summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHugo Landau <hlandau@openssl.org>2022-11-17 15:00:41 +0000
committerHugo Landau <hlandau@openssl.org>2023-01-13 13:20:14 +0000
commitf538b42155283879d1a55708292105437a96700d (patch)
tree65a381c4af6de61bfa11b6b35db0a835c3a4148e
parent69523214ee5a718a0f24803a93bedf0795578173 (diff)
QUIC_CHANNEL: Implementation
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19703)
Diffstat
-rw-r--r--include/internal/quic_channel.h159
-rw-r--r--ssl/quic/build.info1
-rw-r--r--ssl/quic/quic_channel.c1627
-rw-r--r--ssl/quic/quic_channel_local.h270
4 files changed, 2057 insertions, 0 deletions
diff --git a/include/internal/quic_channel.h b/include/internal/quic_channel.h
new file mode 100644
index 0000000000..6c2364a26f
--- /dev/null
+++ b/include/internal/quic_channel.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_QUIC_CHANNEL_H
+# define OSSL_QUIC_CHANNEL_H
+
+# include <openssl/ssl.h>
+# include "internal/quic_types.h"
+# include "internal/quic_stream_map.h"
+# include "internal/quic_reactor.h"
+# include "internal/quic_statm.h"
+# include "internal/time.h"
+
+/*
+ * QUIC Channel
+ * ============
+ *
+ * A QUIC channel (QUIC_CHANNEL) is an object which binds together all of the
+ * various pieces of QUIC into a single top-level object, and handles connection
+ * state which is not specific to the client or server roles. In particular, it
+ * is strictly separated from the libssl front end I/O API personality layer,
+ * and is not an SSL object.
+ *
+ * The name QUIC_CHANNEL is chosen because QUIC_CONNECTION is already in use,
+ * but functionally these relate to the same thing (a QUIC connection). The use
+ * of two separate objects ensures clean separation between the API personality
+ * layer and common code for handling connections, and between the functionality
+ * which is specific to clients and which is specific to servers, and the
+ * functionality which is common to both.
+ *
+ * The API personality layer provides SSL objects (e.g. a QUIC_CONNECTION) which
+ * consume a QUIC channel and implement a specific public API. Things which are
+ * handled by the API personality layer include emulation of blocking semantics,
+ * handling of SSL object mode flags like non-partial write mode, etc.
+ *
+ * Where the QUIC_CHANNEL is used in a server role, there is one QUIC_CHANNEL
+ * per connection. In the future a QUIC Channel Manager will probably be defined
+ * to handle ownership of resources which are shared between connections (e.g.
+ * demuxers). Since we only use server-side functionality for dummy test servers
+ * for now, which only need to handle one connection at a time, this is not
+ * currently modelled.
+ */
+
+#define QUIC_CHANNEL_STATE_IDLE 0
+#define QUIC_CHANNEL_STATE_ACTIVE 1
+#define QUIC_CHANNEL_STATE_TERMINATING_CLOSING 2
+#define QUIC_CHANNEL_STATE_TERMINATING_DRAINING 3
+#define QUIC_CHANNEL_STATE_TERMINATED 4
+
+typedef struct quic_channel_args_st {
+ OSSL_LIB_CTX *libctx;
+ const char *propq;
+ int is_server;
+} QUIC_CHANNEL_ARGS;
+
+typedef struct quic_channel_st QUIC_CHANNEL;
+
+/*
+ * Create a new QUIC channel using the given arguments. The argument structure
+ * does not need to remain allocated. Returns NULL on failure.
+ */
+QUIC_CHANNEL *ossl_quic_channel_new(const QUIC_CHANNEL_ARGS *args);
+
+/* No-op if ch is NULL. */
+void ossl_quic_channel_free(QUIC_CHANNEL *ch);
+
+/*
+ * Connection Lifecycle Events
+ * ===========================
+ *
+ * Various events that can be raised on the channel by other parts of the QUIC
+ * implementation. Some of these are suitable for general use by any part of the
+ * code (e.g. ossl_quic_channel_raise_protocol_error), others are for very
+ * specific use by particular components only (e.g.
+ * ossl_quic_channel_on_handshake_confirmed).
