upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-28 04:12:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12
haproxy/src/quic_rx.c

2542 lines
79 KiB
C
Raw Permalink Normal View History

MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/*
* QUIC protocol implementation. Lower layer with internal features implemented
* here such as QUIC encryption, idle timeout, acknowledgement and
* retransmission.
*
* Copyright 2020 HAProxy Technologies, Frederic Lecaille <flecaille@haproxy.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#include <haproxy/quic_rx.h>
#include <haproxy/list.h>
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
#include <haproxy/ncbmbuf.h>
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
#include <haproxy/proto_quic.h>
#include <haproxy/quic_ack.h>
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
#include <haproxy/quic_cc_drs.h>
REORG: quic: Add a new module to handle QUIC connection IDs Move quic_cid and quic_connnection_id from quic_conn-t.h to new quic_cid-t.h header. Move defintions of quic_stateless_reset_token_init(), quic_derive_cid(), new_quic_cid(), quic_get_cid_tid() and retrieve_qc_conn_from_cid() to quic_cid.c new C file.
2023-11-23 13:21:03 -05:00
#include <haproxy/quic_cid.h>
REORG: quic: Add a new module for retransmissions Move several functions in relation with the retransmissions from TX part (quic_tx.c) to quic_retransmit.c new C file.
2023-11-28 08:27:33 -05:00
#include <haproxy/quic_retransmit.h>
REORG: quic: Add a new module for QUIC retry Add quic_retry.c new C file for the QUIC retry feature: quic_saddr_cpy() moved from quic_tx.c, quic_generate_retry_token_aad() moved from quic_generate_retry_token() moved from parse_retry_token() moved from quic_retry_token_check() moved from quic_retry_token_check() moved from
2023-11-28 05:25:04 -05:00
#include <haproxy/quic_retry.h>
MEDIUM: quic: implement quic-initial rules Implement a new set of rules labelled as quic-initial. These rules as specific to QUIC. They are scheduled to be executed early on Initial packet parsing, prior a new QUIC connection instantiation. Contrary to tcp-request connection, this allows to reject traffic earlier, most notably by avoiding unnecessary QUIC SSL handshake processing. A new module quic_rules is created. Its main function quic_init_exec_rules() is called on Initial packet parsing in function quic_rx_pkt_retrieve_conn(). For the moment, only "accept" and "dgram-drop" are valid actions. Both are final. The latter drops silently the Initial packet instead of allocating a new QUIC connection.
2024-07-18 12:25:43 -04:00
#include <haproxy/quic_rules.h>
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
#include <haproxy/quic_sock.h>
CLEANUP: quic-stats: include counters from quic_stats There's something a bit awkward in the way stats counters are inherited through the QUIC modules: quic_conn-t includes quic_stats-t.h, which declares quic_stats_module as extern from a type that's not known from this file. And anyway externs should not be exported from type defintions since they're not part of the ABI itself. This commit moves the declaration to quic_stats.h which now takes care to include stats-t.h to get the definition of struct stats_module. The few users who used to learn it through quic_conn-t.h now include it explicitly. As a bonus this reduces the number of preprocessed lines by 5000 (~0.1%). By the way, it looks like struct stats_module could benefit from being moved off stats-t.h since it's only used at places where the rest of the stats is not needed. Maybe something to consider for a future cleanup.
2026-02-24 12:50:30 -05:00
#include <haproxy/quic_stats.h>
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
#include <haproxy/quic_stream.h>
#include <haproxy/quic_ssl.h>
#include <haproxy/quic_tls.h>
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
#include <haproxy/quic_token.h>
REORG: quic: cleanup traces definition Move all QUIC trace definitions from quic_conn.h to quic_trace-t.h. Also remove multiple definition trace_quic macro definition into quic_trace.h. This forces all QUIC source files who relies on trace to include it while reducing the size of quic_conn.h.
2023-10-06 11:39:00 -04:00
#include <haproxy/quic_trace.h>
MINOR: quic: split congestion controler options for FE/BE usage Various settings can be configured related to QUIC congestion controler. This patch duplicates them to be able to set independent values on frontend and backend sides. As with previous patch, option are renamed to use "fe/be" unified prefixes. This is part of the current serie of commits which unify QUIC settings. Older options are deprecated and will be removed on 3.5 release.
