Mercurial > hg > nginx

changeset 8223:61f9b873e2e7 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Firefox fixes. + support for more than one initial packet + workaround for trailing zeroes in packet + ignore application data packet if no keys yet (issue in draft 27/ff nightly) + fixed PING frame parser + STREAM frames need to be acknowledged The following HTTP configuration is used for firefox (v74): http { ssl_certificate_key localhost.key; ssl_certificate localhost.crt; ssl_protocols TLSv1.2 TLSv1.3; server { listen 127.0.0.1:10368 reuseport http3; ssl_quic on; server_name localhost; location / { return 200 "This-is-QUICK\n"; } } server { listen 127.0.0.1:5555 ssl; # point the browser here server_name localhost; location / { add_header Alt-Svc 'h3-24=":10368";ma=100'; return 200 "ALT-SVC"; } } }
author Vladimir Homutov <vl@nginx.com>
date Tue, 17 Mar 2020 14:10:37 +0300
parents bec4cd55361e
children ae35ccba7aa6
files src/event/ngx_event_quic.c src/event/ngx_event_quic.h
diffstat 2 files changed, 63 insertions(+), 9 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -205,6 +205,8 @@ static void ngx_quic_rbtree_insert_strea
 static void ngx_quic_handshake_handler(ngx_event_t *rev);
 static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c,
     ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_initial_input(ngx_connection_t *c,
+    ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_app_input(ngx_connection_t *c,
     ngx_quic_header_t *pkt);
 
@@ -389,6 +391,7 @@ static ngx_int_t
 ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b)
 {
     u_char             *p;
+    ngx_int_t           rc;
     ngx_quic_header_t   pkt;
 
     if (c->quic == NULL) {
@@ -405,16 +408,33 @@ ngx_quic_input(ngx_connection_t *c, ngx_
         pkt.data = p;
         pkt.len = b->last - p;
 
+        if (p[0] == 0) {
+            /* XXX: no idea WTF is this, just ignore */
+            ngx_log_error(NGX_LOG_ALERT, c->log, 0, "FIREFOX: ZEROES");
+            break;
+        }
+
+        // TODO: check current state
         if (p[0] & NGX_QUIC_PKT_LONG) {
-            // TODO: check current state
-            if (ngx_quic_handshake_input(c, &pkt) != NGX_OK) {
+
+            if ((p[0] & 0xf0) == NGX_QUIC_PKT_INITIAL) {
+                rc = ngx_quic_initial_input(c, &pkt);
+
+            } else if ((p[0] & 0xf0) == NGX_QUIC_PKT_HANDSHAKE) {
+                rc = ngx_quic_handshake_input(c, &pkt);
+
+            } else {
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "BUG: unknown quic state");
                 return NGX_ERROR;
             }
-        } else {
 
-            if (ngx_quic_app_input(c, &pkt) != NGX_OK) {
-                return NGX_ERROR;
-            }
+        } else {
+            rc = ngx_quic_app_input(c, &pkt);
+        }
+
+        if (rc == NGX_ERROR) {
+            return NGX_ERROR;
         }
 
         /* b->pos is at header end, adjust by actual packet length */
@@ -1073,7 +1093,6 @@ ngx_quic_read_frame(ngx_connection_t *c,
 
     case NGX_QUIC_FT_PING:
         ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "PING frame");
-        p++;
         break;
 
     case NGX_QUIC_FT_NEW_CONNECTION_ID:
@@ -1489,6 +1508,8 @@ ngx_quic_payload_handler(ngx_connection_
         case NGX_QUIC_FT_STREAM6:
         case NGX_QUIC_FT_STREAM7:
 
+            ack_this = 1;
+
             ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0,
                            "STREAM frame 0x%xi id 0x%xi offset 0x%xi len 0x%xi bits:off=%d len=%d fin=%d",
                            frame.type,
@@ -1775,6 +1796,34 @@ ngx_quic_new_connection(ngx_connection_t
 
 
 static ngx_int_t
+ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
+{
+    ngx_ssl_conn_t         *ssl_conn;
+    ngx_quic_connection_t  *qc;
+
+    qc = c->quic;
+    ssl_conn = c->ssl->connection;
+
+    if (ngx_quic_process_long_header(c, pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_quic_process_initial_header(c, pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    pkt->secret = &qc->secrets.client.in;
+    pkt->level = ssl_encryption_initial;
+
+    if (ngx_quic_decrypt(c->pool, ssl_conn, pkt) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return ngx_quic_payload_handler(c, pkt);
+}
+
+
+static ngx_int_t
 ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
     ngx_ssl_conn_t         *ssl_conn;
@@ -1836,7 +1885,11 @@ ngx_quic_app_input(ngx_connection_t *c, 
 
     qc = c->quic;
 
-    /* TODO: this is a stub, untested */
+    if (qc->secrets.client.ad.key.len == 0) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "no read keys yet, packet ignored");
+        return NGX_DECLINED;
+    }
 
     if (ngx_quic_process_short_header(c, pkt) != NGX_OK) {
         return NGX_ERROR;
--- a/src/event/ngx_event_quic.h
+++ b/src/event/ngx_event_quic.h
@@ -11,7 +11,8 @@
 #include <ngx_event_openssl.h>
 
 
-#define quic_version                       0xff000018  /* draft-24 */
+#define quic_version                       0xff000018  /* draft-24 (ngtcp2) */
+//#define quic_version                       0xff00001b  /* draft-27 (FFN 76) */
 
 /* 17.2.  Long Header Packets */