1QUIC API Overview 2================= 3 4This document sets out the objectives of the QUIC API design process, describes 5the new and changed APIs, and the design constraints motivating those API 6designs and the relevant design decisions. 7 8- [QUIC API Overview](#quic-api-overview) 9 * [Overview and Implementation Status](#overview-and-implementation-status) 10 * [Objectives](#objectives) 11 * [SSL Objects](#ssl-objects) 12 + [Structure of Documentation](#structure-of-documentation) 13 + [Existing APIs](#existing-apis) 14 - [`SSL_set_connect_state`](#-ssl-set-connect-state-) 15 - [`SSL_set_accept_state`](#-ssl-set-accept-state-) 16 - [`SSL_is_server`](#-ssl-is-server-) 17 - [`SSL_connect`](#-ssl-connect-) 18 - [`SSL_accept`](#-ssl-accept-) 19 - [`SSL_do_handshake`](#-ssl-do-handshake-) 20 - [`SSL_read`, `SSL_read_ex`, `SSL_peek`, `SSL_peek_ex`](#-ssl-read----ssl-read-ex----ssl-peek----ssl-peek-ex-) 21 - [`SSL_write`, `SSL_write_ex`](#-ssl-write----ssl-write-ex-) 22 - [`SSL_pending`](#-ssl-pending-) 23 - [`SSL_has_pending`](#-ssl-has-pending-) 24 - [`SSL_shutdown`](#-ssl-shutdown-) 25 - [`SSL_clear`](#-ssl-clear-) 26 - [`SSL_free`](#-ssl-free-) 27 - [`SSL_set0_rbio`, `SSL_set0_wbio`, `SSL_set_bio`](#-ssl-set0-rbio----ssl-set0-wbio----ssl-set-bio-) 28 - [`SSL_set_[rw]fd`](#-ssl-set--rw-fd-) 29 - [`SSL_get_[rw]fd`](#-ssl-get--rw-fd-) 30 - [`SSL_CTRL_MODE`, `SSL_CTRL_CLEAR_MODE`](#-ssl-ctrl-mode----ssl-ctrl-clear-mode-) 31 - [SSL Modes](#ssl-modes) 32 + [New APIs for Single-Stream Operation](#new-apis-for-single-stream-operation) 33 - [`SSL_handle_events`](#-ssl-handle-events-) 34 - [`SSL_get_event_timeout`](#-ssl-get-event-timeout-) 35 - [`SSL_set_blocking_mode`, `SSL_get_blocking_mode`](#-ssl-set-blocking-mode----ssl-get-blocking-mode-) 36 - [`SSL_get_rpoll_descriptor`, `SSL_get_wpoll_descriptor`](#-ssl-get-rpoll-descriptor----ssl-get-wpoll-descriptor-) 37 - [`SSL_net_read_desired`, `SSL_net_write_desired`](#-ssl-want-net-read----ssl-want-net-write-) 38 - [`SSL_want`, `SSL_want_read`, `SSL_want_write`](#-ssl-want----ssl-want-read----ssl-want-write-) 39 - [`SSL_set1_initial_peer_addr`](#-ssl-set-initial-peer-addr-) 40 - [`SSL_shutdown_ex`](#-ssl-shutdown-ex-) 41 - [`SSL_stream_conclude`](#-ssl-stream-conclude-) 42 - [`SSL_stream_reset`](#-ssl-stream-reset-) 43 - [`SSL_get_stream_state`](#-ssl-get-stream-state-) 44 - [`SSL_get_stream_read_error_code`, `SSL_get_stream_write_error_code`](#-ssl-get-stream-read-error-code----ssl-get-stream-write-error-code-) 45 - [`SSL_get_conn_close_info`](#-ssl-get-conn-close-info-) 46 + [New APIs for Multi-Stream Operation](#new-apis-for-multi-stream-operation) 47 - [Notes on Multi-Threaded Operation](#notes-on-multi-threaded-operation) 48 - [Notes on Blocking](#notes-on-blocking) 49 - [Notes on Application-Level Polling](#notes-on-application-level-polling) 50 - [`SSL_get0_connection`](#-ssl-get0-connection-) 51 - [`SSL_is_connection`](#-ssl-is-connection-) 52 - [`SSL_get_stream_type`](#-ssl-get-stream-type-) 53 - [`SSL_get_stream_id`](#-ssl-get-stream-id-) 54 - [`SSL_is_stream_local`](#-ssl-is-stream-local-) 55 - [`SSL_new_stream`](#-ssl-new-stream-) 56 - [`SSL_accept_stream`](#-ssl-accept-stream-) 57 - [`SSL_get_accept_stream_queue_len`](#-ssl-get-accept-stream-queue-len-) 58 - [`SSL_set_incoming_stream_policy`](#-ssl-set-incoming-stream-policy-) 59 - [`SSL_set_default_stream_mode`](#-ssl-set-default-stream-mode-) 60 + [Future APIs](#future-apis) 61 * [BIO Objects](#bio-objects) 62 + [Existing APIs](#existing-apis-1) 63 - [`BIO_s_connect`, `BIO_new_ssl_connect`, `BIO_set_conn_hostname`](#-bio-s-connect----bio-new-ssl-connect----bio-set-conn-hostname-) 64 - [`BIO_new_bio_pair`](#-bio-new-bio-pair-) 65 - [Interactions with `BIO_f_buffer`](#interactions-with--bio-f-buffer-) 66 - [MTU Signalling](#mtu-signalling) 67 + [New APIs](#new-apis) 68 - [`BIO_sendmmsg` and `BIO_recvmmsg`](#-bio-sendmmsg--and--bio-recvmmsg-) 69 - [Truncation Mode](#truncation-mode) 70 - [Capability Negotiation](#capability-negotiation) 71 - [Local Address Support](#local-address-support) 72 - [`BIO_s_dgram_pair`](#-bio-s-dgram-pair-) 73 - [`BIO_POLL_DESCRIPTOR`](#-bio-poll-descriptor-) 74 - [`BIO_s_dgram_mem`](#-bio-s-dgram-mem-) 75 - [`BIO_err_is_non_fatal`](#-bio-err-is-non-fatal-) 76 * [Q & A](#q---a) 77 78Overview and Implementation Status 79---------------------------------- 80 81A listing of all SSL object APIs and their implications for QUIC, including 82current implementation status, can be found in 83[quic-api-ssl-funcs.md](./quic-api-ssl-funcs.md). 84 85Non-SSL object APIs which are new or changed, or otherwise discussed in this 86document are listed below, along with their implementation status. SSL object 87APIs are not listed here; see [quic-api-ssl-funcs.md](./quic-api-ssl-funcs.md) 88for details on SSL object APIs. 89 90| Semantics | API | Status | 91|-----------|---------------------------------|--------| 92| Changed | `BIO_s_connect` | Done | 93| Unchanged | `BIO_set_conn_hostname` | Done | 94| N/A | `BIO_new_bio_pair` | N/A (see `BIO_new_bio_dgram_pair`) | 95| New | `BIO_s_dgram_pair` | Done | 96| Unchanged | `BIO_dgram_get_mtu` | Done | 97| Unchanged | `BIO_dgram_set_mtu` | Done | 98| New | `BIO_sendmmsg` | Done | 99| New | `BIO_recvmmsg` | Done | 100| New | `BIO_dgram_set_no_trunc` | Done | 101| New | `BIO_dgram_get_no_trunc` | Done | 102| New | `BIO_dgram_set_caps` | Done | 103| New | `BIO_dgram_get_caps` | Done | 104| New | `BIO_dgram_get_effective_caps` | Done | 105| New | `BIO_dgram_get_local_addr_cap` | Done | 106| New | `BIO_dgram_set_local_addr_enable` | Done | 107| New | `BIO_dgram_get_local_addr_enable` | Done | 108| New | `BIO_get_rpoll_descriptor` | Done | 109| New | `BIO_get_wpoll_descriptor` | Done | 110| New | `BIO_err_is_non_fatal` | Done | 111 112Objectives 113---------- 114 115The objectives of the QUIC API design are: 116 117- to provide an API suitable for use with QUIC, now and in the future; 118 119- to reuse the existing libssl APIs to the extent feasible; 120 121- to enable existing applications to adapt to using QUIC with only 122 minimal API changes. 123 124SSL Objects 125----------- 126 127### Structure of Documentation 128 129Each API listed below has an information table with the following fields: 130 131- **Semantics**: This can be one of: 132 133 - **Unchanged**: The semantics of this existing libssl API call are 134 unchanged. 135 - **Changed**: The semantics are changed for QUIC. 136 - **New**: The API is new for QUIC. 137 138- `SSL_get_error`: Can this API, when used with QUIC, change the 139 state returned by `SSL_get_error`? This can be any combination of: 140 141 - **Never**: Does not interact with `SSL_get_error`. 142 - **Error**: Non-`WANT_READ`/`WANT_WRITE` errors can be raised. 143 - **Want**: `WANT_READ`/`WANT_WRITE` can be raised. 144 145- **Can Tick?**: Whether this function is allowed to perform event processing 146 for the QUIC state machine and potentially perform network I/O. 147 148- **CSHL:** Connection/Stream/Handshake Layer classification. 149 This can be one of: 150 151 - **HL:** This is a handshake layer related call. It should be supported 152 on a QUIC connection SSL object, forwarding to the handshake layer 153 SSL object. QUIC stream SSL objects do not allow these calls to be 154 forwarded. 155 156 - **HL-Forbidden:** This is a handshake layer related call, but it is 157 inapplicable to QUIC, so it is not supported. 158 159 - **C:** Not handshake-layer related. QUIC connection SSL object usage only. 160 Fails on a QUIC stream SSL object. 161 162 - **CS:** Not handshake-layer related. Can be used on any QUIC SSL object. 163 164 - **S**: Requires a QUIC stream SSL object or a QUIC connection SSL object 165 with a default stream attached. 166 167### Existing APIs 168 169#### `SSL_set_connect_state` 170 171| Semantics | `SSL_get_error` | Can Tick? | CSHL | 172| --------- | ------------- | --------- | ------------- | 173| Unchanged | Never | No | HL | 174 175#### `SSL_set_accept_state` 176 177| Semantics | `SSL_get_error` | Can Tick? | CSHL | 178| --------- | ------------- | --------- | ------------- | 179| Unchanged | Never | No | HL | 180 181**Note:** Attempting to proceed in this state will not function for now because 182we do not implement server support at this time. However, the semantics of this 183function as such are unchanged. 184 185#### `SSL_is_server` 186 187| Semantics | `SSL_get_error` | Can Tick? | CSHL | 188| --------- | ------------- | --------- | ------------- | 189| Unchanged | Never | No | HL | 190 191#### `SSL_connect` 192 193| Semantics | `SSL_get_error` | Can Tick? | CSHL | 194| --------- | ------------- | --------- | ------------- | 195| Unchanged | Error/Want | Yes | HL | 196 197Simple composition of `SSL_set_connect_state` and `SSL_do_handshake`. 198 199#### `SSL_accept` 200 201| Semantics | `SSL_get_error` | Can Tick? | CSHL | 202| --------- | ------------- | --------- | ------------- | 203| Unchanged | Error/Want | Yes | HL | 204 205Simple composition of `SSL_set_accept_state` and `SSL_do_handshake`. 206 207#### `SSL_do_handshake` 208 209| Semantics | `SSL_get_error` | Can Tick? | CSHL | 210| --------- | ------------- | --------- | ------------- | 211| Unchanged | Error/Want | Yes | HL | 212 213**Note:** Idempotent if handshake already completed. 