Commit Graph

7038 Commits

Author SHA1 Message Date
Roman Arutyunyan
a305de07e9 QUIC: do not verify the selected ALPN protocol.
The right protocol is selected by the HTTP code.  In the QUIC code only verify
that some protocol was selected and trigger an error otherwise.
2020-07-18 00:08:04 +03:00
Roman Arutyunyan
0f1478706d QUIC: fixed stream read event log.
Previously, the main connection log was there.  Now it's the stream connection
log.
2020-07-18 00:08:29 +03:00
Sergey Kandaurov
8d2d2c5f8f Fixed format specifiers. 2020-07-20 15:19:03 +03:00
Vladimir Homutov
91b6487d8d QUIC: added anti-amplification limit.
According to quic-transport draft 29, section 21.12.1.1:

   Prior to validation, endpoints are limited in what they are able to
   send.  During the handshake, a server cannot send more than three
   times the data it receives; clients that initiate new connections or
   migrate to a new network path are limited.
2020-07-16 16:36:02 +03:00
Vladimir Homutov
e05337214e QUIC: added limit of queued data.
The ngx_quic_queue_frame() functions puts a frame into send queue and
schedules a push timer to actually send data.

The patch adds tracking for data amount in the queue and sends data
immediately if amount of data exceeds limit.
2020-07-16 15:02:38 +03:00
Vladimir Homutov
a5fc86c2a2 QUIC: implemented probe timeout (PTO) calculation. 2020-07-16 16:05:44 +03:00
Vladimir Homutov
782a634e38 QUIC: reworked retransmission mechanism.
Instead of timer-based retransmissions with constant packet lifetime,
this patch implements ack-based loss detection and probe timeout
for the cases, when no ack is received, according to the quic-recovery
draft 29.
2020-07-13 17:31:29 +03:00
Vladimir Homutov
230882ba50 QUIC: reworked ngx_quic_send_frames() function.
Instead of returning NGX_DONE/NGX_OK, the function now itself moves
passed frames range into sent queue and sets PTO timer if required.
2020-07-15 15:10:17 +03:00
Vladimir Homutov
395ec44029 QUIC: renaming.
The c->quic->retransmit timer is now called "pto".
The ngx_quic_retransmit() function is renamed to "ngx_quic_detect_lost()".

This is a preparation for the following patches.
2020-07-13 10:07:15 +03:00
Vladimir Homutov
d7ab1bfb7c QUIC: caching c->quic in the ngx_quic_handle_ack_frame() function.
To minimize difference with the following changes.
2020-07-13 10:07:20 +03:00
Vladimir Homutov
732720f3ca QUIC: delay field of an ACK frame is now calculated. 2020-07-10 15:33:51 +03:00
Vladimir Homutov
32fd0a7b44 QUIC: added rtt estimation.
According to the quic-recovery 29, Section 5: Estimating the Round-Trip Time.

Currently, integer arithmetics is used, which loses sub-millisecond accuracy.
2020-07-16 15:44:06 +03:00
Sergey Kandaurov
2346ee29e1 Merged with the default branch. 2020-07-13 15:34:22 +03:00
Maxim Dounin
1b2f040a1f release-1.19.1 tag 2020-07-07 18:56:06 +03:00
Maxim Dounin
0f648f6875 nginx-1.19.1-RELEASE 2020-07-07 18:56:05 +03:00
Maxim Dounin
5348706fe6 gRPC: generate error when response size is wrong.
As long as the "Content-Length" header is given, we now make sure
it exactly matches the size of the response.  If it doesn't,
the response is considered malformed and must not be forwarded
(https://tools.ietf.org/html/rfc7540#section-8.1.2.6).  While it
is not really possible to "not forward" the response which is already
being forwarded, we generate an error instead, which is the closest
equivalent.

Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Also this
directly contradicts HTTP/2 specification requirements.

Note that the new behaviour for the gRPC proxy is more strict than that
applied in other variants of proxying.  This is intentional, as HTTP/2
specification requires us to do so, while in other types of proxying
malformed responses from backends are well known and historically
tolerated.
2020-07-06 18:36:25 +03:00
Maxim Dounin
1194ba36a0 FastCGI: protection from responses with wrong length.
Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.

Additionally, we now also issue a warning if the response is too
short, and make sure the fact it is truncated is propagated to the
client.  The u->error flag is introduced to make it possible to
propagate the error to the client in case of unbuffered proxying.

For responses to HEAD requests there is an exception: we do allow
both responses without body and responses with body matching the
Content-Length header.
2020-07-06 18:36:23 +03:00
Maxim Dounin
dfcfcc5a88 Upstream: drop extra data sent by upstream.
Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.

