luna - curl/lib/vquic/curl

   1/***************************************************************************
   2 *                                  _   _ ____  _
   3 *  Project                     ___| | | |  _ \| |
   4 *                             / __| | | | |_) | |
   5 *                            | (__| |_| |  _ <| |___
   6 *                             \___|\___/|_| \_\_____|
   7 *
   8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
   9 *
  10 * This software is licensed as described in the file COPYING, which
  11 * you should have received as part of this distribution. The terms
  12 * are also available at https://curl.se/docs/copyright.html.
  13 *
  14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15 * copies of the Software, and permit persons to whom the Software is
  16 * furnished to do so, under the terms of the COPYING file.
  17 *
  18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19 * KIND, either express or implied.
  20 *
  21 * SPDX-License-Identifier: curl
  22 *
  23 ***************************************************************************/
  24#include "curl_setup.h"
  25
  26#if !defined(CURL_DISABLE_HTTP) && defined(USE_NGTCP2) && defined(USE_NGHTTP3)
  27#include <ngtcp2/ngtcp2.h>
  28#include <nghttp3/nghttp3.h>
  29
  30#ifdef USE_OPENSSL
  31#include <openssl/err.h>
  32#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
  33#include <ngtcp2/ngtcp2_crypto_boringssl.h>
  34#elif defined(OPENSSL_QUIC_API2)
  35#include <ngtcp2/ngtcp2_crypto_ossl.h>
  36#else
  37#include <ngtcp2/ngtcp2_crypto_quictls.h>
  38#endif
  39#include "vtls/openssl.h"
  40#elif defined(USE_GNUTLS)
  41#include <ngtcp2/ngtcp2_crypto_gnutls.h>
  42#include "vtls/gtls.h"
  43#elif defined(USE_WOLFSSL)
  44#include <ngtcp2/ngtcp2_crypto_wolfssl.h>
  45#include "vtls/wolfssl.h"
  46#endif
  47
  48#include "urldata.h"
  49#include "url.h"
  50#include "uint-hash.h"
  51#include "curl_trc.h"
  52#include "rand.h"
  53#include "multiif.h"
  54#include "cfilters.h"
  55#include "cf-dns.h"
  56#include "cf-socket.h"
  57#include "connect.h"
  58#include "progress.h"
  59#include "curlx/fopen.h"
  60#include "curlx/dynbuf.h"
  61#include "http1.h"
  62#include "select.h"
  63#include "transfer.h"
  64#include "bufref.h"
  65#include "vquic/vquic.h"
  66#include "vquic/vquic_int.h"
  67#include "vquic/vquic-tls.h"
  68#include "vtls/vtls.h"
  69#include "vtls/vtls_scache.h"
  70#include "vquic/curl_ngtcp2.h"
  71
  72
  73#define QUIC_MAX_STREAMS       (256 * 1024)
  74#define QUIC_HANDSHAKE_TIMEOUT (10 * NGTCP2_SECONDS)
  75
  76/* We announce a small window size in transport param to the server,
  77 * and grow that immediately to max when no rate limit is in place.
  78 * We need to start small as we are not able to decrease it. */
  79#define H3_STREAM_WINDOW_SIZE_INITIAL (32 * 1024)
  80#define H3_STREAM_WINDOW_SIZE_MAX     (10 * 1024 * 1024)
  81#define H3_CONN_WINDOW_SIZE_MAX       (100 * H3_STREAM_WINDOW_SIZE_MAX)
  82
  83#define H3_STREAM_CHUNK_SIZE  (64 * 1024)
  84#if H3_STREAM_CHUNK_SIZE < NGTCP2_MAX_UDP_PAYLOAD_SIZE
  85#error H3_STREAM_CHUNK_SIZE smaller than NGTCP2_MAX_UDP_PAYLOAD_SIZE
  86#endif
  87
  88/* The pool keeps spares around and half of a full stream windows
  89 * seems good. More does not seem to improve performance.
  90 * The benefit of the pool is that stream buffer to not keep
  91 * spares. Memory consumption goes down when streams run empty,
  92 * have a large upload done, etc. */
  93#define H3_STREAM_POOL_SPARES      2
  94/* The max amount of un-acked upload data we keep around per stream */
  95#define H3_STREAM_SEND_BUFFER_MAX      (10 * 1024 * 1024)
  96#define H3_STREAM_SEND_CHUNKS \
  97  (H3_STREAM_SEND_BUFFER_MAX / H3_STREAM_CHUNK_SIZE)
  98
  99/*
 100 * Store ngtcp2 version info in this buffer.
 101 */
 102void Curl_ngtcp2_ver(char *p, size_t len)
 103{
 104  const ngtcp2_info *ng2 = ngtcp2_version(0);
 105  const nghttp3_info *ht3 = nghttp3_version(0);
 106  (void)curl_msnprintf(p, len, "ngtcp2/%s nghttp3/%s",
 107                       ng2->version_str, ht3->version_str);
 108}
 109
 110struct cf_ngtcp2_ctx {
 111  struct cf_quic_ctx q;
 112  struct ssl_peer peer;
 113  struct curl_tls_ctx tls;
 114#ifdef OPENSSL_QUIC_API2
 115  ngtcp2_crypto_ossl_ctx *ossl_ctx;
 116#endif
 117  ngtcp2_path connected_path;
 118  ngtcp2_conn *qconn;
 119  ngtcp2_cid dcid;
 120  ngtcp2_cid scid;
 121  uint32_t version;
 122  ngtcp2_settings settings;
 123  ngtcp2_transport_params transport_params;
 124  ngtcp2_ccerr last_error;
 125  ngtcp2_crypto_conn_ref conn_ref;
 126  struct cf_call_data call_data;
 127  nghttp3_conn *h3conn;
 128  nghttp3_settings h3settings;
 129  struct curltime started_at;        /* time the current attempt started */
 130  struct curltime handshake_at;      /* time connect handshake finished */
 131  struct bufc_pool stream_bufcp;     /* chunk pool for streams */
 132  struct dynbuf scratch;             /* temp buffer for header construction */
 133  struct uint_hash streams;          /* hash `data->mid` to `h3_stream_ctx` */
 134  uint64_t used_bidi_streams;        /* bidi streams we have opened */
 135  uint64_t max_bidi_streams;         /* max bidi streams we can open */
 136  size_t earlydata_max;              /* max amount of early data supported by
 137                                        server on session reuse */
 138  size_t earlydata_skip;             /* sending bytes to skip when earlydata
 139                                        is accepted by peer */
 140  CURLcode tls_vrfy_result;          /* result of TLS peer verification */
 141  int qlogfd;
 142  BIT(initialized);
 143  BIT(tls_handshake_complete);       /* TLS handshake is done */
 144  BIT(use_earlydata);                /* Using 0RTT data */
 145  BIT(earlydata_accepted);           /* 0RTT was accepted by server */
 146  BIT(shutdown_started);             /* queued shutdown packets */
 147};
 148
 149/* How to access `call_data` from a cf_ngtcp2 filter */
 150#undef CF_CTX_CALL_DATA
 151#define CF_CTX_CALL_DATA(cf) ((struct cf_ngtcp2_ctx *)(cf)->ctx)->call_data
 152
 153static void h3_stream_hash_free(unsigned int id, void *stream);
 154
 155static void cf_ngtcp2_ctx_init(struct cf_ngtcp2_ctx *ctx)
 156{
 157  DEBUGASSERT(!ctx->initialized);
 158  ctx->qlogfd = -1;
 159  ctx->version = NGTCP2_PROTO_VER_MAX;
 160  Curl_bufcp_init(&ctx->stream_bufcp, H3_STREAM_CHUNK_SIZE,
 161                  H3_STREAM_POOL_SPARES);
 162  curlx_dyn_init(&ctx->scratch, CURL_MAX_HTTP_HEADER);
 163  Curl_uint32_hash_init(&ctx->streams, 63, h3_stream_hash_free);
 164  ctx->initialized = TRUE;
 165}
 166
 167static void cf_ngtcp2_ctx_free(struct cf_ngtcp2_ctx *ctx)
 168{
 169  if(ctx && ctx->initialized) {
 170    Curl_vquic_tls_cleanup(&ctx->tls);
 171    vquic_ctx_free(&ctx->q);
 172    Curl_bufcp_free(&ctx->stream_bufcp);
 173    curlx_dyn_free(&ctx->scratch);
 174    Curl_uint32_hash_destroy(&ctx->streams);
 175    Curl_ssl_peer_cleanup(&ctx->peer);
 176  }
 177  curlx_free(ctx);
 178}
 179
 180static void cf_ngtcp2_setup_keep_alive(struct Curl_cfilter *cf,
 181                                       struct Curl_easy *data)
 182{
 183  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 184  const ngtcp2_transport_params *rp;
 185  /* Peer should have sent us its transport parameters. If it
 186   * announces a positive `max_idle_timeout` it closes the
 187   * connection when it does not hear from us for that time.
 188   *
 189   * Some servers use this as a keep-alive timer at a rather low
 190   * value. We are doing HTTP/3 here and waiting for the response
 191   * to a request may take a considerable amount of time. We need
 192   * to prevent the peer's QUIC stack from closing in this case.
 193   */
 194  if(!ctx->qconn)
 195    return;
 196
 197  rp = ngtcp2_conn_get_remote_transport_params(ctx->qconn);
 198  if(!rp || !rp->max_idle_timeout) {
 199    ngtcp2_conn_set_keep_alive_timeout(ctx->qconn, UINT64_MAX);
 200    CURL_TRC_CF(data, cf, "no peer idle timeout, unset keep-alive");
 201  }
 202  else if(!Curl_uint32_hash_count(&ctx->streams)) {
 203    ngtcp2_conn_set_keep_alive_timeout(ctx->qconn, UINT64_MAX);
 204    CURL_TRC_CF(data, cf, "no active streams, unset keep-alive");
 205  }
 206  else {
 207    ngtcp2_duration keep_ns;
 208    keep_ns = (rp->max_idle_timeout > 1) ? (rp->max_idle_timeout / 2) : 1;
 209    ngtcp2_conn_set_keep_alive_timeout(ctx->qconn, keep_ns);
 210    CURL_TRC_CF(data, cf, "peer idle timeout is %" PRIu64 "ms, "
 211                "set keep-alive to %" PRIu64 " ms.",
 212                (rp->max_idle_timeout / NGTCP2_MILLISECONDS),
 213                (keep_ns / NGTCP2_MILLISECONDS));
 214  }
 215}
 216
 217struct pkt_io_ctx;
 218static CURLcode cf_progress_ingress(struct Curl_cfilter *cf,
 219                                    struct Curl_easy *data,
 220                                    struct pkt_io_ctx *pktx);
 221static CURLcode cf_progress_egress(struct Curl_cfilter *cf,
 222                                   struct Curl_easy *data,
 223                                   struct pkt_io_ctx *pktx);
 224
 225/**
 226 * All about the H3 internals of a stream
 227 */
 228struct h3_stream_ctx {
 229  int64_t id;                   /* HTTP/3 protocol identifier */
 230  struct bufq sendbuf;          /* h3 request body */
 231  struct h1_req_parser h1;      /* h1 request parsing */
 232  size_t sendbuf_len_in_flight; /* sendbuf amount "in flight" */
 233  uint64_t error3;              /* HTTP/3 stream error code */
 234  curl_off_t upload_left;       /* number of request bytes left to upload */
 235  uint64_t rx_offset;           /* current receive offset */
 236  uint64_t rx_offset_max;       /* allowed receive offset */
 237  uint64_t window_size_max;     /* max flow control window set for stream */
 238  int status_code;              /* HTTP status code */
 239  CURLcode xfer_result;         /* result from xfer_resp_write(_hd) */
 240  BIT(resp_hds_complete);       /* we have a complete, final response */
 241  BIT(closed);                  /* TRUE on stream close */
 242  BIT(reset);                   /* TRUE on stream reset */
 243  BIT(send_closed);             /* stream is local closed */
 244  BIT(quic_flow_blocked);       /* stream is blocked by QUIC flow control */
 245};
 246
 247static void h3_stream_ctx_free(struct h3_stream_ctx *stream)
 248{
 249  Curl_bufq_free(&stream->sendbuf);
 250  Curl_h1_req_parse_free(&stream->h1);
 251  curlx_free(stream);
 252}
 253
 254static void h3_stream_hash_free(unsigned int id, void *stream)
 255{
 256  (void)id;
 257  DEBUGASSERT(stream);
 258  h3_stream_ctx_free((struct h3_stream_ctx *)stream);
 259}
 260
 261static CURLcode h3_data_setup(struct Curl_cfilter *cf,
 262                              struct Curl_easy *data)
 263{
 264  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 265  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
 266
 267  if(!data)
 268    return CURLE_FAILED_INIT;
 269
 270  if(stream)
 271    return CURLE_OK;
 272
 273  stream = curlx_calloc(1, sizeof(*stream));
 274  if(!stream)
 275    return CURLE_OUT_OF_MEMORY;
 276
 277  stream->id = -1;
 278  stream->rx_offset = 0;
 279  stream->rx_offset_max = H3_STREAM_WINDOW_SIZE_INITIAL;
 280
 281  /* on send, we control how much we put into the buffer */
 282  Curl_bufq_initp(&stream->sendbuf, &ctx->stream_bufcp,
 283                  H3_STREAM_SEND_CHUNKS, BUFQ_OPT_NONE);
 284  stream->sendbuf_len_in_flight = 0;
 285  stream->window_size_max = H3_STREAM_WINDOW_SIZE_INITIAL;
 286  Curl_h1_req_parse_init(&stream->h1, H1_PARSE_DEFAULT_MAX_LINE_LEN);
 287
 288  if(!Curl_uint32_hash_set(&ctx->streams, data->mid, stream)) {
 289    h3_stream_ctx_free(stream);
 290    return CURLE_OUT_OF_MEMORY;
 291  }
 292
 293  if(Curl_uint32_hash_count(&ctx->streams) == 1)
 294    cf_ngtcp2_setup_keep_alive(cf, data);
 295
 296  return CURLE_OK;
 297}
 298
 299#if NGTCP2_VERSION_NUM < 0x011100
 300struct cf_ngtcp2_sfind_ctx {
 301  int64_t stream_id;
 302  struct h3_stream_ctx *stream;
 303  uint32_t mid;
 304};
 305
 306static bool cf_ngtcp2_sfind(uint32_t mid, void *value, void *user_data)
 307{
 308  struct cf_ngtcp2_sfind_ctx *fctx = user_data;
 309  struct h3_stream_ctx *stream = value;
 310
 311  if(fctx->stream_id == stream->id) {
 312    fctx->mid = mid;
 313    fctx->stream = stream;
 314    return FALSE;
 315  }
 316  return TRUE; /* continue */
 317}
 318
 319static struct h3_stream_ctx *cf_ngtcp2_get_stream(struct cf_ngtcp2_ctx *ctx,
 320                                                  int64_t stream_id)
 321{
 322  struct cf_ngtcp2_sfind_ctx fctx;
 323  fctx.stream_id = stream_id;
 324  fctx.stream = NULL;
 325  Curl_uint32_hash_visit(&ctx->streams, cf_ngtcp2_sfind, &fctx);
 326  return fctx.stream;
 327}
 328#else
 329static struct h3_stream_ctx *cf_ngtcp2_get_stream(struct cf_ngtcp2_ctx *ctx,
 330                                                  int64_t stream_id)
 331{
 332  struct Curl_easy *data =
 333    ngtcp2_conn_get_stream_user_data(ctx->qconn, stream_id);
 334
 335  if(!data) {
 336    return NULL;
 337  }
 338
 339  return H3_STREAM_CTX(ctx, data);
 340}
 341#endif
 342
 343static void cf_ngtcp2_stream_close(struct Curl_cfilter *cf,
 344                                   struct Curl_easy *data,
 345                                   struct h3_stream_ctx *stream)
 346{
 347  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 348  DEBUGASSERT(data);
 349  DEBUGASSERT(stream);
 350  if(!stream->closed && ctx->qconn && ctx->h3conn) {
 351    CURLcode result;
 352
 353    nghttp3_conn_set_stream_user_data(ctx->h3conn, stream->id, NULL);
 354    ngtcp2_conn_set_stream_user_data(ctx->qconn, stream->id, NULL);
 355    stream->closed = TRUE;
 356    (void)ngtcp2_conn_shutdown_stream(ctx->qconn, 0, stream->id,
 357                                      NGHTTP3_H3_REQUEST_CANCELLED);
 358    result = cf_progress_egress(cf, data, NULL);
 359    if(result)
 360      CURL_TRC_CF(data, cf, "[%" PRId64 "] cancel stream -> %d",
 361                  stream->id, result);
 362  }
 363}
 364
 365static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data)
 366{
 367  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 368  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
 369  (void)cf;
 370  if(stream) {
 371    CURL_TRC_CF(data, cf, "[%" PRId64 "] easy handle is done", stream->id);
 372    cf_ngtcp2_stream_close(cf, data, stream);
 373    Curl_uint32_hash_remove(&ctx->streams, data->mid);
 374    if(!Curl_uint32_hash_count(&ctx->streams))
 375      cf_ngtcp2_setup_keep_alive(cf, data);
 376  }
 377}
 378
 379struct pkt_io_ctx {
 380  struct Curl_cfilter *cf;
 381  struct Curl_easy *data;
 382  ngtcp2_tstamp ts;
 383  ngtcp2_path_storage ps;
 384};
 385
 386static void pktx_update_time(struct Curl_easy *data,
 387                             struct pkt_io_ctx *pktx,
 388                             struct Curl_cfilter *cf)
 389{
 390  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 391  const struct curltime *pnow = Curl_pgrs_now(data);
 392
 393  vquic_ctx_update_time(&ctx->q, pnow);
 394  pktx->ts = ((ngtcp2_tstamp)pnow->tv_sec * NGTCP2_SECONDS) +
 395             ((ngtcp2_tstamp)pnow->tv_usec * NGTCP2_MICROSECONDS);
 396}
 397
 398static void pktx_init(struct pkt_io_ctx *pktx,
 399                      struct Curl_cfilter *cf,
 400                      struct Curl_easy *data)
 401{
 402  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 403  const struct curltime *pnow = Curl_pgrs_now(data);
 404
 405  pktx->cf = cf;
 406  pktx->data = data;
 407  ngtcp2_path_storage_zero(&pktx->ps);
 408  vquic_ctx_set_time(&ctx->q, pnow);
 409  pktx->ts = ((ngtcp2_tstamp)pnow->tv_sec * NGTCP2_SECONDS) +
 410             ((ngtcp2_tstamp)pnow->tv_usec * NGTCP2_MICROSECONDS);
 411}
 412
 413static int cb_h3_acked_req_body(nghttp3_conn *conn, int64_t stream_id,
 414                                uint64_t datalen, void *user_data,
 415                                void *stream_user_data);
 416
 417static ngtcp2_conn *get_conn(ngtcp2_crypto_conn_ref *conn_ref)
 418{
 419  struct Curl_cfilter *cf = conn_ref->user_data;
 420  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 421  return ctx->qconn;
 422}
 423
 424#ifdef DEBUG_NGTCP2
 425static void quic_printf(void *user_data, const char *fmt, ...)
