diff src/event/quic/ngx_event_quic_migration.c @ 8763:4117aa7fa38e quic

QUIC: connection migration. The patch adds proper transitions between multiple networking addresses that can be used by a single quic connection. New networking paths are validated using PATH_CHALLENGE/PATH_RESPONSE frames.
author Vladimir Homutov <vl@nginx.com>
date Thu, 29 Apr 2021 15:35:02 +0300
parents c8bda5e1e662
children d5f93733c17d
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -10,25 +10,71 @@
 #include <ngx_event_quic_connection.h>
 
 
+static void ngx_quic_set_connection_path(ngx_connection_t *c,
+    ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_validate_path(ngx_connection_t *c,
+    ngx_quic_socket_t *qsock);
+static ngx_int_t ngx_quic_send_path_challenge(ngx_connection_t *c,
+    ngx_quic_path_t *path);
+static ngx_int_t ngx_quic_path_restore(ngx_connection_t *c);
+static ngx_quic_path_t *ngx_quic_alloc_path(ngx_connection_t *c);
+
+
 ngx_int_t
 ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
     ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f)
 {
-    ngx_quic_frame_t       *frame;
+    off_t                   max, pad;
+    ssize_t                 sent;
+    ngx_quic_path_t        *path;
+    ngx_quic_frame_t        frame, *fp;
+    ngx_quic_socket_t      *qsock;
     ngx_quic_connection_t  *qc;
 
     qc = ngx_quic_get_connection(c);
 
-    frame = ngx_quic_alloc_frame(c);
-    if (frame == NULL) {
+    frame.level = pkt->level;
+    frame.type = NGX_QUIC_FT_PATH_RESPONSE;
+    frame.u.path_response = *f;
+
+    /*
+     * A PATH_RESPONSE frame MUST be sent on the network path where the
+     * PATH_CHALLENGE was received.
+     */
+    qsock = ngx_quic_get_socket(c);
+    path = qsock->path;
+
+    /*
+     *  An endpoint MUST NOT expand the datagram containing the PATH_RESPONSE
+     *  if the resulting data exceeds the anti-amplification limit.
+     */
+    max = path->received * 3;
+    max = (path->sent >= max) ? 0 : max - path->sent;
+    pad = ngx_min(1200, max);
+
+    sent = ngx_quic_frame_sendto(c, &frame, pad, path->sockaddr, path->socklen);
+    if (sent == -1) {
         return NGX_ERROR;
     }
 
-    frame->level = pkt->level;
-    frame->type = NGX_QUIC_FT_PATH_RESPONSE;
-    frame->u.path_response = *f;
+    path->sent += sent;
+
+    if (qsock == qc->socket) {
+        /*
+         * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD
+         * send a non-probing packet in response.
+         */
 
-    ngx_quic_queue_frame(qc, frame);
+        fp = ngx_quic_alloc_frame(c);
+        if (fp == NULL) {
+            return NGX_ERROR;
+        }
+
+        fp->level = pkt->level;
+        fp->type = NGX_QUIC_FT_PING;
+
+        ngx_quic_queue_frame(qc, fp);
+    }
 
     return NGX_OK;
 }
@@ -38,7 +84,648 @@ ngx_int_t
 ngx_quic_handle_path_response_frame(ngx_connection_t *c,
     ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f)
 {
-    /* TODO */
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path, *prev;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    /*
+     * A PATH_RESPONSE frame received on any network path validates the path
+     * on which the PATH_CHALLENGE was sent.
+     */
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (path->state != NGX_QUIC_PATH_VALIDATING) {
+            continue;
+        }
+
+        if (ngx_memcmp(path->challenge1, f->data, sizeof(f->data)) == 0
+            || ngx_memcmp(path->challenge2, f->data, sizeof(f->data)) == 0)
+        {
+            goto valid;
+        }
+    }
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                  "quic stale PATH_RESPONSE ignored");
+
+    return NGX_OK;
+
+valid:
+
+    /*
+     * On confirming a peer's ownership of its new address,
+     * an endpoint MUST immediately reset the congestion controller
+     * and round-trip time estimator for the new path
+     * to initial values
+     * ...unless the only change in the peer's address is its port number.
