Commit Graph

7793 Commits

Author SHA1 Message Date
Vladimir Homutov
cd54c1cab7 Firefox fixes.
+ support for more than one initial packet
 + workaround for trailing zeroes in packet
 + ignore application data packet if no keys yet (issue in draft 27/ff nightly)
 + fixed PING frame parser
 + STREAM frames need to be acknowledged

The following HTTP configuration is used for firefox (v74):

http {

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;
    ssl_protocols TLSv1.2 TLSv1.3;

    server {
        listen 127.0.0.1:10368 reuseport http3;
        ssl_quic on;
        server_name  localhost;

        location / {
            return 200 "This-is-QUICK\n";
        }
    }
    server {
        listen 127.0.0.1:5555 ssl; # point the browser here
        server_name  localhost;
        location / {
            add_header Alt-Svc 'h3-24=":10368";ma=100';
            return 200 "ALT-SVC";
        }
    }
}
2020-03-17 14:10:37 +03:00
Vladimir Homutov
ca7943393e Fixed a typo with OpenSSL. 2020-03-16 19:42:57 +03:00
Vladimir Homutov
d0ebfa4cb9 Split transport and crypto parts into separate files.
New files:
    src/event/ngx_event_quic_protection.h
    src/event/ngx_event_quic_protection.c

The protection.h header provides interface to the crypto part of the QUIC:

2 functions to initialize corresponding secrets:

ngx_quic_set_initial_secret()
ngx_quic_set_encryption_secret()

and 2 functions to deal with packet processing:

ngx_quic_encrypt()
ngx_quic_decrypt()

Also, structures representing secrets are defined there.

All functions require SSL connection and a pool, only crypto operations
inside, no access to nginx connections or events.

Currently pool->log is used for the logging (instead of original c->log).
2020-03-16 19:00:47 +03:00
Vladimir Homutov
0d8984083b Added processing of CONNECTION CLOSE frames.
Contents is parsed and debug is output. No actions are taken.
2020-03-16 13:06:43 +03:00
Roman Arutyunyan
5399670fcc Temporary fix for header null-termination in HTTP/3. 2020-03-14 13:18:55 +03:00
Sergey Kandaurov
1ac31c01b4 Fixed header protection application with pn length > 1. 2020-03-14 03:15:09 +03:00
Roman Arutyunyan
11dfc1c943 Fixed sanitizer errors. 2020-03-13 20:44:32 +03:00
Vladimir Homutov
8f35d300ed Added check for initialized c->ssl before calling SSL shutdown. 2020-03-13 18:55:58 +03:00
Roman Arutyunyan
7739b6073b HTTP/3. 2020-03-13 19:36:33 +03:00
Roman Arutyunyan
365b77b587 Fixed infinite loop in ngx_quic_stream_send_chain(). 2020-03-13 18:30:37 +03:00
Roman Arutyunyan
a1ac82ca0f Implemented tracking offset in STREAM frames. 2020-03-13 18:29:50 +03:00
Roman Arutyunyan
dcb6aab460 Implemented ngx_quic_stream_send_chain() method.
- just call send in a loop
2020-03-13 15:56:10 +03:00
Vladimir Homutov
05d1464c68 Stream "connection" read/write methods. 2020-03-13 14:39:23 +03:00
Ruslan Ermilov
65ae8b3152 Auth basic: explicitly zero out password buffer. 2020-03-13 02:12:10 +03:00
Ruslan Ermilov
1688f575c2 Version bump. 2020-03-16 12:41:41 +03:00
Sergey Kandaurov
5bc8cd4044 Fix build. 2020-03-12 18:08:26 +03:00
Vladimir Homutov
21eaac9a3e Removed hardcoded CRYPTO and ACK frame sizes. 2020-03-12 14:23:27 +03:00
Vladimir Homutov
4f4f56f013 HTTP/QUIC interface reworked.
- events handling moved into src/event/ngx_event_quic.c
 - http invokes once ngx_quic_run() and passes stream callback
 (diff to original http_request.c is now minimal)

 - streams are stored in rbtree using ID as a key
 - when a new stream is registered, appropriate callback is called

 - ngx_quic_stream_t type represents STREAM and stored in c->qs
2020-03-12 16:54:43 +03:00
Vladimir Homutov
6bf6635d86 Initial parsing of STREAM frames. 2020-03-11 15:41:35 +03:00
Vladimir Homutov
0d10672137 Added support of multiple QUIC packets in single datagram.
- now NEW_CONNECTION_ID frames can be received and parsed

The packet structure is created in ngx_quic_input() and passed
to all handlers (initial, handshake and application data).