 426{
 427  struct Curl_cfilter *cf = user_data;
 428  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 429
 430  (void)ctx;  /* need an easy handle to infof() message */
 431  va_list ap;
 432  va_start(ap, fmt);
 433  curl_mvfprintf(stderr, fmt, ap);
 434  va_end(ap);
 435  curl_mfprintf(stderr, "\n");
 436}
 437#endif
 438
 439static void qlog_callback(void *user_data, uint32_t flags,
 440                          const void *data, size_t datalen)
 441{
 442  struct Curl_cfilter *cf = user_data;
 443  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 444  (void)flags;
 445  if(ctx->qlogfd != -1) {
 446    ssize_t rc = write(ctx->qlogfd, data, datalen);
 447    if(rc == -1) {
 448      /* on write error, stop further write attempts */
 449      curlx_close(ctx->qlogfd);
 450      ctx->qlogfd = -1;
 451    }
 452  }
 453}
 454
 455static void quic_settings(struct cf_ngtcp2_ctx *ctx,
 456                          struct Curl_easy *data,
 457                          struct pkt_io_ctx *pktx)
 458{
 459  ngtcp2_settings *s = &ctx->settings;
 460  ngtcp2_transport_params *t = &ctx->transport_params;
 461
 462  ngtcp2_settings_default(s);
 463  ngtcp2_transport_params_default(t);
 464#ifdef DEBUG_NGTCP2
 465  s->log_printf = quic_printf;
 466#else
 467  s->log_printf = NULL;
 468#endif
 469
 470  s->initial_ts = pktx->ts;
 471  s->handshake_timeout = (data->set.connecttimeout > 0) ?
 472    data->set.connecttimeout * NGTCP2_MILLISECONDS : QUIC_HANDSHAKE_TIMEOUT;
 473  s->max_window = H3_CONN_WINDOW_SIZE_MAX;
 474  s->max_stream_window = 0; /* disable ngtcp2 auto-tuning of window */
 475  s->no_pmtud = FALSE;
 476#ifdef NGTCP2_SETTINGS_V3
 477  /* try ten times the ngtcp2 defaults here for problems with Caddy */
 478  s->glitch_ratelim_burst = 1000 * 10;
 479  s->glitch_ratelim_rate = 33 * 10;
 480#endif
 481  t->initial_max_data = s->max_window;
 482  t->initial_max_stream_data_bidi_local = H3_STREAM_WINDOW_SIZE_INITIAL;
 483  t->initial_max_stream_data_bidi_remote = H3_STREAM_WINDOW_SIZE_INITIAL;
 484  t->initial_max_stream_data_uni = t->initial_max_data;
 485  t->initial_max_streams_bidi = QUIC_MAX_STREAMS;
 486  t->initial_max_streams_uni = QUIC_MAX_STREAMS;
 487  t->max_idle_timeout = 0; /* no idle timeout from our side */
 488  if(ctx->qlogfd != -1) {
 489    s->qlog_write = qlog_callback;
 490  }
 491}
 492
 493static CURLcode init_ngh3_conn(struct Curl_cfilter *cf,
 494                               struct Curl_easy *data);
 495
 496static int cf_ngtcp2_handshake_completed(ngtcp2_conn *tconn, void *user_data)
 497{
 498  struct Curl_cfilter *cf = user_data;
 499  struct cf_ngtcp2_ctx *ctx = cf ? cf->ctx : NULL;
 500  struct Curl_easy *data;
 501
 502  (void)tconn;
 503  DEBUGASSERT(ctx);
 504  data = CF_DATA_CURRENT(cf);
 505  DEBUGASSERT(data);
 506  if(!ctx || !data)
 507    return NGHTTP3_ERR_CALLBACK_FAILURE;
 508
 509  ctx->handshake_at = *Curl_pgrs_now(data);
 510  ctx->tls_handshake_complete = TRUE;
 511  Curl_vquic_report_handshake(&ctx->tls, cf, data);
 512
 513  ctx->tls_vrfy_result = Curl_vquic_tls_verify_peer(&ctx->tls, cf,
 514                                                    data, &ctx->peer);
 515#ifdef CURLVERBOSE
 516  if(Curl_trc_is_verbose(data)) {
 517    const ngtcp2_transport_params *rp;
 518    rp = ngtcp2_conn_get_remote_transport_params(ctx->qconn);
 519    CURL_TRC_CF(data, cf, "handshake complete after %" FMT_TIMEDIFF_T
 520                "ms, remote transport[max_udp_payload=%" PRIu64
 521                ", initial_max_data=%" PRIu64
 522                "]",
 523               curlx_ptimediff_ms(&ctx->handshake_at, &ctx->started_at),
 524               rp->max_udp_payload_size, rp->initial_max_data);
 525  }
 526#endif
 527
 528  /* In case of earlydata, where we simulate being connected, update
 529   * the handshake time when we really did connect */
 530  if(ctx->use_earlydata)
 531    Curl_pgrsTimeWas(data, TIMER_APPCONNECT, ctx->handshake_at);
 532  if(ctx->use_earlydata) {
 533#if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_EARLYDATA)
 534    ctx->earlydata_accepted =
 535      (SSL_get_early_data_status(ctx->tls.ossl.ssl) !=
 536       SSL_EARLY_DATA_REJECTED);
 537#endif
 538#ifdef USE_GNUTLS
 539    int flags = gnutls_session_get_flags(ctx->tls.gtls.session);
 540    ctx->earlydata_accepted = !!(flags & GNUTLS_SFLAGS_EARLY_DATA);
 541#endif
 542#ifdef USE_WOLFSSL
 543#ifdef WOLFSSL_EARLY_DATA
 544    ctx->earlydata_accepted =
 545      (wolfSSL_get_early_data_status(ctx->tls.wssl.ssl) !=
 546       WOLFSSL_EARLY_DATA_REJECTED);
 547#else
 548    DEBUGASSERT(0); /* should not come here if ED is disabled. */
 549    ctx->earlydata_accepted = FALSE;
 550#endif /* WOLFSSL_EARLY_DATA */
 551#endif
 552    CURL_TRC_CF(data, cf, "server did%s accept %zu bytes of early data",
 553                ctx->earlydata_accepted ? "" : " not", ctx->earlydata_skip);
 554    Curl_pgrsEarlyData(data, ctx->earlydata_accepted ?
 555                              (curl_off_t)ctx->earlydata_skip :
 556                             -(curl_off_t)ctx->earlydata_skip);
 557  }
 558  return 0;
 559}
 560
 561static void cf_ngtcp2_conn_close(struct Curl_cfilter *cf,
 562                                 struct Curl_easy *data);
 563
 564static bool cf_ngtcp2_err_is_fatal(int code)
 565{
 566  return (NGTCP2_ERR_FATAL >= code) ||
 567         (NGTCP2_ERR_DROP_CONN == code) ||
 568         (NGTCP2_ERR_IDLE_CLOSE == code);
 569}
 570
 571static void cf_ngtcp2_err_set(struct Curl_cfilter *cf,
 572                              struct Curl_easy *data, int code)
 573{
 574  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 575  if(!ctx->last_error.error_code) {
 576    if(NGTCP2_ERR_CRYPTO == code) {
 577      ngtcp2_ccerr_set_tls_alert(&ctx->last_error,
 578                                 ngtcp2_conn_get_tls_alert(ctx->qconn),
 579                                 NULL, 0);
 580    }
 581    else {
 582      ngtcp2_ccerr_set_liberr(&ctx->last_error, code, NULL, 0);
 583    }
 584  }
 585  if(cf_ngtcp2_err_is_fatal(code))
 586    cf_ngtcp2_conn_close(cf, data);
 587}
 588
 589static bool cf_ngtcp2_h3_err_is_fatal(int code)
 590{
 591  return (NGHTTP3_ERR_FATAL >= code) ||
 592         (NGHTTP3_ERR_H3_CLOSED_CRITICAL_STREAM == code);
 593}
 594
 595static void cf_ngtcp2_h3_err_set(struct Curl_cfilter *cf,
 596                                 struct Curl_easy *data, int code)
 597{
 598  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 599  if(!ctx->last_error.error_code) {
 600    ngtcp2_ccerr_set_application_error(&ctx->last_error,
 601      nghttp3_err_infer_quic_app_error_code(code), NULL, 0);
 602  }
 603  if(cf_ngtcp2_h3_err_is_fatal(code))
 604    cf_ngtcp2_conn_close(cf, data);
 605}
 606
 607static int cb_recv_stream_data(ngtcp2_conn *tconn, uint32_t flags,
 608                               int64_t stream_id, uint64_t offset,
 609                               const uint8_t *buf, size_t buflen,
 610                               void *user_data, void *stream_user_data)
 611{
 612  struct Curl_cfilter *cf = user_data;
 613  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 614  nghttp3_ssize rc;
 615  uint64_t nconsumed;
 616  int fin = (flags & NGTCP2_STREAM_DATA_FLAG_FIN) ? 1 : 0;
 617  struct Curl_easy *data = stream_user_data;
 618  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
 619  (void)offset;
 620
 621  rc = nghttp3_conn_read_stream(ctx->h3conn, stream_id, buf, buflen, fin);
 622  if(rc < 0) {
 623    if(data && stream) {
 624      CURL_TRC_CF(data, cf, "[%" PRId64 "] error on known stream, "
 625                  "reset=%d, closed=%d",
 626                  stream_id, stream->reset, stream->closed);
 627    }
 628    return NGTCP2_ERR_CALLBACK_FAILURE;
 629  }
 630  nconsumed = (uint64_t)rc;
 631  if(nconsumed) {
 632    /* number of bytes inside buflen which consists of framing overhead
 633     * including QPACK HEADERS. In other words, it does not consume payload of
 634     * DATA frame. */
 635    ngtcp2_conn_extend_max_stream_offset(tconn, stream_id, nconsumed);
 636    ngtcp2_conn_extend_max_offset(tconn, nconsumed);
 637    if(stream) {
 638      stream->rx_offset += nconsumed;
 639      stream->rx_offset_max += nconsumed;
 640    }
 641  }
 642  return 0;
 643}
 644
 645static int cb_acked_stream_data_offset(ngtcp2_conn *tconn, int64_t stream_id,
 646                                       uint64_t offset, uint64_t datalen,
 647                                       void *user_data, void *stream_user_data)
 648{
 649  struct Curl_cfilter *cf = user_data;
 650  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 651  int rv;
 652  (void)stream_id;
 653  (void)tconn;
 654  (void)offset;
 655  (void)datalen;
 656  (void)stream_user_data;
 657
 658  rv = nghttp3_conn_add_ack_offset(ctx->h3conn, stream_id, datalen);
 659  if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
 660    return NGTCP2_ERR_CALLBACK_FAILURE;
 661  }
 662
 663  return 0;
 664}
 665
 666static int cb_stream_close(ngtcp2_conn *tconn, uint32_t flags,
 667                           int64_t stream_id, uint64_t app_error_code,
 668                           void *user_data, void *stream_user_data)
 669{
 670  struct Curl_cfilter *cf = user_data;
 671  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 672  struct Curl_easy *data = stream_user_data;
 673  int rv;
 674
 675  (void)tconn;
 676  /* stream is closed... */
 677  if(!data)
 678    data = CF_DATA_CURRENT(cf);
 679  if(!data)
 680    return NGTCP2_ERR_CALLBACK_FAILURE;
 681
 682  if(!(flags & NGTCP2_STREAM_CLOSE_FLAG_APP_ERROR_CODE_SET)) {
 683    app_error_code = NGHTTP3_H3_NO_ERROR;
 684  }
 685
 686  rv = nghttp3_conn_close_stream(ctx->h3conn, stream_id, app_error_code);
 687  CURL_TRC_CF(data, cf, "[%" PRId64 "] quic close(app_error=%"
 688              PRIu64 ") -> %d", stream_id, app_error_code, rv);
 689  if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
 690    cf_ngtcp2_h3_err_set(cf, data, rv);
 691    return NGTCP2_ERR_CALLBACK_FAILURE;
 692  }
 693
 694  return 0;
 695}
 696
 697static int cb_stream_reset(ngtcp2_conn *tconn, int64_t stream_id,
 698                           uint64_t final_size, uint64_t app_error_code,
 699                           void *user_data, void *stream_user_data)
 700{
 701  struct Curl_cfilter *cf = user_data;
 702  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 703  struct Curl_easy *data = stream_user_data;
 704  int rv;
 705  (void)tconn;
 706  (void)final_size;
 707  (void)app_error_code;
 708
 709  rv = nghttp3_conn_shutdown_stream_read(ctx->h3conn, stream_id);
 710  CURL_TRC_CF(data, cf, "[%" PRId64 "] reset -> %d", stream_id, rv);
 711  if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
 712    return NGTCP2_ERR_CALLBACK_FAILURE;
 713  }
 714
 715  return 0;
 716}
 717
 718static int cb_stream_stop_sending(ngtcp2_conn *tconn, int64_t stream_id,
 719                                  uint64_t app_error_code, void *user_data,
 720                                  void *stream_user_data)
 721{
 722  struct Curl_cfilter *cf = user_data;
 723  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 724  int rv;
 725  (void)tconn;
 726  (void)app_error_code;
 727  (void)stream_user_data;
 728
 729  rv = nghttp3_conn_shutdown_stream_read(ctx->h3conn, stream_id);
 730  if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
 731    return NGTCP2_ERR_CALLBACK_FAILURE;
 732  }
 733
 734  return 0;
 735}
 736
 737static int cb_extend_max_local_streams_bidi(ngtcp2_conn *tconn,
 738                                            uint64_t max_streams,