This change covers generic buffered and unbuffered filters as used
in the scgi and uwsgi modules.  Appropriate input filter init
handlers are provided by the scgi and uwsgi modules to set corresponding
lengths.

Note that for responses to HEAD requests there is an exception:
we do allow any response length.  This is because responses to HEAD
requests might be actual full responses, and it is up to nginx
to remove the response body.  If caching is enabled, only full
responses matching the Content-Length header will be cached
(see b779728b180c).
2020-07-06 18:36:22 +03:00
Maxim Dounin
7f2490c43c Proxy: style. 2020-07-06 18:36:21 +03:00
Maxim Dounin
156e193408 Proxy: detection of data after final chunk.
Previously, additional data after final chunk was either ignored
(in the same buffer, or during unbuffered proxying) or sent to the
client (in the next buffer already if it was already read from the
socket).  Now additional data are properly detected and ignored
in all cases.  Additionally, a warning is now logged and keepalive
is disabled in the connection.
2020-07-06 18:36:20 +03:00
Maxim Dounin
a2abe31a85 Proxy: drop extra data sent by upstream.
Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.
2020-07-06 18:36:19 +03:00
Maxim Dounin
b835b57184 Memcached: protect from too long responses.
If a memcached response was followed by a correct trailer, and then
the NUL character followed by some extra data - this was accepted by
the trailer checking code.  This in turn resulted in ctx->rest underflow
and caused negative size buffer on the next reading from the upstream,
followed by the "negative size buf in writer" alert.

Fix is to always check for too long responses, so a correct trailer cannot
be followed by extra data.
2020-07-06 18:36:17 +03:00
Ruslan Ermilov
829c9d5981 HTTP/2: lingering close after GOAWAY.
After sending the GOAWAY frame, a connection is now closed using
the lingering close mechanism.

This allows for the reliable delivery of the GOAWAY frames, while
also fixing connection resets observed when http2_max_requests is
reached (ticket #1250), or with graceful shutdown (ticket #1544),
when some additional data from the client is received on a fully
closed connection.

For HTTP/2, the settings lingering_close, lingering_timeout, and
lingering_time are taken from the "server" level.
2020-07-03 16:16:47 +03:00
Roman Arutyunyan
3db00b4da7 HTTP/3: simplified handling return codes from parse functions. 2020-07-02 20:07:24 +03:00
Roman Arutyunyan
ac9c1dcad8 HTTP/3: put ngx_http_v3_parse_varlen_int() return code in variable.
This makes calling this function similar to other parse functions.
2020-07-03 12:07:43 +03:00
Roman Arutyunyan
8d1875d39a HTTP/3: simplifed handling ngx_http_v3_parse_literal() return code. 2020-07-03 12:05:05 +03:00
Roman Arutyunyan
3a9874c4ab HTTP/3: limited prefixed integer size by 62 bits. 2020-07-03 09:26:12 +03:00
Roman Arutyunyan
3b2eabde0b HTTP/3: fixed overflow in prefixed integer parser.
Previously, the expression (ch & 0x7f) was promoted to a signed integer.
Depending on the platform, the size of this integer could be less than 8 bytes,
leading to overflow when handling the higher bits of the result.  Also, sign
bit of this integer could be replicated when adding to the 64-bit st->value.
2020-07-03 16:41:31 +03:00
Sergey Kandaurov
0ebcffcf14 HTTP/3: fixed prefix in decoding Section Acknowledgement. 2020-07-02 17:35:57 +03:00
Roman Arutyunyan
d839fee75f HTTP/3: set r->headers_in.chunked flag after parsing headers.
Previously it was set when creating the request object.  The side-effect was
trying to discard the request body in case of header parse error.
2020-06-30 15:32:09 +03:00
Roman Arutyunyan
707117276e HTTP/3: close QUIC connection with HTTP/QPACK errors when needed.
Previously errors led only to closing streams.

To simplify closing QUIC connection from a QUIC stream context, new macro
ngx_http_v3_finalize_connection() is introduced.  It calls
ngx_quic_finalize_connection() for the parent connection.
2020-07-02 16:47:51 +03:00
Roman Arutyunyan
fd35d92232 HTTP/3: error code definitions for HTTP/3 and QPACK. 2020-06-30 12:30:57 +03:00
Roman Arutyunyan
90f5c334f1 QUIC: Introduced ngx_quic_finalize_connection().
The function finalizes QUIC connection with an application protocol error
code and sends a CONNECTION_CLOSE frame with type=0x1d.