+ *
+ */
+
+/*
+ * To be used by a QUIC connection. Starts the channel. For a client-mode
+ * channel, this starts sending the first handshake layer message, etc. Can only
+ * be called in the idle state; successive calls are ignored.
+ */
+int ossl_quic_channel_start(QUIC_CHANNEL *ch);
+
+/* Start a locally initiated connection shutdown. */
+void ossl_quic_channel_local_close(QUIC_CHANNEL *ch);
+
+/*
+ * Called when the handshake is confirmed.
+ */
+int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch);
+
+/*
+ * Raises a protocol error. This is intended to be the universal call suitable
+ * for handling of all peer-triggered protocol violations or errors detected by
+ * us. We specify a QUIC transport-scope error code and optional frame type
+ * which was responsible. If a frame type is not applicable, specify zero. The
+ * reason string is not currently handled, but should be a string of static
+ * storage duration. If the connection has already terminated due to a previous
+ * protocol error, this is a no-op; first error wins.
+ */
+void ossl_quic_channel_raise_protocol_error(QUIC_CHANNEL *ch,
+ uint64_t error_code,
+ uint64_t frame_type,
+ const char *reason);
+
+/* For RXDP use. */
+void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
+ OSSL_QUIC_FRAME_CONN_CLOSE *f);
+
+/*
+ * Queries and Accessors
+ * =====================
+ */
+
+/* Gets the reactor which can be used to tick/poll on the channel. */
+QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch);
+
+/* Gets the QSM used with the channel. */
+QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch);
+
+/* Gets the statistics manager used with the channel. */
+OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch);
+
+/*
+ * Gets/sets the current peer address. Generally this should be used before
+ * starting a channel in client mode.
+ */
+int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr);
+int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr);
+
+/* Gets/sets the underlying network read and write BIOs. */
+BIO *ossl_quic_channel_get_net_rbio(QUIC_CHANNEL *ch);
+BIO *ossl_quic_channel_get_net_wbio(QUIC_CHANNEL *ch);
+int ossl_quic_channel_set0_net_rbio(QUIC_CHANNEL *ch, BIO *net_rbio);
+int ossl_quic_channel_set0_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio);
+
+/*
+ * Returns an existing stream by stream ID. Returns NULL if the stream does not
+ * exist.
+ */
+QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
+ uint64_t stream_id);
+
+/* Returns 1 if channel is terminating or terminated. */
+int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch);
+int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch);
+int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch);
+int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch);
+int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch);
+
+#endif
diff --git a/ssl/quic/build.info b/ssl/quic/build.info
index 15aa53a359..5f4d761b26 100644
--- a/ssl/quic/build.info
+++ b/ssl/quic/build.info
@@ -10,3 +10,4 @@ SOURCE[$LIBSSL]=quic_stream_map.c
SOURCE[$LIBSSL]=quic_sf_list.c quic_rstream.c quic_sstream.c
SOURCE[$LIBSSL]=quic_dummy_handshake.c
SOURCE[$LIBSSL]=quic_reactor.c
+SOURCE[$LIBSSL]=quic_channel.c
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
new file mode 100644
index 0000000000..64ccf162fd
--- /dev/null