 739                                            void *user_data)
 740{
 741  struct Curl_cfilter *cf = user_data;
 742  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 743  struct Curl_easy *data = CF_DATA_CURRENT(cf);
 744
 745  (void)tconn;
 746  ctx->max_bidi_streams = max_streams;
 747  if(data)
 748    CURL_TRC_CF(data, cf, "max bidi streams now %" PRIu64 ", used %" PRIu64,
 749                ctx->max_bidi_streams, ctx->used_bidi_streams);
 750  return 0;
 751}
 752
 753static int cb_extend_max_stream_data(ngtcp2_conn *tconn, int64_t stream_id,
 754                                     uint64_t max_data, void *user_data,
 755                                     void *stream_user_data)
 756{
 757  struct Curl_cfilter *cf = user_data;
 758  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 759  struct Curl_easy *s_data = stream_user_data;
 760  struct h3_stream_ctx *stream;
 761  int rv;
 762  (void)tconn;
 763  (void)max_data;
 764
 765  rv = nghttp3_conn_unblock_stream(ctx->h3conn, stream_id);
 766  if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
 767    return NGTCP2_ERR_CALLBACK_FAILURE;
 768  }
 769  stream = H3_STREAM_CTX(ctx, s_data);
 770  if(stream && stream->quic_flow_blocked) {
 771    CURL_TRC_CF(s_data, cf, "[%" PRId64 "] unblock quic flow", stream_id);
 772    stream->quic_flow_blocked = FALSE;
 773    Curl_multi_mark_dirty(s_data);
 774  }
 775  return 0;
 776}
 777
 778static void cb_rand(uint8_t *dest, size_t destlen,
 779                    const ngtcp2_rand_ctx *rand_ctx)
 780{
 781  CURLcode result;
 782  (void)rand_ctx;
 783
 784  result = Curl_rand(NULL, dest, destlen);
 785  if(result) {
 786    /* cb_rand is only used for non-cryptographic context. If Curl_rand
 787       failed, fill 0 and call it *random*. */
 788    memset(dest, 0, destlen);
 789  }
 790}
 791
 792/* for ngtcp2 <v1.22.0 */
 793static int cb_get_new_connection_id(ngtcp2_conn *tconn, ngtcp2_cid *cid,
 794                                    uint8_t *token, size_t cidlen,
 795                                    void *user_data)
 796{
 797  CURLcode result;
 798  (void)tconn;
 799  (void)user_data;
 800
 801  result = Curl_rand(NULL, cid->data, cidlen);
 802  if(result)
 803    return NGTCP2_ERR_CALLBACK_FAILURE;
 804  cid->datalen = cidlen;
 805
 806  result = Curl_rand(NULL, token, NGTCP2_STATELESS_RESET_TOKENLEN);
 807  if(result)
 808    return NGTCP2_ERR_CALLBACK_FAILURE;
 809
 810  return 0;
 811}
 812
 813#ifdef NGTCP2_CALLBACKS_V3  /* ngtcp2 v1.22.0+ */
 814static int cb_get_new_connection_id2(ngtcp2_conn *tconn, ngtcp2_cid *cid,
 815  struct ngtcp2_stateless_reset_token *token, size_t cidlen, void *user_data)
 816{
 817  CURLcode result;
 818  (void)tconn;
 819  (void)user_data;
 820
 821  result = Curl_rand(NULL, cid->data, cidlen);
 822  if(result)
 823    return NGTCP2_ERR_CALLBACK_FAILURE;
 824  cid->datalen = cidlen;
 825
 826  result = Curl_rand(NULL, token->data, sizeof(token->data));
 827  if(result)
 828    return NGTCP2_ERR_CALLBACK_FAILURE;
 829
 830  return 0;
 831}
 832#endif
 833
 834static int cb_recv_rx_key(ngtcp2_conn *tconn, ngtcp2_encryption_level level,
 835                          void *user_data)
 836{
 837  struct Curl_cfilter *cf = user_data;
 838  struct cf_ngtcp2_ctx *ctx = cf ? cf->ctx : NULL;
 839  struct Curl_easy *data = CF_DATA_CURRENT(cf);
 840  (void)tconn;
 841
 842  if(level != NGTCP2_ENCRYPTION_LEVEL_1RTT)
 843    return 0;
 844
 845  DEBUGASSERT(ctx);
 846  DEBUGASSERT(data);
 847  if(ctx && data && !ctx->h3conn) {
 848    if(init_ngh3_conn(cf, data))
 849      return NGTCP2_ERR_CALLBACK_FAILURE;
 850  }
 851  return 0;
 852}
 853
 854#if defined(_MSC_VER) && defined(_DLL)
 855#pragma warning(push)
 856#pragma warning(disable:4232) /* MSVC extension, dllimport identity */
 857#endif
 858
 859static ngtcp2_callbacks ng_callbacks = {
 860  ngtcp2_crypto_client_initial_cb,
 861  NULL, /* recv_client_initial */
 862  ngtcp2_crypto_recv_crypto_data_cb,
 863  cf_ngtcp2_handshake_completed,
 864  NULL, /* recv_version_negotiation */
 865  ngtcp2_crypto_encrypt_cb,
 866  ngtcp2_crypto_decrypt_cb,
 867  ngtcp2_crypto_hp_mask_cb,
 868  cb_recv_stream_data,
 869  cb_acked_stream_data_offset,
 870  NULL, /* stream_open */
 871  cb_stream_close,
 872  NULL, /* recv_stateless_reset */
 873  ngtcp2_crypto_recv_retry_cb,
 874  cb_extend_max_local_streams_bidi,
 875  NULL, /* extend_max_local_streams_uni */
 876  cb_rand,
 877  cb_get_new_connection_id, /* for ngtcp2 <v1.22.0 */
 878  NULL, /* remove_connection_id */
 879  ngtcp2_crypto_update_key_cb, /* update_key */
 880  NULL, /* path_validation */
 881  NULL, /* select_preferred_addr */
 882  cb_stream_reset,
 883  NULL, /* extend_max_remote_streams_bidi */
 884  NULL, /* extend_max_remote_streams_uni */
 885  cb_extend_max_stream_data,
 886  NULL, /* dcid_status */
 887  NULL, /* handshake_confirmed */
 888  NULL, /* recv_new_token */
 889  ngtcp2_crypto_delete_crypto_aead_ctx_cb,
 890  ngtcp2_crypto_delete_crypto_cipher_ctx_cb,
 891  NULL, /* recv_datagram */
 892  NULL, /* ack_datagram */
 893  NULL, /* lost_datagram */
 894  ngtcp2_crypto_get_path_challenge_data_cb,
 895  cb_stream_stop_sending,
 896  NULL, /* version_negotiation */
 897  cb_recv_rx_key,
 898  NULL, /* recv_tx_key */
 899  NULL, /* early_data_rejected */
 900#ifdef NGTCP2_CALLBACKS_V2  /* ngtcp2 v1.14.0+ */
 901  NULL, /* begin_path_validation */
 902#endif
 903#ifdef NGTCP2_CALLBACKS_V3  /* ngtcp2 v1.22.0+ */
 904  NULL, /* recv_stateless_reset2 */
 905  cb_get_new_connection_id2, /* get_new_connection_id2 */
 906  NULL, /* dcid_status2 */
 907  ngtcp2_crypto_get_path_challenge_data2_cb, /* get_path_challenge_data2 */
 908#endif
 909};
 910
 911#if defined(_MSC_VER) && defined(_DLL)
 912#pragma warning(pop)
 913#endif
 914
 915/**
 916 * Connection maintenance like timeouts on packet ACKs etc. are done by us, not
 917 * the OS like for TCP. POLL events on the socket therefore are not
 918 * sufficient.
 919 * ngtcp2 tells us when it wants to be invoked again. We handle that via
 920 * the `Curl_expire()` mechanisms.
 921 */
 922static CURLcode check_and_set_expiry(struct Curl_cfilter *cf,
 923                                     struct Curl_easy *data,
 924                                     struct pkt_io_ctx *pktx)
 925{
 926  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 927  struct pkt_io_ctx local_pktx;
 928  ngtcp2_tstamp expiry;
 929
 930  if(!pktx) {
 931    pktx_init(&local_pktx, cf, data);
 932    pktx = &local_pktx;
 933  }
 934  else {
 935    pktx_update_time(data, pktx, cf);
 936  }
 937
 938  expiry = ngtcp2_conn_get_expiry(ctx->qconn);
 939  if(expiry != UINT64_MAX) {
 940    if(expiry <= pktx->ts) {
 941      CURLcode result;
 942      int rv = ngtcp2_conn_handle_expiry(ctx->qconn, pktx->ts);
 943      if(rv) {
 944        failf(data, "ngtcp2_conn_handle_expiry returned error: %s",
 945              ngtcp2_strerror(rv));
 946        cf_ngtcp2_err_set(cf, data, rv);
 947        return CURLE_SEND_ERROR;
 948      }
 949      result = cf_progress_ingress(cf, data, pktx);
 950      if(result)
 951        return result;
 952      result = cf_progress_egress(cf, data, pktx);
 953      if(result)
 954        return result;
 955      /* ask again, things might have changed */
 956      expiry = ngtcp2_conn_get_expiry(ctx->qconn);
 957    }
 958
 959    if(expiry > pktx->ts) {
 960      ngtcp2_duration timeout = expiry - pktx->ts;
 961      if(timeout % NGTCP2_MILLISECONDS) {
 962        timeout += NGTCP2_MILLISECONDS;
 963      }
 964      Curl_expire(data, (timediff_t)(timeout / NGTCP2_MILLISECONDS),
 965                  EXPIRE_QUIC);
 966    }
 967  }
 968  return CURLE_OK;
 969}
 970
 971static CURLcode cf_ngtcp2_adjust_pollset(struct Curl_cfilter *cf,
 972                                         struct Curl_easy *data,
 973                                         struct easy_pollset *ps)
 974{
 975  struct cf_ngtcp2_ctx *ctx = cf->ctx;
 976  bool want_recv, want_send;
 977  CURLcode result = CURLE_OK;
 978
 979  if(!ctx->qconn)
 980    return CURLE_OK;
 981
 982  Curl_pollset_check(data, ps, ctx->q.sockfd, &want_recv, &want_send);
 983  if(!want_send && !Curl_bufq_is_empty(&ctx->q.sendbuf))
 984    want_send = TRUE;
 985
 986  if(want_recv || want_send) {
 987    struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
 988    struct cf_call_data save;
 989    bool c_exhaust, s_exhaust;
 990
 991    CF_DATA_SAVE(save, cf, data);
 992    c_exhaust = want_send && (!ngtcp2_conn_get_cwnd_left(ctx->qconn) ||
 993                              !ngtcp2_conn_get_max_data_left(ctx->qconn));
 994    s_exhaust = want_send && stream && stream->id >= 0 &&
 995                stream->quic_flow_blocked;
 996    want_recv = (want_recv || c_exhaust || s_exhaust);
 997    want_send = (!s_exhaust && want_send) ||
 998                 !Curl_bufq_is_empty(&ctx->q.sendbuf);
 999
1000    result = Curl_pollset_set(data, ps, ctx->q.sockfd, want_recv, want_send);
1001    CF_DATA_RESTORE(cf, save);
1002  }
1003  return result;
1004}
1005
1006static int cb_h3_stream_close(nghttp3_conn *conn, int64_t stream_id,
1007                              uint64_t app_error_code, void *user_data,
1008                              void *stream_user_data)
1009{
1010  struct Curl_cfilter *cf = user_data;
1011  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1012  struct Curl_easy *data = stream_user_data;
1013  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1014  (void)conn;
1015  (void)stream_id;
1016
1017  /* we might be called by nghttp3 after we already cleaned up */
1018  if(!stream)
1019    return 0;
1020
1021  stream->closed = TRUE;
1022  stream->error3 = app_error_code;
1023  if(stream->error3 != NGHTTP3_H3_NO_ERROR) {
1024    stream->reset = TRUE;
1025    stream->send_closed = TRUE;
1026    CURL_TRC_CF(data, cf, "[%" PRId64 "] RESET: error %" PRIu64,
1027                stream->id, stream->error3);
1028  }
1029  else {
1030    CURL_TRC_CF(data, cf, "[%" PRId64 "] CLOSED", stream->id);
1031  }
1032  Curl_multi_mark_dirty(data);
1033  return 0;
1034}
1035
1036static void h3_xfer_write_resp_hd(struct Curl_cfilter *cf,
1037                                  struct Curl_easy *data,
1038                                  struct h3_stream_ctx *stream,
1039                                  const char *buf, size_t blen, bool eos)
1040{
1041  /* This function returns no error intentionally, but records
1042   * the result at the stream, skipping further writes once the
1043   * `result` of the transfer is known.
1044   * The stream is subsequently cancelled "higher up" in the filter's
1045   * send/recv callbacks. Closing the stream here leads to SEND/RECV
1046   * errors in other places that then overwrite the transfer's result. */
1047  if(!stream->xfer_result) {
1048    stream->xfer_result = Curl_xfer_write_resp_hd(data, buf, blen, eos);
1049    if(stream->xfer_result)
1050      CURL_TRC_CF(data, cf, "[%" PRId64 "] error %d writing %zu "
1051                  "bytes of headers", stream->id, stream->xfer_result, blen);
1052  }
1053}
1054
1055static void h3_xfer_write_resp(struct Curl_cfilter *cf,
1056                               struct Curl_easy *data,
1057                               struct h3_stream_ctx *stream,
1058                               const char *buf, size_t blen, bool eos)
1059{
1060  /* This function returns no error intentionally, but records
1061   * the result at the stream, skipping further writes once the
1062   * `result` of the transfer is known.
