/src/openssl/ssl/quic/quic_channel.c

Source
/*
 * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/rand.h>
#include <openssl/err.h>
#include "internal/ssl_unwrap.h"
#include "internal/quic_channel.h"
#include "internal/quic_error.h"
#include "internal/quic_rx_depack.h"
#include "internal/quic_lcidm.h"
#include "internal/quic_srtm.h"
#include "internal/qlog_event_helpers.h"
#include "internal/quic_txp.h"
#include "internal/quic_tls.h"
#include "internal/quic_ssl.h"
#include "../ssl_local.h"
#include "quic_channel_local.h"
#include "quic_port_local.h"
#include "quic_engine_local.h"

#define INIT_CRYPTO_RECV_BUF_LEN 16384
#define INIT_CRYPTO_SEND_BUF_LEN 16384
#define INIT_APP_BUF_LEN 8192

/*
 * Interval before we force a PING to ensure NATs don't timeout. This is based
 * on the lowest commonly seen value of 30 seconds as cited in RFC 9000 s.
 * 10.1.2.
 */
#define MAX_NAT_INTERVAL (ossl_ms2time(25000))

/*
 * Our maximum ACK delay on the TX side. This is up to us to choose. Note that
 * this could differ from QUIC_DEFAULT_MAX_DELAY in future as that is a protocol
 * value which determines the value of the maximum ACK delay if the
 * max_ack_delay transport parameter is not set.
 */
#define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY

DEFINE_LIST_OF_IMPL(ch, QUIC_CHANNEL);

static void ch_save_err_state(QUIC_CHANNEL *ch);
static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads);
static int ch_tx(QUIC_CHANNEL *ch, int *notify_other_threads);
static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads);
static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only);
static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch);
static int ch_retry(QUIC_CHANNEL *ch,
    const unsigned char *retry_token,
    size_t retry_token_len,
    const QUIC_CONN_ID *retry_scid,
    int drop_later_pn);
static int ch_restart(QUIC_CHANNEL *ch);

static void ch_cleanup(QUIC_CHANNEL *ch);
static int ch_generate_transport_params(QUIC_CHANNEL *ch);
static int ch_on_transport_params(const unsigned char *params,
    size_t params_len,
    void *arg);
static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
static int ch_on_handshake_complete(void *arg);
static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
    uint32_t suite_id, EVP_MD *md,
    const unsigned char *secret,
    size_t secret_len,
    void *arg);
static int ch_on_crypto_recv_record(const unsigned char **buf,
    size_t *bytes_read, void *arg);
static int ch_on_crypto_release_record(size_t bytes_read, void *arg);
static int crypto_ensure_empty(QUIC_RSTREAM *rstream);
static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
    size_t *consumed, void *arg);
static OSSL_TIME get_time(void *arg);
static uint64_t get_stream_limit(int uni, void *arg);
static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg);
static void rxku_detected(QUIC_PN pn, void *arg);
static int ch_retry(QUIC_CHANNEL *ch,
    const unsigned char *retry_token,
    size_t retry_token_len,
    const QUIC_CONN_ID *retry_scid,
    int drop_later_pn);
static void ch_update_idle(QUIC_CHANNEL *ch);
static int ch_discard_el(QUIC_CHANNEL *ch,
    uint32_t enc_level);
static void ch_on_idle_timeout(QUIC_CHANNEL *ch);
static void ch_update_idle(QUIC_CHANNEL *ch);
static void ch_update_ping_deadline(QUIC_CHANNEL *ch);
static void ch_on_terminating_timeout(QUIC_CHANNEL *ch);
static void ch_start_terminating(QUIC_CHANNEL *ch,
    const QUIC_TERMINATE_CAUSE *tcause,
    int force_immediate);
static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
    void *arg);
static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt);
static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch);
static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state);

DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM);

QUIC_NEEDS_LOCK
static QLOG *ch_get_qlog(QUIC_CHANNEL *ch)
{
#ifndef OPENSSL_NO_QLOG
    QLOG_TRACE_INFO qti = { 0 };

    if (ch->qlog != NULL)
        return ch->qlog;

    if (!ch->use_qlog)
        return NULL;

    if (ch->is_server && ch->init_dcid.id_len == 0)
        return NULL;

    qti.odcid = ch->init_dcid;
    qti.title = ch->qlog_title;
    qti.description = NULL;
    qti.group_id = NULL;
    qti.is_server = ch->is_server;
    qti.now_cb = get_time;
    qti.now_cb_arg = ch;
    if ((ch->qlog = ossl_qlog_new_from_env(&qti)) == NULL) {
        ch->use_qlog = 0; /* don't try again */
        return NULL;
    }

    return ch->qlog;
#else
    return NULL;
#endif
}

QUIC_NEEDS_LOCK
static QLOG *ch_get_qlog_cb(void *arg)
{
    QUIC_CHANNEL *ch = arg;

    return ch_get_qlog(ch);
}

/*
 * QUIC Channel Initialization and Teardown
 * ========================================
 */
#define DEFAULT_INIT_CONN_RXFC_WND (768 * 1024)
#define DEFAULT_CONN_RXFC_MAX_WND_MUL 20

#define DEFAULT_INIT_STREAM_RXFC_WND (512 * 1024)
#define DEFAULT_STREAM_RXFC_MAX_WND_MUL 12

#define DEFAULT_INIT_CONN_MAX_STREAMS 100

static int ch_init(QUIC_CHANNEL *ch)
{
    OSSL_QUIC_TX_PACKETISER_ARGS txp_args = { 0 };
    OSSL_QTX_ARGS qtx_args = { 0 };
    OSSL_QRX_ARGS qrx_args = { 0 };
    QUIC_TLS_ARGS tls_args = { 0 };
    uint32_t pn_space;
    size_t rx_short_dcid_len;
    size_t tx_init_dcid_len;

    if (ch->port == NULL || ch->lcidm == NULL || ch->srtm == NULL)
        goto err;

    rx_short_dcid_len = ossl_quic_port_get_rx_short_dcid_len(ch->port);
    tx_init_dcid_len = ossl_quic_port_get_tx_init_dcid_len(ch->port);

    /* For clients, generate our initial DCID. */
    if (!ch->is_server
        && !ossl_quic_gen_rand_conn_id(ch->port->engine->libctx, tx_init_dcid_len,
            &ch->init_dcid))
        goto err;

    /* We plug in a network write BIO to the QTX later when we get one. */
    qtx_args.libctx = ch->port->engine->libctx;
    qtx_args.get_qlog_cb = ch_get_qlog_cb;
    qtx_args.get_qlog_cb_arg = ch;
    qtx_args.mdpl = QUIC_MIN_INITIAL_DGRAM_LEN;
    ch->rx_max_udp_payload_size = qtx_args.mdpl;

    ch->ping_deadline = ossl_time_infinite();

    ch->qtx = ossl_qtx_new(&qtx_args);
    if (ch->qtx == NULL)
        goto err;

    ch->txpim = ossl_quic_txpim_new();
    if (ch->txpim == NULL)
        goto err;

    ch->cfq = ossl_quic_cfq_new();
    if (ch->cfq == NULL)
        goto err;

    if (!ossl_quic_txfc_init(&ch->conn_txfc, NULL))
        goto err;

    /*
     * Note: The TP we transmit governs what the peer can transmit and thus
     * applies to the RXFC.
     */
    ch->tx_init_max_stream_data_bidi_local = DEFAULT_INIT_STREAM_RXFC_WND;
    ch->tx_init_max_stream_data_bidi_remote = DEFAULT_INIT_STREAM_RXFC_WND;
    ch->tx_init_max_stream_data_uni = DEFAULT_INIT_STREAM_RXFC_WND;

    if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
            DEFAULT_INIT_CONN_RXFC_WND,
            DEFAULT_CONN_RXFC_MAX_WND_MUL * DEFAULT_INIT_CONN_RXFC_WND,
            get_time, ch))
        goto err;

    for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space)
        if (!ossl_quic_rxfc_init_standalone(&ch->crypto_rxfc[pn_space],
                INIT_CRYPTO_RECV_BUF_LEN,
                get_time, ch))
            goto err;

    if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_bidi_rxfc,
            DEFAULT_INIT_CONN_MAX_STREAMS,
            get_time, ch))
        goto err;

    if (!ossl_quic_rxfc_init_standalone(&ch->max_streams_uni_rxfc,
            DEFAULT_INIT_CONN_MAX_STREAMS,
            get_time, ch))
        goto err;

    if (!ossl_statm_init(&ch->statm))
        goto err;

    ch->have_statm = 1;
    ch->cc_method = &ossl_cc_newreno_method;
    if ((ch->cc_data = ch->cc_method->new(get_time, ch)) == NULL)
        goto err;

    if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
             ch->cc_method, ch->cc_data,
             ch->is_server))
        == NULL)
        goto err;

    if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,
            &ch->max_streams_bidi_rxfc,
            &ch->max_streams_uni_rxfc,
            ch))
        goto err;

    ch->have_qsm = 1;

    if (!ch->is_server
        && !ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->init_scid))
        goto err;

    txp_args.cur_scid = ch->init_scid;
    txp_args.cur_dcid = ch->init_dcid;
    txp_args.ack_delay_exponent = 3;
    txp_args.qtx = ch->qtx;
    txp_args.txpim = ch->txpim;
    txp_args.cfq = ch->cfq;
    txp_args.ackm = ch->ackm;
    txp_args.qsm = &ch->qsm;
    txp_args.conn_txfc = &ch->conn_txfc;
    txp_args.conn_rxfc = &ch->conn_rxfc;
    txp_args.max_streams_bidi_rxfc = &ch->max_streams_bidi_rxfc;
    txp_args.max_streams_uni_rxfc = &ch->max_streams_uni_rxfc;
    txp_args.cc_method = ch->cc_method;
    txp_args.cc_data = ch->cc_data;
    txp_args.now = get_time;
    txp_args.now_arg = ch;
    txp_args.get_qlog_cb = ch_get_qlog_cb;
    txp_args.get_qlog_cb_arg = ch;
    txp_args.protocol_version = QUIC_VERSION_1;

    for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
        ch->crypto_send[pn_space] = ossl_quic_sstream_new(INIT_CRYPTO_SEND_BUF_LEN);
        if (ch->crypto_send[pn_space] == NULL)
            goto err;

        txp_args.crypto[pn_space] = ch->crypto_send[pn_space];
    }

    ch->txp = ossl_quic_tx_packetiser_new(&txp_args);
    if (ch->txp == NULL)
        goto err;

    /* clients have no amplification limit, so are considered always valid */
    if (!ch->is_server)
        ossl_quic_tx_packetiser_set_validated(ch->txp);

    ossl_quic_tx_packetiser_set_ack_tx_cb(ch->txp, ch_on_txp_ack_tx, ch);

    /*
     * qrx does not exist yet, then we must be dealing with client channel
     * (QUIC connection initiator).
     * If qrx exists already, then we are dealing with server channel which
     * qrx gets created by port_default_packet_handler() before
     * port_default_packet_handler() accepts connection and creates channel
     * for it.
     * The exception here is tserver which always creates channel,
     * before the first packet is ever seen.
     */
    if (ch->qrx == NULL && ch->is_tserver_ch == 0) {
        /* we are regular client, create channel */
        qrx_args.libctx = ch->port->engine->libctx;
        qrx_args.demux = ch->port->demux;
        qrx_args.short_conn_id_len = rx_short_dcid_len;
        qrx_args.max_deferred = 32;

        if ((ch->qrx = ossl_qrx_new(&qrx_args)) == NULL)
            goto err;
    }

    if (ch->qrx != NULL) {
        /*
         * callbacks for channels associated with tserver's port
         * are set up later when we call ossl_quic_channel_bind_qrx()
         * in port_default_packet_handler()
         */
        if (!ossl_qrx_set_late_validation_cb(ch->qrx,
                rx_late_validate,
                ch))
            goto err;

        if (!ossl_qrx_set_key_update_cb(ch->qrx,
                rxku_detected,
                ch))
            goto err;
    }

    for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
        ch->crypto_recv[pn_space] = ossl_quic_rstream_new(NULL, NULL, 0);
        if (ch->crypto_recv[pn_space] == NULL)
            goto err;
    }

    /* Plug in the TLS handshake layer. */
    tls_args.s = ch->tls;
    tls_args.crypto_send_cb = ch_on_crypto_send;
    tls_args.crypto_send_cb_arg = ch;
    tls_args.crypto_recv_rcd_cb = ch_on_crypto_recv_record;
    tls_args.crypto_recv_rcd_cb_arg = ch;
    tls_args.crypto_release_rcd_cb = ch_on_crypto_release_record;
    tls_args.crypto_release_rcd_cb_arg = ch;
    tls_args.yield_secret_cb = ch_on_handshake_yield_secret;
    tls_args.yield_secret_cb_arg = ch;
    tls_args.got_transport_params_cb = ch_on_transport_params;
    tls_args.got_transport_params_cb_arg = ch;
    tls_args.handshake_complete_cb = ch_on_handshake_complete;
    tls_args.handshake_complete_cb_arg = ch;
    tls_args.alert_cb = ch_on_handshake_alert;
    tls_args.alert_cb_arg = ch;
    tls_args.is_server = ch->is_server;
    tls_args.ossl_quic = 1;

    if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
        goto err;

    ch->tx_max_ack_delay = DEFAULT_MAX_ACK_DELAY;
    ch->rx_max_ack_delay = QUIC_DEFAULT_MAX_ACK_DELAY;
    ch->rx_ack_delay_exp = QUIC_DEFAULT_ACK_DELAY_EXP;
    ch->rx_active_conn_id_limit = QUIC_MIN_ACTIVE_CONN_ID_LIMIT;
    ch->tx_enc_level = QUIC_ENC_LEVEL_INITIAL;
    ch->rx_enc_level = QUIC_ENC_LEVEL_INITIAL;
    ch->txku_threshold_override = UINT64_MAX;

    ch->max_idle_timeout_local_req = QUIC_DEFAULT_IDLE_TIMEOUT;
    ch->max_idle_timeout_remote_req = 0;
    ch->max_idle_timeout = ch->max_idle_timeout_local_req;

    ossl_ackm_set_tx_max_ack_delay(ch->ackm, ossl_ms2time(ch->tx_max_ack_delay));
    ossl_ackm_set_rx_max_ack_delay(ch->ackm, ossl_ms2time(ch->rx_max_ack_delay));

    ch_update_idle(ch);
    ossl_list_ch_insert_tail(&ch->port->channel_list, ch);
    ch->on_port_list = 1;
    return 1;

err:
    ch_cleanup(ch);
    return 0;
}

static void ch_cleanup(QUIC_CHANNEL *ch)
{
    uint32_t pn_space;

    if (ch->ackm != NULL)
        for (pn_space = QUIC_PN_SPACE_INITIAL;
            pn_space < QUIC_PN_SPACE_NUM;
            ++pn_space)
            ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);

    if (ch->lcidm != NULL)
        ossl_quic_lcidm_cull(ch->lcidm, ch);

    if (ch->srtm != NULL)
        ossl_quic_srtm_cull(ch->srtm, ch);

    ossl_quic_tx_packetiser_free(ch->txp);
    ossl_quic_txpim_free(ch->txpim);
    ossl_quic_cfq_free(ch->cfq);
    ossl_qtx_free(ch->qtx);
    if (ch->cc_data != NULL)
        ch->cc_method->free(ch->cc_data);
    if (ch->have_statm)
        ossl_statm_destroy(&ch->statm);
    ossl_ackm_free(ch->ackm);

    if (ch->have_qsm)
        ossl_quic_stream_map_cleanup(&ch->qsm);

    for (pn_space = QUIC_PN_SPACE_INITIAL; pn_space < QUIC_PN_SPACE_NUM; ++pn_space) {
        ossl_quic_sstream_free(ch->crypto_send[pn_space]);
        ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
    }

    ossl_qrx_pkt_release(ch->qrx_pkt);
    ch->qrx_pkt = NULL;

    ossl_quic_tls_free(ch->qtls);
    ossl_qrx_free(ch->qrx);
    OPENSSL_free(ch->local_transport_params);
    OPENSSL_free((char *)ch->terminate_cause.reason);
    OSSL_ERR_STATE_free(ch->err_state);
    OPENSSL_free(ch->ack_range_scratch);
    OPENSSL_free(ch->pending_new_token);

    if (ch->on_port_list) {
        ossl_list_ch_remove(&ch->port->channel_list, ch);
        ch->on_port_list = 0;
    }

#ifndef OPENSSL_NO_QLOG
    if (ch->qlog != NULL)
        ossl_qlog_flush(ch->qlog); /* best effort */