+++ b/ssl/quic/quic_channel.c
@@ -0,0 +1,1627 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/quic_channel.h"
+#include "internal/quic_error.h"
+#include "internal/quic_rx_depack.h"
+#include "../ssl_local.h"
+#include "quic_channel_local.h"
+#include <openssl/rand.h>
+
+#define INIT_DCID_LEN 8
+#define INIT_CRYPTO_BUF_LEN 8192
+#define INIT_APP_BUF_LEN 8192
+
+static int ch_rx(QUIC_CHANNEL *ch);
+static int ch_tx(QUIC_CHANNEL *ch);
+static void ch_tick(QUIC_TICK_RESULT *res, void *arg);
+static void ch_rx_handle_packet(QUIC_CHANNEL *ch);
+static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
+static int ch_retry(QUIC_CHANNEL *ch,
+ const unsigned char *retry_token,
+ size_t retry_token_len,
+ const QUIC_CONN_ID *retry_scid);
+static void ch_cleanup(QUIC_CHANNEL *ch);
+static int ch_generate_transport_params(QUIC_CHANNEL *ch);
+static int ch_on_transport_params(const unsigned char *params,
+ size_t params_len,
+ void *arg);
+static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
+static int ch_on_handshake_complete(void *arg);
+static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
+ uint32_t suite_id, EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len,
+ void *arg);
+static int ch_on_crypto_recv(unsigned char *buf, size_t buf_len,
+ size_t *bytes_read, void *arg);
+static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
+static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
+ size_t *consumed, void *arg);
+static OSSL_TIME get_time(void *arg);
+static uint64_t get_stream_limit(int uni, void *arg);
+static int rx_early_validate(QUIC_PN pn, int pn_space, void *arg);
+static int ch_retry(QUIC_CHANNEL *ch,
+ const unsigned char *retry_token,
+ size_t retry_token_len,
+ const QUIC_CONN_ID *retry_scid);
+static void ch_update_idle(QUIC_CHANNEL *ch);
+static int ch_discard_el(QUIC_CHANNEL *ch,
+ uint32_t enc_level);
+static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
+static void ch_update_idle(QUIC_CHANNEL *ch);
+static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
+static void ch_start_terminating(QUIC_CHANNEL *ch,
+ const QUIC_TERMINATE_CAUSE *tcause);
+
+static int gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, QUIC_CONN_ID *cid)
+{
+ if (len > QUIC_MAX_CONN_ID_LEN)
+ return 0;
+
+ cid->id_len = (unsigned char)len;
+
+ if (RAND_bytes_ex(libctx, cid->id, len, len * 8) != 1) {
+ cid->id_len = 0;
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * QUIC Channel Initialization and Teardown
+ * ========================================
+ */
+static int ch_init(QUIC_CHANNEL *ch)
+{
+ OSSL_QUIC_TX_PACKETISER_ARGS txp_args = {0};
+ OSSL_QTX_ARGS qtx_args = {0};
+ OSSL_QRX_ARGS qrx_args = {0};
+ QUIC_DHS_ARGS dhs_args = {0};
+ uint32_t pn_space;
+
+ // TODO CLIENT ONLY
+ if (!gen_rand_conn_id(ch->libctx, INIT_DCID_LEN, &ch->init_dcid))
+ goto err;
+
+ /* We plug in a network write BIO to the QTX later when we get one. */
+ qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
+ ch->rx_max_udp_payload_size = qtx_args.mdpl;
+
+ ch->qtx = ossl_qtx_new(&qtx_args);
+ if (ch->qtx == NULL)
+ goto err;
+
+ ch->txpim = ossl_quic_txpim_new();
+ if (ch->txpim == NULL)
+ goto err;
+
+ ch->cfq = ossl_quic_cfq_new();
+ if (ch->cfq == NULL)
+ goto err;
+
+ if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
+ goto err;
+
