/* * QUIC transport layer over SOCK_DGRAM sockets. * * Copyright 2020 HAProxy Technologies, Frédéric Lécaille * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. * */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* This is the values of some QUIC transport parameters when absent. * Should be used to initialize any transport parameters (local or remote) * before updating them with customized values. */ struct quic_transport_params quic_dflt_transport_params = { .max_udp_payload_size = QUIC_PACKET_MAXLEN, .ack_delay_exponent = QUIC_DFLT_ACK_DELAY_COMPONENT, .max_ack_delay = QUIC_DFLT_MAX_ACK_DELAY, .active_connection_id_limit = QUIC_ACTIVE_CONNECTION_ID_LIMIT, }; /* trace source and events */ static void quic_trace(enum trace_level level, uint64_t mask, \ const struct trace_source *src, const struct ist where, const struct ist func, const void *a1, const void *a2, const void *a3, const void *a4); static const struct trace_event quic_trace_events[] = { { .mask = QUIC_EV_CONN_NEW, .name = "new_conn", .desc = "new QUIC connection" }, { .mask = QUIC_EV_CONN_INIT, .name = "new_conn_init", .desc = "new QUIC connection initialization" }, { .mask = QUIC_EV_CONN_ISEC, .name = "init_secs", .desc = "initial secrets derivation" }, { .mask = QUIC_EV_CONN_RSEC, .name = "read_secs", .desc = "read secrets derivation" }, { .mask = QUIC_EV_CONN_WSEC, .name = "write_secs", .desc = "write secrets derivation" }, { .mask = QUIC_EV_CONN_LPKT, .name = "lstnr_packet", .desc = "new listener received packet" }, { .mask = QUIC_EV_CONN_SPKT, .name = "srv_packet", .desc = "new server received packet" }, { .mask = QUIC_EV_CONN_ENCPKT, .name = "enc_hdshk_pkt", .desc = "handhshake packet encryption" }, { .mask = QUIC_EV_CONN_HPKT, .name = "hdshk_pkt", .desc = "handhshake packet building" }, { .mask = QUIC_EV_CONN_PAPKT, .name = "phdshk_apkt", .desc = "post handhshake application packet preparation" }, { .mask = QUIC_EV_CONN_PAPKTS, .name = "phdshk_apkts", .desc = "post handhshake application packets preparation" }, { .mask = QUIC_EV_CONN_HDSHK, .name = "hdshk", .desc = "SSL handhshake processing" }, { .mask = QUIC_EV_CONN_RMHP, .name = "rm_hp", .desc = "Remove header protection" }, { .mask = QUIC_EV_CONN_PRSHPKT, .name = "parse_hpkt", .desc = "parse handshake packet" }, { .mask = QUIC_EV_CONN_PRSAPKT, .name = "parse_apkt", .desc = "parse application packet" }, { .mask = QUIC_EV_CONN_PRSFRM, .name = "parse_frm", .desc = "parse frame" }, { .mask = QUIC_EV_CONN_PRSAFRM, .name = "parse_ack_frm", .desc = "parse ACK frame" }, { .mask = QUIC_EV_CONN_BFRM, .name = "build_frm", .desc = "build frame" }, { .mask = QUIC_EV_CONN_PHPKTS, .name = "phdshk_pkts", .desc = "handhshake packets preparation" }, { .mask = QUIC_EV_CONN_TRMHP, .name = "rm_hp_try", .desc = "header protection removing try" }, { .mask = QUIC_EV_CONN_ELRMHP, .name = "el_rm_hp", .desc = "handshake enc. level header protection removing" }, { .mask = QUIC_EV_CONN_ELRXPKTS, .name = "el_treat_rx_pkts", .desc = "handshake enc. level rx packets treatment" }, { .mask = QUIC_EV_CONN_SSLDATA, .name = "ssl_provide_data", .desc = "CRYPTO data provision to TLS stack" }, { .mask = QUIC_EV_CONN_RXCDATA, .name = "el_treat_rx_cfrms",.desc = "enc. level RX CRYPTO frames processing"}, { .mask = QUIC_EV_CONN_ADDDATA, .name = "add_hdshk_data", .desc = "TLS stack ->add_handshake_data() call"}, { .mask = QUIC_EV_CONN_FFLIGHT, .name = "flush_flight", .desc = "TLS stack ->flush_flight() call"}, { .mask = QUIC_EV_CONN_SSLALERT, .name = "send_alert", .desc = "TLS stack ->send_alert() call"}, { .mask = QUIC_EV_CONN_RTTUPDT, .name = "rtt_updt", .desc = "RTT sampling" }, { .mask = QUIC_EV_CONN_SPPKTS, .name = "sppkts", .desc = "send prepared packets" }, { .mask = QUIC_EV_CONN_PKTLOSS, .name = "pktloss", .desc = "detect packet loss" }, { .mask = QUIC_EV_CONN_STIMER, .name = "stimer", .desc = "set timer" }, { .mask = QUIC_EV_CONN_PTIMER, .name = "ptimer", .desc = "process timer" }, { .mask = QUIC_EV_CONN_SPTO, .name = "spto", .desc = "set PTO" }, { .mask = QUIC_EV_CONN_BCFRMS, .name = "bcfrms", .desc = "build CRYPTO data frames" }, { .mask = QUIC_EV_CONN_XPRTSEND, .name = "xprt_send", .desc = "sending XRPT subscription" }, { .mask = QUIC_EV_CONN_XPRTRECV, .name = "xprt_recv", .desc = "receiving XRPT subscription" }, { /* end */ } }; static const struct name_desc quic_trace_lockon_args[4] = { /* arg1 */ { /* already used by the connection */ }, /* arg2 */ { .name="quic", .desc="QUIC transport" }, /* arg3 */ { }, /* arg4 */ { } }; static const struct name_desc quic_trace_decoding[] = { #define QUIC_VERB_CLEAN 1 { .name="clean", .desc="only user-friendly stuff, generally suitable for level \"user\"" }, { /* end */ } }; struct trace_source trace_quic = { .name = IST("quic"), .desc = "QUIC xprt", .arg_def = TRC_ARG1_CONN, /* TRACE()'s first argument is always a connection */ .default_cb = quic_trace, .known_events = quic_trace_events, .lockon_args = quic_trace_lockon_args, .decoding = quic_trace_decoding, .report_events = ~0, /* report everything by default */ }; #define TRACE_SOURCE &trace_quic INITCALL1(STG_REGISTER, trace_register_source, TRACE_SOURCE); static BIO_METHOD *ha_quic_meth; DECLARE_POOL(pool_head_quic_tx_ring, "quic_tx_ring_pool", QUIC_TX_RING_BUFSZ); DECLARE_POOL(pool_head_quic_rxbuf, "quic_rxbuf_pool", QUIC_RX_BUFSZ); DECLARE_POOL(pool_head_quic_conn_rxbuf, "quic_conn_rxbuf", QUIC_CONN_RX_BUFSZ); DECLARE_STATIC_POOL(pool_head_quic_conn_ctx, "quic_conn_ctx_pool", sizeof(struct ssl_sock_ctx)); DECLARE_STATIC_POOL(pool_head_quic_conn, "quic_conn", sizeof(struct quic_conn)); DECLARE_POOL(pool_head_quic_connection_id, "quic_connnection_id_pool", sizeof(struct quic_connection_id)); DECLARE_POOL(pool_head_quic_rx_packet, "quic_rx_packet_pool", sizeof(struct quic_rx_packet)); DECLARE_POOL(pool_head_quic_tx_packet, "quic_tx_packet_pool", sizeof(struct quic_tx_packet)); DECLARE_STATIC_POOL(pool_head_quic_rx_crypto_frm, "quic_rx_crypto_frm_pool", sizeof(struct quic_rx_crypto_frm)); DECLARE_POOL(pool_head_quic_rx_strm_frm, "quic_rx_strm_frm", sizeof(struct quic_rx_strm_frm)); DECLARE_STATIC_POOL(pool_head_quic_crypto_buf, "quic_crypto_buf_pool", sizeof(struct quic_crypto_buf)); DECLARE_POOL(pool_head_quic_frame, "quic_frame_pool", sizeof(struct quic_frame)); DECLARE_STATIC_POOL(pool_head_quic_arng, "quic_arng_pool", sizeof(struct quic_arng_node)); static struct quic_tx_packet *qc_build_pkt(unsigned char **pos, const unsigned char *buf_end, struct quic_enc_level *qel, struct quic_conn *qc, int pkt_type, int ack, int nb_pto_dgrams, int *err); /* Add traces to depending on TX frame type. */ static inline void chunk_tx_frm_appendf(struct buffer *buf, const struct quic_frame *frm) { switch (frm->type) { case QUIC_FT_CRYPTO: chunk_appendf(buf, " cfoff=%llu cflen=%llu", (unsigned long long)frm->crypto.offset, (unsigned long long)frm->crypto.len); break; default: chunk_appendf(buf, " %s", quic_frame_type_string(frm->type)); } } /* Only for debug purpose */ struct enc_debug_info { unsigned char *payload; size_t payload_len; unsigned char *aad; size_t aad_len; uint64_t pn; }; /* Initializes a enc_debug_info struct (only for debug purpose) */ static inline void enc_debug_info_init(struct enc_debug_info *edi, unsigned char *payload, size_t payload_len, unsigned char *aad, size_t aad_len, uint64_t pn) { edi->payload = payload; edi->payload_len = payload_len; edi->aad = aad; edi->aad_len = aad_len; edi->pn = pn; } /* Trace callback for QUIC. * These traces always expect that arg1, if non-null, is of type connection. */ static void quic_trace(enum trace_level level, uint64_t mask, const struct trace_source *src, const struct ist where, const struct ist func, const void *a1, const void *a2, const void *a3, const void *a4) { const struct connection *conn = a1; if (conn) { struct quic_tls_secrets *secs; struct quic_conn *qc; qc = conn->qc; chunk_appendf(&trace_buf, " : conn@%p", conn); if ((mask & QUIC_EV_CONN_INIT) && qc) { chunk_appendf(&trace_buf, "\n odcid"); quic_cid_dump(&trace_buf, &qc->odcid); chunk_appendf(&trace_buf, "\n dcid"); quic_cid_dump(&trace_buf, &qc->dcid); chunk_appendf(&trace_buf, "\n scid"); quic_cid_dump(&trace_buf, &qc->scid); } if (mask & QUIC_EV_CONN_ADDDATA) { const enum ssl_encryption_level_t *level = a2; const size_t *len = a3; if (level) { enum quic_tls_enc_level lvl = ssl_to_quic_enc_level(*level); chunk_appendf(&trace_buf, " el=%c(%d)", quic_enc_level_char(lvl), lvl); } if (len) chunk_appendf(&trace_buf, " len=%llu", (unsigned long long)*len); } if ((mask & QUIC_EV_CONN_ISEC) && qc) { /* Initial read & write secrets. */ enum quic_tls_enc_level level = QUIC_TLS_ENC_LEVEL_INITIAL; const unsigned char *rx_sec = a2; const unsigned char *tx_sec = a3; secs = &qc->els[level].tls_ctx.rx; if (secs->flags & QUIC_FL_TLS_SECRETS_SET) { chunk_appendf(&trace_buf, "\n RX el=%c", quic_enc_level_char(level)); if (rx_sec) quic_tls_secret_hexdump(&trace_buf, rx_sec, 32); quic_tls_keys_hexdump(&trace_buf, secs); } secs = &qc->els[level].tls_ctx.tx; if (secs->flags & QUIC_FL_TLS_SECRETS_SET) { chunk_appendf(&trace_buf, "\n TX el=%c", quic_enc_level_char(level)); if (tx_sec) quic_tls_secret_hexdump(&trace_buf, tx_sec, 32); quic_tls_keys_hexdump(&trace_buf, secs); } } if (mask & (QUIC_EV_CONN_RSEC|QUIC_EV_CONN_RWSEC)) { const enum ssl_encryption_level_t *level = a2; const unsigned char *secret = a3; const size_t *secret_len = a4; if (level) { enum quic_tls_enc_level lvl = ssl_to_quic_enc_level(*level); chunk_appendf(&trace_buf, "\n RX el=%c", quic_enc_level_char(lvl)); if (secret && secret_len) quic_tls_secret_hexdump(&trace_buf, secret, *secret_len); secs = &qc->els[lvl].tls_ctx.rx; if (secs->flags & QUIC_FL_TLS_SECRETS_SET) quic_tls_keys_hexdump(&trace_buf, secs); } } if (mask & (QUIC_EV_CONN_WSEC|QUIC_EV_CONN_RWSEC)) { const enum ssl_encryption_level_t *level = a2; const unsigned char *secret = a3; const size_t *secret_len = a4; if (level) { enum quic_tls_enc_level lvl = ssl_to_quic_enc_level(*level); chunk_appendf(&trace_buf, "\n TX el=%c", quic_enc_level_char(lvl)); if (secret && secret_len) quic_tls_secret_hexdump(&trace_buf, secret, *secret_len); secs = &qc->els[lvl].tls_ctx.tx; if (secs->flags & QUIC_FL_TLS_SECRETS_SET) quic_tls_keys_hexdump(&trace_buf, secs); } } if (mask & (QUIC_EV_CONN_HPKT|QUIC_EV_CONN_PAPKT)) { const struct quic_tx_packet *pkt = a2; const struct quic_enc_level *qel = a3; const ssize_t *room = a4; if (qel) { struct quic_pktns *pktns; pktns = qc->pktns; chunk_appendf(&trace_buf, " qel=%c cwnd=%llu ppif=%lld pif=%llu " "if=%llu pp=%u pdg=%d", quic_enc_level_char_from_qel(qel, qc), (unsigned long long)qc->path->cwnd, (unsigned long long)qc->path->prep_in_flight, (unsigned long long)qc->path->in_flight, (unsigned long long)pktns->tx.in_flight, pktns->tx.pto_probe, qc->tx.nb_pto_dgrams); } if (pkt) { const struct quic_frame *frm; chunk_appendf(&trace_buf, " pn=%llu cdlen=%u", (unsigned long long)pkt->pn_node.key, pkt->cdata_len); list_for_each_entry(frm, &pkt->frms, list) chunk_tx_frm_appendf(&trace_buf, frm); chunk_appendf(&trace_buf, " tx.bytes=%llu", (unsigned long long)qc->tx.bytes); } if (room) { chunk_appendf(&trace_buf, " room=%lld", (long long)*room); chunk_appendf(&trace_buf, " dcid.len=%llu scid.len=%llu", (unsigned long long)qc->dcid.len, (unsigned long long)qc->scid.len); } } if (mask & QUIC_EV_CONN_HDSHK) { const enum quic_handshake_state *state = a2; const int *err = a3; if (state) chunk_appendf(&trace_buf, " state=%s", quic_hdshk_state_str(*state)); if (err) chunk_appendf(&trace_buf, " err=%s", ssl_error_str(*err)); } if (mask & (QUIC_EV_CONN_TRMHP|QUIC_EV_CONN_ELRMHP|QUIC_EV_CONN_SPKT)) { const struct quic_rx_packet *pkt = a2; const unsigned long *pktlen = a3; const SSL *ssl = a4; if (pkt) { chunk_appendf(&trace_buf, " pkt@%p el=%c", pkt, quic_packet_type_enc_level_char(pkt->type)); if (pkt->pnl) chunk_appendf(&trace_buf, " pnl=%u pn=%llu", pkt->pnl, (unsigned long long)pkt->pn); if (pkt->token_len) chunk_appendf(&trace_buf, " toklen=%llu", (unsigned long long)pkt->token_len); if (pkt->aad_len) chunk_appendf(&trace_buf, " aadlen=%llu", (unsigned long long)pkt->aad_len); chunk_appendf(&trace_buf, " flags=0x%x len=%llu", pkt->flags, (unsigned long long)pkt->len); } if (pktlen) chunk_appendf(&trace_buf, " (%ld)", *pktlen); if (ssl) { enum ssl_encryption_level_t level = SSL_quic_read_level(ssl); chunk_appendf(&trace_buf, " el=%c", quic_enc_level_char(ssl_to_quic_enc_level(level))); } } if (mask & (QUIC_EV_CONN_ELRXPKTS|QUIC_EV_CONN_PRSHPKT|QUIC_EV_CONN_SSLDATA)) { const struct quic_rx_packet *pkt = a2; const struct quic_rx_crypto_frm *cf = a3; const SSL *ssl = a4; if (pkt) chunk_appendf(&trace_buf, " pkt@%p el=%c pn=%llu", pkt, quic_packet_type_enc_level_char(pkt->type), (unsigned long long)pkt->pn); if (cf) chunk_appendf(&trace_buf, " cfoff=%llu cflen=%llu", (unsigned long long)cf->offset_node.key, (unsigned long long)cf->len); if (ssl) { enum ssl_encryption_level_t level = SSL_quic_read_level(ssl); chunk_appendf(&trace_buf, " rel=%c", quic_enc_level_char(ssl_to_quic_enc_level(level))); } } if (mask & (QUIC_EV_CONN_PRSFRM|QUIC_EV_CONN_BFRM)) { const struct quic_frame *frm = a2; if (frm) chunk_appendf(&trace_buf, " %s", quic_frame_type_string(frm->type)); } if (mask & QUIC_EV_CONN_PHPKTS) { const struct quic_enc_level *qel = a2; if (qel) { struct quic_pktns *pktns; pktns = qc->pktns; chunk_appendf(&trace_buf, " qel=%c state=%s ack?%d cwnd=%llu ppif=%lld pif=%llu if=%llu pp=%u pdg=%llu", quic_enc_level_char_from_qel(qel, qc), quic_hdshk_state_str(HA_ATOMIC_LOAD(&qc->state)), !!(HA_ATOMIC_LOAD(&qc->flags) & QUIC_FL_PKTNS_ACK_REQUIRED), (unsigned long long)qc->path->cwnd, (unsigned long long)qc->path->prep_in_flight, (unsigned long long)qc->path->in_flight, (unsigned long long)pktns->tx.in_flight, pktns->tx.pto_probe, (unsigned long long)qc->tx.nb_pto_dgrams); } } if (mask & QUIC_EV_CONN_ENCPKT) { const struct enc_debug_info *edi = a2; if (edi) chunk_appendf(&trace_buf, " payload=@%p payload_len=%llu" " aad=@%p aad_len=%llu pn=%llu", edi->payload, (unsigned long long)edi->payload_len, edi->aad, (unsigned long long)edi->aad_len, (unsigned long long)edi->pn); } if (mask & QUIC_EV_CONN_RMHP) { const struct quic_rx_packet *pkt = a2; if (pkt) { const int *ret = a3; chunk_appendf(&trace_buf, " pkt@%p", pkt); if (ret && *ret) chunk_appendf(&trace_buf, " pnl=%u pn=%llu", pkt->pnl, (unsigned long long)pkt->pn); } } if (mask & QUIC_EV_CONN_PRSAFRM) { const struct quic_frame *frm = a2; const unsigned long *val1 = a3; const unsigned long *val2 = a4; if (frm) chunk_tx_frm_appendf(&trace_buf, frm); if (val1) chunk_appendf(&trace_buf, " %lu", *val1); if (val2) chunk_appendf(&trace_buf, "..%lu", *val2); } if (mask & QUIC_EV_CONN_RTTUPDT) { const unsigned int *rtt_sample = a2; const unsigned int *ack_delay = a3; const struct quic_loss *ql = a4; if (rtt_sample) chunk_appendf(&trace_buf, " rtt_sample=%ums", *rtt_sample); if (ack_delay) chunk_appendf(&trace_buf, " ack_delay=%ums", *ack_delay); if (ql) chunk_appendf(&trace_buf, " srtt=%ums rttvar=%ums min_rtt=%ums", ql->srtt >> 3, ql->rtt_var >> 2, ql->rtt_min); } if (mask & QUIC_EV_CONN_CC) { const struct quic_cc_event *ev = a2; const struct quic_cc *cc = a3; if (a2) quic_cc_event_trace(&trace_buf, ev); if (a3) quic_cc_state_trace(&trace_buf, cc); } if (mask & QUIC_EV_CONN_PKTLOSS) { const struct quic_pktns *pktns = a2; const struct list *lost_pkts = a3; struct quic_conn *qc = conn->qc; if (pktns) { chunk_appendf(&trace_buf, " pktns=%s", pktns == &qc->pktns[QUIC_TLS_PKTNS_INITIAL] ? "I" : pktns == &qc->pktns[QUIC_TLS_PKTNS_01RTT] ? "01RTT": "H"); if (pktns->tx.loss_time) chunk_appendf(&trace_buf, " loss_time=%dms", TICKS_TO_MS(tick_remain(now_ms, pktns->tx.loss_time))); } if (lost_pkts && !LIST_ISEMPTY(lost_pkts)) { struct quic_tx_packet *pkt; chunk_appendf(&trace_buf, " lost_pkts:"); list_for_each_entry(pkt, lost_pkts, list) chunk_appendf(&trace_buf, " %lu", (unsigned long)pkt->pn_node.key); } } if (mask & (QUIC_EV_CONN_STIMER|QUIC_EV_CONN_PTIMER|QUIC_EV_CONN_SPTO)) { struct quic_conn *qc = conn->qc; const struct quic_pktns *pktns = a2; const int *duration = a3; const uint64_t *ifae_pkts = a4; if (ifae_pkts) chunk_appendf(&trace_buf, " ifae_pkts=%llu", (unsigned long long)*ifae_pkts); if (pktns) { chunk_appendf(&trace_buf, " pktns=%s pp=%d", pktns == &qc->pktns[QUIC_TLS_PKTNS_INITIAL] ? "I" : pktns == &qc->pktns[QUIC_TLS_PKTNS_01RTT] ? "01RTT": "H", pktns->tx.pto_probe); if (mask & QUIC_EV_CONN_STIMER) { if (pktns->tx.loss_time) chunk_appendf(&trace_buf, " loss_time=%dms", TICKS_TO_MS(pktns->tx.loss_time - now_ms)); } if (mask & QUIC_EV_CONN_SPTO) { if (pktns->tx.time_of_last_eliciting) chunk_appendf(&trace_buf, " tole=%dms", TICKS_TO_MS(pktns->tx.time_of_last_eliciting - now_ms)); if (duration) chunk_appendf(&trace_buf, " dur=%dms", TICKS_TO_MS(*duration)); } } if (!