    OPENSSL_free(ch->qlog_title);
    ossl_qlog_free(ch->qlog);
#endif
}

int ossl_quic_channel_init(QUIC_CHANNEL *ch)
{
    return ch_init(ch);
}

void ossl_quic_channel_bind_qrx(QUIC_CHANNEL *tserver_ch, OSSL_QRX *qrx)
{
    if (tserver_ch->qrx == NULL && tserver_ch->is_tserver_ch == 1) {
        tserver_ch->qrx = qrx;
        ossl_qrx_set_late_validation_cb(tserver_ch->qrx, rx_late_validate,
            tserver_ch);
        ossl_qrx_set_key_update_cb(tserver_ch->qrx, rxku_detected,
            tserver_ch);
    }
}

QUIC_CHANNEL *ossl_quic_channel_alloc(const QUIC_CHANNEL_ARGS *args)
{
    QUIC_CHANNEL *ch = NULL;

    if ((ch = OPENSSL_zalloc(sizeof(*ch))) == NULL)
        return NULL;

    ch->port = args->port;
    ch->is_server = args->is_server;
    ch->tls = args->tls;
    ch->lcidm = args->lcidm;
    ch->srtm = args->srtm;
    ch->qrx = args->qrx;
    ch->is_tserver_ch = args->is_tserver_ch;
#ifndef OPENSSL_NO_QLOG
    ch->use_qlog = args->use_qlog;

    if (ch->use_qlog && args->qlog_title != NULL) {
        if ((ch->qlog_title = OPENSSL_strdup(args->qlog_title)) == NULL) {
            OPENSSL_free(ch);
            return NULL;
        }
    }
#endif

    return ch;
}

void ossl_quic_channel_free(QUIC_CHANNEL *ch)
{
    if (ch == NULL)
        return;

    ch_cleanup(ch);
    OPENSSL_free(ch);
}

/* Set mutator callbacks for test framework support */
int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch,
    ossl_mutate_packet_cb mutatecb,
    ossl_finish_mutate_cb finishmutatecb,
    void *mutatearg)
{
    if (ch->qtx == NULL)
        return 0;

    ossl_qtx_set_mutator(ch->qtx, mutatecb, finishmutatecb, mutatearg);
    return 1;
}

int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr)
{
    if (!ch->addressed_mode)
        return 0;

    return BIO_ADDR_copy(peer_addr, &ch->cur_peer_addr);
}

int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr)
{
    if (ch->state != QUIC_CHANNEL_STATE_IDLE)
        return 0;

    if (peer_addr == NULL || BIO_ADDR_family(peer_addr) == AF_UNSPEC) {
        BIO_ADDR_clear(&ch->cur_peer_addr);
        ch->addressed_mode = 0;
        return 1;
    }

    if (!BIO_ADDR_copy(&ch->cur_peer_addr, peer_addr)) {
        ch->addressed_mode = 0;
        return 0;
    }
    ch->addressed_mode = 1;

    return 1;
}

QUIC_REACTOR *ossl_quic_channel_get_reactor(QUIC_CHANNEL *ch)
{
    return ossl_quic_port_get0_reactor(ch->port);
}

QUIC_STREAM_MAP *ossl_quic_channel_get_qsm(QUIC_CHANNEL *ch)
{
    return &ch->qsm;
}

OSSL_STATM *ossl_quic_channel_get_statm(QUIC_CHANNEL *ch)
{
    return &ch->statm;
}

SSL *ossl_quic_channel_get0_tls(QUIC_CHANNEL *ch)
{
    return ch->tls;
}

void ossl_quic_channel_set0_tls(QUIC_CHANNEL *ch, SSL *ssl)
{
    SSL_free(ch->tls);
    ch->tls = ssl;
#ifndef OPENSSL_NO_QLOG
    /*
     * If we're using qlog, make sure the tls gets further configured properly
     */
    ch->use_qlog = 1;
    if (ch->tls->ctx->qlog_title != NULL) {
        OPENSSL_free(ch->qlog_title);
        ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title);
    }
#endif
}

static void free_buf_mem(unsigned char *buf, size_t buf_len, void *arg)
{
    BUF_MEM_free((BUF_MEM *)arg);
}

int ossl_quic_channel_schedule_new_token(QUIC_CHANNEL *ch,
    const unsigned char *token,
    size_t token_len)
{
    int rc = 0;
    QUIC_CFQ_ITEM *cfq_item;
    WPACKET wpkt;
    BUF_MEM *buf_mem = NULL;
    size_t l = 0;

    buf_mem = BUF_MEM_new();
    if (buf_mem == NULL)
        goto err;

    if (!WPACKET_init(&wpkt, buf_mem))
        goto err;

    if (!ossl_quic_wire_encode_frame_new_token(&wpkt, token,
            token_len)) {
        WPACKET_cleanup(&wpkt);
        goto err;
    }

    WPACKET_finish(&wpkt);

    if (!WPACKET_get_total_written(&wpkt, &l))
        goto err;

    cfq_item = ossl_quic_cfq_add_frame(ch->cfq, 1,
        QUIC_PN_SPACE_APP,
        OSSL_QUIC_FRAME_TYPE_NEW_TOKEN, 0,
        (unsigned char *)buf_mem->data, l,
        free_buf_mem,
        buf_mem);
    if (cfq_item == NULL)
        goto err;

    rc = 1;
err:
    if (!rc)
        BUF_MEM_free(buf_mem);
    return rc;
}

size_t ossl_quic_channel_get_short_header_conn_id_len(QUIC_CHANNEL *ch)
{
    return ossl_quic_port_get_rx_short_dcid_len(ch->port);
}

QUIC_STREAM *ossl_quic_channel_get_stream_by_id(QUIC_CHANNEL *ch,
    uint64_t stream_id)
{
    return ossl_quic_stream_map_get_by_id(&ch->qsm, stream_id);
}

int ossl_quic_channel_is_active(const QUIC_CHANNEL *ch)
{
    return ch != NULL && ch->state == QUIC_CHANNEL_STATE_ACTIVE;
}

int ossl_quic_channel_is_closing(const QUIC_CHANNEL *ch)
{
    return ch->state == QUIC_CHANNEL_STATE_TERMINATING_CLOSING;
}

static int ossl_quic_channel_is_draining(const QUIC_CHANNEL *ch)
{
    return ch->state == QUIC_CHANNEL_STATE_TERMINATING_DRAINING;
}

static int ossl_quic_channel_is_terminating(const QUIC_CHANNEL *ch)
{
    return ossl_quic_channel_is_closing(ch)
        || ossl_quic_channel_is_draining(ch);
}

int ossl_quic_channel_is_terminated(const QUIC_CHANNEL *ch)
{
    return ch->state == QUIC_CHANNEL_STATE_TERMINATED;
}

int ossl_quic_channel_is_term_any(const QUIC_CHANNEL *ch)
{
    return ossl_quic_channel_is_terminating(ch)
        || ossl_quic_channel_is_terminated(ch);
}

int ossl_quic_channel_is_server(const QUIC_CHANNEL *ch)
{
    return ch->is_server;
}

void ossl_quic_channel_notify_flush_done(QUIC_CHANNEL *ch)
{
    ch_record_state_transition(ch, ch->terminate_cause.remote ? QUIC_CHANNEL_STATE_TERMINATING_DRAINING : QUIC_CHANNEL_STATE_TERMINATING_CLOSING);
    /*
     * RFC 9000 s. 10.2 Immediate Close
     *  These states SHOULD persist for at least three times
     *  the current PTO interval as defined in [QUIC-RECOVERY].
     */
    ch->terminate_deadline
        = ossl_time_add(get_time(ch),
            ossl_time_multiply(ossl_ackm_get_pto_duration(ch->ackm), 3));
    if (!ch->terminate_cause.remote) {
        OSSL_QUIC_FRAME_CONN_CLOSE f = { 0 };

        /* best effort */
        f.error_code = ch->terminate_cause.error_code;
        f.frame_type = ch->terminate_cause.frame_type;
        f.is_app = ch->terminate_cause.app;
        f.reason = (char *)ch->terminate_cause.reason;
        f.reason_len = ch->terminate_cause.reason_len;
        ossl_quic_tx_packetiser_schedule_conn_close(ch->txp, &f);
        /*
         * RFC 9000 s. 10.2.2 Draining Connection State:
         *  An endpoint that receives a CONNECTION_CLOSE frame MAY
         *  send a single packet containing a CONNECTION_CLOSE
         *  frame before entering the draining state, using a
         *  NO_ERROR code if appropriate
         */
        ch->conn_close_queued = 1;
    }
}

const QUIC_TERMINATE_CAUSE *
ossl_quic_channel_get_terminate_cause(const QUIC_CHANNEL *ch)
{
    return ossl_quic_channel_is_term_any(ch) ? &ch->terminate_cause : NULL;
}

int ossl_quic_channel_is_handshake_complete(const QUIC_CHANNEL *ch)
{
    return ch->handshake_complete;
}

int ossl_quic_channel_is_handshake_confirmed(const QUIC_CHANNEL *ch)
{
    return ch->handshake_confirmed;
}

QUIC_DEMUX *ossl_quic_channel_get0_demux(QUIC_CHANNEL *ch)
{
    return ch->port->demux;
}

QUIC_PORT *ossl_quic_channel_get0_port(QUIC_CHANNEL *ch)
{
    return ch->port;
}

QUIC_ENGINE *ossl_quic_channel_get0_engine(QUIC_CHANNEL *ch)
{
    return ossl_quic_port_get0_engine(ch->port);
}

CRYPTO_MUTEX *ossl_quic_channel_get_mutex(QUIC_CHANNEL *ch)
{
    return ossl_quic_port_get0_mutex(ch->port);
}

int ossl_quic_channel_has_pending(const QUIC_CHANNEL *ch)
{
    return ossl_quic_demux_has_pending(ch->port->demux)
        || ossl_qrx_processed_read_pending(ch->qrx);
}

/*
 * QUIC Channel: Callbacks from Miscellaneous Subsidiary Components
 * ================================================================
 */

/* Used by various components. */
static OSSL_TIME get_time(void *arg)
{
    QUIC_CHANNEL *ch = arg;

    return ossl_quic_port_get_time(ch->port);
}

/* Used by QSM. */
static uint64_t get_stream_limit(int uni, void *arg)
{
    QUIC_CHANNEL *ch = arg;

    return uni ? ch->max_local_streams_uni : ch->max_local_streams_bidi;
}

/*
 * Called by QRX to determine if a packet is potentially invalid before trying
 * to decrypt it.
 */
static int rx_late_validate(QUIC_PN pn, int pn_space, void *arg)
{
    QUIC_CHANNEL *ch = arg;

    /* Potential duplicates should not be processed. */
    if (!ossl_ackm_is_rx_pn_processable(ch->ackm, pn, pn_space))
        return 0;

    return 1;
}

/*
 * Triggers a TXKU (whether spontaneous or solicited). Does not check whether
 * spontaneous TXKU is currently allowed.
 */
QUIC_NEEDS_LOCK
static void ch_trigger_txku(QUIC_CHANNEL *ch)
{
    uint64_t next_pn
        = ossl_quic_tx_packetiser_get_next_pn(ch->txp, QUIC_PN_SPACE_APP);

    if (!ossl_quic_pn_valid(next_pn)
        || !ossl_qtx_trigger_key_update(ch->qtx)) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
            "key update");
        return;
    }

    ch->txku_in_progress = 1;
    ch->txku_pn = next_pn;
    ch->rxku_expected = ch->ku_locally_initiated;
}

QUIC_NEEDS_LOCK
static int txku_in_progress(QUIC_CHANNEL *ch)
{
    if (ch->txku_in_progress
        && ossl_ackm_get_largest_acked(ch->ackm, QUIC_PN_SPACE_APP) >= ch->txku_pn) {
        OSSL_TIME pto = ossl_ackm_get_pto_duration(ch->ackm);

        /*
         * RFC 9001 s. 6.5: Endpoints SHOULD wait three times the PTO before
         * initiating a key update after receiving an acknowledgment that
         * confirms that the previous key update was received.
         *
         * Note that by the above wording, this period starts from when we get
         * the ack for a TXKU-triggering packet, not when the TXKU is initiated.
         * So we defer TXKU cooldown deadline calculation to this point.
         */
        ch->txku_in_progress = 0;
        ch->txku_cooldown_deadline = ossl_time_add(get_time(ch),
            ossl_time_multiply(pto, 3));
    }

    return ch->txku_in_progress;
}

QUIC_NEEDS_LOCK
static int txku_allowed(QUIC_CHANNEL *ch)
{
    return ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT /* Sanity check. */
        /* Strict RFC 9001 criterion for TXKU. */
        && ch->handshake_confirmed
        && !txku_in_progress(ch);
}

QUIC_NEEDS_LOCK
static int txku_recommendable(QUIC_CHANNEL *ch)
{
    if (!txku_allowed(ch))
        return 0;

    return
        /* Recommended RFC 9001 criterion for TXKU. */
        ossl_time_compare(get_time(ch), ch->txku_cooldown_deadline) >= 0
        /* Some additional sensible criteria. */
        && !ch->rxku_in_progress
        && !ch->rxku_pending_confirm;
}

QUIC_NEEDS_LOCK
static int txku_desirable(QUIC_CHANNEL *ch)
{
    uint64_t cur_pkt_count, max_pkt_count, thresh_pkt_count;
    const uint32_t enc_level = QUIC_ENC_LEVEL_1RTT;

    /* Check AEAD limit to determine if we should perform a spontaneous TXKU. */
    cur_pkt_count = ossl_qtx_get_cur_epoch_pkt_count(ch->qtx, enc_level);
    max_pkt_count = ossl_qtx_get_max_epoch_pkt_count(ch->qtx, enc_level);

    thresh_pkt_count = max_pkt_count / 2;
    if (ch->txku_threshold_override != UINT64_MAX)
        thresh_pkt_count = ch->txku_threshold_override;

    return cur_pkt_count >= thresh_pkt_count;
}

QUIC_NEEDS_LOCK
static void ch_maybe_trigger_spontaneous_txku(QUIC_CHANNEL *ch)
{
    if (!txku_recommendable(ch) || !txku_desirable(ch))
        return;

    ch->ku_locally_initiated = 1;
    ch_trigger_txku(ch);
}

QUIC_NEEDS_LOCK
static int rxku_allowed(QUIC_CHANNEL *ch)
{
    /*
     * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a key update prior to
     * having confirmed the handshake (Section 4.1.2).
     *
     * RFC 9001 s. 6.1: An endpoint MUST NOT initiate a subsequent key update
     * unless it has received an acknowledgment for a packet that was sent
     * protected with keys from the current key phase.
     *
     * RFC 9001 s. 6.2: If an endpoint detects a second update before it has
     * sent any packets with updated keys containing an acknowledgment for the
     * packet that initiated the key update, it indicates that its peer has
     * updated keys twice without awaiting confirmation. An endpoint MAY treat
     * such consecutive key updates as a connection error of type
     * KEY_UPDATE_ERROR.
     */
    return ch->handshake_confirmed && !ch->rxku_pending_confirm;
}

/*
 * Called when the QRX detects a new RX key update event.
 */
enum rxku_decision {
    DECISION_RXKU_ONLY,
    DECISION_PROTOCOL_VIOLATION,
    DECISION_SOLICITED_TXKU
};

/* Called when the QRX detects a key update has occurred. */
QUIC_NEEDS_LOCK
static void rxku_detected(QUIC_PN pn, void *arg)
{
    QUIC_CHANNEL *ch = arg;
    enum rxku_decision decision;
    OSSL_TIME pto;

    /*
     * Note: rxku_in_progress is always 0 here as an RXKU cannot be detected
     * when we are still in UPDATING or COOLDOWN (see quic_record_rx.h).
     */
    assert(!ch->rxku_in_progress);

    if (!rxku_allowed(ch))
        /* Is RXKU even allowed at this time? */
        decision = DECISION_PROTOCOL_VIOLATION;

    else if (ch->ku_locally_initiated)
        /*
         * If this key update was locally initiated (meaning that this detected
         * RXKU event is a result of our own spontaneous TXKU), we do not
         * trigger another TXKU; after all, to do so would result in an infinite
         * ping-pong of key updates. We still process it as an RXKU.
         */
        decision = DECISION_RXKU_ONLY;

    else
        /*
         * Otherwise, a peer triggering a KU means we have to trigger a KU also.
         */
        decision = DECISION_SOLICITED_TXKU;

    if (decision == DECISION_PROTOCOL_VIOLATION) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
            0, "RX key update again too soon");
        return;
    }

    pto = ossl_ackm_get_pto_duration(ch->ackm);

    ch->ku_locally_initiated = 0;
    ch->rxku_in_progress = 1;
    ch->rxku_pending_confirm = 1;
    ch->rxku_trigger_pn = pn;
    ch->rxku_update_end_deadline = ossl_time_add(get_time(ch), pto);
    ch->rxku_expected = 0;

    if (decision == DECISION_SOLICITED_TXKU)
        /* NOT gated by usual txku_allowed() */
        ch_trigger_txku(ch);