+ if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
+ 2 * 1024 * 1024,
+ 10 * 1024 * 1024,
+ get_time, NULL))
+ goto err;
+
+ if (!ossl_statm_init(&ch->statm))
+ goto err;
+
+ ch->have_statm = 1;
+ ch->cc_method = &ossl_cc_dummy_method;
+ if ((ch->cc_data = ch->cc_method->new(NULL, NULL, NULL)) == NULL)
+ goto err;
+
+ if ((ch->ackm = ossl_ackm_new(get_time, NULL, &ch->statm,
+ ch->cc_method, ch->cc_data)) == NULL)
+ goto err;
+
+ if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch))
+ goto err;
+
+ ch->have_qsm = 1;
+
+ /* We use a zero-length SCID. */
+ txp_args.cur_dcid = ch->init_dcid;
+ txp_args.ack_delay_exponent = 3;
+ txp_args.qtx = ch->qtx;
+ txp_args.txpim = ch->txpim;
+ txp_args.cfq = ch->cfq;
+ txp_args.ackm = ch->ackm;
+ txp_args.qsm = &ch->qsm;
+ txp_args.conn_txfc = &ch->conn_txfc;
+ txp_args.conn_rxfc = &ch->conn_rxfc;
+ txp_args.cc_method = ch->cc_method;
+ txp_args.cc_data = ch->cc_data;
+ txp_args.now = get_time;
+ for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
+ ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_BUF_LEN);
+ if (ch->crypto_send[pn_space] == NULL)
+ goto err;
+
+ txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
+ }
+
+ ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
+ if (ch->txp == NULL)
+ goto err;
+
+ if ((ch->demux = ossl_quic_demux_new(/*BIO=*/NULL, /*Short CID Len=*/0,
+ 1200, get_time, NULL)) == NULL)
+ goto err;
+
+ qrx_args.demux = ch->demux;
+ qrx_args.short_conn_id_len = 0; /* We use a zero-length SCID. */
+ qrx_args.max_deferred = 32;
+
+ if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
+ goto err;
+
+ if (!ossl_qrx_set_early_validation_cb(ch->qrx,
+ rx_early_validate,
+ ch))
+ goto err;
+
+ if (!ossl_qrx_add_dst_conn_id(ch->qrx, &txp_args.cur_scid))
+ goto err;
+
+ for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
+ ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL);
+ if (ch->crypto_recv[pn_space] == NULL)
+ goto err;
+ }
+
+ if ((ch->stream0 = ossl_quic_stream_map_alloc(&ch->qsm, 0,
+ QUIC_STREAM_INITIATOR_CLIENT
+ | QUIC_STREAM_DIR_BIDI)) == NULL)
+ goto err;
+
+ if ((ch->stream0->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
+ goto err;
+
+ if ((ch->stream0->rstream = ossl_quic_rstream_new(NULL, NULL)) == NULL)
+ goto err;
+
+ if (!ossl_quic_txfc_init(&ch->stream0->txfc, &ch->conn_txfc))
+ goto err;
+
+ if (!ossl_quic_rxfc_init(&ch->stream0->rxfc, &ch->conn_rxfc,
+ 1 * 1024 * 1024,
+ 5 * 1024 * 1024,
+ get_time, NULL))
+ goto err;
+
+ /* Plug in the dummy handshake layer. */
+ dhs_args.crypto_send_cb = ch_on_crypto_send;
+ dhs_args.crypto_send_cb_arg = ch;
+ dhs_args.crypto_recv_cb = ch_on_crypto_recv;
+ dhs_args.crypto_recv_cb_arg = ch;
+ dhs_args.yield_secret_cb = ch_on_handshake_yield_secret;
+ dhs_args.yield_secret_cb_arg = ch;
+ dhs_args.got_transport_params_cb = ch_on_transport_params;
+ dhs_args.got_transport_params_cb_arg= ch;
+ dhs_args.handshake_complete_cb = ch_on_handshake_complete;
+ dhs_args.handshake_complete_cb_arg = ch;
+ dhs_args.alert_cb = ch_on_handshake_alert;
+ dhs_args.alert_cb_arg = ch;
+
+ if ((ch->dhs = ossl_quic_dhs_new(&dhs_args)) == NULL)
+ goto err;
+
+ /*
+ * Determine the QUIC Transport Parameters and serialize the transport
+ * parameters block. (For servers, we do this later as we must defer
+ * generation until we have received the client's transport parameters.)