Also, renamed NGX_QUIC_FT_CONNECTION_CLOSE2 to NGX_QUIC_FT_CONNECTION_CLOSE_APP.
2020-07-02 16:33:59 +03:00
Roman Arutyunyan
86e287a2de HTTP/3: downgraded literal size error level to NGX_LOG_INFO.
Now it's similar to HTTP/2.
2020-07-02 16:33:36 +03:00
Roman Arutyunyan
a687d08062 HTTP/3: refactored dynamic table implementation.
Previously dynamic table was not functional because of zero limit on its size
set by default.  Now the following changes enable it:

- new directives to set SETTINGS_QPACK_MAX_TABLE_CAPACITY and
  SETTINGS_QPACK_BLOCKED_STREAMS
- send settings with SETTINGS_QPACK_MAX_TABLE_CAPACITY and
  SETTINGS_QPACK_BLOCKED_STREAMS to the client
- send Insert Count Increment to the client
- send Header Acknowledgement to the client
- evict old dynamic table entries on overflow
- decode Required Insert Count from client
- block stream if Required Insert Count is not reached
2020-07-02 15:34:05 +03:00
Roman Arutyunyan
a7ef0da3c8 HTTP/3: fixed prefixed integer encoding and decoding.
Previously bytes were ordered from MSB to LSB, but the right order is the
reverse.
2020-07-02 15:15:55 +03:00
Maxim Dounin
fa2f2e3508 SSL: fixed unexpected certificate requests (ticket #2008).
Using SSL_CTX_set_verify(SSL_VERIFY_PEER) implies that OpenSSL will
send a certificate request during an SSL handshake, leading to unexpected
certificate requests from browsers as long as there are any client
certificates installed.  Given that ngx_ssl_trusted_certificate()
is called unconditionally by the ngx_http_ssl_module, this affected
all HTTPS servers.  Broken by 699f6e55bbb4 (not released yet).

Fix is to set verify callback in the ngx_ssl_trusted_certificate() function
without changing the verify mode.
2020-06-29 17:15:51 +03:00
Roman Arutyunyan
8d41d17a12 HTTP/3: http3_max_field_size directive to limit string size.
Client streams may send literal strings which are now limited in size by the
new directive.  The default value is 4096.

The directive is similar to HTTP/2 directive http2_max_field_size.
2020-06-29 15:56:14 +03:00
Roman Arutyunyan
b7662c0e80 HTTP/3: introduced ngx_http_v3_get_module_srv_conf() macro.
The macro helps to access a module's server configuration from a QUIC
stream context.
2020-06-26 11:58:00 +03:00
Roman Arutyunyan
690e1bc50c HTTP/3: fixed dropping first non-pseudo header. 2020-06-26 10:05:28 +03:00
Sergey Kandaurov
3168f58306 HTTP/3: do not emit a DATA frame header for header_only responses.
This resulted in the frame error due to the invalid DATA frame length.
2020-06-25 20:31:13 +03:00
Vladimir Homutov
9022fc686d Style. 2020-06-19 11:29:30 +03:00
Sergey Kandaurov
cbfecb46fe README: documented draft-28, draft-29 support. 2020-06-23 11:57:00 +03:00
Sergey Kandaurov
439fad4df5 Update Initial salt and Retry secret from quic-tls-29.
See sections 5.2 and 5.8 for the current values.
2020-06-23 11:57:00 +03:00
Sergey Kandaurov
3d27c55ae3 Get rid of hardcoded numbers used for quic handshake errors. 2020-06-23 11:57:00 +03:00
Sergey Kandaurov
fc0036bdd6 Discard short packets which could not be decrypted.
So that connections are protected from failing from on-path attacks.
Decryption failure of long packets used during handshake still leads
to connection close since it barely makes sense to handle them there.
2020-06-23 11:57:00 +03:00
Sergey Kandaurov
d7baead1e8 Close connection with PROTOCOL_VIOLATION on decryption failure.
A previously used undefined error code is now replaced with the generic one.

Note that quic-transport prescribes keeping connection intact, discarding such
QUIC packets individually, in the sense that coalesced packets could be there.
This is selectively handled in the next change.
2020-06-23 11:57:00 +03:00
Sergey Kandaurov
82519e1af2 Define KEY_UPDATE_ERROR from quic-tls-24. 2020-06-23 11:57:00 +03:00
Sergey Kandaurov
157da97d7a Reject new QUIC connection with CONNECTION_REFUSED on shutdown. 2020-06-23 11:57:00 +03:00
Sergey Kandaurov
1cfd67c44a Close QUIC connection with NO_ERROR on c->close.
That way it makes more sense.  Previously it was closed with INTERNAL_ERROR.
2020-06-23 11:57:00 +03:00