1063   * The stream is subsequently cancelled "higher up" in the filter's
1064   * send/recv callbacks. Closing the stream here leads to SEND/RECV
1065   * errors in other places that then overwrite the transfer's result. */
1066  if(!stream->xfer_result) {
1067    stream->xfer_result = Curl_xfer_write_resp(data, buf, blen, eos);
1068    /* If the transfer write is errored, we do not want any more data */
1069    if(stream->xfer_result) {
1070      CURL_TRC_CF(data, cf, "[%" PRId64 "] error %d writing %zu bytes of data",
1071                  stream->id, stream->xfer_result, blen);
1072    }
1073  }
1074}
1075
1076static void cf_ngtcp2_upd_rx_win(struct Curl_cfilter *cf,
1077                                 struct Curl_easy *data,
1078                                 struct h3_stream_ctx *stream)
1079{
1080  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1081  uint64_t cur_win, wanted_win = H3_STREAM_WINDOW_SIZE_MAX;
1082
1083  /* how much does rate limiting allow us to acknowledge? */
1084  if(Curl_rlimit_active(&data->progress.dl.rlimit)) {
1085    int64_t avail;
1086
1087    /* start rate limit updates only after first bytes arrived */
1088    if(!stream->rx_offset)
1089      return;
1090
1091    avail = Curl_rlimit_avail(&data->progress.dl.rlimit,
1092                              Curl_pgrs_now(data));
1093    if(avail <= 0) {
1094      /* nothing available, do not extend the rx offset */
1095      CURL_TRC_CF(data, cf, "[%" PRId64 "] dl rate limit exhausted (%" PRId64
1096                  " tokens)", stream->id, avail);
1097      return;
1098    }
1099    wanted_win = CURLMIN((uint64_t)avail, H3_STREAM_WINDOW_SIZE_MAX);
1100  }
1101
1102  if(stream->rx_offset_max < stream->rx_offset) {
1103    DEBUGASSERT(0);
1104    return;
1105  }
1106  cur_win = stream->rx_offset_max - stream->rx_offset;
1107
1108  if(wanted_win > cur_win) {
1109    uint64_t delta = wanted_win - cur_win;
1110
1111    if(UINT64_MAX - delta < stream->rx_offset_max)
1112      delta = UINT64_MAX - stream->rx_offset_max;
1113    if(delta) {
1114      CURL_TRC_CF(data, cf, "[%" PRId64 "] rx window, extend by %" PRIu64
1115                  " bytes", stream->id, delta);
1116      stream->rx_offset_max += delta;
1117      ngtcp2_conn_extend_max_stream_offset(ctx->qconn, stream->id, delta);
1118    }
1119  }
1120}
1121
1122static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream3_id,
1123                           const uint8_t *buf, size_t blen,
1124                           void *user_data, void *stream_user_data)
1125{
1126  struct Curl_cfilter *cf = user_data;
1127  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1128  struct Curl_easy *data = stream_user_data;
1129  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1130
1131  (void)conn;
1132  (void)stream3_id;
1133
1134  if(!stream)
1135    return NGHTTP3_ERR_CALLBACK_FAILURE;
1136
1137  h3_xfer_write_resp(cf, data, stream, (const char *)buf, blen, FALSE);
1138
1139  ngtcp2_conn_extend_max_offset(ctx->qconn, blen);
1140  stream->rx_offset += blen;
1141  if(stream->rx_offset_max < stream->rx_offset)
1142    stream->rx_offset_max = stream->rx_offset;
1143
1144  CURL_TRC_CF(data, cf, "[%" PRId64 "] DATA len=%zu, rx win=%" PRIu64,
1145              stream->id, blen, stream->rx_offset_max - stream->rx_offset);
1146  cf_ngtcp2_upd_rx_win(cf, data, stream);
1147  return 0;
1148}
1149
1150static int cb_h3_deferred_consume(nghttp3_conn *conn, int64_t stream3_id,
1151                                  size_t consumed, void *user_data,
1152                                  void *stream_user_data)
1153{
1154  struct Curl_cfilter *cf = user_data;
1155  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1156  struct Curl_easy *data = stream_user_data;
1157  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1158  (void)conn;
1159
1160  /* nghttp3 has consumed bytes on the QUIC stream and we need to
1161   * tell the QUIC connection to increase its flow control */
1162  ngtcp2_conn_extend_max_stream_offset(ctx->qconn, stream3_id, consumed);
1163  ngtcp2_conn_extend_max_offset(ctx->qconn, consumed);
1164  if(stream) {
1165    stream->rx_offset += consumed;
1166    stream->rx_offset_max += consumed;
1167  }
1168  return 0;
1169}
1170
1171static int cb_h3_end_headers(nghttp3_conn *conn, int64_t stream_id,
1172                             int fin, void *user_data, void *stream_user_data)
1173{
1174  struct Curl_cfilter *cf = user_data;
1175  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1176  struct Curl_easy *data = stream_user_data;
1177  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1178  (void)conn;
1179  (void)stream_id;
1180  (void)fin;
1181  (void)cf;
1182
1183  if(!stream)
1184    return 0;
1185  /* add a CRLF only if we have received some headers */
1186  h3_xfer_write_resp_hd(cf, data, stream, STRCONST("\r\n"),
1187                        (bool)stream->closed);
1188
1189  CURL_TRC_CF(data, cf, "[%" PRId64 "] end_headers, status=%d",
1190              stream_id, stream->status_code);
1191  if(stream->status_code / 100 != 1) {
1192    stream->resp_hds_complete = TRUE;
1193  }
1194  Curl_multi_mark_dirty(data);
1195  return 0;
1196}
1197
1198static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id,
1199                             int32_t token, nghttp3_rcbuf *name,
1200                             nghttp3_rcbuf *value, uint8_t flags,
1201                             void *user_data, void *stream_user_data)
1202{
1203  struct Curl_cfilter *cf = user_data;
1204  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1205  nghttp3_vec h3name = nghttp3_rcbuf_get_buf(name);
1206  nghttp3_vec h3val = nghttp3_rcbuf_get_buf(value);
1207  struct Curl_easy *data = stream_user_data;
1208  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1209  CURLcode result = CURLE_OK;
1210  (void)conn;
1211  (void)stream_id;
1212  (void)token;
1213  (void)flags;
1214  (void)cf;
1215
1216  /* we might have cleaned up this transfer already */
1217  if(!stream)
1218    return 0;
1219
1220  if(token == NGHTTP3_QPACK_TOKEN__STATUS) {
1221
1222    result = Curl_http_decode_status(&stream->status_code,
1223                                     (const char *)h3val.base, h3val.len);
1224    if(result)
1225      return NGHTTP3_ERR_CALLBACK_FAILURE;
1226    curlx_dyn_reset(&ctx->scratch);
1227    result = curlx_dyn_addn(&ctx->scratch, STRCONST("HTTP/3 "));
1228    if(!result)
1229      result = curlx_dyn_addn(&ctx->scratch,
1230                              (const char *)h3val.base, h3val.len);
1231    if(!result)
1232      result = curlx_dyn_addn(&ctx->scratch, STRCONST(" \r\n"));
1233    if(!result)
1234      h3_xfer_write_resp_hd(cf, data, stream, curlx_dyn_ptr(&ctx->scratch),
1235                            curlx_dyn_len(&ctx->scratch), FALSE);
1236    CURL_TRC_CF(data, cf, "[%" PRId64 "] status: %s",
1237                stream_id, curlx_dyn_ptr(&ctx->scratch));
1238    if(result) {
1239      return NGHTTP3_ERR_CALLBACK_FAILURE;
1240    }
1241  }
1242  else {
1243    /* store as an HTTP1-style header */
1244    CURL_TRC_CF(data, cf, "[%" PRId64 "] header: %.*s: %.*s",
1245                stream_id, (int)h3name.len, h3name.base,
1246                (int)h3val.len, h3val.base);
1247    curlx_dyn_reset(&ctx->scratch);
1248    result = curlx_dyn_addn(&ctx->scratch,
1249                            (const char *)h3name.base, h3name.len);
1250    if(!result)
1251      result = curlx_dyn_addn(&ctx->scratch, STRCONST(": "));
1252    if(!result)
1253      result = curlx_dyn_addn(&ctx->scratch,
1254                              (const char *)h3val.base, h3val.len);
1255    if(!result)
1256      result = curlx_dyn_addn(&ctx->scratch, STRCONST("\r\n"));
1257    if(!result)
1258      h3_xfer_write_resp_hd(cf, data, stream, curlx_dyn_ptr(&ctx->scratch),
1259                            curlx_dyn_len(&ctx->scratch), FALSE);
1260  }
1261  return 0;
1262}
1263
1264static int cb_h3_stop_sending(nghttp3_conn *conn, int64_t stream_id,
1265                              uint64_t app_error_code, void *user_data,
1266                              void *stream_user_data)
1267{
1268  struct Curl_cfilter *cf = user_data;
1269  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1270  int rv;
1271  (void)conn;
1272  (void)stream_user_data;
1273
1274  rv = ngtcp2_conn_shutdown_stream_read(ctx->qconn, 0, stream_id,
1275                                        app_error_code);
1276  if(rv && rv != NGTCP2_ERR_STREAM_NOT_FOUND) {
1277    return NGHTTP3_ERR_CALLBACK_FAILURE;
1278  }
1279
1280  return 0;
1281}
1282
1283static int cb_h3_reset_stream(nghttp3_conn *conn, int64_t stream_id,
1284                              uint64_t app_error_code, void *user_data,
1285                              void *stream_user_data)
1286{
1287  struct Curl_cfilter *cf = user_data;
1288  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1289  struct Curl_easy *data = stream_user_data;
1290  int rv;
1291  (void)conn;
1292
1293  rv = ngtcp2_conn_shutdown_stream_write(ctx->qconn, 0, stream_id,
1294                                         app_error_code);
1295  CURL_TRC_CF(data, cf, "[%" PRId64 "] reset -> %d", stream_id, rv);
1296  if(rv && rv != NGTCP2_ERR_STREAM_NOT_FOUND) {
1297    return NGHTTP3_ERR_CALLBACK_FAILURE;
1298  }
1299
1300  return 0;
1301}
1302
1303static nghttp3_callbacks ngh3_callbacks = {
1304  cb_h3_acked_req_body, /* acked_stream_data */
1305  cb_h3_stream_close,
1306  cb_h3_recv_data,
1307  cb_h3_deferred_consume,
1308  NULL, /* begin_headers */
1309  cb_h3_recv_header,
1310  cb_h3_end_headers,
1311  NULL, /* begin_trailers */
1312  cb_h3_recv_header,
1313  NULL, /* end_trailers */
1314  cb_h3_stop_sending,
1315  NULL, /* end_stream */
1316  cb_h3_reset_stream,
1317  NULL, /* shutdown */
1318  NULL, /* recv_settings (deprecated) */
1319#ifdef NGHTTP3_CALLBACKS_V2  /* nghttp3 v1.11.0+ */
1320  NULL, /* recv_origin */
1321  NULL, /* end_origin */
1322  NULL, /* rand */
1323#endif
1324#ifdef NGHTTP3_CALLBACKS_V3  /* nghttp3 v1.14.0+ */
1325  NULL, /* recv_settings2 */
1326#endif
1327};
1328
1329static CURLcode init_ngh3_conn(struct Curl_cfilter *cf,
1330                               struct Curl_easy *data)
1331{
1332  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1333  int64_t ctrl_stream_id, qpack_enc_stream_id, qpack_dec_stream_id;
1334  int rc;
1335
1336  if(ngtcp2_conn_get_streams_uni_left(ctx->qconn) < 3) {
1337    failf(data, "QUIC connection lacks 3 uni streams to run HTTP/3");
1338    return CURLE_QUIC_CONNECT_ERROR;
1339  }
1340
1341  nghttp3_settings_default(&ctx->h3settings);
1342
1343  rc = nghttp3_conn_client_new(&ctx->h3conn,
1344                               &ngh3_callbacks,
1345                               &ctx->h3settings,
1346                               Curl_nghttp3_mem(),
1347                               cf);
1348  if(rc) {
1349    failf(data, "error creating nghttp3 connection instance");
1350    return CURLE_OUT_OF_MEMORY;
1351  }
1352
1353  rc = ngtcp2_conn_open_uni_stream(ctx->qconn, &ctrl_stream_id, NULL);
1354  if(rc) {
1355    failf(data, "error creating HTTP/3 control stream: %s",
1356          ngtcp2_strerror(rc));
1357    return CURLE_QUIC_CONNECT_ERROR;
1358  }
1359
1360  rc = nghttp3_conn_bind_control_stream(ctx->h3conn, ctrl_stream_id);
1361  if(rc) {
1362    failf(data, "error binding HTTP/3 control stream: %s",
1363          ngtcp2_strerror(rc));
1364    return CURLE_QUIC_CONNECT_ERROR;
1365  }
1366
1367  rc = ngtcp2_conn_open_uni_stream(ctx->qconn, &qpack_enc_stream_id, NULL);
1368  if(rc) {
1369    failf(data, "error creating HTTP/3 qpack encoding stream: %s",
1370          ngtcp2_strerror(rc));
1371    return CURLE_QUIC_CONNECT_ERROR;
1372  }
1373
1374  rc = ngtcp2_conn_open_uni_stream(ctx->qconn, &qpack_dec_stream_id, NULL);
1375  if(rc) {
1376    failf(data, "error creating HTTP/3 qpack decoding stream: %s",
1377          ngtcp2_strerror(rc));
1378    return CURLE_QUIC_CONNECT_ERROR;
1379  }
1380
1381  rc = nghttp3_conn_bind_qpack_streams(ctx->h3conn, qpack_enc_stream_id,
1382                                       qpack_dec_stream_id);
1383  if(rc) {
1384    failf(data, "error binding HTTP/3 qpack streams: %s",
1385          ngtcp2_strerror(rc));
1386    return CURLE_QUIC_CONNECT_ERROR;
1387  }
1388
1389  return CURLE_OK;
1390}
1391
1392static CURLcode recv_closed_stream(struct Curl_cfilter *cf,
1393                                   struct Curl_easy *data,
1394                                   struct h3_stream_ctx *stream,
1395                                   size_t *pnread)
1396{
1397  (void)cf;
1398  *pnread = 0;
1399  if(stream->reset) {
1400    if(stream->error3 == CURL_H3_ERR_REQUEST_REJECTED) {
1401      infof(data, "HTTP/3 stream %" PRId64 " refused by server, try again "
1402            "on a new connection", stream->id);
1403      connclose(cf->conn, "REFUSED_STREAM"); /* do not use this anymore */
1404      data->state.refused_stream = TRUE;
1405      return CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */
1406    }
1407    else if(stream->resp_hds_complete && data->req.no_body) {
1408        CURL_TRC_CF(data, cf, "[%" PRId64 "] error after response headers, "
1409                    "but we did not want a body anyway, ignore error 0x%"
1410                    PRIx64 " %s", stream->id, stream->error3,
1411                    vquic_h3_err_str(stream->error3));
1412        return CURLE_OK;
1413    }
1414    failf(data, "HTTP/3 stream %" PRId64 " reset by server (error 0x%" PRIx64
1415          " %s)", stream->id, stream->error3,
1416          vquic_h3_err_str(stream->error3));
1417    return data->req.bytecount ? CURLE_PARTIAL_FILE : CURLE_HTTP3;
1418  }
1419  else if(!stream->resp_hds_complete) {
1420    failf(data,
1421          "HTTP/3 stream %" PRId64 " was closed cleanly, but before "
1422          "getting all response header fields, treated as error",
1423          stream->id);
1424    return CURLE_HTTP3;
1425  }
1426  return CURLE_OK;
1427}
1428
1429/* incoming data frames on the h3 stream */
1430static CURLcode cf_ngtcp2_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
1431                               char *buf, size_t blen, size_t *pnread)
1432{
1433  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1434  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1435  struct cf_call_data save;
1436  struct pkt_io_ctx pktx;
1437  CURLcode result = CURLE_OK;
1438  int i;
1439
1440  (void)ctx;
1441  (void)buf;
1442  NOVERBOSE((void)blen);
1443
1444  CF_DATA_SAVE(save, cf, data);
1445  DEBUGASSERT(cf->connected);
1446  DEBUGASSERT(ctx);
1447  DEBUGASSERT(ctx->qconn);
1448  DEBUGASSERT(ctx->h3conn);
1449  *pnread = 0;
1450
1451  /* handshake verification failed in callback, do not recv anything */
1452  if(ctx->tls_vrfy_result) {
1453    result = ctx->tls_vrfy_result;
1454    goto denied;
1455  }
1456
1457  pktx_init(&pktx, cf, data);
1458
1459  if(!stream || ctx->shutdown_started) {
1460    result = CURLE_RECV_ERROR;
1461    goto out;
1462  }
1463
1464  cf_ngtcp2_upd_rx_win(cf, data, stream);
1465
1466  /* first check for results/closed already known without touching
1467   * the connection. For an already failed/closed stream, errors on
1468   * the connection do not count.
1469   * Then handle incoming data and check for failed/closed again.