(mask & QUIC_EV_CONN_SPTO) && qc->timer_task) { chunk_appendf(&trace_buf, " expire=%dms", TICKS_TO_MS(qc->timer - now_ms)); } } if (mask & QUIC_EV_CONN_SPPKTS) { const struct quic_tx_packet *pkt = a2; chunk_appendf(&trace_buf, " cwnd=%llu ppif=%llu pif=%llu", (unsigned long long)qc->path->cwnd, (unsigned long long)qc->path->prep_in_flight, (unsigned long long)qc->path->in_flight); if (pkt) { chunk_appendf(&trace_buf, " pn=%lu(%s) iflen=%llu cdlen=%llu", (unsigned long)pkt->pn_node.key, pkt->pktns == &qc->pktns[QUIC_TLS_PKTNS_INITIAL] ? "I" : pkt->pktns == &qc->pktns[QUIC_TLS_PKTNS_01RTT] ? "01RTT": "H", (unsigned long long)pkt->in_flight_len, (unsigned long long)pkt->cdata_len); } } if (mask & QUIC_EV_CONN_SSLALERT) { const uint8_t *alert = a2; const enum ssl_encryption_level_t *level = a3; if (alert) chunk_appendf(&trace_buf, " alert=0x%02x", *alert); if (level) chunk_appendf(&trace_buf, " el=%c", quic_enc_level_char(ssl_to_quic_enc_level(*level))); } if (mask & QUIC_EV_CONN_BCFRMS) { const size_t *sz1 = a2; const size_t *sz2 = a3; const size_t *sz3 = a4; if (sz1) chunk_appendf(&trace_buf, " %llu", (unsigned long long)*sz1); if (sz2) chunk_appendf(&trace_buf, " %llu", (unsigned long long)*sz2); if (sz3) chunk_appendf(&trace_buf, " %llu", (unsigned long long)*sz3); } if (mask & QUIC_EV_CONN_PSTRM) { const struct quic_frame *frm = a2; if (a2) { const struct quic_stream *s = &frm->stream; chunk_appendf(&trace_buf, " uni=%d fin=%d id=%llu off=%llu len=%llu", !!(s->id & QUIC_STREAM_FRAME_ID_DIR_BIT), !!(frm->type & QUIC_STREAM_FRAME_TYPE_FIN_BIT), (unsigned long long)s->id, (unsigned long long)s->offset.key, (unsigned long long)s->len); } } } if (mask & QUIC_EV_CONN_LPKT) { const struct quic_rx_packet *pkt = a2; const uint64_t *len = a3; if (conn) chunk_appendf(&trace_buf, " xprt_ctx@%p qc@%p", conn->xprt_ctx, conn->qc); if (pkt) chunk_appendf(&trace_buf, " pkt@%p type=0x%02x %s pkt->qc@%p", pkt, pkt->type, qc_pkt_long(pkt) ? "long" : "short", pkt->qc); if (len) chunk_appendf(&trace_buf, " len=%llu", (ull)*len); } } /* Returns 1 if the peer has validated QUIC connection address, 0 if not. */ static inline int quic_peer_validated_addr(struct ssl_sock_ctx *ctx) { struct quic_conn *qc; struct quic_pktns *hdshk_pktns, *app_pktns; qc = ctx->conn->qc; if (objt_server(qc->conn->target)) return 1; hdshk_pktns = qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE].pktns; app_pktns = qc->els[QUIC_TLS_ENC_LEVEL_APP].pktns; if ((HA_ATOMIC_LOAD(&hdshk_pktns->flags) & QUIC_FL_PKTNS_ACK_RECEIVED) || (HA_ATOMIC_LOAD(&app_pktns->flags) & QUIC_FL_PKTNS_ACK_RECEIVED) || HA_ATOMIC_LOAD(&qc->state) >= QUIC_HS_ST_COMPLETE) return 1; return 0; } /* Set the timer attached to the QUIC connection with as I/O handler and used for * both loss detection and PTO and schedule the task assiated to this timer if needed. */ static inline void qc_set_timer(struct ssl_sock_ctx *ctx) { struct quic_conn *qc; struct quic_pktns *pktns; unsigned int pto; int handshake_complete; TRACE_ENTER(QUIC_EV_CONN_STIMER, ctx->conn, NULL, NULL, &ctx->conn->qc->path->ifae_pkts); qc = ctx->conn->qc; pktns = quic_loss_pktns(qc); if (tick_isset(pktns->tx.loss_time)) { qc->timer = pktns->tx.loss_time; goto out; } /* XXX TODO: anti-amplification: the timer must be * cancelled for a server which reached the anti-amplification limit. */ if (!qc->path->ifae_pkts && quic_peer_validated_addr(ctx)) { TRACE_PROTO("timer cancellation", QUIC_EV_CONN_STIMER, ctx->conn); /* Timer cancellation. */ qc->timer = TICK_ETERNITY; goto out; } handshake_complete = HA_ATOMIC_LOAD(&qc->state) >= QUIC_HS_ST_COMPLETE; pktns = quic_pto_pktns(qc, handshake_complete, &pto); if (tick_isset(pto)) qc->timer = pto; out: if (qc->timer != TICK_ETERNITY) task_schedule(qc->timer_task, qc->timer); TRACE_LEAVE(QUIC_EV_CONN_STIMER, ctx->conn, pktns); } #ifndef OPENSSL_IS_BORINGSSL int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t level, const uint8_t *read_secret, const uint8_t *write_secret, size_t secret_len) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); struct quic_tls_ctx *tls_ctx = &conn->qc->els[ssl_to_quic_enc_level(level)].tls_ctx; const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); TRACE_ENTER(QUIC_EV_CONN_RWSEC, conn); tls_ctx->rx.aead = tls_ctx->tx.aead = tls_aead(cipher); tls_ctx->rx.md = tls_ctx->tx.md = tls_md(cipher); tls_ctx->rx.hp = tls_ctx->tx.hp = tls_hp(cipher); if (!quic_tls_derive_keys(tls_ctx->rx.aead, tls_ctx->rx.hp, tls_ctx->rx.md, tls_ctx->rx.key, sizeof tls_ctx->rx.key, tls_ctx->rx.iv, sizeof tls_ctx->rx.iv, tls_ctx->rx.hp_key, sizeof tls_ctx->rx.hp_key, read_secret, secret_len)) { TRACE_DEVEL("RX key derivation failed", QUIC_EV_CONN_RWSEC, conn); return 0; } tls_ctx->rx.flags |= QUIC_FL_TLS_SECRETS_SET; if (!quic_tls_derive_keys(tls_ctx->tx.aead, tls_ctx->tx.hp, tls_ctx->tx.md, tls_ctx->tx.key, sizeof tls_ctx->tx.key, tls_ctx->tx.iv, sizeof tls_ctx->tx.iv, tls_ctx->tx.hp_key, sizeof tls_ctx->tx.hp_key, write_secret, secret_len)) { TRACE_DEVEL("TX key derivation failed", QUIC_EV_CONN_RWSEC, conn); return 0; } tls_ctx->tx.flags |= QUIC_FL_TLS_SECRETS_SET; if (objt_server(conn->target) && level == ssl_encryption_application) { const unsigned char *buf; size_t buflen; SSL_get_peer_quic_transport_params(ssl, &buf, &buflen); if (!buflen) return 0; if (!quic_transport_params_store(conn->qc, 1, buf, buf + buflen)) return 0; } TRACE_LEAVE(QUIC_EV_CONN_RWSEC, conn, &level); return 1; } #else /* ->set_read_secret callback to derive the RX secrets at encryption * level. * Returns 1 if succeeded, 0 if not. */ int ha_set_rsec(SSL *ssl, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); struct quic_tls_ctx *tls_ctx = &conn->qc->els[ssl_to_quic_enc_level(level)].tls_ctx; TRACE_ENTER(QUIC_EV_CONN_RSEC, conn); tls_ctx->rx.aead = tls_aead(cipher); tls_ctx->rx.md = tls_md(cipher); tls_ctx->rx.hp = tls_hp(cipher); if (!quic_tls_derive_keys(tls_ctx->rx.aead, tls_ctx->rx.hp, tls_ctx->rx.md, tls_ctx->rx.key, sizeof tls_ctx->rx.key, tls_ctx->rx.iv, sizeof tls_ctx->rx.iv, tls_ctx->rx.hp_key, sizeof tls_ctx->rx.hp_key, secret, secret_len)) { TRACE_DEVEL("RX key derivation failed", QUIC_EV_CONN_RSEC, conn); goto err; } if (objt_server(conn->target) && level == ssl_encryption_application) { const unsigned char *buf; size_t buflen; SSL_get_peer_quic_transport_params(ssl, &buf, &buflen); if (!buflen) goto err; if (!quic_transport_params_store(conn->qc, 1, buf, buf + buflen)) goto err; } tls_ctx->rx.flags |= QUIC_FL_TLS_SECRETS_SET; TRACE_LEAVE(QUIC_EV_CONN_RSEC, conn, &level, secret, &secret_len); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_RSEC, conn); return 0; } /* ->set_write_secret callback to derive the TX secrets at * encryption level. * Returns 1 if succeeded, 0 if not. */ int ha_set_wsec(SSL *ssl, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); struct quic_tls_ctx *tls_ctx = &conn->qc->els[ssl_to_quic_enc_level(level)].tls_ctx; TRACE_ENTER(QUIC_EV_CONN_WSEC, conn); tls_ctx->tx.aead = tls_aead(cipher); tls_ctx->tx.md = tls_md(cipher); tls_ctx->tx.hp = tls_hp(cipher); if (!quic_tls_derive_keys(tls_ctx->tx.aead, tls_ctx->tx.hp, tls_ctx->tx.md, tls_ctx->tx.key, sizeof tls_ctx->tx.key, tls_ctx->tx.iv, sizeof tls_ctx->tx.iv, tls_ctx->tx.hp_key, sizeof tls_ctx->tx.hp_key, secret, secret_len)) { TRACE_DEVEL("TX key derivation failed", QUIC_EV_CONN_WSEC, conn); goto err; } tls_ctx->tx.flags |= QUIC_FL_TLS_SECRETS_SET; TRACE_LEAVE(QUIC_EV_CONN_WSEC, conn, &level, secret, &secret_len); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_WSEC, conn); return 0; } #endif /* This function copies the CRYPTO data provided by the TLS stack found at * with as size in CRYPTO buffers dedicated to store the information about * outgoing CRYPTO frames so that to be able to replay the CRYPTO data streams. * It fails only if it could not managed to allocate enough CRYPTO buffers to * store all the data. * Note that CRYPTO data may exist at any encryption level except at 0-RTT. */ static int quic_crypto_data_cpy(struct quic_enc_level *qel, const unsigned char *data, size_t len) { struct quic_crypto_buf **qcb; /* The remaining byte to store in CRYPTO buffers. */ size_t cf_offset, cf_len, *nb_buf; unsigned char *pos; nb_buf = &qel->tx.crypto.nb_buf; qcb = &qel->tx.crypto.bufs[*nb_buf - 1]; cf_offset = (*nb_buf - 1) * QUIC_CRYPTO_BUF_SZ + (*qcb)->sz; cf_len = len; while (len) { size_t to_copy, room; pos = (*qcb)->data + (*qcb)->sz; room = QUIC_CRYPTO_BUF_SZ - (*qcb)->sz; to_copy = len > room ? room : len; if (to_copy) { memcpy(pos, data, to_copy); /* Increment the total size of this CRYPTO buffers by . */ qel->tx.crypto.sz += to_copy; (*qcb)->sz += to_copy; pos += to_copy; len -= to_copy; data += to_copy; } else { struct quic_crypto_buf **tmp; tmp = realloc(qel->tx.crypto.bufs, (*nb_buf + 1) * sizeof *qel->tx.crypto.bufs); if (tmp) { qel->tx.crypto.bufs = tmp; qcb = &qel->tx.crypto.bufs[*nb_buf]; *qcb = pool_alloc(pool_head_quic_crypto_buf); if (!*qcb) return 0; (*qcb)->sz = 0; ++*nb_buf; } else { break; } } } /* Allocate a TX CRYPTO frame only if all the CRYPTO data * have been buffered. */ if (!len) { struct quic_frame *frm; frm = pool_alloc(pool_head_quic_frame); if (!frm) return 0; frm->type = QUIC_FT_CRYPTO; frm->crypto.offset = cf_offset; frm->crypto.len = cf_len; frm->crypto.qel = qel; MT_LIST_APPEND(&qel->pktns->tx.frms, &frm->mt_list); } return len == 0; } /* ->add_handshake_data QUIC TLS callback used by the QUIC TLS stack when it * wants to provide the QUIC layer with CRYPTO data. * Returns 1 if succeeded, 0 if not. */ int ha_quic_add_handshake_data(SSL *ssl, enum ssl_encryption_level_t level, const uint8_t *data, size_t len) { struct connection *conn; enum quic_tls_enc_level tel; struct quic_enc_level *qel; conn = SSL_get_ex_data(ssl, ssl_app_data_index); TRACE_ENTER(QUIC_EV_CONN_ADDDATA, conn); tel = ssl_to_quic_enc_level(level); qel = &conn->qc->els[tel]; if (tel == -1) { TRACE_PROTO("Wrong encryption level", QUIC_EV_CONN_ADDDATA, conn); goto err; } if (!quic_crypto_data_cpy(qel, data, len)) { TRACE_PROTO("Could not bufferize", QUIC_EV_CONN_ADDDATA, conn); goto err; } TRACE_PROTO("CRYPTO data buffered", QUIC_EV_CONN_ADDDATA, conn, &level, &len); TRACE_LEAVE(QUIC_EV_CONN_ADDDATA, conn); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ADDDATA, conn); return 0; } int ha_quic_flush_flight(SSL *ssl) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); TRACE_ENTER(QUIC_EV_CONN_FFLIGHT, conn); TRACE_LEAVE(QUIC_EV_CONN_FFLIGHT, conn); return 1; } int ha_quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); TRACE_DEVEL("SSL alert", QUIC_EV_CONN_SSLALERT, conn, &alert, &level); return 1; } /* QUIC TLS methods */ static SSL_QUIC_METHOD ha_quic_method = { #ifdef OPENSSL_IS_BORINGSSL .set_read_secret = ha_set_rsec, .set_write_secret = ha_set_wsec, #else .set_encryption_secrets = ha_quic_set_encryption_secrets, #endif .add_handshake_data = ha_quic_add_handshake_data, .flush_flight = ha_quic_flush_flight, .send_alert = ha_quic_send_alert, }; /* Initialize the TLS context of a listener with as configuration. * Returns an error count. */ int ssl_quic_initial_ctx(struct bind_conf *bind_conf) { struct proxy *curproxy = bind_conf->frontend; struct ssl_bind_conf __maybe_unused *ssl_conf_cur; int cfgerr = 0; #if 0 /* XXX Did not manage to use this. */ const char *ciphers = "TLS_AES_128_GCM_SHA256:" "TLS_AES_256_GCM_SHA384:" "TLS_CHACHA20_POLY1305_SHA256:" "TLS_AES_128_CCM_SHA256"; #endif const char *groups = "X25519:P-256:P-384:P-521"; long options = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_SINGLE_ECDH_USE | SSL_OP_CIPHER_SERVER_PREFERENCE; SSL_CTX *ctx; ctx = SSL_CTX_new(TLS_server_method()); bind_conf->initial_ctx = ctx; SSL_CTX_set_options(ctx, options); #if 0 if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) { ha_alert("Proxy '%s': unable to set TLS 1.3 cipher list to '%s' " "for bind '%s' at [%s:%d].\n", curproxy->id, ciphers, bind_conf->arg, bind_conf->file, bind_conf->line); cfgerr++; } #endif if (SSL_CTX_set1_curves_list(ctx, groups) != 1) { ha_alert("Proxy '%s': unable to set TLS 1.3 curves list to '%s' " "for bind '%s' at [%s:%d].\n", curproxy->id, groups, bind_conf->arg, bind_conf->file, bind_conf->line); cfgerr++; } SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_default_verify_paths(ctx); #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef OPENSSL_IS_BORINGSSL SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); #elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (bind_conf->ssl_conf.early_data) { SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); } SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); #else SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk); #endif SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf); #endif SSL_CTX_set_quic_method(ctx, &ha_quic_method); return cfgerr; } /* Decode an expected packet number from its truncated value, * depending on the largest received packet number, and * the number of bits used to encode this packet number (its length in bytes * 8). * See https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#packet-encoding */ static uint64_t decode_packet_number(uint64_t largest_pn, uint32_t truncated_pn, unsigned int pn_nbits) { uint64_t expected_pn = largest_pn + 1; uint64_t pn_win = (uint64_t)1 << pn_nbits; uint64_t pn_hwin = pn_win / 2; uint64_t pn_mask = pn_win - 1; uint64_t candidate_pn; candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; /* Note that > . */ if (candidate_pn < QUIC_MAX_PACKET_NUM - pn_win && candidate_pn + pn_hwin <= expected_pn) return candidate_pn + pn_win; if (candidate_pn > expected_pn + pn_hwin && candidate_pn >= pn_win) return candidate_pn - pn_win; return candidate_pn; } /* Remove the header protection of QUIC packet using as QUIC TLS * cryptographic context. * is the largest received packet number and the address of * the packet number field for this packet with address of its first byte. * points to one byte past the end of this packet. * Returns 1 if succeeded, 0 if not. */ static int qc_do_rm_hp(struct quic_rx_packet *pkt, struct quic_tls_ctx *tls_ctx, int64_t largest_pn, unsigned char *pn, unsigned char *byte0, const unsigned char *end, struct ssl_sock_ctx *ctx) { int ret, outlen, i, pnlen; uint64_t packet_number; uint32_t truncated_pn = 0; unsigned char mask[5] = {0}; unsigned char *sample; EVP_CIPHER_CTX *cctx; unsigned char *hp_key; /* Check there is enough data in this packet. */ if (end - pn < QUIC_PACKET_PN_MAXLEN + sizeof mask) { TRACE_DEVEL("too short packet", QUIC_EV_CONN_RMHP, ctx->conn, pkt); return 0; } cctx = EVP_CIPHER_CTX_new(); if (!cctx) { TRACE_DEVEL("memory allocation failed", QUIC_EV_CONN_RMHP, ctx->conn, pkt); return 0; } ret = 0; sample = pn + QUIC_PACKET_PN_MAXLEN; hp_key = tls_ctx->rx.hp_key; if (!EVP_DecryptInit_ex(cctx, tls_ctx->rx.hp, NULL, hp_key, sample) || !EVP_DecryptUpdate(cctx, mask, &outlen, mask, sizeof mask) || !EVP_DecryptFinal_ex(cctx, mask, &outlen)) { TRACE_DEVEL("decryption failed", QUIC_EV_CONN_RMHP, ctx->conn, pkt); goto out; } *byte0 ^= mask[0] & (*byte0 & QUIC_PACKET_LONG_HEADER_BIT ? 