    /*
     * Ordinarily, we only generate ACK when some ACK-eliciting frame has been
     * received. In some cases, this may not occur for a long time, for example
     * if transmission of application data is going in only one direction and
     * nothing else is happening with the connection. However, since the peer
     * cannot initiate a subsequent (spontaneous) TXKU until its prior
     * (spontaneous or solicited) TXKU has completed - meaning that prior
     * TXKU's trigger packet (or subsequent packet) has been acknowledged, this
     * can lead to very long times before a TXKU is considered 'completed'.
     * Optimise this by forcing ACK generation after triggering TXKU.
     * (Basically, we consider a RXKU event something that is 'ACK-eliciting',
     * which it more or less should be; it is necessarily separate from ordinary
     * processing of ACK-eliciting frames as key update is not indicated via a
     * frame.)
     */
    ossl_quic_tx_packetiser_schedule_ack(ch->txp, QUIC_PN_SPACE_APP);
}

/* Called per tick to handle RXKU timer events. */
QUIC_NEEDS_LOCK
static void ch_rxku_tick(QUIC_CHANNEL *ch)
{
    if (!ch->rxku_in_progress
        || ossl_time_compare(get_time(ch), ch->rxku_update_end_deadline) < 0)
        return;

    ch->rxku_update_end_deadline = ossl_time_infinite();
    ch->rxku_in_progress = 0;

    if (!ossl_qrx_key_update_timeout(ch->qrx, /*normal=*/1))
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
            "RXKU cooldown internal error");
}

QUIC_NEEDS_LOCK
static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space,
    void *arg)
{
    QUIC_CHANNEL *ch = arg;

    if (pn_space != QUIC_PN_SPACE_APP || !ch->rxku_pending_confirm
        || !ossl_quic_frame_ack_contains_pn(ack, ch->rxku_trigger_pn))
        return;

    /*
     * Defer clearing rxku_pending_confirm until TXP generate call returns
     * successfully.
     */
    ch->rxku_pending_confirm_done = 1;
}

/*
 * QUIC Channel: Handshake Layer Event Handling
 * ============================================
 */
static int ch_on_crypto_send(const unsigned char *buf, size_t buf_len,
    size_t *consumed, void *arg)
{
    int ret;
    QUIC_CHANNEL *ch = arg;
    uint32_t enc_level = ch->tx_enc_level;
    uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);
    QUIC_SSTREAM *sstream = ch->crypto_send[pn_space];

    if (!ossl_assert(sstream != NULL))
        return 0;

    ret = ossl_quic_sstream_append(sstream, buf, buf_len, consumed);
    return ret;
}

static int crypto_ensure_empty(QUIC_RSTREAM *rstream)
{
    size_t avail = 0;
    int is_fin = 0;

    if (rstream == NULL)
        return 1;

    if (!ossl_quic_rstream_available(rstream, &avail, &is_fin))
        return 0;

    return avail == 0;
}

static int ch_on_crypto_recv_record(const unsigned char **buf,
    size_t *bytes_read, void *arg)
{
    QUIC_CHANNEL *ch = arg;
    QUIC_RSTREAM *rstream;
    int is_fin = 0; /* crypto stream is never finished, so we don't use this */
    uint32_t i;

    /*
     * After we move to a later EL we must not allow our peer to send any new
     * bytes in the crypto stream on a previous EL. Retransmissions of old bytes
     * are allowed.
     *
     * In practice we will only move to a new EL when we have consumed all bytes
     * which should be sent on the crypto stream at a previous EL. For example,
     * the Handshake EL should not be provisioned until we have completely
     * consumed a TLS 1.3 ServerHello. Thus when we provision an EL the output
     * of ossl_quic_rstream_available() should be 0 for all lower ELs. Thus if a
     * given EL is available we simply ensure we have not received any further
     * bytes at a lower EL.
     */
    for (i = QUIC_ENC_LEVEL_INITIAL; i < ch->rx_enc_level; ++i)
        if (i != QUIC_ENC_LEVEL_0RTT && !crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
            /* Protocol violation (RFC 9001 s. 4.1.3) */
            ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
                OSSL_QUIC_FRAME_TYPE_CRYPTO,
                "crypto stream data in wrong EL");
            return 0;
        }

    rstream = ch->crypto_recv[ossl_quic_enc_level_to_pn_space(ch->rx_enc_level)];
    if (rstream == NULL)
        return 0;

    return ossl_quic_rstream_get_record(rstream, buf, bytes_read,
        &is_fin);
}

static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
{
    QUIC_CHANNEL *ch = arg;
    QUIC_RSTREAM *rstream;
    OSSL_RTT_INFO rtt_info;
    uint32_t rx_pn_space = ossl_quic_enc_level_to_pn_space(ch->rx_enc_level);

    rstream = ch->crypto_recv[rx_pn_space];
    if (rstream == NULL)
        return 0;

    ossl_statm_get_rtt_info(ossl_quic_channel_get_statm(ch), &rtt_info);
    if (!ossl_quic_rxfc_on_retire(&ch->crypto_rxfc[rx_pn_space], bytes_read,
            rtt_info.smoothed_rtt))
        return 0;

    return ossl_quic_rstream_release_record(rstream, bytes_read);
}

static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
    uint32_t suite_id, EVP_MD *md,
    const unsigned char *secret,
    size_t secret_len,
    void *arg)
{
    QUIC_CHANNEL *ch = arg;
    uint32_t i;
    uint32_t enc_level;

    /* Convert TLS protection level to QUIC encryption level */
    switch (prot_level) {
    case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
        enc_level = QUIC_ENC_LEVEL_0RTT;
        break;

    case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
        enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
        break;

    case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
        enc_level = QUIC_ENC_LEVEL_1RTT;
        break;

    default:
        return 0;
    }

    if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
        /* Invalid EL. */
        return 0;

    if (direction) {
        /* TX */
        if (enc_level <= ch->tx_enc_level)
            /*
             * Does not make sense for us to try and provision an EL we have already
             * attained.
             */
            return 0;

        if (!ossl_qtx_provide_secret(ch->qtx, enc_level,
                suite_id, md,
                secret, secret_len))
            return 0;

        ch->tx_enc_level = enc_level;
    } else {
        /* RX */
        if (enc_level <= ch->rx_enc_level)
            /*
             * Does not make sense for us to try and provision an EL we have already
             * attained.
             */
            return 0;

        /*
         * Ensure all crypto streams for previous ELs are now empty of available
         * data.
         */
        for (i = QUIC_ENC_LEVEL_INITIAL; i < enc_level; ++i)
            if (!crypto_ensure_empty(ch->crypto_recv[ossl_quic_enc_level_to_pn_space(i)])) {
                /* Protocol violation (RFC 9001 s. 4.1.3) */
                ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
                    OSSL_QUIC_FRAME_TYPE_CRYPTO,
                    "crypto stream data in wrong EL");
                return 0;
            }

        if (!ossl_qrx_provide_secret(ch->qrx, enc_level,
                suite_id, md,
                secret, secret_len))
            return 0;

        ch->have_new_rx_secret = 1;
        ch->rx_enc_level = enc_level;
    }

    return 1;
}

static int ch_on_handshake_complete(void *arg)
{
    QUIC_CHANNEL *ch = arg;

    if (!ossl_assert(!ch->handshake_complete))
        return 0; /* this should not happen twice */

    if (!ossl_assert(ch->tx_enc_level == QUIC_ENC_LEVEL_1RTT))
        return 0;

    /*
     * When handshake is complete, we no longer need to abide by the
     * 3x amplification limit, though we should be validated as soon
     * as we see a handshake key encrypted packet (see ossl_quic_handle_packet)
     */
    ossl_quic_tx_packetiser_set_validated(ch->txp);

    if (!ch->got_remote_transport_params) {
        /*
         * Was not a valid QUIC handshake if we did not get valid transport
         * params.
         */
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_CRYPTO_MISSING_EXT,
            OSSL_QUIC_FRAME_TYPE_CRYPTO,
            "no transport parameters received");
        return 0;
    }

    /* Don't need transport parameters anymore. */
    OPENSSL_free(ch->local_transport_params);
    ch->local_transport_params = NULL;

    /* Tell the QRX it can now process 1-RTT packets. */
    ossl_qrx_allow_1rtt_processing(ch->qrx);

    /* Tell TXP the handshake is complete. */
    ossl_quic_tx_packetiser_notify_handshake_complete(ch->txp);

    ch->handshake_complete = 1;

    if (ch->pending_new_token != NULL) {
        /*
         * Note this is a best effort operation here
         * If scheduling a new token fails, the worst outcome is that
         * a client, not having received it, will just have to go through
         * an extra roundtrip on a subsequent connection via the retry frame
         * path, at which point we get another opportunity to schedule another
         * new token.  As a result, we don't need to handle any errors here
         */
        ossl_quic_channel_schedule_new_token(ch,
            ch->pending_new_token,
            ch->pending_new_token_len);
        OPENSSL_free(ch->pending_new_token);
        ch->pending_new_token = NULL;
        ch->pending_new_token_len = 0;
    }

    if (ch->is_server) {
        /*
         * On the server, the handshake is confirmed as soon as it is complete.
         */
        ossl_quic_channel_on_handshake_confirmed(ch);

        ossl_quic_tx_packetiser_schedule_handshake_done(ch->txp);
    }

    ch_record_state_transition(ch, ch->state);
    return 1;
}

static int ch_on_handshake_alert(void *arg, unsigned char alert_code)
{
    QUIC_CHANNEL *ch = arg;

    /*
     * RFC 9001 s. 4.4: More specifically, servers MUST NOT send post-handshake
     * TLS CertificateRequest messages, and clients MUST treat receipt of such
     * messages as a connection error of type PROTOCOL_VIOLATION.
     */
    if (alert_code == SSL_AD_UNEXPECTED_MESSAGE
        && ch->handshake_complete
        && ossl_quic_tls_is_cert_request(ch->qtls))
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
            0,
            "Post-handshake TLS "
            "CertificateRequest received");
    /*
     * RFC 9001 s. 4.6.1: Servers MUST NOT send the early_data extension with a
     * max_early_data_size field set to any value other than 0xffffffff. A
     * client MUST treat receipt of a NewSessionTicket that contains an
     * early_data extension with any other value as a connection error of type
     * PROTOCOL_VIOLATION.
     */
    else if (alert_code == SSL_AD_ILLEGAL_PARAMETER
        && ch->handshake_complete
        && ossl_quic_tls_has_bad_max_early_data(ch->qtls))
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
            0,
            "Bad max_early_data received");
    else
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN
                + alert_code,
            0, "handshake alert");

    return 1;
}

/*
 * QUIC Channel: Transport Parameter Handling
 * ==========================================
 */

/*
 * Called by handshake layer when we receive QUIC Transport Parameters from the
 * peer. Note that these are not authenticated until the handshake is marked
 * as complete.
 */
#define TP_REASON_SERVER_ONLY(x) \
    x " may not be sent by a client"
#define TP_REASON_DUP(x) \
    x " appears multiple times"
#define TP_REASON_MALFORMED(x) \
    x " is malformed"
#define TP_REASON_EXPECTED_VALUE(x) \
    x " does not match expected value"
#define TP_REASON_NOT_RETRY(x) \
    x " sent when not performing a retry"
#define TP_REASON_REQUIRED(x) \
    x " was not sent but is required"
#define TP_REASON_INTERNAL_ERROR(x) \
    x " encountered internal error"

static void txfc_bump_cwm_bidi(QUIC_STREAM *s, void *arg)
{
    if (!ossl_quic_stream_is_bidi(s)
        || ossl_quic_stream_is_server_init(s))
        return;

    ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
}

static void txfc_bump_cwm_uni(QUIC_STREAM *s, void *arg)
{
    if (ossl_quic_stream_is_bidi(s)
        || ossl_quic_stream_is_server_init(s))
        return;

    ossl_quic_txfc_bump_cwm(&s->txfc, *(uint64_t *)arg);
}

static void do_update(QUIC_STREAM *s, void *arg)
{
    QUIC_CHANNEL *ch = arg;

    ossl_quic_stream_map_update_state(&ch->qsm, s);
}

static uint64_t min_u64_ignore_0(uint64_t a, uint64_t b)
{
    if (a == 0)
        return b;
    if (b == 0)
        return a;

    return a < b ? a : b;
}

static int ch_on_transport_params(const unsigned char *params,
    size_t params_len,
    void *arg)
{
    QUIC_CHANNEL *ch = arg;
    PACKET pkt;
    uint64_t id, v;
    size_t len;
    const unsigned char *body;
    int got_orig_dcid = 0;
    int got_initial_scid = 0;
    int got_retry_scid = 0;
    int got_initial_max_data = 0;
    int got_initial_max_stream_data_bidi_local = 0;
    int got_initial_max_stream_data_bidi_remote = 0;
    int got_initial_max_stream_data_uni = 0;
    int got_initial_max_streams_bidi = 0;
    int got_initial_max_streams_uni = 0;
    int got_stateless_reset_token = 0;
    int got_preferred_addr = 0;
    int got_ack_delay_exp = 0;
    int got_max_ack_delay = 0;
    int got_max_udp_payload_size = 0;
    int got_max_idle_timeout = 0;
    int got_active_conn_id_limit = 0;
    int got_disable_active_migration = 0;
    QUIC_CONN_ID cid;
    const char *reason = "bad transport parameter";
    ossl_unused uint64_t rx_max_idle_timeout = 0;
    ossl_unused const void *stateless_reset_token_p = NULL;
    QUIC_PREFERRED_ADDR pfa;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ch->tls);

    if (sc == NULL) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
            "could not get ssl connection");
        return 0;
    }
    /*
     * When HRR happens the client sends the transport params in the new client
     * hello again. Reset the transport params here and load them again.
     */
    if (ch->is_server && sc->hello_retry_request != SSL_HRR_NONE
        && ch->got_remote_transport_params) {
        ch->max_local_streams_bidi = 0;
        ch->max_local_streams_uni = 0;
        ch->got_local_transport_params = 0;
        OPENSSL_free(ch->local_transport_params);
        ch->local_transport_params = NULL;
    } else if (ch->got_remote_transport_params) {
        reason = "multiple transport parameter extensions";
        goto malformed;
    }

    if (!PACKET_buf_init(&pkt, params, params_len)) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
            "internal error (packet buf init)");
        return 0;
    }

    while (PACKET_remaining(&pkt) > 0) {
        if (!ossl_quic_wire_peek_transport_param(&pkt, &id))
            goto malformed;

        switch (id) {
        case QUIC_TPARAM_ORIG_DCID:
            if (got_orig_dcid) {
                reason = TP_REASON_DUP("ORIG_DCID");
                goto malformed;
            }

            if (ch->is_server) {
                reason = TP_REASON_SERVER_ONLY("ORIG_DCID");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
                reason = TP_REASON_MALFORMED("ORIG_DCID");
                goto malformed;
            }

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
            /* Must match our initial DCID. */
            if (!ossl_quic_conn_id_eq(&ch->init_dcid, &cid)) {
                reason = TP_REASON_EXPECTED_VALUE("ORIG_DCID");
                goto malformed;
            }
#endif

            got_orig_dcid = 1;
            break;

        case QUIC_TPARAM_RETRY_SCID:
            if (ch->is_server) {
                reason = TP_REASON_SERVER_ONLY("RETRY_SCID");
                goto malformed;
            }

            if (got_retry_scid) {
                reason = TP_REASON_DUP("RETRY_SCID");
                goto malformed;
            }

            if (!ch->doing_retry) {
                reason = TP_REASON_NOT_RETRY("RETRY_SCID");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
                reason = TP_REASON_MALFORMED("RETRY_SCID");
                goto malformed;
            }

            /* Must match Retry packet SCID. */
            if (!ossl_quic_conn_id_eq(&ch->retry_scid, &cid)) {
                reason = TP_REASON_EXPECTED_VALUE("RETRY_SCID");
                goto malformed;
            }

            got_retry_scid = 1;
            break;

        case QUIC_TPARAM_INITIAL_SCID:
            if (got_initial_scid) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_SCID");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_cid(&pkt, NULL, &cid)) {
                reason = TP_REASON_MALFORMED("INITIAL_SCID");
                goto malformed;
            }

            if (!ossl_quic_conn_id_eq(&ch->init_scid, &cid)) {
                reason = TP_REASON_EXPECTED_VALUE("INITIAL_SCID");
                goto malformed;
            }

            got_initial_scid = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_DATA:
            if (got_initial_max_data) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_DATA");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_DATA");
                goto malformed;
            }

            ossl_quic_txfc_bump_cwm(&ch->conn_txfc, v);
            got_initial_max_data = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
            if (got_initial_max_stream_data_bidi_local) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_LOCAL");
                goto malformed;
            }

            /*
             * This is correct; the BIDI_LOCAL TP governs streams created by
             * the endpoint which sends the TP, i.e., our peer.
             */
            ch->rx_init_max_stream_data_bidi_remote = v;
            got_initial_max_stream_data_bidi_local = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
            if (got_initial_max_stream_data_bidi_remote) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_BIDI_REMOTE");
                goto malformed;
            }