2025-07-31 11:15:51 -04:00
#include <haproxy/quic_tune.h>
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
#include <haproxy/quic_tx.h>
MINOR: quic: move function to check stream type in utils Move general function to check if a stream is uni or bidirectional from QUIC MUX to quic_utils module. This should prevent unnecessary include of QUIC MUX header file in other sources.
2025-05-21 04:51:39 -04:00
#include <haproxy/quic_utils.h>
MEDIUM: quic: count quic_conn for global sslconns Similar to the previous commit which check for maxconn before allocating a QUIC connection, this patch checks for maxsslconn at the same step. This is necessary as a QUIC connection cannot run without a SSL context. This should be backported up to 2.6. It relies on the following patch : "BUG/MINOR: ssl: use a thread-safe sslconns increment"
2023-10-25 09:38:50 -04:00
#include <haproxy/ssl_sock.h>
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
#include <haproxy/trace.h>
DECLARE_POOL(pool_head_quic_conn_rxbuf, "quic_conn_rxbuf", QUIC_CONN_RX_BUFSZ);
MEDIUM: tree-wide: replace most DECLARE_POOL with DECLARE_TYPED_POOL This will make the pools size and alignment automatically inherit the type declaration. It was done like this: sed -i -e 's:DECLARE_POOL(\([^,]*,[^,]*,\s*\)sizeof(\([^)]*\))):DECLARE_TYPED_POOL(\1\2):g' $(git grep -lw DECLARE_POOL src addons) sed -i -e 's:DECLARE_STATIC_POOL(\([^,]*,[^,]*,\s*\)sizeof(\([^)]*\))):DECLARE_STATIC_TYPED_POOL(\1\2):g' $(git grep -lw DECLARE_STATIC_POOL src addons) 81 replacements were made. The only remaining ones are those which set their own size without depending on a structure. The few ones with an extra size were manually handled. It also means that the requested alignments are now checked against the type's. Given that none is specified for now, no issue is reported. It was verified with "show pools detailed" that the definitions are exactly the same, and that the binaries are similar.
2025-08-06 10:43:27 -04:00
DECLARE_TYPED_POOL(pool_head_quic_rx_packet, "quic_rx_packet", struct quic_rx_packet);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Decode an expected packet number from <truncated_on> its truncated value,
* depending on <largest_pn> the largest received packet number, and <pn_nbits>
* the number of bits used to encode this packet number (its length in bytes * 8).
* See https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#packet-encoding
*/
static uint64_t decode_packet_number(uint64_t largest_pn,
uint32_t truncated_pn, unsigned int pn_nbits)
{
uint64_t expected_pn = largest_pn + 1;
uint64_t pn_win = (uint64_t)1 << pn_nbits;
uint64_t pn_hwin = pn_win / 2;
uint64_t pn_mask = pn_win - 1;
uint64_t candidate_pn;
candidate_pn = (expected_pn & ~pn_mask) | truncated_pn;
/* Note that <pn_win> > <pn_hwin>. */
if (candidate_pn < QUIC_MAX_PACKET_NUM - pn_win &&
candidate_pn + pn_hwin <= expected_pn)
return candidate_pn + pn_win;
if (candidate_pn > expected_pn + pn_hwin && candidate_pn >= pn_win)
return candidate_pn - pn_win;
return candidate_pn;
}
/* Remove the header protection of <pkt> QUIC packet using <tls_ctx> as QUIC TLS
* cryptographic context.
* <largest_pn> is the largest received packet number and <pn> the address of
* the packet number field for this packet with <byte0> address of its first byte.
* <end> points to one byte past the end of this packet.
* Returns 1 if succeeded, 0 if not.
*/
static int qc_do_rm_hp(struct quic_conn *qc,
struct quic_rx_packet *pkt, struct quic_tls_ctx *tls_ctx,
int64_t largest_pn, unsigned char *pn, unsigned char *byte0)
{
int ret, i, pnlen;
uint64_t packet_number;
uint32_t truncated_pn = 0;
unsigned char mask[5] = {0};
unsigned char *sample;
TRACE_ENTER(QUIC_EV_CONN_RMHP, qc);
ret = 0;
/* Check there is enough data in this packet. */
if (pkt->len - (pn - byte0) < QUIC_PACKET_PN_MAXLEN + sizeof mask) {
TRACE_PROTO("too short packet", QUIC_EV_CONN_RMHP, qc, pkt);
goto leave;
}
sample = pn + QUIC_PACKET_PN_MAXLEN;
MEDIUM: quic: add key argument to header protection crypto functions In order to prepare the code for using Chacha20 with the EVP_AEAD API, both quic_tls_hp_decrypt() and quic_tls_hp_encrypt() need an extra key argument. Indeed Chacha20 does not exists as an EVP_CIPHER in AWS-LC, so the key won't be embedded into the EVP_CIPHER_CTX, so we need an extra parameter to use it.
