Commit Graph

6976 Commits

Author SHA1 Message Date
Sergey Kandaurov
9d46500914 Do not close QUIC sockets in ngx_close_listening_sockets().
This breaks graceful shutdown of QUIC connections in terms of quic-transport.
2020-06-23 11:57:00 +03:00
Sergey Kandaurov
c31e105403 QUIC error SERVER_BUSY renamed to CONNECTION_REFUSED in draft-29. 2020-06-23 11:57:00 +03:00
Vladimir Homutov
f1fdf6901b QUIC: cleaned up quic encryption state tracking.
The patch removes remnants of the old state tracking mechanism, which did
not take into account assimetry of read/write states and was not very
useful.

The encryption state now is entirely tracked using SSL_quic_read/write_level().
2020-06-18 14:29:24 +03:00
Vladimir Homutov
28f1acdb6f QUIC: added ALPN checks.
quic-transport draft 29:

    section 7:

    *  authenticated negotiation of an application protocol (TLS uses
       ALPN [RFC7301] for this purpose)

    ...

    Endpoints MUST explicitly negotiate an application protocol.  This
    avoids situations where there is a disagreement about the protocol
    that is in use.

    section 8.1:

    When using ALPN, endpoints MUST immediately close a connection (see
    Section 10.3 of [QUIC-TRANSPORT]) with a no_application_protocol TLS
    alert (QUIC error code 0x178; see Section 4.10) if an application
    protocol is not negotiated.

Changes in ngx_quic_close_quic() function are required to avoid attempts
to generated and send packets without proper keys, what happens in case
of failed ALPN check.
2020-06-18 13:58:46 +03:00
Vladimir Homutov
a213258b5b QUIC: fixed off-by-one in frame range handler.
The ctx->pnum is incremented after the packet is sent, thus pointing to the
next packet number, which should not be used in comparison.
2020-06-18 11:16:35 +03:00
Vladimir Homutov
3b3264dc25 QUIC: further limiting maximum QUIC packet size.
quic-transport draft 29, section 14:

    QUIC depends upon a minimum IP packet size of at least 1280 bytes.
    This is the IPv6 minimum size [RFC8200] and is also supported by most
    modern IPv4 networks.  Assuming the minimum IP header size, this
    results in a QUIC maximum packet size of 1232 bytes for IPv6 and 1252
    bytes for IPv4.

Since the packet size can change during connection lifetime, the
ngx_quic_max_udp_payload() function is introduced that currently
returns minimal allowed size, depending on address family.
2020-06-16 11:54:05 +03:00
Vladimir Homutov
d6d7838c79 QUIC: raise error on missing transport parameters.
quic-tls, 8.2:

    The quic_transport_parameters extension is carried in the ClientHello
    and the EncryptedExtensions messages during the handshake.  Endpoints
    MUST send the quic_transport_parameters extension; endpoints that
    receive ClientHello or EncryptedExtensions messages without the
    quic_transport_parameters extension MUST close the connection with an
    error of type 0x16d (equivalent to a fatal TLS missing_extension
    alert, see Section 4.10).
2020-06-15 17:06:40 +03:00
Vladimir Homutov
6c2712f781 QUIC: Fixed connection cleanup.
A posted event need to be deleted during the connection close.
2020-06-15 16:59:53 +03:00
Vladimir Homutov
966a867971 Style. 2020-06-10 21:37:48 +03:00
Vladimir Homutov
64c00708fa Limited max udp payload size for outgoing packets.
This allows to avoid problems with packet fragmentation in real networks.
This is a temporary workaround.
2020-06-10 21:37:08 +03:00
Vladimir Homutov
5cef58452d Increased default initial retransmit timeout.
This is a temporary workaround, proper retransmission mechanism based on
quic-recovery rfc draft is yet to be implemented.