214 215**Blocking Considerations:** Blocks until handshake completed if in blocking 216mode. 217 218#### `SSL_read`, `SSL_read_ex`, `SSL_peek`, `SSL_peek_ex` 219 220| Semantics | `SSL_get_error` | Can Tick? | CSHL | 221| --------- | ------------- | --------- | ------------- | 222| Unchanged | Error/Want | Yes | CS | 223 224**Blocking Considerations:** Blocks until at least one byte is available or an 225error occurs if in blocking mode (including the peek functions). 226 227If the read part of the stream has been finished by the peer, calls to 228`SSL_read` will fail with `SSL_ERROR_ZERO_RETURN`. 229 230If a stream has terminated in a non-normal fashion (for example because the 231stream has been reset, or the connection has terminated), calls to `SSL_read` 232will fail with `SSL_ERROR_SSL`. 233 234`SSL_get_stream_read_state` can be used to clarify the stream state when an 235error occurs. 236 237#### `SSL_write`, `SSL_write_ex` 238 239| Semantics | `SSL_get_error` | Can Tick? | CSHL | 240| --------- | ------------- | --------- | ------------- | 241| Unchanged | Error/Want | Yes | CS | 242 243We have to implement all of the following modes: 244 245- `SSL_MODE_ENABLE_PARTIAL_WRITE` on or off 246- `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` on or off 247- Blocking mode on or off 248 249**Blocking Considerations:** Blocks until libssl has accepted responsibility for 250(i.e., copied) all data provided, or an error occurs, if in blocking mode. In 251other words, it blocks until it can buffer the data. This does not necessarily 252mean that the data has actually been sent. 253 254`SSL_get_stream_write_state` can be used to clarify the stream state when an 255error occurs. 256 257#### `SSL_pending` 258 259| Semantics | `SSL_get_error` | Can Tick? | CSHL | 260| --------- | ------------- | --------- | ------------- | 261| Unchanged | Never | No | CS | 262 263#### `SSL_has_pending` 264 265| Semantics | `SSL_get_error` | Can Tick? | CSHL | 266| --------- | ------------- | --------- | ------------- | 267| Unchanged | Never | No | CS | 268 269**TBD.** Options: 270 271 - Semantics unchanged or approximated (essentially, `SSL_pending() || any RXE 272 queued || any URXE queued`). 273 - Change semantics to only determine the return value based on if there is 274 data in the stream receive buffer. 275 276#### `SSL_shutdown` 277 278| Semantics | `SSL_get_error` | Can Tick? | CSHL | 279| --------- | ------------- | --------- | ------------- | 280| Unchanged | Error | Yes | CS | 281 282See `SSL_shutdown_ex` below for discussion of how this will work for QUIC. 283 284Calling `SSL_shutdown` is always exactly identical in function to calling 285`SSL_shutdown_ex` with `flags` set to 0 and `args` set to `NULL`. 286 287#### `SSL_clear` 288 289| Semantics | `SSL_get_error` | Can Tick? | CSHL | 290| --------- | ------------- | --------- | ------------- | 291| TBD | TBD | No | C | 292 293There are potential implementation hazards: 294 295>SSL_clear() resets the SSL object to allow for another connection. The reset 296>operation however keeps several settings of the last sessions (some of these 297>settings were made automatically during the last handshake). It only makes sense 298>for a new connection with the exact same peer that shares these settings, and 299>may fail if that peer changes its settings between connections. 300 301**TBD:** How should `SSL_clear` be implemented? Either: 302 303 - Modernised implementation which resets everything, handshake layer 304 re-instantiated (safer); 305 - Preserve `SSL_clear` semantics at the handshake layer, reset all QUIC state 306 (`QUIC_CHANNEL` torn down, CSM reset). 307 308**TBD:** Semantics of this on stream objects. 309 310#### `SSL_free` 311 312| Semantics | `SSL_get_error` | Can Tick? | CSHL | 313| --------- | ------------- | --------- | ------------- | 314| Changed | Never | No | CS | 315 316**QUIC stream SSL objects.** When used on a QUIC stream SSL object, parts of the 317stream state may continue to exist internally, managed inside the QUIC 318connection SSL object, until they can be correctly torn down, or until the QUIC 319connection SSL object is freed. 320 321If a QUIC stream SSL object is freed for a stream which has not reached a 322terminal state for all of its parts (both send and receive, as applicable), the 323stream is automatically reset (non-normal termination) with an application error 324code of 0. To explicitly reset a stream with a different application error code, 325call `SSL_stream_reset` before calling this function. 326 327If the peer continues to send data on the stream before it processes the 328notification of the stream's termination, that incoming data will be discarded. 329However, the peer will be reliably notified of the non-normal termination of the 330stream assuming that the connection remains healthy. 331 332When freeing a QUIC stream SSL object which was terminated in a non-normal 333fashion, or which was terminated automatically due to a call to this function, 334any data which was appended to the stream via `SSL_write` may or may not have 335already been transmitted, and even if already transmitted, may or may not be 336retransmitted in the event of loss. 337 338When freeing a QUIC stream SSL object which was terminated normally (for example 339via `SSL_stream_conclude`), data appended to the stream via `SSL_write` will 340still be transmitted or retransmitted as necessary, assuming that the QUIC 341connection SSL object is not freed and that the connection remains healthy. 342 343**QUIC connection SSL objects.** `SSL_free` is largely unchanged for QUIC 344connection SSL objects on the client side. When freeing a QUIC connection SSL 345object being used in client mode, there is immediate termination of any QUIC 346network I/O processing as the resources needed to handle the connection are 347immediately freed. This means that, if a QUIC connection SSL object which has 348not been shutdown properly is freed using this function: 349 350- Any data which was pending transmission or retransmission will not be 351 transmitted, including in streams which were terminated normally; 352 353- The connection closure process will not function correctly or in an 354 RFC-compliant manner. Connection closure will not be signalled to the peer 355 and the connection will simply disappear from the perspective of the peer. The 356 connection will appear to remain active until the connection's idle timeout 357 (if negotiated) takes effect. 358 359 For further discussion of this issue, see `SSL_shutdown_ex` and the Q&A. 360 361#### `SSL_set0_rbio`, `SSL_set0_wbio`, `SSL_set_bio` 362 363| Semantics | `SSL_get_error` | Can Tick? | CSHL | 364| --------- | ------------- | --------- | ------------- | 365| Changed | Never | No | C | 366 367Sets network-side BIO. 368 369The changes to the semantics of these calls are as follows: 370 371 - The BIO MUST be a BIO with datagram semantics (this is a change relative to 372 TLS, though not to DTLS). 373 374 - If the BIO is non-pollable (see below), application-level blocking mode will 375 be forced off. 376 377#### `SSL_set_[rw]fd` 378 379| Semantics | `SSL_get_error` | Can Tick? | CSHL | 380| --------- | ------------- | --------- | ------------- | 381| Changed | Never | No | C | 382 383Sets network-side socket FD. 384 385Existing behaviour: Instantiates a `BIO_s_socket`, sets an FD on it, and sets it 386as the BIO. 387 388New proposed behaviour: 389 390- Instantiate a `BIO_s_dgram` instead for a QUIC connection SSL object. 391- Fails (no-op) for a QUIC stream SSL object. 392 393#### `SSL_get_[rw]fd` 394 395| Semantics | `SSL_get_error` | Can Tick? | CSHL | 396| --------- | ------------- | --------- | ------------- | 397| Unchanged | Never | No | C | 398 399Should not require any changes. 400 401#### `SSL_CTRL_MODE`, `SSL_CTRL_CLEAR_MODE` 402 403| Semantics | `SSL_get_error` | Can Tick? | CSHL | 404| --------- | ------------- | --------- | ------------- | 405| Unchanged | Never | No | CS | 406 407#### SSL Modes 408 409- `SSL_MODE_ENABLE_PARTIAL_WRITE`: Implemented. If this mode is set during a 410 non-partial-write `SSL_write` operation spanning multiple `SSL_write` calls, 411 this mode does not take effect until the non-partial write operation is 412 completed. 413 414- `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`: Implemented. 415 416- `SSL_MODE_AUTO_RETRY`: TBD. 417 418- `SSL_MODE_RELEASE_BUFFERS`: Ignored. This is an optimization and if it has 419 any sensible semantic correspondence to QUIC, this can be considered later. 420 421- `SSL_MODE_SEND_FALLBACK_SCSV`: TBD: Either ignore or fail if the client 422 attempts to set this prior to handshake. The latter is probably safer. 423 424 Ignored if set after handshake (existing behaviour). 425 426- `SSL_MODE_ASYNC`: TBD. 427 428### New APIs for Single-Stream Operation 429 430#### `SSL_handle_events` 431 432| Semantics | `SSL_get_error` | Can Tick? | CSHL | 433| --------- | ------------- | --------- | ------------- | 434| New | Never | Yes | CS | 435 436Advances the QUIC state machine to the extent feasible, potentially performing 437network I/O. Also compatible with DTLSv1 and supersedes `DTLSv1_handle_timeout` 438for all use cases. 439 440#### `SSL_get_event_timeout` 441 442| Semantics | `SSL_get_error` | Can Tick? | CSHL | 443| --------- | ------------- | --------- | ------------- | 444| New | Never | No | CS | 445 446Gets the time until the QUIC state machine next wants to receive a timeout 447event, if any. 448 449This is similar to the existing `DTLSv1_get_timeout` function, but it is not 450specific to DTLSv1. It is also usable for DTLSv1 and can become a 451protocol-agnostic API for this purpose, superseding `DTLSv1_get_timeout` for all 452use cases. 