            /*
             * This is correct; the BIDI_REMOTE TP governs streams created
             * by the endpoint which receives the TP, i.e., us.
             */
            ch->rx_init_max_stream_data_bidi_local = v;

            /* Apply to all existing streams. */
            ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_bidi, &v);
            got_initial_max_stream_data_bidi_remote = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI:
            if (got_initial_max_stream_data_uni) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_STREAM_DATA_UNI");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAM_DATA_UNI");
                goto malformed;
            }

            ch->rx_init_max_stream_data_uni = v;

            /* Apply to all existing streams. */
            ossl_quic_stream_map_visit(&ch->qsm, txfc_bump_cwm_uni, &v);
            got_initial_max_stream_data_uni = 1;
            break;

        case QUIC_TPARAM_ACK_DELAY_EXP:
            if (got_ack_delay_exp) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("ACK_DELAY_EXP");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v > QUIC_MAX_ACK_DELAY_EXP) {
                reason = TP_REASON_MALFORMED("ACK_DELAY_EXP");
                goto malformed;
            }

            ch->rx_ack_delay_exp = (unsigned char)v;
            got_ack_delay_exp = 1;
            break;

        case QUIC_TPARAM_MAX_ACK_DELAY:
            if (got_max_ack_delay) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("MAX_ACK_DELAY");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v >= (((uint64_t)1) << 14)) {
                reason = TP_REASON_MALFORMED("MAX_ACK_DELAY");
                goto malformed;
            }

            ch->rx_max_ack_delay = v;
            ossl_ackm_set_rx_max_ack_delay(ch->ackm,
                ossl_ms2time(ch->rx_max_ack_delay));

            got_max_ack_delay = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI:
            if (got_initial_max_streams_bidi) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_BIDI");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v > (((uint64_t)1) << 60)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_BIDI");
                goto malformed;
            }

            assert(ch->max_local_streams_bidi == 0);
            ch->max_local_streams_bidi = v;
            got_initial_max_streams_bidi = 1;
            break;

        case QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI:
            if (got_initial_max_streams_uni) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("INITIAL_MAX_STREAMS_UNI");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v > (((uint64_t)1) << 60)) {
                reason = TP_REASON_MALFORMED("INITIAL_MAX_STREAMS_UNI");
                goto malformed;
            }

            assert(ch->max_local_streams_uni == 0);
            ch->max_local_streams_uni = v;
            got_initial_max_streams_uni = 1;
            break;

        case QUIC_TPARAM_MAX_IDLE_TIMEOUT:
            if (got_max_idle_timeout) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("MAX_IDLE_TIMEOUT");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)) {
                reason = TP_REASON_MALFORMED("MAX_IDLE_TIMEOUT");
                goto malformed;
            }

            ch->max_idle_timeout_remote_req = v;

            ch->max_idle_timeout = min_u64_ignore_0(ch->max_idle_timeout_local_req,
                ch->max_idle_timeout_remote_req);

            ch_update_idle(ch);
            got_max_idle_timeout = 1;
            rx_max_idle_timeout = v;
            break;

        case QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE:
            if (got_max_udp_payload_size) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("MAX_UDP_PAYLOAD_SIZE");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v < QUIC_MIN_INITIAL_DGRAM_LEN) {
                reason = TP_REASON_MALFORMED("MAX_UDP_PAYLOAD_SIZE");
                goto malformed;
            }

            ch->rx_max_udp_payload_size = v;
            got_max_udp_payload_size = 1;
            break;

        case QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT:
            if (got_active_conn_id_limit) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("ACTIVE_CONN_ID_LIMIT");
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_int(&pkt, &id, &v)
                || v < QUIC_MIN_ACTIVE_CONN_ID_LIMIT) {
                reason = TP_REASON_MALFORMED("ACTIVE_CONN_ID_LIMIT");
                goto malformed;
            }

            ch->rx_active_conn_id_limit = v;
            got_active_conn_id_limit = 1;
            break;

        case QUIC_TPARAM_STATELESS_RESET_TOKEN:
            if (got_stateless_reset_token) {
                reason = TP_REASON_DUP("STATELESS_RESET_TOKEN");
                goto malformed;
            }

            /*
             * RFC 9000 s. 18.2: This transport parameter MUST NOT be sent
             * by a client but MAY be sent by a server.
             */
            if (ch->is_server) {
                reason = TP_REASON_SERVER_ONLY("STATELESS_RESET_TOKEN");
                goto malformed;
            }

            body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
            if (body == NULL || len != QUIC_STATELESS_RESET_TOKEN_LEN) {
                reason = TP_REASON_MALFORMED("STATELESS_RESET_TOKEN");
                goto malformed;
            }
            if (!ossl_quic_srtm_add(ch->srtm, ch, ch->cur_remote_seq_num,
                    (const QUIC_STATELESS_RESET_TOKEN *)body)) {
                reason = TP_REASON_INTERNAL_ERROR("STATELESS_RESET_TOKEN");
                goto malformed;
            }

            stateless_reset_token_p = body;
            got_stateless_reset_token = 1;
            break;

        case QUIC_TPARAM_PREFERRED_ADDR:
            /* TODO(QUIC FUTURE): Handle preferred address. */
            if (got_preferred_addr) {
                reason = TP_REASON_DUP("PREFERRED_ADDR");
                goto malformed;
            }

            /*
             * RFC 9000 s. 18.2: "A server that chooses a zero-length
             * connection ID MUST NOT provide a preferred address.
             * Similarly, a server MUST NOT include a zero-length connection
             * ID in this transport parameter. A client MUST treat a
             * violation of these requirements as a connection error of type
             * TRANSPORT_PARAMETER_ERROR."
             */
            if (ch->is_server) {
                reason = TP_REASON_SERVER_ONLY("PREFERRED_ADDR");
                goto malformed;
            }

            if (ch->cur_remote_dcid.id_len == 0) {
                reason = "PREFERRED_ADDR provided for zero-length CID";
                goto malformed;
            }

            if (!ossl_quic_wire_decode_transport_param_preferred_addr(&pkt, &pfa)) {
                reason = TP_REASON_MALFORMED("PREFERRED_ADDR");
                goto malformed;
            }

            if (pfa.cid.id_len == 0) {
                reason = "zero-length CID in PREFERRED_ADDR";
                goto malformed;
            }

            got_preferred_addr = 1;
            break;

        case QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION:
            /* We do not currently handle migration, so nothing to do. */
            if (got_disable_active_migration) {
                /* must not appear more than once */
                reason = TP_REASON_DUP("DISABLE_ACTIVE_MIGRATION");
                goto malformed;
            }

            body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id, &len);
            if (body == NULL || len > 0) {
                reason = TP_REASON_MALFORMED("DISABLE_ACTIVE_MIGRATION");
                goto malformed;
            }

            got_disable_active_migration = 1;
            break;

        default:
            /*
             * Skip over and ignore.
             *
             * RFC 9000 s. 7.4: We SHOULD treat duplicated transport parameters
             * as a connection error, but we are not required to. Currently,
             * handle this programmatically by checking for duplicates in the
             * parameters that we recognise, as above, but don't bother
             * maintaining a list of duplicates for anything we don't recognise.
             */
            body = ossl_quic_wire_decode_transport_param_bytes(&pkt, &id,
                &len);
            if (body == NULL)
                goto malformed;

            break;
        }
    }

    if (!got_initial_scid) {
        reason = TP_REASON_REQUIRED("INITIAL_SCID");
        goto malformed;
    }

    if (!ch->is_server) {
        if (!got_orig_dcid) {
            reason = TP_REASON_REQUIRED("ORIG_DCID");
            goto malformed;
        }

        if (ch->doing_retry && !got_retry_scid) {
            reason = TP_REASON_REQUIRED("RETRY_SCID");
            goto malformed;
        }
    }

    ch->got_remote_transport_params = 1;

#ifndef OPENSSL_NO_QLOG
    QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
    QLOG_STR("owner", "remote");

    if (got_orig_dcid)
        QLOG_CID("original_destination_connection_id",
            &ch->init_dcid);
    if (got_initial_scid)
        QLOG_CID("original_source_connection_id",
            &ch->init_dcid);
    if (got_retry_scid)
        QLOG_CID("retry_source_connection_id",
            &ch->retry_scid);
    if (got_initial_max_data)
        QLOG_U64("initial_max_data",
            ossl_quic_txfc_get_cwm(&ch->conn_txfc));
    if (got_initial_max_stream_data_bidi_local)
        QLOG_U64("initial_max_stream_data_bidi_local",
            ch->rx_init_max_stream_data_bidi_local);
    if (got_initial_max_stream_data_bidi_remote)
        QLOG_U64("initial_max_stream_data_bidi_remote",
            ch->rx_init_max_stream_data_bidi_remote);
    if (got_initial_max_stream_data_uni)
        QLOG_U64("initial_max_stream_data_uni",
            ch->rx_init_max_stream_data_uni);
    if (got_initial_max_streams_bidi)
        QLOG_U64("initial_max_streams_bidi",
            ch->max_local_streams_bidi);
    if (got_initial_max_streams_uni)
        QLOG_U64("initial_max_streams_uni",
            ch->max_local_streams_uni);
    if (got_ack_delay_exp)
        QLOG_U64("ack_delay_exponent", ch->rx_ack_delay_exp);
    if (got_max_ack_delay)
        QLOG_U64("max_ack_delay", ch->rx_max_ack_delay);
    if (got_max_udp_payload_size)
        QLOG_U64("max_udp_payload_size", ch->rx_max_udp_payload_size);
    if (got_max_idle_timeout)
        QLOG_U64("max_idle_timeout", rx_max_idle_timeout);
    if (got_active_conn_id_limit)
        QLOG_U64("active_connection_id_limit", ch->rx_active_conn_id_limit);
    if (got_stateless_reset_token)
        QLOG_BIN("stateless_reset_token", stateless_reset_token_p,
            QUIC_STATELESS_RESET_TOKEN_LEN);
    if (got_preferred_addr) {
        QLOG_BEGIN("preferred_addr")
        QLOG_U64("port_v4", pfa.ipv4_port);
        QLOG_U64("port_v6", pfa.ipv6_port);
        QLOG_BIN("ip_v4", pfa.ipv4, sizeof(pfa.ipv4));
        QLOG_BIN("ip_v6", pfa.ipv6, sizeof(pfa.ipv6));
        QLOG_BIN("stateless_reset_token", pfa.stateless_reset.token,
            sizeof(pfa.stateless_reset.token));
        QLOG_CID("connection_id", &pfa.cid);
        QLOG_END()
    }
    QLOG_BOOL("disable_active_migration", got_disable_active_migration);
    QLOG_EVENT_END()
#endif

    if (got_initial_max_data || got_initial_max_stream_data_bidi_remote
        || got_initial_max_streams_bidi || got_initial_max_streams_uni)
        /*
         * If FC credit was bumped, we may now be able to send. Update all
         * streams.
         */
        ossl_quic_stream_map_visit(&ch->qsm, do_update, ch);

    /* If we are a server, we now generate our own transport parameters. */
    if (ch->is_server && !ch_generate_transport_params(ch)) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR, 0,
            "internal error");
        return 0;
    }

    return 1;

malformed:
    ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
        0, reason);
    return 0;
}

/*
 * Called when we want to generate transport parameters. This is called
 * immediately at instantiation time for a client and after we receive the
 * client's transport parameters for a server.
 */
static int ch_generate_transport_params(QUIC_CHANNEL *ch)
{
    int ok = 0;
    BUF_MEM *buf_mem = NULL;
    WPACKET wpkt;
    int wpkt_valid = 0;
    size_t buf_len = 0;
    QUIC_CONN_ID *id_to_use = NULL;

    /*
     * We need to select which connection id to encode in the
     * QUIC_TPARAM_ORIG_DCID transport parameter
     * If we have an odcid, then this connection was established
     * in response to a retry request, and we need to use the connection
     * id sent in the first initial packet.
     * If we don't have an odcid, then this connection was established
     * without a retry and the init_dcid is the connection we should use
     */
    if (ch->odcid.id_len == 0)
        id_to_use = &ch->init_dcid;
    else
        id_to_use = &ch->odcid;

    if (ch->local_transport_params != NULL || ch->got_local_transport_params)
        goto err;

    if ((buf_mem = BUF_MEM_new()) == NULL)
        goto err;

    if (!WPACKET_init(&wpkt, buf_mem))
        goto err;

    wpkt_valid = 1;

    if (ossl_quic_wire_encode_transport_param_bytes(&wpkt, QUIC_TPARAM_DISABLE_ACTIVE_MIGRATION,
            NULL, 0)
        == NULL)
        goto err;

    if (ch->is_server) {
        if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_ORIG_DCID,
                id_to_use))
            goto err;

        if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
                &ch->cur_local_cid))
            goto err;
        if (ch->odcid.id_len != 0)
            if (!ossl_quic_wire_encode_transport_param_cid(&wpkt,
                    QUIC_TPARAM_RETRY_SCID,
                    &ch->init_dcid))
                goto err;
    } else {
        if (!ossl_quic_wire_encode_transport_param_cid(&wpkt, QUIC_TPARAM_INITIAL_SCID,
                &ch->init_scid))
            goto err;
    }

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_IDLE_TIMEOUT,
            ch->max_idle_timeout_local_req))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_UDP_PAYLOAD_SIZE,
            QUIC_MIN_INITIAL_DGRAM_LEN))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_ACTIVE_CONN_ID_LIMIT,
            QUIC_MIN_ACTIVE_CONN_ID_LIMIT))
        goto err;

    if (ch->tx_max_ack_delay != QUIC_DEFAULT_MAX_ACK_DELAY
        && !ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_MAX_ACK_DELAY,
            ch->tx_max_ack_delay))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_DATA,
            ossl_quic_rxfc_get_cwm(&ch->conn_rxfc)))
        goto err;

    /* Send the default CWM for a new RXFC. */
    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL,
            ch->tx_init_max_stream_data_bidi_local))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE,
            ch->tx_init_max_stream_data_bidi_remote))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAM_DATA_UNI,
            ch->tx_init_max_stream_data_uni))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_BIDI,
            ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc)))
        goto err;

    if (!ossl_quic_wire_encode_transport_param_int(&wpkt, QUIC_TPARAM_INITIAL_MAX_STREAMS_UNI,
            ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc)))
        goto err;

    if (!WPACKET_finish(&wpkt))
        goto err;

    wpkt_valid = 0;

    if (!WPACKET_get_total_written(&wpkt, &buf_len))
        goto err;

    ch->local_transport_params = (unsigned char *)buf_mem->data;
    buf_mem->data = NULL;

    if (!ossl_quic_tls_set_transport_params(ch->qtls, ch->local_transport_params,
            buf_len))
        goto err;

#ifndef OPENSSL_NO_QLOG
    QLOG_EVENT_BEGIN(ch_get_qlog(ch), transport, parameters_set)
    QLOG_STR("owner", "local");
    QLOG_BOOL("disable_active_migration", 1);
    if (ch->is_server) {
        QLOG_CID("original_destination_connection_id", &ch->init_dcid);
        QLOG_CID("initial_source_connection_id", &ch->cur_local_cid);
    } else {
        QLOG_STR("initial_source_connection_id", "");
    }
    QLOG_U64("max_idle_timeout", ch->max_idle_timeout);
    QLOG_U64("max_udp_payload_size", QUIC_MIN_INITIAL_DGRAM_LEN);
    QLOG_U64("active_connection_id_limit", QUIC_MIN_ACTIVE_CONN_ID_LIMIT);
    QLOG_U64("max_ack_delay", ch->tx_max_ack_delay);
    QLOG_U64("initial_max_data", ossl_quic_rxfc_get_cwm(&ch->conn_rxfc));
    QLOG_U64("initial_max_stream_data_bidi_local",
        ch->tx_init_max_stream_data_bidi_local);
    QLOG_U64("initial_max_stream_data_bidi_remote",
        ch->tx_init_max_stream_data_bidi_remote);
    QLOG_U64("initial_max_stream_data_uni",
        ch->tx_init_max_stream_data_uni);
    QLOG_U64("initial_max_streams_bidi",
        ossl_quic_rxfc_get_cwm(&ch->max_streams_bidi_rxfc));
    QLOG_U64("initial_max_streams_uni",
        ossl_quic_rxfc_get_cwm(&ch->max_streams_uni_rxfc));
    QLOG_EVENT_END()
#endif

    ch->got_local_transport_params = 1;

    ok = 1;
err:
    if (wpkt_valid)
        WPACKET_cleanup(&wpkt);
    BUF_MEM_free(buf_mem);
    return ok;
}

/*
 * QUIC Channel: Ticker-Mutator
 * ============================
 */

/*
 * The central ticker function called by the reactor. This does everything, or
 * at least everything network I/O related. Best effort - not allowed to fail
 * "loudly".
 */
void ossl_quic_channel_subtick(QUIC_CHANNEL *ch, QUIC_TICK_RESULT *res,
    uint32_t flags)
{
    OSSL_TIME now, deadline;
    int channel_only = (flags & QUIC_REACTOR_TICK_FLAG_CHANNEL_ONLY) != 0;
    int notify_other_threads = 0;