0xf : 0x1f); pnlen = (*byte0 & QUIC_PACKET_PNL_BITMASK) + 1; for (i = 0; i < pnlen; i++) { pn[i] ^= mask[i + 1]; truncated_pn = (truncated_pn << 8) | pn[i]; } packet_number = decode_packet_number(largest_pn, truncated_pn, pnlen * 8); /* Store remaining information for this unprotected header */ pkt->pn = packet_number; pkt->pnl = pnlen; ret = 1; out: EVP_CIPHER_CTX_free(cctx); return ret; } /* Encrypt the payload of a QUIC packet with as number found at * address, with as payload length, as address of * the ADD and as AAD length depending on the QUIC TLS * context. * Returns 1 if succeeded, 0 if not. */ static int quic_packet_encrypt(unsigned char *payload, size_t payload_len, unsigned char *aad, size_t aad_len, uint64_t pn, struct quic_tls_ctx *tls_ctx, struct connection *conn) { unsigned char iv[12]; unsigned char *tx_iv = tls_ctx->tx.iv; size_t tx_iv_sz = sizeof tls_ctx->tx.iv; struct enc_debug_info edi; if (!quic_aead_iv_build(iv, sizeof iv, tx_iv, tx_iv_sz, pn)) { TRACE_DEVEL("AEAD IV building for encryption failed", QUIC_EV_CONN_HPKT, conn); goto err; } if (!quic_tls_encrypt(payload, payload_len, aad, aad_len, tls_ctx->tx.aead, tls_ctx->tx.key, iv)) { TRACE_DEVEL("QUIC packet encryption failed", QUIC_EV_CONN_HPKT, conn); goto err; } return 1; err: enc_debug_info_init(&edi, payload, payload_len, aad, aad_len, pn); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ENCPKT, conn, &edi); return 0; } /* Decrypt QUIC packet with as QUIC TLS cryptographic context. * Returns 1 if succeeded, 0 if not. */ static int qc_pkt_decrypt(struct quic_rx_packet *pkt, struct quic_tls_ctx *tls_ctx) { int ret; unsigned char iv[12]; unsigned char *rx_iv = tls_ctx->rx.iv; size_t rx_iv_sz = sizeof tls_ctx->rx.iv; if (!quic_aead_iv_build(iv, sizeof iv, rx_iv, rx_iv_sz, pkt->pn)) return 0; ret = quic_tls_decrypt(pkt->data + pkt->aad_len, pkt->len - pkt->aad_len, pkt->data, pkt->aad_len, tls_ctx->rx.aead, tls_ctx->rx.key, iv); if (!ret) return 0; /* Update the packet length (required to parse the frames). */ pkt->len = pkt->aad_len + ret; return 1; } /* Remove from stream the acknowledged frames. * Never fails. */ static int qcs_try_to_consume(struct qcs *qcs) { int ret; struct eb64_node *frm_node; ret = 0; frm_node = eb64_first(&qcs->tx.acked_frms); while (frm_node) { struct quic_stream *strm; strm = eb64_entry(&frm_node->node, struct quic_stream, offset); if (strm->offset.key != qcs->tx.ack_offset) break; b_del(strm->buf, strm->len); qcs->tx.ack_offset += strm->len; frm_node = eb64_next(frm_node); eb64_delete(&strm->offset); ret = 1; } return ret; } /* Treat frame whose packet it is attached to has just been acknowledged. */ static inline void qc_treat_acked_tx_frm(struct quic_frame *frm, struct ssl_sock_ctx *ctx) { int stream_acked; struct quic_conn *qc = ctx->conn->qc; TRACE_PROTO("Removing frame", QUIC_EV_CONN_PRSAFRM, ctx->conn, frm); stream_acked = 0; switch (frm->type) { case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F: { struct qcs *qcs = frm->stream.qcs; struct quic_stream *strm = &frm->stream; if (qcs->tx.ack_offset == strm->offset.key) { b_del(strm->buf, strm->len); qcs->tx.ack_offset += strm->len; LIST_DELETE(&frm->list); pool_free(pool_head_quic_frame, frm); qc->qcc->flags &= ~QC_CF_MUX_MFULL; stream_acked = 1; } else { eb64_insert(&qcs->tx.acked_frms, &strm->offset); } stream_acked |= qcs_try_to_consume(qcs); if (qcs->flags & QC_SF_DETACH) tasklet_wakeup(qcs->shut_tl); } break; default: LIST_DELETE(&frm->list); pool_free(pool_head_quic_frame, frm); } if (stream_acked) { struct qcc *qcc = qc->qcc; if (qcc->subs && qcc->subs->events & SUB_RETRY_SEND) { tasklet_wakeup(qcc->subs->tasklet); qcc->subs->events &= ~SUB_RETRY_SEND; if (!qcc->subs->events) qcc->subs = NULL; } } } /* Remove down to node entries from tree of TX packet, * deallocating them, and their TX frames. * Returns the last node reached to be used for the next range. * May be NULL if node could not be found. */ static inline struct eb64_node *qc_ackrng_pkts(struct eb_root *pkts, unsigned int *pkt_flags, struct list *newly_acked_pkts, struct eb64_node *largest_node, uint64_t largest, uint64_t smallest, struct ssl_sock_ctx *ctx) { struct eb64_node *node; struct quic_tx_packet *pkt; if (largest_node) node = largest_node; else { node = eb64_lookup(pkts, largest); while (!node && largest > smallest) { node = eb64_lookup(pkts, --largest); } } while (node && node->key >= smallest) { struct quic_frame *frm, *frmbak; pkt = eb64_entry(&node->node, struct quic_tx_packet, pn_node); *pkt_flags |= pkt->flags; LIST_INSERT(newly_acked_pkts, &pkt->list); TRACE_PROTO("Removing packet #", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &pkt->pn_node.key); list_for_each_entry_safe(frm, frmbak, &pkt->frms, list) qc_treat_acked_tx_frm(frm, ctx); node = eb64_prev(node); eb64_delete(&pkt->pn_node); } return node; } /* Treat frame whose packet it is attached to has just been detected as non * acknowledged. */ static inline void qc_treat_nacked_tx_frm(struct quic_frame *frm, struct quic_pktns *pktns, struct ssl_sock_ctx *ctx) { TRACE_PROTO("to resend frame", QUIC_EV_CONN_PRSAFRM, ctx->conn, frm); LIST_DELETE(&frm->list); MT_LIST_INSERT(&pktns->tx.frms, &frm->mt_list); } /* Free the TX packets of list */ static inline void free_quic_tx_pkts(struct list *pkts) { struct quic_tx_packet *pkt, *tmp; list_for_each_entry_safe(pkt, tmp, pkts, list) { LIST_DELETE(&pkt->list); eb64_delete(&pkt->pn_node); quic_tx_packet_refdec(pkt); } } /* Send a packet loss event nofification to the congestion controller * attached to connection with the number of lost bytes, * , the oldest lost packet and newest lost packet * at current time. * Always succeeds. */ static inline void qc_cc_loss_event(struct quic_conn *qc, unsigned int lost_bytes, unsigned int newest_time_sent, unsigned int period, unsigned int now_us) { struct quic_cc_event ev = { .type = QUIC_CC_EVT_LOSS, .loss.now_ms = now_ms, .loss.max_ack_delay = qc->max_ack_delay, .loss.lost_bytes = lost_bytes, .loss.newest_time_sent = newest_time_sent, .loss.period = period, }; quic_cc_event(&qc->path->cc, &ev); } /* Send a packet ack event nofication for each newly acked packet of * list and free them. * Always succeeds. */ static inline void qc_treat_newly_acked_pkts(struct ssl_sock_ctx *ctx, struct list *newly_acked_pkts) { struct quic_conn *qc = ctx->conn->qc; struct quic_tx_packet *pkt, *tmp; struct quic_cc_event ev = { .type = QUIC_CC_EVT_ACK, }; list_for_each_entry_safe(pkt, tmp, newly_acked_pkts, list) { pkt->pktns->tx.in_flight -= pkt->in_flight_len; qc->path->prep_in_flight -= pkt->in_flight_len; if (pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING) qc->path->ifae_pkts--; ev.ack.acked = pkt->in_flight_len; ev.ack.time_sent = pkt->time_sent; quic_cc_event(&qc->path->cc, &ev); LIST_DELETE(&pkt->list); eb64_delete(&pkt->pn_node); quic_tx_packet_refdec(pkt); } } /* Handle list of lost packets detected at handling * their TX frames. * Send a packet loss event to the congestion controller if * in flight packet have been lost. * Also frees the packet in list. * Never fails. */ static inline void qc_release_lost_pkts(struct quic_pktns *pktns, struct ssl_sock_ctx *ctx, struct list *pkts, uint64_t now_us) { struct quic_conn *qc = ctx->conn->qc; struct quic_tx_packet *pkt, *tmp, *oldest_lost, *newest_lost; struct quic_frame *frm, *frmbak; uint64_t lost_bytes; lost_bytes = 0; oldest_lost = newest_lost = NULL; list_for_each_entry_safe(pkt, tmp, pkts, list) { lost_bytes += pkt->in_flight_len; pkt->pktns->tx.in_flight -= pkt->in_flight_len; qc->path->prep_in_flight -= pkt->in_flight_len; if (pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING) qc->path->ifae_pkts--; /* Treat the frames of this lost packet. */ list_for_each_entry_safe(frm, frmbak, &pkt->frms, list) qc_treat_nacked_tx_frm(frm, pktns, ctx); LIST_DELETE(&pkt->list); if (!oldest_lost) { oldest_lost = newest_lost = pkt; } else { if (newest_lost != oldest_lost) quic_tx_packet_refdec(newest_lost); newest_lost = pkt; } } if (lost_bytes) { /* Sent a packet loss event to the congestion controller. */ qc_cc_loss_event(ctx->conn->qc, lost_bytes, newest_lost->time_sent, newest_lost->time_sent - oldest_lost->time_sent, now_us); quic_tx_packet_refdec(oldest_lost); if (newest_lost != oldest_lost) quic_tx_packet_refdec(newest_lost); } } /* Look for packet loss from sent packets for encryption level of a * connection with as I/O handler context. If remove is true, remove them from * their tree if deemed as lost or set the value the packet number * space if any not deemed lost. * Should be called after having received an ACK frame with newly acknowledged * packets or when the the loss detection timer has expired. * Always succeeds. */ static void qc_packet_loss_lookup(struct quic_pktns *pktns, struct quic_conn *qc, struct list *lost_pkts) { struct eb_root *pkts; struct eb64_node *node; struct quic_loss *ql; unsigned int loss_delay; TRACE_ENTER(QUIC_EV_CONN_PKTLOSS, qc->conn, pktns); pkts = &pktns->tx.pkts; pktns->tx.loss_time = TICK_ETERNITY; if (eb_is_empty(pkts)) goto out; ql = &qc->path->loss; loss_delay = QUIC_MAX(ql->latest_rtt, ql->srtt >> 3); loss_delay += loss_delay >> 3; loss_delay = QUIC_MAX(loss_delay, MS_TO_TICKS(QUIC_TIMER_GRANULARITY)); node = eb64_first(pkts); while (node) { struct quic_tx_packet *pkt; int64_t largest_acked_pn; unsigned int loss_time_limit, time_sent; pkt = eb64_entry(&node->node, struct quic_tx_packet, pn_node); largest_acked_pn = HA_ATOMIC_LOAD(&pktns->tx.largest_acked_pn); node = eb64_next(node); if ((int64_t)pkt->pn_node.key > largest_acked_pn) break; time_sent = pkt->time_sent; loss_time_limit = tick_add(time_sent, loss_delay); if (tick_is_le(time_sent, now_ms) || (int64_t)largest_acked_pn >= pkt->pn_node.key + QUIC_LOSS_PACKET_THRESHOLD) { eb64_delete(&pkt->pn_node); LIST_APPEND(lost_pkts, &pkt->list); } else { pktns->tx.loss_time = tick_first(pktns->tx.loss_time, loss_time_limit); } } out: TRACE_LEAVE(QUIC_EV_CONN_PKTLOSS, qc->conn, pktns, lost_pkts); } /* Parse ACK frame into from a buffer at address with being at * one byte past the end of this buffer. Also update if needed, i.e. * if the largest acked packet was newly acked and if there was at least one newly * acked ack-eliciting packet. * Return 1, if succeeded, 0 if not. */ static inline int qc_parse_ack_frm(struct quic_frame *frm, struct ssl_sock_ctx *ctx, struct quic_enc_level *qel, unsigned int *rtt_sample, const unsigned char **pos, const unsigned char *end) { struct quic_ack *ack = &frm->ack; uint64_t smallest, largest; struct eb_root *pkts; struct eb64_node *largest_node; unsigned int time_sent, pkt_flags; struct list newly_acked_pkts = LIST_HEAD_INIT(newly_acked_pkts); struct list lost_pkts = LIST_HEAD_INIT(lost_pkts); if (ack->largest_ack > qel->pktns->tx.next_pn) { TRACE_DEVEL("ACK for not sent packet", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &ack->largest_ack); goto err; } if (ack->first_ack_range > ack->largest_ack) { TRACE_DEVEL("too big first ACK range", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &ack->first_ack_range); goto err; } largest = ack->largest_ack; smallest = largest - ack->first_ack_range; pkts = &qel->pktns->tx.pkts; pkt_flags = 0; largest_node = NULL; time_sent = 0; if ((int64_t)ack->largest_ack > HA_ATOMIC_LOAD(&qel->pktns->tx.largest_acked_pn)) { largest_node = eb64_lookup(pkts, largest); if (!largest_node) { TRACE_DEVEL("Largest acked packet not found", QUIC_EV_CONN_PRSAFRM, ctx->conn); goto err; } time_sent = eb64_entry(&largest_node->node, struct quic_tx_packet, pn_node)->time_sent; } TRACE_PROTO("ack range", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &largest, &smallest); do { uint64_t gap, ack_range; qc_ackrng_pkts(pkts, &pkt_flags, &newly_acked_pkts, largest_node, largest, smallest, ctx); if (!ack->ack_range_num--) break; if (!quic_dec_int(&gap, pos, end)) goto err; if (smallest < gap + 2) { TRACE_DEVEL("wrong gap value", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &gap, &smallest); goto err; } largest = smallest - gap - 2; if (!quic_dec_int(&ack_range, pos, end)) goto err; if (largest < ack_range) { TRACE_DEVEL("wrong ack range value", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &largest, &ack_range); goto err; } /* Do not use this node anymore. */ largest_node = NULL; /* Next range */ smallest = largest - ack_range; TRACE_PROTO("ack range", QUIC_EV_CONN_PRSAFRM, ctx->conn,, &largest, &smallest); } while (1); /* Flag this packet number space as having received an ACK. */ HA_ATOMIC_OR(&qel->pktns->flags, QUIC_FL_PKTNS_ACK_RECEIVED); if (time_sent && (pkt_flags & QUIC_FL_TX_PACKET_ACK_ELICITING)) { *rtt_sample = tick_remain(time_sent, now_ms); HA_ATOMIC_STORE(&qel->pktns->tx.largest_acked_pn, ack->largest_ack); } if (!LIST_ISEMPTY(&newly_acked_pkts)) { if (!eb_is_empty(&qel->pktns->tx.pkts)) { qc_packet_loss_lookup(qel->pktns, ctx->conn->qc, &lost_pkts); if (!LIST_ISEMPTY(&lost_pkts)) qc_release_lost_pkts(qel->pktns, ctx, &lost_pkts, now_ms); } qc_treat_newly_acked_pkts(ctx, &newly_acked_pkts); if (quic_peer_validated_addr(ctx)) ctx->conn->qc->path->loss.pto_count = 0; qc_set_timer(ctx); } return 1; err: free_quic_tx_pkts(&newly_acked_pkts); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_PRSAFRM, ctx->conn); return 0; } /* This function gives the detail of the SSL error. It is used only * if the debug mode and the verbose mode are activated. It dump all * the SSL error until the stack was empty. */ static forceinline void qc_ssl_dump_errors(struct connection *conn) { if (unlikely(global.mode & MODE_DEBUG)) { while (1) { unsigned long ret; ret = ERR_get_error(); if (!ret) return; fprintf(stderr, "conn. @%p OpenSSL error[0x%lx] %s: %s\n", conn, ret, ERR_func_error_string(ret), ERR_reason_error_string(ret)); } } } /* Provide CRYPTO data to the TLS stack found at with as length * from encryption level with as QUIC connection context. * Remaining parameter are there for debugging purposes. * Return 1 if succeeded, 0 if not. */ static inline int qc_provide_cdata(struct quic_enc_level *el, struct ssl_sock_ctx *ctx, const unsigned char *data, size_t len, struct quic_rx_packet *pkt, struct quic_rx_crypto_frm *cf) { int ssl_err, state; struct quic_conn *qc; TRACE_ENTER(QUIC_EV_CONN_SSLDATA, ctx->conn); ssl_err = SSL_ERROR_NONE; qc = ctx->conn->qc; if (SSL_provide_quic_data(ctx->ssl, el->level, data, len) != 1) { TRACE_PROTO("SSL_provide_quic_data() error", QUIC_EV_CONN_SSLDATA, ctx->conn, pkt, cf, ctx->ssl); goto err; } el->rx.crypto.offset += len; TRACE_PROTO("in order CRYPTO data", QUIC_EV_CONN_SSLDATA, ctx->conn,, cf, ctx->ssl); state = HA_ATOMIC_LOAD(&qc->state); if (state < QUIC_HS_ST_COMPLETE) { ssl_err = SSL_do_handshake(ctx->ssl); if (ssl_err != 1) { ssl_err = SSL_get_error(ctx->ssl, ssl_err); if (ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE) { TRACE_PROTO("SSL handshake", QUIC_EV_CONN_HDSHK, ctx->conn, &state, &ssl_err); goto out; } TRACE_DEVEL("SSL handshake error", QUIC_EV_CONN_HDSHK, ctx->conn, &state, &ssl_err); qc_ssl_dump_errors(ctx->conn); BUG_ON(1); goto err; } TRACE_PROTO("SSL handshake OK", QUIC_EV_CONN_HDSHK, ctx->conn, &state); if (objt_listener(ctx->conn->target)) HA_ATOMIC_STORE(&qc->state, QUIC_HS_ST_CONFIRMED); else HA_ATOMIC_STORE(&qc->state, QUIC_HS_ST_COMPLETE); } else { ssl_err = SSL_process_quic_post_handshake(ctx->ssl); if (ssl_err != 1) { ssl_err = SSL_get_error(ctx->ssl, ssl_err); if (ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE) { TRACE_DEVEL("SSL post handshake", QUIC_EV_CONN_HDSHK, ctx->conn, &state, &ssl_err); goto out; } TRACE_DEVEL("SSL post handshake error", QUIC_EV_CONN_HDSHK, ctx->conn, &state, &ssl_err); goto err; } TRACE_PROTO("SSL post handshake succeeded", QUIC_EV_CONN_HDSHK, ctx->conn, &state); } out: TRACE_LEAVE(QUIC_EV_CONN_SSLDATA, ctx->conn); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_SSLDATA, ctx->conn); return 0; } /* Allocate a new STREAM RX frame from STREAM frame attached to * RX packet. * Return it if succeeded, NULL if not. */ static inline struct quic_rx_strm_frm *new_quic_rx_strm_frm(struct quic_stream *stream_frm, struct quic_rx_packet *pkt) { struct quic_rx_strm_frm *frm; frm = pool_alloc(pool_head_quic_rx_strm_frm); if (frm) { frm->offset_node.key = stream_frm->offset.key; frm->len = stream_frm->len; frm->data = stream_frm->data; frm->pkt = pkt; } return frm; } /* Retrieve as an ebtree node the stream with as ID, possibly allocates * several streams, depending on the already open ones. * Return this node if succeeded, NULL if not. */ static struct eb64_node *qcc_get_qcs(struct qcc *qcc, uint64_t id) { unsigned int strm_type; int64_t sub_id; struct eb64_node *strm_node; TRACE_ENTER(QUIC_EV_CONN_PSTRM, qcc->conn); strm_type = id & QCS_ID_TYPE_MASK; sub_id = id >> QCS_ID_TYPE_SHIFT; strm_node = NULL; if (qc_local_stream_id(qcc, id)) { /* Local streams: this stream must be already opened. */ strm_node = eb64_lookup(&qcc->streams_by_id, id); if (!strm_node) { TRACE_PROTO("Unknown stream ID", QUIC_EV_CONN_PSTRM, qcc->conn); goto out; } } else { /* Remote streams. */ struct eb_root *strms; uint64_t largest_id; enum qcs_type qcs_type; strms = &qcc->streams_by_id; qcs_type = qcs_id_type(id); if (sub_id + 1 > qcc->strms[qcs_type].max_streams) { TRACE_PROTO("Streams limit reached", QUIC_EV_CONN_PSTRM, qcc->conn); goto out; } /* Note: ->largest_id was initialized with (uint64_t)-1 as value, 0 being a * correct value. */ largest_id = qcc->strms[qcs_type].largest_id; if (sub_id > (int64_t)largest_id) { /* RFC: "A stream ID that is used out of order results in all streams * of that type with lower-numbered stream IDs also being opened". * So, let's "open" these streams. */ int64_t i; struct qcs *qcs; qcs = NULL; for (i = largest_id + 1; i <= sub_id; i++) { qcs = qcs_new(qcc, (i << QCS_ID_TYPE_SHIFT) | strm_type); if (!qcs) { TRACE_PROTO("Could not allocate a new stream", QUIC_EV_CONN_PSTRM, qcc->conn); goto out; } qcc->strms[qcs_type].largest_id = i; } if (qcs) strm_node = &qcs->by_id; } else { strm_node = eb64_lookup(strms, id); } } TRACE_LEAVE(QUIC_EV_CONN_PSTRM, qcc->conn); return strm_node; out: TRACE_LEAVE(QUIC_EV_CONN_PSTRM, qcc->conn); return NULL; } /* Copy as most as possible STREAM data from into stream. * Returns the number of bytes copied or -1 if failed. Also update frame * to reflect the data which have been consumed. */ static size_t qc_strm_cpy(struct buffer *buf, struct quic_stream *strm_frm) { size_t