453 454The design is similar to that of `DTLSv1_get_timeout` and uses a `struct 455timeval`. However, this function can also output an infinite timeout using the 456`is_infinite` argument, whereas whereas `DTLSv1_get_timeout` represents an 457infinite timeout using a 0 return value, which does not allow a failure 458condition to be distinguished. 459 460#### `SSL_set_blocking_mode`, `SSL_get_blocking_mode` 461 462| Semantics | `SSL_get_error` | Can Tick? | CSHL | 463| --------- | ------------- | --------- | ------------- | 464| New | Never | No | CS | 465 466Turns blocking mode on or off. This is necessary because up until now libssl has 467operated in blocking or non-blocking mode automatically as an emergent 468consequence of whether the underlying network socket is blocking. For QUIC, this 469is no longer viable, thus blocking semantics at the application level must be 470explicitly configured. 471 472Use on stream objects: It may be feasible to implement this such that different 473QUIC stream SSL objects can have different settings for this option. 474 475Not supported for non-QUIC SSL objects. 476 477#### `SSL_get_rpoll_descriptor`, `SSL_get_wpoll_descriptor` 478 479| Semantics | `SSL_get_error` | Can Tick? | CSHL | 480| --------- | ------------- | --------- | ------------- | 481| New | Never | No | CS | 482 483These functions output poll descriptors which can be used to determine when the 484QUIC state machine next needs to have events handled. `SSL_get_rpoll_descriptor` 485is relevant if `SSL_net_read_desired` returns 1, and `SSL_get_wpoll_descriptor` 486is relevant if `SSL_net_write_desired` returns 1. 487 488The implementation of these functions is a simple forward to 489`BIO_get_rpoll_descriptor` and `BIO_get_wpoll_descriptor` on the underlying 490network BIOs. 491 492TODO: Support these for non-QUIC SSL objects 493 494#### `SSL_net_read_desired`, `SSL_net_write_desired` 495 496| Semantics | `SSL_get_error` | Can Tick? | CSHL | 497| --------- | ------------- | --------- | ------------- | 498| New | Never | No | CS | 499 500These calls return 1 if the QUIC state machine is interested in receiving 501further data from the network, or writing to the network, respectively. The 502return values of these calls should be used to determine which wakeup events 503should cause an application to call `SSL_handle_events`. These functions do not 504mutate any state, and their return values may change after a call to any SSL 505function other than `SSL_net_read_desired`, `SSL_net_write_desired`, 506`SSL_get_rpoll_descriptor`, `SSL_get_wpoll_descriptor` and 507`SSL_get_event_timeout`. 508 509TODO: Support these for non-QUIC SSL objects, turning this into a unified 510replacement for `SSL_want` 511 512#### `SSL_want`, `SSL_want_read`, `SSL_want_write` 513 514The existing API `SSL_want`, and the macros defined in terms of it, are 515traditionally used to determine if the SSL state machine has exited in 516non-blocking mode due to a desire to read from or write to the underlying 517network BIO. However, this API is unsuitable for use with QUIC because the 518return value of `SSL_want` can only express one I/O direction at a time (read or 519write), not both. This call will not be implemented for QUIC (e.g. always 520returns `SSL_NOTHING`) and `SSL_net_read_desired` and `SSL_net_write_desired` 521will be used instead. 522 523#### `SSL_set1_initial_peer_addr` 524 525| Semantics | `SSL_get_error` | Can Tick? | CSHL | 526| --------- | ------------- | --------- | ------------- | 527| New | Never | No | CS | 528 529`SSL_set1_initial_peer_addr` sets the initial L4 UDP peer address for an outgoing 530QUIC connection. 531 532The initial peer address may be autodetected if no peer address has already been 533set explicitly and the QUIC connection SSL object is provided with a 534`BIO_s_dgram` with a peer set. 535 536`SSL_set1_initial_peer_addr` cannot be called after a connection is established. 537 538#### `SSL_shutdown_ex` 539 540| Semantics | `SSL_get_error` | Can Tick? | CSHL | 541| --------- | ------------- | --------- | ------------- | 542| New | Error | Yes | C | 543 544```c 545typedef struct ssl_shutdown_ex_args_st { 546 /* These arguments pertain only to QUIC connections. */ 547 uint64_t quic_error_code; /* [0, 2**62-1] */ 548 const char *quic_reason; 549} SSL_SHUTDOWN_EX_ARGS; 550 551#define SSL_SHUTDOWN_FLAG_RAPID (1U << 0) 552#define SSL_SHUTDOWN_FLAG_IMMEDIATE (1U << 1) 553 554int SSL_shutdown_ex(SSL *ssl, 555 uint64_t flags, 556 const SSL_SHUTDOWN_EX_ARGS *args, 557 size_t args_len); 558``` 559 560`SSL_shutdown_ex` is an extended version of `SSL_shutdown`. 561 562`args` specifies arguments which control how the SSL object is shut down. `args` 563are read only on the first call to `SSL_shutdown_ex` for a given SSL object and 564subsequent calls to `SSL_shutdown_ex` ignore the `args` argument. `args_len` 565should be set to `sizeof(*args)`. This function is idempotent; once the shutdown 566process for an SSL object is complete, further calls are a no-op and return 1. 567 568Calling `SSL_shutdown_ex` on a QUIC connection SSL object causes the immediate 569close of the QUIC connection. “Immediate close” is as defined by RFC 9000. 570 571If no QUIC connection attempt was ever initiated using the given SSL object, the 572QUIC connection transitions immediately to the Terminated state. Otherwise, the 573connection closure process is initiated if it has not already begun. 574 575Any application stream data on a non-terminated or normally terminated stream 576which has yet to be transmitted is flushed to the network before the termination 577process begins. This ensures that where an application which calls `SSL_write` 578and performs a connection closure in a way which is considered normal to the 579application protocol being used, all of the data written is delivered to the 580peer. This behaviour may be skipped by setting the `SSL_SHUTDOWN_FLAG_IMMEDIATE` 581flag, in which case any data appended to streams via `SSL_write` (or any 582end-of-stream conditions) may not be transmitted to the peer. This flag may be 583useful where a non-normal application condition has occurred and the delivery of 584data written to streams via `SSL_write` is no longer relevant. Application 585stream data on streams which were terminated non-normally (for example via 586`SSL_stream_reset`) is not transmitted by this function. 587 588A QUIC connection can be shut down using this function in two different ways: 589 590- **RFC compliant mode.** In this mode, which provides the most robust 591 operation, the shutdown process may take a period of time up to three times 592 the current estimated RTT to the peer. It is possible for the closure process 593 to complete much faster in some circumstances but this cannot be relied upon. 594 595 In blocking mode, the function will return once the closure process is 596 complete. In non-blocking mode, `SSL_shutdown_ex` should be called until it 597 returns 1, indicating the closure process is complete and the connection is 598 now terminated. 599 600- **Rapid mode.** In this mode, a `CONNECTION_CLOSE` frame is sent in a 601 best-effort manner and the connection is terminated immediately. If the 602 `CONNECTION_CLOSE` frame sent is lost, the peer will not know that the 603 connection has terminated until the negotiated idle timeout (if any) expires. 604 605 This will generally return 0 on success, indicating that the connection has 606 not yet reached the Terminating state (unless it has already done so, in which 607 case it will return 1). 608 609 In blocking mode, this blocks until at least one `CONNECTION_CLOSE` frame is 610 sent but does not otherwise block. In non-blocking mode, this should be called 611 until it returns a non-negative value. A negative value indicates failure or 612 an I/O would-block condition. 613 614It is permissible for an application to implement a hybrid approach, for example 615by initiating a rapid or non-blocking shutdown and continuing to call 616`SSL_handle_events` for a duration it chooses. 617 618If `SSL_SHUTDOWN_FLAG_RAPID` is specified in `flags`, a rapid shutdown is 619performed, otherwise an RFC-compliant shutdown is performed. The principal 620effect of this flag is to partially disable blocking behaviour in blocking mode, 621and the QUIC implementation will still attempt to implement the Terminating 622state semantics if the application happens to call `SSL_handle_events`, until it 623reaches the Terminated state or is freed. An application can change its mind 624about performing a rapid shutdown by making a subsequent call to 625`SSL_shutdown_ex` without the flag set. 626 627Calling `SSL_shutdown_ex` on a QUIC stream SSL object is not valid; such a call 628will fail and has no effect. The rationale for this is that an application may 629well want to pass around SSL objects for individual QUIC streams to existing 630parts of its own code which expect something which behaves like a typical SSL 631object (i.e., a single bytestream); those components may well already call 632`SSL_shutdown` and it is not desired for such calls to affect the whole 633connection. 