    /*
     * When we tick the QUIC connection, we do everything we need to do
     * periodically. Network I/O handling will already have been performed
     * as necessary by the QUIC port. Thus, in order, we:
     *
     *   - handle any packets the DEMUX has queued up for us;
     *   - handle any timer events which are due to fire (ACKM, etc.);
     *   - generate any packets which need to be sent;
     *   - determine the time at which we should next be ticked.
     */

    /*
     * If the connection has not yet started, or we are in the TERMINATED state,
     * there is nothing to do.
     */
    if (ch->state == QUIC_CHANNEL_STATE_IDLE
        || ossl_quic_channel_is_terminated(ch)) {
        res->net_read_desired = 0;
        res->net_write_desired = 0;
        res->notify_other_threads = 0;
        res->tick_deadline = ossl_time_infinite();
        return;
    }

    /*
     * If we are in the TERMINATING state, check if the terminating timer has
     * expired.
     */
    if (ossl_quic_channel_is_terminating(ch)) {
        now = get_time(ch);

        if (ossl_time_compare(now, ch->terminate_deadline) >= 0) {
            ch_on_terminating_timeout(ch);
            res->net_read_desired = 0;
            res->net_write_desired = 0;
            res->notify_other_threads = 1;
            res->tick_deadline = ossl_time_infinite();
            return; /* abort normal processing, nothing to do */
        }
    }

    if (!ch->port->engine->inhibit_tick) {
        /* Handle RXKU timeouts. */
        ch_rxku_tick(ch);

        do {
            /* Process queued incoming packets. */
            ch->did_tls_tick = 0;
            ch->have_new_rx_secret = 0;
            ch_rx(ch, channel_only, &notify_other_threads);

            /*
             * Allow the handshake layer to check for any new incoming data and
             * generate new outgoing data.
             */
            if (!ch->did_tls_tick)
                ch_tick_tls(ch, channel_only, &notify_other_threads);

            /*
             * If the handshake layer gave us a new secret, we need to do RX
             * again because packets that were not previously processable and
             * were deferred might now be processable.
             *
             * TODO(QUIC FUTURE): Consider handling this in the yield_secret callback.
             */
        } while (ch->have_new_rx_secret);
    }

    /*
     * Handle any timer events which are due to fire; namely, the loss
     * detection deadline and the idle timeout.
     *
     * ACKM ACK generation deadline is polled by TXP, so we don't need to
     * handle it here.
     */
    now = get_time(ch);
    if (ossl_time_compare(now, ch->idle_deadline) >= 0) {
        /*
         * Idle timeout differs from normal protocol violation because we do
         * not send a CONN_CLOSE frame; go straight to TERMINATED.
         */
        if (!ch->port->engine->inhibit_tick)
            ch_on_idle_timeout(ch);

        res->net_read_desired = 0;
        res->net_write_desired = 0;
        res->notify_other_threads = 1;
        res->tick_deadline = ossl_time_infinite();
        return;
    }

    if (!ch->port->engine->inhibit_tick) {
        deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
        if (!ossl_time_is_zero(deadline)
            && ossl_time_compare(now, deadline) >= 0)
            ossl_ackm_on_timeout(ch->ackm);

        /* If a ping is due, inform TXP. */
        if (ossl_time_compare(now, ch->ping_deadline) >= 0) {
            int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);

            ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);

            /*
             * If we have no CC budget at this time we cannot process the above
             * PING request immediately. In any case we have scheduled the
             * request so bump the ping deadline. If we don't do this we will
             * busy-loop endlessly as the above deadline comparison condition
             * will still be met.
             */
            ch_update_ping_deadline(ch);
        }

        /* Queue any data to be sent for transmission. */
        ch_tx(ch, &notify_other_threads);

        /* Do stream GC. */
        ossl_quic_stream_map_gc(&ch->qsm);
    }

    /* Determine the time at which we should next be ticked. */
    res->tick_deadline = ch_determine_next_tick_deadline(ch);

    /*
     * Always process network input unless we are now terminated. Although we
     * had not terminated at the beginning of this tick, network errors in
     * ch_tx() may have caused us to transition to the Terminated state.
     */
    res->net_read_desired = !ossl_quic_channel_is_terminated(ch);

    /* We want to write to the network if we have any data in our TX queue. */
    res->net_write_desired
        = (!ossl_quic_channel_is_terminated(ch)
            && ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0);

    res->notify_other_threads = notify_other_threads;
}

static int ch_tick_tls(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads)
{
    uint64_t error_code;
    const char *error_msg;
    ERR_STATE *error_state = NULL;

    if (channel_only)
        return 1;

    ch->did_tls_tick = 1;
    ossl_quic_tls_tick(ch->qtls);

    if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg,
            &error_state)) {
        ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0,
            error_msg, error_state);
        if (notify_other_threads != NULL)
            *notify_other_threads = 1;

        return 0;
    }

    return 1;
}

/* Check incoming forged packet limit and terminate connection if needed. */
static void ch_rx_check_forged_pkt_limit(QUIC_CHANNEL *ch)
{
    uint32_t enc_level;
    uint64_t limit = UINT64_MAX, l;

    for (enc_level = QUIC_ENC_LEVEL_INITIAL;
        enc_level < QUIC_ENC_LEVEL_NUM;
        ++enc_level) {
        /*
         * Different ELs can have different AEADs which can in turn impose
         * different limits, so use the lowest value of any currently valid EL.
         */
        if ((ch->el_discarded & (1U << enc_level)) != 0)
            continue;

        if (enc_level > ch->rx_enc_level)
            break;

        l = ossl_qrx_get_max_forged_pkt_count(ch->qrx, enc_level);
        if (l < limit)
            limit = l;
    }

    if (ossl_qrx_get_cur_forged_pkt_count(ch->qrx) < limit)
        return;

    ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_AEAD_LIMIT_REACHED, 0,
        "forgery limit");
}

/* Process queued incoming packets and handle frames, if any. */
static int ch_rx(QUIC_CHANNEL *ch, int channel_only, int *notify_other_threads)
{
    int handled_any = 0;
    const int closing = ossl_quic_channel_is_closing(ch);

    if (!ch->is_server && !ch->have_sent_any_pkt)
        /*
         * We have not sent anything yet, therefore there is no need to check
         * for incoming data.
         */
        return 1;

    for (;;) {
        assert(ch->qrx_pkt == NULL);

        if (!ossl_qrx_read_pkt(ch->qrx, &ch->qrx_pkt))
            break;

        /* Track the amount of data received while in the closing state */
        if (closing)
            ossl_quic_tx_packetiser_record_received_closing_bytes(
                ch->txp, ch->qrx_pkt->hdr->len);

        if (!handled_any) {
            ch_update_idle(ch);
            ch_update_ping_deadline(ch);
        }

        ch_rx_handle_packet(ch, channel_only); /* best effort */

        /*
         * Regardless of the outcome of frame handling, unref the packet.
         * This will free the packet unless something added another
         * reference to it during frame processing.
         */
        ossl_qrx_pkt_release(ch->qrx_pkt);
        ch->qrx_pkt = NULL;

        ch->have_sent_ack_eliciting_since_rx = 0;
        handled_any = 1;
    }

    ch_rx_check_forged_pkt_limit(ch);

    if (handled_any && notify_other_threads != NULL)
        *notify_other_threads = 1;

    /*
     * When in TERMINATING - CLOSING, generate a CONN_CLOSE frame whenever we
     * process one or more incoming packets.
     */
    if (handled_any && closing)
        ch->conn_close_queued = 1;

    return 1;
}

static int bio_addr_eq(const BIO_ADDR *a, const BIO_ADDR *b)
{
    if (BIO_ADDR_family(a) != BIO_ADDR_family(b))
        return 0;

    switch (BIO_ADDR_family(a)) {
    case AF_INET:
        return !memcmp(&a->s_in.sin_addr,
                   &b->s_in.sin_addr,
                   sizeof(a->s_in.sin_addr))
            && a->s_in.sin_port == b->s_in.sin_port;
#if OPENSSL_USE_IPV6
    case AF_INET6:
        return !memcmp(&a->s_in6.sin6_addr,
                   &b->s_in6.sin6_addr,
                   sizeof(a->s_in6.sin6_addr))
            && a->s_in6.sin6_port == b->s_in6.sin6_port;
#endif
    default:
        return 0; /* not supported */
    }

    return 1;
}

/* Handles the packet currently in ch->qrx_pkt->hdr. */
static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only)
{
    uint32_t enc_level;
    int old_have_processed_any_pkt = ch->have_processed_any_pkt;
    OSSL_QTX_IOVEC iovec;
    PACKET vpkt;
    unsigned long supported_ver;

    assert(ch->qrx_pkt != NULL);

    /*
     * RFC 9000 s. 10.2.1 Closing Connection State:
     *      An endpoint that is closing is not required to process any
     *      received frame.
     */
    if (!ossl_quic_channel_is_active(ch))
        return;

    if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)) {
        if (!ch->have_received_enc_pkt) {
            ch->cur_remote_dcid = ch->init_scid = ch->qrx_pkt->hdr->src_conn_id;
            ch->have_received_enc_pkt = 1;

            /*
             * We change to using the SCID in the first Initial packet as the
             * DCID.
             */
            ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->init_scid);
        }

        enc_level = ossl_quic_pkt_type_to_enc_level(ch->qrx_pkt->hdr->type);
        if ((ch->el_discarded & (1U << enc_level)) != 0)
            /* Do not process packets from ELs we have already discarded. */
            return;
    }

    /*
     * RFC 9000 s. 9.6: "If a client receives packets from a new server address
     * when the client has not initiated a migration to that address, the client
     * SHOULD discard these packets."
     *
     * We need to be a bit careful here as due to the BIO abstraction layer an
     * application is liable to be weird and lie to us about peer addresses.
     * Only apply this check if we actually are using a real AF_INET or AF_INET6
     * address.
     */
    if (!ch->is_server
        && ch->qrx_pkt->peer != NULL
        && (BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET
#if OPENSSL_USE_IPV6
            || BIO_ADDR_family(&ch->cur_peer_addr) == AF_INET6
#endif
            )
        && !bio_addr_eq(ch->qrx_pkt->peer, &ch->cur_peer_addr))
        return;

    if (!ch->is_server
        && ch->have_received_enc_pkt
        && ossl_quic_pkt_type_has_scid(ch->qrx_pkt->hdr->type)) {
        /*
         * RFC 9000 s. 7.2: "Once a client has received a valid Initial packet
         * from the server, it MUST discard any subsequent packet it receives on
         * that connection with a different SCID."
         */
        if (!ossl_quic_conn_id_eq(&ch->qrx_pkt->hdr->src_conn_id,
                &ch->init_scid))
            return;
    }

    if (ossl_quic_pkt_type_has_version(ch->qrx_pkt->hdr->type)
        && ch->qrx_pkt->hdr->version != QUIC_VERSION_1)
        /*
         * RFC 9000 s. 5.2.1: If a client receives a packet that uses a
         * different version than it initially selected, it MUST discard the
         * packet. We only ever use v1, so require it.
         */
        return;

    if (ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_VERSION_NEG) {

        /*
         * Sanity check.  Version negotiation packet MUST have a version
         * value of 0 according to the RFC.  We must discard such packets
         */
        if (ch->qrx_pkt->hdr->version != 0)
            return;

        /*
         * RFC 9000 s. 6.2: If a client receives a version negotiation
         * packet, we need to do the following:
         * a) If the negotiation packet lists the version we initially sent
         *    then we must abandon this connection attempt
         * b) We have to select a version from the list provided in the
         *    version negotiation packet, and retry the connection attempt
         *    in much the same way that ch_retry does, but we can reuse the
         *    connection id values
         */

        if (old_have_processed_any_pkt == 1) {
            /*
             * We've gotten previous packets, need to discard this.
             */
            return;
        }

        /*
         * Indicate that we have processed a packet, as any subsequently
         * received version negotiation packet must be discarded above
         */
        ch->have_processed_any_pkt = 1;

        /*
         * Following the header, version negotiation packets
         * contain an array of 32 bit integers representing
         * the supported versions that the server honors
         * this array, bounded by the hdr->len field
         * needs to be traversed so that we can find a matching
         * version
         */
        if (!PACKET_buf_init(&vpkt, ch->qrx_pkt->hdr->data,
                ch->qrx_pkt->hdr->len))
            return;

        while (PACKET_remaining(&vpkt) > 0) {
            /*
             * We only support quic version 1 at the moment, so
             * look to see if that's offered
             */
            if (!PACKET_get_net_4(&vpkt, &supported_ver))
                return;

            if (supported_ver == QUIC_VERSION_1) {
                /*
                 * If the server supports version 1, set it as
                 * the packetisers version
                 */
                ossl_quic_tx_packetiser_set_protocol_version(ch->txp, QUIC_VERSION_1);

                /*
                 * And then request a restart of the QUIC connection
                 */
                if (!ch_restart(ch))
                    ossl_quic_channel_raise_protocol_error(ch,
                        OSSL_QUIC_ERR_INTERNAL_ERROR,
                        0, "handling ver negotiation packet");
                return;
            }
        }

        /*
         * If we get here, then the server doesn't support a version of the
         * protocol that we can handle, abandon the connection
         */
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_CONNECTION_REFUSED,
            0, "unsupported protocol version");
        return;
    }

    ch->have_processed_any_pkt = 1;

    /*
     * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a
     * non-zero value for [the reserved bits] after removing both packet and
     * header protection as a connection error of type PROTOCOL_VIOLATION."
     */
    if (ossl_quic_pkt_type_is_encrypted(ch->qrx_pkt->hdr->type)
        && ch->qrx_pkt->hdr->reserved != 0) {
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
            0, "packet header reserved bits");
        return;
    }

    iovec.buf = ch->qrx_pkt->hdr->data;
    iovec.buf_len = ch->qrx_pkt->hdr->len;
    ossl_qlog_event_transport_packet_received(ch_get_qlog(ch), ch->qrx_pkt->hdr,
        ch->qrx_pkt->pn, &iovec, 1,
        ch->qrx_pkt->datagram_id);

    /* Handle incoming packet. */
    switch (ch->qrx_pkt->hdr->type) {
    case QUIC_PKT_TYPE_RETRY:
        if (ch->doing_retry || ch->is_server)
            /*
             * It is not allowed to ask a client to do a retry more than
             * once. Clients may not send retries.
             */
            return;

        /*
         * RFC 9000 s 17.2.5.2: After the client has received and processed an
         * Initial or Retry packet from the server, it MUST discard any
         * subsequent Retry packets that it receives.
         */
        if (ch->have_received_enc_pkt)
            return;

        if (ch->qrx_pkt->hdr->len <= QUIC_RETRY_INTEGRITY_TAG_LEN)
            /* Packets with zero-length Retry Tokens are invalid. */
            return;

        /*
         * TODO(QUIC FUTURE): Theoretically this should probably be in the QRX.
         * However because validation is dependent on context (namely the
         * client's initial DCID) we can't do this cleanly. In the future we
         * should probably add a callback to the QRX to let it call us (via
         * the DEMUX) and ask us about the correct original DCID, rather
         * than allow the QRX to emit a potentially malformed packet to the
         * upper layers. However, special casing this will do for now.
         */
        if (!ossl_quic_validate_retry_integrity_tag(ch->port->engine->libctx,
                ch->port->engine->propq,
                ch->qrx_pkt->hdr,
                &ch->init_dcid))
            /* Malformed retry packet, ignore. */
            return;

        if (!ch_retry(ch, ch->qrx_pkt->hdr->data,
                ch->qrx_pkt->hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN,
                &ch->qrx_pkt->hdr->src_conn_id, old_have_processed_any_pkt))
            ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR,
                0, "handling retry packet");
        break;

    case QUIC_PKT_TYPE_0RTT:
        if (!ch->is_server)
            /* Clients should never receive 0-RTT packets. */
            return;

