One Level Up Top Level

src/event/quic/ngx_event_quic_connid.c - nginx source code

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Nginx, Inc.
  4. */


  7. #include <ngx_config.h>
  8. #include <ngx_core.h>
  9. #include <ngx_event.h>
  10. #include <ngx_event_quic_connection.h>

  12. #define NGX_QUIC_MAX_SERVER_IDS   8


  15. #if (NGX_QUIC_BPF)
  16. static ngx_int_t ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id);
  17. #endif
  18. static ngx_int_t ngx_quic_retire_client_id(ngx_connection_t *c,
  19.     ngx_quic_client_id_t *cid);
  20. static ngx_quic_client_id_t *ngx_quic_alloc_client_id(ngx_connection_t *c,
  21.     ngx_quic_connection_t *qc);
  22. static ngx_int_t ngx_quic_send_server_id(ngx_connection_t *c,
  23.     ngx_quic_server_id_t *sid);


  26. ngx_int_t
  27. ngx_quic_create_server_id(ngx_connection_t *c, u_char *id)
  28. {
  29.     if (RAND_bytes(id, NGX_QUIC_SERVER_CID_LEN) != 1) {
  30.         return NGX_ERROR;
  31.     }

  33. #if (NGX_QUIC_BPF)
  34.     if (ngx_quic_bpf_attach_id(c, id) != NGX_OK) {
  35.         ngx_log_error(NGX_LOG_ERR, c->log, 0,
  36.                       "quic bpf failed to generate socket key");
  37.         /* ignore error, things still may work */
  38.     }
  39. #endif

  41.     return NGX_OK;
  42. }


  45. #if (NGX_QUIC_BPF)

  47. static ngx_int_t
  48. ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id)
  49. {
  50.     int        fd;
  51.     uint64_t   cookie;
  52.     socklen_t  optlen;

  54.     fd = c->listening->fd;

  56.     optlen = sizeof(cookie);

  58.     if (getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &optlen) == -1) {
  59.         ngx_log_error(NGX_LOG_ERR, c->log, ngx_socket_errno,
  60.                       "quic getsockopt(SO_COOKIE) failed");

  62.         return NGX_ERROR;
  63.     }

  65.     ngx_quic_dcid_encode_key(id, cookie);

  67.     return NGX_OK;
  68. }

  70. #endif


  73. ngx_int_t
  74. ngx_quic_handle_new_connection_id_frame(ngx_connection_t *c,
  75.     ngx_quic_new_conn_id_frame_t *f)
  76. {
  77.     ngx_str_t               id;
  78.     ngx_queue_t            *q;
  79.     ngx_quic_frame_t       *frame;
  80.     ngx_quic_client_id_t   *cid, *item;
  81.     ngx_quic_connection_t  *qc;

  83.     qc = ngx_quic_get_connection(c);

  85.     if (f->seqnum < qc->max_retired_seqnum) {
  86.         /*
  87.          * RFC 9000, 19.15.  NEW_CONNECTION_ID Frame
  88.          *
  89.          *  An endpoint that receives a NEW_CONNECTION_ID frame with
  90.          *  a sequence number smaller than the Retire Prior To field
  91.          *  of a previously received NEW_CONNECTION_ID frame MUST send
  92.          *  a corresponding RETIRE_CONNECTION_ID frame that retires
  93.          *  the newly received connection ID, unless it has already
  94.          *  done so for that sequence number.
  95.          */

  97.         frame = ngx_quic_alloc_frame(c);
  98.         if (frame == NULL) {
  99.             return NGX_ERROR;
  100.         }

  102.         frame->level = ssl_encryption_application;
  103.         frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
  104.         frame->u.retire_cid.sequence_number = f->seqnum;

  106.         ngx_quic_queue_frame(qc, frame);

  108.         goto retire;
  109.     }

  111.     cid = NULL;

  113.     for (q = ngx_queue_head(&qc->client_ids);
  114.          q != ngx_queue_sentinel(&qc->client_ids);
  115.          q = ngx_queue_next(q))
  116.     {
  117.         item = ngx_queue_data(q, ngx_quic_client_id_t, queue);

  119.         if (item->seqnum == f->seqnum) {
  120.             cid = item;
  121.             break;
  122.         }
  123.     }