1470   */
1471  for(i = 0; i < 2; ++i) {
1472    if(stream->xfer_result) {
1473      CURL_TRC_CF(data, cf, "[%" PRId64 "] xfer write failed", stream->id);
1474      cf_ngtcp2_stream_close(cf, data, stream);
1475      result = stream->xfer_result;
1476      goto out;
1477    }
1478    else if(stream->closed) {
1479      result = recv_closed_stream(cf, data, stream, pnread);
1480      goto out;
1481    }
1482
1483    if(!i && cf_progress_ingress(cf, data, &pktx)) {
1484      result = CURLE_RECV_ERROR;
1485      goto out;
1486    }
1487  }
1488
1489  result = CURLE_AGAIN;
1490
1491out:
1492  result = Curl_1st_fatal(result, cf_progress_egress(cf, data, &pktx));
1493  result = Curl_1st_fatal(result, check_and_set_expiry(cf, data, &pktx));
1494denied:
1495  CURL_TRC_CF(data, cf, "[%" PRId64 "] cf_recv(blen=%zu) -> %d, %zu",
1496              stream ? stream->id : -1, blen, result, *pnread);
1497  CF_DATA_RESTORE(cf, save);
1498  return result;
1499}
1500
1501static int cb_h3_acked_req_body(nghttp3_conn *conn, int64_t stream_id,
1502                                uint64_t datalen, void *user_data,
1503                                void *stream_user_data)
1504{
1505  struct Curl_cfilter *cf = user_data;
1506  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1507  struct Curl_easy *data = stream_user_data;
1508  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1509  size_t skiplen;
1510
1511  (void)cf;
1512  if(!stream)
1513    return 0;
1514  /* The server acknowledged `datalen` of bytes from our request body.
1515   * This is a delta. We have kept this data in `sendbuf` for
1516   * re-transmissions and can free it now. */
1517  if(datalen >= (uint64_t)stream->sendbuf_len_in_flight)
1518    skiplen = stream->sendbuf_len_in_flight;
1519  else
1520    skiplen = (size_t)datalen;
1521  Curl_bufq_skip(&stream->sendbuf, skiplen);
1522  stream->sendbuf_len_in_flight -= skiplen;
1523
1524  /* Resume upload processing if we have more data to send */
1525  if(stream->sendbuf_len_in_flight < Curl_bufq_len(&stream->sendbuf)) {
1526    int rv = nghttp3_conn_resume_stream(conn, stream_id);
1527    if(rv && rv != NGHTTP3_ERR_STREAM_NOT_FOUND) {
1528      return NGHTTP3_ERR_CALLBACK_FAILURE;
1529    }
1530  }
1531  return 0;
1532}
1533
1534static nghttp3_ssize cb_h3_read_req_body(nghttp3_conn *conn, int64_t stream_id,
1535                                         nghttp3_vec *vec, size_t veccnt,
1536                                         uint32_t *pflags, void *user_data,
1537                                         void *stream_user_data)
1538{
1539  struct Curl_cfilter *cf = user_data;
1540  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1541  struct Curl_easy *data = stream_user_data;
1542  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1543  ssize_t nwritten = 0;
1544  size_t nvecs = 0;
1545  (void)cf;
1546  (void)conn;
1547  (void)stream_id;
1548  (void)user_data;
1549  (void)veccnt;
1550
1551  if(!stream)
1552    return NGHTTP3_ERR_CALLBACK_FAILURE;
1553  /* nghttp3 keeps references to the sendbuf data until it is ACKed
1554   * by the server (see `cb_h3_acked_req_body()` for updates).
1555   * `sendbuf_len_in_flight` is the amount of bytes in `sendbuf`
1556   * that we have already passed to nghttp3, but which have not been
1557   * ACKed yet.
1558   * Any amount beyond `sendbuf_len_in_flight` we need still to pass
1559   * to nghttp3. Do that now, if we can. */
1560  if(stream->sendbuf_len_in_flight < Curl_bufq_len(&stream->sendbuf)) {
1561    nvecs = 0;
1562    while(nvecs < veccnt &&
1563          Curl_bufq_peek_at(&stream->sendbuf,
1564                            stream->sendbuf_len_in_flight,
1565                            CURL_UNCONST(&vec[nvecs].base),
1566                            &vec[nvecs].len)) {
1567      stream->sendbuf_len_in_flight += vec[nvecs].len;
1568      nwritten += vec[nvecs].len;
1569      ++nvecs;
1570    }
1571    DEBUGASSERT(nvecs > 0); /* we SHOULD have been be able to peek */
1572  }
1573
1574  if(nwritten > 0 && stream->upload_left != -1)
1575    stream->upload_left -= nwritten;
1576
1577  /* When we stopped sending and everything in `sendbuf` is "in flight",
1578   * we are at the end of the request body. */
1579  if(stream->upload_left == 0) {
1580    *pflags = NGHTTP3_DATA_FLAG_EOF;
1581    stream->send_closed = TRUE;
1582  }
1583  else if(!nwritten) {
1584    /* Not EOF, and nothing to give, we signal WOULDBLOCK. */
1585    CURL_TRC_CF(data, cf, "[%" PRId64 "] read req body -> AGAIN", stream->id);
1586    return NGHTTP3_ERR_WOULDBLOCK;
1587  }
1588
1589  CURL_TRC_CF(data, cf, "[%" PRId64 "] read req body -> "
1590              "%d vecs%s with %zd (buffered=%zu, left=%" FMT_OFF_T ")",
1591              stream->id, (int)nvecs,
1592              *pflags == NGHTTP3_DATA_FLAG_EOF ? " EOF" : "",
1593              nwritten, Curl_bufq_len(&stream->sendbuf),
1594              stream->upload_left);
1595  return (nghttp3_ssize)nvecs;
1596}
1597
1598static CURLcode h3_stream_open(struct Curl_cfilter *cf,
1599                               struct Curl_easy *data,
1600                               const uint8_t *buf, size_t len,
1601                               size_t *pnwritten)
1602{
1603  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1604  struct h3_stream_ctx *stream = NULL;
1605  int64_t sid;
1606  struct dynhds h2_headers;
1607  size_t nheader;
1608  nghttp3_nv *nva = NULL;
1609  int rc = 0;
1610  unsigned int i;
1611  nghttp3_data_reader reader;
1612  nghttp3_data_reader *preader = NULL;
1613  CURLcode result;
1614
1615  *pnwritten = 0;
1616  Curl_dynhds_init(&h2_headers, 0, DYN_HTTP_REQUEST);
1617
1618  result = h3_data_setup(cf, data);
1619  if(result)
1620    goto out;
1621  stream = H3_STREAM_CTX(ctx, data);
1622  DEBUGASSERT(stream);
1623  if(!stream) {
1624    result = CURLE_FAILED_INIT;
1625    goto out;
1626  }
1627
1628  result = Curl_h1_req_parse_read(&stream->h1, buf, len, NULL,
1629                                  !data->state.http_ignorecustom ?
1630                                  data->set.str[STRING_CUSTOMREQUEST] : NULL,
1631                                  0, pnwritten);
1632  if(result)
1633    goto out;
1634  if(!stream->h1.done) {
1635    /* need more data */
1636    goto out;
1637  }
1638  DEBUGASSERT(stream->h1.req);
1639
1640  result = Curl_http_req_to_h2(&h2_headers, stream->h1.req, data);
1641  if(result)
1642    goto out;
1643
1644  /* no longer needed */
1645  Curl_h1_req_parse_free(&stream->h1);
1646
1647  nheader = Curl_dynhds_count(&h2_headers);
1648  nva = curlx_malloc(sizeof(nghttp3_nv) * nheader);
1649  if(!nva) {
1650    result = CURLE_OUT_OF_MEMORY;
1651    goto out;
1652  }
1653
1654  for(i = 0; i < nheader; ++i) {
1655    struct dynhds_entry *e = Curl_dynhds_getn(&h2_headers, i);
1656    nva[i].name = (unsigned char *)e->name;
1657    nva[i].namelen = e->namelen;
1658    nva[i].value = (unsigned char *)e->value;
1659    nva[i].valuelen = e->valuelen;
1660    nva[i].flags = NGHTTP3_NV_FLAG_NONE;
1661  }
1662
1663  rc = ngtcp2_conn_open_bidi_stream(ctx->qconn, &sid, data);
1664  if(rc) {
1665    failf(data, "can get bidi streams");
1666    result = CURLE_SEND_ERROR;
1667    goto out;
1668  }
1669  stream->id = sid;
1670  ++ctx->used_bidi_streams;
1671
1672  switch(data->state.httpreq) {
1673  case HTTPREQ_POST:
1674  case HTTPREQ_POST_FORM:
1675  case HTTPREQ_POST_MIME:
1676  case HTTPREQ_PUT:
1677    /* known request body size or -1 */
1678    if(data->state.infilesize != -1)
1679      stream->upload_left = data->state.infilesize;
1680    else
1681      /* data sending without specifying the data amount up front */
1682      stream->upload_left = -1; /* unknown */
1683    break;
1684  default:
1685    /* there is not request body */
1686    stream->upload_left = 0; /* no request body */
1687    break;
1688  }
1689
1690  stream->send_closed = (stream->upload_left == 0);
1691  if(!stream->send_closed) {
1692    reader.read_data = cb_h3_read_req_body;
1693    preader = &reader;
1694  }
1695
1696  rc = nghttp3_conn_submit_request(ctx->h3conn, stream->id,
1697                                   nva, nheader, preader, data);
1698  if(rc) {
1699    switch(rc) {
1700    case NGHTTP3_ERR_CONN_CLOSING:
1701      CURL_TRC_CF(data, cf, "h3sid[%" PRId64 "] failed to send, "
1702                  "connection is closing", stream->id);
1703      break;
1704    default:
1705      CURL_TRC_CF(data, cf, "h3sid[%" PRId64 "] failed to send -> "
1706                  "%d (%s)", stream->id, rc, nghttp3_strerror(rc));
1707      break;
1708    }
1709    cf_ngtcp2_stream_close(cf, data, stream);
1710    result = CURLE_SEND_ERROR;
1711    goto out;
1712  }
1713
1714  cf_ngtcp2_upd_rx_win(cf, data, stream);
1715
1716  if(Curl_trc_is_verbose(data)) {
1717    infof(data, "[HTTP/3] [%" PRId64 "] OPENED stream for %s",
1718          stream->id, Curl_bufref_ptr(&data->state.url));
1719    for(i = 0; i < nheader; ++i) {
1720      infof(data, "[HTTP/3] [%" PRId64 "] [%.*s: %.*s]", stream->id,
1721            (int)nva[i].namelen, nva[i].name,
1722            (int)nva[i].valuelen, nva[i].value);
1723    }
1724  }
1725
1726out:
1727  curlx_free(nva);
1728  Curl_dynhds_free(&h2_headers);
1729  return result;
1730}
1731
1732static CURLcode cf_ngtcp2_send(struct Curl_cfilter *cf, struct Curl_easy *data,
1733                               const uint8_t *buf, size_t len, bool eos,
1734                               size_t *pnwritten)
1735{
1736  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1737  struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
1738  struct cf_call_data save;
1739  struct pkt_io_ctx pktx;
1740  CURLcode result = CURLE_OK;
1741
1742  CF_DATA_SAVE(save, cf, data);
1743  DEBUGASSERT(cf->connected);
1744  DEBUGASSERT(ctx->qconn);
1745  DEBUGASSERT(ctx->h3conn);
1746  pktx_init(&pktx, cf, data);
1747  *pnwritten = 0;
1748
1749  /* handshake verification failed in callback, do not send anything */
1750  if(ctx->tls_vrfy_result) {
1751    result = ctx->tls_vrfy_result;
1752    goto denied;
1753  }
1754
1755  (void)eos; /* use for stream EOF and block handling */
1756  result = cf_progress_ingress(cf, data, &pktx);
1757  if(result)
1758    goto out;
1759
1760  if(!stream || stream->id < 0) {
1761    if(ctx->shutdown_started) {
1762      CURL_TRC_CF(data, cf, "cannot open stream on closed connection");
1763      result = CURLE_SEND_ERROR;
1764      goto out;
1765    }
1766    result = h3_stream_open(cf, data, buf, len, pnwritten);
1767    if(result) {
1768      CURL_TRC_CF(data, cf, "failed to open stream -> %d", result);
1769      goto out;
1770    }
1771    VERBOSE(stream = H3_STREAM_CTX(ctx, data));
1772  }
1773  else if(stream->xfer_result) {
1774    CURL_TRC_CF(data, cf, "[%" PRId64 "] xfer write failed", stream->id);
1775    cf_ngtcp2_stream_close(cf, data, stream);
1776    result = stream->xfer_result;
1777    goto out;
1778  }
1779  else if(stream->closed) {
1780    if(stream->resp_hds_complete) {
1781      /* Server decided to close the stream after having sent us a final
1782       * response. This is valid if it is not interested in the request
1783       * body. This happens on 30x or 40x responses.
1784       * We silently discard the data sent, since this is not a transport
1785       * error situation. */
1786      CURL_TRC_CF(data, cf, "[%" PRId64 "] discarding data"
1787                  "on closed stream with response", stream->id);
1788      result = CURLE_OK;
1789      *pnwritten = len;
1790      goto out;
1791    }
1792    CURL_TRC_CF(data, cf, "[%" PRId64 "] send_body(len=%zu) "
1793                "-> stream closed", stream->id, len);
1794    result = CURLE_HTTP3;
1795    goto out;
1796  }
1797  else if(ctx->shutdown_started) {
1798    CURL_TRC_CF(data, cf, "cannot send on closed connection");
1799    result = CURLE_SEND_ERROR;
1800    goto out;
1801  }
1802  else {
1803    result = Curl_bufq_write(&stream->sendbuf, buf, len, pnwritten);
1804    CURL_TRC_CF(data, cf, "[%" PRId64 "] cf_send, add to "
1805                "sendbuf(len=%zu) -> %d, %zu",
1806                stream->id, len, result, *pnwritten);
1807    if(result)
1808      goto out;
1809    (void)nghttp3_conn_resume_stream(ctx->h3conn, stream->id);
1810  }
1811
1812  if(*pnwritten > 0 && !ctx->tls_handshake_complete && ctx->use_earlydata)
1813    ctx->earlydata_skip += *pnwritten;
1814
1815  DEBUGASSERT(!result);
1816  result = cf_progress_egress(cf, data, &pktx);
1817
1818out:
1819  result = Curl_1st_fatal(result, check_and_set_expiry(cf, data, &pktx));
1820denied:
1821  CURL_TRC_CF(data, cf, "[%" PRId64 "] cf_send(len=%zu) -> %d, %zu",
1822              stream ? stream->id : -1, len, result, *pnwritten);
1823  CF_DATA_RESTORE(cf, save);
1824  return result;
1825}
1826
1827struct cf_ngtcp2_recv_ctx {
1828  struct pkt_io_ctx *pktx;
1829  size_t pkt_count;
1830};
1831
1832static CURLcode cf_ngtcp2_recv_pkts(const unsigned char *buf, size_t buflen,
1833                                    size_t gso_size,
1834                                    struct sockaddr_storage *remote_addr,
1835                                    socklen_t remote_addrlen, int ecn,
1836                                    void *userp)
1837{
1838  struct cf_ngtcp2_recv_ctx *rctx = userp;
1839  struct pkt_io_ctx *pktx = rctx->pktx;
1840  struct cf_ngtcp2_ctx *ctx = pktx->cf->ctx;
1841  ngtcp2_pkt_info pi;
1842  ngtcp2_path path;
1843  size_t offset, pktlen;
1844  int rv;
1845
1846  if(!rctx->pkt_count) {
1847    pktx_update_time(pktx->data, pktx, pktx->cf);
1848    ngtcp2_path_storage_zero(&pktx->ps);
1849  }
1850
1851  if(ecn)
1852    CURL_TRC_CF(pktx->data, pktx->cf, "vquic_recv(len=%zu, gso=%zu, ecn=%x)",
1853                buflen, gso_size, ecn);
1854  ngtcp2_addr_init(&path.local, (struct sockaddr *)&ctx->q.local_addr,
1855                   ctx->q.local_addrlen);
1856  ngtcp2_addr_init(&path.remote, (struct sockaddr *)remote_addr,
1857                   remote_addrlen);
1858  pi.ecn = (uint8_t)ecn;
1859
1860  for(offset = 0; offset < buflen; offset += gso_size) {
1861    rctx->pkt_count++;
1862    pktlen = ((offset + gso_size) <= buflen) ? gso_size : (buflen - offset);
1863    rv = ngtcp2_conn_read_pkt(ctx->qconn, &path, &pi,
1864                              buf + offset, pktlen, pktx->ts);
1865    if(rv) {
1866      CURL_TRC_CF(pktx->data, pktx->cf, "ingress, read_pkt -> %s (%d)",
1867                  ngtcp2_strerror(rv), rv);
1868      cf_ngtcp2_err_set(pktx->cf, pktx->data, rv);
1869
1870      if(rv == NGTCP2_ERR_CRYPTO)
1871        /* this is a "TLS problem", but a failed certificate verification
1872           is a common reason for this */
1873        return CURLE_PEER_FAILED_VERIFICATION;
1874      return CURLE_RECV_ERROR;
1875    }
1876  }
1877  return CURLE_OK;
1878}
1879
1880static CURLcode cf_progress_ingress(struct Curl_cfilter *cf,
1881                                    struct Curl_easy *data,
1882                                    struct pkt_io_ctx *pktx)
1883{
1884  struct cf_ngtcp2_ctx *ctx = cf->ctx;
1885  struct pkt_io_ctx local_pktx;
1886  struct cf_ngtcp2_recv_ctx rctx;
1887  CURLcode result = CURLE_OK;
1888
1889  if(!pktx) {
1890    pktx_init(&local_pktx, cf, data);
1891    pktx = &local_pktx;
1892  }
1893
1894  result = Curl_vquic_tls_before_recv(&ctx->tls, cf, data);
1895  if(result)
1896    return result;
1897
1898  rctx.pktx = pktx;
1899  rctx.pkt_count = 0;
1900  return vquic_recv_packets(cf, data, &ctx->q, 1000,
1901                            cf_ngtcp2_recv_pkts, &rctx);
1902}
1903
1904/**
1905 * Read a network packet to send from ngtcp2 into `buf`.
