Mercurial > hg > nginx-quic
annotate src/event/quic/ngx_event_quic_socket.c @ 8728:ddd5e5c0f87d quic
QUIC: improved path validation.
Previously, path was considered valid during arbitrary selected 10m timeout
since validation. This is quite not what RFC 9000 says; the relevant
part is:
An endpoint MAY skip validation of a peer address if that
address has been seen recently.
The patch considers a path to be 'recently seen' if packets were received
during idle timeout. If a packet is received from the path that was seen
not so recently, such path is considered new, and anti-amplification
restrictions apply.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 13 Dec 2021 17:27:29 +0300 |
parents | aae8b91e0280 |
children | fb41e37ddeb0 |
rev | line source |
---|---|
8423 | 1 |
2 /* | |
3 * Copyright (C) Nginx, Inc. | |
4 */ | |
5 | |
6 | |
7 #include <ngx_config.h> | |
8 #include <ngx_core.h> | |
9 #include <ngx_event.h> | |
10 #include <ngx_event_quic_connection.h> | |
11 | |
12 | |
13 static ngx_int_t ngx_quic_create_temp_socket(ngx_connection_t *c, | |
14 ngx_quic_connection_t *qc, ngx_str_t *dcid, ngx_quic_path_t *path, | |
15 ngx_quic_client_id_t *cid); | |
16 | |
17 | |
18 ngx_int_t | |
19 ngx_quic_open_sockets(ngx_connection_t *c, ngx_quic_connection_t *qc, | |
20 ngx_quic_header_t *pkt) | |
21 { | |
22 ngx_quic_path_t *path; | |
23 ngx_quic_socket_t *qsock; | |
24 ngx_quic_client_id_t *cid; | |
25 | |
26 /* | |
27 * qc->nclient_ids = 0 | |
28 * qc->nsockets = 0 | |
29 * qc->max_retired_seqnum = 0 | |
30 * qc->client_seqnum = 0 | |
31 */ | |
32 | |
33 ngx_queue_init(&qc->sockets); | |
34 ngx_queue_init(&qc->free_sockets); | |
35 | |
36 ngx_queue_init(&qc->paths); | |
37 ngx_queue_init(&qc->free_paths); | |
38 | |
39 ngx_queue_init(&qc->client_ids); | |
40 ngx_queue_init(&qc->free_client_ids); | |
41 | |
42 qc->tp.original_dcid.len = pkt->odcid.len; | |
43 qc->tp.original_dcid.data = ngx_pstrdup(c->pool, &pkt->odcid); | |
44 if (qc->tp.original_dcid.data == NULL) { | |
45 return NGX_ERROR; | |
46 } | |
47 | |
48 /* socket to use for further processing */ | |
49 qsock = ngx_quic_alloc_socket(c, qc); | |
50 if (qsock == NULL) { | |
51 return NGX_ERROR; | |
52 } | |
53 | |
54 /* socket is listening at new server id (autogenerated) */ | |
55 if (ngx_quic_listen(c, qc, qsock) != NGX_OK) { | |
56 return NGX_ERROR; | |
57 } | |
58 | |
59 qc->tp.initial_scid.len = qsock->sid.len; | |
60 qc->tp.initial_scid.data = ngx_pnalloc(c->pool, qsock->sid.len); | |
61 if (qc->tp.initial_scid.data == NULL) { | |
62 goto failed; | |
63 } | |
64 ngx_memcpy(qc->tp.initial_scid.data, qsock->sid.id, qsock->sid.len); | |
65 | |
66 /* for all packets except first, this is set at udp layer */ | |
67 c->udp = &qsock->udp; | |
68 | |
69 /* ngx_quic_get_connection(c) macro is now usable */ | |
70 | |
71 /* we have a client identified by scid */ | |
72 cid = ngx_quic_create_client_id(c, &pkt->scid, 0, NULL); | |
73 if (cid == NULL) { | |
74 goto failed; | |
75 } | |
76 | |
77 /* the client arrived from this path */ | |
78 path = ngx_quic_add_path(c, c->sockaddr, c->socklen); | |
79 if (path == NULL) { | |
80 goto failed; | |
81 } | |
82 | |
83 if (pkt->validated) { | |
84 path->state = NGX_QUIC_PATH_VALIDATED; | |
85 } | |
86 | |
87 /* now bind socket to client and path */ | |
88 ngx_quic_connect(c, qsock, path, cid); | |
