Commit Graph

7810 Commits

Author SHA1 Message Date
Vladimir Homutov
18ce6d5ebf Added boundaries checks into frame parser.
The ngx_quic_parse_frame() function now has a new 'pkt' argument: the packet
header of the currently processed frame.  This allows logging errors/debug
closer to the reasons and performing additional checks regarding possible frame
types.  The handler only performs processing of good frames.

A number of functions like read_uint32(), parse_int[_multi] probably should
be implemented as a macro, but currently it is better to have them as
functions for simpler debugging.
2020-03-19 17:07:12 +03:00
Roman Arutyunyan
4cbfc07394 Send a FIN frame when QUIC stream is closed. 2020-03-19 15:34:35 +03:00
Roman Arutyunyan
8ad2707d4f Fixed header creation for header_only responses in HTTP/3. 2020-03-19 15:03:09 +03:00
Sergey Kandaurov
31e794f0ad MAX_DATA frame parser/handler. 2020-03-18 23:26:26 +03:00
Vladimir Homutov
33d8317dd5 Added parsing of STREAMS BLOCKED frames.
While there, added hex prefix for debug to avoid frame type confusion.
2020-03-19 11:15:43 +03:00
Sergey Kandaurov
6aa611c314 Implemented send_alert callback, CONNECTION_CLOSE writer.
The callback produces a CONNECTION_CLOSE frame, as per quic-tls-24#section-4.9.
2020-03-18 23:07:40 +03:00
Roman Arutyunyan
0561665873 Added copying addr_text to QUIC stream connections.
Now $remote_addr holds client address.
2020-03-18 20:28:28 +03:00
Roman Arutyunyan
e63accd7bd HTTP/3 $request_line variable. 2020-03-18 20:22:16 +03:00
Roman Arutyunyan
5aa8e519c9 Moved setting QUIC methods to runtime.
This allows listening to both https and http3 in the same server.
Also, the change eliminates the ssl_quic directive.
2020-03-18 16:37:16 +03:00
Vladimir Homutov
50f919cec4 Added parsing of RESET_STREAM and STOP_SENDING frames 2020-03-18 16:35:11 +03:00
Roman Arutyunyan
04d037b239 Fixed pointer increment while parsing HTTP/3 header. 2020-03-18 15:28:20 +03:00
Vladimir Homutov
2973465556 Implemented creation of server unidirectional streams.
The ngx_quic_create_stream() function is a generic function extracted from
the ngx_quic_handle_stream_frame() function.
2020-03-18 13:49:39 +03:00
Roman Arutyunyan
d36684447c Fixed HTTP/3 server stream creation. 2020-03-18 14:10:44 +03:00
Roman Arutyunyan
85430505fe Removed comment. 2020-03-18 14:09:50 +03:00
Roman Arutyunyan
01dc7445f0 Refactored HTTP/3 parser. 2020-03-18 13:46:35 +03:00
Vladimir Homutov
023dbc3cfb Style and handlers.
Cleanup in ngx_event_quic.c:
    + reordered functions, structures
    + added missing prototypes
    + added separate handlers for each frame type
    + numerous indentation/comments/TODO fixes
    + removed non-implemented qc->state and corresponding enum;
        this requires deep thinking, stub was unused.
    + streams inside quic connection are now in own structure
2020-03-18 13:02:19 +03:00
Vladimir Homutov
23dc6a68a4 Extracted transport part of the code into separate file.
All code dealing with serializing/deserializing
is moved into the src/event/ngx_event_quic_transport.c/h files.

All macros for dealing with data are internal to source file.

The header file exposes frame types and error codes.

The exported functions are currently packet header parsers and writers
and frames parser/writer.

The ngx_quic_header_t structure is updated with 'log' member. This avoids
passing extra argument to parsing functions that need to report errors.
2020-03-18 12:58:27 +03:00
Vladimir Homutov
cd54c1cab7 Firefox fixes.
 + support for more than one initial packet
 + workaround for trailing zeroes in packet
 + ignore application data packet if no keys yet (issue in draft 27/ff nightly)
 + fixed PING frame parser
 + STREAM frames need to be acknowledged

The following HTTP configuration is used for Firefox (v74):

http {

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;
    ssl_protocols TLSv1.2 TLSv1.3;

    server {
        listen 127.0.0.1:10368 reuseport http3;
        ssl_quic on;
        server_name  localhost;

        location / {
            return 200 "This-is-QUICK\n";
        }
    }
    server {
        listen 127.0.0.1:5555 ssl; # point the browser here
        server_name  localhost;
        location / {
            add_header Alt-Svc 'h3-24=":10368";ma=100';
            return 200 "ALT-SVC";
        }
    }
}
2020-03-17 14:10:37 +03:00
Vladimir Homutov
ca7943393e Fixed a typo with OpenSSL. 2020-03-16 19:42:57 +03:00
Vladimir Homutov
d0ebfa4cb9 Split transport and crypto parts into separate files.
New files:
    src/event/ngx_event_quic_protection.h
    src/event/ngx_event_quic_protection.c

The protection.h header provides an interface to the crypto part of QUIC:

2 functions to initialize corresponding secrets:

ngx_quic_set_initial_secret()
ngx_quic_set_encryption_secret()

and 2 functions to deal with packet processing:

ngx_quic_encrypt()
ngx_quic_decrypt()

Also, structures representing secrets are defined there.

All functions require an SSL connection and a pool; only crypto operations
inside, no access to nginx connections or events.

