authorHugo Landau <hlandau@openssl.org>2024-02-15 09:14:41 +0000
committerHugo Landau <hlandau@openssl.org>2024-03-07 23:48:49 +0000
commit5f02bbd5a6e7157faefb944ac5f11e0f6b024740 (patch)
tree9913be5cf876c899f27332056bd08388848fc8f9
parentc38558357de693ac9807d42c5f700ee59de7f20d (diff)
QUIC: Define error code for stateless reset
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
-rw-r--r--doc/man3/SSL_get_conn_close_info.pod28
-rw-r--r--include/openssl/quic.h4
-rw-r--r--ssl/quic/quic_channel.c2
-rw-r--r--util/other.syms1
4 files changed, 33 insertions, 2 deletions
diff --git a/doc/man3/SSL_get_conn_close_info.pod b/doc/man3/SSL_get_conn_close_info.pod
index bb5bc72b7a..badb3bf7a6 100644
--- a/doc/man3/SSL_get_conn_close_info.pod
+++ b/doc/man3/SSL_get_conn_close_info.pod
@@ -23,7 +23,8 @@ OSSL_QUIC_ERR_AEAD_LIMIT_REACHED,
OSSL_QUIC_ERR_NO_VIABLE_PATH,
OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN,
OSSL_QUIC_ERR_CRYPTO_ERR_END,
-OSSL_QUIC_ERR_CRYPTO_ERR
+OSSL_QUIC_ERR_CRYPTO_ERR,
+OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
- get information about why a QUIC connection was closed
=head1 SYNOPSIS
@@ -67,6 +68,8 @@ OSSL_QUIC_ERR_CRYPTO_ERR
#define OSSL_QUIC_ERR_CRYPTO_ERR(X)
+ #define OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
+
=head1 DESCRIPTION
The SSL_get_conn_close_info() function provides information about why and how a
@@ -124,6 +127,29 @@ by the local or remote application.
=back
+The B<OSSL_QUIC_ERR> macro definitions provide the QUIC transport error codes as
+defined by RFC 9000. The OSSL_QUIC_ERR_CRYPTO_ERR() macro can be used to convert
+a TLS alert code into a QUIC transport error code by mapping it into the range
+reserved for such codes by RFC 9000. This range begins at
+B<OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN> and ends at B<OSSL_QUIC_ERR_CRYPTO_ERR_END>
+inclusive.
+
+=head1 NON-STANDARD TRANSPORT ERROR CODES
+
+Some conditions which can cause QUIC connection termination are not signalled on
+the wire and therefore do not have standard error codes. OpenSSL indicates these
+errors via SSL_get_conn_close_info() by setting B<SSL_CONN_CLOSE_FLAG_TRANSPORT>
+and using one of the following error values. These codes are specific to
+OpenSSL, and cannot be sent over the wire, as they are above 2**62.
+
+=over 4
+
+=item B<OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT>
+
+The connection was terminated immediately due to the idle timeout expiring.
+
+=back
+
=head1 RETURN VALUES
SSL_get_conn_close_info() returns 1 on success and 0 on failure. This function
diff --git a/include/openssl/quic.h b/include/openssl/quic.h
index 853b944316..f66d643261 100644
--- a/include/openssl/quic.h
+++ b/include/openssl/quic.h
@@ -58,6 +58,10 @@ __owur const SSL_METHOD *OSSL_QUIC_client_thread_method(void);
# define OSSL_QUIC_ERR_CRYPTO_ERR(X) \
(OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN + (X))
+/* Local errors. */
+# define OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT \
+ ((uint64_t)0xFFFFFFFFFFFFFFFFULL)
+
# ifdef __cplusplus
}
# endif
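Review bot: The `/* Local errors. */` comment over `OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT` leaves out the property callers rely on: the value lies outside the range a QUIC variable-length integer can carry, so it can never equal a code received from a peer. I would expand it to `/* Local errors: OpenSSL-only, never sent on the wire; values are >= 2**62 so they cannot collide with RFC 9000 codes. */`. Applications that log or forward `error_code` should treat this range as locally generated, not as a peer-supplied transport error. The hunk does not show whether quic.h already includes `<stdint.h>` for the `uint64_t` cast, so that is worth confirming. Separately, the commit title refers to stateless reset while the only code defined in the visible hunks is for idle timeout, which may mislead someone searching the history.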
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index 9bab5d005b..5bc08fad91 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -3325,7 +3325,7 @@ static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
* TERMINATED anyway.
*/
ch->terminate_cause.app = 0;
- ch->terminate_cause.error_code = UINT64_MAX;
+ ch->terminate_cause.error_code = OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT;
ch->terminate_cause.frame_type = 0;
ch_record_state_transition(ch, QUIC_CHANNEL_STATE_TERMINATED);
diff --git a/util/other.syms b/util/other.syms
index b12aba44e6..e8a813c9bb 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -510,6 +510,7 @@ OSSL_QUIC_ERR_NO_VIABLE_PATH define
OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN define
OSSL_QUIC_ERR_CRYPTO_ERR_END define
OSSL_QUIC_ERR_CRYPTO_ERR define
+OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT define
PEM_FLAG_EAY_COMPATIBLE define
PEM_FLAG_ONLY_B64 define
PEM_FLAG_SECURE define