89 | |
90 if (ngx_quic_create_temp_socket(c, qc, &pkt->odcid, path, cid) != NGX_OK) { | |
91 goto failed; | |
92 } | |
93 | |
94 /* use this socket as default destination */ | |
95 qc->socket = qsock; | |
96 | |
97 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
98 "quic active socket is #%uL:%uL:%uL (%s)", | |
99 qsock->sid.seqnum, qsock->cid->seqnum, qsock->path->seqnum, | |
100 ngx_quic_path_state_str(qsock->path)); | |
101 | |
102 return NGX_OK; | |
103 | |
104 failed: | |
105 | |
106 ngx_rbtree_delete(&c->listening->rbtree, &qsock->udp.node); | |
107 c->udp = NULL; | |
108 | |
109 return NGX_ERROR; | |
110 } | |
111 | |
112 | |
113 static ngx_int_t | |
114 ngx_quic_create_temp_socket(ngx_connection_t *c, ngx_quic_connection_t *qc, | |
115 ngx_str_t *dcid, ngx_quic_path_t *path, ngx_quic_client_id_t *cid) | |
116 { | |
117 ngx_str_t id; | |
118 ngx_quic_socket_t *qsock; | |
119 ngx_quic_server_id_t *sid; | |
120 | |
121 qsock = ngx_quic_alloc_socket(c, qc); | |
122 if (qsock == NULL) { | |
123 return NGX_ERROR; | |
124 } | |
125 | |
126 sid = &qsock->sid; | |
127 | |
128 sid->seqnum = NGX_QUIC_UNSET_PN; /* mark socket as temporary */ | |
129 | |
130 sid->len = dcid->len; | |
131 ngx_memcpy(sid->id, dcid->data, dcid->len); | |
132 | |
133 id.len = sid->len; | |
134 id.data = sid->id; | |
135 | |
136 ngx_insert_udp_connection(c, &qsock->udp, &id); | |
137 | |
138 ngx_queue_insert_tail(&qc->sockets, &qsock->queue); | |
139 | |
140 qc->nsockets++; | |
141 qsock->quic = qc; | |
142 | |
143 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
144 "quic socket #%L listening at sid:%xV nsock:%ui", | |
145 (int64_t) sid->seqnum, &id, qc->nsockets); | |
146 | |
147 ngx_quic_connect(c, qsock, path, cid); | |
148 | |
149 return NGX_OK; | |
150 } | |
151 | |
152 | |
153 ngx_quic_socket_t * | |
154 ngx_quic_alloc_socket(ngx_connection_t *c, ngx_quic_connection_t *qc) | |
155 { | |
156 ngx_queue_t *q; | |
157 ngx_quic_socket_t *sock; | |
158 | |
159 if (!ngx_queue_empty(&qc->free_sockets)) { | |
160 | |
161 q = ngx_queue_head(&qc->free_sockets); | |
162 sock = ngx_queue_data(q, ngx_quic_socket_t, queue); | |
163 | |
164 ngx_queue_remove(&sock->queue); | |
165 | |
166 ngx_memzero(sock, sizeof(ngx_quic_socket_t)); | |
167 | |
168 } else { | |
169 | |
170 sock = ngx_pcalloc(c->pool, sizeof(ngx_quic_socket_t)); | |
171 if (sock == NULL) { | |
172 return NULL; | |
173 } | |
174 } | |
175 | |
176 return sock; | |
177 } | |
178 | |
179 | |
180 void | |
181 ngx_quic_close_socket(ngx_connection_t *c, ngx_quic_socket_t *qsock) | |
182 { | |
183 ngx_quic_connection_t *qc; | |
184 | |
185 qc = ngx_quic_get_connection(c); | |
186 | |
187 ngx_queue_remove(&qsock->queue); | |
188 ngx_queue_insert_head(&qc->free_sockets, &qsock->queue); | |
189 | |
190 ngx_rbtree_delete(&c->listening->rbtree, &qsock->udp.node); | |
191 qc->nsockets--; | |
192 | |
193 if (qsock->path) { | |
194 ngx_quic_unref_path(c, qsock->path); | |
195 } | |
196 | |
197 if (qsock->cid) { | |
198 ngx_quic_unref_client_id(c, qsock->cid); | |
199 } | |
200 | |
201 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
202 "quic socket #%L closed nsock:%ui", | |
203 (int64_t) qsock->sid.seqnum, qc->nsockets); | |
204 } | |
205 | |
206 | |
8700
b09f055daa4e
QUIC: fixed handling of RETIRE_CONNECTION_ID frame.