+     */
+
+    prev = qc->backup->path;
+
+    if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen,
+                         path->sockaddr, path->socklen, 0)
+        != NGX_OK)
+    {
+        /* address has changed */
+        ngx_memzero(&qc->congestion, sizeof(ngx_quic_congestion_t));
+
+        qc->congestion.window = ngx_min(10 * qc->tp.max_udp_payload_size,
+                                   ngx_max(2 * qc->tp.max_udp_payload_size,
+                                           14720));
+        qc->congestion.ssthresh = (size_t) -1;
+        qc->congestion.recovery_start = ngx_current_msec;
+    }
+
+    /*
+     *  After verifying a new client address, the server SHOULD
+     *  send new address validation tokens (Section 8) to the client.
+     */
+
+    if (ngx_quic_send_new_token(c, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                   "quic path #%uL successfully validated", path->seqnum);
+
+    path->state = NGX_QUIC_PATH_VALIDATED;
+    path->validated_at = ngx_time();
+
+    return NGX_OK;
+}
+
+
+static ngx_quic_path_t *
+ngx_quic_alloc_path(ngx_connection_t *c)
+{
+    ngx_queue_t            *q;
+    struct sockaddr        *sa;
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_queue_empty(&qc->free_paths)) {
+
+        q = ngx_queue_head(&qc->free_paths);
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        ngx_queue_remove(&path->queue);
+
+        sa = path->sockaddr;
+        ngx_memzero(path, sizeof(ngx_quic_path_t));
+        path->sockaddr = sa;
+
+    } else {
+
+        path = ngx_pcalloc(c->pool, sizeof(ngx_quic_path_t));
+        if (path == NULL) {
+            return NULL;
+        }
+
+        path->sockaddr = ngx_palloc(c->pool, NGX_SOCKADDRLEN);
+        if (path->sockaddr == NULL) {
+            return NULL;
+        }
+    }
+
+    return path;
+}
+
+
+ngx_quic_path_t *
+ngx_quic_add_path(ngx_connection_t *c, struct sockaddr *sockaddr,
+    socklen_t socklen)
+{
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    path = ngx_quic_alloc_path(c);
+    if (path == NULL) {
+        return NULL;
+    }
+
+    path->seqnum = qc->path_seqnum++;
+
+    path->socklen = socklen;
+    ngx_memcpy(path->sockaddr, sockaddr, socklen);
+
+    path->addr_text.data = path->text;
+    path->addr_text.len = ngx_sock_ntop(sockaddr, socklen, path->text,
+                                        NGX_SOCKADDR_STRLEN, 1);
+
+    ngx_queue_insert_tail(&qc->paths, &path->queue);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic path #%uL created src:%V",
+                   path->seqnum, &path->addr_text);
+
+    return path;
+}
+
+
+ngx_quic_path_t *
+ngx_quic_find_path(ngx_connection_t *c, struct sockaddr *sockaddr,
+    socklen_t socklen)
+{
+    ngx_queue_t            *q;
+    ngx_quic_path_t        *path;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (ngx_cmp_sockaddr(sockaddr, socklen,
+                             path->sockaddr, path->socklen, 1)
+            == NGX_OK)
+        {
+            return path;
+        }
+    }
+
+    return NULL;
+}
+
+
+ngx_int_t
+ngx_quic_check_migration(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    ngx_quic_path_t        *path;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    qsock = ngx_quic_get_socket(c);
+
+    if (c->udp->dgram == NULL) {
+        /* 2nd QUIC packet in first UDP datagram */
+        return NGX_OK;
+    }
+
+    path = ngx_quic_find_path(c, c->udp->dgram->sockaddr,
+                              c->udp->dgram->socklen);
+    if (path == NULL) {
+        /* packet comes from unknown path, possibly migration */
+
+        if (qc->tp.disable_active_migration) {
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic migration disabled, dropping packet "
+                           "from unknown path");
+            return NGX_DECLINED;
+        }
+
+        if (pkt->level != ssl_encryption_application) {
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                           "quic too early migration attempt");
+            return NGX_DECLINED;
+        }
+
+        return NGX_OK;
+    }
+
+    /* packet from known path */
+
+    if (qsock->path == NULL) {
+        /* client switched to previously unused server id */
+        return NGX_OK;
+    }
+
+    if (path == qsock->path) {
+        /* regular packet to expected path */
+        return NGX_OK;
+    }
+
+    /* client is trying to use server id already used on other path */
+