Currently hardcoded value is too small for real networks.  The patch
sets static PTO, considering rtt of ~333ms, what gives about 1s.
2020-06-10 21:33:20 +03:00
Vladimir Homutov
d684a69c68 Fixed usage of own/client transport parameters. 2020-06-10 21:23:10 +03:00
Sergey Kandaurov
7d8a64a862 Stream ID handling in MAX_STREAM_DATA and STREAM_DATA_BLOCKED. 2020-06-05 20:59:27 +03:00
Sergey Kandaurov
d42fadcf29 Stream ID handling in RESET_STREAM and STOP_SENDING frames. 2020-06-05 20:59:27 +03:00
Sergey Kandaurov
d423541360 Reject invalid STREAM ID with STREAM_STATE_ERROR connection error. 2020-06-05 20:59:26 +03:00
Sergey Kandaurov
facf59bd86 Introduced connection error APPLICATION_ERROR from draft-28. 2020-06-05 13:20:03 +03:00
Sergey Kandaurov
ac73dffb57 Receipt of CONNECTION_CLOSE in 0-RTT is permitted in draft-28. 2020-06-05 13:20:02 +03:00
Sergey Kandaurov
d047ecee95 Treat receipt of NEW_TOKEN as connection error PROTOCOL_VIOLATION. 2020-06-05 13:20:02 +03:00
Roman Arutyunyan
c0003539ac Decoupled validation of Host and :authority for HTTP/2 and HTTP/3.
Previously an error was triggered for HTTP/2 when host with port was passed
by client.
2020-06-02 15:59:14 +03:00
Sergey Kandaurov
0a11fdbb28 Compatibility with BoringSSL master branch.
Recently BoringSSL introduced SSL_set_quic_early_data_context()
that serves as an additional constrain to enable 0-RTT in QUIC.

Relevant changes:
 * https://boringssl.googlesource.com/boringssl/+/7c52299%5E!/
 * https://boringssl.googlesource.com/boringssl/+/8519432%5E!/
2020-06-01 19:53:13 +03:00
Sergey Kandaurov
5978225722 Fixed transport parameters on a new connection with a valid token.
Previously, the retry transport parameter was sent regardless.
2020-06-01 19:16:44 +03:00
Roman Arutyunyan
22297afd79 Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests.
Also, if both are present, require that they have the same value.  These
requirements are specified in HTTP/3 draft 28.

Current implementation of HTTP/2 treats ":authority" and "Host"
interchangeably.  New checks only make sure at least one of these values is
present in the request.  A similar check existed earlier and was limited only
to HTTP/1.1 in 38c0898b6df7.
2020-05-29 12:42:23 +03:00
Vladimir Homutov
101113a98f Added propagation of the "wildcard" flag to c->listening.
The flags was originally added by 8f038068f4bc, and is propagated correctly
in the stream module.  With QUIC introduction, http module now uses datagram
sockets as well, thus the fix.
2020-05-29 13:29:24 +03:00
Sergey Kandaurov
f45ec755a5 Made NGX_QUIC_DRAFT_VERSION tunable from configure parameters.
Now it can be switched using --with-cc-opt='-DNGX_QUIC_DRAFT_VERSION=28'.
2020-05-29 15:07:46 +03:00
Sergey Kandaurov
7d41fd85b8 QUIC draft-28 transport parameters support.
Draft-27 and draft-28 support can now be enabled interchangeably,
it's based on the compile-time macro NGX_QUIC_DRAFT_VERSION.
2020-05-29 15:06:33 +03:00
Sergey Kandaurov
25f5ab5e2d Introduced macros for building length-value transport parameters. 2020-05-29 13:05:57 +03:00
Sergey Kandaurov
76bbe70406 Renamed max_packet_size to max_udp_payload_size, from draft-28.
No functional changes.
2020-05-29 12:56:08 +03:00
Sergey Kandaurov
49d7ae444f Rejected forbidden transport parameters with TRANSPORT_PARAMETER_ERROR. 2020-05-29 12:55:39 +03:00
Sergey Kandaurov
a4a641fa6c Fixed return codes in ngx_quic_add_handshake_data() callback. 2020-05-29 12:50:20 +03:00
Sergey Kandaurov
5352a71779 README: update after merging 1.19.0. 2020-05-26 20:41:43 +03:00
Sergey Kandaurov
38091071a8 Merged with the default branch. 2020-05-26 20:26:44 +03:00
Maxim Dounin
bab7ab0477 release-1.19.0 tag 2020-05-26 18:00:20 +03:00
Maxim Dounin
87c8507f20 nginx-1.19.0-RELEASE 2020-05-26 18:00:20 +03:00
Maxim Dounin
f457127cc4 Updated OpenSSL used for win32 builds. 2020-05-25 22:10:37 +03:00
Vladimir Homutov
2360f58a9b Updated README with "Contributing" section and draft details. 2020-05-25 18:37:43 +03:00
Maxim Dounin
4056ce4f4e HTTP/2: invalid connection preface logging (ticket #1981).
Previously, invalid connection preface errors were only logged at debug
level, providing no visible feedback, in particular, when a plain text
HTTP/2 listening socket is erroneously used for HTTP/1.x connections.
Now these are explicitly logged at the info level, much like other
client-related errors.
2020-05-25 18:33:42 +03:00
Sergey Kandaurov
9b87626b0b Fixed format specifiers. 2020-05-23 15:53:08 +03:00
Roman Arutyunyan
5727f9a1e0 OCSP: certificate status cache.
When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.
2020-05-22 17:25:27 +03:00
Roman Arutyunyan
60438ae395 SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
2020-05-22 17:30:12 +03:00
Roman Arutyunyan
aa94ee82f6 OCSP stapling: iterate over all responder addresses.
Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).
2020-05-22 20:35:05 +03:00
Roman Arutyunyan
abdb9aebc6 OCSP stapling: keep extra chain in the staple object. 2020-05-17 14:24:35 +03:00
Roman Arutyunyan
097d8a87b3 HTTP/3: reallocate strings inserted into the dynamic table.
They should always be allocated from the main QUIC connection pool.
2020-05-14 16:02:32 +03:00
Roman Arutyunyan
94764fda6e Fixed client buffer reallocation for HTTP/3.
Preserving pointers within the client buffer is not needed for HTTP/3 because
all data is either allocated from pool or static.  Unlike with HTTP/1, data
typically cannot be referenced directly within the client buffer.  Trying to
preserve NULLs or external pointers lead to broken pointers.