Vladimir Homutov <vl@nginx.com>
parents:
8650
diff
changeset
|
207 void |
8423 | 208 ngx_quic_unref_path(ngx_connection_t *c, ngx_quic_path_t *path) |
209 { | |
210 ngx_quic_connection_t *qc; | |
211 | |
212 path->refcnt--; | |
213 | |
214 if (path->refcnt) { | |
215 return; | |
216 } | |
217 | |
218 qc = ngx_quic_get_connection(c); | |
219 | |
220 ngx_queue_remove(&path->queue); | |
221 ngx_queue_insert_head(&qc->free_paths, &path->queue); | |
222 | |
223 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
224 "quic path #%uL addr:%V removed", | |
225 path->seqnum, &path->addr_text); | |
226 } | |
227 | |
228 | |
229 ngx_int_t | |
230 ngx_quic_listen(ngx_connection_t *c, ngx_quic_connection_t *qc, | |
231 ngx_quic_socket_t *qsock) | |
232 { | |
233 ngx_str_t id; | |
234 ngx_quic_server_id_t *sid; | |
235 | |
236 sid = &qsock->sid; | |
237 | |
238 sid->len = NGX_QUIC_SERVER_CID_LEN; | |
239 | |
240 if (ngx_quic_create_server_id(c, sid->id) != NGX_OK) { | |
241 return NGX_ERROR; | |
242 } | |
243 | |
244 sid->seqnum = qc->server_seqnum++; | |
245 | |
246 id.data = sid->id; | |
247 id.len = sid->len; | |
248 | |
249 ngx_insert_udp_connection(c, &qsock->udp, &id); | |
250 | |
251 ngx_queue_insert_tail(&qc->sockets, &qsock->queue); | |
252 | |
253 qc->nsockets++; | |
254 qsock->quic = qc; | |
255 | |
256 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
257 "quic socket #%uL listening at sid:%xV nsock:%ui", | |
258 sid->seqnum, &id, qc->nsockets); | |
259 | |
260 return NGX_OK; | |
261 } | |
262 | |
263 | |
264 void | |
265 ngx_quic_connect(ngx_connection_t *c, ngx_quic_socket_t *sock, | |
266 ngx_quic_path_t *path, ngx_quic_client_id_t *cid) | |
267 { | |
268 sock->path = path; | |
269 path->refcnt++; | |
270 | |
271 sock->cid = cid; | |
272 cid->refcnt++; | |
273 | |
274 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
275 "quic socket #%L connected to cid #%uL path:%uL", | |
276 (int64_t) sock->sid.seqnum, | |
277 sock->cid->seqnum, path->seqnum); | |
278 } | |
279 | |
280 | |
281 void | |
282 ngx_quic_close_sockets(ngx_connection_t *c) | |
283 { | |
284 ngx_queue_t *q; | |
285 ngx_quic_socket_t *qsock; | |
286 ngx_quic_connection_t *qc; | |
287 | |
288 qc = ngx_quic_get_connection(c); | |
289 | |
290 while (!ngx_queue_empty(&qc->sockets)) { | |
291 q = ngx_queue_head(&qc->sockets); | |
292 qsock = ngx_queue_data(q, ngx_quic_socket_t, queue); | |
293 | |
294 ngx_quic_close_socket(c, qsock); | |
295 } | |
296 } | |
297 | |
298 | |
299 ngx_quic_socket_t * | |
300 ngx_quic_find_socket(ngx_connection_t *c, uint64_t seqnum) | |
301 { | |
302 ngx_queue_t *q; | |
303 ngx_quic_socket_t *qsock; | |
304 ngx_quic_connection_t *qc; | |
305 | |
306 qc = ngx_quic_get_connection(c); | |
307 | |
308 for (q = ngx_queue_head(&qc->sockets); | |
309 q != ngx_queue_sentinel(&qc->sockets); | |
310 q = ngx_queue_next(q)) | |
311 { | |
312 qsock = ngx_queue_data(q, ngx_quic_socket_t, queue); | |
313 | |
314 if (qsock->sid.seqnum == seqnum) { | |
315 return qsock; | |
316 } | |
317 } | |
318 | |
319 return NULL; | |
320 } | |
321 | |
322 | |
323 ngx_quic_socket_t * | |
324 ngx_quic_get_unconnected_socket(ngx_connection_t *c) | |
325 { | |
326 ngx_queue_t *q; | |
327 ngx_quic_socket_t *sock; | |
328 ngx_quic_connection_t *qc; | |
329 | |
330 qc = ngx_quic_get_connection(c); | |
331 | |
332 for (q = ngx_queue_head(&qc->sockets); | |
333 q != ngx_queue_sentinel(&qc->sockets); | |
334 q = ngx_queue_next(q)) | |
335 { | |
336 sock = ngx_queue_data(q, ngx_quic_socket_t, queue); | |
337 | |
338 if (sock->cid == NULL) { | |
339 return sock; | |
340 } | |
341 } | |
342 | |
343 return NULL; | |
8650 | 344 } |