ret; ret = 0; while (strm_frm->len) { size_t try; try = b_contig_space(buf); if (!try) break; if (try > strm_frm->len) try = strm_frm->len; memcpy(b_tail(buf), strm_frm->data, try); strm_frm->len -= try; strm_frm->offset.key += try; b_add(buf, try); ret += try; } return ret; } /* Handle bidirectional STREAM frame. Depending on its ID, several * streams may be open. The data are copied to the stream RX buffer if possible. * If not, the STREAM frame is stored to be treated again later. * We rely on the flow control so that not to store too much STREAM frames. * Return 1 if succeeded, 0 if not. */ static int qc_handle_bidi_strm_frm(struct quic_rx_packet *pkt, struct quic_stream *strm_frm, struct quic_conn *qc) { struct qcs *strm; struct eb64_node *strm_node, *frm_node; struct quic_rx_strm_frm *frm; strm_node = qcc_get_qcs(qc->qcc, strm_frm->id); if (!strm_node) { TRACE_PROTO("Stream not found", QUIC_EV_CONN_PSTRM, qc->conn); return 0; } strm = eb64_entry(&strm_node->node, struct qcs, by_id); frm_node = eb64_lookup(&strm->rx.frms, strm_frm->offset.key); /* FIXME: handle the case where this frame overlap others */ if (frm_node) { TRACE_PROTO("Already existing stream data", QUIC_EV_CONN_PSTRM, qc->conn); goto out; } if (strm_frm->offset.key == strm->rx.offset) { int ret; if (!qc_get_buf(strm, &strm->rx.buf)) goto store_frm; ret = qc_strm_cpy(&strm->rx.buf, strm_frm); if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) == -1) { TRACE_PROTO("Decoding error", QUIC_EV_CONN_PSTRM); return 0; } strm->rx.offset += ret; } if (!strm_frm->len) goto out; store_frm: frm = new_quic_rx_strm_frm(strm_frm, pkt); if (!frm) { TRACE_PROTO("Could not alloc RX STREAM frame", QUIC_EV_CONN_PSTRM, qc->conn); return 0; } eb64_insert(&strm->rx.frms, &frm->offset_node); quic_rx_packet_refinc(pkt); out: return 1; } /* Handle unidirectional STREAM frame. Depending on its ID, several * streams may be open. The data are copied to the stream RX buffer if possible. * If not, the STREAM frame is stored to be treated again later. * We rely on the flow control so that not to store too much STREAM frames. * Return 1 if succeeded, 0 if not. */ static int qc_handle_uni_strm_frm(struct quic_rx_packet *pkt, struct quic_stream *strm_frm, struct quic_conn *qc) { struct qcs *strm; struct eb64_node *strm_node, *frm_node; struct quic_rx_strm_frm *frm; size_t strm_frm_len; strm_node = qcc_get_qcs(qc->qcc, strm_frm->id); if (!strm_node) { TRACE_PROTO("Stream not found", QUIC_EV_CONN_PSTRM, qc->conn); return 0; } strm = eb64_entry(&strm_node->node, struct qcs, by_id); frm_node = eb64_lookup(&strm->rx.frms, strm_frm->offset.key); /* FIXME: handle the case where this frame overlap others */ if (frm_node) { TRACE_PROTO("Already existing stream data", QUIC_EV_CONN_PSTRM, qc->conn); goto out; } strm_frm_len = strm_frm->len; if (strm_frm->offset.key == strm->rx.offset) { int ret; if (!qc_get_buf(strm, &strm->rx.buf)) goto store_frm; /* qc_strm_cpy() will modify the offset, depending on the number * of bytes copied. */ ret = qc_strm_cpy(&strm->rx.buf, strm_frm); /* Inform the application of the arrival of this new stream */ if (!strm->rx.offset && !qc->qcc->app_ops->attach_ruqs(strm, qc->qcc->ctx)) { TRACE_PROTO("Could not set an uni-stream", QUIC_EV_CONN_PSTRM, qc->conn); return 0; } if (ret) ruqs_notify_recv(strm); strm_frm->offset.key += ret; } /* Take this frame into an account for the stream flow control */ strm->rx.offset += strm_frm_len; /* It all the data were provided to the application, there is no need to * store any more information for it. */ if (!strm_frm->len) goto out; store_frm: frm = new_quic_rx_strm_frm(strm_frm, pkt); if (!frm) { TRACE_PROTO("Could not alloc RX STREAM frame", QUIC_EV_CONN_PSTRM, qc->conn); return 0; } eb64_insert(&strm->rx.frms, &frm->offset_node); quic_rx_packet_refinc(pkt); out: return 1; } static inline int qc_handle_strm_frm(struct quic_rx_packet *pkt, struct quic_stream *strm_frm, struct quic_conn *qc) { if (strm_frm->id & QCS_ID_DIR_BIT) return qc_handle_uni_strm_frm(pkt, strm_frm, qc); else return qc_handle_bidi_strm_frm(pkt, strm_frm, qc); } /* Parse all the frames of QUIC packet for QUIC connection with * as I/O handler context and as encryption level. * Returns 1 if succeeded, 0 if failed. */ static int qc_parse_pkt_frms(struct quic_rx_packet *pkt, struct ssl_sock_ctx *ctx, struct quic_enc_level *qel) { struct quic_frame frm; const unsigned char *pos, *end; struct quic_conn *conn = ctx->conn->qc; TRACE_ENTER(QUIC_EV_CONN_PRSHPKT, ctx->conn); /* Skip the AAD */ pos = pkt->data + pkt->aad_len; end = pkt->data + pkt->len; while (pos < end) { if (!qc_parse_frm(&frm, pkt, &pos, end, conn)) goto err; switch (frm.type) { case QUIC_FT_PADDING: if (pos != end) { TRACE_DEVEL("wrong frame", QUIC_EV_CONN_PRSHPKT, ctx->conn, pkt); goto err; } break; case QUIC_FT_PING: break; case QUIC_FT_ACK: { unsigned int rtt_sample; rtt_sample = 0; if (!qc_parse_ack_frm(&frm, ctx, qel, &rtt_sample, &pos, end)) goto err; if (rtt_sample) { unsigned int ack_delay; ack_delay = !quic_application_pktns(qel->pktns, conn) ? 0 : MS_TO_TICKS(QUIC_MIN(quic_ack_delay_ms(&frm.ack, conn), conn->max_ack_delay)); quic_loss_srtt_update(&conn->path->loss, rtt_sample, ack_delay, conn); } break; } case QUIC_FT_CRYPTO: if (frm.crypto.offset != qel->rx.crypto.offset) { struct quic_rx_crypto_frm *cf; cf = pool_alloc(pool_head_quic_rx_crypto_frm); if (!cf) { TRACE_DEVEL("CRYPTO frame allocation failed", QUIC_EV_CONN_PRSHPKT, ctx->conn); goto err; } cf->offset_node.key = frm.crypto.offset; cf->len = frm.crypto.len; cf->data = frm.crypto.data; cf->pkt = pkt; eb64_insert(&qel->rx.crypto.frms, &cf->offset_node); quic_rx_packet_refinc(pkt); } else { /* XXX TO DO: is used only for the traces. */ struct quic_rx_crypto_frm cf = { }; cf.offset_node.key = frm.crypto.offset; cf.len = frm.crypto.len; if (!qc_provide_cdata(qel, ctx, frm.crypto.data, frm.crypto.len, pkt, &cf)) goto err; } break; case QUIC_FT_STREAM_8: case QUIC_FT_STREAM_9: case QUIC_FT_STREAM_A: case QUIC_FT_STREAM_B: case QUIC_FT_STREAM_C: case QUIC_FT_STREAM_D: case QUIC_FT_STREAM_E: case QUIC_FT_STREAM_F: { struct quic_stream *stream = &frm.stream; TRACE_PROTO("STREAM frame", QUIC_EV_CONN_PSTRM, ctx->conn, &frm); if (objt_listener(ctx->conn->target)) { if (stream->id & QUIC_STREAM_FRAME_ID_INITIATOR_BIT) goto err; } else if (!(stream->id & QUIC_STREAM_FRAME_ID_INITIATOR_BIT)) goto err; if (!qc_handle_strm_frm(pkt, stream, ctx->conn->qc)) goto err; break; } case QUIC_FT_NEW_CONNECTION_ID: break; case QUIC_FT_CONNECTION_CLOSE: case QUIC_FT_CONNECTION_CLOSE_APP: conn->qcc->flags |= QC_CF_CC_RECV; break; case QUIC_FT_HANDSHAKE_DONE: if (objt_listener(ctx->conn->target)) goto err; HA_ATOMIC_STORE(&conn->state, QUIC_HS_ST_CONFIRMED); break; default: goto err; } } /* The server must switch from INITIAL to HANDSHAKE handshake state when it * has successfully parse a Handshake packet. The Initial encryption must also * be discarded. */ if (pkt->type == QUIC_PACKET_TYPE_HANDSHAKE && objt_listener(ctx->conn->target)) { int state = HA_ATOMIC_LOAD(&conn->state); if (state >= QUIC_HS_ST_SERVER_INITIAL) { quic_tls_discard_keys(&conn->els[QUIC_TLS_ENC_LEVEL_INITIAL]); TRACE_PROTO("discarding Initial pktns", QUIC_EV_CONN_PRSHPKT, ctx->conn); quic_pktns_discard(conn->els[QUIC_TLS_ENC_LEVEL_INITIAL].pktns, conn); qc_set_timer(ctx); if (state < QUIC_HS_ST_SERVER_HANDSHAKE) HA_ATOMIC_STORE(&conn->state, QUIC_HS_ST_SERVER_HANDSHAKE); } } TRACE_LEAVE(QUIC_EV_CONN_PRSHPKT, ctx->conn); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_PRSHPKT, ctx->conn); return 0; } /* Write datagram length and first packet address into ring * buffer. This is the responsibility of the caller to check there is enough * room in . Also increase the write index consequently. * This function must be called only after having built a correct datagram. * Always succeeds. */ static inline void qc_set_dg(struct cbuf *cbuf, uint16_t dglen, struct quic_tx_packet *pkt) { write_u16(cb_wr(cbuf), dglen); write_ptr(cb_wr(cbuf) + sizeof dglen, pkt); cb_add(cbuf, dglen + sizeof dglen + sizeof pkt); } /* Prepare as much as possible handshake packets into ring buffer for * the QUIC connection with as I/O handler context, possibly concatenating * several packets in the same datagram. A header made of two fields is added * to each datagram: the datagram length followed by the address of the first * packet in this datagram. * Returns 1 if succeeded, or 0 if something wrong happened. */ static int qc_prep_hdshk_pkts(struct qring *qr, struct ssl_sock_ctx *ctx) { struct quic_conn *qc; enum quic_tls_enc_level tel, next_tel; struct quic_enc_level *qel; struct cbuf *cbuf; unsigned char *end_buf, *end, *pos, *spos; struct quic_tx_packet *first_pkt, *cur_pkt, *prv_pkt; /* length of datagrams */ uint16_t dglen; size_t total; /* Each datagram is prepended with its length followed by the * address of the first packet in the datagram. */ size_t dg_headlen = sizeof dglen + sizeof first_pkt; TRACE_ENTER(QUIC_EV_CONN_PHPKTS, ctx->conn); qc = ctx->conn->qc; if (!quic_get_tls_enc_levels(&tel, &next_tel, HA_ATOMIC_LOAD(&qc->state))) { TRACE_DEVEL("unknown enc. levels", QUIC_EV_CONN_PHPKTS, ctx->conn); goto err; } start: total = 0; dglen = 0; qel = &qc->els[tel]; cbuf = qr->cbuf; spos = pos = cb_wr(cbuf); /* Leave at least bytes at the end of this buffer * to ensure there is enough room to mark the end of prepared * contiguous data with a zero length. */ end_buf = pos + cb_contig_space(cbuf) - sizeof dglen; first_pkt = prv_pkt = NULL; while (end_buf - pos >= (int)qc->path->mtu + dg_headlen || prv_pkt) { int err, nb_ptos, ack; enum quic_pkt_type pkt_type; TRACE_POINT(QUIC_EV_CONN_PHPKTS, ctx->conn, qel); nb_ptos = 0; if (!prv_pkt) { /* Consume a PTO dgram only if building a new dgrams (!prv_pkt) */ do { nb_ptos = HA_ATOMIC_LOAD(&qc->tx.nb_pto_dgrams); } while (nb_ptos && !HA_ATOMIC_CAS(&qc->tx.nb_pto_dgrams, &nb_ptos, nb_ptos - 1)); } ack = HA_ATOMIC_BTR(&qc->flags, QUIC_FL_PKTNS_ACK_REQUIRED_BIT); /* Do not build any more packet if the TX secrets are not available or * if there is nothing to send, i.e. if no ACK are required * and if there is no more packets to send upon PTO expiration * and if there is no more CRYPTO data available or in flight * congestion control limit is reached for prepared data */ if (!(qel->tls_ctx.tx.flags & QUIC_FL_TLS_SECRETS_SET) || (!ack && !nb_ptos && (MT_LIST_ISEMPTY(&qel->pktns->tx.frms) || qc->path->prep_in_flight >= qc->path->cwnd))) { TRACE_DEVEL("nothing more to do", QUIC_EV_CONN_PHPKTS, ctx->conn); /* Set the current datagram as prepared into if * the was already a correct packet which was previously written. */ if (prv_pkt) qc_set_dg(cbuf, dglen, first_pkt); break; } pkt_type = quic_tls_level_pkt_type(tel); if (!prv_pkt) { /* Leave room for the datagram header */ pos += dg_headlen; end = pos + qc->path->mtu; } cur_pkt = qc_build_pkt(&pos, end, qel, qc, pkt_type, ack, nb_ptos, &err); /* Restore the PTO dgrams counter if a packet could not be built */ if (err < 0) { if (!prv_pkt && nb_ptos) HA_ATOMIC_ADD(&qc->tx.nb_pto_dgrams, 1); if (ack) HA_ATOMIC_BTS(&qc->flags, QUIC_FL_PKTNS_ACK_REQUIRED_BIT); } switch (err) { case -2: goto err; case -1: /* If there was already a correct packet present, set the * current datagram as prepared into . */ if (prv_pkt) { qc_set_dg(cbuf, dglen, first_pkt); goto stop_build; } goto out; default: /* This is to please to GCC. We cannot have (err >= 0 && !cur_pkt) */ if (!cur_pkt) goto err; total += cur_pkt->len; /* keep trace of the first packet in the datagram */ if (!first_pkt) first_pkt = cur_pkt; /* Attach the current one to the previous one */ if (prv_pkt) prv_pkt->next = cur_pkt; /* Let's say we have to build a new dgram */ prv_pkt = NULL; dglen += cur_pkt->len; /* Discard the Initial encryption keys as soon as * a handshake packet could be built. */ if (HA_ATOMIC_LOAD(&qc->state) == QUIC_HS_ST_CLIENT_INITIAL && pkt_type == QUIC_PACKET_TYPE_HANDSHAKE) { quic_tls_discard_keys(&qc->els[QUIC_TLS_ENC_LEVEL_INITIAL]); TRACE_PROTO("discarding Initial pktns", QUIC_EV_CONN_PHPKTS, ctx->conn); quic_pktns_discard(qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].pktns, qc); qc_set_timer(ctx); HA_ATOMIC_STORE(&qc->state, QUIC_HS_ST_CLIENT_HANDSHAKE); } /* Special case for Initial packets: when they have all * been sent, select the next level. */ if ((tel == QUIC_TLS_ENC_LEVEL_INITIAL || tel == QUIC_TLS_ENC_LEVEL_HANDSHAKE) && (MT_LIST_ISEMPTY(&qel->pktns->tx.frms) || (next_tel != QUIC_TLS_ENC_LEVEL_NONE && qc->els[next_tel].pktns->tx.in_flight))) { /* If QUIC_TLS_ENC_LEVEL_HANDSHAKE was already reached let's try QUIC_TLS_ENC_LEVEL_APP */ if (tel == QUIC_TLS_ENC_LEVEL_HANDSHAKE && next_tel == tel) next_tel = QUIC_TLS_ENC_LEVEL_APP; tel = next_tel; qel = &qc->els[tel]; if (!MT_LIST_ISEMPTY(&qel->pktns->tx.frms)) { /* If there is data for the next level, do not * consume a datagram. This is the case for a client * which sends only one Initial packet, then wait * for additional CRYPTO data from the server to enter the * next level. */ prv_pkt = cur_pkt; } } } /* If we have to build a new datagram, set the current datagram as * prepared into . */ if (!prv_pkt) { qc_set_dg(cbuf, dglen, first_pkt); first_pkt = NULL; dglen = 0; } } stop_build: /* Reset writer index if in front of index */ if (end_buf - pos < (int)qc->path->mtu + dg_headlen) { int rd = HA_ATOMIC_LOAD(&cbuf->rd); TRACE_DEVEL("buffer full", QUIC_EV_CONN_PHPKTS, ctx->conn); if (cb_contig_space(cbuf) >= sizeof(uint16_t)) { if ((pos != spos && cbuf->wr > rd) || (pos == spos && rd <= cbuf->wr)) { /* Mark the end of contiguous data for the reader */ write_u16(cb_wr(cbuf), 0); cb_add(cbuf, sizeof(uint16_t)); } } if (rd && rd <= cbuf->wr) { cb_wr_reset(cbuf); if (pos == spos) { /* Reuse the same buffer if nothing was built. */ goto start; } } } out: TRACE_LEAVE(QUIC_EV_CONN_PHPKTS, ctx->conn); return total; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_PHPKTS, ctx->conn); return -1; } /* Send the QUIC packets which have been prepared for QUIC connections * from ring buffer with as I/O handler context. */ int qc_send_ppkts(struct qring *qr, struct ssl_sock_ctx *ctx) { struct quic_conn *qc; struct cbuf *cbuf; qc = ctx->conn->qc; cbuf = qr->cbuf; while (cb_contig_data(cbuf)) { unsigned char *pos; struct buffer tmpbuf = { }; struct quic_tx_packet *first_pkt, *pkt, *next_pkt; uint16_t dglen; size_t headlen = sizeof dglen + sizeof first_pkt; unsigned int time_sent; pos = cb_rd(cbuf); dglen = read_u16(pos); /* End of prepared datagrams. * Reset the reader index only if in front of the writer index. */ if (!dglen) { int wr = HA_ATOMIC_LOAD(&cbuf->wr); if (wr && wr < cbuf->rd) { cb_rd_reset(cbuf); continue; } break; } pos += sizeof dglen; first_pkt = read_ptr(pos); pos += sizeof first_pkt; tmpbuf.area = (char *)pos; tmpbuf.size = tmpbuf.data = dglen; TRACE_PROTO("to send", QUIC_EV_CONN_SPPKTS, ctx->conn); for (pkt = first_pkt; pkt; pkt = pkt->next) quic_tx_packet_refinc(pkt); if (ctx->xprt->snd_buf(qc->conn, qc->conn->xprt_ctx, &tmpbuf, tmpbuf.data, 0) <= 0) { for (pkt = first_pkt; pkt; pkt = pkt->next) quic_tx_packet_refdec(pkt); break; } cb_del(cbuf, dglen + headlen); qc->tx.bytes += tmpbuf.data; time_sent = now_ms; for (pkt = first_pkt; pkt; pkt = next_pkt) { pkt->time_sent = time_sent; if (pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING) { pkt->pktns->tx.time_of_last_eliciting = time_sent; qc->path->ifae_pkts++; } qc->path->in_flight += pkt->in_flight_len; pkt->pktns->tx.in_flight += pkt->in_flight_len; if (pkt->in_flight_len) qc_set_timer(ctx); TRACE_PROTO("sent pkt", QUIC_EV_CONN_SPPKTS, ctx->conn, pkt); next_pkt = pkt->next; eb64_insert(&pkt->pktns->tx.pkts, &pkt->pn_node); quic_tx_packet_refdec(pkt); } } return 1; } /* Build all the frames which must be sent just after the handshake have succeeded. * This is essentially NEW_CONNECTION_ID frames. A QUIC server must also send * a HANDSHAKE_DONE frame. * Return 1 if succeeded, 0 if not. */ static int quic_build_post_handshake_frames(struct quic_conn *qc) { int i; struct quic_enc_level *qel; struct quic_frame *frm; qel = &qc->els[QUIC_TLS_ENC_LEVEL_APP]; /* Only servers must send a HANDSHAKE_DONE frame. */ if (!objt_server(qc->conn->target)) { frm = pool_alloc(pool_head_quic_frame); if (!frm) return 0; frm->type = QUIC_FT_HANDSHAKE_DONE; MT_LIST_APPEND(&qel->pktns->tx.frms, &frm->mt_list); } for (i = 1; i < qc->tx.params.active_connection_id_limit; i++) { struct quic_connection_id *cid; frm = pool_alloc(pool_head_quic_frame); cid = new_quic_cid(&qc->cids, i); if (!frm || !cid) goto err; quic_connection_id_to_frm_cpy(frm, cid); MT_LIST_APPEND(&qel->pktns->tx.frms, &frm->mt_list); } return 1; err: free_quic_conn_cids(qc); return 0; } /* Deallocate list of ACK ranges. */ void free_quic_arngs(struct quic_arngs *arngs) { struct eb64_node *n; struct quic_arng_node *ar; n = eb64_first(&arngs->root); while (n) { struct eb64_node *next; ar = eb64_entry(&n->node, struct quic_arng_node, first); next = eb64_next(n); eb64_delete(n); free(ar); n = next; } } /* Return the gap value between

