1
/*
2
 * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
#include "internal/quic_demux.h"
11
#include "internal/quic_wire_pkt.h"
12
#include "internal/common.h"
13
#include <openssl/lhash.h>
14
#include <openssl/err.h>
15

16
#define URXE_DEMUX_STATE_FREE 0 /* on urx_free list */
17
#define URXE_DEMUX_STATE_PENDING 1 /* on urx_pending list */
18
#define URXE_DEMUX_STATE_ISSUED 2 /* on neither list */
19

20
#define DEMUX_MAX_MSGS_PER_CALL 32
21

22
#define DEMUX_DEFAULT_MTU 1500
23

24
struct quic_demux_st {
25
    /* The underlying transport BIO with datagram semantics. */
26
    BIO *net_bio;
27

28
    /*
29
     * QUIC short packets do not contain the length of the connection ID field,
30
     * therefore it must be known contextually. The demuxer requires connection
31
     * IDs of the same length to be used for all incoming packets.
32
     */
33
    size_t short_conn_id_len;
34

35
    /*
36
     * Our current understanding of the upper bound on an incoming datagram size
37
     * in bytes.
38
     */
39
    size_t mtu;
40

41
    /* The datagram_id to use for the next datagram we receive. */
42
    uint64_t next_datagram_id;
43

44
    /* Time retrieval callback. */
45
    OSSL_TIME (*now)(void *arg);
46
    void *now_arg;
47

48
    /* The default packet handler, if any. */
49
    ossl_quic_demux_cb_fn *default_cb;
50
    void *default_cb_arg;
51

52
    /*
53
     * List of URXEs which are not currently in use (i.e., not filled with
54
     * unconsumed data). These are moved to the pending list as they are filled.
55
     */
56
    QUIC_URXE_LIST urx_free;
57

58
    /*
59
     * List of URXEs which are filled with received encrypted data. These are
60
     * removed from this list as we invoke the callbacks for each of them. They
61
     * are then not on any list managed by us; we forget about them until our
62
     * user calls ossl_quic_demux_release_urxe to return the URXE to us, at
63
     * which point we add it to the free list.
64
     */
65
    QUIC_URXE_LIST urx_pending;
66

67
    /* Whether to use local address support. */
68
    char use_local_addr;
69
};
70

71
QUIC_DEMUX *ossl_quic_demux_new(BIO *net_bio,
72
    size_t short_conn_id_len,
73
    OSSL_TIME (*now)(void *arg),
74
    void *now_arg)
75
{
76
    QUIC_DEMUX *demux;
77

78
    demux = OPENSSL_zalloc(sizeof(QUIC_DEMUX));
79
    if (demux == NULL)
80
        return NULL;
81

82
    demux->net_bio = net_bio;
83
    demux->short_conn_id_len = short_conn_id_len;
84
    /* We update this if possible when we get a BIO. */
85
    demux->mtu = DEMUX_DEFAULT_MTU;
86
    demux->now = now;
87
    demux->now_arg = now_arg;
88

89
    if (net_bio != NULL
90
        && BIO_dgram_get_local_addr_cap(net_bio)
91
        && BIO_dgram_set_local_addr_enable(net_bio, 1))
92
        demux->use_local_addr = 1;
93

94
    return demux;
95
}
96

97
static void demux_free_urxl(QUIC_URXE_LIST *l)
98
{
99
    QUIC_URXE *e, *enext;
100

101
    for (e = ossl_list_urxe_head(l); e != NULL; e = enext) {
102
        enext = ossl_list_urxe_next(e);
103
        ossl_list_urxe_remove(l, e);
104
        OPENSSL_free(e);
105
    }
106
}
107

108
void ossl_quic_demux_free(QUIC_DEMUX *demux)
109
{
110
    if (demux == NULL)
111
        return;
112

113
    /* Free all URXEs we are holding. */
114
    demux_free_urxl(&demux->urx_free);
115
    demux_free_urxl(&demux->urx_pending);
116

117
    OPENSSL_free(demux);
118
}
119

120
void ossl_quic_demux_set_bio(QUIC_DEMUX *demux, BIO *net_bio)
121
{
122
    unsigned int mtu;
123

124
    demux->net_bio = net_bio;
125

126
    if (net_bio != NULL) {
127
        /*
128
         * Try to determine our MTU if possible. The BIO is not required to
129
         * support this, in which case we remain at the last known MTU, or our
130
         * initial default.
131
         */
132
        mtu = BIO_dgram_get_mtu(net_bio);
133
        if (mtu >= QUIC_MIN_INITIAL_DGRAM_LEN)
134
            ossl_quic_demux_set_mtu(demux, mtu); /* best effort */
135
    }
136
}
137