  125.     if (cid) {
  126.         /*
  127.          * Transmission errors, timeouts, and retransmissions might cause the
  128.          * same NEW_CONNECTION_ID frame to be received multiple times.
  129.          */

  131.         if (cid->len != f->len
  132.             || ngx_strncmp(cid->id, f->cid, f->len) != 0
  133.             || ngx_strncmp(cid->sr_token, f->srt, NGX_QUIC_SR_TOKEN_LEN) != 0)
  134.         {
  135.             /*
  136.              * ..if a sequence number is used for different connection IDs,
  137.              * the endpoint MAY treat that receipt as a connection error
  138.              * of type PROTOCOL_VIOLATION.
  139.              */
  140.             qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
  141.             qc->error_reason = "seqnum refers to different connection id/token";
  142.             return NGX_ERROR;
  143.         }

  145.     } else {

  147.         id.data = f->cid;
  148.         id.len = f->len;

  150.         if (ngx_quic_create_client_id(c, &id, f->seqnum, f->srt) == NULL) {
  151.             return NGX_ERROR;
  152.         }
  153.     }

  155. retire:

  157.     if (qc->max_retired_seqnum && f->retire <= qc->max_retired_seqnum) {
  158.         /*
  159.          * Once a sender indicates a Retire Prior To value, smaller values sent
  160.          * in subsequent NEW_CONNECTION_ID frames have no effect.  A receiver
  161.          * MUST ignore any Retire Prior To fields that do not increase the
  162.          * largest received Retire Prior To value.
  163.          */
  164.         goto done;
  165.     }

  167.     qc->max_retired_seqnum = f->retire;

  169.     q = ngx_queue_head(&qc->client_ids);

  171.     while (q != ngx_queue_sentinel(&qc->client_ids)) {

  173.         cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
  174.         q = ngx_queue_next(q);

  176.         if (cid->seqnum >= f->retire) {
  177.             continue;
  178.         }

  180.         if (ngx_quic_retire_client_id(c, cid) != NGX_OK) {
  181.             return NGX_ERROR;
  182.         }
  183.     }

  185. done:

  187.     if (qc->nclient_ids > qc->tp.active_connection_id_limit) {
  188.         /*
  189.          * RFC 9000, 5.1.1.  Issuing Connection IDs
  190.          *
  191.          * After processing a NEW_CONNECTION_ID frame and
  192.          * adding and retiring active connection IDs, if the number of active
  193.          * connection IDs exceeds the value advertised in its
  194.          * active_connection_id_limit transport parameter, an endpoint MUST
  195.          * close the connection with an error of type CONNECTION_ID_LIMIT_ERROR.
  196.          */
  197.         qc->error = NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
  198.         qc->error_reason = "too many connection ids received";
  199.         return NGX_ERROR;
  200.     }

  202.     return NGX_OK;
  203. }


  206. static ngx_int_t
  207. ngx_quic_retire_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
  208. {
  209.     ngx_queue_t            *q;
  210.     ngx_quic_path_t        *path;
  211.     ngx_quic_client_id_t   *new_cid;
  212.     ngx_quic_connection_t  *qc;

  214.     qc = ngx_quic_get_connection(c);

  216.     if (!cid->used) {
  217.         return ngx_quic_free_client_id(c, cid);
  218.     }

  220.     /* we are going to retire client id which is in use */

  222.     q = ngx_queue_head(&qc->paths);

  224.     while (q != ngx_queue_sentinel(&qc->paths)) {

  226.         path = ngx_queue_data(q, ngx_quic_path_t, queue);
  227.         q = ngx_queue_next(q);

  229.         if (path->cid != cid) {
  230.             continue;
  231.         }

  233.         if (path == qc->path) {
  234.             /* this is the active path: update it with new CID */
  235.             new_cid = ngx_quic_next_client_id(c);
  236.             if (new_cid == NULL) {
  237.                 return NGX_ERROR;
  238.             }

  240.             qc->path->cid = new_cid;
  241.             new_cid->used = 1;