634 635The `args->quic_error_code` and `args->reason` fields allow the application 636error code and reason string for the closure of a QUIC connection to be 637specified. If `args` or `args->reason` is `NULL`, a zero-length string is used 638for the reason. If `args` is `NULL`, an error code of 0 is used. 639`args->quic_error_code` must be in the range `[0, 2**62-1]`, else this function 640fails. These fields are ignored for SSL objects which do not represent QUIC 641connections. 642 643#### `SSL_stream_conclude` 644 645| Semantics | `SSL_get_error` | Can Tick? | CSHL | 646| --------- | ------------- | --------- | ------------- | 647| New | Error | Yes | S | 648 649```c 650int SSL_stream_conclude(SSL *ssl, uint64_t flags); 651``` 652 653`SSL_stream_conclude` signals the normal end-of-stream condition to the send 654part of a QUIC stream. If called on a QUIC connection SSL object with a default 655stream, it signals the end of that stream to the peer. If called on a QUIC 656stream SSL object, it signals the end of that stream to the peer. 657 658This function may only be called for bidirectional streams and for outgoing 659unidirectional streams. It is a no-op if it has already been called for a given 660stream, or if either the stream or connection have entered an error state. 661 662Any data already queued for transmission via a call to `SSL_write()` will still 663be written in a reliable manner before the end-of-stream is signalled, assuming 664the connection remains healthy. This function can be thought of as appending a 665logical end-of-stream marker after any data which has previously been written to 666the stream via calls to `SSL_write`. Further attempts to call `SSL_write` after 667calling this function will fail. 668 669When calling this on a bidirectional stream, the receive part of the stream 670remains unaffected, and the peer may continue to send data via it until the peer 671also signals the end of the stream. Thus, `SSL_read()` can still be used. 672 673This function is used to conclude the send part of a stream in a normal manner. 674To perform non-normal termination of both the sending and receiving parts of a 675stream, see `SSL_stream_reset`. 676 677`flags` is reserved and should be set to 0. 678 679#### `SSL_stream_reset` 680 681| Semantics | `SSL_get_error` | Can Tick? | CSHL | 682| --------- | ------------- | --------- | ------------- | 683| New | Error | Yes | S | 684 685```c 686typedef struct ssl_stream_reset_args_st { 687 uint64_t quic_error_code; /* [0, 2**62-1] */ 688} SSL_STREAM_RESET_ARGS; 689 690int SSL_stream_reset(SSL *ssl, 691 const SSL_STREAM_RESET_ARGS *args, 692 size_t args_len); 693``` 694 695Conducts a non-normal termination of a bidirectional or outgoing unidirectional 696stream. For QUIC, this corresponds to a stream reset using a `RESET_STREAM` 697frame. 698 699It may be called on either a QUIC stream SSL object or a QUIC connection SSL 700object with a default stream; the given stream is reset. The QUIC connection is 701not affected. 702 703For bidirectional streams, this terminates both sending and receiving parts of 704the stream. It may not be called on an incoming unidirectional stream. 705 706If `args` is `NULL`, an application error code of 0 is used. Otherwise, the 707application error code to use is specified in `args->quic_error_code`, which 708must be in the range `[0, 2**62-1]`. `args_len` must be set to `sizeof(*args)` 709if `args` is non-NULL. 710 711Only the first call to this function has any effect; subsequent calls are 712no-ops. This is considered a success case. 713 714#### `SSL_get_stream_state` 715 716| Semantics | `SSL_get_error` | Can Tick? | CSHL | 717| --------- | ------------- | --------- | ------------- | 718| New | Never | No | S | 719 720```c 721/* 722 * e.g. Non-QUIC SSL object, or QUIC connection SSL object without a default 723 * stream. 724 */ 725#define SSL_STREAM_STATE_NONE 0 726 727/* 728 * The read or write part of the stream is still available and has not been 729 * terminated in a normal or non-normal manner. 730 */ 731#define SSL_STREAM_STATE_OK 1 732 733/* 734 * The stream is a unidirectional stream and this direction cannot be used; for 735 * example, a remotely initiated unidirectional stream where 736 * SSL_get_stream_write_state is called, or a locally initiated unidirectional 737 * stream where SSL_get_stream_read_state is 738 called. 739 */ 740#define SSL_STREAM_STATE_WRONG_DIR 2 741 742/* 743 * The read or write part of the stream has been finished in a normal manner. 744 * 745 * For SSL_get_stream_read_state, this means that there is no more data to read, 746 * and that any future SSL_read calls will return any residual data waiting to 747 * be read followed by an SSL_ERROR_ZERO_RETURN condition. 748 * 749 * For SSL_get_stream_write_state, this means that the local application has 750 * already indicated the end of the stream by calling SSL_stream_conclude, 751 * and that future calls to SSL_write will fail. 752 */ 753#define SSL_STREAM_STATE_FINISHED 3 754 755/* 756 * The stream was reset by the local party. 757 * 758 * For SSL_get_stream_read_state, this means that the stream was aborted using a 759 * locally transmitted STOP_SENDING frame. Attempts to read from the stream via 760 * SSL_read will fail, though SSL_read may allow any residual data waiting to 761 * be read to be read first. 762 * 763 * For SSL_get_stream_write_state, this means that the stream was aborted 764 * using a locally transmitted RESET_STREAM frame. Attempts to write to 765 * the stream will fail. 766 */ 767#define SSL_STREAM_STATE_RESET_LOCAL 4 768 769/* 770 * The stream was reset by the remote party. 771 * 772 * For SSL_get_stream_read_state, this means the peer sent a STREAM_RESET 773 * frame for the stream. 774 * 775 * For SSL_get_stream_write_state, this means the peer sent a STOP_SENDING 776 * frame for the stream. 777 */ 778#define SSL_STREAM_STATE_RESET_REMOTE 5 779 780/* 781 * The underlying connection supporting the stream has closed or otherwise 782 * failed. 783 * 784 * For SSL_get_stream_read_state, this means that attempts to read from the 785 * stream via SSL_read will fail, though SSL_read may allow any residual 786 * data waiting to be read to be read first. 787 * 788 * For SSL_get_stream_write_state, this means that attempts to write to the 789 * stream will fail. 790 */ 791#define SSL_STREAM_STATE_CONN_CLOSED 6 792 793int SSL_get_stream_read_state(SSL *ssl); 794int SSL_get_stream_write_state(SSL *ssl); 795``` 796 797This API allows the current state of a stream to be queried. This allows an 798application to determine whether a stream is still usable and why a stream has 799reached an error state. 800 801#### `SSL_get_stream_read_error_code`, `SSL_get_stream_write_error_code` 802 803| Semantics | `SSL_get_error` | Can Tick? | CSHL | 804| --------- | ------------- | --------- | ------------- | 805| New | Never | No | S | 806 807```c 808int SSL_get_stream_read_error_code(SSL *ssl, uint64_t *app_error_code); 809int SSL_get_stream_write_error_code(SSL *ssl, uint64_t *app_error_code); 810``` 811 812`SSL_get_stream_read_error_code` gets the error code for the read part of the 813stream. 814 815`SSL_get_stream_write_error_code` gets the error code for the write part of 816the stream. 817 818If a stream has been terminated normally, returns 0. 819 820If a stream has been terminated non-normally, returns 1 and writes the 821applicable application error code to `*app_error_code`. 822 823If a stream is still healthy, or was healthy at the time the connection was 824closed, or the respective part of the stream does not exist (e.g. for a 825unidirectional stream), returns -1. 826 827#### `SSL_get_conn_close_info` 828 829| Semantics | `SSL_get_error` | Can Tick? | CSHL | 830| --------- | ------------- | --------- | ------------- | 831| New | Never | No | C | 832 833```c 834#define SSL_CONN_CLOSE_FLAG_LOCAL 835#define SSL_CONN_CLOSE_FLAG_TRANSPORT 836 837typedef struct ssl_conn_close_info_st { 838 uint64_t error_code; 839 char *reason; 840 size_t reason_len; 841 uint32_t flags; 842} SSL_CONN_CLOSE_INFO; 843 844int SSL_get_conn_close_info(SSL *ssl, 845 SSL_CONN_CLOSE_INFO *info, 846 size_t info_len); 847``` 848 849If a connection is still healthy, returns 0. Otherwise, fills `*info` with 850information about the error causing connection termination and returns 1. 851`info_len` must be set to `sizeof(*info)`. Returns -1 if called on a non-QUIC 852SSL object or if the connection status cannot be determined. 853 854`info->reason` is set to point to a buffer containing a reason string. The 855buffer is valid for the lifetime of the SSL object. The reason string will 856always be zero terminated, but since it is received from a potentially untrusted 857peer, may also contain zero bytes. `info->reason_len` is the true length of the 858reason string in bytes. 859 860`info->flags` has `SSL_CONN_CLOSE_FLAG_LOCAL` set if the connection closure was 861locally initiated. 862 863`info->flags` has `SSL_CONN_CLOSE_FLAG_TRANSPORT` if the connection closure was 864initiated by QUIC, and 0 if it was initiated by the application. The namespace 865of `info->error_code` is determined by this parameter. 866 867### New APIs for Multi-Stream Operation 868 869The above new APIs are built on constructively to facilitate multi-stream 870operation. 