138
int ossl_quic_demux_set_mtu(QUIC_DEMUX *demux, unsigned int mtu)
139
{
140
    if (mtu < QUIC_MIN_INITIAL_DGRAM_LEN)
141
        return 0;
142

143
    demux->mtu = mtu;
144
    return 1;
145
}
146

147
void ossl_quic_demux_set_default_handler(QUIC_DEMUX *demux,
148
    ossl_quic_demux_cb_fn *cb,
149
    void *cb_arg)
150
{
151
    demux->default_cb = cb;
152
    demux->default_cb_arg = cb_arg;
153
}
154

155
static QUIC_URXE *demux_alloc_urxe(size_t alloc_len)
156
{
157
    QUIC_URXE *e;
158

159
    if (alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
160
        return NULL;
161

162
    e = OPENSSL_malloc(sizeof(QUIC_URXE) + alloc_len);
163
    if (e == NULL)
164
        return NULL;
165

166
    ossl_list_urxe_init_elem(e);
167
    e->alloc_len = alloc_len;
168
    e->data_len = 0;
169
    return e;
170
}
171

172
static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
173
    size_t new_alloc_len)
174
{
175
    QUIC_URXE *e2, *prev;
176

177
    if (!ossl_assert(e->demux_state == URXE_DEMUX_STATE_FREE))
178
        /* Never attempt to resize a URXE which is not on the free list. */
179
        return NULL;
180

181
    prev = ossl_list_urxe_prev(e);
182
    ossl_list_urxe_remove(&demux->urx_free, e);
183

184
    if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
185
        return NULL;
186

187
    e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len);
188
    if (e2 == NULL) {
189
        /* Failed to resize, abort. */
190
        if (prev == NULL)
191
            ossl_list_urxe_insert_head(&demux->urx_free, e);
192
        else
193
            ossl_list_urxe_insert_after(&demux->urx_free, prev, e);
194

195
        return NULL;
196
    }
197

198
    if (prev == NULL)
199
        ossl_list_urxe_insert_head(&demux->urx_free, e2);
200
    else
201
        ossl_list_urxe_insert_after(&demux->urx_free, prev, e2);
202

203
    e2->alloc_len = new_alloc_len;
204
    return e2;
205
}
206

207
static QUIC_URXE *demux_reserve_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
208
    size_t alloc_len)
209
{
210
    return e->alloc_len < alloc_len ? demux_resize_urxe(demux, e, alloc_len) : e;
211
}
212

213
static int demux_ensure_free_urxe(QUIC_DEMUX *demux, size_t min_num_free)
214
{
215
    QUIC_URXE *e;
216

217
    while (ossl_list_urxe_num(&demux->urx_free) < min_num_free) {
218
        e = demux_alloc_urxe(demux->mtu);
219
        if (e == NULL)
220
            return 0;
221

222
        ossl_list_urxe_insert_tail(&demux->urx_free, e);
223
        e->demux_state = URXE_DEMUX_STATE_FREE;
224
    }
225

226
    return 1;
227
}
228

229
/*
230
 * Receive datagrams from network, placing them into URXEs.
231
 *
232
 * Returns 1 on success or 0 on failure.
233
 *
234
 * Precondition: at least one URXE is free
235
 * Precondition: there are no pending URXEs
236
 */
237
static int demux_recv(QUIC_DEMUX *demux)
238
{
239
    BIO_MSG msg[DEMUX_MAX_MSGS_PER_CALL];
240
    size_t rd, i;
241
    QUIC_URXE *urxe = ossl_list_urxe_head(&demux->urx_free), *unext;
242
    OSSL_TIME now;
243

244
    /* This should never be called when we have any pending URXE. */
245
    assert(ossl_list_urxe_head(&demux->urx_pending) == NULL);
246
    assert(urxe->demux_state == URXE_DEMUX_STATE_FREE);
247

248
    if (demux->net_bio == NULL)
249
        /*
250
         * If no BIO is plugged in, treat this as no datagram being available.
251
         */
252
        return QUIC_DEMUX_PUMP_RES_TRANSIENT_FAIL;
253

254
    /*
255
     * Opportunistically receive as many messages as possible in a single
256
     * syscall, determined by how many free URXEs are available.
257
     */
258
    for (i = 0; i < (ossl_ssize_t)OSSL_NELEM(msg);
259
        ++i, urxe = ossl_list_urxe_next(urxe)) {
260
        if (urxe == NULL) {
261
            /* We need at least one URXE to receive into. */
262
            if (!ossl_assert(i > 0))
263
                return QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL;
264