The UDP datagram buffer is saved as pkt->raw;
The QUIC packet is stored as pkt->data and pkt->len (instead of pkt->buf)
(pkt->len is adjusted after parsing headers to actual length)

The pkt->pos is removed, pkt->raw->pos is used instead.
2020-03-12 14:43:24 +03:00
Vladimir Homutov
0d1c27b580 Added more transport parameters.
Needed for client to start sending streams.
2020-03-11 15:43:23 +03:00
Sergey Kandaurov
9311e59443 Compatibility with BoringSSL revised QUIC encryption secret APIs.
See for details: https://boringssl.googlesource.com/boringssl/+/1e85905%5E!/
2020-03-11 21:53:02 +03:00
Sergey Kandaurov
df544ee47d Chacha20 header protection support with BoringSSL.
BoringSSL lacks EVP for Chacha20.  Here we use CRYPTO_chacha_20() instead.
2020-03-10 19:15:12 +03:00
Sergey Kandaurov
7e417544bb ChaCha20 / Poly1305 initial support. 2020-03-10 19:13:09 +03:00
Sergey Kandaurov
4b59999afe Using SSL cipher suite id to obtain cipher/digest, part 2.
Ciphers negotiation handling refactored into ngx_quic_ciphers().
2020-03-10 19:12:22 +03:00
Sergey Kandaurov
385408732e Fixed nonce in short packet protection. 2020-03-10 18:40:18 +03:00
Vladimir Homutov
c2afb5ec8a Generic payload handler for quic packets.
- added basic parsing of ACK, PING and PADDING frames on input
 - added preliminary parsing of SHORT headers

The ngx_quic_output() is now called after processing of each input packet.
Frames are added into output queue according to their level: inital packets
go ahead of handshake and application data, so they can be merged properly.