  243.             return ngx_quic_free_client_id(c, cid);
  244.         }

  246.         return ngx_quic_free_path(c, path);
  247.     }

  249.     return NGX_OK;
  250. }


  253. static ngx_quic_client_id_t *
  254. ngx_quic_alloc_client_id(ngx_connection_t *c, ngx_quic_connection_t *qc)
  255. {
  256.     ngx_queue_t           *q;
  257.     ngx_quic_client_id_t  *cid;

  259.     if (!ngx_queue_empty(&qc->free_client_ids)) {

  261.         q = ngx_queue_head(&qc->free_client_ids);
  262.         cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);

  264.         ngx_queue_remove(&cid->queue);

  266.         ngx_memzero(cid, sizeof(ngx_quic_client_id_t));

  268.     } else {

  270.         cid = ngx_pcalloc(c->pool, sizeof(ngx_quic_client_id_t));
  271.         if (cid == NULL) {
  272.             return NULL;
  273.         }
  274.     }

  276.     return cid;
  277. }


  280. ngx_quic_client_id_t *
  281. ngx_quic_create_client_id(ngx_connection_t *c, ngx_str_t *id,
  282.     uint64_t seqnum, u_char *token)
  283. {
  284.     ngx_quic_client_id_t   *cid;
  285.     ngx_quic_connection_t  *qc;

  287.     qc = ngx_quic_get_connection(c);

  289.     cid = ngx_quic_alloc_client_id(c, qc);
  290.     if (cid == NULL) {
  291.         return NULL;
  292.     }

  294.     cid->seqnum = seqnum;

  296.     cid->len = id->len;
  297.     ngx_memcpy(cid->id, id->data, id->len);

  299.     if (token) {
  300.         ngx_memcpy(cid->sr_token, token, NGX_QUIC_SR_TOKEN_LEN);
  301.     }

  303.     ngx_queue_insert_tail(&qc->client_ids, &cid->queue);
  304.     qc->nclient_ids++;

  306.     if (seqnum > qc->client_seqnum) {
  307.         qc->client_seqnum = seqnum;
  308.     }

  310.     ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
  311.                    "quic cid seq:%uL received id:%uz:%xV:%*xs",
  312.                     cid->seqnum, id->len, id,
  313.                     (size_t) NGX_QUIC_SR_TOKEN_LEN, cid->sr_token);

  315.     return cid;
  316. }


  319. ngx_quic_client_id_t *
  320. ngx_quic_next_client_id(ngx_connection_t *c)
  321. {
  322.     ngx_queue_t            *q;
  323.     ngx_quic_client_id_t   *cid;
  324.     ngx_quic_connection_t  *qc;

  326.     qc = ngx_quic_get_connection(c);

  328.     for (q = ngx_queue_head(&qc->client_ids);
  329.          q != ngx_queue_sentinel(&qc->client_ids);
  330.          q = ngx_queue_next(q))
  331.     {
  332.         cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);

  334.         if (!cid->used) {
  335.             return cid;
  336.         }
  337.     }

  339.     return NULL;
  340. }


  343. ngx_int_t
  344. ngx_quic_handle_retire_connection_id_frame(ngx_connection_t *c,
  345.     ngx_quic_retire_cid_frame_t *f)
  346. {
  347.     ngx_quic_socket_t      *qsock;
  348.     ngx_quic_connection_t  *qc;

  350.     qc = ngx_quic_get_connection(c);

  352.     if (f->sequence_number >= qc->server_seqnum) {
  353.         /*
  354.          * RFC 9000, 19.16.
  355.          *
  356.          *  Receipt of a RETIRE_CONNECTION_ID frame containing a sequence
  357.          *  number greater than any previously sent to the peer MUST be
  358.          *  treated as a connection error of type PROTOCOL_VIOLATION.
  359.          */
  360.         qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
  361.         qc->error_reason = "sequence number of id to retire was never issued";

  363.         return NGX_ERROR;
  364.     }

  366.     qsock = ngx_quic_get_socket(c);

  368.     if (qsock->sid.seqnum == f->sequence_number) {

  370.         /*
  371.          * RFC 9000, 19.16.
  372.          *
  373.          * The sequence number specified in a RETIRE_CONNECTION_ID frame MUST
  374.          * NOT refer to the Destination Connection ID field of the packet in
  375.          * which the frame is contained.  The peer MAY treat this as a
  376.          * connection error of type PROTOCOL_VIOLATION.
  377.          */