2024-07-25 04:33:29 -04:00
if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx, tls_ctx->rx.hp_key)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("HP removing failed", QUIC_EV_CONN_RMHP, qc, pkt);
goto leave;
}
*byte0 ^= mask[0] & (*byte0 & QUIC_PACKET_LONG_HEADER_BIT ? 0xf : 0x1f);
pnlen = (*byte0 & QUIC_PACKET_PNL_BITMASK) + 1;
for (i = 0; i < pnlen; i++) {
pn[i] ^= mask[i + 1];
truncated_pn = (truncated_pn << 8) | pn[i];
}
packet_number = decode_packet_number(largest_pn, truncated_pn, pnlen * 8);
/* Store remaining information for this unprotected header */
pkt->pn = packet_number;
pkt->pnl = pnlen;
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_RMHP, qc);
return ret;
}
/* Decrypt <pkt> packet using encryption level <qel> for <qc> connection.
* Decryption is done in place in packet buffer.
*
* Returns 1 on success else 0.
*/
static int qc_pkt_decrypt(struct quic_conn *qc, struct quic_enc_level *qel,
struct quic_rx_packet *pkt)
{
int ret, kp_changed;
unsigned char iv[QUIC_TLS_IV_LEN];
struct quic_tls_ctx *tls_ctx =
qc_select_tls_ctx(qc, qel, pkt->type, pkt->version);
MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD The QUIC crypto is using the EVP_CIPHER API in order to achieve authenticated encryption, this was the API which was used with OpenSSL. With libraries that inspires from BoringSSL (libreSSL and AWS-LC), the AEAD algorithms are implemented using the EVP_AEAD API. This patch converts the call to the EVP_CIPHER API when called in the contex of AEAD cryptography for QUIC. The patch defines some QUIC_AEAD macros that can be either EVP_CIPHER or EVP_AEAD depending on the library. This was mainly done for AWS-LC but this could be useful for other libraries. This should finally allow to use CHACHA20_POLY1305 with AWS-LC. This patch allows to use the following ciphers with the EVP_AEAD API: - TLS1_3_CK_AES_128_GCM_SHA256 - TLS1_3_CK_AES_256_GCM_SHA384 AWS-LC does not implement TLS1_3_CK_AES_128_CCM_SHA256 and TLS1_3_CK_CHACHA20_POLY1305_SHA256 requires some hack for headers protection which will come in another patch.
2024-07-10 04:28:27 -04:00
QUIC_AEAD_CTX *rx_ctx = tls_ctx->rx.ctx;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
unsigned char *rx_iv = tls_ctx->rx.iv;
size_t rx_iv_sz = tls_ctx->rx.ivlen;
unsigned char *rx_key = tls_ctx->rx.key;
TRACE_ENTER(QUIC_EV_CONN_RXPKT, qc);
ret = 0;
kp_changed = 0;
if (pkt->type == QUIC_PACKET_TYPE_SHORT) {
/* The two tested bits are not at the same position,
* this is why they are first both inversed.
*/
if (!(*pkt->data & QUIC_PACKET_KEY_PHASE_BIT) ^ !(tls_ctx->flags & QUIC_FL_TLS_KP_BIT_SET)) {
if (pkt->pn < tls_ctx->rx.pn) {
/* The lowest packet number of a previous key phase
* cannot be null if it really stores previous key phase
* secrets.