+    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic attempt to use socket #%uL:%uL:%uL with path #%uL",
+                   qsock->sid.seqnum, qsock->cid->seqnum,
+                   qsock->path->seqnum, path->seqnum);
+
+    return NGX_DECLINED;
+}
+
+
+ngx_int_t
+ngx_quic_update_paths(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    off_t                   len;
+    ngx_quic_path_t        *path;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_client_id_t   *cid;
+    ngx_quic_connection_t  *qc;
+
+    qsock = ngx_quic_get_socket(c);
+    path = qsock->path;
+
+    if (path) {
+        goto update;
+    }
+
+    path = ngx_quic_find_path(c, c->udp->dgram->sockaddr,
+                              c->udp->dgram->socklen);
+
+    if (path == NULL) {
+        path = ngx_quic_add_path(c, c->udp->dgram->sockaddr,
+                                 c->udp->dgram->socklen);
+        if (path == NULL) {
+            return NGX_ERROR;
+        }
+    }
+
+    cid = ngx_quic_next_client_id(c);
+    if (cid == NULL) {
+        qc = ngx_quic_get_connection(c);
+        qc->error = NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
+        qc->error_reason = "no available client ids for new path";
+
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                      "no available client ids for new path");
+
+        return NGX_ERROR;
+    }
+
+    ngx_quic_connect(c, qsock, path, cid);
+
+update:
+
+    if (pkt->raw->start == pkt->data) {
+        len = pkt->raw->last - pkt->raw->start;
+
+    } else {
+        len = 0;
+    }
+
+    /* TODO: this may be too late in some cases;
+     *       for example, if error happens during decrypt(), we cannot
+     *       send CC, if error happens in 1st packet, due to amplification
+     *       limit, because path->received = 0
+     *
+     *       should we account garbage as received or only decrypting packets?
+     */
+    path->received += len;
+
+    ngx_log_debug6(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic packet via #%uL:%uL:%uL"
+                   " size:%O path recvd:%O sent:%O",
+                   qsock->sid.seqnum, qsock->cid->seqnum, path->seqnum,
+                   len, path->received, path->sent);
+
     return NGX_OK;
 }
 
+
+static void
+ngx_quic_set_connection_path(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    size_t  len;
+
+    ngx_memcpy(c->sockaddr, path->sockaddr,  path->socklen);
+    c->socklen = path->socklen;
+
+    if (c->addr_text.data) {
+        len = ngx_min(c->addr_text.len, path->addr_text.len);
+
+        ngx_memcpy(c->addr_text.data, path->addr_text.data, len);
+        c->addr_text.len = len;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic send path set to #%uL addr:%V",
+                   path->seqnum, &path->addr_text);
+}
+
+
+ngx_int_t
+ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    ngx_quic_path_t        *next;
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    /* got non-probing packet via non-active socket with different path */
+
+    qc = ngx_quic_get_connection(c);
+
+    /* current socket, different from active */
+    qsock = ngx_quic_get_socket(c);
+
+    next = qsock->path; /* going to migrate to this path... */
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                   "quic migration from #%uL:%uL:%uL (%s)"
+                   " to #%uL:%uL:%uL (%s)",
+                   qc->socket->sid.seqnum, qc->socket->cid->seqnum,
+                   qc->socket->path->seqnum,
+                   ngx_quic_path_state_str(qc->socket->path),
+                   qsock->sid.seqnum, qsock->cid->seqnum, next->seqnum,
+                   ngx_quic_path_state_str(next));
+
+    switch (next->state) {
+    case NGX_QUIC_PATH_NEW:
+        if (ngx_quic_validate_path(c, qsock) != NGX_OK) {
+            return NGX_ERROR;
+        }
+        break;
+
+    /* migration to previously known path */
+
+    case NGX_QUIC_PATH_VALIDATING:
+        /* alredy validating, nothing to do */
+        break;
+
+    case NGX_QUIC_PATH_VALIDATED:
+        /* if path is old enough, revalidate */
+        if (ngx_time() - next->validated_at > NGX_QUIC_PATH_VALID_TIME) {
+
+            next->state = NGX_QUIC_PATH_NEW;
+
+            if (ngx_quic_validate_path(c, qsock) != NGX_OK) {
+                return NGX_ERROR;
+            }
+        }
+
+        break;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+    /*
+     * An endpoint only changes the address to which it sends packets in
+     * response to the highest-numbered non-probing packet.