871 872The concept of a QUIC stream SSL object is introduced. A QUIC SSL object is 873either a QUIC connection SSL object or a QUIC stream SSL object. A QUIC stream 874SSL object belongs to a QUIC connection SSL object. A QUIC connection SSL object 875may or may not have an associated default stream. There may only be at most one 876default stream for a QUIC connection SSL object. Reading or writing application 877data to a QUIC connection SSL object with a default stream is equivalent to 878reading or writing to that stream. It is an error to attempt to read or write 879application data, or perform other stream-specific operations, on a QUIC 880connection SSL object without a default stream associated. 881 882#### Notes on Multi-Threaded Operation 883 884Initially these APIs will not be thread safe over the same connection, but in 885the longer term we intend to support multiple threads using different QUIC 886stream SSL objects on different threads over the same connection without the 887application having to do any locking. This is referred to as multi-stream 888multi-thread (MSMT) operation. Only APIs explicitly denoted below will 889eventually be MSMT-safe. 890 891#### Notes on Blocking 892 893The blocking mode can be configured on each SSL object individually. When a QUIC 894stream SSL object is created it inherits its blocking state from the currently 895configured blocking state of the QUIC connection SSL object at the time the 896stream is created. This can be changed independently. For example, a QUIC 897connection SSL object can be in blocking mode to allow for blocking 898`SSL_accept_stream` calls, yet have some or all QUIC stream SSL objects be in 899non-blocking mode concurrently. 900 901#### Notes on Application-Level Polling 902 903An API may be added in the future to allow applications to poll multiple QUIC 904connection SSL objects efficiently for new stream and stream readability events. 905This is not yet urgent but will be more relevant for concurrent server 906applications. 907 908#### `SSL_get0_connection` 909 910| Semantics | `SSL_get_error` | Can Tick? | CSHL | 911| --------- | ------------- | --------- | ------------- | 912| New | Never | No | CS | 913 914```c 915/* 916 * Get the SSL object representing the connection associated with this object. 917 * 918 * If the SSL object represents a non-QUIC method or a QUIC connection, this 919 * returns the same object passed. 920 * 921 * If the SSL object represents a QUIC stream returns the QUIC connection 922 * object. 923 */ 924SSL *SSL_get0_connection(SSL *ssl); 925``` 926 927#### `SSL_is_connection` 928 929| Semantics | `SSL_get_error` | Can Tick? | CSHL | 930| --------- | ------------- | --------- | ------------- | 931| New | Never | No | CS | 932 933```c 934/* 935 * Returns 1 if the object represents a connection. This always returns 1 for 936 * non-QUIC methods, but returns 0 for SSL objects for QUIC streams which are 937 * not also the QUIC connection object. 938 * 939 * This is exactly equivalent to (SSL_get0_connection(ssl) == ssl). 940 */ 941int SSL_is_connection(SSL *ssl); 942``` 943 944#### `SSL_get_stream_type` 945 946| Semantics | `SSL_get_error` | Can Tick? | CSHL | 947| --------- | ------------- | --------- | ------------- | 948| New | Never | No | S | 949 950```c 951/* 952 * If the object represents a stream, returns an SSL_STREAM_TYPE value 953 * designating whether the stream can be used for transmission, reception, 954 * or both. 955 * 956 * This always returns SSL_STREAM_TYPE_BIDI for non-QUIC methods. 957 * 958 * It returns SSL_STREAM_TYPE_NONE for a QUIC connection object if it 959 * does not have a default stream. 960 */ 961#define SSL_STREAM_TYPE_NONE 0 962#define SSL_STREAM_TYPE_READ 1 963#define SSL_STREAM_TYPE_WRITE 2 964#define SSL_STREAM_TYPE_BIDI (SSL_STREAM_TYPE_READ | SSL_STREAM_TYPE_WRITE) 965__owur int SSL_get_stream_type(SSL *ssl); 966``` 967 968#### `SSL_get_stream_id` 969 970| Semantics | `SSL_get_error` | Can Tick? | CSHL | 971| --------- | ------------- | --------- | ------------- | 972| New | Never | No | S | 973 974```c 975/* 976 * QUIC: Returns the unique stream ID for the stream, an integer in range [0, 2**62-1], 977 * or UINT64_MAX if the stream ID is not available. If called on a QUIC 978 * connection, returns the unique stream ID for the default stream if there is 979 * one, and otherwise returns UINT64_MAX. 980 * 981 * TLS, DTLS: Returns UINT64_MAX. 982 */ 983__owur uint64_t SSL_get_stream_id(SSL *ssl); 984``` 985 986#### `SSL_is_stream_local` 987 988| Semantics | `SSL_get_error` | Can Tick? | CSHL | 989| --------- | ------------- | --------- | ------------- | 990| New | Never | No | S | 991 992```c 993/* 994 * QUIC: Returns 1 if the stream was locally initiated, or 0 otherwise. 995 * 996 * TLS, DTLS: Returns -1. 997 */ 998__owur int SSL_is_stream_local(SSL *ssl); 999``` 1000 1001#### `SSL_new_stream` 1002 1003| Semantics | `SSL_get_error` | Can Tick? | CSHL | 1004| --------- | ------------- | --------- | ------------- | 1005| New | Never | No | C | 1006 1007```c 1008/* 1009 * Create a new SSL object representing a single additional stream. 1010 * 1011 * There is no need to call SSL_connect on the resulting object, and 1012 * any such call is a no-op. 1013 * 1014 * For QUIC: 1015 * Creates a new stream. Must be called only on a QUIC connection SSL object. 1016 * Can be used on client or server. If the SSL_STREAM_FLAG_UNI flag is set, 1017 * the created stream is unidirectional, otherwise it is bidirectional. 1018 * 1019 * To be MSMT-safe. 1020 * 1021 * For TLS and DTLS SSL objects: 1022 * Always fails. 1023 */ 1024#define SSL_STREAM_FLAG_UNI 1 1025 1026SSL *SSL_new_stream(SSL *ssl, uint64_t flags); 1027``` 1028 1029#### `SSL_accept_stream` 1030 1031| Semantics | `SSL_get_error` | Can Tick? | CSHL | 1032| --------- | ------------- | --------- | ------------- | 1033| New | Never | Yes | C | 1034 1035```c 1036/* 1037 * Create a new SSL object representing an additional stream which was created 1038 * by the peer. 1039 * 1040 * There is no need to call SSL_accept on the resulting object, and 1041 * any such call is a no-op. 1042 * 1043 * For QUIC: 1044 * Must be called only on a QUIC connection SSL object. Fails if called on a 1045 * stream object. Checks if a new stream has been created by the peer. If it 1046 * has, creates a new SSL object to represent it and returns it. Otherwise, 1047 * returns NULL. If multiple streams are available to be accepted, the oldest 1048 * stream (that is, the stream with the lowest stream ID) is accepted. 1049 * 1050 * For all other methods: 1051 * Returns NULL. 1052 * 1053 * The flags argument is unused and should be set to zero. 1054 * 1055 * To be MSMT-safe (i.e., can be called from multiple threads). 1056 * 1057 * If the QUIC connection SSL object is configured in blocking mode, this 1058 * function will block unless the SSL_ACCEPT_STREAM_NO_BLOCK flag is passed. 1059 * 1060 * This function returns NULL if the effective incoming stream reject policy is 1061 * `REJECT`. 1062 */ 1063#define SSL_ACCEPT_STREAM_NO_BLOCK 1 1064 1065SSL *SSL_accept_stream(SSL *ssl, uint64_t flags); 1066``` 1067 1068#### `SSL_get_accept_stream_queue_len` 1069 1070| Semantics | `SSL_get_error` | Can Tick? | CSHL | 1071| --------- | ------------- | --------- | ------------- | 1072| New | Never | No | C | 1073 1074```c 1075/* 1076 * Determine the number of streams waiting to be returned on a subsequent call 1077 * to SSL_accept_stream. If this returns a non-zero value, the next call to 1078 * SSL_accept_stream (on any thread) is guaranteed to work. Returns 0 for 1079 * non-QUIC objects, or for QUIC stream objects. 1080 * 1081 * To be MSMT-safe. 1082 */ 1083size_t SSL_get_accept_stream_queue_len(SSL *ssl); 1084``` 1085 1086#### `SSL_set_incoming_stream_policy` 1087 1088| Semantics | `SSL_get_error` | Can Tick? | CSHL | 1089| --------- | ------------- | --------- | ------------- | 1090| New | Never | No | C | 1091 1092```c 1093/* 1094 * Sets the policy for incoming streams. If `policy` is `AUTO` (the default): 1095 * 1096 * - if the default stream mode is 1097 * `SSL_DEFAULT_STREAM_MODE_AUTO_BIDI` or 1098 * `SSL_DEFAULT_STREAM_MODE_AUTO_UNI`, this is equivalent to `REJECT`; 1099 * 1100 * - otherwise, this is equivalent to `ACCEPT`. 1101 * 1102 * If configured to `ACCEPT`, incoming streams are placed on the accept queue 1103 * for application consumption. `aec` is ignored in this case. 1104 * 1105 * If configured to `REJECT`, incoming streams automatically have both their 1106 * receiving and sending parts handled via non-normal termination. `aec` is an 1107 * application error code used for the `STOP_SENDING` and `RESET_STREAM` frames 1108 * used for the purposes of this termination. The default AEC value used if this 1109 * function is never called is 0. 1110 */ 1111#define SSL_INCOMING_STREAM_POLICY_AUTO 0 1112#define SSL_INCOMING_STREAM_POLICY_ACCEPT 1 1113#define SSL_INCOMING_STREAM_POLICY_REJECT 2 1114 1115int SSL_set_incoming_stream_policy(SSL *ssl, int policy, uint64_t aec); 1116``` 1117 1118#### `SSL_set_default_stream_mode` 1119 1120| Semantics | `SSL_get_error` | Can Tick? | CSHL | 1121| --------- | ------------- | --------- | ------------- | 1122| New | Never | No | C | 1123 1124```c 1125/* 1126 * Used to control single stream operation. Calling this function determines the 1127 * nature of the default stream which will automatically be created on the QUIC 1128 * connection SSL object. 1129 * 1130 * The default mode is `SSL_DEFAULT_STREAM_MODE_AUTO_BIDI`. 1131 * 1132 * The modes are as follows: 1133 * 1134 * - `SSL_DEFAULT_STREAM_MODE_NONE`: No default stream will ever be created. 