Commit Graph

7806 Commits

Author SHA1 Message Date
Vladimir Homutov
a3163fa4b2 QUIC: fixed GSO packets count.
Thanks to Andrey Kolyshkin <a.kolyshkin@corp.vk.com>
2021-11-09 21:17:05 +03:00
Vladimir Homutov
6f9f8bf96e QUIC: removed dead code.
The function is no longer used since b3d9e57d0f62.
2021-11-10 13:49:01 +03:00
Vladimir Homutov
df22336bfa QUIC: converted client_tp_done to bitfield. 2021-11-08 15:41:12 +03:00
Vladimir Homutov
9ca3a02e68 QUIC: fixed removal of unused client IDs.
If client ID was never used, its refcount is zero.  To keep things simple,
the ngx_quic_unref_client_id() function is now aware of such IDs.

If client ID was used, the ngx_quic_replace_retired_client_id() function
is supposed to find all users and unref the ID, thus ngx_quic_unref_client_id()
should not be called after it.
2021-10-13 14:48:33 +03:00
Vladimir Homutov
0572c2a69f QUIC: connections with wrong ALPN protocols are now rejected.
Previously, it was not enforced in the stream module.
Now, since b9e02e9b2f1d it is possible to specify protocols.

Since ALPN is always required, the 'require_alpn' setting is now obsolete.
2021-11-03 13:36:21 +03:00
Vladimir Homutov
5f9c4e15a3 QUIC: refactored packet creation.
The "min" and "max" arguments refer to UDP datagram size.  Generating payload
requires to account properly for header size, which is variable and depends on
payload size and packet number.
2021-10-07 13:48:29 +03:00
Vladimir Homutov
151985c931 QUIC: removed unused argument in ngx_quic_create_short_header(). 2021-10-07 12:24:47 +03:00
Vladimir Homutov
47caa66489 QUIC: added function to initialize packet. 2021-09-30 12:02:29 +03:00
Vladimir Homutov
dbb59fba8c QUIC: fixed processing of minimum packet size.
If packet needs to be expanded (for example Initial to 1200 bytes),
but path limit is less, such packet should not be created/sent.
2021-10-22 12:59:44 +03:00
Vladimir Homutov
f5d0c6db67 QUIC: added shutdown support in stream proxy. 2021-09-23 16:25:49 +03:00
Sergey Kandaurov
bbd05ae252 Merged with the default branch. 2021-11-03 11:22:07 +03:00
Sergey Kandaurov
8f8cb92e92 QUIC: style. 2021-10-26 18:05:57 +03:00
Sergey Kandaurov
01d27365c6 QUIC: speeding up processing 0-RTT.
After fe919fd63b0b, processing QUIC streams was postponed until after handshake
completion, which means that 0-RTT is effectively off.  With ssl_ocsp enabled,
it could be further delayed.  This differs from how OCSP validation works with
SSL_read_early_data().  With this change, processing QUIC streams is unlocked
when obtaining 0-RTT secret.
2021-10-26 17:43:10 +03:00
Sergey Kandaurov
2f754d5dcf QUIC: refactored OCSP validation in preparation for 0-RTT support. 2021-10-26 17:43:10 +03:00
Vladimir Homutov
12bda330d9 QUIC: switched to integer arithmetic in rtt calculations.
RFC 9002 uses constants implying effective implementation,
i.e. using bit shift operations instead of floating point.
2021-10-19 14:32:50 +03:00
Vladimir Homutov
0cd45dea76 QUIC: optimized ack range processing.
The sent queue is sorted by packet number.  It is possible to avoid
traversing full queue while handling ack ranges.  It makes sense to
start traversing from the queue head (i.e. check oldest packets first).
2021-10-15 12:26:42 +03:00
Roman Arutyunyan
da28a4c626 QUIC: limited the total number of frames.
Exceeding 10000 allocated frames is considered a flood.
2021-10-13 14:46:51 +03:00
Roman Arutyunyan
6e58593a59 QUIC: traffic-based flood detection.
With this patch, all traffic over a QUIC connection is compared to traffic
over QUIC streams.  As long as total traffic is many times larger than stream
traffic, we consider this to be a flood.
2021-10-13 14:41:46 +03:00
Roman Arutyunyan
434f11bf3f HTTP/3: traffic-based flood detection.
With this patch, all traffic over HTTP/3 bidi and uni streams is counted in
the h3c->total_bytes field, and payload traffic is counted in the
h3c->payload_bytes field.  As long as total traffic is many times larger than
payload traffic, we consider this to be a flood.