and ACK ranges where follows

in * descending order. */ static inline size_t sack_gap(struct quic_arng_node *p, struct quic_arng_node *q) { return p->first.key - q->last - 2; } /* Remove the last elements of list of ack range updating its * encoded size until it goes below . * Returns 1 if succeeded, 0 if not (no more element to remove). */ static int quic_rm_last_ack_ranges(struct quic_arngs *arngs, size_t limit) { struct eb64_node *last, *prev; last = eb64_last(&arngs->root); while (last && arngs->enc_sz > limit) { struct quic_arng_node *last_node, *prev_node; prev = eb64_prev(last); if (!prev) return 0; last_node = eb64_entry(&last->node, struct quic_arng_node, first); prev_node = eb64_entry(&prev->node, struct quic_arng_node, first); arngs->enc_sz -= quic_int_getsize(last_node->last - last_node->first.key); arngs->enc_sz -= quic_int_getsize(sack_gap(prev_node, last_node)); arngs->enc_sz -= quic_decint_size_diff(arngs->sz); --arngs->sz; eb64_delete(last); pool_free(pool_head_quic_arng, last); last = prev; } return 1; } /* Set the encoded size of QUIC ack ranges. */ static void quic_arngs_set_enc_sz(struct quic_arngs *arngs) { struct eb64_node *node, *next; struct quic_arng_node *ar, *ar_next; node = eb64_last(&arngs->root); if (!node) return; ar = eb64_entry(&node->node, struct quic_arng_node, first); arngs->enc_sz = quic_int_getsize(ar->last) + quic_int_getsize(ar->last - ar->first.key) + quic_int_getsize(arngs->sz - 1); while ((next = eb64_prev(node))) { ar_next = eb64_entry(&next->node, struct quic_arng_node, first); arngs->enc_sz += quic_int_getsize(sack_gap(ar, ar_next)) + quic_int_getsize(ar_next->last - ar_next->first.key); node = next; ar = eb64_entry(&node->node, struct quic_arng_node, first); } } /* Insert ack range into tree of ack ranges. * Returns the ack range node which has been inserted if succeeded, NULL if not. */ static inline struct quic_arng_node *quic_insert_new_range(struct quic_arngs *arngs, struct quic_arng *ar) { struct quic_arng_node *new_ar; new_ar = pool_alloc(pool_head_quic_arng); if (new_ar) { new_ar->first.key = ar->first; new_ar->last = ar->last; eb64_insert(&arngs->root, &new_ar->first); arngs->sz++; } return new_ar; } /* Update tree of ACK ranges with as new ACK range value. * Note that this function computes the number of bytes required to encode * this tree of ACK ranges in descending order. * * Descending order * -------------> * range1 range2 * ..........|--------|..............|--------| * ^ ^ ^ ^ * | | | | * last1 first1 last2 first2 * ..........+--------+--------------+--------+...... * diff1 gap12 diff2 * * To encode the previous list of ranges we must encode integers as follows in * descending order: * enc(last2),enc(diff2),enc(gap12),enc(diff1) * with diff1 = last1 - first1 * diff2 = last2 - first2 * gap12 = first1 - last2 - 2 (>= 0) * */ int quic_update_ack_ranges_list(struct quic_arngs *arngs, struct quic_arng *ar) { struct eb64_node *le; struct quic_arng_node *new_node; struct eb64_node *new; new = NULL; if (eb_is_empty(&arngs->root)) { new_node = quic_insert_new_range(arngs, ar); if (!new_node) return 0; goto out; } le = eb64_lookup_le(&arngs->root, ar->first); if (!le) { new_node = quic_insert_new_range(arngs, ar); if (!new_node) return 0; } else { struct quic_arng_node *le_ar = eb64_entry(&le->node, struct quic_arng_node, first); /* Already existing range */ if (le_ar->last >= ar->last) return 1; if (le_ar->last + 1 >= ar->first) { le_ar->last = ar->last; new = le; new_node = le_ar; } else { new_node = quic_insert_new_range(arngs, ar); if (!new_node) return 0; new = &new_node->first; } } /* Verify that the new inserted node does not overlap the nodes * which follow it. */ if (new) { struct eb64_node *next; struct quic_arng_node *next_node; while ((next = eb64_next(new))) { next_node = eb64_entry(&next->node, struct quic_arng_node, first); if (new_node->last + 1 < next_node->first.key) break; if (next_node->last > new_node->last) new_node->last = next_node->last; eb64_delete(next); pool_free(pool_head_quic_arng, next_node); /* Decrement the size of these ranges. */ arngs->sz--; } } out: quic_arngs_set_enc_sz(arngs); return 1; } /* Remove the header protection of packets at encryption level. * Always succeeds. */ static inline void qc_rm_hp_pkts(struct quic_enc_level *el, struct ssl_sock_ctx *ctx) { struct quic_tls_ctx *tls_ctx; struct quic_rx_packet *pqpkt; struct mt_list *pkttmp1, pkttmp2; struct quic_enc_level *app_qel; TRACE_ENTER(QUIC_EV_CONN_ELRMHP, ctx->conn); app_qel = &ctx->conn->qc->els[QUIC_TLS_ENC_LEVEL_APP]; /* A server must not process incoming 1-RTT packets before the handshake is complete. */ if (el == app_qel && objt_listener(ctx->conn->target) && HA_ATOMIC_LOAD(&ctx->conn->qc->state) < QUIC_HS_ST_COMPLETE) { TRACE_PROTO("hp not removed (handshake not completed)", QUIC_EV_CONN_ELRMHP, ctx->conn); goto out; } tls_ctx = &el->tls_ctx; mt_list_for_each_entry_safe(pqpkt, &el->rx.pqpkts, list, pkttmp1, pkttmp2) { if (!qc_do_rm_hp(pqpkt, tls_ctx, el->pktns->rx.largest_pn, pqpkt->data + pqpkt->pn_offset, pqpkt->data, pqpkt->data + pqpkt->len, ctx)) { TRACE_PROTO("hp removing error", QUIC_EV_CONN_ELRMHP, ctx->conn); /* XXX TO DO XXX */ } else { /* The AAD includes the packet number field */ pqpkt->aad_len = pqpkt->pn_offset + pqpkt->pnl; /* Store the packet into the tree of packets to decrypt. */ pqpkt->pn_node.key = pqpkt->pn; HA_RWLOCK_WRLOCK(QUIC_LOCK, &el->rx.pkts_rwlock); eb64_insert(&el->rx.pkts, &pqpkt->pn_node); quic_rx_packet_refinc(pqpkt); HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &el->rx.pkts_rwlock); TRACE_PROTO("hp removed", QUIC_EV_CONN_ELRMHP, ctx->conn, pqpkt); } MT_LIST_DELETE_SAFE(pkttmp1); quic_rx_packet_refdec(pqpkt); } out: TRACE_LEAVE(QUIC_EV_CONN_ELRMHP, ctx->conn); } /* Process all the CRYPTO frame at encryption level. * Return 1 if succeeded, 0 if not. */ static inline int qc_treat_rx_crypto_frms(struct quic_enc_level *el, struct ssl_sock_ctx *ctx) { struct eb64_node *node; TRACE_ENTER(QUIC_EV_CONN_RXCDATA, ctx->conn); HA_RWLOCK_WRLOCK(QUIC_LOCK, &el->rx.crypto.frms_rwlock); node = eb64_first(&el->rx.crypto.frms); while (node) { struct quic_rx_crypto_frm *cf; cf = eb64_entry(&node->node, struct quic_rx_crypto_frm, offset_node); if (cf->offset_node.key != el->rx.crypto.offset) break; if (!qc_provide_cdata(el, ctx, cf->data, cf->len, cf->pkt, cf)) goto err; node = eb64_next(node); quic_rx_packet_refdec(cf->pkt); eb64_delete(&cf->offset_node); pool_free(pool_head_quic_rx_crypto_frm, cf); } HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &el->rx.crypto.frms_rwlock); TRACE_LEAVE(QUIC_EV_CONN_RXCDATA, ctx->conn); return 1; err: HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &el->rx.crypto.frms_rwlock); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_RXCDATA, ctx->conn); return 0; } /* Process all the packets at and encryption level. * This is the caller responsibility to check that is different of * as pointer value. * Return 1 if succeeded, 0 if not. */ int qc_treat_rx_pkts(struct quic_enc_level *cur_el, struct quic_enc_level *next_el, struct ssl_sock_ctx *ctx, int force_ack) { struct eb64_node *node; int64_t largest_pn = -1; struct quic_conn *qc = ctx->conn->qc; struct quic_enc_level *qel = cur_el; TRACE_ENTER(QUIC_EV_CONN_ELRXPKTS, ctx->conn); qel = cur_el; next_tel: if (!qel) goto out; HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); node = eb64_first(&qel->rx.pkts); while (node) { struct quic_rx_packet *pkt; pkt = eb64_entry(&node->node, struct quic_rx_packet, pn_node); TRACE_PROTO("new packet", QUIC_EV_CONN_ELRXPKTS, ctx->conn, pkt, NULL, ctx->ssl); if (!qc_pkt_decrypt(pkt, &qel->tls_ctx)) { /* Drop the packet */ TRACE_PROTO("packet decryption failed -> dropped", QUIC_EV_CONN_ELRXPKTS, ctx->conn, pkt); } else { if (!qc_parse_pkt_frms(pkt, ctx, qel)) { /* Drop the packet */ TRACE_PROTO("packet parsing failed -> dropped", QUIC_EV_CONN_ELRXPKTS, ctx->conn, pkt); } else { struct quic_arng ar = { .first = pkt->pn, .last = pkt->pn }; if (pkt->flags & QUIC_FL_RX_PACKET_ACK_ELICITING && (!(HA_ATOMIC_ADD_FETCH(&qc->rx.nb_ack_eliciting, 1) & 1) || force_ack)) HA_ATOMIC_BTS(&qc->flags, QUIC_FL_PKTNS_ACK_REQUIRED_BIT); if (pkt->pn > largest_pn) largest_pn = pkt->pn; /* Update the list of ranges to acknowledge. */ if (!quic_update_ack_ranges_list(&qel->pktns->rx.arngs, &ar)) TRACE_DEVEL("Could not update ack range list", QUIC_EV_CONN_ELRXPKTS, ctx->conn); } } node = eb64_next(node); eb64_delete(&pkt->pn_node); quic_rx_packet_refdec(pkt); } HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); /* Update the largest packet number. */ if (largest_pn != -1) HA_ATOMIC_UPDATE_MAX(&qel->pktns->rx.largest_pn, largest_pn); if (!qc_treat_rx_crypto_frms(qel, ctx)) goto err; if (qel == cur_el) { BUG_ON(qel == next_el); qel = next_el; goto next_tel; } out: TRACE_LEAVE(QUIC_EV_CONN_ELRXPKTS, ctx->conn); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ELRXPKTS, ctx->conn); return 0; } /* QUIC connection packet handler task. */ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state) { int ret, ssl_err; struct ssl_sock_ctx *ctx; struct quic_conn *qc; enum quic_tls_enc_level tel, next_tel; struct quic_enc_level *qel, *next_qel; struct quic_tls_ctx *tls_ctx; struct qring *qr; // Tx ring int prev_st, st, force_ack; ctx = context; qc = ctx->conn->qc; qr = NULL; st = HA_ATOMIC_LOAD(&qc->state); TRACE_ENTER(QUIC_EV_CONN_HDSHK, ctx->conn, &st); ssl_err = SSL_ERROR_NONE; start: if (!quic_get_tls_enc_levels(&tel, &next_tel, st)) goto err; qel = &qc->els[tel]; next_qel = next_tel == QUIC_TLS_ENC_LEVEL_NONE ? NULL : &qc->els[next_tel]; next_level: tls_ctx = &qel->tls_ctx; /* If the header protection key for this level has been derived, * remove the packet header protections. */ if (!MT_LIST_ISEMPTY(&qel->rx.pqpkts) && (tls_ctx->rx.flags & QUIC_FL_TLS_SECRETS_SET)) qc_rm_hp_pkts(qel, ctx); prev_st = HA_ATOMIC_LOAD(&qc->state); force_ack = qel == &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL] || qel == &qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE]; if (!qc_treat_rx_pkts(qel, next_qel, ctx, force_ack)) goto err; st = HA_ATOMIC_LOAD(&qc->state); if (st >= QUIC_HS_ST_COMPLETE && (prev_st == QUIC_HS_ST_SERVER_INITIAL || prev_st == QUIC_HS_ST_SERVER_HANDSHAKE)) { /* Discard the Handshake keys. */ quic_tls_discard_keys(&qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE]); TRACE_PROTO("discarding Handshake pktns", QUIC_EV_CONN_PHPKTS, ctx->conn); quic_pktns_discard(qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE].pktns, qc); qc_set_timer(ctx); if (!quic_build_post_handshake_frames(qc)) goto err; goto start; } if (!qr) qr = MT_LIST_POP(qc->tx.qring_list, typeof(qr), mt_list); ret = qc_prep_hdshk_pkts(qr, ctx); if (ret == -1) goto err; else if (ret == 0) goto skip_send; if (!qc_send_ppkts(qr, ctx)) goto err; skip_send: /* Check if there is something to do for the next level. */ if (next_qel && next_qel != qel && (next_qel->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_SET) && (!MT_LIST_ISEMPTY(&next_qel->rx.pqpkts) || !eb_is_empty(&next_qel->rx.pkts))) { qel = next_qel; next_qel = NULL; goto next_level; } MT_LIST_APPEND(qc->tx.qring_list, &qr->mt_list); TRACE_LEAVE(QUIC_EV_CONN_HDSHK, ctx->conn, &st); return t; err: if (qr) MT_LIST_APPEND(qc->tx.qring_list, &qr->mt_list); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_HDSHK, ctx->conn, &st, &ssl_err); return t; } /* Uninitialize QUIC encryption level. Never fails. */ static void quic_conn_enc_level_uninit(struct quic_enc_level *qel) { int i; for (i = 0; i < qel->tx.crypto.nb_buf; i++) { if (qel->tx.crypto.bufs[i]) { pool_free(pool_head_quic_crypto_buf, qel->tx.crypto.bufs[i]); qel->tx.crypto.bufs[i] = NULL; } } ha_free(&qel->tx.crypto.bufs); } /* Initialize QUIC TLS encryption level with as level for QUIC * connection allocating everything needed. * Returns 1 if succeeded, 0 if not. */ static int quic_conn_enc_level_init(struct quic_conn *qc, enum quic_tls_enc_level level) { struct quic_enc_level *qel; qel = &qc->els[level]; qel->level = quic_to_ssl_enc_level(level); qel->tls_ctx.rx.aead = qel->tls_ctx.tx.aead = NULL; qel->tls_ctx.rx.md = qel->tls_ctx.tx.md = NULL; qel->tls_ctx.rx.hp = qel->tls_ctx.tx.hp = NULL; qel->tls_ctx.rx.flags = 0; qel->tls_ctx.tx.flags = 0; qel->rx.pkts = EB_ROOT; HA_RWLOCK_INIT(&qel->rx.pkts_rwlock); MT_LIST_INIT(&qel->rx.pqpkts); qel->rx.crypto.offset = 0; qel->rx.crypto.frms = EB_ROOT_UNIQUE; HA_RWLOCK_INIT(&qel->rx.crypto.frms_rwlock); /* Allocate only one buffer. */ qel->tx.crypto.bufs = malloc(sizeof *qel->tx.crypto.bufs); if (!qel->tx.crypto.bufs) goto err; qel->tx.crypto.bufs[0] = pool_alloc(pool_head_quic_crypto_buf); if (!qel->tx.crypto.bufs[0]) goto err; qel->tx.crypto.bufs[0]->sz = 0; qel->tx.crypto.nb_buf = 1; qel->tx.crypto.sz = 0; qel->tx.crypto.offset = 0; return 1; err: ha_free(&qel->tx.crypto.bufs); return 0; } /* Release all the memory allocated for QUIC connection. */ static void quic_conn_free(struct quic_conn *conn) { int i; if (!conn) return; free_quic_conn_cids(conn); /* remove the connection from receiver cids trees */ HA_RWLOCK_WRLOCK(OTHER_LOCK, &conn->li->rx.cids_lock); ebmb_delete(&conn->odcid_node); ebmb_delete(&conn->scid_node); HA_RWLOCK_WRUNLOCK(OTHER_LOCK, &conn->li->rx.cids_lock); for (i = 0; i < QUIC_TLS_ENC_LEVEL_MAX; i++) quic_conn_enc_level_uninit(&conn->els[i]); if (conn->timer_task) task_destroy(conn->timer_task); pool_free(pool_head_quic_conn_rxbuf, conn->rx.buf.area); pool_free(pool_head_quic_conn, conn); } void quic_close(struct connection *conn, void *xprt_ctx) { struct ssl_sock_ctx *conn_ctx = xprt_ctx; struct quic_conn *qc = conn_ctx->conn->qc; quic_conn_free(qc); } /* Callback called upon loss detection and PTO timer expirations. */ static struct task *process_timer(struct task *task, void *ctx, unsigned int state) { struct ssl_sock_ctx *conn_ctx; struct quic_conn *qc; struct quic_pktns *pktns; int st; conn_ctx = task->context; qc = conn_ctx->conn->qc; TRACE_ENTER(QUIC_EV_CONN_PTIMER, conn_ctx->conn, NULL, NULL, &qc->path->ifae_pkts); task->expire = TICK_ETERNITY; pktns = quic_loss_pktns(qc); if (tick_isset(pktns->tx.loss_time)) { struct list lost_pkts = LIST_HEAD_INIT(lost_pkts); qc_packet_loss_lookup(pktns, qc, &lost_pkts); if (!LIST_ISEMPTY(&lost_pkts)) qc_release_lost_pkts(pktns, ctx, &lost_pkts, now_ms); qc_set_timer(conn_ctx); goto out; } st = HA_ATOMIC_LOAD(&qc->state); if (qc->path->in_flight) { pktns = quic_pto_pktns(qc, st >= QUIC_HS_ST_COMPLETE, NULL); pktns->tx.pto_probe = 1; } else if (objt_server(qc->conn->target) && st <= QUIC_HS_ST_COMPLETE) { struct quic_enc_level *iel = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL]; struct quic_enc_level *hel = &qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE]; if (hel->tls_ctx.rx.flags == QUIC_FL_TLS_SECRETS_SET) hel->pktns->tx.pto_probe = 1; if (iel->tls_ctx.rx.flags == QUIC_FL_TLS_SECRETS_SET) iel->pktns->tx.pto_probe = 1; } HA_ATOMIC_STORE(&qc->tx.nb_pto_dgrams, QUIC_MAX_NB_PTO_DGRAMS); tasklet_wakeup(conn_ctx->wait_event.tasklet); qc->path->loss.pto_count++; out: TRACE_LEAVE(QUIC_EV_CONN_PTIMER, conn_ctx->conn, pktns); return task; } /* Initialize QUIC connection with as root of QUIC * connections used to identify the first Initial packets of client connecting * to listeners. This parameter must be NULL for QUIC connections attached * to listeners. is the destination connection ID with as length. * is the source connection ID with as length. * Returns 1 if succeeded, 0 if not. */ static struct quic_conn *qc_new_conn(unsigned int version, int ipv4, unsigned char *dcid, size_t dcid_len, unsigned char *scid, size_t scid_len, int server, void *owner) { int i; struct quic_conn *qc; /* Initial CID. */ struct quic_connection_id *icid; char *buf_area; TRACE_ENTER(QUIC_EV_CONN_INIT); qc = pool_zalloc(pool_head_quic_conn); if (!qc) { TRACE_PROTO("Could not allocate a new connection", QUIC_EV_CONN_INIT); goto err; } buf_area = pool_alloc(pool_head_quic_conn_rxbuf); if (!buf_area) { TRACE_PROTO("Could not allocate a new RX buffer", QUIC_EV_CONN_INIT); goto err; } qc->cids = EB_ROOT; /* QUIC Server (or listener). */ if (server) { struct listener *l = owner; HA_ATOMIC_STORE(&qc->state, QUIC_HS_ST_SERVER_INITIAL); /* Copy the initial DCID. */ qc->odcid.len = dcid_len; if (qc->odcid.len) memcpy(qc->odcid.data, dcid, dcid_len); /* Copy the SCID as our DCID for this connection. */ if (scid_len) memcpy(qc->dcid.data, scid, scid_len); qc->dcid.len = scid_len; qc->tx.qring_list = &l->rx.tx_qring_list; qc->li = l; } /* QUIC Client (outgoing connection to servers) */ else { HA_ATOMIC_STORE(&qc->state, QUIC_HS_ST_CLIENT_INITIAL); if (dcid_len) memcpy(qc->dcid.data, dcid, dcid_len); qc->dcid.len = dcid_len; } /* Initialize the output buffer */ qc->obuf.pos = qc->obuf.data; icid = new_quic_cid(&qc->cids, 0); if (!icid) { TRACE_PROTO("Could not allocate a new connection ID", QUIC_EV_CONN_INIT); goto err; } /* Select our SCID which is the first CID with 0 as sequence number. */ qc->scid = icid->cid; /* Packet number spaces initialization. */ for (i = 0; i < QUIC_TLS_PKTNS_MAX; i++) quic_pktns_init(&qc->pktns[i]); /* QUIC encryption level context initialization. */ for (i = 0; i < QUIC_TLS_ENC_LEVEL_MAX; i++) { if (!quic_conn_enc_level_init(qc, i)) { TRACE_PROTO("Could not initialize an encryption level", QUIC_EV_CONN_INIT); goto err; } /* Initialize the packet number space. */ qc->els[i].pktns = &qc->pktns[quic_tls_pktns(i)]; } qc->version = version; /* TX part. */ LIST_INIT(&qc->tx.frms_to_send); qc->tx.nb_buf = QUIC_CONN_TX_BUFS_NB; qc->tx.wbuf = qc->tx.rbuf = 0; qc->tx.bytes = 0; qc->tx.nb_pto_dgrams = 0; /* RX part. */ qc->rx.bytes = 0; qc->rx.nb_ack_eliciting = 0; qc->rx.buf = b_make(buf_area, QUIC_CONN_RX_BUFSZ, 0, 0); HA_RWLOCK_INIT(&qc->rx.buf_rwlock); LIST_INIT(&qc->rx.pkt_list); /* XXX TO DO: Only one path at this time. */ qc->path = &qc->paths[0]; quic_path_init(qc->path, ipv4, default_quic_cc_algo, qc); TRACE_LEAVE(QUIC_EV_CONN_INIT); return qc; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_INIT); quic_conn_free(qc); return NULL; } /* Initialize the timer task of QUIC connection. * Returns 1 if succeeded, 0 if not. */ static int quic_conn_init_timer(struct quic_conn *qc) { qc->timer_task = task_new_anywhere(); if (!qc->timer_task) return 0; qc->timer = TICK_ETERNITY; qc->timer_task->process = process_timer; qc->timer_task->context = qc->conn->xprt_ctx; return 1; } /* Parse into a long header located at <*buf> buffer, begin a pointer to the end * past one byte of this buffer. */ static inline int quic_packet_read_long_header(unsigned char **buf, const unsigned char *end, struct quic_rx_packet *pkt) { unsigned char dcid_len, scid_len; /* Version */ if (!quic_read_uint32(&pkt->version, (const unsigned char **)buf, end)) return 0; if (!pkt->version) { /* XXX TO DO XXX Version negotiation packet */ }; /* Destination Connection ID Length */ dcid_len = *(*buf)++; /* We want to be sure we can read bytes and one more for value */ if (dcid_len > QUIC_CID_MAXLEN || end - *buf < dcid_len + 1) /* XXX MUST BE DROPPED */ return 0; if (dcid_len) { /* Check that the length of this received DCID matches the CID lengths * of our implementation for non Initials packets only. */ if (pkt->type != QUIC_PACKET_TYPE_INITIAL && dcid_len != QUIC_CID_LEN) return 0; memcpy(pkt->dcid.data, *buf, dcid_len); } pkt->dcid.len = dcid_len; *buf += dcid_len; /* Source Connection ID Length */ scid_len = *(*buf)++; if (scid_len > QUIC_CID_MAXLEN || end - *buf < scid_len) /* XXX MUST BE DROPPED */ return 0; if (scid_len) memcpy(pkt->scid.data, *buf, scid_len); pkt->scid.len = scid_len; *buf += scid_len; return 1; } /* If the header protection of packet attached to connection with * as context may be removed, return 1, 0 if not. Also set <*qel> to the associated * encryption level matching with the packet type. <*qel> may be null if not found. * Note that may be null (for Initial packets). */ static int qc_pkt_may_rm_hp(struct quic_rx_packet *pkt, struct quic_conn *qc, struct ssl_sock_ctx *ctx, struct quic_enc_level **qel) { enum quic_tls_enc_level tel; /* Special case without connection context (first Initial packets) */ if (!ctx) { *qel = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL]; return 1; } tel = quic_packet_type_enc_level(pkt->type); if (tel == QUIC_TLS_ENC_LEVEL_NONE) { *qel = NULL; return 0; } *qel = &qc->els[tel]; if ((*qel)->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_DCD) { TRACE_DEVEL("Discarded keys", QUIC_EV_CONN_TRMHP, ctx->conn); return 0; } if (((*qel)->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_SET) && (tel != QUIC_TLS_ENC_LEVEL_APP || HA_ATOMIC_LOAD(&ctx->conn->qc->state) >= QUIC_HS_ST_COMPLETE)) return 1; return 0; } /* Insert RX packet in its RX packets tree */ static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel) { pkt->pn_node.key = pkt->pn; HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); eb64_insert(&qel->rx.pkts, &pkt->pn_node); HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); quic_rx_packet_refinc(pkt); } /* Try to remove the header protection of QUIC packet attached to * QUIC connection with as packet number field address, a pointer to one * byte past the end of the buffer containing this packet and the address of * the packet first byte. * If succeeded, this function updates <*buf> to point to the next packet in the buffer. * Returns 1 if succeeded, 0 if not. */ static inline int qc_try_rm_hp(struct quic_rx_packet *pkt, unsigned char **buf, unsigned char *beg, const unsigned char *end, struct quic_conn *qc, struct quic_enc_level **el, struct ssl_sock_ctx *ctx) { unsigned char *pn = NULL; /* Packet number field */ struct quic_enc_level *qel; /* Only for traces. */ struct quic_rx_packet *qpkt_trace; qpkt_trace = NULL; TRACE_ENTER(QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL); /* The packet number is here. This is also the start minus * QUIC_PACKET_PN_MAXLEN of the sample used to add/remove the header * protection. */ pn = *buf; if (qc_pkt_may_rm_hp(pkt, qc, ctx, &qel)) { /* Note that the following function enables us to unprotect the packet * number and its length subsequently used to decrypt the entire * packets. */ if (!qc_do_rm_hp(pkt, &qel->tls_ctx, qel->pktns->rx.largest_pn, pn, beg, end, ctx)) { TRACE_PROTO("hp error", QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL); goto err; } /* The AAD includes the packet number field found at . */ pkt->aad_len = pn - beg + pkt->pnl; qpkt_trace = pkt; } else if (qel) { if (qel->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_DCD) { /* If the packet number space has been discarded, this packet * will be not parsed. */ TRACE_PROTO("Discarded pktns", QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL, pkt); goto out; } TRACE_PROTO("hp not removed", QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL, pkt); pkt->pn_offset = pn - beg; MT_LIST_APPEND(&qel->rx.pqpkts, &pkt->list); quic_rx_packet_refinc(pkt); } else { TRACE_PROTO("Unknown packet type", QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL); goto err; } *el = qel; /* No reference counter incrementation here!!! */ LIST_APPEND(&qc->rx.pkt_list, &pkt->qc_rx_pkt_list); memcpy(b_tail(&qc->rx.buf), beg, pkt->len); pkt->data = (unsigned char *)b_tail(&qc->rx.buf); b_add(&qc->rx.buf, pkt->len); out: /* Updtate the offset of <*buf> for the next QUIC packet. */ *buf = beg + pkt->len; TRACE_LEAVE(QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL, qpkt_trace); return 1; err: TRACE_DEVEL("leaving in error", QUIC_EV_CONN_TRMHP, ctx ? ctx->conn : NULL, qpkt_trace); return 0; } /* Parse the header form from first byte of pacekt to set type. * Also set <*long_header> to 1 if this form is long, 0 if not. */ static inline void qc_parse_hd_form(struct quic_rx_packet *pkt, unsigned char byte0, int *long_header) { if (byte0 & QUIC_PACKET_LONG_HEADER_BIT) { pkt->type = (byte0 >> QUIC_PACKET_TYPE_SHIFT) & QUIC_PACKET_TYPE_BITMASK; *long_header = 1; } else { pkt->type = QUIC_PACKET_TYPE_SHORT; *long_header = 0; } } __attribute__((unused)) static ssize_t qc_srv_pkt_rcv(unsigned char **buf, const unsigned char *end, struct quic_rx_packet *pkt, struct quic_dgram_ctx *dgram_ctx, struct sockaddr_storage *saddr) { unsigned char *beg; uint64_t len; struct quic_conn *qc; struct eb_root *cids; struct ebmb_node *node; struct connection *srv_conn; struct ssl_sock_ctx *conn_ctx; int long_header; size_t b_cspace; struct quic_enc_level *qel; qc = NULL; TRACE_ENTER(QUIC_EV_CONN_SPKT); if (end <= *buf) goto err; /* Fixed bit */ if (!(**buf & QUIC_PACKET_FIXED_BIT)) /* XXX TO BE DISCARDED */ goto err; srv_conn = dgram_ctx->owner; beg = *buf; /* Header form */ qc_parse_hd_form(pkt, *(*buf)++, &long_header); if (long_header) { size_t cid_lookup_len; if (!quic_packet_read_long_header(buf, end, pkt)) goto err; /* For Initial packets, and for servers (QUIC clients connections), * there is no Initial connection IDs storage. */ if (pkt->type == QUIC_PACKET_TYPE_INITIAL) { cids = &((struct server *)__objt_server(srv_conn->target))->cids; cid_lookup_len = pkt->dcid.len; } else { cids = &((struct server *)__objt_server(srv_conn->target))->cids; cid_lookup_len = QUIC_CID_LEN; } node = ebmb_lookup(cids, pkt->dcid.data, cid_lookup_len); if (!node) goto err; qc = ebmb_entry(node, struct quic_conn, scid_node); if (pkt->type == QUIC_PACKET_TYPE_INITIAL) { qc->dcid.len = pkt->scid.len; if (pkt->scid.len) memcpy(qc->dcid.data, pkt->scid.data, pkt->scid.len); } if (pkt->type == QUIC_PACKET_TYPE_INITIAL) { uint64_t token_len; if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) || end - *buf < token_len) goto err; /* XXX TO DO XXX 0 value means "the token is not present". * A server which sends an Initial packet must not set the token. * So, a client which receives an Initial packet with a token * MUST discard the packet or generate a connection error with * PROTOCOL_VIOLATION as type. * The token must be provided in a Retry packet or NEW_TOKEN frame. */ pkt->token_len = token_len; } } else { /* XXX TO DO: Short header XXX */ if (end - *buf < QUIC_CID_LEN) goto err; cids = &((struct server *)__objt_server(srv_conn->target))->cids; node = ebmb_lookup(cids, *buf, QUIC_CID_LEN); if (!node) goto err; qc = ebmb_entry(node, struct quic_conn, scid_node); *buf += QUIC_CID_LEN; } /* Store the DCID used for this packet to check the packet which * come in this UDP datagram match with it. */ if (!dgram_ctx->dcid_node) dgram_ctx->dcid_node = node; /* Only packets packets with long headers and not RETRY or VERSION as type * have a length field. */ if (long_header && pkt->type != QUIC_PACKET_TYPE_RETRY && pkt->version) { if (!quic_dec_int(&len, (const unsigned char **)buf, end) || end - *buf < len) goto err; pkt->len = len; } else if (!long_header) { /* A short packet is the last one of an UDP datagram. */ pkt->len = end - *buf; } conn_ctx = qc->conn->xprt_ctx; /* Increase the total length of this packet by the header length. */ pkt->len += *buf - beg; /* Do not check the DCID node before the length. */ if (dgram_ctx->dcid_node != node) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_SPKT, qc->conn); goto err; } HA_RWLOCK_WRLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); b_cspace = b_contig_space(&qc->rx.buf); if (b_cspace < pkt->len) { /* Let us consume the remaining contiguous space. */ b_add(&qc->rx.buf, b_cspace); if (b_contig_space(&qc->rx.buf) < pkt->len) { HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); TRACE_PROTO("Too big packet", QUIC_EV_CONN_SPKT, qc->conn, pkt, &pkt->len); goto err; } } if (!qc_try_rm_hp(pkt, buf, beg, end, qc, &qel, conn_ctx)) { HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); TRACE_PROTO("Packet dropped", QUIC_EV_CONN_SPKT, qc->conn); goto err; } HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); if (pkt->aad_len) qc_pkt_insert(pkt, qel); /* Wake the tasklet of the QUIC connection packet handler. */ if (conn_ctx) tasklet_wakeup(conn_ctx->wait_event.tasklet); TRACE_LEAVE(QUIC_EV_CONN_SPKT, qc->conn); return pkt->len; err: TRACE_DEVEL("Leaing in error", QUIC_EV_CONN_SPKT, qc ? qc->conn : NULL); return -1; } static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end, struct quic_rx_packet *pkt, struct quic_dgram_ctx *dgram_ctx, struct sockaddr_storage *saddr) { unsigned char *beg; struct quic_conn *qc; struct eb_root *cids; struct ebmb_node *node; struct listener *l; struct ssl_sock_ctx *conn_ctx; int long_header = 0; size_t b_cspace; struct quic_enc_level *qel; qc = NULL; conn_ctx = NULL; TRACE_ENTER(QUIC_EV_CONN_LPKT, NULL, pkt); if (end <= *buf) goto err; /* Fixed bit */ if (!(**buf & QUIC_PACKET_FIXED_BIT)) { /* XXX TO BE DISCARDED */ TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } l = dgram_ctx->owner; beg = *buf; /* Header form */ qc_parse_hd_form(pkt, *(*buf)++, &long_header); if (long_header) { unsigned char dcid_len; if (!quic_packet_read_long_header(buf, end, pkt)) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } dcid_len = pkt->dcid.len; /* For Initial packets, and for servers (QUIC clients connections), * there is no Initial connection IDs storage. */ if (pkt->type == QUIC_PACKET_TYPE_INITIAL) { uint64_t token_len; /* DCIDs of first packets coming from clients may have the same values. * Let's distinguish them concatenating the socket addresses to the DCIDs. */ quic_cid_saddr_cat(&pkt->dcid, saddr); cids = &l->rx.odcids; if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) || end - *buf < token_len) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } /* XXX TO DO XXX 0 value means "the token is not present". * A server which sends an Initial packet must not set the token. * So, a client which receives an Initial packet with a token * MUST discard the packet or generate a connection error with * PROTOCOL_VIOLATION as type. * The token must be provided in a Retry packet or NEW_TOKEN frame. */ pkt->token_len = token_len; } else { if (pkt->dcid.len != QUIC_CID_LEN) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } cids = &l->rx.cids; } /* Only packets packets with long headers and not RETRY or VERSION as type * have a length field. */ if (pkt->type != QUIC_PACKET_TYPE_RETRY && pkt->version) { uint64_t len; if (!quic_dec_int(&len, (const unsigned char **)buf, end) || end - *buf < len) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } pkt->len = len; } HA_RWLOCK_RDLOCK(OTHER_LOCK, &l->rx.cids_lock); node = ebmb_lookup(cids, pkt->dcid.data, pkt->dcid.len); if (!node && pkt->type == QUIC_PACKET_TYPE_INITIAL && dcid_len == QUIC_CID_LEN && cids == &l->rx.odcids) { /* Switch to the definitive tree ->cids containing the final CIDs. */ node = ebmb_lookup(&l->rx.cids, pkt->dcid.data, dcid_len); if (node) { /* If found, signal this with NULL as special value for . */ pkt->dcid.len = dcid_len; cids = NULL; } } HA_RWLOCK_RDUNLOCK(OTHER_LOCK, &l->rx.cids_lock); if (!node) { int ipv4; struct quic_cid *odcid; struct ebmb_node *n = NULL; const unsigned char *salt = initial_salt_v1; size_t salt_len = sizeof initial_salt_v1; if (pkt->type != QUIC_PACKET_TYPE_INITIAL) { TRACE_PROTO("Non Initiial packet", QUIC_EV_CONN_LPKT); goto err; } pkt->saddr = *saddr; /* Note that here, odcid_len equals to pkt->dcid.len minus the length * of . */ pkt->odcid_len = dcid_len; ipv4 = saddr->ss_family == AF_INET; qc = qc_new_conn(pkt->version, ipv4, pkt->dcid.data, pkt->dcid.len, pkt->scid.data, pkt->scid.len, 1, l); if (qc == NULL) goto err; odcid = &qc->rx.params.original_destination_connection_id; /* Copy the transport parameters. */ qc->rx.params = l->bind_conf->quic_params; /* Copy original_destination_connection_id transport parameter. */ memcpy(odcid->data, &pkt->dcid, pkt->odcid_len); odcid->len = pkt->odcid_len; /* Copy the initial source connection ID. */ quic_cid_cpy(&qc->rx.params.initial_source_connection_id, &qc->scid); qc->enc_params_len = quic_transport_params_encode(qc->enc_params, qc->enc_params + sizeof qc->enc_params, &qc->rx.params, 1); if (!qc->enc_params_len) goto err; /* NOTE: the socket address has been concatenated to the destination ID * chosen by the client for Initial packets. */ if (pkt->version == QUIC_PROTOCOL_VERSION_DRAFT_29) { salt = initial_salt_draft_29; salt_len = sizeof initial_salt_draft_29; } if (!qc_new_isecs(qc, salt, salt_len, pkt->dcid.data, pkt->odcid_len, 1)) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn); goto err; } pkt->qc = qc; /* This is the DCID node sent in this packet by the client. */ node = &qc->odcid_node; /* Enqueue this packet. */ MT_LIST_APPEND(&l->rx.pkts, &pkt->rx_list); /* Try to accept a new connection. */ listener_accept(l); HA_RWLOCK_WRLOCK(OTHER_LOCK, &l->rx.cids_lock); /* Insert the DCID the QUIC client has chosen (only for listeners) */ ebmb_insert(&l->rx.odcids, &qc->odcid_node, qc->odcid.len); /* Insert our SCID, the connection ID for the QUIC client. */ n = ebmb_insert(&l->rx.cids, &qc->scid_node, qc->scid.len); HA_RWLOCK_WRUNLOCK(OTHER_LOCK, &l->rx.cids_lock); if (n != &qc->scid_node) { quic_conn_free(qc); qc = ebmb_entry(n, struct quic_conn, scid_node); } } else { if (pkt->type == QUIC_PACKET_TYPE_INITIAL && cids == &l->rx.odcids) qc = ebmb_entry(node, struct quic_conn, odcid_node); else qc = ebmb_entry(node, struct quic_conn, scid_node); conn_ctx = qc->conn->xprt_ctx; } } else { if (end - *buf < QUIC_CID_LEN) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } cids = &l->rx.cids; node = ebmb_lookup(cids, *buf, QUIC_CID_LEN); if (!node) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT); goto err; } qc = ebmb_entry(node, struct quic_conn, scid_node); conn_ctx = qc->conn->xprt_ctx; *buf += QUIC_CID_LEN; /* A short packet is the last one of an UDP datagram. */ pkt->len = end - *buf; } pkt->qc = qc; /* Store the DCID used for this packet to check the packet which * come in this UDP datagram match with it. */ if (!dgram_ctx->dcid_node) { dgram_ctx->dcid_node = node; dgram_ctx->qc = qc; } /* Increase the total length of this packet by the header length. */ pkt->raw_len = pkt->len += *buf - beg; /* Do not check the DCID node before the length. */ if (dgram_ctx->dcid_node != node) { TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn); goto err; } HA_RWLOCK_WRLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); b_cspace = b_contig_space(&qc->rx.buf); if (b_cspace < pkt->len) { /* Let us consume the remaining contiguous space. */ b_add(&qc->rx.buf, b_cspace); if (b_contig_space(&qc->rx.buf) < pkt->len) { HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); TRACE_PROTO("Too big packet", QUIC_EV_CONN_LPKT, qc->conn, pkt, &pkt->len); goto err; } } if (!qc_try_rm_hp(pkt, buf, beg, end, qc, &qel, conn_ctx)) { HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn); goto err; } HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qc->rx.buf_rwlock); TRACE_PROTO("New packet", QUIC_EV_CONN_LPKT, qc->conn, pkt); if (pkt->aad_len) qc_pkt_insert(pkt, qel); /* Wake up the connection packet handler task from here only if all * the contexts have been initialized, especially the mux context * conn_ctx->conn->ctx. Note that this is ->start xprt callback which * will start it if these contexts for the connection are not already * initialized. */ if (conn_ctx && HA_ATOMIC_LOAD(&conn_ctx->conn->ctx)) tasklet_wakeup(conn_ctx->wait_event.tasklet); TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc->conn, pkt); return pkt->len; err: TRACE_DEVEL("Leaving in error", QUIC_EV_CONN_LPKT, qc ? qc->conn : NULL, pkt); return -1; } /* This function builds into buffer a QUIC long packet header whose size may be computed * in advance. This is the reponsability of the caller to check there is enough room in this * buffer to build a long header. * Returns 0 if QUIC packet type is not supported by long header, or 1 if succeeded. */ static int quic_build_packet_long_header(unsigned char **buf, const unsigned char *end, int type, size_t pn_len, struct quic_conn *conn) { if (type > QUIC_PACKET_TYPE_RETRY) return 0; /* #0 byte flags */ *(*buf)++ = QUIC_PACKET_FIXED_BIT | QUIC_PACKET_LONG_HEADER_BIT | (type << QUIC_PACKET_TYPE_SHIFT) | (pn_len - 1); /* Version */ quic_write_uint32(buf, end, conn->version); *(*buf)++ = conn->dcid.len; /* Destination connection ID */ if (conn->dcid.len) { memcpy(*buf, conn->dcid.data, conn->dcid.len); *buf += conn->dcid.len; } /* Source connection ID */ *(*buf)++ = conn->scid.len; if (conn->scid.len) { memcpy(*buf, conn->scid.data, conn->scid.len); *buf += conn->scid.len; } return 1; } /* This function builds into buffer a QUIC long packet header whose size may be computed * in advance. This is the reponsability of the caller to check there is enough room in this * buffer to build a long header. * Returns 0 if QUIC packet type is not supported by long header, or 1 if succeeded. */ static int quic_build_packet_short_header(unsigned char **buf, const unsigned char *end, size_t pn_len, struct quic_conn *conn) { /* #0 byte flags */ *(*buf)++ = QUIC_PACKET_FIXED_BIT | (pn_len - 1); /* Destination connection ID */ if (conn->dcid.len) { memcpy(*buf, conn->dcid.data, conn->dcid.len); *buf += conn->dcid.len; } return 1; } /* Apply QUIC header protection to the packet with as first byte address, * as address of the Packet number field, being this field length * with as AEAD cipher and as secret key. * Returns 1 if succeeded or 0 if failed. */ static int quic_apply_header_protection(unsigned char *buf, unsigned char *pn, size_t pnlen, const EVP_CIPHER *aead, const unsigned char *key) { int i, ret, outlen; EVP_CIPHER_CTX *ctx; /* We need an IV of at least 5 bytes: one byte for bytes #0 * and at most 4 bytes for the packet number */ unsigned char mask[5] = {0}; ret = 0; ctx = EVP_CIPHER_CTX_new(); if (!ctx) return 0; if (!EVP_EncryptInit_ex(ctx, aead, NULL, key, pn + QUIC_PACKET_PN_MAXLEN) || !EVP_EncryptUpdate(ctx, mask, &outlen, mask, sizeof mask) || !EVP_EncryptFinal_ex(ctx, mask, &outlen)) goto out; *buf ^= mask[0] & (*buf & QUIC_PACKET_LONG_HEADER_BIT ? 0xf : 0x1f); for (i = 0; i < pnlen; i++) pn[i] ^= mask[i + 1]; ret = 1; out: EVP_CIPHER_CTX_free(ctx); return ret; } /* Reduce the encoded size of ACK frame removing the last * ACK ranges if needed to a value below in bytes. * Return 1 if succeeded, 0 if not. */ static int quic_ack_frm_reduce_sz(struct quic_frame *ack_frm, size_t limit) { size_t room, ack_delay_sz; ack_delay_sz = quic_int_getsize(ack_frm->tx_ack.ack_delay); /* A frame is made of 1 byte for the frame type. */ room = limit - ack_delay_sz - 1; if (!quic_rm_last_ack_ranges(ack_frm->tx_ack.arngs, room)) return 0; return 1 + ack_delay_sz + ack_frm->tx_ack.arngs->enc_sz; } /* Prepare as most as possible CRYPTO or STREAM frames from their prebuilt frames * for encryption level to be encoded in a buffer with as available room, * and <*len> the packet Length field initialized with the number of bytes already present * in this buffer which must be taken into an account for the Length packet field value. * is the number of bytes already present in this packet before building frames. * * Update consequently <*len> to reflect the size of these frames built * by this function. Also attach these frames to QUIC packet. * Return 1 if succeeded, 0 if not. */ static inline int qc_build_frms(struct quic_tx_packet *pkt, size_t room, size_t *len, size_t headlen, struct quic_enc_level *qel, struct quic_conn *conn) { int ret; struct quic_frame *cf; struct mt_list *tmp1, tmp2; size_t remain = quic_path_prep_data(conn->path); ret = 0; if (*len > room || headlen > remain) return 0; /* If we are not probing we must take into an account the congestion * control window. */ if (!conn->tx.nb_pto_dgrams) room = QUIC_MIN(room, quic_path_prep_data(conn->path) - headlen); TRACE_PROTO("************** frames build (headlen)", QUIC_EV_CONN_BCFRMS, conn->conn, &headlen); mt_list_for_each_entry_safe(cf, &qel->pktns->tx.frms, mt_list, tmp1, tmp2) { /* header length, data length, frame length. */ size_t hlen, dlen, dlen_sz, avail_room, flen; if (!room) break; switch (cf->type) { case QUIC_FT_CRYPTO: TRACE_PROTO(" New CRYPTO frame build (room, len)", QUIC_EV_CONN_BCFRMS, conn->conn, &room, len); /* Compute the length of this CRYPTO frame header */ hlen = 1 + quic_int_getsize(cf->crypto.offset); /* Compute the data length of this CRyPTO frame. */ dlen = max_stream_data_size(room, *len + hlen, cf->crypto.len); TRACE_PROTO(" CRYPTO data length (hlen, crypto.len, dlen)", QUIC_EV_CONN_BCFRMS, conn->conn, &hlen, &cf->crypto.len, &dlen); if (!dlen) break; pkt->cdata_len += dlen; /* CRYPTO frame length. */ flen = hlen + quic_int_getsize(dlen) + dlen; TRACE_PROTO(" CRYPTO frame length (flen)", QUIC_EV_CONN_BCFRMS, conn->conn, &flen); /* Add the CRYPTO data length and its encoded length to the packet * length and the length of this length. */ *len += flen; room -= flen; if (dlen == cf->crypto.len) { /* CRYPTO data have been consumed. */ MT_LIST_DELETE_SAFE(tmp1); LIST_APPEND(&pkt->frms, &cf->list); } else { struct quic_frame *new_cf; new_cf = pool_alloc(pool_head_quic_frame); if (!new_cf) { TRACE_PROTO("No memory for new crypto frame", QUIC_EV_CONN_BCFRMS, conn->conn); return 0; } new_cf->type = QUIC_FT_CRYPTO; new_cf->crypto.len = dlen; new_cf->crypto.offset = cf->crypto.offset; new_cf->crypto.qel = qel; LIST_APPEND(&pkt->frms, &new_cf->list); /* Consume bytes of the current frame. */ cf->crypto.len -= dlen; cf->crypto.offset += dlen; } break; case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F: /* Note that these frames are accepted in short packets only without * "Length" packet field. Here, <*len> is used only to compute the * sum of the lengths of the already built frames for this packet. */ TRACE_PROTO(" New STREAM frame build (room, len)", QUIC_EV_CONN_BCFRMS, conn->conn, &room, len); /* Compute the length of this STREAM frame "header" made a all the field * excepting the variable ones. Note that +1 is for the type of this frame. */ hlen = 1 + quic_int_getsize(cf->stream.id) + ((cf->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT) ? quic_int_getsize(cf->stream.offset.key) : 0); /* Compute the data length of this STREAM frame. */ avail_room = room - hlen - *len; if ((ssize_t)avail_room <= 0) break; if (cf->type & QUIC_STREAM_FRAME_TYPE_LEN_BIT) { dlen = max_available_room(avail_room, &dlen_sz); if (dlen > cf->stream.len) { dlen = cf->stream.len; } dlen_sz = quic_int_getsize(dlen); flen = hlen + dlen_sz + dlen; } else { dlen = QUIC_MIN(avail_room, cf->stream.len); flen = hlen + dlen; } TRACE_PROTO(" STREAM data length (hlen, stream.len, dlen)", QUIC_EV_CONN_BCFRMS, conn->conn, &hlen, &cf->stream.len, &dlen); TRACE_PROTO(" STREAM frame length (flen)", QUIC_EV_CONN_BCFRMS, conn->conn, &flen); /* Add the STREAM data length and its encoded length to the packet * length and the length of this length. */ *len += flen; room -= flen; if (dlen == cf->stream.len) { /* STREAM data have been consumed. */ MT_LIST_DELETE_SAFE(tmp1); LIST_APPEND(&pkt->frms, &cf->list); } else { struct quic_frame *new_cf; new_cf = pool_zalloc(pool_head_quic_frame); if (!new_cf) { TRACE_PROTO("No memory for new STREAM frame", QUIC_EV_CONN_BCFRMS, conn->conn); return 0; } new_cf->type = cf->type; new_cf->stream.qcs = cf->stream.qcs; new_cf->stream.buf = cf->stream.buf; new_cf->stream.id = cf->stream.id; if (cf->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT) new_cf->stream.offset = cf->stream.offset; new_cf->stream.len = dlen; new_cf->type |= QUIC_STREAM_FRAME_TYPE_LEN_BIT; /* FIN bit reset */ new_cf->type &= ~QUIC_STREAM_FRAME_TYPE_FIN_BIT; new_cf->stream.data = cf->stream.data; LIST_APPEND(&pkt->frms, &new_cf->list); cf->type |= QUIC_STREAM_FRAME_TYPE_OFF_BIT; /* Consume bytes of the current frame. */ cf->stream.len -= dlen; cf->stream.offset.key += dlen; cf->stream.data += dlen; } break; default: flen = qc_frm_len(cf); BUG_ON(!flen); if (flen > room) continue; *len += flen; room -= flen; MT_LIST_DELETE_SAFE(tmp1); LIST_APPEND(&pkt->frms, &cf->list); break; } ret = 1; } return ret; } /* This function evaluates if packet may be built into a buffer with * as available room. A valid packet should at least contain a valid * header and at least a frame. * To estimate the minimal space to build a packet, we consider the worst case: - there is not enough space to build ack-eliciting frames from qel->pktns->tx.frms. This is safe to consider this because when we build a packet we first build the ACK frames, then the ack-eliciting frames from qel->pktns->tx.frms only if there is enough space for these ack-eliciting frames, finally PING and PADDING frames if needed, - we have to ensure there is enough space to build an ACK frame if required, and a PING frame, even if we do not have to probe, - we also have to verify there is enough space to build a PADDING frame if needed, especially if there is no need to send an ACK frame. * Returns 1 if the may be built, 0 if not (not enough room to build * a valid packet). */ static int qc_eval_pkt(ssize_t room, struct quic_tx_packet *pkt, int ack, int nb_pto_dgrams, struct quic_enc_level *qel, struct quic_conn *conn) { size_t minlen, token_fields_len; /* XXX FIXME XXX : ack delay not supported */ uint64_t ack_delay = 0; size_t ack_frm_len = 0; TRACE_PROTO("Available room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); /* When we do not have to probe nor send acks either, we must take into * an account the data which have already been prepared and limit * the size of this packet. We will potentially build an ack-eliciting * packet. */ if (!nb_pto_dgrams && !ack) { size_t path_room; path_room = quic_path_prep_data(conn->path); if (room > path_room) room = path_room; } if (ack) /* A frame is made of 1 byte for the frame type. */ ack_frm_len = 1 + quic_int_getsize(ack_delay) + qel->pktns->rx.arngs.enc_sz; /* XXX FIXME XXX : token not supported */ token_fields_len = pkt->type == QUIC_PACKET_TYPE_INITIAL ? 1 : 0; /* Check there is enough room to build the header followed by a token, * if present. The trailing room needed for the QUIC_TLS_TAG_LEN-bytes * encryption tag is also taken into an account. Note that we have no * knowledge of the packet number for this packet. It must be atomically * incremented each time a packet is built. But before building a packet * we must estimate if it may be built if we do not want to consume a packet * number for nothing! Note that we add 1 byte more to * to be able to build an ack-eliciting packet when probing without * ack-eliciting frames to send. In this case we need to add a 1-byte length * PING frame. */ minlen = QUIC_TLS_TAG_LEN + QUIC_PACKET_PN_MAXLEN + ack_frm_len + 1; if (pkt->type != QUIC_PACKET_TYPE_SHORT) minlen += QUIC_LONG_PACKET_MINLEN + conn->dcid.len + conn->scid.len + token_fields_len; else minlen += QUIC_SHORT_PACKET_MINLEN + conn->dcid.len; /* Consider any PADDING frame to add */ if (objt_server(conn->conn->target) && pkt->type == QUIC_PACKET_TYPE_INITIAL && minlen < QUIC_INITIAL_PACKET_MINLEN) { /* Pad too short client Initial packet */ minlen += QUIC_INITIAL_PACKET_MINLEN - minlen; } else if (!ack) { /* Consider we will have to add the longest short PADDING frame to * protect a 1-byte length packet number. */ minlen += QUIC_PACKET_PN_MAXLEN - 1; } if (room < minlen) { TRACE_PROTO("Not enoug room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); return 0; } return 1; } /* This function builds a clear packet from information (its type) * into a buffer with as position pointer and as QUIC TLS encryption * level for QUIC connection and as QUIC TLS encryption level, * filling the buffer with as much frames as possible. * The trailing QUIC_TLS_TAG_LEN bytes of this packet are not built. But they are * reserved so that to ensure there is enough room to build this AEAD TAG after * having returned from this function. * This function also updates the value of pointer to point to the packet * number field in this packet. will also have the packet number * length as value. * * Always succeeds: this is the responsibility of the caller to ensure there is * enough room to build a packet. */ static void qc_do_build_pkt(unsigned char *pos, const unsigned char *end, struct quic_tx_packet *pkt, int ack, int nb_pto_dgrams, int64_t pn, size_t *pn_len, unsigned char **buf_pn, struct quic_enc_level *qel, struct quic_conn *conn) { unsigned char *beg; size_t len, len_frms, padding_len; struct quic_frame frm = { .type = QUIC_FT_CRYPTO, }; struct quic_frame ack_frm = { .type = QUIC_FT_ACK, }; size_t ack_frm_len; int64_t largest_acked_pn; int add_ping_frm; /* Length field value with CRYPTO frames if present. */ len_frms = 0; beg = pos; /* When not probing and not acking, reduce the size of this buffer to respect * the congestion controller window. So, we do not limit the size of this * packet if we have an ACK frame to send because an ACK frame is not * ack-eliciting. This size will be limited if we have ack-eliciting * frames to send from qel->pktns->tx.frms. */ if (!nb_pto_dgrams && !ack) { size_t path_room; path_room = quic_path_prep_data(conn->path); if (end - beg > path_room) end = beg + path_room; } largest_acked_pn = HA_ATOMIC_LOAD(&qel->pktns->tx.largest_acked_pn); /* packet number length */ *pn_len = quic_packet_number_length(pn, largest_acked_pn); /* Build the header */ if (pkt->type == QUIC_PACKET_TYPE_SHORT) quic_build_packet_short_header(&pos, end, *pn_len, conn); else quic_build_packet_long_header(&pos, end, pkt->type, *pn_len, conn); /* XXX FIXME XXX Encode the token length (0) for an Initial packet. */ if (pkt->type == QUIC_PACKET_TYPE_INITIAL) *pos++ = 0; /* Ensure there is enough room for the TLS encryption tag */ end -= QUIC_TLS_TAG_LEN; /* Build an ACK frame if required. */ ack_frm_len = 0; if (ack && !eb_is_empty(&qel->pktns->rx.arngs.root)) { ack_frm.tx_ack.ack_delay = 0; ack_frm.tx_ack.arngs = &qel->pktns->rx.arngs; /* XXX BE CAREFUL XXX : here we reserved at least one byte for the * smallest frame (PING) and <*pn_len> more for the packet number. Note * that from here, we do not know if we will have to send a PING frame. * This will be decided after having computed the ack-eliciting frames * to be added to