1135 * The application is assumed to understand multi-stream operation. 1136 * Remotely-initiated streams are placed in the accept queue for application 1137 * consumption. `SSL_read` and `SSL_write` calls must be made on a QUIC 1138 * stream SSL object, not the QUIC connection SSL object, as no default 1139 * stream will be associated with it. 1140 * 1141 * - `SSL_DEFAULT_STREAM_MODE_AUTO_BIDI`: "First stream wins" mode of 1142 * operation for single-stream usage. If `SSL_write` is called before the 1143 * peer opens a remotely-initiated stream, a locally-initiated bidirectional 1144 * stream is created and bound as the default stream. If the peer opens a 1145 * remotely-initiated stream before the local application calls `SSL_write` 1146 * (with `len > 0`) for the first time, that stream is bound as the default 1147 * stream, which may be bidirectional or unidirectional; if it is 1148 * unidirectional, calls to `SSL_write` will fail. Attempts to create 1149 * additional streams by the peer are automatically rejected unless 1150 * the application opts in (API TBD). 1151 * 1152 * - `SSL_DEFAULT_STREAM_MODE_AUTO_UNI`: "First stream wins" mode of 1153 * operation for single-stream usage, with a unidirectional stream. This 1154 * functions identically to `SSL_DEFAULT_STREAM_MODE_AUTO_BIDI`, but if the 1155 * local application calls `SSL_write` prior to the peer creating a 1156 * remotely-initiated stream, a unidirectional TX-only stream is created and 1157 * bound as the default stream. Thereafter, calls to `SSL_read` will fail. 1158 * If the peer creates a remotely-initiated stream prior to the first call 1159 * to `SSL_write` (with `len > 0`), that stream will be bound as the default 1160 * stream; note that a bidirectional stream may be bound in this case. 1161 * Attempts to create additional streams by the peer are automatically 1162 * rejected unless the application opts in (API TBD). 1163 * 1164 * This function must be called before a default stream object is created, for 1165 * example before initiating a connection. If the function is too late to have 1166 * an effect, this function fails and returns 0. 1167 */ 1168#define SSL_DEFAULT_STREAM_MODE_NONE 0 1169#define SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 1 1170#define SSL_DEFAULT_STREAM_MODE_AUTO_UNI 2 1171 1172__owur int SSL_set_default_stream_mode(SSL *ssl, uint32_t mode); 1173``` 1174 1175### Future APIs 1176 1177A custom poller interface may be provided in the future. For more information, 1178see the QUIC I/O Architecture design document. 1179 1180BIO Objects 1181----------- 1182 1183### Existing APIs 1184 1185#### `BIO_s_connect`, `BIO_new_ssl_connect`, `BIO_set_conn_hostname` 1186 1187We are aiming to support use of the existing `BIO_new_ssl_connect` API with only 1188minimal changes. This will require internal changes to `BIO_s_connect`, which 1189should automatically detect when it is being used with a QUIC `SSL_CTX` and act 1190accordingly. 1191 1192#### `BIO_new_bio_pair` 1193 1194Unsuitable for use with QUIC on the network side; instead, applications can 1195make use of the new `BIO_s_dgram_pair` which provides equivalent functionality 1196with datagram semantics. 1197 1198#### Interactions with `BIO_f_buffer` 1199 1200Existing applications sometimes combine a network socket BIO with a 1201`BIO_f_buffer`. This is problematic because the datagram semantics of writes are 1202not preserved, therefore the BIO provided to libssl is, as provided, unusable 1203for the purposes of implementing QUIC. Moreover, output buffering is not a 1204relevant or desirable performance optimisation for the transmission of UDP 1205datagrams and will actually undermine QUIC performance by causing incorrect 1206calculation of ACK delays and consequently inaccurate RTT calculation. 1207 1208Options: 1209 1210 - Require applications to be changed to not use QUIC with a `BIO_f_buffer`. 1211 - Detect when a `BIO_f_buffer` is part of a BIO stack and bypass it 1212 (yucky and surprising). 1213 1214#### MTU Signalling 1215 1216**See also:** 1217[BIO_s_dgram_pair(3)](https://www.openssl.org/docs/manmaster/man3/BIO_s_dgram_pair.html) 1218 1219`BIO_dgram_get_mtu` (`BIO_CTRL_DGRAM_GET_MTU`) and `BIO_dgram_set_mtu` 1220(`BIO_CTRL_DGRAM_SET_MTU`) already exist for `BIO_s_dgram` and are implemented 1221on a `BIO_s_dgram_pair` to allow the MTU to be determined and configured. One 1222side of a pair can configure the MTU to allow the other side to detect it. 1223 1224`BIO_s_dgram` also has pre-existing support for getting the correct MTU value 1225from the OS using `BIO_CTRL_DGRAM_QUERY_MTU`. 1226 1227### New APIs 1228 1229#### `BIO_sendmmsg` and `BIO_recvmmsg` 1230 1231**See also:** 1232[BIO_sendmmsg(3)](https://www.openssl.org/docs/manmaster/man3/BIO_sendmmsg.html) 1233 1234The BIO interface features a new high-performance API for the execution of 1235multiple read or write operations in a single system call, on supported OSes. On 1236other OSes, a compatible fallback implementation is used. 1237 1238Unlike all other BIO APIs, this API is intended for concurrent threaded use and 1239as such operates in a stateless fashion with regards to a BIO. This means, for 1240example, that retry indications are made using explicit API inputs and outputs 1241rather than setting an internal flag on the BIO. 1242 1243This new BIO API includes: 1244 1245- Local address support (getting the destination address of an incoming 1246 packet; setting the source address of an outgoing packet), where support 1247 for this is available; 1248- Peer address support (setting the destination address of an outgoing 1249 packet; getting the source address of an incoming packet), where support 1250 for this is available. 1251 1252The following functionality was intentionally left out of this design because 1253not all OSes can provide support: 1254 1255- Iovecs (which have also been determined not to be necessary for a 1256 performant QUIC implementation); 1257- Features such as `MSG_DONTWAIT`, etc. 1258 1259This BIO API is intended to be extensible. For more information on this API, see 1260BIO_sendmmsg(3) and BIO_recvmmsg(3). 1261 1262Custom BIO implementers may set their own implementation of these APIs via 1263corresponding `BIO_meth` getter/setter functions. 1264 1265#### Truncation Mode 1266 1267**See also:** 1268[BIO_s_dgram_pair(3)](https://www.openssl.org/docs/manmaster/man3/BIO_s_dgram_pair.html) 1269 1270The controls `BIO_dgram_set_no_trunc` (`BIO_CTRL_DGRAM_SET_NO_TRUNC`) and 1271`BIO_dgram_get_no_trunc` (`BIO_CTRL_DGRAM_GET_NO_TRUNC`) are introduced. This is 1272a boolean value which may be implemented by BIOs with datagram semantics. When 1273enabled, attempting to receive a datagram such that the datagram would 1274ordinarily be truncated (as per the design of the Berkeley sockets API) instead 1275results in a failure. This is intended for implementation by `BIO_s_dgram_pair`. 1276For compatibility, the default behaviour is off. 1277 1278#### Capability Negotiation 1279 1280**See also:** 1281[BIO_s_dgram_pair(3)](https://www.openssl.org/docs/manmaster/man3/BIO_s_dgram_pair.html) 1282 1283Where a `BIO_s_dgram_pair` is used, there is the potential for such a memory BIO 1284to be used by existing application code which is being adapted for use with 1285QUIC. A problem arises whereby one end of a `BIO_s_dgram_pair` (for example, the 1286side being used by OpenSSL's QUIC implementation) may assume that the other end 1287supports certain capabilities (for example, specifying a peer address), when in 1288actual fact the opposite end of the `BIO_s_dgram_pair` does not. 1289 1290A capability signalling mechanism is introduced which allows one end of a 1291`BIO_s_dgram_pair` to indicate to the user of the opposite BIO the following 1292capabilities and related information: 1293 1294- Whether source addresses the peer specifies will be processed. 1295- Whether destination addresses the peer specifies will be processed. 1296- Whether source addresses will be provided to the opposite BIO when it 1297 receives datagrams. 1298- Whether destination addresses will be provided to the opposite BIO 1299 when it receives datagrams. 1300 1301The usage is as follows: 1302 1303- One side of a BIO pair calls `BIO_dgram_set_caps` with zero or 1304 more of the following flags to advertise its capabilities: 1305 - `BIO_DGRAM_CAP_HANDLES_SRC_ADDR` 1306 - `BIO_DGRAM_CAP_HANDLES_DST_ADDR` 1307 - `BIO_DGRAM_CAP_PROVIDES_SRC_ADDR` 1308 - `BIO_DGRAM_CAP_PROVIDES_DST_ADDR` 1309- The other side of the BIO pair calls `BIO_dgram_get_effective_caps` 1310 to learn the effective capabilities of the BIO. These are the capabilities set 1311 by the opposite BIO. 1312- The above process can also be repeated in the opposite direction. 1313 1314#### Local Address Support 1315 1316**See also:** 1317[BIO_s_dgram_pair(3)](https://www.openssl.org/docs/manmaster/man3/BIO_s_dgram_pair.html) 1318 1319Support for local addressing (the reception of destination addresses for 1320incoming packets, and the specification of source addresses for outgoing 1321packets) varies by OS. Thus, it may not be available in all circumstances. A 1322feature negotiation mechanism is introduced to facilitate this. 1323 1324`BIO_dgram_get_local_addr_cap` (`BIO_CTRL_DGRAM_GET_LOCAL_ADDR_CAP`) determines 1325if a BIO is potentially capable of supporting local addressing on the current 1326platform. If it determines that support is available, local addressing support 1327must then be explicitly enabled via `BIO_dgram_set_local_addr_enable` 1328(`BIO_CTRL_DGRAM_SET_LOCAL_ADDR_ENABLE`). If local addressing support has not 1329been enabled, attempts to use local addressing (for example via `BIO_sendmmsg` 1330or `BIO_recvmmsg` with a `BIO_MSG` with a non-NULL `local` field) fails. 