1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
=pod
=head1 NAME
SSL_get_conn_close_info, SSL_CONN_CLOSE_FLAG_LOCAL,
SSL_CONN_CLOSE_FLAG_TRANSPORT,
OSSL_QUIC_ERR_NO_ERROR,
OSSL_QUIC_ERR_INTERNAL_ERROR,
OSSL_QUIC_ERR_CONNECTION_REFUSED,
OSSL_QUIC_ERR_FLOW_CONTROL_ERROR,
OSSL_QUIC_ERR_STREAM_LIMIT_ERROR,
OSSL_QUIC_ERR_STREAM_STATE_ERROR,
OSSL_QUIC_ERR_FINAL_SIZE_ERROR,
OSSL_QUIC_ERR_FRAME_ENCODING_ERROR,
OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
OSSL_QUIC_ERR_INVALID_TOKEN,
OSSL_QUIC_ERR_APPLICATION_ERROR,
OSSL_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED,
OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
OSSL_QUIC_ERR_AEAD_LIMIT_REACHED,
OSSL_QUIC_ERR_NO_VIABLE_PATH,
OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN,
OSSL_QUIC_ERR_CRYPTO_ERR_END,
OSSL_QUIC_ERR_CRYPTO_ERR,
OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
- get information about why a QUIC connection was closed
=head1 SYNOPSIS
#include <openssl/ssl.h>
#define SSL_CONN_CLOSE_FLAG_LOCAL
#define SSL_CONN_CLOSE_FLAG_TRANSPORT
typedef struct ssl_conn_close_info_st {
uint64_t error_code, frame_type;
char *reason;
size_t reason_len;
uint32_t flags;
} SSL_CONN_CLOSE_INFO;
int SSL_get_conn_close_info(SSL *ssl, SSL_CONN_CLOSE_INFO *info,
size_t info_len);
#define OSSL_QUIC_ERR_NO_ERROR 0x00
#define OSSL_QUIC_ERR_INTERNAL_ERROR 0x01
#define OSSL_QUIC_ERR_CONNECTION_REFUSED 0x02
#define OSSL_QUIC_ERR_FLOW_CONTROL_ERROR 0x03
#define OSSL_QUIC_ERR_STREAM_LIMIT_ERROR 0x04
#define OSSL_QUIC_ERR_STREAM_STATE_ERROR 0x05
#define OSSL_QUIC_ERR_FINAL_SIZE_ERROR 0x06
#define OSSL_QUIC_ERR_FRAME_ENCODING_ERROR 0x07
#define OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR 0x08
#define OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR 0x09
#define OSSL_QUIC_ERR_PROTOCOL_VIOLATION 0x0A
#define OSSL_QUIC_ERR_INVALID_TOKEN 0x0B
#define OSSL_QUIC_ERR_APPLICATION_ERROR 0x0C
#define OSSL_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED 0x0D
#define OSSL_QUIC_ERR_KEY_UPDATE_ERROR 0x0E
#define OSSL_QUIC_ERR_AEAD_LIMIT_REACHED 0x0F
#define OSSL_QUIC_ERR_NO_VIABLE_PATH 0x10
/* Inclusive range for handshake-specific errors. */
#define OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN 0x0100
#define OSSL_QUIC_ERR_CRYPTO_ERR_END 0x01FF
#define OSSL_QUIC_ERR_CRYPTO_ERR(X)
#define OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
=head1 DESCRIPTION
The SSL_get_conn_close_info() function provides information about why and how a
QUIC connection was closed.
Connection closure information is written to I<*info>, which must be non-NULL.
I<info_len> must be set to C<sizeof(*info)>.
The following fields are set:
=over 4
=item I<error_code>
This is a 62-bit QUIC error code. It is either a 62-bit application error code
(if B<SSL_CONN_CLOSE_FLAG_TRANSPORT> not set in I<flags>) or a 62-bit standard
QUIC transport error code (if B<SSL_CONN_CLOSE_FLAG_TRANSPORT> is set in
I<flags>).
=item I<frame_type>
If B<SSL_CONN_CLOSE_FLAG_TRANSPORT> is set, this may be set to a QUIC frame type
number which caused the connection to be closed. It may also be set to 0 if no
frame type was specified as causing the connection to be closed. If
B<SSL_CONN_CLOSE_FLAG_TRANSPORT> is not set, this is set to 0.
=item I<reason>
If non-NULL, this is intended to be a UTF-8 textual string briefly describing
the reason for connection closure. The length of the reason string in bytes is
given in I<reason_len>. While, if non-NULL, OpenSSL guarantees that this string
will be zero terminated, consider that this buffer may originate from the
(untrusted) peer and thus may also contain zero bytes elsewhere. Therefore, use
of I<reason_len> is recommended.
While it is intended as per the QUIC protocol that this be a UTF-8 string, there
is no guarantee that this is the case for strings received from the peer.
=item B<SSL_CONN_CLOSE_FLAG_LOCAL>
If I<flags> has B<SSL_CONN_CLOSE_FLAG_LOCAL> set, connection closure was locally
triggered. This could be due to an application request (e.g. if
B<SSL_CONN_CLOSE_FLAG_TRANSPORT> is unset), or (if
I<SSL_CONN_CLOSE_FLAG_TRANSPORT> is set) due to logic internal to the QUIC
implementation (for example, if the peer engages in a protocol violation, or an
idle timeout occurs).
If unset, connection closure was remotely triggered.
=item B<SSL_CONN_CLOSE_FLAG_TRANSPORT>
If I<flags> has B<SSL_CONN_CLOSE_FLAG_TRANSPORT> set, connection closure was
triggered for QUIC protocol reasons. Otherwise, connection closure was triggered
by the local or remote application.
=back
The B<OSSL_QUIC_ERR> macro definitions provide the QUIC transport error codes as
defined by RFC 9000. The OSSL_QUIC_ERR_CRYPTO_ERR() macro can be used to convert
a TLS alert code into a QUIC transport error code by mapping it into the range
reserved for such codes by RFC 9000. This range begins at
B<OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN> and ends at B<OSSL_QUIC_ERR_CRYPTO_ERR_END>
inclusive.
=head1 NON-STANDARD TRANSPORT ERROR CODES
Some conditions which can cause QUIC connection termination are not signalled on
the wire and therefore do not have standard error codes. OpenSSL indicates these
errors via SSL_get_conn_close_info() by setting B<SSL_CONN_CLOSE_FLAG_TRANSPORT>
and using one of the following error values. These codes are specific to
OpenSSL, and cannot be sent over the wire, as they are above 2**62.
=over 4
=item B<OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT>
The connection was terminated immediately due to the idle timeout expiring.
=back
=head1 RETURN VALUES
SSL_get_conn_close_info() returns 1 on success and 0 on failure. This function
fails if called on a QUIC connection SSL object which has not yet been
terminated. It also fails if called on a QUIC stream SSL object or a non-QUIC
SSL object.
=head1 SEE ALSO
L<SSL_shutdown_ex(3)>
=head1 HISTORY
This function was added in OpenSSL 3.2.
=head1 COPYRIGHT
Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
|