  379.         qc->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
  380.         qc->error_reason = "sequence number of id to retire refers DCID";

  382.         return NGX_ERROR;
  383.     }

  385.     qsock = ngx_quic_find_socket(c, f->sequence_number);
  386.     if (qsock == NULL) {
  387.         return NGX_OK;
  388.     }

  390.     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
  391.                    "quic socket seq:%uL is retired", qsock->sid.seqnum);

  393.     ngx_quic_close_socket(c, qsock);

  395.     /* restore socket count up to a limit after deletion */
  396.     if (ngx_quic_create_sockets(c) != NGX_OK) {
  397.         return NGX_ERROR;
  398.     }

  400.     return NGX_OK;
  401. }


  404. ngx_int_t
  405. ngx_quic_create_sockets(ngx_connection_t *c)
  406. {
  407.     ngx_uint_t              n;
  408.     ngx_quic_socket_t      *qsock;
  409.     ngx_quic_connection_t  *qc;

  411.     qc = ngx_quic_get_connection(c);

  413.     n = ngx_min(NGX_QUIC_MAX_SERVER_IDS, qc->ctp.active_connection_id_limit);

  415.     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
  416.                    "quic create sockets has:%ui max:%ui", qc->nsockets, n);

  418.     while (qc->nsockets < n) {

  420.         qsock = ngx_quic_create_socket(c, qc);
  421.         if (qsock == NULL) {
  422.             return NGX_ERROR;
  423.         }

  425.         if (ngx_quic_listen(c, qc, qsock) != NGX_OK) {
  426.             return NGX_ERROR;
  427.         }

  429.         if (ngx_quic_send_server_id(c, &qsock->sid) != NGX_OK) {
  430.             return NGX_ERROR;
  431.         }
  432.     }

  434.     return NGX_OK;
  435. }


  438. static ngx_int_t
  439. ngx_quic_send_server_id(ngx_connection_t *c, ngx_quic_server_id_t *sid)
  440. {
  441.     ngx_str_t               dcid;
  442.     ngx_quic_frame_t       *frame;
  443.     ngx_quic_connection_t  *qc;

  445.     qc = ngx_quic_get_connection(c);

  447.     dcid.len = sid->len;
  448.     dcid.data = sid->id;

  450.     frame = ngx_quic_alloc_frame(c);
  451.     if (frame == NULL) {
  452.         return NGX_ERROR;
  453.     }

  455.     frame->level = ssl_encryption_application;
  456.     frame->type = NGX_QUIC_FT_NEW_CONNECTION_ID;
  457.     frame->u.ncid.seqnum = sid->seqnum;
  458.     frame->u.ncid.retire = 0;
  459.     frame->u.ncid.len = NGX_QUIC_SERVER_CID_LEN;
  460.     ngx_memcpy(frame->u.ncid.cid, sid->id, NGX_QUIC_SERVER_CID_LEN);

  462.     if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key,
  463.                               frame->u.ncid.srt)
  464.         != NGX_OK)
  465.     {
  466.         return NGX_ERROR;
  467.     }

  469.     ngx_quic_queue_frame(qc, frame);

  471.     return NGX_OK;
  472. }


  475. ngx_int_t
  476. ngx_quic_free_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
  477. {
  478.     ngx_quic_frame_t       *frame;
  479.     ngx_quic_connection_t  *qc;

  481.     qc = ngx_quic_get_connection(c);

  483.     frame = ngx_quic_alloc_frame(c);
  484.     if (frame == NULL) {
  485.         return NGX_ERROR;
  486.     }

  488.     frame->level = ssl_encryption_application;
  489.     frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
  490.     frame->u.retire_cid.sequence_number = cid->seqnum;

  492.     ngx_quic_queue_frame(qc, frame);

  494.     /* we are no longer going to use this client id */

  496.     ngx_queue_remove(&cid->queue);
  497.     ngx_queue_insert_head(&qc->free_client_ids, &cid->queue);

  499.     qc->nclient_ids--;

  501.     return NGX_OK;
  502. }

One Level Up Top Level