        /*
         * TODO(QUIC 0RTT): Implement 0-RTT on the server side. We currently
         * do not need to implement this as a client can only do 0-RTT if we
         * have given it permission to in a previous session.
         */
        break;

    case QUIC_PKT_TYPE_INITIAL:
    case QUIC_PKT_TYPE_HANDSHAKE:
    case QUIC_PKT_TYPE_1RTT:
        if (ch->is_server && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_HANDSHAKE)
            /*
             * We automatically drop INITIAL EL keys when first successfully
             * decrypting a HANDSHAKE packet, as per the RFC.
             */
            ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);

        if (ch->rxku_in_progress
            && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_1RTT
            && ch->qrx_pkt->pn >= ch->rxku_trigger_pn
            && ch->qrx_pkt->key_epoch < ossl_qrx_get_key_epoch(ch->qrx)) {
            /*
             * RFC 9001 s. 6.4: Packets with higher packet numbers MUST be
             * protected with either the same or newer packet protection keys
             * than packets with lower packet numbers. An endpoint that
             * successfully removes protection with old keys when newer keys
             * were used for packets with lower packet numbers MUST treat this
             * as a connection error of type KEY_UPDATE_ERROR.
             */
            ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
                0, "new packet with old keys");
            break;
        }

        if (!ch->is_server
            && ch->qrx_pkt->hdr->type == QUIC_PKT_TYPE_INITIAL
            && ch->qrx_pkt->hdr->token_len > 0) {
            /*
             * RFC 9000 s. 17.2.2: Clients that receive an Initial packet with a
             * non-zero Token Length field MUST either discard the packet or
             * generate a connection error of type PROTOCOL_VIOLATION.
             *
             * TODO(QUIC FUTURE): consider the implications of RFC 9000 s. 10.2.3
             * Immediate Close during the Handshake:
             *      However, at the cost of reducing feedback about
             *      errors for legitimate peers, some forms of denial of
             *      service can be made more difficult for an attacker
             *      if endpoints discard illegal packets rather than
             *      terminating a connection with CONNECTION_CLOSE. For
             *      this reason, endpoints MAY discard packets rather
             *      than immediately close if errors are detected in
             *      packets that lack authentication.
             * I.e. should we drop this packet instead of closing the connection?
             */
            ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
                0, "client received initial token");
            break;
        }

        /* This packet contains frames, pass to the RXDP. */
        ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */

        if (ch->did_crypto_frame)
            ch_tick_tls(ch, channel_only, NULL);

        break;

    case QUIC_PKT_TYPE_VERSION_NEG:
        /*
         * "A client MUST discard any Version Negotiation packet if it has
         * received and successfully processed any other packet."
         */
        if (!old_have_processed_any_pkt)
            ch_rx_handle_version_neg(ch, ch->qrx_pkt);

        break;

    default:
        assert(0);
        break;
    }
}

static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt)
{
    /*
     * We do not support version negotiation at this time. As per RFC 9000 s.
     * 6.2., we MUST abandon the connection attempt if we receive a Version
     * Negotiation packet, unless we have already successfully processed another
     * incoming packet, or the packet lists the QUIC version we want to use.
     */
    PACKET vpkt;
    unsigned long v;

    if (!PACKET_buf_init(&vpkt, pkt->hdr->data, pkt->hdr->len))
        return;

    while (PACKET_remaining(&vpkt) > 0) {
        if (!PACKET_get_net_4(&vpkt, &v))
            break;

        if ((uint32_t)v == QUIC_VERSION_1)
            return;
    }

    /* No match, this is a failure case. */
    ch_raise_version_neg_failure(ch);
}

static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    tcause.error_code = OSSL_QUIC_ERR_CONNECTION_REFUSED;
    tcause.reason = "version negotiation failure";
    tcause.reason_len = strlen(tcause.reason);

    /*
     * Skip TERMINATING state; this is not considered a protocol error and we do
     * not send CONNECTION_CLOSE.
     */
    ch_start_terminating(ch, &tcause, 1);
}

/* Try to generate packets and if possible, flush them to the network. */
static int ch_tx(QUIC_CHANNEL *ch, int *notify_other_threads)
{
    QUIC_TXP_STATUS status;
    int res;

    /*
     * RFC 9000 s. 10.2.2: Draining Connection State:
     *      While otherwise identical to the closing state, an endpoint
     *      in the draining state MUST NOT send any packets.
     * and:
     *      An endpoint MUST NOT send further packets.
     */
    if (ossl_quic_channel_is_draining(ch))
        return 0;

    if (ossl_quic_channel_is_closing(ch)) {
        /*
         * While closing, only send CONN_CLOSE if we've received more traffic
         * from the peer. Once we tell the TXP to generate CONN_CLOSE, all
         * future calls to it generate CONN_CLOSE frames, so otherwise we would
         * just constantly generate CONN_CLOSE frames.
         *
         * Confirming to RFC 9000 s. 10.2.1 Closing Connection State:
         *      An endpoint SHOULD limit the rate at which it generates
         *      packets in the closing state.
         */
        if (!ch->conn_close_queued)
            return 0;

        ch->conn_close_queued = 0;
    }

    /* Do TXKU if we need to. */
    ch_maybe_trigger_spontaneous_txku(ch);

    ch->rxku_pending_confirm_done = 0;

    /* Loop until we stop generating packets to send */
    do {
        /*
         * Send packet, if we need to. Best effort. The TXP consults the CC and
         * applies any limitations imposed by it, so we don't need to do it here.
         *
         * Best effort. In particular if TXP fails for some reason we should
         * still flush any queued packets which we already generated.
         */
        res = ossl_quic_tx_packetiser_generate(ch->txp, &status);
        if (status.sent_pkt > 0) {
            ch->have_sent_any_pkt = 1; /* Packet(s) were sent */
            ch->port->have_sent_any_pkt = 1;

            /*
             * RFC 9000 s. 10.1. 'An endpoint also restarts its idle timer when
             * sending an ack-eliciting packet if no other ack-eliciting packets
             * have been sent since last receiving and processing a packet.'
             */
            if (status.sent_ack_eliciting
                && !ch->have_sent_ack_eliciting_since_rx) {
                ch_update_idle(ch);
                ch->have_sent_ack_eliciting_since_rx = 1;
            }

            if (!ch->is_server && status.sent_handshake)
                /*
                 * RFC 9001 s. 4.9.1: A client MUST discard Initial keys when it
                 * first sends a Handshake packet.
                 */
                ch_discard_el(ch, QUIC_ENC_LEVEL_INITIAL);

            if (ch->rxku_pending_confirm_done)
                ch->rxku_pending_confirm = 0;

            ch_update_ping_deadline(ch);
        }

        if (!res) {
            /*
             * One case where TXP can fail is if we reach a TX PN of 2**62 - 1.
             * As per RFC 9000 s. 12.3, if this happens we MUST close the
             * connection without sending a CONNECTION_CLOSE frame. This is
             * actually handled as an emergent consequence of our design, as the
             * TX packetiser will never transmit another packet when the TX PN
             * reaches the limit.
             *
             * Calling the below function terminates the connection; its attempt
             * to schedule a CONNECTION_CLOSE frame will not actually cause a
             * packet to be transmitted for this reason.
             */
            ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INTERNAL_ERROR,
                0,
                "internal error (txp generate)");
            break;
        }
    } while (status.sent_pkt > 0);

    /* Flush packets to network. */
    switch (ossl_qtx_flush_net(ch->qtx)) {
    case QTX_FLUSH_NET_RES_OK:
    case QTX_FLUSH_NET_RES_TRANSIENT_FAIL:
        /* Best effort, done for now. */
        break;

    case QTX_FLUSH_NET_RES_PERMANENT_FAIL:
    default:
        /* Permanent underlying network BIO, start terminating. */
        ossl_quic_port_raise_net_error(ch->port, ch);
        break;
    }

    /*
     * If we have datagrams we have yet to successfully transmit, we need to
     * notify other threads so that they can switch to polling on POLLOUT as
     * well as POLLIN.
     */
    if (ossl_qtx_get_queue_len_datagrams(ch->qtx) > 0)
        *notify_other_threads = 1;

    return 1;
}

/* Determine next tick deadline. */
static OSSL_TIME ch_determine_next_tick_deadline(QUIC_CHANNEL *ch)
{
    OSSL_TIME deadline;
    int i;

    if (ossl_quic_channel_is_terminated(ch))
        return ossl_time_infinite();

    deadline = ossl_ackm_get_loss_detection_deadline(ch->ackm);
    if (ossl_time_is_zero(deadline))
        deadline = ossl_time_infinite();

    /*
     * Check the ack deadline for all enc_levels that are actually provisioned.
     * ACKs aren't restricted by CC.
     */
    for (i = 0; i < QUIC_ENC_LEVEL_NUM; i++) {
        if (ossl_qtx_is_enc_level_provisioned(ch->qtx, i)) {
            deadline = ossl_time_min(deadline,
                ossl_ackm_get_ack_deadline(ch->ackm,
                    ossl_quic_enc_level_to_pn_space(i)));
        }
    }

    /*
     * When do we need to send an ACK-eliciting packet to reset the idle
     * deadline timer for the peer?
     */
    if (!ossl_time_is_infinite(ch->ping_deadline))
        deadline = ossl_time_min(deadline, ch->ping_deadline);

    /* Apply TXP wakeup deadline. */
    deadline = ossl_time_min(deadline,
        ossl_quic_tx_packetiser_get_deadline(ch->txp));

    /* Is the terminating timer armed? */
    if (ossl_quic_channel_is_terminating(ch))
        deadline = ossl_time_min(deadline,
            ch->terminate_deadline);
    else if (!ossl_time_is_infinite(ch->idle_deadline))
        deadline = ossl_time_min(deadline,
            ch->idle_deadline);

    /* When does the RXKU process complete? */
    if (ch->rxku_in_progress)
        deadline = ossl_time_min(deadline, ch->rxku_update_end_deadline);

    return deadline;
}

/*
 * QUIC Channel: Lifecycle Events
 * ==============================
 */

/*
 * Record a state transition. This is not necessarily a change to ch->state but
 * also includes the handshake becoming complete or confirmed, etc.
 */
static void ch_record_state_transition(QUIC_CHANNEL *ch, uint32_t new_state)
{
    uint32_t old_state = ch->state;

    ch->state = new_state;

    ossl_qlog_event_connectivity_connection_state_updated(ch_get_qlog(ch),
        old_state,
        new_state,
        ch->handshake_complete,
        ch->handshake_confirmed);
}

static void free_peer_token(const unsigned char *token,
    size_t token_len, void *arg)
{
    ossl_quic_free_peer_token((QUIC_TOKEN *)arg);
}

int ossl_quic_channel_start(QUIC_CHANNEL *ch)
{
    QUIC_TOKEN *token;

    if (ch->is_server)
        /*
         * This is not used by the server. The server moves to active
         * automatically on receiving an incoming connection.
         */
        return 0;

    if (ch->state != QUIC_CHANNEL_STATE_IDLE)
        /* Calls to connect are idempotent */
        return 1;

    /* Inform QTX of peer address. */
    if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
        return 0;

    /*
     * Look to see if we have a token, and if so, set it on the packetiser
     */
    if (!ch->is_server
        && ossl_quic_get_peer_token(ch->port->channel_ctx,
            &ch->cur_peer_addr,
            &token)
        && !ossl_quic_tx_packetiser_set_initial_token(ch->txp, token->token,
            token->token_len,
            free_peer_token,
            token))
        free_peer_token(NULL, 0, token);

    /* Plug in secrets for the Initial EL. */
    if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
            ch->port->engine->propq,
            &ch->init_dcid,
            ch->is_server,
            ch->qrx, ch->qtx))
        return 0;

    /*
     * Determine the QUIC Transport Parameters and serialize the transport
     * parameters block. (For servers, we do this later as we must defer
     * generation until we have received the client's transport parameters.)
     */
    if (!ch->is_server && !ch->got_local_transport_params
        && !ch_generate_transport_params(ch))
        return 0;

    /* Change state. */
    ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
    ch->doing_proactive_ver_neg = 0; /* not currently supported */

    ossl_qlog_event_connectivity_connection_started(ch_get_qlog(ch),
        &ch->init_dcid);

    /* Handshake layer: start (e.g. send CH). */
    if (!ch_tick_tls(ch, /*channel_only=*/0, NULL))
        return 0;

    ossl_quic_reactor_tick(ossl_quic_port_get0_reactor(ch->port), 0); /* best effort */
    return 1;
}

static void free_token(const unsigned char *token, size_t token_len, void *arg)
{
    OPENSSL_free((char *)token);
}

/* Start a locally initiated connection shutdown. */
void ossl_quic_channel_local_close(QUIC_CHANNEL *ch, uint64_t app_error_code,
    const char *app_reason)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    if (ossl_quic_channel_is_term_any(ch))
        return;

    tcause.app = 1;
    tcause.error_code = app_error_code;
    tcause.reason = app_reason;
    tcause.reason_len = app_reason != NULL ? strlen(app_reason) : 0;
    ch_start_terminating(ch, &tcause, 0);
}

/**
 * ch_restart - Restarts the QUIC channel by simulating loss of the initial
 * packet. This forces the packet to be regenerated with the updated protocol
 * version number.
 *
 * @ch: Pointer to the QUIC_CHANNEL structure.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ch_restart(QUIC_CHANNEL *ch)
{
    /*
     * Just pretend we lost our initial packet, so it gets
     * regenerated, with our updated protocol version number
     */
    return ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
        /* PN= */ 0);
}

/* Called when a server asks us to do a retry. */
static int ch_retry(QUIC_CHANNEL *ch,
    const unsigned char *retry_token,
    size_t retry_token_len,
    const QUIC_CONN_ID *retry_scid,
    int drop_later_pn)
{
    void *buf;
    QUIC_PN pn = 0;

    /*
     * RFC 9000 s. 17.2.5.1: "A client MUST discard a Retry packet that contains
     * a SCID field that is identical to the DCID field of its initial packet."
     */
    if (ossl_quic_conn_id_eq(&ch->init_dcid, retry_scid))
        return 1;

    /* We change to using the SCID in the Retry packet as the DCID. */
    if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, retry_scid))
        return 0;

    /*
     * Now we retry. We will release the Retry packet immediately, so copy
     * the token.
     */
    if ((buf = OPENSSL_memdup(retry_token, retry_token_len)) == NULL)
        return 0;

    if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, buf,
            retry_token_len,
            free_token, NULL)) {
        /*
         * This may fail if the token we receive is too big for us to ever be
         * able to transmit in an outgoing Initial packet.
         */
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_INVALID_TOKEN, 0,
            "received oversize token");
        OPENSSL_free(buf);
        return 0;
    }

    ch->retry_scid = *retry_scid;
    ch->doing_retry = 1;

    /*
     * If a retry isn't our first response, we need to drop packet number
     * one instead (i.e. the case where we did version negotiation first
     */
    if (drop_later_pn == 1)
        pn = 1;

    /*
     * We need to stimulate the Initial EL to generate the first CRYPTO frame
     * again. We can do this most cleanly by simply forcing the ACKM to consider
     * the first Initial packet as lost, which it effectively was as the server
     * hasn't processed it. This also maintains the desired behaviour with e.g.
     * PNs not resetting and so on.
     *
     * The PN we used initially is always zero, because QUIC does not allow
     * repeated retries.
     */
    if (!ossl_ackm_mark_packet_pseudo_lost(ch->ackm, QUIC_PN_SPACE_INITIAL,
            pn))
        return 0;

    /*
     * Plug in new secrets for the Initial EL. This is the only time we change
     * the secrets for an EL after we already provisioned it.
     */
    if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
            ch->port->engine->propq,
            &ch->retry_scid,
            /*is_server=*/0,
            ch->qrx, ch->qtx))
        return 0;

    return 1;
}

/* Called when an EL is to be discarded. */
static int ch_discard_el(QUIC_CHANNEL *ch,
    uint32_t enc_level)
{
    if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_1RTT))
        return 0;

    if ((ch->el_discarded & (1U << enc_level)) != 0)
        /* Already done. */
        return 1;

    /* Best effort for all of these. */
    ossl_quic_tx_packetiser_discard_enc_level(ch->txp, enc_level);
    ossl_qrx_discard_enc_level(ch->qrx, enc_level);
    ossl_qtx_discard_enc_level(ch->qtx, enc_level);

    if (enc_level != QUIC_ENC_LEVEL_0RTT) {
        uint32_t pn_space = ossl_quic_enc_level_to_pn_space(enc_level);

        ossl_ackm_on_pkt_space_discarded(ch->ackm, pn_space);

        /* We should still have crypto streams at this point. */
        if (!ossl_assert(ch->crypto_send[pn_space] != NULL)
            || !ossl_assert(ch->crypto_recv[pn_space] != NULL))
            return 0;

        /* Get rid of the crypto stream state for the EL. */
        ossl_quic_sstream_free(ch->crypto_send[pn_space]);
        ch->crypto_send[pn_space] = NULL;

        ossl_quic_rstream_free(ch->crypto_recv[pn_space]);
        ch->crypto_recv[pn_space] = NULL;
    }

    ch->el_discarded |= (1U << enc_level);
    return 1;
}

/* Intended to be called by the RXDP. */
int ossl_quic_channel_on_handshake_confirmed(QUIC_CHANNEL *ch)
{
    if (ch->handshake_confirmed)
        return 1;

    if (!ch->handshake_complete) {
        /*
         * Does not make sense for handshake to be confirmed before it is
         * completed.
         */
        ossl_quic_channel_raise_protocol_error(ch, OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
            OSSL_QUIC_FRAME_TYPE_HANDSHAKE_DONE,
            "handshake cannot be confirmed "
            "before it is completed");
        return 0;
    }

    ch_discard_el(ch, QUIC_ENC_LEVEL_HANDSHAKE);
    ch->handshake_confirmed = 1;
    ch_record_state_transition(ch, ch->state);
    ossl_ackm_on_handshake_confirmed(ch->ackm);
    return 1;
}

