL *ch, uint64_t ms)
4050 {
4051 ch->max_idle_timeout_local_req = ms;
4052 }
ossl_quic_channel_get_max_idle_timeout_request(const QUIC_CHANNEL * ch)4053 uint64_t ossl_quic_channel_get_max_idle_timeout_request(const QUIC_CHANNEL *ch)
4054 {
4055 return ch->max_idle_timeout_local_req;
4056 }
4057
ossl_quic_channel_get_max_idle_timeout_peer_request(const QUIC_CHANNEL * ch)4058 uint64_t ossl_quic_channel_get_max_idle_timeout_peer_request(const QUIC_CHANNEL *ch)
4059 {
4060 return ch->max_idle_timeout_remote_req;
4061 }
4062
ossl_quic_channel_get_max_idle_timeout_actual(const QUIC_CHANNEL * ch)4063 uint64_t ossl_quic_channel_get_max_idle_timeout_actual(const QUIC_CHANNEL *ch)
4064 {
4065 return ch->max_idle_timeout;
4066 }
4067