*/
// TODO: check if BUG_ON() more suitable
if (!qc->ku.prv_rx.pn) {
TRACE_ERROR("null previous packet number", QUIC_EV_CONN_RXPKT, qc);
goto leave;
}
rx_ctx = qc->ku.prv_rx.ctx;
rx_iv = qc->ku.prv_rx.iv;
rx_key = qc->ku.prv_rx.key;
}
else if (pkt->pn > qel->pktns->rx.largest_pn) {
/* Next key phase */
TRACE_PROTO("Key phase changed", QUIC_EV_CONN_RXPKT, qc);
kp_changed = 1;
rx_ctx = qc->ku.nxt_rx.ctx;
rx_iv = qc->ku.nxt_rx.iv;
rx_key = qc->ku.nxt_rx.key;
}
}
}
quic_aead_iv_build(iv, sizeof iv, rx_iv, rx_iv_sz, pkt->pn);
ret = quic_tls_decrypt(pkt->data + pkt->aad_len, pkt->len - pkt->aad_len,
pkt->data, pkt->aad_len,
rx_ctx, tls_ctx->rx.aead, rx_key, iv);
if (!ret) {
TRACE_ERROR("quic_tls_decrypt() failed", QUIC_EV_CONN_RXPKT, qc);
goto leave;
}
/* Update the keys only if the packet decryption succeeded. */
if (kp_changed) {
quic_tls_rotate_keys(qc);
/* Toggle the Key Phase bit */
tls_ctx->flags ^= QUIC_FL_TLS_KP_BIT_SET;
/* Store the lowest packet number received for the current key phase */
tls_ctx->rx.pn = pkt->pn;
/* Prepare the next key update */
if (!quic_tls_key_update(qc)) {
TRACE_ERROR("quic_tls_key_update() failed", QUIC_EV_CONN_RXPKT, qc);
goto leave;
}
}
/* Update the packet length (required to parse the frames). */
pkt->len -= QUIC_TLS_TAG_LEN;
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_RXPKT, qc);
return ret;
}
REORG: quic: Rename some functions used upon ACK receipt Rename some functions to reflect more their jobs. Move qc_release_lost_pkts() to quic_loss.c
2023-11-27 10:25:53 -05:00
/* Handle <frm> frame whose packet it is attached to has just been acknowledged. The memory allocated
* for this frame will be at least released in every cases.
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
*
CLEANUP: assorted typo fixes in the code and comments code, comments and doc actually.
2025-04-01 16:44:54 -04:00
* Returns 1 on success else 0.
REORG: quic: Rename some functions used upon ACK receipt Rename some functions to reflect more their jobs. Move qc_release_lost_pkts() to quic_loss.c
2023-11-27 10:25:53 -05:00
*/
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
static int qc_handle_newly_acked_frm(struct quic_conn *qc, struct quic_frame *frm)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
int ret = 0;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
TRACE_PROTO("RX ack TX frm", QUIC_EV_CONN_PRSAFRM, qc, frm);
switch (frm->type) {
case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F:
{
struct qf_stream *strm_frm = &frm->stream;
struct eb64_node *node = NULL;
struct qc_stream_desc *stream = NULL;
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
int ack;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* do not use strm_frm->stream as the qc_stream_desc instance
* might be freed at this stage. Use the id to do a proper
* lookup.
*
* TODO if lookup operation impact on the perf is noticeable,
* implement a refcount on qc_stream_desc instances.
*/
node = eb64_lookup(&qc->streams_by_id, strm_frm->id);
if (!node) {
TRACE_DEVEL("acked stream for released stream", QUIC_EV_CONN_ACKSTRM, qc, strm_frm);
qc_release_frm(qc, frm);
BUG/MEDIUM: quic: do not consider ACK on released stream as error When an ACK is received by haproxy, a lookup is performed to retrieve the related emitted frames. For STREAM type frames, a lookup is performed under quic_conn stream_desc tree. Indeed, the corresponding stream instance could be already released if multiple ACK were received refering to the same stream offset, which can happen notably if retransmission occured. qc_handle_newly_acked_frm() implements this logic. If the case with an already released stream is encounted, an error is returned. In the end, this error is propagated via qc_parse_pkt_frms() into qc_treat_rx_pkts(), despite being in fact a perfectly valid case. Fix this by adjusting ACK handling function to return a success value for the particular case of released stream instead. The impact of this bug is unknown, but it can have several consequences. * if the packet with the ACK contains other frames after it, their content will be skipped * the packet won't be acknowledged by haproxy, even if it contains other frames and is ack-eliciting. This may cause unneeded retransmission by the client. * RTT sampling information related to this ACK is ignored by haproxy Finally, it also caused the increment of the quic_conn counter dropped_parsing (droppars in "show quic" output) which should be reserved only for real error cases. This regression is present since the following patch : e7578084b0536e3e5988be7f09091c85beb8fa9d MINOR: quic: implement dedicated type for out-of-order stream ACK Before, qc_handle_newly_acked_frm() return type was always ignored. As such, no backport is needed.