+ */
+ if (!ch->is_server && !ch_generate_transport_params(ch))
+ goto err;
+
+ ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
+ ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
+ ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
+ ch->max_idle_timeout = QUIC_DEFAULT_IDLE_TIMEOUT;
+ ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
+ ch_update_idle(ch);
+ ossl_quic_reactor_init(&ch->rtor, ch_tick, ch,
+ ch_determine_next_tick_deadline(ch));
+ return 1;
+
+err:
+ ch_cleanup(ch);
+ return 0;
+}
+
+static void ch_cleanup(QUIC_CHANNEL *ch)
+{
+ uint32_t pn_space;
+
+ if (ch->ackm != NULL)
+ for (pn_space = QUIC_PN_SPACE_INITIAL;
+ pn_space < QUIC_PN_SPACE_NUM;
+ ++pn_space)
+ ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);
+
+ ossl_quic_tx_packetiser_free(ch->txp);
+ ossl_quic_txpim_free(ch->txpim);
+ ossl_quic_cfq_free(ch->cfq);
+ ossl_qtx_free(ch->qtx);
+ if (ch->cc_data != NULL)
+ ch->cc_method->free(ch->cc_data);
+ if (ch->have_statm)
+ ossl_statm_destroy(&ch->statm);
+ ossl_ackm_free(ch->ackm);
+
+ if (ch->stream0 != NULL) {
+ assert(ch->have_qsm);
+ ossl_quic_stream_map_release(&ch->qsm, ch->stream0); /* frees sstream */
+ }
+
+ if (ch->have_qsm)
+ ossl_quic_stream_map_cleanup(&ch->qsm);
+
+ for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
+ ossl_quic_sstream_free(ch->crypto_send[pn_space]);
+ ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
+ }
+
+ ossl_qrx_pkt_release(ch->qrx_pkt);
+ ch->qrx_pkt = NULL;
+
+ ossl_quic_dhs_free(ch->dhs);
+ ossl_qrx_free(ch->qrx);
+ ossl_quic_demux_free(ch->demux);
+ OPENSSL_free(ch->local_transport_params);
+ BIO_free(ch->net_rbio);
+ BIO_free(ch->net_wbio);
+}
+
+QUIC_CHANNEL *ossl_quic_channel_new(const QUIC_CHANNEL_ARGS *args)
+{
+ QUIC_CHANNEL *ch = NULL;
+
+ if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
+ return NULL;
+
+ ch->libctx = args->libctx;
+ ch->propq = args->propq;
+ ch->is_server = args->is_server;
+
+ if (!ch_init(ch)) {
+ OPENSSL_free(ch);
+ return NULL;
+ }
+
+ return ch;
+}
+
+void ossl_quic_channel_free(QUIC_CHANNEL *ch)
+{
+ if (ch == NULL)
+ return;
+
+ ch_cleanup(ch);
+ OPENSSL_free(ch);
+}
+
+int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
+{
+ *peer_addr = ch->cur_peer_addr;
+ return 1;
+}
+
+int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
+{
+ ch->cur_peer_addr = *peer_addr;
+ return 1;
+}
+
+QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
+{
+ return &ch->rtor;
+}
+
+QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
+{
+ return &ch->qsm;
+}
+
+OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
+{
+ return &ch->statm;
+}
+
+QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
+ uint64_t stream_id)
+{
+ return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
+}
+
+int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
+{
+ return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
+}
+
+int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
+{
+ return ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING
+ || ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
+}
+
+int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
+{
+ return ch->state == QUIC_CHANNEL_STATE_TERMINATED;
+}
+
+int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
+{
+ return ossl_quic_channel_is_terminating(ch)
+ || ossl_quic_channel_is_terminated(ch);
+}
+
+int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
+{
+ return ch->handshake_complete;
+}
+
+/*
+ * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
+ * ================================================================
+ */
+
+/* Used by various components. */
+static OSSL_TIME get_time(void *arg)
+{
+ return ossl_time_now();
+}
+
+/* Used by QSM. */
+static uint64_t get_stream_limit(int uni, void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+
+ return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
+}
+
+/*
+ * Called by QRX to determine if a packet is potentially invalid before trying
+ * to decrypt it.
+ */
+static int rx_early_validate(QUIC_PN pn, int pn_space, void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+
+ /* Potential duplicates should not be processed. */
+ if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * QUIC Channel: Handshake Layer Event Handling
+ * ============================================
+ */
+static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
+ size_t *consumed, void *arg)
+{
+ int ret;
+ QUIC_CHANNEL *ch = arg;
+ uint32_t enc_level = ch->tx_enc_level;
+ uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
+ QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];
+
+ if (!ossl_assert(sstream != NULL))
+ return 0;
+
+ ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
+ return ret;
+}
+
+static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
+{
+ size_t avail = 0;
+ int is_fin = 0;
+
+ if (rstream == NULL)
+ return 1;
+
+ if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
+ return 0;
+
+ return avail == 0;
+}
+
+static int ch_on_crypto_recv(unsigned char *buf, size_t buf_len,
+ size_t *bytes_read, void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+ QUIC_RSTREAM *rstream;
+ int is_fin = 0; /* crypto stream is never finished, so we don't use this */
+ uint32_t i;
+
+ /*
+ * After we move to a later EL we must not allow our peer to send any new
+ * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
+ * are allowed.