1906 * Return number of bytes written or -1 with *err set.
1907 */
1908static CURLcode read_pkt_to_send(void *userp,
1909                                 unsigned char *buf, size_t buflen,
1910                                 size_t *pnread)
1911{
1912  struct pkt_io_ctx *x = userp;
1913  struct cf_ngtcp2_ctx *ctx = x->cf->ctx;
1914  nghttp3_vec vec[16];
1915  nghttp3_ssize veccnt;
1916  ngtcp2_ssize ndatalen;
1917  uint32_t flags;
1918  int64_t stream_id;
1919  int fin;
1920  ssize_t n;
1921
1922  *pnread = 0;
1923  veccnt = 0;
1924  stream_id = -1;
1925  fin = 0;
1926
1927  /* ngtcp2 may want to put several frames from different streams into
1928   * this packet. `NGTCP2_WRITE_STREAM_FLAG_MORE` tells it to do so.
1929   * When `NGTCP2_ERR_WRITE_MORE` is returned, we *need* to make
1930   * another iteration.
1931   * When ngtcp2 is happy (because it has no other frame that would fit
1932   * or it has nothing more to send), it returns the total length
1933   * of the assembled packet. This may be 0 if there was nothing to send. */
1934  for(;;) {
1935
1936    if(ctx->h3conn && ngtcp2_conn_get_max_data_left(ctx->qconn)) {
1937      veccnt = nghttp3_conn_writev_stream(ctx->h3conn, &stream_id, &fin, vec,
1938                                          CURL_ARRAYSIZE(vec));
1939      if(veccnt < 0) {
1940        failf(x->data, "nghttp3_conn_writev_stream returned error: %s",
1941              nghttp3_strerror((int)veccnt));
1942        cf_ngtcp2_h3_err_set(x->cf, x->data, (int)veccnt);
1943        return CURLE_SEND_ERROR;
1944      }
1945    }
1946
1947    flags = NGTCP2_WRITE_STREAM_FLAG_MORE |
1948            (fin ? NGTCP2_WRITE_STREAM_FLAG_FIN : 0);
1949    n = ngtcp2_conn_writev_stream(ctx->qconn, &x->ps.path,
1950                                  NULL, buf, buflen,
1951                                  &ndatalen, flags, stream_id,
1952                                  (const ngtcp2_vec *)vec, veccnt, x->ts);
1953    if(n == 0) {
1954      /* nothing to send */
1955      return CURLE_AGAIN;
1956    }
1957    else if(n < 0) {
1958      switch(n) {
1959      case NGTCP2_ERR_STREAM_DATA_BLOCKED: {
1960        struct h3_stream_ctx *stream;
1961        DEBUGASSERT(ndatalen == -1);
1962        nghttp3_conn_block_stream(ctx->h3conn, stream_id);
1963        CURL_TRC_CF(x->data, x->cf, "[%" PRId64 "] block quic flow",
1964                    stream_id);
1965        stream = cf_ngtcp2_get_stream(ctx, stream_id);
1966        if(stream) /* it might be not one of our h3 streams? */
1967          stream->quic_flow_blocked = TRUE;
1968        n = 0;
1969        break;
1970      }
1971      case NGTCP2_ERR_STREAM_SHUT_WR:
1972        DEBUGASSERT(ndatalen == -1);
1973        nghttp3_conn_shutdown_stream_write(ctx->h3conn, stream_id);
1974        n = 0;
1975        break;
1976      case NGTCP2_ERR_WRITE_MORE:
1977        /* ngtcp2 wants to send more. update the flow of the stream whose data
1978         * is in the buffer and continue */
1979        DEBUGASSERT(ndatalen >= 0);
1980        n = 0;
1981        break;
1982      default:
1983        DEBUGASSERT(ndatalen == -1);
1984        failf(x->data, "ngtcp2_conn_writev_stream returned error: %s",
1985              ngtcp2_strerror((int)n));
1986        cf_ngtcp2_err_set(x->cf, x->data, (int)n);
1987        return CURLE_SEND_ERROR;
1988      }
1989    }
1990
1991    if(ndatalen >= 0) {
1992      /* we add the amount of data bytes to the flow windows */
1993      int rv = nghttp3_conn_add_write_offset(ctx->h3conn, stream_id, ndatalen);
1994      if(rv) {
1995        failf(x->data, "nghttp3_conn_add_write_offset returned error: %s",
1996              nghttp3_strerror(rv));
1997        return CURLE_SEND_ERROR;
1998      }
1999    }
2000
2001    if(n > 0) {
2002      /* packet assembled, leave */
2003      *pnread = (size_t)n;
2004      return CURLE_OK;
2005    }
2006  }
2007}
2008
2009static CURLcode cf_progress_egress(struct Curl_cfilter *cf,
2010                                   struct Curl_easy *data,
2011                                   struct pkt_io_ctx *pktx)
2012{
2013  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2014  size_t nread;
2015  size_t max_payload_size, path_max_payload_size;
2016  size_t pktcnt = 0;
2017  size_t gsolen = 0;  /* this disables gso until we have a clue */
2018  size_t send_quantum;
2019  CURLcode curlcode;
2020  struct pkt_io_ctx local_pktx;
2021
2022  if(!pktx) {
2023    pktx_init(&local_pktx, cf, data);
2024    pktx = &local_pktx;
2025  }
2026  else {
2027    pktx_update_time(data, pktx, cf);
2028    ngtcp2_path_storage_zero(&pktx->ps);
2029  }
2030
2031  curlcode = vquic_flush(cf, data, &ctx->q);
2032  if(curlcode) {
2033    if(curlcode == CURLE_AGAIN) {
2034      Curl_expire(data, 1, EXPIRE_QUIC);
2035      return CURLE_OK;
2036    }
2037    return curlcode;
2038  }
2039
2040  /* In UDP, there is a maximum theoretical packet payload length and
2041   * a minimum payload length that is "guaranteed" to work.
2042   * To detect if this minimum payload can be increased, ngtcp2 sends
2043   * now and then a packet payload larger than the minimum. It that
2044   * is ACKed by the peer, both parties know that it works and
2045   * the subsequent packets can use a larger one.
2046   * This is called PMTUD (Path Maximum Transmission Unit Discovery).
2047   * Since a PMTUD might be rejected right on send, we do not want it
2048   * be followed by other packets of lesser size. Because those would
2049   * also fail then. If we detect a PMTUD while buffering, we flush.
2050   */
2051  max_payload_size = ngtcp2_conn_get_max_tx_udp_payload_size(ctx->qconn);
2052  path_max_payload_size =
2053    ngtcp2_conn_get_path_max_tx_udp_payload_size(ctx->qconn);
2054  send_quantum = ngtcp2_conn_get_send_quantum(ctx->qconn);
2055  CURL_TRC_CF(data, cf, "egress, collect and send packets, quantum=%zu",
2056              send_quantum);
2057  for(;;) {
2058    /* add the next packet to send, if any, to our buffer */
2059    curlcode = Curl_bufq_sipn(&ctx->q.sendbuf, max_payload_size,
2060                              read_pkt_to_send, pktx, &nread);
2061    if(curlcode == CURLE_AGAIN)
2062      break;
2063    else if(curlcode)
2064      return curlcode;
2065    else {
2066      size_t buflen = Curl_bufq_len(&ctx->q.sendbuf);
2067      if((buflen >= send_quantum) ||
2068         ((buflen + gsolen) >= ctx->q.sendbuf.chunk_size))
2069        break;
2070      DEBUGASSERT(nread > 0);
2071      ++pktcnt;
2072      if(pktcnt == 1) {
2073        /* first packet in buffer. This is either of a known, "good"
2074         * payload size or it is a PMTUD. We shall see. */
2075        gsolen = nread;
2076      }
2077      else if(nread > gsolen ||
2078              (gsolen > path_max_payload_size && nread != gsolen)) {
2079        /* The added packet is a PMTUD *or* the one(s) before the
2080         * added were PMTUD and the last one is smaller.
2081         * Flush the buffer before the last add. */
2082        curlcode = vquic_send_tail_split(cf, data, &ctx->q,
2083                                         gsolen, nread, nread);
2084        if(curlcode) {
2085          if(curlcode == CURLE_AGAIN) {
2086            Curl_expire(data, 1, EXPIRE_QUIC);
2087            return CURLE_OK;
2088          }
2089          return curlcode;
2090        }
2091        pktcnt = 0;
2092      }
2093      else if(nread < gsolen) {
2094        /* Reached capacity of our buffer *or*
2095         * last add was shorter than the previous ones, flush */
2096        break;
2097      }
2098    }
2099  }
2100
2101  if(!Curl_bufq_is_empty(&ctx->q.sendbuf)) {
2102    /* time to send */
2103    CURL_TRC_CF(data, cf, "egress, send collected %zu packets in %zu bytes",
2104                pktcnt, Curl_bufq_len(&ctx->q.sendbuf));
2105    curlcode = vquic_send(cf, data, &ctx->q, gsolen);
2106    if(curlcode) {
2107      if(curlcode == CURLE_AGAIN) {
2108        Curl_expire(data, 1, EXPIRE_QUIC);
2109        return CURLE_OK;
2110      }
2111      return curlcode;
2112    }
2113    pktx_update_time(data, pktx, cf);
2114    ngtcp2_conn_update_pkt_tx_time(ctx->qconn, pktx->ts);
2115  }
2116  return CURLE_OK;
2117}
2118
2119static CURLcode h3_data_pause(struct Curl_cfilter *cf,
2120                              struct Curl_easy *data,
2121                              bool pause)
2122{
2123  /* There seems to exist no API in ngtcp2 to shrink/enlarge the streams
2124   * windows. As we do in HTTP/2. */
2125  (void)cf;
2126  if(!pause)
2127    Curl_multi_mark_dirty(data);
2128  return CURLE_OK;
2129}
2130
2131static CURLcode cf_ngtcp2_cntrl(struct Curl_cfilter *cf,
2132                                struct Curl_easy *data,
2133                                int event, int arg1, void *arg2)
2134{
2135  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2136  CURLcode result = CURLE_OK;
2137  struct cf_call_data save;
2138
2139  CF_DATA_SAVE(save, cf, data);
2140  (void)arg1;
2141  (void)arg2;
2142  switch(event) {
2143  case CF_CTRL_DATA_SETUP:
2144    break;
2145  case CF_CTRL_DATA_PAUSE:
2146    result = h3_data_pause(cf, data, (arg1 != 0));
2147    break;
2148  case CF_CTRL_DATA_DONE:
2149    h3_data_done(cf, data);
2150    break;
2151  case CF_CTRL_DATA_DONE_SEND: {
2152    struct h3_stream_ctx *stream = H3_STREAM_CTX(ctx, data);
2153    if(stream && !stream->send_closed) {
2154      stream->send_closed = TRUE;
2155      stream->upload_left = Curl_bufq_len(&stream->sendbuf) -
2156        stream->sendbuf_len_in_flight;
2157      (void)nghttp3_conn_resume_stream(ctx->h3conn, stream->id);
2158    }
2159    break;
2160  }
2161  case CF_CTRL_CONN_INFO_UPDATE:
2162    if(!cf->sockindex && cf->connected) {
2163      cf->conn->httpversion_seen = 30;
2164      Curl_conn_set_multiplex(cf->conn);
2165    }
2166    break;
2167  default:
2168    break;
2169  }
2170  CF_DATA_RESTORE(cf, save);
2171  return result;
2172}
2173
2174static void cf_ngtcp2_ctx_close(struct cf_ngtcp2_ctx *ctx)
2175{
2176  struct cf_call_data save = ctx->call_data;
2177
2178  if(!ctx->initialized)
2179    return;
2180  if(ctx->qlogfd != -1) {
2181    curlx_close(ctx->qlogfd);
2182  }
2183  ctx->qlogfd = -1;
2184  Curl_vquic_tls_cleanup(&ctx->tls);
2185  vquic_ctx_free(&ctx->q);
2186  if(ctx->h3conn) {
2187    nghttp3_conn_del(ctx->h3conn);
2188    ctx->h3conn = NULL;
2189  }
2190  if(ctx->qconn) {
2191    ngtcp2_conn_del(ctx->qconn);
2192    ctx->qconn = NULL;
2193  }
2194#ifdef OPENSSL_QUIC_API2
2195  if(ctx->ossl_ctx) {
2196    ngtcp2_crypto_ossl_ctx_del(ctx->ossl_ctx);
2197    ctx->ossl_ctx = NULL;
2198  }
2199#endif
2200  ctx->call_data = save;
2201}
2202
2203static CURLcode cf_ngtcp2_shutdown(struct Curl_cfilter *cf,
2204                                   struct Curl_easy *data, bool *done)
2205{
2206  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2207  struct cf_call_data save;
2208  struct pkt_io_ctx pktx;
2209  CURLcode result = CURLE_OK;
2210
2211  if(cf->shutdown || !ctx->qconn) {
2212    *done = TRUE;
2213    return CURLE_OK;
2214  }
2215
2216  CF_DATA_SAVE(save, cf, data);
2217  *done = FALSE;
2218  pktx_init(&pktx, cf, data);
2219
2220  if(!ctx->shutdown_started) {
2221    char buffer[NGTCP2_MAX_UDP_PAYLOAD_SIZE];
2222    ngtcp2_ssize nwritten;
2223
2224    if(!Curl_bufq_is_empty(&ctx->q.sendbuf)) {
2225      CURL_TRC_CF(data, cf, "shutdown, flushing sendbuf");
2226      result = cf_progress_egress(cf, data, &pktx);
2227      if(!Curl_bufq_is_empty(&ctx->q.sendbuf)) {
2228        CURL_TRC_CF(data, cf, "sending shutdown packets blocked");
2229        result = CURLE_OK;
2230        goto out;
2231      }
2232      else if(result) {
2233        CURL_TRC_CF(data, cf, "shutdown, error %d flushing sendbuf", result);
2234        *done = TRUE;
2235        goto out;
2236      }
2237    }
2238
2239    DEBUGASSERT(Curl_bufq_is_empty(&ctx->q.sendbuf));
2240    ctx->shutdown_started = TRUE;
2241    nwritten = ngtcp2_conn_write_connection_close(
2242      ctx->qconn, NULL, /* path */
2243      NULL, /* pkt_info */
2244      (uint8_t *)buffer, sizeof(buffer),
2245      &ctx->last_error, pktx.ts);
2246    CURL_TRC_CF(data, cf, "start shutdown(err_type=%d, err_code=%"
2247                PRIu64 ") -> %zd", ctx->last_error.type,
2248                ctx->last_error.error_code, (ssize_t)nwritten);
2249    /* there are cases listed in ngtcp2 documentation where this call
2250     * may fail. Since we are doing a connection shutdown as graceful
2251     * as we can, such an error is ignored here. */
2252    if(nwritten > 0) {
2253      /* Ignore amount written. sendbuf was empty and has always room for
2254       * NGTCP2_MAX_UDP_PAYLOAD_SIZE. It can only completely fail, in which
2255       * case `result` is set non zero. */
2256      size_t n;
2257      result = Curl_bufq_write(&ctx->q.sendbuf, (const unsigned char *)buffer,
2258                               (size_t)nwritten, &n);
2259      if(result) {
2260        CURL_TRC_CF(data, cf, "error %d adding shutdown packets to sendbuf, "
2261                    "aborting shutdown", result);
2262        goto out;
2263      }
2264
2265      ctx->q.no_gso = TRUE;
2266      ctx->q.gsolen = (size_t)nwritten;
2267      ctx->q.split_len = 0;
2268    }
2269  }
2270
2271  if(!Curl_bufq_is_empty(&ctx->q.sendbuf)) {
2272    CURL_TRC_CF(data, cf, "shutdown, flushing egress");
2273    result = vquic_flush(cf, data, &ctx->q);
2274    if(result == CURLE_AGAIN) {
2275      CURL_TRC_CF(data, cf, "sending shutdown packets blocked");
2276      result = CURLE_OK;
2277      goto out;
2278    }
2279    else if(result) {
2280      CURL_TRC_CF(data, cf, "shutdown, error %d flushing sendbuf", result);
2281      *done = TRUE;
2282      goto out;
2283    }
2284  }
2285
2286  if(Curl_bufq_is_empty(&ctx->q.sendbuf)) {
2287    /* Sent everything off. ngtcp2 seems to have no support for graceful
2288     * shutdowns. We are done. */
2289    CURL_TRC_CF(data, cf, "shutdown completely sent off, done");
2290    *done = TRUE;
2291    result = CURLE_OK;
2292  }
2293out:
2294  CF_DATA_RESTORE(cf, save);
2295  return result;
2296}
2297
2298static void cf_ngtcp2_conn_close(struct Curl_cfilter *cf,
2299                                 struct Curl_easy *data)
2300{
2301  bool done;
2302  cf_ngtcp2_shutdown(cf, data, &done);
2303}
2304
2305static void cf_ngtcp2_close(struct Curl_cfilter *cf, struct Curl_easy *data)
2306{
2307  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2308  struct cf_call_data save;
2309
2310  CF_DATA_SAVE(save, cf, data);
2311  if(ctx && ctx->qconn) {
2312    cf_ngtcp2_conn_close(cf, data);
2313    cf_ngtcp2_ctx_close(ctx);
2314    CURL_TRC_CF(data, cf, "close");
2315  }
2316  cf->connected = FALSE;
2317  CF_DATA_RESTORE(cf, save);
2318}
2319
2320static void cf_ngtcp2_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
2321{
2322  CURL_TRC_CF(data, cf, "destroy");
2323  if(cf->ctx) {
2324    cf_ngtcp2_close(cf, data);
2325    cf_ngtcp2_ctx_free(cf->ctx);
2326    cf->ctx = NULL;
2327  }
2328}
2329
2330#ifdef USE_OPENSSL
2331/* The "new session" callback must return zero if the session can be removed
2332 * or non-zero if the session has been put into the session cache.