Currently pool->log is used for the logging (instead of original c->log).
2020-03-16 19:00:47 +03:00
Vladimir Homutov
0d8984083b Added processing of CONNECTION CLOSE frames.
Contents are parsed and debug is output.  No actions are taken.
2020-03-16 13:06:43 +03:00
Roman Arutyunyan
5399670fcc Temporary fix for header null-termination in HTTP/3. 2020-03-14 13:18:55 +03:00
Sergey Kandaurov
1ac31c01b4 Fixed header protection application with pn length > 1. 2020-03-14 03:15:09 +03:00
Roman Arutyunyan
11dfc1c943 Fixed sanitizer errors. 2020-03-13 20:44:32 +03:00
Vladimir Homutov
8f35d300ed Added check for initialized c->ssl before calling SSL shutdown. 2020-03-13 18:55:58 +03:00
Roman Arutyunyan
7739b6073b HTTP/3. 2020-03-13 19:36:33 +03:00
Roman Arutyunyan
365b77b587 Fixed infinite loop in ngx_quic_stream_send_chain(). 2020-03-13 18:30:37 +03:00
Roman Arutyunyan
a1ac82ca0f Implemented tracking offset in STREAM frames. 2020-03-13 18:29:50 +03:00
Roman Arutyunyan
dcb6aab460 Implemented ngx_quic_stream_send_chain() method.
- just call send in a loop
2020-03-13 15:56:10 +03:00
Vladimir Homutov
05d1464c68 Stream "connection" read/write methods. 2020-03-13 14:39:23 +03:00
Ruslan Ermilov
65ae8b3152 Auth basic: explicitly zero out password buffer. 2020-03-13 02:12:10 +03:00
Ruslan Ermilov
1688f575c2 Version bump. 2020-03-16 12:41:41 +03:00
Sergey Kandaurov
5bc8cd4044 Fix build. 2020-03-12 18:08:26 +03:00
Vladimir Homutov
21eaac9a3e Removed hardcoded CRYPTO and ACK frame sizes. 2020-03-12 14:23:27 +03:00
Vladimir Homutov
4f4f56f013 HTTP/QUIC interface reworked.
 - events handling moved into src/event/ngx_event_quic.c
 - http invokes ngx_quic_run() once and passes a stream callback
   (diff to original http_request.c is now minimal)

 - streams are stored in an rbtree using ID as a key
 - when a new stream is registered, the appropriate callback is called

 - ngx_quic_stream_t type represents STREAM and is stored in c->qs
2020-03-12 16:54:43 +03:00
Vladimir Homutov
6bf6635d86 Initial parsing of STREAM frames. 2020-03-11 15:41:35 +03:00
Vladimir Homutov
0d10672137 Added support of multiple QUIC packets in single datagram.
- now NEW_CONNECTION_ID frames can be received and parsed

The packet structure is created in ngx_quic_input() and passed
to all handlers (initial, handshake and application data).

The UDP datagram buffer is saved as pkt->raw;
The QUIC packet is stored as pkt->data and pkt->len (instead of pkt->buf)
(pkt->len is adjusted after parsing headers to actual length)

The pkt->pos is removed, pkt->raw->pos is used instead.
2020-03-12 14:43:24 +03:00
Vladimir Homutov
0d1c27b580 Added more transport parameters.
Needed for client to start sending streams.
2020-03-11 15:43:23 +03:00
Sergey Kandaurov
9311e59443 Compatibility with BoringSSL revised QUIC encryption secret APIs.
See for details: https://boringssl.googlesource.com/boringssl/+/1e85905%5E!/
2020-03-11 21:53:02 +03:00
Sergey Kandaurov
df544ee47d Chacha20 header protection support with BoringSSL.
BoringSSL lacks EVP for Chacha20.  Here we use CRYPTO_chacha_20() instead.
2020-03-10 19:15:12 +03:00
Sergey Kandaurov
7e417544bb ChaCha20 / Poly1305 initial support. 2020-03-10 19:13:09 +03:00
Sergey Kandaurov
4b59999afe Using SSL cipher suite id to obtain cipher/digest, part 2.
Ciphers negotiation handling refactored into ngx_quic_ciphers().
2020-03-10 19:12:22 +03:00
Sergey Kandaurov
385408732e Fixed nonce in short packet protection. 2020-03-10 18:40:18 +03:00
Vladimir Homutov
c2afb5ec8a Generic payload handler for quic packets.
 - added basic parsing of ACK, PING and PADDING frames on input
 - added preliminary parsing of SHORT headers

The ngx_quic_output() is now called after processing of each input packet.
Frames are added into the output queue according to their level: initial packets
go ahead of handshake and application data, so they can be merged properly.

The payload handler is called from the new, handshake and application data
handlers (the latter is a stub).
2020-03-10 18:24:39 +03:00
Sergey Kandaurov
547a1a0159 Fixed header protection with negotiated cipher suite. 2020-03-05 20:05:40 +03:00
Sergey Kandaurov
ed0533c2c2 Initial packets are protected with AEAD_AES_128_GCM. 2020-03-05 19:49:49 +03:00
Sergey Kandaurov
b0f1302e7d Fixed write secret logging in set_encryption_secrets callback. 2020-03-05 18:01:18 +03:00
Vladimir Homutov
08691ef3d4 Fixed format specifiers. 2020-03-05 17:51:22 +03:00
Vladimir Homutov
fe30a167d2 Style. 2020-03-05 17:24:04 +03:00
Vladimir Homutov
32b2728ebb Added functions to decrypt long packets. 2020-03-05 17:18:33 +03:00