Also, reverted changes in ngx_http_alloc_large_header_buffer() not relevant
for HTTP/3 to minimize diff to mainstream.
2020-05-19 16:20:33 +03:00
Roman Arutyunyan
d6b6b6dfc5 Fixed $request_length for HTTP/3.
New field r->parse_start is introduced to substitute r->request_start and
r->header_name_start for request length accounting.  These fields only work for
this purpose in HTTP/1 because HTTP/1 request line and header line start with
these values.

Also, error logging is now fixed to output the right part of the request.
2020-05-19 15:47:37 +03:00
Roman Arutyunyan
d25937c2b5 HTTP/3: restricted symbols in header names.
As per HTTP/3 draft 27, a request or response containing uppercase header
field names MUST be treated as malformed.  Also, existing rules applied
when parsing HTTP/1 header names are also applied to HTTP/3 header names:

- null character is not allowed
- underscore character may or may not be treated as invalid depending on the
  value of "underscores_in_headers"
- all non-alphanumeric characters with the exception of '-' are treated as
  invalid

Also, the r->locase_header field is now filled while parsing an HTTP/3
header.

Error logging for invalid headers is fixed as well.
2020-05-19 15:34:00 +03:00
Roman Arutyunyan
6abb50658f HTTP/3: split header parser in two functions.
The first one parses pseudo-headers and is analagous to the request line
parser in HTTP/1.  The second one parses regular headers and is analogous to
the header parser in HTTP/1.

Additionally, error handling of client passing malformed uri is now fixed.
2020-05-19 15:29:10 +03:00
Roman Arutyunyan
d69f678e9c HTTP/3: move body parser call out of ngx_http_parse_chunked().
The function ngx_http_parse_chunked() is also called from the proxy module to
parse the upstream response.  It should always parse HTTP/1 body in this case.
2020-05-14 14:49:53 +03:00
Roman Arutyunyan
1c54340e0a HTTP/3: prevent array access by negative index for unknown streams.
Currently there are no such streams, but the function
ngx_http_v3_get_uni_stream() supports them.
2020-05-19 15:41:41 +03:00
Sergey Kandaurov
e0eb261b83 README: documented Retry, 0-RTT, TLSv1.3 configuration. 2020-05-23 14:41:08 +03:00
Vladimir Homutov
74564bdd0d Style.
Rephrased error message and removed trailing space.  Long comments were
shortened/rephrased.
2020-05-21 15:48:39 +03:00