/*
 * Master function used when we want to start tearing down a connection:
 *
 *   - If the connection is still IDLE we can go straight to TERMINATED;
 *
 *   - If we are already TERMINATED this is a no-op.
 *
 *   - If we are TERMINATING - CLOSING and we have now got a CONNECTION_CLOSE
 *     from the peer (tcause->remote == 1), we move to TERMINATING - DRAINING.
 *
 *   - If we are TERMINATING - DRAINING, we remain here until the terminating
 *     timer expires.
 *
 *   - Otherwise, we are in ACTIVE and move to TERMINATING - CLOSING.
 *     if we caused the termination (e.g. we have sent a CONNECTION_CLOSE). Note
 *     that we are considered to have caused a termination if we sent the first
 *     CONNECTION_CLOSE frame, even if it is caused by a peer protocol
 *     violation. If the peer sent the first CONNECTION_CLOSE frame, we move to
 *     TERMINATING - DRAINING.
 *
 * We record the termination cause structure passed on the first call only.
 * Any successive calls have their termination cause data discarded;
 * once we start sending a CONNECTION_CLOSE frame, we don't change the details
 * in it.
 *
 * This conforms to RFC 9000 s. 10.2.1: Closing Connection State:
 *      To minimize the state that an endpoint maintains for a closing
 *      connection, endpoints MAY send the exact same packet in response
 *      to any received packet.
 *
 * We don't drop any connection state (specifically packet protection keys)
 * even though we are permitted to.  This conforms to RFC 9000 s. 10.2.1:
 * Closing Connection State:
 *       An endpoint MAY retain packet protection keys for incoming
 *       packets to allow it to read and process a CONNECTION_CLOSE frame.
 *
 * Note that we do not conform to these two from the same section:
 *      An endpoint's selected connection ID and the QUIC version
 *      are sufficient information to identify packets for a closing
 *      connection; the endpoint MAY discard all other connection state.
 * and:
 *      An endpoint MAY drop packet protection keys when entering the
 *      closing state and send a packet containing a CONNECTION_CLOSE
 *      frame in response to any UDP datagram that is received.
 */
static void copy_tcause(QUIC_TERMINATE_CAUSE *dst,
    const QUIC_TERMINATE_CAUSE *src)
{
    /*
     * do not override reason once it got set.
     */
    if (dst->reason != NULL)
        return;

    dst->error_code = src->error_code;
    dst->frame_type = src->frame_type;
    dst->app = src->app;
    dst->remote = src->remote;

    if (src->reason != NULL && src->reason_len > 0) {
        size_t l = src->reason_len;
        char *r;

        if (l >= SIZE_MAX)
            --l;

        /*
         * If this fails, dst->reason becomes NULL and we simply do not use a
         * reason. This ensures termination is infallible.
         */
        dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
        if (r == NULL)
            return;

        r[l] = '\0';
        dst->reason_len = l;
    }
}

void ossl_quic_channel_set_tcause(QUIC_CHANNEL *ch, uint64_t app_error_code,
    const char *app_reason)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    tcause.app = 1;
    tcause.error_code = app_error_code;
    tcause.reason = app_reason;
    tcause.reason_len = app_reason != NULL ? strlen(app_reason) : 0;
    copy_tcause(&ch->terminate_cause, &tcause);
}

static void ch_start_terminating(QUIC_CHANNEL *ch,
    const QUIC_TERMINATE_CAUSE *tcause,
    int force_immediate)
{
    /* No point sending anything if we haven't sent anything yet. */
    if (!ch->have_sent_any_pkt)
        force_immediate = 1;

    switch (ch->state) {
    default:
    case QUIC_CHANNEL_STATE_IDLE:
        copy_tcause(&ch->terminate_cause, tcause);
        ch_on_terminating_timeout(ch);
        break;

    case QUIC_CHANNEL_STATE_ACTIVE:
        copy_tcause(&ch->terminate_cause, tcause);

        ossl_qlog_event_connectivity_connection_closed(ch_get_qlog(ch), tcause);

        if (!force_immediate) {
            ossl_quic_channel_notify_flush_done(ch);
        } else {
            ch_on_terminating_timeout(ch);
        }
        break;

    case QUIC_CHANNEL_STATE_TERMINATING_CLOSING:
        if (force_immediate)
            ch_on_terminating_timeout(ch);
        else if (tcause->remote)
            /*
             * RFC 9000 s. 10.2.2 Draining Connection State:
             *  An endpoint MAY enter the draining state from the
             *  closing state if it receives a CONNECTION_CLOSE frame,
             *  which indicates that the peer is also closing or draining.
             */
            ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATING_DRAINING);

        break;

    case QUIC_CHANNEL_STATE_TERMINATING_DRAINING:
        /*
         * Other than in the force-immediate case, we remain here until the
         * timeout expires.
         */
        if (force_immediate)
            ch_on_terminating_timeout(ch);

        break;

    case QUIC_CHANNEL_STATE_TERMINATED:
        /* No-op. */
        break;
    }
}

/* For RXDP use. */
void ossl_quic_channel_on_remote_conn_close(QUIC_CHANNEL *ch,
    OSSL_QUIC_FRAME_CONN_CLOSE *f)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    if (!ossl_quic_channel_is_active(ch))
        return;

    tcause.remote = 1;
    tcause.app = f->is_app;
    tcause.error_code = f->error_code;
    tcause.frame_type = f->frame_type;
    tcause.reason = f->reason;
    tcause.reason_len = f->reason_len;
    ch_start_terminating(ch, &tcause, 0);
}

static void free_frame_data(unsigned char *buf, size_t buf_len, void *arg)
{
    OPENSSL_free(buf);
}

static int ch_enqueue_retire_conn_id(QUIC_CHANNEL *ch, uint64_t seq_num)
{
    BUF_MEM *buf_mem = NULL;
    WPACKET wpkt;
    size_t l;

    ossl_quic_srtm_remove(ch->srtm, ch, seq_num);

    if ((buf_mem = BUF_MEM_new()) == NULL)
        goto err;

    if (!WPACKET_init(&wpkt, buf_mem))
        goto err;

    if (!ossl_quic_wire_encode_frame_retire_conn_id(&wpkt, seq_num)) {
        WPACKET_cleanup(&wpkt);
        goto err;
    }

    WPACKET_finish(&wpkt);
    if (!WPACKET_get_total_written(&wpkt, &l))
        goto err;

    if (ossl_quic_cfq_add_frame(ch->cfq, 1, QUIC_PN_SPACE_APP,
            OSSL_QUIC_FRAME_TYPE_RETIRE_CONN_ID, 0,
            (unsigned char *)buf_mem->data, l,
            free_frame_data, NULL)
        == NULL)
        goto err;

    buf_mem->data = NULL;
    BUF_MEM_free(buf_mem);
    return 1;

err:
    ossl_quic_channel_raise_protocol_error(ch,
        OSSL_QUIC_ERR_INTERNAL_ERROR,
        OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
        "internal error enqueueing retire conn id");
    BUF_MEM_free(buf_mem);
    return 0;
}

void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL *ch,
    OSSL_QUIC_FRAME_NEW_CONN_ID *f)
{
    uint64_t new_remote_seq_num = ch->cur_remote_seq_num;
    uint64_t new_retire_prior_to = ch->cur_retire_prior_to;

    if (!ossl_quic_channel_is_active(ch))
        return;

    /* We allow only two active connection ids; first check some constraints */
    if (ch->cur_remote_dcid.id_len == 0) {
        /* Changing from 0 length connection id is disallowed */
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
            OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
            "zero length connection id in use");

        return;
    }

    if (f->seq_num > new_remote_seq_num)
        new_remote_seq_num = f->seq_num;
    if (f->retire_prior_to > new_retire_prior_to)
        new_retire_prior_to = f->retire_prior_to;

    /*
     * RFC 9000-5.1.1: An endpoint MUST NOT provide more connection IDs
     * than the peer's limit.
     *
     * After processing a NEW_CONNECTION_ID frame and adding and retiring
     * active connection IDs, if the number of active connection IDs exceeds
     * the value advertised in its active_connection_id_limit transport
     * parameter, an endpoint MUST close the connection with an error of
     * type CONNECTION_ID_LIMIT_ERROR.
     */
    if (new_remote_seq_num - new_retire_prior_to > 1) {
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
            OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
            "active_connection_id limit violated");
        return;
    }

    /*
     * RFC 9000-5.1.1: An endpoint MAY send connection IDs that temporarily
     * exceed a peer's limit if the NEW_CONNECTION_ID frame also requires
     * the retirement of any excess, by including a sufficiently large
     * value in the Retire Prior To field.
     *
     * RFC 9000-5.1.2: An endpoint SHOULD allow for sending and tracking
     * a number of RETIRE_CONNECTION_ID frames of at least twice the value
     * of the active_connection_id_limit transport parameter.  An endpoint
     * MUST NOT forget a connection ID without retiring it, though it MAY
     * choose to treat having connection IDs in need of retirement that
     * exceed this limit as a connection error of type CONNECTION_ID_LIMIT_ERROR.
     *
     * We are a little bit more liberal than the minimum mandated.
     */
    if (new_retire_prior_to - ch->cur_retire_prior_to > 10) {
        ossl_quic_channel_raise_protocol_error(ch,
            OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
            OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
            "retiring connection id limit violated");

        return;
    }

    if (new_remote_seq_num > ch->cur_remote_seq_num) {
        /* Add new stateless reset token */
        if (!ossl_quic_srtm_add(ch->srtm, ch, new_remote_seq_num,
                &f->stateless_reset)) {
            ossl_quic_channel_raise_protocol_error(
                ch, OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
                OSSL_QUIC_FRAME_TYPE_NEW_CONN_ID,
                "unable to store stateless reset token");

            return;
        }
        ch->cur_remote_seq_num = new_remote_seq_num;
        ch->cur_remote_dcid = f->conn_id;
        ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid);
    }

    /*
     * RFC 9000-5.1.2: Upon receipt of an increased Retire Prior To
     * field, the peer MUST stop using the corresponding connection IDs
     * and retire them with RETIRE_CONNECTION_ID frames before adding the
     * newly provided connection ID to the set of active connection IDs.
     */

    /*
     * Note: RFC 9000 s. 19.15 says:
     *   "An endpoint that receives a NEW_CONNECTION_ID frame with a sequence
     *    number smaller than the Retire Prior To field of a previously received
     *    NEW_CONNECTION_ID frame MUST send a corresponding
     *    RETIRE_CONNECTION_ID frame that retires the newly received connection
     *    ID, unless it has already done so for that sequence number."
     *
     * Since we currently always queue RETIRE_CONN_ID frames based on the Retire
     * Prior To field of a NEW_CONNECTION_ID frame immediately upon receiving
     * that NEW_CONNECTION_ID frame, by definition this will always be met.
     * This may change in future when we change our CID handling.
     */
    while (new_retire_prior_to > ch->cur_retire_prior_to) {
        if (!ch_enqueue_retire_conn_id(ch, ch->cur_retire_prior_to))
            break;
        ++ch->cur_retire_prior_to;
    }
}

static void ch_save_err_state(QUIC_CHANNEL *ch)
{
    if (ch->err_state == NULL)
        ch->err_state = OSSL_ERR_STATE_new();

    if (ch->err_state == NULL)
        return;

    OSSL_ERR_STATE_save(ch->err_state);
}

void ossl_quic_channel_inject(QUIC_CHANNEL *ch, QUIC_URXE *e)
{
    ossl_qrx_inject_urxe(ch->qrx, e);
}

void ossl_quic_channel_inject_pkt(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpkt)
{
    ossl_qrx_inject_pkt(ch->qrx, qpkt);
}

void ossl_quic_channel_on_stateless_reset(QUIC_CHANNEL *ch)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    tcause.error_code = OSSL_QUIC_ERR_NO_ERROR;
    tcause.remote = 1;
    ch_start_terminating(ch, &tcause, 0);
}

void ossl_quic_channel_raise_net_error(QUIC_CHANNEL *ch)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };

    if (ch->net_error)
        return;

    ch->net_error = 1;

    tcause.error_code = OSSL_QUIC_ERR_INTERNAL_ERROR;
    tcause.reason = "network BIO I/O error";
    tcause.reason_len = strlen(tcause.reason);

    /*
     * Skip Terminating state and go directly to Terminated, no point trying to
     * send CONNECTION_CLOSE if we cannot communicate.
     */
    ch_start_terminating(ch, &tcause, 1);
}

int ossl_quic_channel_net_error(QUIC_CHANNEL *ch)
{
    return ch->net_error;
}

void ossl_quic_channel_restore_err_state(QUIC_CHANNEL *ch)
{
    if (ch == NULL)
        return;

    if (!ossl_quic_port_is_running(ch->port))
        ossl_quic_port_restore_err_state(ch->port);
    else
        OSSL_ERR_STATE_restore(ch->err_state);
}

void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch,
    uint64_t error_code,
    uint64_t frame_type,
    const char *reason,
    ERR_STATE *err_state,
    const char *src_file,
    int src_line,
    const char *src_func)
{
    QUIC_TERMINATE_CAUSE tcause = { 0 };
    int err_reason = error_code == OSSL_QUIC_ERR_INTERNAL_ERROR
        ? ERR_R_INTERNAL_ERROR
        : SSL_R_QUIC_PROTOCOL_ERROR;
    const char *err_str = ossl_quic_err_to_string(error_code);
    const char *err_str_pfx = " (", *err_str_sfx = ")";
    const char *ft_str = NULL;
    const char *ft_str_pfx = " (", *ft_str_sfx = ")";

    if (ch->protocol_error)
        /* Only the first call to this function matters. */
        return;

    if (err_str == NULL) {
        err_str = "";
        err_str_pfx = "";
        err_str_sfx = "";
    }

    /*
     * If we were provided an underlying error state, restore it and then append
     * our ERR on top as a "cover letter" error.
     */
    if (err_state != NULL)
        OSSL_ERR_STATE_restore(err_state);

    if (frame_type != 0) {
        ft_str = ossl_quic_frame_type_to_string(frame_type);
        if (ft_str == NULL) {
            ft_str = "";
            ft_str_pfx = "";
            ft_str_sfx = "";
        }

        ERR_raise_data(ERR_LIB_SSL, err_reason,
            "QUIC error code: 0x%llx%s%s%s "
            "(triggered by frame type: 0x%llx%s%s%s), reason: \"%s\"",
            (unsigned long long)error_code,
            err_str_pfx, err_str, err_str_sfx,
            (unsigned long long)frame_type,
            ft_str_pfx, ft_str, ft_str_sfx,
            reason);
    } else {
        ERR_raise_data(ERR_LIB_SSL, err_reason,
            "QUIC error code: 0x%llx%s%s%s, reason: \"%s\"",
            (unsigned long long)error_code,
            err_str_pfx, err_str, err_str_sfx,
            reason);
    }

    if (src_file != NULL)
        ERR_set_debug(src_file, src_line, src_func);

    ch_save_err_state(ch);

    tcause.error_code = error_code;
    tcause.frame_type = frame_type;
    tcause.reason = reason;
    tcause.reason_len = strlen(reason);

    ch->protocol_error = 1;
    ch_start_terminating(ch, &tcause, 0);
}

/*
 * Called once the terminating timer expires, meaning we move from TERMINATING
 * to TERMINATED.
 */
static void ch_on_terminating_timeout(QUIC_CHANNEL *ch)
{
    ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
}

/*
 * Determines the effective idle timeout duration. This is based on the idle
 * timeout values that we and our peer signalled in transport parameters
 * but have some limits applied.
 */
static OSSL_TIME ch_get_effective_idle_timeout_duration(QUIC_CHANNEL *ch)
{
    OSSL_TIME pto;

    if (ch->max_idle_timeout == 0)
        return ossl_time_infinite();

    /*
     * RFC 9000 s. 10.1: Idle Timeout
     *  To avoid excessively small idle timeout periods, endpoints
     *  MUST increase the idle timeout period to be at least three
     *  times the current Probe Timeout (PTO). This allows for
     *  multiple PTOs to expire, and therefore multiple probes to
     *  be sent and lost, prior to idle timeout.
     */
    pto = ossl_ackm_get_pto_duration(ch->ackm);
    return ossl_time_max(ossl_ms2time(ch->max_idle_timeout),
        ossl_time_multiply(pto, 3));
}

/*
 * Updates our idle deadline. Called when an event happens which should bump the
 * idle timeout.
 */
static void ch_update_idle(QUIC_CHANNEL *ch)
{
    ch->idle_deadline = ossl_time_add(get_time(ch),
        ch_get_effective_idle_timeout_duration(ch));
}

/*
 * Updates our ping deadline, which determines when we next generate a ping if
 * we don't have any other ACK-eliciting frames to send.
 */
static void ch_update_ping_deadline(QUIC_CHANNEL *ch)
{
    OSSL_TIME max_span, idle_duration;

    idle_duration = ch_get_effective_idle_timeout_duration(ch);
    if (ossl_time_is_infinite(idle_duration)) {
        ch->ping_deadline = ossl_time_infinite();
        return;
    }

