Commit Graph

8269 Commits

Author SHA1 Message Date
Sergey Kandaurov
4f60ee789e QUIC: reusing crypto contexts for header protection. 2023-10-20 18:05:07 +04:00
Sergey Kandaurov
52d50714eb QUIC: common code for crypto open and seal operations. 2023-10-20 18:05:07 +04:00
Sergey Kandaurov
80a695add8 QUIC: reusing crypto contexts for packet protection. 2023-10-20 18:05:07 +04:00
Sergey Kandaurov
885a02696e QUIC: renamed protection functions.
Now these functions have names ngx_quic_crypto_XXX():

  - ngx_quic_tls_open() -> ngx_quic_crypto_open()
  - ngx_quic_tls_seal() -> ngx_quic_crypto_seal()
  - ngx_quic_tls_hp() -> ngx_quic_crypto_hp()
2023-10-20 18:05:07 +04:00
Sergey Kandaurov
8e1217c46d QUIC: prevented generating ACK frames with discarded keys.
Previously it was possible to generate ACK frames using formally discarded
protection keys, in particular, when acknowledging a client Handshake packet
used to complete the TLS handshake and to discard handshake protection keys.
As it happens late in packet processing, it could be possible to generate ACK
frames after the keys were already discarded.

ACK frames are generated from ngx_quic_ack_packet(), either using a posted
push event, which envolves ngx_quic_generate_ack() as a part of the final
packet assembling, or directly in ngx_quic_ack_packet(), such as when there
is no room to add a new ACK range or when the received packet is out of order.
The added keys availability check is used to avoid generating late ACK frames
in both cases.
2023-10-20 18:05:07 +04:00
Sergey Kandaurov
fffd2823ba QUIC: added safety belt to prevent using discarded keys.
In addition to triggering alert, it ensures that such packets won't be sent.

With the previous change that marks server keys as discarded by zeroing the
key lengh, it is now an error to send packets with discarded keys.  OpenSSL
based stacks tolerate such behaviour because key length isn't used in packet
protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error.
It won't be possible to use discarded keys with reused crypto contexts as it
happens in subsequent changes.
2023-10-20 18:05:07 +04:00
Sergey Kandaurov
cd5f4cd8d3 QUIC: split keys availability checks to read and write sides.
Keys may be released by TLS stack in different times, so it makes sense
to check this independently as well.  This allows to fine-tune what key
direction is used when checking keys availability.

When discarding, server keys are now marked in addition to client keys.
2023-08-31 19:54:10 +04:00
Maxim Dounin
c93cb45ae3 Core: changed ngx_queue_sort() to use merge sort.
This improves nginx startup times significantly when using very large number
of locations due to computational complexity of the sorting algorithm being
used: insertion sort is O(n*n) on average, while merge sort is O(n*log(n)).
In particular, in a test configuration with 20k locations total startup
time is reduced from 8 seconds to 0.9 seconds.

Prodded by Yusuke Nojima,
https://mailman.nginx.org/pipermail/nginx-devel/2023-September/NUL3Y2FPPFSHMPTFTL65KXSXNTX3NQMK.html
2023-10-18 04:30:11 +03:00
Maxim Dounin
284a0c7377 Core: fixed memory leak on configuration reload with PCRE2.
In ngx_regex_cleanup() allocator wasn't configured when calling
pcre2_compile_context_free() and pcre2_match_data_free(), resulting
in no ngx_free() call and leaked memory.  Fix is ensure that allocator
is configured for global allocations, so that ngx_free() is actually
called to free memory.

Additionally, ngx_regex_compile_context was cleared in
ngx_regex_module_init().  It should be either not cleared, so it will
be freed by ngx_regex_cleanup(), or properly freed.  Fix is to
not clear it, so ngx_regex_cleanup() will be able to free it.