+ *
+ * In practice we will only move to a new EL when we have consumed all bytes
+ * which should be sent on the crypto stream at a previous EL. For example,
+ * the Handshake EL should not be provisioned until we have completely
+ * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
+ * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
+ * given EL is available we simply ensure we have not received any further
+ * bytes at a lower EL.
+ */
+ for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->tx_enc_level; ++i)
+ if (i != QUIC_ENC_LEVEL_0RTT &&
+ !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
+ /* Protocol violation (RFC 9001 s. 4.1.3) */
+ ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
+ OSSL_QUIC_FRAME_TYPE_CRYPTO,
+ "crypto stream data in wrong EL");
+ return 0;
+ }
+
+ rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->tx_enc_level)];
+ if (rstream == NULL)
+ return 0;
+
+ return ossl_quic_rstream_read(rstream, buf, buf_len, bytes_read,
+ &is_fin);
+}
+
+static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
+ uint32_t suite_id, EVP_MD *md,
+ const unsigned char *secret,
+ size_t secret_len,
+ void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+ uint32_t i;
+
+ if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
+ /* Invalid EL. */
+ return 0;
+
+ if (enc_level <= ch->tx_enc_level)
+ /*
+ * Does not make sense for us to try and provision an EL we have already
+ * attained.
+ */
+ return 0;
+
+ /*
+ * Ensure all crypto streams for previous ELs are now empty of available
+ * data.
+ */
+ for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
+ if (!crypto_ensure_empty(ch->crypto_recv[i])) {
+ /* Protocol violation (RFC 9001 s. 4.1.3) */
+ ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_PROTOCOL_VIOLATION,
+ OSSL_QUIC_FRAME_TYPE_CRYPTO,
+ "crypto stream data in wrong EL");
+ return 0;
+ }
+
+ if (direction) {
+ /* TX */
+ if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
+ suite_id, md,
+ secret, secret_len))
+ return 0;
+
+ ch->tx_enc_level = enc_level;
+ } else {
+ /* RX */
+ if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
+ suite_id, md,
+ secret, secret_len))
+ return 0;
+ }
+
+ return 1;
+}
+
+static int ch_on_handshake_complete(void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+
+ if (ch->handshake_complete)
+ return 0; /* this should not happen twice */
+
+ if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
+ return 0;
+
+ if (!ch->got_remote_transport_params)
+ /*
+ * Was not a valid QUIC handshake if we did not get valid transport
+ * params.
+ */
+ return 0;
+
+ /* Don't need transport parameters anymore. */
+ OPENSSL_free(ch->local_transport_params);
+ ch->local_transport_params = NULL;
+
+ /* Tell TXP the handshake is complete. */
+ ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);
+
+ ch->handshake_complete = 1;
+ return 1;
+}
+
+static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
+{
+ QUIC_CHANNEL *ch = arg;
+
+ ossl_quic_channel_raise_protocol_error(ch, QUIC_ERR_CRYPTO_ERR_BEGIN + alert_code,
+ 0, "handshake alert");
+ return 1;
+}
+
+/*
+ * QUIC Channel: Transport Parameter Handling
+ * ==========================================
+ */
+
+/*
+ * Called by handshake layer when we receive QUIC Transport Parameters from the
+ * peer. Note that these are not authenticated until the handshake is marked
+ * as complete.