The payload handler is called from both new, handshake and applicataion data
handlers (latter is a stub).
2020-03-10 18:24:39 +03:00
Sergey Kandaurov
547a1a0159 Fixed header protection with negotiated cipher suite. 2020-03-05 20:05:40 +03:00
Sergey Kandaurov
ed0533c2c2 Initial packets are protected with AEAD_AES_128_GCM. 2020-03-05 19:49:49 +03:00
Sergey Kandaurov
b0f1302e7d Fixed write secret logging in set_encryption_secrets callback. 2020-03-05 18:01:18 +03:00
Vladimir Homutov
08691ef3d4 Fixed format specifiers. 2020-03-05 17:51:22 +03:00
Vladimir Homutov
fe30a167d2 Style. 2020-03-05 17:24:04 +03:00
Vladimir Homutov
32b2728ebb Added functions to decrypt long packets. 2020-03-05 17:18:33 +03:00
Sergey Kandaurov
12fc8a8bac Fixed ngx_quic_varint_len misuse in the previous change. 2020-03-05 15:26:15 +03:00
Vladimir Homutov
e3e5e21ed5 Macro for calculating size of varint. 2020-03-04 23:24:51 +03:00
Sergey Kandaurov
941d4f1c2e Fixed packet "input" debug log message. 2020-03-05 13:10:01 +03:00
Sergey Kandaurov
0bc9857b47 Using SSL cipher suite id to obtain cipher/digest, part 1.
While here, log the negotiated cipher just once, - after handshake.
2020-03-05 13:00:59 +03:00
Sergey Kandaurov
46bd853801 Using cached ssl_conn in ngx_quic_handshake_input(), NFC. 2020-03-05 12:51:49 +03:00
Sergey Kandaurov
9fa29e4043 Adjusted transport parameters stub for active_connection_id_limit.
As was objserved with ngtcp2 client, Finished CRYPTO frame within Handshake
packet may not be sent for some reason if there's nothing to append on 1-RTT.
This results in unnecessary retransmit.  To avoid this edge case, a non-zero
active_connection_id_limit transport parameter is now used to append datagram
with NEW_CONNECTION_ID 1-RTT frames.
2020-03-04 16:05:39 +03:00
Vladimir Homutov
309cdf496d Implemented improved version of quic_output().
Now handshake generates frames, and they are queued in c->quic->frames.
The ngx_quic_output() is called from ngx_quic_flush_flight() or manually,
processes the queue and encrypts all frames according to required encryption
level.
2020-03-04 15:52:12 +03:00
Maxim Dounin
585f08ed0b release-1.17.9 tag 2020-03-03 18:04:21 +03:00
Maxim Dounin
ea3a6c2057 nginx-1.17.9-RELEASE 2020-03-03 18:04:21 +03:00
Maxim Dounin
7bff824878 Updated PCRE used for win32 builds. 2020-03-03 18:03:28 +03:00
Sergey Kandaurov
3c17072122 QUIC handshake final bits.
Added handling of client Finished, both feeding and acknowledgement.
This includes sending NST in 1-RTT triggered by a handshake process.
2020-03-03 17:25:02 +03:00
Vladimir Homutov
d2deb6d6b4 Split frame and packet generation into separate steps.
While there, a number of QUIC constants from spec defined and magic numbers
were replaced.
2020-03-03 13:30:30 +03:00
Vladimir Homutov
820be1b846 Aded the "ngx_quic_hexdump" macro.
ngx_quic_hexdump0(log, format, buffer, buffer_size);
    - logs hexdump of buffer to specified error log

    ngx_quic_hexdump0(c->log, "this is foo:", foo.data, foo.len);

ngx_quic_hexdump(log, format, buffer, buffer_size, ...)
    - same as hexdump0, but more format/args possible:

    ngx_quic_hexdump(c->log, "a=%d b=%d, foo is:", foo.data, foo.len, a, b);
2020-03-02 21:38:03 +03:00
Roman Arutyunyan
76ac67b36f Simplified subrequest finalization.
Now it looks similar to what it was before background subrequests were
introduced in 9552758a786e.
2020-02-28 19:54:13 +03:00
Dmitry Volyntsev
3733c6fd70 Fixed premature background subrequest finalization.
When "aio" or "aio threads" is used while processing the response body of an
in-memory background subrequest, the subrequest could be finalized with an aio
operation still in progress.  Upon aio completion either parent request is
woken or the old r->write_event_handler is called again.  The latter may result
in request errors.  In either case post_subrequest handler is never called with
the full response body, which is typically expected when using in-memory
subrequests.

Currently in nginx background subrequests are created by the upstream module
and the mirror module.  The issue does not manifest itself with these
subrequests because they are header-only.  But it can manifest itself with
third-party modules which create in-memory background subrequests.
2020-03-02 20:07:36 +03:00
Maxim Dounin
6ba18bc35e Added default overwrite in error_page 494.
We used to have default error_page overwrite for 495, 496, and 497, so
a configuration like

    error_page 495 /error;

will result in error 400, much like without any error_page configured.

The 494 status code was introduced later (in 3848:de59ad6bf557, nginx 0.9.4),
and relevant changes to ngx_http_core_error_page() were missed, resulting
in inconsistent behaviour of "error_page 494" - with error_page configured
it results in 494 being returned instead of 400.

Reported by Frank Liu,
http://mailman.nginx.org/pipermail/nginx/2020-February/058957.html.
2020-02-28 17:21:18 +03:00
Vladimir Homutov
b20ed8f7f1 Moved all QUIC code into ngx_event_quic.c
Introduced ngx_quic_input() and ngx_quic_output() as interface between
nginx and protocol.  They are the only functions that are exported.

While there, added copyrights.
2020-02-28 16:23:25 +03:00