Reported by ZhenZhong Wu,
https://mailman.nginx.org/pipermail/nginx-devel/2023-September/3Z5FIKUDRN2WBSL3JWTZJ7SXDA6YIWPB.html
2023-10-17 02:39:38 +03:00
Maxim Dounin
6ceef192e7 HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.
2023-10-10 15:13:39 +03:00
Vladimir Khomutov
c37fdcdd1e QUIC: handle callback errors in compat.
The error may be triggered in add_handhshake_data() by incorrect transport
parameter sent by client.  The expected behaviour in this case is to close
connection complaining about incorrect parameter.  Currently the connection
just times out.
2023-09-22 19:23:57 +04:00
Roman Arutyunyan
027b681688 Modules compatibility: added QUIC to signature (ticket #2539).
Enabling QUIC changes ngx_connection_t layout, which is why it should be
added to the signature.
2023-09-13 17:48:15 +04:00
Roman Arutyunyan
196289ac18 QUIC: simplified setting close timer when closing connection.
Previously, the timer was never reset due to an explicit check.  The check was
added in 36b59521a41c as part of connection close simplification.  The reason
was to retain the earliest timeout.  However, the timeouts are all the same
while QUIC handshake is in progress and resetting the timer for the same value
has no performance implications.  After handshake completion there's only
application level.  The change removes the check.
2023-09-14 14:15:20 +04:00
Roman Arutyunyan
26e606a6bc HTTP/3: postponed session creation to init() callback.
Now the session object is assigned to c->data while ngx_http_connection_t
object is referenced by its http_connection field, similar to
ngx_http_v2_connection_t and ngx_http_request_t.

The change allows to eliminate v3_session field from ngx_http_connection_t.
The field was under NGX_HTTP_V3 macro, which was a source of binary
compatibility problems when nginx/module is build with/without HTTP/3 support.

Postponing is essential since c->data should retain the reference to
ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks
ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this.
2023-09-14 14:13:43 +04:00
Roman Arutyunyan
6ecf576e34 QUIC: do not call shutdown() when handshake is in progress.
Instead, when worker is shutting down and handshake is not yet completed,
connection is terminated immediately.

Previously the callback could be called while QUIC handshake was in progress
and, what's more important, before the init() callback.  Now it's postponed
after init().

This change is a preparation to postponing HTTP/3 session creation to init().
2023-09-21 19:32:38 +04:00
Roman Arutyunyan
ec37134416 HTTP/3: moved variable initialization. 2023-09-13 17:57:13 +04:00
Roman Arutyunyan
33dca88792 QUIC: "handshake_timeout" configuration parameter.
Previously QUIC did not have such parameter and handshake duration was
controlled by HTTP/3.  However that required creating and storing HTTP/3
session on first client datagram.  Apparently there's no convenient way to
store the session object until QUIC handshake is complete.  In the followup
patches session creation will be postponed to init() callback.
2023-09-13 17:59:37 +04:00
Sergey Kandaurov
b489ba83e9 QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level.
As explained in BoringSSL change[1], levels were introduced in the original
QUIC API to draw a line between when keys are released and when are active.
In the new QUIC API they are released in separate calls when it's needed.
BoringSSL has then a consideration to remove levels API, hence the change.

If not available e.g. from a QUIC packet header, levels can be taken based on
keys availability.  The only real use of levels is to prevent using app keys
before they are active in QuicTLS that provides the old BoringSSL QUIC API,
it is replaced with an equivalent check of c->ssl->handshaked.

This change also removes OpenSSL compat shims since they are no longer used.
The only exception left is caching write level from the keylog callback in
the internal field which is a handy equivalent of checking keys availability.

[1] https://boringssl.googlesource.com/boringssl/+/1e859054
2023-09-01 20:31:46 +04:00
Sergey Kandaurov
0d6ea58ebb QUIC: refined sending CONNECTION_CLOSE in various packet types.
As per RFC 9000, section 10.2.3, to ensure that peer successfully removed
packet protection, CONNECTION_CLOSE can be sent in multiple packets using
different packet protection levels.

Now it is sent in all protection levels available.
This roughly corresponds to the following paragraph:

* Prior to confirming the handshake, a peer might be unable to process 1-RTT
  packets, so an endpoint SHOULD send a CONNECTION_CLOSE frame in both Handshake
  and 1-RTT packets.  A server SHOULD also send a CONNECTION_CLOSE frame in an
  Initial packet.

In practice, this change allows to avoid sending an Initial packet when we know
the client has handshake keys, by checking if we have discarded initial keys.
Also, this fixes sending CONNECTION_CLOSE when using QuicTLS with old QUIC API,
where TLS stack releases application read keys before handshake confirmation;
it is fixed by sending CONNECTION_CLOSE additionally in a Handshake packet.
2023-09-01 20:31:46 +04:00
Maxim Dounin
fa46a57199 Upstream: fixed handling of Status headers without reason-phrase.
Status header with an empty reason-phrase, such as "Status: 404 ", is
valid per CGI specification, but looses the trailing space during parsing.
Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
which violates HTTP specification due to missing trailing space.

With this change, only the status code is used from such short Status
header lines, so nginx will generate status line itself, with the space
and appropriate reason phrase if available.