this packet. */ ack_frm_len = quic_ack_frm_reduce_sz(&ack_frm, end - 1 - *pn_len - pos); if (!ack_frm_len) { ssize_t room = end - pos; TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); BUG_ON(1); } } /* Length field value without the ack-eliciting frames. */ len = ack_frm_len + *pn_len; if (!MT_LIST_ISEMPTY(&qel->pktns->tx.frms)) { ssize_t room = end - pos; /* Initialize the length of the frames built below to . * If any frame could be successfully built by qc_build_frms(), * we will have len_frms > len. */ len_frms = len; if (!qc_build_frms(pkt, end - pos, &len_frms, pos - beg, qel, conn)) TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); } add_ping_frm = 0; padding_len = 0; if (objt_server(conn->conn->target) && pkt->type == QUIC_PACKET_TYPE_INITIAL && len < QUIC_INITIAL_PACKET_MINLEN) { len += padding_len = QUIC_INITIAL_PACKET_MINLEN - len; } else if (LIST_ISEMPTY(&pkt->frms) || len_frms == len) { if (qel->pktns->tx.pto_probe) { /* If we cannot send a frame, we send a PING frame. */ add_ping_frm = 1; len += 1; } /* If there is no frame at all to follow, add at least a PADDING frame. */ if (!ack_frm_len) len += padding_len = QUIC_PACKET_PN_MAXLEN - *pn_len; } /* Length (of the remaining data). Must not fail because, the buffer size * has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes * for the encryption tag. It must be taken into an account for the length * of this packet. */ if (len_frms) len = len_frms + QUIC_TLS_TAG_LEN; else len += QUIC_TLS_TAG_LEN; if (pkt->type != QUIC_PACKET_TYPE_SHORT) quic_enc_int(&pos, end, len); /* Packet number field address. */ *buf_pn = pos; /* Packet number encoding. */ quic_packet_number_encode(&pos, end, pn, *pn_len); if (ack_frm_len && !qc_build_frm(&pos, end, &ack_frm, pkt, conn)) { ssize_t room = end - pos; TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); BUG_ON(1); } /* Ack-eliciting frames */ if (!LIST_ISEMPTY(&pkt->frms)) { struct quic_frame *cf; list_for_each_entry(cf, &pkt->frms, list) { if (!qc_build_frm(&pos, end, cf, pkt, conn)) { ssize_t room = end - pos; TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); BUG_ON(1); } } } /* Build a PING frame if needed. */ if (add_ping_frm) { frm.type = QUIC_FT_PING; if (!qc_build_frm(&pos, end, &frm, pkt, conn)) { ssize_t room = end - pos; TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); BUG_ON(1); } } /* Build a PADDING frame if needed. */ if (padding_len) { frm.type = QUIC_FT_PADDING; frm.padding.len = padding_len; if (!qc_build_frm(&pos, end, &frm, pkt, conn)) { ssize_t room = end - pos; TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT, conn->conn, NULL, NULL, &room); BUG_ON(1); } } /* Always reset this variable as this function has no idea * if it was set. It is handle by the loss detection timer. */ qel->pktns->tx.pto_probe = 0; pkt->len = pos - beg; } static inline void quic_tx_packet_init(struct quic_tx_packet *pkt, int type) { pkt->type = type; pkt->len = 0; pkt->cdata_len = 0; pkt->in_flight_len = 0; LIST_INIT(&pkt->frms); pkt->next = NULL; pkt->refcnt = 1; } /* Free TX packet which has not already attached to any tree. */ static inline void free_quic_tx_packet(struct quic_tx_packet *pkt) { struct quic_frame *frm, *frmbak; if (!pkt) return; list_for_each_entry_safe(frm, frmbak, &pkt->frms, list) { LIST_DELETE(&frm->list); pool_free(pool_head_quic_frame, frm); } quic_tx_packet_refdec(pkt); } /* Build a packet into packet buffer with as packet * type for QUIC connection from encryption level. * Return -2 if the packet could not be allocated or encrypted for any reason, * -1 if there was not enough room to build a packet. */ static struct quic_tx_packet *qc_build_pkt(unsigned char **pos, const unsigned char *buf_end, struct quic_enc_level *qel, struct quic_conn *qc, int pkt_type, int ack, int nb_pto_dgrams, int *err) { /* The pointer to the packet number field. */ unsigned char *buf_pn; unsigned char *beg, *end, *payload; int64_t pn; size_t pn_len, payload_len, aad_len; struct quic_tls_ctx *tls_ctx; struct quic_tx_packet *pkt; TRACE_ENTER(QUIC_EV_CONN_HPKT, qc->conn, NULL, qel); *err = 0; pkt = pool_alloc(pool_head_quic_tx_packet); if (!pkt) { TRACE_DEVEL("Not enough memory for a new packet", QUIC_EV_CONN_HPKT, qc->conn); *err = -2; goto err; } quic_tx_packet_init(pkt, pkt_type); beg = *pos; pn_len = 0; buf_pn = NULL; if (!qc_eval_pkt(buf_end - beg, pkt, ack, nb_pto_dgrams, qel, qc)) { *err = -1; goto err; } /* Consume a packet number. */ pn = HA_ATOMIC_ADD_FETCH(&qel->pktns->tx.next_pn, 1); qc_do_build_pkt(*pos, buf_end, pkt, ack, nb_pto_dgrams, pn, &pn_len, &buf_pn, qel, qc); end = beg + pkt->len; payload = buf_pn + pn_len; payload_len = end - payload; aad_len = payload - beg; tls_ctx = &qel->tls_ctx; if (!quic_packet_encrypt(payload, payload_len, beg, aad_len, pn, tls_ctx, qc->conn)) { *err = -2; goto err; } end += QUIC_TLS_TAG_LEN; pkt->len += QUIC_TLS_TAG_LEN; if (!quic_apply_header_protection(beg, buf_pn, pn_len, tls_ctx->tx.hp, tls_ctx->tx.hp_key)) { TRACE_DEVEL("Could not apply the header protection", QUIC_EV_CONN_HPKT, qc->conn); *err = -2; goto err; } /* Now that a correct packet is built, let us consume <*pos> buffer. */ *pos = end; /* Attach the built packet to its tree. */ pkt->pn_node.key = pn; /* Set the packet in fligth length for in flight packet only. */ if (pkt->flags & QUIC_FL_TX_PACKET_IN_FLIGHT) { pkt->in_flight_len = pkt->len; qc->path->prep_in_flight += pkt->len; } pkt->pktns = qel->pktns; TRACE_LEAVE(QUIC_EV_CONN_HPKT, qc->conn, pkt); return pkt; err: free_quic_tx_packet(pkt); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_HPKT, qc->conn); return NULL; } /* Copy up to bytes from connection internal stream storage into buffer . * Return the number of bytes which have been copied. */ static size_t quic_conn_to_buf(struct connection *conn, void *xprt_ctx, struct buffer *buf, size_t count, int flags) { size_t try, done = 0; if (!conn_ctrl_ready(conn)) return 0; if (!fd_recv_ready(conn->handle.fd)) return 0; conn->flags &= ~CO_FL_WAIT_ROOM; /* read the largest possible block. For this, we perform only one call * to recv() unless the buffer wraps and we exactly fill the first hunk, * in which case we accept to do it once again. */ while (count > 0) { try = b_contig_space(buf); if (!try) break; if (try > count) try = count; b_add(buf, try); done += try; count -= try; } if (unlikely(conn->flags & CO_FL_WAIT_L4_CONN) && done) conn->flags &= ~CO_FL_WAIT_L4_CONN; leave: return done; read0: conn_sock_read0(conn); conn->flags &= ~CO_FL_WAIT_L4_CONN; /* Now a final check for a possible asynchronous low-level error * report. This can happen when a connection receives a reset * after a shutdown, both POLL_HUP and POLL_ERR are queued, and * we might have come from there by just checking POLL_HUP instead * of recv()'s return value 0, so we have no way to tell there was * an error without checking. */ if (unlikely(fdtab[conn->handle.fd].state & FD_POLL_ERR)) conn->flags |= CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; goto leave; } /* Send up to pending bytes from buffer to connection 's * socket. may contain some CO_SFL_* flags to hint the system about * other pending data for example, but this flag is ignored at the moment. * Only one call to send() is performed, unless the buffer wraps, in which case * a second call may be performed. The connection's flags are updated with * whatever special event is detected (error, empty). The caller is responsible * for taking care of those events and avoiding the call if inappropriate. The * function does not call the connection's polling update function, so the caller * is responsible for this. It's up to the caller to update the buffer's contents * based on the return value. */ static size_t quic_conn_from_buf(struct connection *conn, void *xprt_ctx, const struct buffer *buf, size_t count, int flags) { ssize_t ret; size_t try, done; int send_flag; if (!conn_ctrl_ready(conn)) return 0; if (!fd_send_ready(conn->handle.fd)) return 0; done = 0; /* send the largest possible block. For this we perform only one call * to send() unless the buffer wraps and we exactly fill the first hunk, * in which case we accept to do it once again. */ while (count) { try = b_contig_data(buf, done); if (try > count) try = count; send_flag = MSG_DONTWAIT | MSG_NOSIGNAL; if (try < count || flags & CO_SFL_MSG_MORE) send_flag |= MSG_MORE; ret = sendto(conn->handle.fd, b_peek(buf, done), try, send_flag, (struct sockaddr *)conn->dst, get_addr_len(conn->dst)); if (ret > 0) { count -= ret; done += ret; /* A send succeeded, so we can consider ourself connected */ conn->flags |= CO_FL_WAIT_L4L6; /* if the system buffer is full, don't insist */ if (ret < try) break; } else if (ret == 0 || errno == EAGAIN || errno == ENOTCONN || errno == EINPROGRESS) { /* nothing written, we need to poll for write first */ fd_cant_send(conn->handle.fd); break; } else if (errno != EINTR) { conn->flags |= CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; break; } } if (unlikely(conn->flags & CO_FL_WAIT_L4_CONN) && done) conn->flags &= ~CO_FL_WAIT_L4_CONN; if (done > 0) { /* we count the total bytes sent, and the send rate for 32-byte * blocks. The reason for the latter is that freq_ctr are * limited to 4GB and that it's not enough per second. */ _HA_ATOMIC_ADD(&global.out_bytes, done); update_freq_ctr(&global.out_32bps, (done + 16) / 32); } return done; } /* Called from the upper layer, to subscribe to events . The * event subscriber is not allowed to change from a previous call as long * as at least one event is still subscribed. The must only be a * combination of SUB_RETRY_RECV and SUB_RETRY_SEND. It always returns 0. */ static int quic_conn_subscribe(struct connection *conn, void *xprt_ctx, int event_type, struct wait_event *es) { struct qcc *qcc = conn->qc->qcc; BUG_ON(event_type & ~(SUB_RETRY_SEND|SUB_RETRY_RECV)); BUG_ON(qcc->subs && qcc->subs != es); es->events |= event_type; qcc->subs = es; if (event_type & SUB_RETRY_RECV) TRACE_DEVEL("subscribe(recv)", QUIC_EV_CONN_XPRTRECV, conn, qcc); if (event_type & SUB_RETRY_SEND) TRACE_DEVEL("subscribe(send)", QUIC_EV_CONN_XPRTSEND, conn, qcc); return 0; } /* Called from the upper layer, to unsubscribe from events . * The pointer is not allowed to differ from the one passed to the * subscribe() call. It always returns zero. */ static int quic_conn_unsubscribe(struct connection *conn, void *xprt_ctx, int event_type, struct wait_event *es) { return conn_unsubscribe(conn, xprt_ctx, event_type, es); } /* Try to allocate the <*ssl> SSL session object for QUIC connection * with as SSL context inherited settings. Also set the transport * parameters of this session. * This is the responsibility of the caller to check the validity of all the * pointers passed as parameter to this function. * Return 0 if succeeded, -1 if not. If failed, sets the ->err_code member of conn> to * CO_ER_SSL_NO_MEM. */ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl, unsigned char *params, size_t params_len) { int retry; retry = 1; retry: *ssl = SSL_new(ssl_ctx); if (!*ssl) { if (!retry--) goto err; pool_gc(NULL); goto retry; } if (!SSL_set_quic_method(*ssl, &ha_quic_method) || !SSL_set_ex_data(*ssl, ssl_app_data_index, qc->conn) || !SSL_set_quic_transport_params(*ssl, qc->enc_params, qc->enc_params_len)) { goto err; SSL_free(*ssl); *ssl = NULL; if (!retry--) goto err; pool_gc(NULL); goto retry; } return 0; err: qc->conn->err_code = CO_ER_SSL_NO_MEM; return -1; } /* Initialize a QUIC connection (quic_conn struct) to be attached to * connection with as address of the xprt context. * Returns 1 if succeeded, 0 if not. */ static int qc_conn_init(struct connection *conn, void **xprt_ctx) { struct ssl_sock_ctx *ctx; TRACE_ENTER(QUIC_EV_CONN_NEW, conn); if (*xprt_ctx) goto out; ctx = pool_alloc(pool_head_quic_conn_ctx); if (!ctx) { conn->err_code = CO_ER_SYS_MEMLIM; goto err; } ctx->wait_event.tasklet = tasklet_new(); if (!ctx->wait_event.tasklet) { conn->err_code = CO_ER_SYS_MEMLIM; goto err; } ctx->wait_event.tasklet->process = quic_conn_io_cb; ctx->wait_event.tasklet->context = ctx; ctx->wait_event.events = 0; ctx->conn = conn; ctx->subs = NULL; ctx->xprt_ctx = NULL; ctx->xprt = xprt_get(XPRT_QUIC); if (objt_server(conn->target)) { /* Server */ struct server *srv = __objt_server(conn->target); unsigned char dcid[QUIC_CID_LEN]; struct quic_conn *qc; int ssl_err, ipv4; ssl_err = SSL_ERROR_NONE; if (RAND_bytes(dcid, sizeof dcid) != 1) goto err; ipv4 = conn->dst->ss_family == AF_INET; qc = qc_new_conn(QUIC_PROTOCOL_VERSION_DRAFT_28, ipv4, dcid, sizeof dcid, NULL, 0, 0, srv); if (qc == NULL) goto err; /* Insert our SCID, the connection ID for the QUIC client. */ ebmb_insert(&srv->cids, &qc->scid_node, qc->scid.len); conn->qc = qc; qc->conn = conn; if (!qc_new_isecs(qc, initial_salt_v1, sizeof initial_salt_v1, dcid, sizeof dcid, 0)) goto err; qc->rx.params = srv->quic_params; /* Copy the initial source connection ID. */ quic_cid_cpy(&qc->rx.params.initial_source_connection_id, &qc->scid); qc->enc_params_len = quic_transport_params_encode(qc->enc_params, qc->enc_params + sizeof qc->enc_params, &qc->rx.params, 0); if (!qc->enc_params_len) goto err; if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, qc->enc_params, qc->enc_params_len) == -1) goto err; SSL_set_quic_transport_params(ctx->ssl, qc->enc_params, qc->enc_params_len); SSL_set_connect_state(ctx->ssl); ssl_err = SSL_do_handshake(ctx->ssl); if (ssl_err != 1) { int st; st = HA_ATOMIC_LOAD(&qc->state); ssl_err = SSL_get_error(ctx->ssl, ssl_err); if (ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE) { TRACE_PROTO("SSL handshake", QUIC_EV_CONN_HDSHK, ctx->conn, &st, &ssl_err); } else { TRACE_DEVEL("SSL handshake error", QUIC_EV_CONN_HDSHK, ctx->conn, &st, &ssl_err); goto err; } } } else if (objt_listener(conn->target)) { /* Listener */ struct bind_conf *bc = __objt_listener(conn->target)->bind_conf; struct quic_conn *qc = ctx->conn->qc; ctx->wait_event.tasklet->tid = quic_get_cid_tid(&qc->scid); if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, qc->enc_params, qc->enc_params_len) == -1) goto err; SSL_set_accept_state(ctx->ssl); } *xprt_ctx = ctx; /* Leave init state and start handshake */ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; out: TRACE_LEAVE(QUIC_EV_CONN_NEW, conn); return 0; err: if (ctx && ctx->wait_event.tasklet) tasklet_free(ctx->wait_event.tasklet); pool_free(pool_head_quic_conn_ctx, ctx); TRACE_DEVEL("leaving in error", QUIC_EV_CONN_NEW, conn); return -1; } /* Start the QUIC transport layer */ static int qc_xprt_start(struct connection *conn, void *ctx) { struct quic_conn *qc; struct ssl_sock_ctx *qctx = ctx; qc = conn->qc; if (!quic_conn_init_timer(qc)) { TRACE_PROTO("Non initialized timer", QUIC_EV_CONN_LPKT, conn); return 0; } tasklet_wakeup(qctx->wait_event.tasklet); return 1; } /* transport-layer operations for QUIC connections. */ static struct xprt_ops ssl_quic = { .close = quic_close, .snd_buf = quic_conn_from_buf, .rcv_buf = quic_conn_to_buf, .subscribe = quic_conn_subscribe, .unsubscribe = quic_conn_unsubscribe, .init = qc_conn_init, .start = qc_xprt_start, .prepare_bind_conf = ssl_sock_prepare_bind_conf, .destroy_bind_conf = ssl_sock_destroy_bind_conf, .name = "QUIC", }; __attribute__((constructor)) static void __quic_conn_init(void) { ha_quic_meth = BIO_meth_new(0x666, "ha QUIC methods"); xprt_register(XPRT_QUIC, &ssl_quic); } __attribute__((destructor)) static void __quic_conn_deinit(void) { BIO_meth_free(ha_quic_meth); } /* Read all the QUIC packets found in from QUIC connection with * as owner calling function. * Return the number of bytes read if succeeded, -1 if not. */ static ssize_t quic_dgram_read(struct buffer *buf, size_t len, void *owner, struct sockaddr_storage *saddr, qpkt_read_func *func) { unsigned char *pos; const unsigned char *end; struct quic_dgram_ctx dgram_ctx = { .dcid_node = NULL, .owner = owner, }; pos = (unsigned char *)b_head(buf); end = pos + len; do { int ret; struct quic_rx_packet *pkt; size_t pkt_len; pkt = pool_zalloc(pool_head_quic_rx_packet); if (!pkt) goto err; quic_rx_packet_refinc(pkt); ret = func(&pos, end, pkt, &dgram_ctx, saddr); pkt_len = pkt->len; quic_rx_packet_refdec(pkt); if (ret == -1 && !pkt_len) /* If the packet length could not be found, we cannot continue. */ break; } while (pos < end); /* Increasing the received bytes counter by the UDP datagram length * if this datagram could be associated to a connection. */ if (dgram_ctx.qc) dgram_ctx.qc->rx.bytes += len; return pos - (unsigned char *)buf; err: return -1; } ssize_t quic_lstnr_dgram_read(struct buffer *buf, size_t len, void *owner, struct sockaddr_storage *saddr) { return quic_dgram_read(buf, len, owner, saddr, qc_lstnr_pkt_rcv); } /* * Local variables: * c-indent-level: 8 * c-basic-offset: 8 * End: */