+     */
+    if (pkt->pn != ctx->largest_pn) {
+        return NGX_OK;
+    }
+
+    /* switching connection to new path */
+
+    ngx_quic_set_connection_path(c, next);
+
+    /*
+     * An endpoint MUST NOT reuse a connection ID when sending to
+     * more than one destination address.
+     */
+
+    /* preserve valid path we are migrating from */
+    if (qc->socket->path->state == NGX_QUIC_PATH_VALIDATED) {
+
+        if (qc->backup) {
+            ngx_quic_close_socket(c, qc->backup);
+        }
+
+        qc->backup = qc->socket;
+
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                   "quic backup socket is now #%uL:%uL:%uL (%s)",
+                   qc->backup->sid.seqnum, qc->backup->cid->seqnum,
+                   qc->backup->path->seqnum,
+                   ngx_quic_path_state_str(qc->backup->path));
+    }
+
+    qc->socket = qsock;
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                   "quic active socket is now #%uL:%uL:%uL (%s)",
+                   qsock->sid.seqnum, qsock->cid->seqnum,
+                   qsock->path->seqnum, ngx_quic_path_state_str(qsock->path));
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_validate_path(ngx_connection_t *c, ngx_quic_socket_t *qsock)
+{
+    ngx_msec_t              pto;
+    ngx_quic_path_t        *path;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    path = qsock->path;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic initiated validation of new path #%uL",
+                   path->seqnum);
+
+    path->state = NGX_QUIC_PATH_VALIDATING;
+
+    if (RAND_bytes(path->challenge1, 8) != 1) {
+        return NGX_ERROR;
+    }
+
+    if (RAND_bytes(path->challenge2, 8) != 1) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_quic_send_path_challenge(c, path) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+    pto = ngx_quic_pto(c, ctx);
+
+    path->expires = ngx_current_msec + pto;
+    path->tries = NGX_QUIC_PATH_RETRIES;
+
+    if (!qc->path_validation.timer_set) {
+        ngx_add_timer(&qc->path_validation, pto);
+    }
+
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_quic_send_path_challenge(ngx_connection_t *c, ngx_quic_path_t *path)
+{
+    off_t             max, pad;
+    ssize_t           sent;
+    ngx_quic_frame_t  frame;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic path #%uL send path challenge tries:%ui",
+                   path->seqnum, path->tries);
+
+    frame.level = ssl_encryption_application;
+    frame.type = NGX_QUIC_FT_PATH_CHALLENGE;
+
+    ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8);
+
+    /*
+     * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame
+     * to at least the smallest allowed maximum datagram size of 1200 bytes,
+     * unless the anti-amplification limit for the path does not permit
+     * sending a datagram of this size.