    /*
     * Maximum amount of time without traffic before we send a PING to keep
     * the connection open. Usually we use max_idle_timeout/2, but ensure
     * the period never exceeds the assumed NAT interval to ensure NAT
     * devices don't have their state time out (RFC 9000 s. 10.1.2).
     */
    max_span = ossl_time_divide(idle_duration, 2);
    max_span = ossl_time_min(max_span, MAX_NAT_INTERVAL);
    ch->ping_deadline = ossl_time_add(get_time(ch), max_span);
}

/* Called when the idle timeout expires. */
static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
{
    /*
     * Idle timeout does not have an error code associated with it because a
     * CONN_CLOSE is never sent for it. We shouldn't use this data once we reach
     * TERMINATED anyway.
     */
    ch->terminate_cause.app = 0;
    ch->terminate_cause.error_code = OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT;
    ch->terminate_cause.frame_type = 0;

    ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
}

/**
 * @brief Common handler for initializing a new QUIC connection.
 *
 * This function configures a QUIC channel (`QUIC_CHANNEL *ch`) for a new
 * connection by setting the peer address, connection IDs, and necessary
 * callbacks. It establishes initial secrets, sets up logging, and performs
 * required transitions for the channel state.
 *
 * @param ch       Pointer to the QUIC channel being initialized.
 * @param peer     Address of the peer to which the channel connects.
 * @param peer_scid Peer-specified source connection ID.
 * @param peer_dcid Peer-specified destination connection ID.
 * @param peer_odcid Peer-specified original destination connection ID
 *                   may be NULL if retry frame not sent to client
 * @return         1 on success, 0 on failure to set required elements.
 */
static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
    const QUIC_CONN_ID *peer_scid,
    const QUIC_CONN_ID *peer_dcid,
    const QUIC_CONN_ID *peer_odcid)
{
    /* Note our newly learnt peer address and CIDs. */
    if (!ossl_quic_channel_set_peer_addr(ch, peer))
        return 0;

    ch->init_dcid = *peer_dcid;
    ch->cur_remote_dcid = *peer_scid;
    ch->odcid.id_len = 0;

    if (peer_odcid != NULL)
        ch->odcid = *peer_odcid;

    /* Inform QTX of peer address. */
    if (!ossl_quic_tx_packetiser_set_peer(ch->txp, &ch->cur_peer_addr))
        return 0;

    /* Inform TXP of desired CIDs. */
    if (!ossl_quic_tx_packetiser_set_cur_dcid(ch->txp, &ch->cur_remote_dcid))
        return 0;

    if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
        return 0;

    /* Setup QLOG, which did not happen earlier due to lacking an Initial ODCID. */
    ossl_qtx_set_qlog_cb(ch->qtx, ch_get_qlog_cb, ch);
    ossl_quic_tx_packetiser_set_qlog_cb(ch->txp, ch_get_qlog_cb, ch);

    /*
     * Plug in secrets for the Initial EL. secrets for QRX were created in
     * port_default_packet_handler() already.
     */
    if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
            ch->port->engine->propq,
            &ch->init_dcid,
            /*is_server=*/1,
            NULL, ch->qtx))
        return 0;

    /* Register the peer ODCID in the LCIDM. */
    if (!ossl_quic_lcidm_enrol_odcid(ch->lcidm, ch, peer_odcid == NULL ? &ch->init_dcid : peer_odcid))
        return 0;

    /* Change state. */
    ch_record_state_transition(ch, QUIC_CHANNEL_STATE_ACTIVE);
    ch->doing_proactive_ver_neg = 0; /* not currently supported */
    return 1;
}

/* Called when we, as a server, get a new incoming connection. */
int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
    const QUIC_CONN_ID *peer_scid,
    const QUIC_CONN_ID *peer_dcid)
{
    if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
        return 0;

    /* Generate an Initial LCID we will use for the connection. */
    if (!ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->cur_local_cid))
        return 0;

    return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, NULL);
}

/**
 * Binds a QUIC channel to a specific peer's address and connection IDs.
 *
 * This function is used to establish a binding between a QUIC channel and a
 * peer's address and connection IDs. The binding is performed only if the
 * channel is idle and is on the server side. The peer's destination connection
 * ID (`peer_dcid`) is mandatory, and the channel's current local connection ID
 * is set to this value.
 *
 * @param ch          Pointer to the QUIC_CHANNEL structure representing the
 *                    channel to be bound.
 * @param peer        Pointer to a BIO_ADDR structure representing the peer's
 *                    address.
 * @param peer_scid   Pointer to the peer's source connection ID (QUIC_CONN_ID).
 * @param peer_dcid   Pointer to the peer's destination connection ID
 *                    (QUIC_CONN_ID). This must not be NULL.
 * @param peer_odcid  Pointer to the original destination connection ID
 *                    (QUIC_CONN_ID) chosen by the peer in its first initial
 *                    packet received without a token.
 *
 * @return 1 on success, or 0 on failure if the conditions for binding are not
 *         met (e.g., channel is not idle or not a server, or binding fails).
 */
int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
    const QUIC_CONN_ID *peer_scid,
    const QUIC_CONN_ID *peer_dcid,
    const QUIC_CONN_ID *peer_odcid)
{
    if (peer_dcid == NULL)
        return 0;

    if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
        return 0;

    if (!ossl_quic_lcidm_bind_channel(ch->lcidm, ch, peer_dcid))
        return 0;

    ch->cur_local_cid = *peer_dcid;

    /*
     * peer_odcid <=> is initial dst conn id chosen by peer in its
     * first initial packet we received without token.
     */
    return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, peer_odcid);
}

SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
{
    return ch->tls;
}

static int ch_init_new_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs,
    int can_send, int can_recv)
{
    uint64_t rxfc_wnd;
    int server_init = ossl_quic_stream_is_server_init(qs);
    int local_init = (ch->is_server == server_init);
    int is_uni = !ossl_quic_stream_is_bidi(qs);

    if (can_send)
        if ((qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL)
            goto err;

    if (can_recv)
        if ((qs->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL)
            goto err;

    /* TXFC */
    if (!ossl_quic_txfc_init(&qs->txfc, &ch->conn_txfc))
        goto err;

    if (ch->got_remote_transport_params) {
        /*
         * If we already got peer TPs we need to apply the initial CWM credit
         * now. If we didn't already get peer TPs this will be done
         * automatically for all extant streams when we do.
         */
        if (can_send) {
            uint64_t cwm;

            if (is_uni)
                cwm = ch->rx_init_max_stream_data_uni;
            else if (local_init)
                cwm = ch->rx_init_max_stream_data_bidi_local;
            else
                cwm = ch->rx_init_max_stream_data_bidi_remote;

            ossl_quic_txfc_bump_cwm(&qs->txfc, cwm);
        }
    }

    /* RXFC */
    if (!can_recv)
        rxfc_wnd = 0;
    else if (is_uni)
        rxfc_wnd = ch->tx_init_max_stream_data_uni;
    else if (local_init)
        rxfc_wnd = ch->tx_init_max_stream_data_bidi_local;
    else
        rxfc_wnd = ch->tx_init_max_stream_data_bidi_remote;

    if (!ossl_quic_rxfc_init(&qs->rxfc, &ch->conn_rxfc,
            rxfc_wnd,
            DEFAULT_STREAM_RXFC_MAX_WND_MUL * rxfc_wnd,
            get_time, ch))
        goto err;

    return 1;

err:
    ossl_quic_sstream_free(qs->sstream);
    qs->sstream = NULL;
    ossl_quic_rstream_free(qs->rstream);
    qs->rstream = NULL;
    return 0;
}

static uint64_t *ch_get_local_stream_next_ordinal_ptr(QUIC_CHANNEL *ch,
    int is_uni)
{
    return is_uni ? &ch->next_local_stream_ordinal_uni
                  : &ch->next_local_stream_ordinal_bidi;
}

static const uint64_t *ch_get_local_stream_max_ptr(const QUIC_CHANNEL *ch,
    int is_uni)
{
    return is_uni ? &ch->max_local_streams_uni
                  : &ch->max_local_streams_bidi;
}

static const QUIC_RXFC *ch_get_remote_stream_count_rxfc(const QUIC_CHANNEL *ch,
    int is_uni)
{
    return is_uni ? &ch->max_streams_uni_rxfc
                  : &ch->max_streams_bidi_rxfc;
}

int ossl_quic_channel_is_new_local_stream_admissible(QUIC_CHANNEL *ch,
    int is_uni)
{
    const uint64_t *p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);

    return ossl_quic_stream_map_is_local_allowed_by_stream_limit(&ch->qsm,
        *p_next_ordinal,
        is_uni);
}

uint64_t ossl_quic_channel_get_local_stream_count_avail(const QUIC_CHANNEL *ch,
    int is_uni)
{
    const uint64_t *p_next_ordinal, *p_max;

    p_next_ordinal = ch_get_local_stream_next_ordinal_ptr((QUIC_CHANNEL *)ch,
        is_uni);
    p_max = ch_get_local_stream_max_ptr(ch, is_uni);

    return *p_max - *p_next_ordinal;
}

uint64_t ossl_quic_channel_get_remote_stream_count_avail(const QUIC_CHANNEL *ch,
    int is_uni)
{
    return ossl_quic_rxfc_get_credit(ch_get_remote_stream_count_rxfc(ch, is_uni));
}

QUIC_STREAM *ossl_quic_channel_new_stream_local(QUIC_CHANNEL *ch, int is_uni)
{
    QUIC_STREAM *qs;
    int type;
    uint64_t stream_id;
    uint64_t *p_next_ordinal;

    type = ch->is_server ? QUIC_STREAM_INITIATOR_SERVER
                         : QUIC_STREAM_INITIATOR_CLIENT;

    p_next_ordinal = ch_get_local_stream_next_ordinal_ptr(ch, is_uni);

    if (is_uni)
        type |= QUIC_STREAM_DIR_UNI;
    else
        type |= QUIC_STREAM_DIR_BIDI;

    if (*p_next_ordinal >= ((uint64_t)1) << 62)
        return NULL;

    stream_id = ((*p_next_ordinal) << 2) | type;

    if ((qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id, type)) == NULL)
        return NULL;

    /* Locally-initiated stream, so we always want a send buffer. */
    if (!ch_init_new_stream(ch, qs, /*can_send=*/1, /*can_recv=*/!is_uni))
        goto err;

    ++*p_next_ordinal;
    return qs;

err:
    ossl_quic_stream_map_release(&ch->qsm, qs);
    return NULL;
}

QUIC_STREAM *ossl_quic_channel_new_stream_remote(QUIC_CHANNEL *ch,
    uint64_t stream_id)
{
    uint64_t peer_role;
    int is_uni;
    QUIC_STREAM *qs;

    peer_role = ch->is_server
        ? QUIC_STREAM_INITIATOR_CLIENT
        : QUIC_STREAM_INITIATOR_SERVER;

    if ((stream_id & QUIC_STREAM_INITIATOR_MASK) != peer_role)
        return NULL;

    is_uni = ((stream_id & QUIC_STREAM_DIR_MASK) == QUIC_STREAM_DIR_UNI);

    qs = ossl_quic_stream_map_alloc(&ch->qsm, stream_id,
        stream_id & (QUIC_STREAM_INITIATOR_MASK | QUIC_STREAM_DIR_MASK));
    if (qs == NULL)
        return NULL;

    if (!ch_init_new_stream(ch, qs, /*can_send=*/!is_uni, /*can_recv=*/1))
        goto err;

    if (ch->incoming_stream_auto_reject)
        ossl_quic_channel_reject_stream(ch, qs);
    else
        ossl_quic_stream_map_push_accept_queue(&ch->qsm, qs);

    return qs;

err:
    ossl_quic_stream_map_release(&ch->qsm, qs);
    return NULL;
}

void ossl_quic_channel_set_incoming_stream_auto_reject(QUIC_CHANNEL *ch,
    int enable,
    uint64_t aec)
{
    ch->incoming_stream_auto_reject = (enable != 0);
    ch->incoming_stream_auto_reject_aec = aec;
}

void ossl_quic_channel_reject_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs)
{
    ossl_quic_stream_map_stop_sending_recv_part(&ch->qsm, qs,
        ch->incoming_stream_auto_reject_aec);

    ossl_quic_stream_map_reset_stream_send_part(&ch->qsm, qs,
        ch->incoming_stream_auto_reject_aec);
    qs->deleted = 1;

    ossl_quic_stream_map_update_state(&ch->qsm, qs);
}

/* Replace local connection ID in TXP and DEMUX for testing purposes. */
int ossl_quic_channel_replace_local_cid(QUIC_CHANNEL *ch,
    const QUIC_CONN_ID *conn_id)
{
    /* Remove the current LCID from the LCIDM. */
    if (!ossl_quic_lcidm_debug_remove(ch->lcidm, &ch->cur_local_cid))
        return 0;
    ch->cur_local_cid = *conn_id;
    /* Set in the TXP, used only for long header packets. */
    if (!ossl_quic_tx_packetiser_set_cur_scid(ch->txp, &ch->cur_local_cid))
        return 0;
    /* Add the new LCID to the LCIDM. */
    if (!ossl_quic_lcidm_debug_add(ch->lcidm, ch, &ch->cur_local_cid,
            100))
        return 0;
    return 1;
}

void ossl_quic_channel_set_msg_callback(QUIC_CHANNEL *ch,
    ossl_msg_cb msg_callback,
    SSL *msg_callback_ssl)
{
    ch->msg_callback = msg_callback;
    ch->msg_callback_ssl = msg_callback_ssl;
    ossl_qtx_set_msg_callback(ch->qtx, msg_callback, msg_callback_ssl);
    ossl_quic_tx_packetiser_set_msg_callback(ch->txp, msg_callback,
        msg_callback_ssl);
    /*
     * postpone msg callback setting for tserver until port calls
     * port_bind_channel().
     */
    if (ch->is_tserver_ch == 0)
        ossl_qrx_set_msg_callback(ch->qrx, msg_callback, msg_callback_ssl);
}

void ossl_quic_channel_set_msg_callback_arg(QUIC_CHANNEL *ch,
    void *msg_callback_arg)
{
    ch->msg_callback_arg = msg_callback_arg;
    ossl_qtx_set_msg_callback_arg(ch->qtx, msg_callback_arg);
    ossl_quic_tx_packetiser_set_msg_callback_arg(ch->txp, msg_callback_arg);

    /*
     * postpone msg callback setting for tserver until port calls
     * port_bind_channel().
     */
    if (ch->is_tserver_ch == 0)
        ossl_qrx_set_msg_callback_arg(ch->qrx, msg_callback_arg);
}

void ossl_quic_channel_set_txku_threshold_override(QUIC_CHANNEL *ch,
    uint64_t tx_pkt_threshold)
{
    ch->txku_threshold_override = tx_pkt_threshold;
}

uint64_t ossl_quic_channel_get_tx_key_epoch(QUIC_CHANNEL *ch)
{
    return ossl_qtx_get_key_epoch(ch->qtx);
}

uint64_t ossl_quic_channel_get_rx_key_epoch(QUIC_CHANNEL *ch)
{
    return ossl_qrx_get_key_epoch(ch->qrx);
}

int ossl_quic_channel_trigger_txku(QUIC_CHANNEL *ch)
{
    if (!txku_allowed(ch))
        return 0;

    ch->ku_locally_initiated = 1;
    ch_trigger_txku(ch);
    return 1;
}

int ossl_quic_channel_ping(QUIC_CHANNEL *ch)
{
    int pn_space = ossl_quic_enc_level_to_pn_space(ch->tx_enc_level);

    ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, pn_space);

    return 1;
}

uint16_t ossl_quic_channel_get_diag_num_rx_ack(QUIC_CHANNEL *ch)
{
    return ch->diag_num_rx_ack;
}

void ossl_quic_channel_get_diag_local_cid(QUIC_CHANNEL *ch, QUIC_CONN_ID *cid)
{
    *cid = ch->cur_local_cid;
}

int ossl_quic_channel_have_generated_transport_params(const QUIC_CHANNEL *ch)
{
    return ch->got_local_transport_params;
}

void ossl_quic_channel_set_max_idle_timeout_request(QUIC_CHANNEL *ch, uint64_t ms)
{
    ch->max_idle_timeout_local_req = ms;
}
uint64_t ossl_quic_channel_get_max_idle_timeout_request(const QUIC_CHANNEL *ch)
{
    return ch->max_idle_timeout_local_req;
}

uint64_t ossl_quic_channel_get_max_idle_timeout_peer_request(const QUIC_CHANNEL *ch)
{
    return ch->max_idle_timeout_remote_req;
}

uint64_t ossl_quic_channel_get_max_idle_timeout_actual(const QUIC_CHANNEL *ch)
{
    return ch->max_idle_timeout;
}

Coverage Report

Created: 2025-12-14 06:48