nginx: src/event/quic/ngx_event

comparison src/event/quic/ngx_event_quic.c @ 8971:1e2f4e9c8195 quic

QUIC: reworked migration handling. The quic connection now holds active, backup and probe paths instead of sockets. The number of migration paths is now limited and cannot be inflated by a bad client or an attacker. The client id is now associated with path rather than socket. This allows to simplify processing of output and connection ids handling. New migration abandons any previously started migrations. This allows to free consumed client ids and request new for use in future migrations and make progress in case when connection id limit is hit during migration. A path now can be revalidated without losing its state. The patch also fixes various issues with NAT rebinding case handling: - paths are now validated (previously, there was no validation and paths were left in limited state) - attempt to reuse id on different path is now again verified (this was broken in 40445fc7c403) - former path is now validated in case of apparent migration

author	Vladimir Homutov <vl@nginx.com>
date	Wed, 19 Jan 2022 22:39:24 +0300
parents	03b40440c13d
children	c37ea624c307

comparison

equal deleted inserted replaced

-:7106a918a277
+:1e2f4e9c8195
 ngx_str_t               scid;
 ngx_quic_connection_t  *qc;
 qc = ngx_quic_get_connection(c);
-scid.data = qc->socket->cid->id;
+scid.data = qc->path->cid->id;
-scid.len = qc->socket->cid->len;
+scid.len = qc->path->cid->len;
 if (scid.len != ctp->initial_scid.len
 || ngx_memcmp(scid.data, ctp->initial_scid.data, scid.len) != 0)
 {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 q != ngx_queue_sentinel(&qc->client_ids);
 q = ngx_queue_next(q))
 {
 cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
-if (cid->seqnum == 0 || cid->refcnt == 0) {
+if (cid->seqnum == 0 || !cid->used) {
 /*
 * No stateless reset token in initial connection id.
 * Don't accept a token from an unused connection id.
 */
 continue;
 {
 size_t                  size;
 u_char                 *p, *start;
 ngx_int_t               rc;
 ngx_uint_t              good;
+ngx_quic_path_t        *path;
 ngx_quic_header_t       pkt;
 ngx_quic_connection_t  *qc;
 good = 0;
+path = NULL;
 size = b->last - b->pos;
 p = start = b->pos;
 pkt.raw = b;
 pkt.data = p;
 pkt.len = b->last - p;
 pkt.log = c->log;
 pkt.first = (p == start) ? 1 : 0;
+pkt.path = path;
 pkt.flags = p[0];
 pkt.raw->pos++;
 rc = ngx_quic_handle_packet(c, conf, &pkt);
 }
 if (rc == NGX_OK) {
 good = 1;
 }
+path = pkt.path; /* preserve packet path from 1st packet */
 /* NGX_OK || NGX_DECLINED */
 /*
 * we get NGX_DECLINED when there are no keys [yet] available
 "quic version mismatch: 0x%xD", pkt->version);
 return NGX_DECLINED;
 }
 if (pkt->first) {
-if (ngx_quic_find_path(c, c->udp->dgram->sockaddr,
+if (ngx_cmp_sockaddr(c->udp->dgram->sockaddr,
-c->udp->dgram->socklen)
+c->udp->dgram->socklen,
-== NULL)
+qc->path->sockaddr, qc->path->socklen, 1)
+!= NGX_OK)
 {
 /* packet comes from unknown path, possibly migration */
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic too early migration attempt");
-return NGX_DECLINED;
+return NGX_DONE;
 }
 }
 if (ngx_quic_check_csid(qc, pkt) != NGX_OK) {
 return NGX_DECLINED;
 return rc;
 }
 pkt->decrypted = 1;
-if (pkt->first) {
+c->log->action = "handling decrypted packet";
-if (ngx_quic_update_paths(c, pkt) != NGX_OK) {
-return NGX_ERROR;
+if (pkt->path == NULL) {
+rc = ngx_quic_set_path(c, pkt);
+if (rc != NGX_OK) {
+return rc;
 }
 }
 if (c->ssl == NULL) {
 if (ngx_quic_init_connection(c) != NGX_OK) {
 * The successful use of Handshake packets indicates
 * that no more Initial packets need to be exchanged
 */
 ngx_quic_discard_ctx(c, ssl_encryption_initial);
-if (qc->socket->path->state != NGX_QUIC_PATH_VALIDATED) {
+if (!qc->path->validated) {
-qc->socket->path->state = NGX_QUIC_PATH_VALIDATED;
+qc->path->validated = 1;
-qc->socket->path->limited = 0;
+qc->path->limited = 0;
+ngx_quic_path_dbg(c, "in handshake", qc->path);
 ngx_post_event(&qc->push, &ngx_posted_events);
 }
 }
 if (qc->closing) {
 ssize_t                 len;
 ngx_buf_t               buf;
 ngx_uint_t              do_close, nonprobing;
 ngx_chain_t             chain;
 ngx_quic_frame_t        frame;
-ngx_quic_socket_t      *qsock;
 ngx_quic_connection_t  *qc;
 qc = ngx_quic_get_connection(c);
 p = pkt->payload.data;
 break;
 case NGX_QUIC_FT_PATH_CHALLENGE:
-if (ngx_quic_handle_path_challenge_frame(c, &frame.u.path_challenge)
+if (ngx_quic_handle_path_challenge_frame(c, pkt,
+&frame.u.path_challenge)
 != NGX_OK)
 {
 return NGX_ERROR;
 }
 if (do_close) {
 qc->draining = 1;
 ngx_quic_close_connection(c, NGX_OK);
 }
-qsock = ngx_quic_get_socket(c);
+if (pkt->path != qc->path && nonprobing) {
-if (qsock != qc->socket) {
-if (qsock->path != qc->socket->path && nonprobing) {
-/*
-* RFC 9000, 9.2.  Initiating Connection Migration
-*
-* An endpoint can migrate a connection to a new local
-* address by sending packets containing non-probing frames
-* from that address.
-*/
-if (ngx_quic_handle_migration(c, pkt) != NGX_OK) {
-return NGX_ERROR;
-}
-}
 /*
-* else: packet arrived via non-default socket;
+* RFC 9000, 9.2.  Initiating Connection Migration
-*       no reason to change active path
+*
+* An endpoint can migrate a connection to a new local
+* address by sending packets containing non-probing frames
+* from that address.
 */
+if (ngx_quic_handle_migration(c, pkt) != NGX_OK) {
+return NGX_ERROR;
+}
 }
 if (ngx_quic_ack_packet(c, pkt) != NGX_OK) {
 return NGX_ERROR;
 }

Mercurial > hg > nginx

comparison src/event/quic/ngx_event_quic.c @ 8971:1e2f4e9c8195 quic