2333 */
2334static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
2335{
2336  struct Curl_cfilter *cf;
2337  struct cf_ngtcp2_ctx *ctx;
2338  struct Curl_easy *data;
2339  ngtcp2_crypto_conn_ref *cref;
2340
2341  cref = (ngtcp2_crypto_conn_ref *)SSL_get_app_data(ssl);
2342  cf = cref ? cref->user_data : NULL;
2343  ctx = cf ? cf->ctx : NULL;
2344  data = cf ? CF_DATA_CURRENT(cf) : NULL;
2345  if(cf && data && ctx) {
2346    unsigned char *quic_tp = NULL;
2347    size_t quic_tp_len = 0;
2348#ifdef HAVE_OPENSSL_EARLYDATA
2349    ngtcp2_ssize tplen;
2350    uint8_t tpbuf[256];
2351
2352    tplen = ngtcp2_conn_encode_0rtt_transport_params(ctx->qconn, tpbuf,
2353                                                     sizeof(tpbuf));
2354    if(tplen < 0)
2355      CURL_TRC_CF(data, cf, "error encoding 0RTT transport data: %s",
2356                  ngtcp2_strerror((int)tplen));
2357    else {
2358      quic_tp = (unsigned char *)tpbuf;
2359      quic_tp_len = (size_t)tplen;
2360    }
2361#endif
2362    Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid,
2363                          SSL_version(ssl), "h3", quic_tp, quic_tp_len);
2364  }
2365  return 0;
2366}
2367#endif /* USE_OPENSSL */
2368
2369#ifdef USE_GNUTLS
2370
2371#ifdef CURLVERBOSE
2372static const char *gtls_hs_msg_name(int mtype)
2373{
2374  switch(mtype) {
2375  case 1:
2376    return "ClientHello";
2377  case 2:
2378    return "ServerHello";
2379  case 4:
2380    return "SessionTicket";
2381  case 8:
2382    return "EncryptedExtensions";
2383  case 11:
2384    return "Certificate";
2385  case 13:
2386    return "CertificateRequest";
2387  case 15:
2388    return "CertificateVerify";
2389  case 20:
2390    return "Finished";
2391  case 24:
2392    return "KeyUpdate";
2393  case 254:
2394    return "MessageHash";
2395  }
2396  return "Unknown";
2397}
2398#endif
2399
2400static int quic_gtls_handshake_cb(gnutls_session_t session, unsigned int htype,
2401                                  unsigned when, unsigned int incoming,
2402                                  const gnutls_datum_t *msg)
2403{
2404  ngtcp2_crypto_conn_ref *conn_ref = gnutls_session_get_ptr(session);
2405  struct Curl_cfilter *cf = conn_ref ? conn_ref->user_data : NULL;
2406  struct cf_ngtcp2_ctx *ctx = cf ? cf->ctx : NULL;
2407
2408  (void)msg;
2409  (void)incoming;
2410  if(when && cf && ctx) { /* after message has been processed */
2411    struct Curl_easy *data = CF_DATA_CURRENT(cf);
2412    DEBUGASSERT(data);
2413    if(!data)
2414      return 0;
2415    CURL_TRC_CF(data, cf, "SSL message: %s %s [%u]",
2416                incoming ? "<-" : "->", gtls_hs_msg_name(htype), htype);
2417    switch(htype) {
2418    case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: {
2419      ngtcp2_ssize tplen;
2420      uint8_t tpbuf[256];
2421      unsigned char *quic_tp = NULL;
2422      size_t quic_tp_len = 0;
2423
2424      tplen = ngtcp2_conn_encode_0rtt_transport_params(ctx->qconn, tpbuf,
2425                                                       sizeof(tpbuf));
2426      if(tplen < 0)
2427        CURL_TRC_CF(data, cf, "error encoding 0RTT transport data: %s",
2428                    ngtcp2_strerror((int)tplen));
2429      else {
2430        quic_tp = (unsigned char *)tpbuf;
2431        quic_tp_len = (size_t)tplen;
2432      }
2433      (void)Curl_gtls_cache_session(cf, data, ctx->peer.scache_key,
2434                                    session, 0, "h3", quic_tp, quic_tp_len);
2435      break;
2436    }
2437    default:
2438      break;
2439    }
2440  }
2441  return 0;
2442}
2443#endif /* USE_GNUTLS */
2444
2445#ifdef USE_WOLFSSL
2446static int wssl_quic_new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session)
2447{
2448  ngtcp2_crypto_conn_ref *conn_ref = wolfSSL_get_app_data(ssl);
2449  struct Curl_cfilter *cf = conn_ref ? conn_ref->user_data : NULL;
2450
2451  DEBUGASSERT(cf != NULL);
2452  if(cf && session) {
2453    struct cf_ngtcp2_ctx *ctx = cf->ctx;
2454    struct Curl_easy *data = CF_DATA_CURRENT(cf);
2455    DEBUGASSERT(data);
2456    if(data && ctx) {
2457      ngtcp2_ssize tplen;
2458      uint8_t tpbuf[256];
2459      unsigned char *quic_tp = NULL;
2460      size_t quic_tp_len = 0;
2461
2462      tplen = ngtcp2_conn_encode_0rtt_transport_params(ctx->qconn, tpbuf,
2463                                                       sizeof(tpbuf));
2464      if(tplen < 0)
2465        CURL_TRC_CF(data, cf, "error encoding 0RTT transport data: %s",
2466                    ngtcp2_strerror((int)tplen));
2467      else {
2468        quic_tp = (unsigned char *)tpbuf;
2469        quic_tp_len = (size_t)tplen;
2470      }
2471      (void)Curl_wssl_cache_session(cf, data, ctx->peer.scache_key,
2472                                    session, wolfSSL_version(ssl),
2473                                    "h3", quic_tp, quic_tp_len);
2474    }
2475  }
2476  return 0;
2477}
2478#endif /* USE_WOLFSSL */
2479
2480static CURLcode cf_ngtcp2_tls_ctx_setup(struct Curl_cfilter *cf,
2481                                        struct Curl_easy *data,
2482                                        void *user_data)
2483{
2484  struct curl_tls_ctx *ctx = user_data;
2485
2486#ifdef USE_OPENSSL
2487#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
2488  if(ngtcp2_crypto_boringssl_configure_client_context(ctx->ossl.ssl_ctx)
2489     != 0) {
2490    failf(data, "ngtcp2_crypto_boringssl_configure_client_context failed");
2491    return CURLE_FAILED_INIT;
2492  }
2493#elif defined(OPENSSL_QUIC_API2)
2494  /* nothing to do */
2495#else
2496  if(ngtcp2_crypto_quictls_configure_client_context(ctx->ossl.ssl_ctx) != 0) {
2497    failf(data, "ngtcp2_crypto_quictls_configure_client_context failed");
2498    return CURLE_FAILED_INIT;
2499  }
2500#endif /* !OPENSSL_IS_AWSLC && !OPENSSL_IS_BORINGSSL */
2501  if(Curl_ssl_scache_use(cf, data)) {
2502    /* Enable the session cache because it is a prerequisite for the
2503     * "new session" callback. Use the "external storage" mode to prevent
2504     * OpenSSL from creating an internal session cache.
2505     */
2506    SSL_CTX_set_session_cache_mode(ctx->ossl.ssl_ctx,
2507                                   SSL_SESS_CACHE_CLIENT |
2508                                   SSL_SESS_CACHE_NO_INTERNAL);
2509    SSL_CTX_sess_set_new_cb(ctx->ossl.ssl_ctx, quic_ossl_new_session_cb);
2510  }
2511
2512#elif defined(USE_GNUTLS)
2513  if(ngtcp2_crypto_gnutls_configure_client_session(ctx->gtls.session) != 0) {
2514    failf(data, "ngtcp2_crypto_gnutls_configure_client_session failed");
2515    return CURLE_FAILED_INIT;
2516  }
2517  if(Curl_ssl_scache_use(cf, data)) {
2518    gnutls_handshake_set_hook_function(ctx->gtls.session,
2519                                       GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST,
2520                                       quic_gtls_handshake_cb);
2521  }
2522
2523#elif defined(USE_WOLFSSL)
2524  if(ngtcp2_crypto_wolfssl_configure_client_context(ctx->wssl.ssl_ctx) != 0) {
2525    failf(data, "ngtcp2_crypto_wolfssl_configure_client_context failed");
2526    return CURLE_FAILED_INIT;
2527  }
2528  if(Curl_ssl_scache_use(cf, data)) {
2529    /* Register to get notified when a new session is received */
2530    wolfSSL_CTX_sess_set_new_cb(ctx->wssl.ssl_ctx, wssl_quic_new_session_cb);
2531  }
2532#endif
2533  return CURLE_OK;
2534}
2535
2536static CURLcode cf_ngtcp2_on_session_reuse(struct Curl_cfilter *cf,
2537                                           struct Curl_easy *data,
2538                                           struct alpn_spec *alpns,
2539                                           struct Curl_ssl_session *scs,
2540                                           bool *do_early_data)
2541{
2542  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2543  CURLcode result = CURLE_OK;
2544
2545  *do_early_data = FALSE;
2546#if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_EARLYDATA)
2547  ctx->earlydata_max = scs->earlydata_max;
2548#endif
2549#ifdef USE_GNUTLS
2550  ctx->earlydata_max =
2551    gnutls_record_get_max_early_data_size(ctx->tls.gtls.session);
2552#endif
2553#ifdef USE_WOLFSSL
2554#ifdef WOLFSSL_EARLY_DATA
2555  ctx->earlydata_max = scs->earlydata_max;
2556#else
2557  ctx->earlydata_max = 0;
2558#endif /* WOLFSSL_EARLY_DATA */
2559#endif
2560#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
2561  (defined(USE_OPENSSL) && defined(HAVE_OPENSSL_EARLYDATA))
2562  if(!ctx->earlydata_max) {
2563    CURL_TRC_CF(data, cf, "SSL session does not allow earlydata");
2564  }
2565  else if(!Curl_alpn_contains_proto(alpns, scs->alpn)) {
2566    CURL_TRC_CF(data, cf, "SSL session from different ALPN, no early data");
2567  }
2568  else if(!scs->quic_tp || !scs->quic_tp_len) {
2569    CURL_TRC_CF(data, cf, "no 0RTT transport parameters, no early data, ");
2570  }
2571  else {
2572    int rv;
2573    rv = ngtcp2_conn_decode_and_set_0rtt_transport_params(
2574      ctx->qconn, (const uint8_t *)scs->quic_tp, scs->quic_tp_len);
2575    if(rv)
2576      CURL_TRC_CF(data, cf, "no early data, failed to set 0RTT transport "
2577                  "parameters: %s", ngtcp2_strerror(rv));
2578    else {
2579      infof(data, "SSL session allows %zu bytes of early data, "
2580            "reusing ALPN '%s'", ctx->earlydata_max, scs->alpn);
2581      result = init_ngh3_conn(cf, data);
2582      if(!result) {
2583        ctx->use_earlydata = TRUE;
2584        cf->connected = TRUE;
2585        *do_early_data = TRUE;
2586      }
2587    }
2588  }
2589#else /* not supported in the TLS backend */
2590  (void)data;
2591  (void)ctx;
2592  (void)scs;
2593  (void)alpns;
2594#endif
2595  return result;
2596}
2597
2598static bool cf_ngtcp2_need_httpsrr(struct Curl_easy *data)
2599{
2600#ifdef USE_OPENSSL
2601  return Curl_ossl_need_httpsrr(data);
2602#elif defined(USE_WOLFSSL)
2603  return Curl_wssl_need_httpsrr(data);
2604#else
2605  (void)data;
2606  return FALSE;
2607#endif
2608}
2609
2610/*
2611 * Might be called twice for happy eyeballs.