1331 1332An explicit enablement call is required because setting up local addressing 1333support requires system calls on most operating systems prior to sending or 1334receiving packets and we do not wish to do this automatically inside the 1335`BIO_sendmmsg`/`BIO_recvmmsg` fastpaths, particularly since the process of 1336enabling support could fail due to lack of OS support, etc. 1337 1338`BIO_dgram_get_local_addr_enable` (`BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE`) is 1339also available. 1340 1341It is important to note that `BIO_dgram_get_local_addr_cap` is entirely distinct 1342from the application capability negotiation mechanism discussed above. Whereas 1343the capability negotiation mechanism discussed above allows *applications* to 1344signal what they are capable of handling in their usage of a given BIO, 1345`BIO_dgram_local_addr_cap` allows a *BIO implementation* to indicate to the 1346users of that BIO whether it is able to support local addressing (where 1347enabled). 1348 1349#### `BIO_s_dgram_pair` 1350 1351**See also:** 1352[BIO_s_dgram_pair(3)](https://www.openssl.org/docs/manmaster/man3/BIO_s_dgram_pair.html) 1353 1354A new BIO implementation, `BIO_s_dgram_pair`, is provided. This is similar to 1355the existing BIO pair but provides datagram semantics. It provides full support 1356for the new APIs `BIO_sendmmsg`, `BIO_recvmmsg`, the capability negotiation 1357mechanism described above, local address support and the MTU signalling 1358mechanism described above. 1359 1360It can be instantiated using the new API `BIO_new_dgram_pair`. 1361 1362#### `BIO_POLL_DESCRIPTOR` 1363 1364The concept of *poll descriptors* are introduced. A poll descriptor is a tagged 1365union structure which represents an abstraction over some unspecified kind of OS 1366descriptor which can be used for synchronization and waiting. 1367 1368The most commonly used kind of poll descriptor is one which describes a network 1369socket (i.e., on POSIX-like platforms, a file descriptor), however other kinds 1370of poll descriptor may be defined. 1371 1372A BIO may be queried for whether it has a poll descriptor for read or write 1373operations respectively: 1374 1375- Where `BIO_get_rpoll_descriptor` (`BIO_CTRL_GET_RPOLL_DESCRIPTOR`) is called, 1376 the BIO should output a poll descriptor which describes a resource which can 1377 be used to determine when the BIO will next become readable via a call to 1378 `BIO_read` or, if supported by the BIO, `BIO_recvmmsg`. 1379- Where 1380 `BIO_get_wpoll_descriptor` (`BIO_CTRL_GET_WPOLL_DESCRIPTOR`) is called, the 1381 BIO should output a poll descriptor which describes a resource which can be 1382 used to determine when the BIO will next become writeable via a call to 1383 `BIO_write` or, if supported by the BIO, `BIO_sendmmsg`. 1384 1385A BIO may not necessarily be able to provide a poll descriptor. For example, 1386memory-based BIOs such as `BIO_s_dgram_pair` do not correspond to any OS 1387synchronisation resource, and thus the `BIO_get_rpoll_descriptor` and 1388`BIO_get_wpoll_descriptor` calls are not supported for such BIOs. 1389 1390A BIO which supports these functions is known as pollable, and a BIO which does 1391not is known as non-pollable. `BIO_s_dgram` supports these functions. 1392 1393The implementation of these functions for a `BIO_f_ssl` forwards to 1394`SSL_get_rpoll_descriptor` and `SSL_get_wpoll_descriptor` respectively. The 1395 1396#### `BIO_s_dgram_mem` 1397 1398This is a basic memory buffer BIO with datagram semantics. Unlike 1399`BIO_s_dgram_pair`, it is unidirectional and does not support peer addressing or 1400local addressing. 1401 1402#### `BIO_err_is_non_fatal` 1403 1404A new predicate function `BIO_err_is_non_fatal` is defined which determines if 1405an error code represents a non-fatal or transient error. For details, see 1406[BIO_sendmmsg(3)](https://www.openssl.org/docs/manmaster/man3/BIO_sendmmsg.html). 1407 1408Q & A 1409----- 1410 1411To assist in understanding, when a “TBD” listed above is removed, or when a 1412relevant question is raised, the resolution to the question will be placed here. 1413 1414**Q. Should `SSL_do_handshake` wait until the handshake is completed, or until it 1415is confirmed?** 1416 1417**Note:** [The terms *handshake complete* and *handshake confirmed* are defined 1418in RFC 9001 and have specific 1419meanings.](https://www.rfc-editor.org/rfc/rfc9001.html#name-handshake-complete) 1420 1421A. `SSL_do_handshake` should wait until the handshake is completed, because 1422handshake completion represents the completion of the cryptographic 1423authentication of the connection. When a connection's handshake is completed, 1424TLS 1.3 Finished messages have been exchanged by both parties, even if the 1425handshake has not yet been *confirmed*. Moreover, RFC 9001 s. 4.1.2 states: 1426 1427>Additionally, a client MAY consider the handshake to be confirmed when it 1428>receives an acknowledgment for a 1-RTT packet. 1429 1430This logically implies that it is OK for a client to start transmitting 1-RTT 1431packets prior to handshake confirmation, otherwise there would be no in-flight 14321-RTT packets for the client to receive ACKs for. 1433 1434**Q. Does `ENABLE_PARTIAL_WRITE` interact with blocking mode?** 1435 1436A. No; this mode is only relevant to non-blocking mode. In blocking mode, 1437`SSL_write` always waits until all data is written unless an error occurs. The 1438semantics of `SSL_write` are preserved unchanged. 1439 1440**Q. Does `SSL_write` block until data is written to the network, or simply 1441until it is buffered?** 1442 1443A. `SSL_write` blocks until it has accepted responsibility for the data passed 1444to it, just like `write(2)` or `send(2)`. In other words, it blocks until it can 1445buffer the data. This does not necessarily mean that the data has actually been 1446sent. 1447 1448**Q. How should connection closure work?** 1449 1450A. **RFC requirements.** After we begin terminating the connection by sending a 1451`CONNECTION_CLOSE` frame, QUIC requires that we continue to process network I/O 1452for a certain period of time so that any further traffic from the peer results 1453in generation of a further `CONNECTION_CLOSE` frame. This is necessary to handle 1454the possibility that the `CONNECTION_CLOSE` frame which was initially sent may 1455be lost. 1456 1457**API issues.** This creates a complication because it implies that the 1458connection closure process may take a fair amount of time, whereas existing API 1459users will generally expect to be able to call `SSL_shutdown` and then 1460immediately free the SSL object. 1461 1462However, if the caller immediately frees the SSL object, this precludes 1463our implementing the applicable logic, at least on the client side. Moreover, 1464existing API users are likely to tear down underlying network BIOs immediately 1465after calling `SSL_free` anyway. In other words, any implementation based on 1466secretly keeping QUIC state around after a call to `SSL_free` does not seem 1467particularly workable on the client side. 1468 1469**Server side considerations.** There is more of a prospect here on the server 1470side, since multiple connections will share the same socket, which will 1471presumably be associated with some kind of enduring listener object. Thus when 1472server support is implemented in the future connection teardown could be handled 1473internally by maintaining the state of connections undergoing termination inside 1474the listener object. However, similar caveats to those discussed here arise when 1475the listener object itself is to be town down. (It is also possible we could 1476optionally allow use of the server-style API to make multiple outgoing client 1477connections with a non-zero-length client-side CID on the same underlying 1478network BIO.) 1479 1480There are only really two ways to handle this: 1481 1482- **RFC conformant mode.** `SSL_shutdown` only indicates that shutdown is 1483 complete once the entire connection closure process is complete. 1484 1485 This process consists of the Closing and Draining states. In some cases the 1486 Closing state may last only briefly, namely if the peer chooses to respond to 1487 our `CONNECTION_CLOSE` frame with a `CONNECTION_CLOSE` frame of its own. This 1488 allows immediate progression to the Draining state. However, a peer is *not* 1489 required to respond with such a frame. Thus in the worst case, this state can 1490 be as long as `3*PTO`; for example a peer with a high estimated RTT of 300ms 1491 would have us wait for 900ms. 1492 1493 In the Draining state we simply ignore all incoming traffic and do not 1494 generate outgoing traffic. The purpose of this state is to simply tie up the 1495 socket and ensure any data still in flight is discarded. However, RFC 9000 1496 states: 1497 1498 Disposing of connection state prior to exiting the closing or draining state 1499 could result in an endpoint generating a Stateless Reset unnecessarily when 1500 it receives a late-arriving packet. Endpoints that have some alternative 1501 means to ensure that late-arriving packets do not induce a response, such as 1502 those that are able to close the UDP socket, MAY end these states earlier to 1503 allow for faster resource recovery. Servers that retain an open socket for 1504 accepting new connections SHOULD NOT end the closing or draining state early 1505 1506 Because our client mode implementation uses one socket per connection, it 1507 appears to be reasonable based on the above text to omit the implementation of 1508 the draining state (the same may not be the case for the server role when 1509 implemented in the future). 