Reported at:
https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html
2023-08-31 22:59:17 +03:00
Roman Arutyunyan
ba30ff4c8d QUIC: ignore path validation socket error (ticket #2532).
Previously, a socket error on a path being validated resulted in validation
error and subsequent QUIC connection closure.  Now the error is ignored and
path validation proceeds as usual, with several retries and a timeout.

When validating the old path after an apparent migration, that path may already
be unavailable and sendmsg() may return an error, which should not result in
QUIC connection close.

When validating the new path, it's possible that the new client address is
spoofed (See RFC 9000, 9.3.2. On-Path Address Spoofing).  This address may
as well be unavailable and should not trigger QUIC connection closure.
2023-08-31 10:54:07 +04:00
Roman Arutyunyan
1bc204a3a5 QUIC: use last client dcid to receive initial packets.
Previously, original dcid was used to receive initial client packets in case
server initial response was lost.  However, last dcid should be used instead.
These two are the same unless retry is used.  In case of retry, client resends
initial packet with a new dcid, that is different from the original dcid.  If
server response is lost, the client resends this packet again with the same
dcid.  This is shown in RFC 9000, 7.3. Authenticating Connection IDs, Figure 8.

The issue manifested itself with creating multiple server sessions in response
to each post-retry client initial packet, if server response is lost.
2023-08-30 11:09:21 +04:00
Sergey Kandaurov
24f3cb795e QUIC: posted generating TLS Key Update next keys.
Since at least f9fbeb4ee0de and certainly after 924882f42dea, which
TLS Key Update support predates, queued data output is deferred to a
posted push handler.  To address timing signals after these changes,
generating next keys is now posted to run after the push handler.
2023-08-25 13:51:38 +04:00
Sergey Kandaurov
f42519ff54 Version bump. 2023-08-25 16:39:14 +04:00
Maxim Dounin
e5fc65976a release-1.25.2 tag 2023-08-15 20:03:04 +03:00
Maxim Dounin
349c63ec61 nginx-1.25.2-RELEASE 2023-08-15 20:03:04 +03:00
Maxim Dounin
e58d3cdd4e Updated OpenSSL used for win32 builds. 2023-08-15 18:10:50 +03:00
Roman Arutyunyan
eeb8a9f56f QUIC: path MTU discovery.
MTU selection starts by doubling the initial MTU until the first failure.
Then binary search is used to find the path MTU.
2023-08-14 09:21:27 +04:00
Roman Arutyunyan
58fc5e2830 QUIC: allowed ngx_quic_frame_sendto() to return NGX_AGAIN.
Previously, NGX_AGAIN returned by ngx_quic_send() was treated by
ngx_quic_frame_sendto() as error, which triggered errors in its callers.
However, a blocked socket is not an error.  Now NGX_AGAIN is passed as is to
the ngx_quic_frame_sendto() callers, which can safely ignore it.
2023-08-08 10:43:17 +04:00
Roman Arutyunyan
8ab3889073 QUIC: removed explicit packet padding for certain frames.
The frames for which the padding is removed are PATH_CHALLENGE and
PATH_RESPONSE, which are sent separately by ngx_quic_frame_sendto().
2023-07-06 11:30:47 +04:00
Roman Arutyunyan
3990aaaa55 QUIC: removed path->limited flag.
Its value is the opposite of path->validated.
2023-07-06 17:49:01 +04:00
Roman Arutyunyan
4f3707c5c7 QUIC: fixed probe-congestion deadlock.
When probe timeout expired while congestion window was exhausted, probe PINGs
could not be sent.  As a result, lost packets could not be declared lost and
congestion window could not be freed for new packets.  This deadlock
continued until connection idle timeout expiration.

Now PINGs are sent separately from the frame queue without congestion control,
as specified by RFC 9002, Section 7:

  An endpoint MUST NOT send a packet if it would cause bytes_in_flight
  (see Appendix B.2) to be larger than the congestion window, unless the
  packet is sent on a PTO timer expiration (see Section 6.2) or when entering
  recovery (see Section 7.3.2).
2023-08-14 08:28:30 +04:00
Roman Arutyunyan
842a930b88 QUIC: fixed PTO expiration condition.
Previously, PTO handler analyzed the first packet in the sent queue for the
timeout expiration.  However, the last sent packet should be analyzed instead.
An example is timeout calculation in ngx_quic_set_lost_timer().
2023-08-01 11:21:59 +04:00
Roman Arutyunyan
57f87d6163 QUIC: avoid accessing freed frame.
Previously the field pnum of a potentially freed frame was accessed.  Now the
value is copied to a local variable.  The old behavior did not cause any
problems since the frame memory is not freed, but is moved to a free queue
instead.
2023-08-01 11:20:04 +04:00
Roman Arutyunyan
968293d5e7 QUIC: fixed congesion control in GSO mode.
In non-GSO mode, a datagram is sent if congestion window is not exceeded by the
time of send.  The window could be exceeded by a small amount after the send.
In GSO mode, congestion window was checked in a similar way, but for all
concatenated datagrams as a whole.  This could result in exceeding congestion
window by a lot.  Now congestion window is checked for every datagram in GSO
mode as well.
2023-07-27 13:35:42 +04:00
Roman Arutyunyan
6f5f17358e QUIC: always add ACK frame to the queue head.
Previously it was added to the tail as all other frames.  However, if the
amount of queued data is large, it could delay the delivery of ACK, which
could trigger frames retransmissions and slow down the connection.
2023-08-10 20:11:29 +04:00
Roman Arutyunyan
6e60e21ac0 QUIC: optimized ACK delay.
Previously ACK was not generated if max_ack_delay was not yet expired and the
number of unacknowledged ack-eliciting packets was less than two, as allowed by
RFC 9000 13.2.1-13.2.2.  However this only makes sense to avoid sending ACK-only
packets, as explained by the RFC:

  On the other hand, reducing the frequency of packets that carry only
  acknowledgments reduces packet transmission and processing cost at both
  endpoints.

Now ACK is delayed only if output frame queue is empty.  Otherwise ACK is sent
immediately, which significantly improves QUIC performance with certain tests.
2023-07-27 16:37:17 +04:00
Maxim Dounin
bdea5b703f SSL: avoid using OpenSSL config in build directory (ticket #2404).
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself.  And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.

Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
2023-06-21 01:29:53 +03:00
Maxim Dounin
2038b46e25 SSL: provided "nginx" appname when loading OpenSSL configs.
Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION).  Therefore this
change is not expected to introduce any compatibility issues with existing
configurations.  It does, however, make it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).

Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL.  This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.
2023-06-21 01:29:55 +03:00
Gena Makhomed
1c61837252 Contrib: vim syntax, update core and 3rd party module directives.
List of 3rd party modules github repositories was obtained from
https://github.com/freebsd/freebsd-ports/blob/main/www/nginx-devel/Makefile.extmod
2023-07-24 18:04:41 +03:00
Maxim Dounin
9e1a000f2b Core: fixed environment variables on exit.
Similarly to 6822:c045b4926b2c, environment variables introduced with
the "env" directive (and "NGINX_BPF_MAPS" added by QUIC) are now allocated
via ngx_alloc(), and explicitly freed by a cleanup handler if no longer used.

In collaboration with Sergey Kandaurov.
2023-07-19 05:09:23 +03:00
Sergey Kandaurov
4d3a9cc11f HTTP/3: fixed $body_bytes_sent. 2023-07-12 15:27:35 +04:00
Roman Arutyunyan
6bdfd58f26 QUIC: use AEAD to encrypt address validation tokens.
Previously used AES256-CBC is now substituted with AES256-GCM.  Although there
seem to be no tangible consequences of token integrity loss.
2023-06-08 14:58:01 +04:00
Sergey Kandaurov
b051754d9d QUIC: removed TLS1_3_CK_* macros wrap up.
They were preserved in 172705615d04 to ease transition from older BoringSSL.
2023-06-16 17:13:29 +04:00
Sergey Kandaurov
dc9017ee48 QUIC: style. 2023-06-20 17:59:02 +04:00
Sergey Kandaurov
68690b0345 QUIC: unified ngx_quic_tls_open() and ngx_quic_tls_seal(). 2023-06-20 17:59:01 +04:00
Roman Arutyunyan
69826dd4f7 QUIC: TLS_AES_128_CCM_SHA256 cipher suite support. 2023-06-20 16:10:49 +04:00
Roman Arutyunyan
3ee1051912 QUIC: common cipher control constants instead of GCM-related.
The constants are used for both GCM and CHACHAPOLY.
2023-06-09 10:23:22 +04:00
Roman Arutyunyan
58c11ee714 QUIC: a new constant for AEAD tag length.
Previously used constant EVP_GCM_TLS_TAG_LEN had misleading name since it was
used not only with GCM, but also with CHACHAPOLY.  Now a new constant
NGX_QUIC_TAG_LEN introduced.  Luckily all AEAD algorithms used by QUIC have
the same tag length of 16.
2023-06-09 10:25:54 +04:00
Roman Arutyunyan
8b28fd7f26 Version bump. 2023-06-20 17:01:00 +04:00