2612 */
2613static CURLcode cf_connect_start(struct Curl_cfilter *cf,
2614                                 struct Curl_easy *data,
2615                                 struct pkt_io_ctx *pktx)
2616{
2617  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2618  int rc;
2619  int rv;
2620  CURLcode result;
2621  const struct Curl_sockaddr_ex *sockaddr = NULL;
2622  int qfd;
2623  static const struct alpn_spec ALPN_SPEC_H3 = { { "h3", "h3-29" }, 2 };
2624
2625  DEBUGASSERT(ctx->initialized);
2626  ctx->dcid.datalen = NGTCP2_MAX_CIDLEN;
2627  result = Curl_rand(data, ctx->dcid.data, NGTCP2_MAX_CIDLEN);
2628  if(result)
2629    return result;
2630
2631  ctx->scid.datalen = NGTCP2_MAX_CIDLEN;
2632  result = Curl_rand(data, ctx->scid.data, NGTCP2_MAX_CIDLEN);
2633  if(result)
2634    return result;
2635
2636  (void)Curl_qlogdir(data, ctx->scid.data, NGTCP2_MAX_CIDLEN, &qfd);
2637  ctx->qlogfd = qfd; /* -1 if failure above */
2638  quic_settings(ctx, data, pktx);
2639
2640  result = vquic_ctx_init(data, &ctx->q);
2641  if(result)
2642    return result;
2643
2644  if(Curl_cf_socket_peek(cf->next, data, &ctx->q.sockfd, &sockaddr, NULL))
2645    return CURLE_QUIC_CONNECT_ERROR;
2646  ctx->q.local_addrlen = sizeof(ctx->q.local_addr);
2647  rv = getsockname(ctx->q.sockfd, (struct sockaddr *)&ctx->q.local_addr,
2648                   &ctx->q.local_addrlen);
2649  if(rv == -1)
2650    return CURLE_QUIC_CONNECT_ERROR;
2651
2652  ngtcp2_addr_init(&ctx->connected_path.local,
2653                   (struct sockaddr *)&ctx->q.local_addr,
2654                   ctx->q.local_addrlen);
2655  ngtcp2_addr_init(&ctx->connected_path.remote,
2656                   &sockaddr->curl_sa_addr, (socklen_t)sockaddr->addrlen);
2657
2658  rc = ngtcp2_conn_client_new(&ctx->qconn, &ctx->dcid, &ctx->scid,
2659                              &ctx->connected_path,
2660                              NGTCP2_PROTO_VER_V1, &ng_callbacks,
2661                              &ctx->settings, &ctx->transport_params,
2662                              Curl_ngtcp2_mem(), cf);
2663  if(rc)
2664    return CURLE_QUIC_CONNECT_ERROR;
2665
2666  ctx->conn_ref.get_conn = get_conn;
2667  ctx->conn_ref.user_data = cf;
2668
2669  result = Curl_vquic_tls_init(&ctx->tls, cf, data, &ctx->peer, &ALPN_SPEC_H3,
2670                               cf_ngtcp2_tls_ctx_setup, &ctx->tls,
2671                               &ctx->conn_ref,
2672                               cf_ngtcp2_on_session_reuse);
2673  if(result)
2674    return result;
2675
2676#if defined(USE_OPENSSL) && defined(OPENSSL_QUIC_API2)
2677  if(ngtcp2_crypto_ossl_ctx_new(&ctx->ossl_ctx, ctx->tls.ossl.ssl) != 0) {
2678    failf(data, "ngtcp2_crypto_ossl_ctx_new failed");
2679    return CURLE_FAILED_INIT;
2680  }
2681  ngtcp2_conn_set_tls_native_handle(ctx->qconn, ctx->ossl_ctx);
2682  if(ngtcp2_crypto_ossl_configure_client_session(ctx->tls.ossl.ssl) != 0) {
2683    failf(data, "ngtcp2_crypto_ossl_configure_client_session failed");
2684    return CURLE_FAILED_INIT;
2685  }
2686#elif defined(USE_OPENSSL)
2687  SSL_set_quic_use_legacy_codepoint(ctx->tls.ossl.ssl, 0);
2688  ngtcp2_conn_set_tls_native_handle(ctx->qconn, ctx->tls.ossl.ssl);
2689#elif defined(USE_GNUTLS)
2690  ngtcp2_conn_set_tls_native_handle(ctx->qconn, ctx->tls.gtls.session);
2691#elif defined(USE_WOLFSSL)
2692  ngtcp2_conn_set_tls_native_handle(ctx->qconn, ctx->tls.wssl.ssl);
2693#else
2694#error "ngtcp2 TLS backend not defined"
2695#endif
2696
2697  ngtcp2_ccerr_default(&ctx->last_error);
2698
2699  return CURLE_OK;
2700}
2701
2702static CURLcode cf_ngtcp2_connect(struct Curl_cfilter *cf,
2703                                  struct Curl_easy *data,
2704                                  bool *done)
2705{
2706  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2707  CURLcode result = CURLE_OK;
2708  struct cf_call_data save;
2709  struct pkt_io_ctx pktx;
2710
2711  if(cf->connected) {
2712    *done = TRUE;
2713    return CURLE_OK;
2714  }
2715
2716  /* Connect the UDP filter first */
2717  if(!cf->next->connected) {
2718    result = Curl_conn_cf_connect(cf->next, data, done);
2719    if(result || !*done)
2720      return result;
2721  }
2722
2723  *done = FALSE;
2724
2725  if(cf_ngtcp2_need_httpsrr(data) &&
2726     !Curl_conn_dns_resolved_https(data, cf->sockindex)) {
2727    CURL_TRC_CF(data, cf, "need HTTPS-RR, delaying connect");
2728    return CURLE_OK;
2729  }
2730
2731  pktx_init(&pktx, cf, data);
2732  CF_DATA_SAVE(save, cf, data);
2733
2734  if(!ctx->qconn) {
2735    ctx->started_at = *Curl_pgrs_now(data);
2736    result = cf_connect_start(cf, data, &pktx);
2737    if(result)
2738      goto out;
2739    if(cf->connected) {
2740      *done = TRUE;
2741      goto out;
2742    }
2743    result = cf_progress_egress(cf, data, &pktx);
2744    /* we do not expect to be able to recv anything yet */
2745    goto out;
2746  }
2747
2748  result = cf_progress_ingress(cf, data, &pktx);
2749  if(result)
2750    goto out;
2751
2752  result = cf_progress_egress(cf, data, &pktx);
2753  if(result)
2754    goto out;
2755
2756  if(ngtcp2_conn_get_handshake_completed(ctx->qconn)) {
2757    result = ctx->tls_vrfy_result;
2758    if(!result) {
2759      CURL_TRC_CF(data, cf, "peer verified");
2760      cf->connected = TRUE;
2761      *done = TRUE;
2762    }
2763  }
2764
2765out:
2766  if(ctx->qconn &&
2767     ((result == CURLE_RECV_ERROR) || (result == CURLE_SEND_ERROR)) &&
2768     ngtcp2_conn_in_draining_period(ctx->qconn)) {
2769    const ngtcp2_ccerr *cerr = ngtcp2_conn_get_ccerr(ctx->qconn);
2770
2771    result = CURLE_COULDNT_CONNECT;
2772    if(cerr) {
2773      CURL_TRC_CF(data, cf, "connect error, type=%d, code=%" PRIu64,
2774                  cerr->type, cerr->error_code);
2775      switch(cerr->type) {
2776      case NGTCP2_CCERR_TYPE_VERSION_NEGOTIATION:
2777        CURL_TRC_CF(data, cf, "error in version negotiation");
2778        break;
2779      default:
2780        if(cerr->error_code >= NGTCP2_CRYPTO_ERROR) {
2781          CURL_TRC_CF(data, cf, "crypto error, tls alert=%u",
2782                      (unsigned int)(cerr->error_code & 0xffU));
2783        }
2784        else if(cerr->error_code == NGTCP2_CONNECTION_REFUSED) {
2785          CURL_TRC_CF(data, cf, "connection refused by server");
2786          /* When a QUIC server instance is shutting down, it may send us a
2787           * CONNECTION_CLOSE with this code right away. We want
2788           * to keep on trying in this case. */
2789          result = CURLE_WEIRD_SERVER_REPLY;
2790        }
2791      }
2792    }
2793  }
2794
2795#ifdef CURLVERBOSE
2796  if(result) {
2797    struct ip_quadruple ip;
2798
2799    if(!Curl_cf_socket_peek(cf->next, data, NULL, NULL, &ip))
2800      infof(data, "QUIC connect to %s port %u failed: %s",
2801            ip.remote_ip, ip.remote_port, curl_easy_strerror(result));
2802  }
2803#endif
2804  if(!result && ctx->qconn) {
2805    result = check_and_set_expiry(cf, data, &pktx);
2806  }
2807  if(result || *done)
2808    CURL_TRC_CF(data, cf, "connect -> %d, done=%d", result, *done);
2809  CF_DATA_RESTORE(cf, save);
2810  return result;
2811}
2812
2813static CURLcode cf_ngtcp2_query(struct Curl_cfilter *cf,
2814                                struct Curl_easy *data,
2815                                int query, int *pres1, void *pres2)
2816{
2817  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2818  struct cf_call_data save;
2819
2820  switch(query) {
2821  case CF_QUERY_MAX_CONCURRENT: {
2822    DEBUGASSERT(pres1);
2823    CF_DATA_SAVE(save, cf, data);
2824    /* Set after transport params arrived and continually updated
2825     * by callback. QUIC counts the number over the lifetime of the
2826     * connection, ever increasing.
2827     * We count the *open* transfers plus the budget for new ones. */
2828    if(!ctx->qconn || ctx->shutdown_started) {
2829      *pres1 = 0;
2830    }
2831    else if(ctx->max_bidi_streams) {
2832      uint64_t avail_bidi_streams = 0;
2833      uint64_t max_streams = cf->conn->attached_xfers;
2834      if(ctx->max_bidi_streams > ctx->used_bidi_streams)
2835        avail_bidi_streams = ctx->max_bidi_streams - ctx->used_bidi_streams;
2836      max_streams += avail_bidi_streams;
2837      *pres1 = (max_streams > INT_MAX) ? INT_MAX : (int)max_streams;
2838    }
2839    else  /* transport params not arrived yet? take our default. */
2840      *pres1 = (int)Curl_multi_max_concurrent_streams(data->multi);
2841    CURL_TRC_CF(data, cf, "query conn[%" FMT_OFF_T "]: "
2842                "MAX_CONCURRENT -> %d (%u in use)",
2843                cf->conn->connection_id, *pres1, cf->conn->attached_xfers);
2844    CF_DATA_RESTORE(cf, save);
2845    return CURLE_OK;
2846  }
2847  case CF_QUERY_CONNECT_REPLY_MS:
2848    if(ctx->q.got_first_byte) {
2849      timediff_t ms = curlx_ptimediff_ms(&ctx->q.first_byte_at,
2850                                         &ctx->started_at);
2851      *pres1 = (ms < INT_MAX) ? (int)ms : INT_MAX;
2852    }
2853    else
2854      *pres1 = -1;
2855    return CURLE_OK;
2856  case CF_QUERY_TIMER_CONNECT: {
2857    struct curltime *when = pres2;
2858    if(ctx->q.got_first_byte)
2859      *when = ctx->q.first_byte_at;
2860    return CURLE_OK;
2861  }
2862  case CF_QUERY_TIMER_APPCONNECT: {
2863    struct curltime *when = pres2;
2864    if(cf->connected)
2865      *when = ctx->handshake_at;
2866    return CURLE_OK;
2867  }
2868  case CF_QUERY_HTTP_VERSION:
2869    *pres1 = 30;
2870    return CURLE_OK;
2871  case CF_QUERY_SSL_INFO:
2872  case CF_QUERY_SSL_CTX_INFO: {
2873    struct curl_tlssessioninfo *info = pres2;
2874    if(Curl_vquic_tls_get_ssl_info(&ctx->tls,
2875                                   (query == CF_QUERY_SSL_CTX_INFO), info))
2876      return CURLE_OK;
2877    break;
2878  }
2879  case CF_QUERY_ALPN_NEGOTIATED: {
2880    const char **palpn = pres2;
2881    DEBUGASSERT(palpn);
2882    *palpn = cf->connected ? "h3" : NULL;
2883    return CURLE_OK;
2884  }
2885  default:
2886    break;
2887  }
2888  return cf->next ?
2889    cf->next->cft->query(cf->next, data, query, pres1, pres2) :
2890    CURLE_UNKNOWN_OPTION;
2891}
2892
2893static bool cf_ngtcp2_conn_is_alive(struct Curl_cfilter *cf,
2894                                    struct Curl_easy *data,
2895                                    bool *input_pending)
2896{
2897  struct cf_ngtcp2_ctx *ctx = cf->ctx;
2898  bool alive = FALSE;
2899  const ngtcp2_transport_params *rp;
2900  struct cf_call_data save;
2901
2902  CF_DATA_SAVE(save, cf, data);
2903  *input_pending = FALSE;
2904  if(!ctx->qconn || ctx->shutdown_started)
2905    goto out;
2906
2907  /* We do not announce a max idle timeout, but when the peer does
2908   * it closes the connection when it expires. */
2909  rp = ngtcp2_conn_get_remote_transport_params(ctx->qconn);
2910  if(rp && rp->max_idle_timeout) {
2911    timediff_t idletime_ms =
2912      curlx_ptimediff_ms(Curl_pgrs_now(data), &ctx->q.last_io);
2913    if(idletime_ms > 0) {
2914      uint64_t max_idle_ms =
2915        (uint64_t)(rp->max_idle_timeout / NGTCP2_MILLISECONDS);
2916      if((uint64_t)idletime_ms > max_idle_ms)
2917        goto out;
2918    }
2919  }
2920
2921  if(!cf->next || !cf->next->cft->is_alive(cf->next, data, input_pending))
2922    goto out;
2923
2924  alive = TRUE;
2925  if(*input_pending) {
2926    CURLcode result;
2927    /* This happens before we have sent off a request and the connection is
2928       not in use by any other transfer, there should not be any data here,
2929       only "protocol frames" */
2930    *input_pending = FALSE;
2931    result = cf_progress_ingress(cf, data, NULL);
2932    CURL_TRC_CF(data, cf, "is_alive, progress ingress -> %d", result);
2933    alive = result ? FALSE : TRUE;
2934  }
2935
2936out:
2937  CF_DATA_RESTORE(cf, save);
2938  return alive;
2939}
2940
2941struct Curl_cftype Curl_cft_http3 = {
2942  "HTTP/3",
2943  CF_TYPE_IP_CONNECT | CF_TYPE_SSL | CF_TYPE_MULTIPLEX | CF_TYPE_HTTP,
2944  0,
2945  cf_ngtcp2_destroy,
2946  cf_ngtcp2_connect,
2947  cf_ngtcp2_close,
2948  cf_ngtcp2_shutdown,
2949  cf_ngtcp2_adjust_pollset,
2950  Curl_cf_def_data_pending,
2951  cf_ngtcp2_send,
2952  cf_ngtcp2_recv,
2953  cf_ngtcp2_cntrl,
2954  cf_ngtcp2_conn_is_alive,
2955  Curl_cf_def_conn_keep_alive,
2956  cf_ngtcp2_query,
2957};
2958
2959CURLcode Curl_cf_ngtcp2_create(struct Curl_cfilter **pcf,
2960                               struct Curl_easy *data,
2961                               struct connectdata *conn,
2962                               struct Curl_sockaddr_ex *addr)
2963{
2964  struct cf_ngtcp2_ctx *ctx = NULL;
2965  struct Curl_cfilter *cf = NULL;
2966  CURLcode result;
2967
2968  ctx = curlx_calloc(1, sizeof(*ctx));
2969  if(!ctx) {
2970    result = CURLE_OUT_OF_MEMORY;
2971    goto out;
2972  }
2973  cf_ngtcp2_ctx_init(ctx);
2974
2975  result = Curl_cf_create(&cf, &Curl_cft_http3, ctx);
2976  if(result)
2977    goto out;
2978  cf->conn = conn;
2979
2980  result = Curl_cf_udp_create(&cf->next, data, conn, addr, TRNSPRT_QUIC);
2981  if(result)
2982    goto out;
2983  cf->next->conn = cf->conn;
2984  cf->next->sockindex = cf->sockindex;
2985
2986out:
2987  *pcf = (!result) ? cf : NULL;
2988  if(result) {
2989    if(cf)
2990      Curl_conn_cf_discard_chain(&cf, data);
2991    else if(ctx)
2992      cf_ngtcp2_ctx_free(ctx);
2993  }
2994  return result;
2995}
2996
2997#endif