Request header traffic is counted as if all fields are literal.  Response
header traffic is counted as is.
2021-10-07 13:22:42 +03:00
Roman Arutyunyan
0c33e484a4 HTTP/3: fixed request length calculation.
Previously, when request was blocked, r->request_length was not updated.
2021-10-06 14:51:16 +03:00
Roman Arutyunyan
ec86cf18fa HTTP/3: removed client-side encoder support.
Dynamic tables are not used when generating responses anyway.
2021-10-06 14:48:59 +03:00
Martin Duke
7b12abb0a8 QUIC: attempt decrypt before checking for stateless reset.
Checking the reset after encryption avoids false positives.  More importantly,
it avoids the check entirely in the usual case where decryption succeeds.

RFC 9000, 10.3.1  Detecting a Stateless Reset

    Endpoints MAY skip this check if any packet from a datagram is
    successfully processed.
2021-10-12 11:57:50 +03:00
Martin Duke
5e37df0bf4 QUIC: Check if CID has been used in stateless reset check
Section 10.3.1 of RFC9000 requires this check.
2021-10-12 11:56:49 +03:00
Roman Arutyunyan
010f974e44 QUIC: send RESET_STREAM in response to STOP_SENDING.
As per RFC 9000:

   An endpoint that receives a STOP_SENDING frame MUST send a RESET_STREAM
   frame if the stream is in the "Ready" or "Send" state.

   An endpoint SHOULD copy the error code from the STOP_SENDING frame to
   the RESET_STREAM frame it sends, but it can use any application error code.
2021-09-21 16:24:33 +03:00
Roman Arutyunyan
22f2dc2a87 QUIC: reset stream only once. 2021-09-22 14:02:56 +03:00
Roman Arutyunyan
38d56f4ccd HTTP/3: reset streams with incomplete responses or timeouts.
This prevents client from closing the QUIC connection due to response parse
error.
2021-09-27 17:08:48 +03:00
Roman Arutyunyan
b6b2a45fb6 Added r->response_sent flag.
The flag indicates that the entire response was sent to the socket up to the
last_buf flag.  The flag is only usable for protocol implementations that call
ngx_http_write_filter() from header filter, such as HTTP/1.x and HTTP/3.
2021-09-30 17:14:42 +03:00
Sergey Kandaurov
3c31d3f421 Stream: fixed segfault when using SSL certificates with variables.
Similar to the previous change, a segmentation fault occurres when evaluating
SSL certificates on a QUIC connection due to an uninitialized stream session.
The fix is to adjust initializing the QUIC part of a connection until after
it has session and variables initialized.

Similarly, this appends logging error context for QUIC connections:
- client 127.0.0.1:54749 connected to 127.0.0.1:8880 while handling frames
- quic client timed out (60: Operation timed out) while handling quic input
2021-09-29 15:06:28 +03:00
Sergey Kandaurov
dab6035d68 HTTP/3: fixed segfault when using SSL certificates with variables.
A QUIC connection doesn't have c->log->data and friends initialized to sensible
values.  Yet, a request can be created in the certificate callback with such an
assumption, which leads to a segmentation fault due to null pointer dereference
in ngx_http_free_request().  The fix is to adjust initializing the QUIC part of
a connection such that it has all of that in place.

Further, this appends logging error context for unsuccessful QUIC handshakes:
- cannot load certificate .. while handling frames
- SSL_do_handshake() failed .. while sending frames
2021-09-29 15:01:59 +03:00
Sergey Kandaurov
1ea6f35fbf Stream: detect "listen .. quic" without TLSv1.3. 2021-09-29 15:01:56 +03:00
Sergey Kandaurov
2765b63216 Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.
In particular, this fixes rejecting "listen .. quic|http3" configurations
without TLSv1.3 configured.
2021-09-29 15:01:53 +03:00
Sergey Kandaurov
4d92aa7957 HTTP/3: fixed server push after ea9b645472b5.
Unlike in HTTP/2, both "host" and ":authority" reside in r->headers_in.server.
2021-09-27 17:42:53 +03:00
Sergey Kandaurov
a5b5b6ca0f QUIC: moved a variable initialization near to its use.
This tends to produce slightly more optimal code with pos == NULL
when built with Clang on low optimization levels.