265
            break;
266
        }
267

268
        /* Ensure the URXE is big enough. */
269
        urxe = demux_reserve_urxe(demux, urxe, demux->mtu);
270
        if (urxe == NULL)
271
            /* Allocation error, fail. */
272
            return QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL;
273

274
        /* Ensure we zero any fields added to BIO_MSG at a later date. */
275
        memset(&msg[i], 0, sizeof(BIO_MSG));
276
        msg[i].data = ossl_quic_urxe_data(urxe);
277
        msg[i].data_len = urxe->alloc_len;
278
        msg[i].peer = &urxe->peer;
279
        BIO_ADDR_clear(&urxe->peer);
280
        if (demux->use_local_addr)
281
            msg[i].local = &urxe->local;
282
        else
283
            BIO_ADDR_clear(&urxe->local);
284
    }
285

286
    ERR_set_mark();
287
    if (!BIO_recvmmsg(demux->net_bio, msg, sizeof(BIO_MSG), i, 0, &rd)) {
288
        if (BIO_err_is_non_fatal(ERR_peek_last_error())) {
289
            /* Transient error, clear the error and stop. */
290
            ERR_pop_to_mark();
291
            return QUIC_DEMUX_PUMP_RES_TRANSIENT_FAIL;
292
        } else {
293
            /* Non-transient error, do not clear the error. */
294
            ERR_clear_last_mark();
295
            return QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL;
296
        }
297
    }
298

299
    ERR_clear_last_mark();
300
    now = demux->now != NULL ? demux->now(demux->now_arg) : ossl_time_zero();
301

302
    urxe = ossl_list_urxe_head(&demux->urx_free);
303
    for (i = 0; i < rd; ++i, urxe = unext) {
304
        unext = ossl_list_urxe_next(urxe);
305
        /* Set URXE with actual length of received datagram. */
306
        urxe->data_len = msg[i].data_len;
307
        /* Time we received datagram. */
308
        urxe->time = now;
309
        urxe->datagram_id = demux->next_datagram_id++;
310
        /* Move from free list to pending list. */
311
        ossl_list_urxe_remove(&demux->urx_free, urxe);
312
        ossl_list_urxe_insert_tail(&demux->urx_pending, urxe);
313
        urxe->demux_state = URXE_DEMUX_STATE_PENDING;
314
    }
315

316
    return QUIC_DEMUX_PUMP_RES_OK;
317
}
318

319
/* Extract destination connection ID from the first packet in a datagram. */
320
static int demux_identify_conn_id(QUIC_DEMUX *demux,
321
    QUIC_URXE *e,
322
    QUIC_CONN_ID *dst_conn_id)
323
{
324
    return ossl_quic_wire_get_pkt_hdr_dst_conn_id(ossl_quic_urxe_data(e),
325
        e->data_len,
326
        demux->short_conn_id_len,
327
        dst_conn_id);
328
}
329

330
/*
331
 * Process a single pending URXE.
332
 * Returning 1 on success, 0 on failure.
333
 */
334
static int demux_process_pending_urxe(QUIC_DEMUX *demux, QUIC_URXE *e)
335
{
336
    QUIC_CONN_ID dst_conn_id;
337
    int dst_conn_id_ok = 0;
338

339
    /* The next URXE we process should be at the head of the pending list. */
340
    if (!ossl_assert(e == ossl_list_urxe_head(&demux->urx_pending)))
341
        return 0;
342

343
    assert(e->demux_state == URXE_DEMUX_STATE_PENDING);
344

345
    /* Determine the DCID of the first packet in the datagram. */
346
    dst_conn_id_ok = demux_identify_conn_id(demux, e, &dst_conn_id);
347

348
    ossl_list_urxe_remove(&demux->urx_pending, e);
349
    if (demux->default_cb != NULL) {
350
        /*
351
         * Pass to default handler for routing. The URXE now belongs to the
352
         * callback.
353
         */
354
        e->demux_state = URXE_DEMUX_STATE_ISSUED;
355
        demux->default_cb(e, demux->default_cb_arg,
356
            dst_conn_id_ok ? &dst_conn_id : NULL);
357
    } else {
358
        /* Discard. */
359
        ossl_list_urxe_insert_tail(&demux->urx_free, e);
360
        e->demux_state = URXE_DEMUX_STATE_FREE;
361
    }
362