+ */
+static int ch_on_transport_params(const unsigned char *params,
+ size_t params_len,
+ void *arg)
+{
+ QUIC_CHANNEL *ch = arg;
+ PACKET pkt;
+ uint64_t id, v;
+ size_t len;
+ const unsigned char *body;
+ int got_orig_dcid = 0;
+ int got_initial_scid = 0;
+ int got_retry_scid = 0;
+ int got_initial_max_data = 0;
+ int got_initial_max_stream_data_bidi_local = 0;
+ int got_initial_max_stream_data_bidi_remote = 0;
+ int got_initial_max_stream_data_uni = 0;
+ int got_initial_max_streams_bidi = 0;
+ int got_initial_max_streams_uni = 0;
+ int got_ack_delay_exp = 0;
+ int got_max_ack_delay = 0;
+ int got_max_udp_payload_size = 0;
+ int got_max_idle_timeout = 0;
+ int got_active_conn_id_limit = 0;
+ QUIC_CONN_ID cid;
+
+ if (ch->got_remote_transport_params)
+ goto malformed;
+
+ if (!PACKET_buf_init(&pkt, params, params_len))
+ return 0;
+
+ while (PACKET_remaining(&pkt) > 0) {
+ if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
+ goto malformed;
+
+ switch (id) {
+ case QUIC_TPARAM_ORIG_DCID:
+ if (got_orig_dcid)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid))
+ goto malformed;
+
+ /* Must match our initial DCID. */
+ if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid))
+ goto malformed;
+
+ got_orig_dcid = 1;
+ break;
+
+ case QUIC_TPARAM_RETRY_SCID:
+ if (got_retry_scid || !ch->doing_retry)
+ /* must not appear more than once or if retry not done */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid))
+ goto malformed;
+
+ /* Must match Retry packet SCID. */
+ if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid))
+ goto malformed;
+
+ got_retry_scid = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_SCID:
+ if (got_initial_scid)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid))
+ goto malformed;
+
+ /* Must match SCID of first Initial packet from server. */
+ if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid))
+ goto malformed;
+
+ got_initial_scid = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_DATA:
+ if (got_initial_max_data)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v))
+ goto malformed;
+
+ ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
+ got_initial_max_data = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
+ if (got_initial_max_stream_data_bidi_local)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v))
+ goto malformed;
+
+ /*
+ * This is correct; the BIDI_LOCAL TP governs streams created by
+ * the endpoint which sends the TP, i.e., our peer.
+ */
+ ch->init_max_stream_data_bidi_remote = v;
+ got_initial_max_stream_data_bidi_local = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
+ if (got_initial_max_stream_data_bidi_remote)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v))
+ goto malformed;
+
+ /*
+ * This is correct; the BIDI_REMOTE TP governs streams created
+ * by the endpoint which receives the TP, i.e., us.
+ */
+ ch->init_max_stream_data_bidi_local = v;
+
+ /* Apply to stream 0. */
+ ossl_quic_txfc_bump_cwm(&ch->stream0->txfc, v);
+ got_initial_max_stream_data_bidi_remote = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
+ if (got_initial_max_stream_data_uni)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v))
+ goto malformed;
+
+ ch->init_max_stream_data_uni_remote = v;
+ got_initial_max_stream_data_uni = 1;
+ break;
+
+ case QUIC_TPARAM_ACK_DELAY_EXP:
+ if (got_ack_delay_exp)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
+ || v > QUIC_MAX_ACK_DELAY_EXP)
+ goto malformed;
+
+ ch->rx_ack_delay_exp = (unsigned char)v;
+ got_ack_delay_exp = 1;
+ break;
+
+ case QUIC_TPARAM_MAX_ACK_DELAY:
+ if (got_max_ack_delay)
+ /* must not appear more than once */
+ return 0;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
+ || v >= (((uint64_t)1) << 14))
+ goto malformed;
+
+ ch->rx_max_ack_delay = v;
+ got_max_ack_delay = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
+ if (got_initial_max_streams_bidi)
+ /* must not appear more than once */
+ return 0;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
+ || v > (((uint64_t)1) << 60))
+ goto malformed;
+
+ assert(ch->max_local_streams_bidi == 0);
+ ch->max_local_streams_bidi = v;
+ got_initial_max_streams_bidi = 1;
+ break;
+
+ case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
+ if (got_initial_max_streams_uni)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
+ || v > (((uint64_t)1) << 60))
+ goto malformed;
+
+ assert(ch->max_local_streams_uni == 0);
+ ch->max_local_streams_uni = v;
+ got_initial_max_streams_uni = 1;
+ break;
+
+ case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
+ if (got_max_idle_timeout)
+ /* must not appear more than once */
+ goto malformed;
+
+ if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v))
+ goto malformed;
+
+ if (v < ch->max_idle_timeout)
+ ch->max_idle_timeout = v;
+
+ ch_update_idle(ch);
+ got_max_idle_timeout = 1;
+ break;
+
+ case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
+ if (go