Spotted by Ruslan Ermilov.
2021-09-27 15:38:55 +03:00
Ruslan Ermilov
f2859767d4 Configure: fixed QUIC support test.
OpenSSL library QUIC support cannot be tested at configure time when
using the --with-openssl option so assume it's present if requested.
While here, fixed the error message in case QUIC support is missing.
2021-09-27 10:10:38 +03:00
Ruslan Ermilov
8ce1c2c7e9 Configure: check for QUIC 0-RTT support at compile time. 2021-09-27 10:10:37 +03:00
Sergey Kandaurov
2cd173d450 HTTP/3: fixed null pointer dereference with server push.
See details for HTTP/2 fix in 8b0553239592 for a complete description.
2021-09-22 14:10:43 +03:00
Roman Arutyunyan
08dcf62f5b HTTP/3: fixed ngx_stat_active counter.
Previously the counter was not incremented for HTTP/3 streams, but still
decremented in ngx_http_close_connection().  There are two solutions here, one
is to increment the counter for HTTP/3 streams, and the other one is not to
decrement the counter for HTTP/3 streams.  The latter solution looks
inconsistent with ngx_stat_reading/ngx_stat_writing, which are incremented on a
per-request basis.  The change adds ngx_stat_active increment for HTTP/3
request and push streams.
2021-09-22 14:08:21 +03:00
Roman Arutyunyan
3ae914c837 HTTP/3: fixed pushed request finalization in case of error.
Previously request could be finalized twice.  For example, this could happen
if "Host" header was invalid.
2021-09-17 15:28:31 +03:00
Sergey Kandaurov
4e2e70b16c QUIC: set NGX_TCP_NODELAY_DISABLED for fake stream connections.
Notably, it is to avoid setting the TCP_NODELAY flag for QUIC streams
in ngx_http_upstream_send_response().  It is an invalid operation on
inherently SOCK_DGRAM sockets, which leads to QUIC connection close.

The change reduces diff to the default branch in stream content phase.
2021-09-22 14:01:18 +03:00
Roman Arutyunyan
b2c8e690ce QUIC: simplified stream fd initialization. 2021-09-21 18:25:26 +03:00
Ruslan Ermilov
af2121267b Configure: USE_OPENSSL_QUIC=YES implies USE_OPENSSL=YES. 2021-09-21 14:46:30 +03:00
Ruslan Ermilov
cafaea71e9 Configure: ordered directories. 2021-09-21 14:46:25 +03:00
Ruslan Ermilov
3321ca0c83 Configure: simplified condition. 2021-09-21 14:46:17 +03:00
Roman Arutyunyan
0f3eb180d2 HTTP/3: make ngx_http_log_error() static again.
This function was only referenced from ngx_http_v3_create_push_request() to
initialize push connection log.  Now the log handler is copied from the parent
request connection.

The change reduces diff to the default branch.
2021-09-17 16:32:23 +03:00
Roman Arutyunyan
00bb4e4b8d QUIC: separate event handling functions.
The functions ngx_quic_handle_read_event() and ngx_quic_handle_write_event()
are added.  Previously this code was a part of ngx_handle_read_event() and
ngx_handle_write_event().

The change simplifies ngx_handle_read_event() and ngx_handle_write_event()
by moving QUIC-related code to a QUIC source file.
2021-09-09 16:55:00 +03:00
Sergey Kandaurov
9d7f2e7917 HTTP/3: added CONNECT and TRACE methods rejection.
It has got lost in e1eb7f4ca9f1, let alone a subsequent update in 63c66b7cc07c.
2021-09-16 13:13:22 +03:00
Ruslan Ermilov
bd89c448b7 Removed NGX_OPENSSL_QUIC macro, NGX_QUIC is enough. 2021-09-14 12:09:13 +03:00
Sergey Kandaurov
10cafa75a4 HTTP/3: added debug logging of response fields.
Because of QPACK compression it's hard to see what fields are actually
sent by the server.
2021-09-13 16:25:37 +03:00
Sergey Kandaurov
bacd7ef0be HTTP/3: Huffman encoding for the Location response field. 2021-09-13 16:25:32 +03:00
Sergey Kandaurov
12cf623bc2 HTTP/3: Huffman encoding for the Last-Modified response field. 2021-09-13 16:25:31 +03:00