+     */
+
+     /* same applies to PATH_RESPONSE frames */
+
+    max = path->received * 3;
+    max = (path->sent >= max) ? 0 : max - path->sent;
+    pad = ngx_min(1200, max);
+
+    sent = ngx_quic_frame_sendto(c, &frame, pad, path->sockaddr, path->socklen);
+    if (sent == -1) {
+        return NGX_ERROR;
+    }
+
+    path->sent += sent;
+
+    ngx_memcpy(frame.u.path_challenge.data, path->challenge2, 8);
+
+    max = (path->sent >= max) ? 0 : max - path->sent;
+    pad = ngx_min(1200, max);
+
+    sent = ngx_quic_frame_sendto(c, &frame, pad, path->sockaddr, path->socklen);
+    if (sent == -1) {
+        return NGX_ERROR;
+    }
+
+    path->sent += sent;
+
+    return NGX_OK;
+}
+
+
+void
+ngx_quic_path_validation_handler(ngx_event_t *ev)
+{
+    ngx_msec_t              now;
+    ngx_queue_t            *q;
+    ngx_msec_int_t          left, next, pto;
+    ngx_quic_path_t        *path;
+    ngx_connection_t       *c;
+    ngx_quic_send_ctx_t    *ctx;
+    ngx_quic_connection_t  *qc;
+
+    c = ev->data;
+    qc = ngx_quic_get_connection(c);
+
+    ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
+    pto = ngx_quic_pto(c, ctx);
+
+    next = -1;
+    now = ngx_current_msec;
+
+    for (q = ngx_queue_head(&qc->paths);
+         q != ngx_queue_sentinel(&qc->paths);
+         q = ngx_queue_next(q))
+    {
+        path = ngx_queue_data(q, ngx_quic_path_t, queue);
+
+        if (path->state != NGX_QUIC_PATH_VALIDATING) {
+            continue;
+        }
+
+        left = path->expires - now;
+
+        if (left > 0) {
+
+            if (next == -1 || left < next) {
+                next = path->expires;
+            }
+
+            continue;
+        }
+
+        if (--path->tries) {
+            path->expires = ngx_current_msec + pto;
+
+            if (next == -1 || pto < next) {
+                next = pto;
+            }
+
+            /* retransmit */
+            (void) ngx_quic_send_path_challenge(c, path);
+
+            continue;
+        }
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ev->log, 0,
+                       "quic path #%uL validation failed", path->seqnum);
+
+        /* found expired path */
+
+        path->state = NGX_QUIC_PATH_NEW;
+
+        /*
+         * If the timer fires before the PATH_RESPONSE is received, the
+         * endpoint might send a new PATH_CHALLENGE, and restart the timer for
+         * a longer period of time. This timer SHOULD be set as described in
+         * Section 6.2.1 of [QUIC-RECOVERY] and MUST NOT be more aggressive.
+         */
+
+        if (qc->socket->path != path) {
+            /* the path was not actually used */
+            continue;
+        }
+
+        if (ngx_quic_path_restore(c) != NGX_OK) {
+            qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH;
+            qc->error_reason = "no viable path";
+            ngx_quic_close_connection(c, NGX_ERROR);
+            return;
+        }
+    }
+
+    if (next != -1) {
+        ngx_add_timer(&qc->path_validation, next);
+    }
+}
+
+
+static ngx_int_t
+ngx_quic_path_restore(ngx_connection_t *c)
+{
+    ngx_quic_socket_t      *qsock;
+    ngx_quic_connection_t  *qc;
+
+    qc = ngx_quic_get_connection(c);
+
+    /* Failure to validate a path does not cause the connection to end */
+
+    /*
+     * To protect the connection from failing due to such a spurious
+     * migration, an endpoint MUST revert to using the last validated
+     * peer address when validation of a new peer address fails.
+     */
+
+    if (qc->backup == NULL) {
+        return NGX_ERROR;
+    }
+
+    qc->socket = qc->backup;
+    qc->backup = NULL;
+
+    qsock = qc->socket;
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                   "quic active socket is restored to #%uL:%uL:%uL"
+                   " (%s), no backup",
+                   qsock->sid.seqnum, qsock->cid->seqnum, qsock->path->seqnum,
+                   ngx_quic_path_state_str(qsock->path));
+
+    ngx_quic_set_connection_path(c, qsock->path);
+
+    return NGX_OK;
+}