1510 1511 Thus, in general, `SSL_shutdown` can be expected to take about one round 1512 trip's time to complete when dealing with a peer whose QUIC implementation 1513 happens to respond to a `CONNECTION_CLOSE` frame with a `CONNECTION_CLOSE` 1514 frame of its own, and about three round trips otherwise. 1515 1516- **Rapid shutdown mode.** `SSL_shutdown` sends a `CONNECTION_CLOSE` frame once 1517 and completes immediately. The Closing and Draining states are not used, and 1518 if the `CONNECTION_CLOSE` frame was lost, the peer will have to wait for idle 1519 timeout to determine that the connection is gone (there is also the 1520 possibility that, if the socket is closed by the application after teardown, a 1521 peer will make something of ICMP Port Unreachable messages, but this is 1522 unlikely to be reliable and since this message is not authenticated, QUIC 1523 implementations probably shouldn't pay much attention to it anyway.) 1524 1525There is little problem with `SSL_shutdown` taking as long as it needs to for 1526some long-running applications, but for others it poses a real issue. For 1527example, a command-line tool which makes one connection, performs one 1528application-specific transaction, and then tears down the connection. In this 1529case an RFC-conformant connection termination would essentially require the 1530process to hang around for a substantial amount of time after the work of the 1531process is done. 1532 1533For this reason, it is concluded that both of these shutdown modes need to be 1534offered. 1535 1536Where connection closure is initiated remotely rather than locally, only the 1537draining state is relevant. Since we conclude above that we do not need to 1538implement the draining state on the client side, this means that connection 1539closure can be completed immediately in the case of a remote closure. 1540 1541**Q. Should we just map `SSL_handle_events` to `DTLS_CTRL_HANDLE_TIMEOUT` 1542internally?** 1543 1544A. No, since the infinite time representation is different between the two 1545calls. 1546 1547**Q. How should `STOP_SENDING` be supported?** 1548 1549We trigger `STOP_SENDING` automatically if an application frees the associated 1550QUIC stream SSL object. 1551 1552**Q. Can data be received on a locally initiated bidirectional stream before any 1553data is sent on that stream?** 1554 1555This is an interesting question without a clear answer to be found in the QUIC 1556RFCs. A close reading of RFC 9000 suggests that the answer is, in principle, 1557yes; however the RFC also grants explicit permission to make design choices in 1558implementations which would preclude this: 1559 1560>An implementation might choose to defer allocating a stream ID to a stream until 1561>it sends the first STREAM frame and enters this state, which can allow for 1562>better stream prioritization. 1563 1564If an ID has not been allocated to a stream, obviously incoming data cannot be 1565addressed to it. However, supposing that an implementation does not do this, 1566RFC 9000 seems basically clear that it is valid for an application to create a 1567stream locally, then receive data on it before sending anything: 1568 1569>The sending part of a stream that the endpoint initiates (types 0 and 2 for 1570>clients, 1 and 3 for servers) is opened by the application. The "Ready" 1571>state represents a newly created stream that is able to accept data from the 1572>application. 1573> 1574>[...] 1575> 1576>For a bidirectional stream, the receiving part enters the "Recv" state when 1577>the sending part initiated by the endpoint (type 0 for a client, type 1 for 1578>a server) enters the "Ready" state. 1579 1580A peer is not generally notified of the creation of a stream which has not sent 1581any data yet, since the creation of a stream is signalled only implicitly via 1582the transmission of data in `STREAM` frames. However, a zero-length STREAM frame 1583could presumably be used to effect such a notification. RFC 9000 contains no 1584specific discussion of this possibility but does not preclude it. As such, in 1585order to receive data on a locally-initiated bidirectional stream before sending 1586any data on that stream, it would be necessary to either 1587 1588- Use a QUIC implementation which signals a bidirectional stream which has 1589 not yet sent any data via a zero-length stream frame, or 1590 1591- Use an application protocol which can inform the peer of the stream ID 1592 of the created stream in some application protocol-specific way. 1593 This is somewhat less plausible because it would require an API between 1594 the application and its QUIC library to inform the QUIC library 1595 that the peer has in fact created a stream with a given ID and to 1596 take its word for it. This is unlikely to be commonly available, especially as 1597 application errors in usage of such an API would lead to internal 1598 inconsistencies in QUIC connection state. 1599 1600Of course this discussion is somewhat esoteric as it is unclear why an 1601application would want to create a locally-initiated stream and then have the 1602peer transmit on it first, rather than simply use a remotely-initiated stream. 1603Thus this discussion of this edge case is more of a curiosity, however for 1604completeness it needs to be thought about in the API design. 1605 1606**Q. How should single-stream operation support locally and remotely-initiated 1607streams?** 1608 1609Note that the ID of a stream depends on whether it is bidirectional and whether 1610it is initiated by the client or server. Therefore, in single stream operation, 1611it is necessary to know whether single-stream QUIC is being used with 1612client-initiated or server-initiated stream initiation, and whether a 1613bidirectional or unidirectional stream is being used; otherwise, we do not know 1614which stream ID to bind to. 1615 1616The object of single stream operation is to support simple uses cases for simple 1617applications. There seems no need to support esoteric usage of streams such as 1618receiving first on a locally initiated stream here, thus we avoid supporting 1619this to simplify the API. 1620 1621As such, an application which calls `SSL_write` on a QUIC connection SSL object 1622before it calls `SSL_read` by definition is using a locally-initiated stream, 1623and an application which does the opposite is using a remotely-initiated stream. 1624We can use the ordering of initial calls to `SSL_read` and `SSL_write` to infer 1625the desired stream type. 1626 1627Supporting locally-initiated streams (`SSL_write` called first) is simple; 1628we automatically create the stream and queue data for transmission. 1629 1630Supporting remotely-initiated streams (`SSL_read` called first) is a little 1631stranger. We could create the stream with the correct ID when cued to by the 1632initial call to `SSL_read` implying use of a remotely-initiated stream. However, 1633this would mean we are creating state tracking a remotely-initiated stream 1634before the peer has signalled it. This would work in the happy case where the 1635client is connected to a compatible server but may result in strange 1636inconsistencies of QUIC internal state if a client is accidentally connected to 1637an incompatible peer. Since the peer ought to be the authority on the streams it 1638creates, this seems like an undesirable approach. 1639 1640Ergo, creation of a default remotely-initiated stream needs to be deferred 1641until the *peer* signals such a stream. 1642 1643This leads naturally to a "first stream wins" model of implementation: 1644 1645- When a QUIC connection SSL object is created, default stream mode is 1646 enabled, meaning that a default stream will be bound to the QUIC connection 1647 SSL object at the earliest available opportunity. However, no default 1648 stream is bound yet. 1649 1650- One of the following events happened — whichever happens first wins: 1651 1652 - The local application calls `SSL_write()` (`len > 0`). A locally-initiated 1653 stream with ordinal 0 is created. The stream is bidirectional by default but 1654 this can be changed. This stream is bound as the default stream. 1655 1656 - The peer creates a stream. This stream is bound as the default stream. 1657 1658If the local application calls `SSL_read()` before either of the above 1659occur, `SSL_read()` fails as though no data is available until one 1660of the above events occurs. 1661 1662Once one of the above events occurs, any additional stream created by the peer 1663is automatically terminated using both `STOP_SENDING` and `STREAM_RESET` frames 1664(to terminate both the receiving and sending parts respectively) and there is no 1665API-visible effect to the local application (unless the application explicitly 1666opts into supporting additional streams). 1667