363
    return 1; /* keep processing pending URXEs */
364
}
365

366
/* Process pending URXEs to generate callbacks. */
367
static int demux_process_pending_urxl(QUIC_DEMUX *demux)
368
{
369
    QUIC_URXE *e;
370
    int ret;
371

372
    while ((e = ossl_list_urxe_head(&demux->urx_pending)) != NULL)
373
        if ((ret = demux_process_pending_urxe(demux, e)) <= 0)
374
            return ret;
375

376
    return 1;
377
}
378

379
/*
380
 * Drain the pending URXE list, processing any pending URXEs by making their
381
 * callbacks. If no URXEs are pending, a network read is attempted first.
382
 */
383
int ossl_quic_demux_pump(QUIC_DEMUX *demux)
384
{
385
    int ret;
386

387
    if (ossl_list_urxe_head(&demux->urx_pending) == NULL) {
388
        ret = demux_ensure_free_urxe(demux, DEMUX_MAX_MSGS_PER_CALL);
389
        if (ret != 1)
390
            return QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL;
391

392
        ret = demux_recv(demux);
393
        if (ret != QUIC_DEMUX_PUMP_RES_OK)
394
            return ret;
395

396
        /*
397
         * If demux_recv returned successfully, we should always have something.
398
         */
399
        assert(ossl_list_urxe_head(&demux->urx_pending) != NULL);
400
    }
401

402
    if ((ret = demux_process_pending_urxl(demux)) <= 0)
403
        return QUIC_DEMUX_PUMP_RES_PERMANENT_FAIL;
404

405
    return QUIC_DEMUX_PUMP_RES_OK;
406
}
407

408
/* Artificially inject a packet into the demuxer for testing purposes. */
409
int ossl_quic_demux_inject(QUIC_DEMUX *demux,
410
    const unsigned char *buf,
411
    size_t buf_len,
412
    const BIO_ADDR *peer,
413
    const BIO_ADDR *local)
414
{
415
    int ret;
416
    QUIC_URXE *urxe;
417

418
    ret = demux_ensure_free_urxe(demux, 1);
419
    if (ret != 1)
420
        return 0;
421

422
    urxe = ossl_list_urxe_head(&demux->urx_free);
423

424
    assert(urxe->demux_state == URXE_DEMUX_STATE_FREE);
425

426
    urxe = demux_reserve_urxe(demux, urxe, buf_len);
427
    if (urxe == NULL)
428
        return 0;
429

430
    memcpy(ossl_quic_urxe_data(urxe), buf, buf_len);
431
    urxe->data_len = buf_len;
432

433
    if (peer != NULL)
434
        urxe->peer = *peer;
435
    else
436
        BIO_ADDR_clear(&urxe->peer);
437

438
    if (local != NULL)
439
        urxe->local = *local;
440
    else
441
        BIO_ADDR_clear(&urxe->local);
442

443
    urxe->time
444
        = demux->now != NULL ? demux->now(demux->now_arg) : ossl_time_zero();
445

446
    /* Move from free list to pending list. */
447
    ossl_list_urxe_remove(&demux->urx_free, urxe);
448
    urxe->datagram_id = demux->next_datagram_id++;
449
    ossl_list_urxe_insert_tail(&demux->urx_pending, urxe);
450
    urxe->demux_state = URXE_DEMUX_STATE_PENDING;
451

452
    return demux_process_pending_urxl(demux) > 0;
453
}
454

455
/* Called by our user to return a URXE to the free list. */
456
void ossl_quic_demux_release_urxe(QUIC_DEMUX *demux,
457
    QUIC_URXE *e)
458
{
459
    assert(ossl_list_urxe_prev(e) == NULL && ossl_list_urxe_next(e) == NULL);
460
    assert(e->demux_state == URXE_DEMUX_STATE_ISSUED);
461
    ossl_list_urxe_insert_tail(&demux->urx_free, e);
462
    e->demux_state = URXE_DEMUX_STATE_FREE;
463
}
464

465
void ossl_quic_demux_reinject_urxe(QUIC_DEMUX *demux,
466
    QUIC_URXE *e)
467
{
468
    assert(ossl_list_urxe_prev(e) == NULL && ossl_list_urxe_next(e) == NULL);
469
    assert(e->demux_state == URXE_DEMUX_STATE_ISSUED);
470
    ossl_list_urxe_insert_head(&demux->urx_pending, e);
471
    e->demux_state = URXE_DEMUX_STATE_PENDING;
472
}
473

474
int ossl_quic_demux_has_pending(const QUIC_DEMUX *demux)
475
{
476
    return ossl_list_urxe_head(&demux->urx_pending) != NULL;
477
}
478

479