2024-11-06 11:18:45 -05:00
/* return as success */
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
else {
stream = eb64_entry(node, struct qc_stream_desc, by_id);
ack = qc_stream_desc_ack(stream, strm_frm->offset,
strm_frm->len,
frm->type & QUIC_STREAM_FRAME_TYPE_FIN_BIT);
if (!ack) {
TRACE_DEVEL("stream consumed on ACK received",
QUIC_EV_CONN_ACKSTRM, qc, strm_frm, stream);
if (qc_stream_desc_done(stream)) {
BUG/MEDIUM: quic: free stream_desc on all data acked The following patch simplifies qc_stream_desc_ack(). The qc_stream_desc instance is not freed anymore, even if all data were acknowledged. As implies by the commit message, the caller is responsible to perform this cleaning operation. f4a83fbb14bdd14ed94752a2280a2f40c1b690d2 MINOR: quic: do not remove qc_stream_desc automatically on ACK handling However, despite the commit instruction, qc_stream_desc_free() invokation was not moved in the caller. This commit fixes this by adding it after stream ACK handling. This is performed only when a transfer is completed : all data is acknowledged and qc_stream_desc has been released by its MUX stream instance counterpart. This bug may cause a significant increase in memory usage when dealing with long running connection. However, there is no memory leak, as every qc_stream_desc attached to a connection are finally freed when quic_conn instance is released. This must be backported up to 3.1.
2025-05-07 11:08:42 -04:00
/* Free qc_stream_desc instance as transfer is now completed. */
qc_stream_desc_free(stream, 0);
stream = NULL;
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
TRACE_DEVEL("stream released and freed", QUIC_EV_CONN_ACKSTRM, qc);
qc_check_close_on_released_mux(qc);
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
qc_release_frm(qc, frm);
}
else if (ack > 0) {
TRACE_DEVEL("handled out-of-order stream ACK",
QUIC_EV_CONN_ACKSTRM, qc, strm_frm, stream);
qc_release_frm(qc, frm);
}
else {
/* Fatal error during qc_stream_desc_ack(). */
goto leave;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
}
break;
default:
qc_release_frm(qc, frm);
}
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
ret = 1;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
return ret;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
/* Collect newly acknowledged TX packets from <pkts> ebtree into <newly_acked_pkts>
* list depending on <largest> and <smallest> packet number of a range of acknowledged
* packets announced in an ACK frame. <largest_node> may be provided to start
* looking from this packet node.
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
*/
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
static void qc_newly_acked_pkts(struct quic_conn *qc, struct eb_root *pkts,
struct list *newly_acked_pkts,
struct eb64_node *largest_node,
uint64_t largest, uint64_t smallest)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
struct eb64_node *node;
struct quic_tx_packet *pkt;
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
node = eb64_lookup_ge(pkts, smallest);
if (!node)
goto leave;
largest_node = largest_node ? largest_node : eb64_lookup_le(pkts, largest);
if (!largest_node)
goto leave;
while (node && node->key <= largest_node->key) {
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
pkt = eb64_entry(node, struct quic_tx_packet, pn_node);
LIST_APPEND(newly_acked_pkts, &pkt->list);
node = eb64_next(node);
eb64_delete(&pkt->pn_node);
}
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
}
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
/* Handle <newly_acked_pkts> list of newly acknowledged TX packets.
*
CLEANUP: assorted typo fixes in the code and comments code, comments and doc actually.
2025-04-01 16:44:54 -04:00
* Returns 1 on success else 0.
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
*/
static int qc_handle_newly_acked_pkts(struct quic_conn *qc,
unsigned int *pkt_flags, struct list *newly_acked_pkts)
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
{
struct quic_tx_packet *pkt, *tmp;
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
int ret = 0;
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
list_for_each_entry_safe(pkt, tmp, newly_acked_pkts, list) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
struct quic_frame *frm, *frmbak;
*pkt_flags |= pkt->flags;
TRACE_DEVEL("Removing packet #", QUIC_EV_CONN_PRSAFRM, qc, NULL, &pkt->pn_node.key);
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
list_for_each_entry_safe(frm, frmbak, &pkt->frms, list) {
if (!qc_handle_newly_acked_frm(qc, frm))
goto leave;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* If there are others packet in the same datagram <pkt> is attached to,
* detach the previous one and the next one from <pkt>.
*/
quic_tx_packet_dgram_detach(pkt);
eb64_delete(&pkt->pn_node);
}
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
ret = 1;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
return ret;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
REORG: quic: Rename some functions used upon ACK receipt Rename some functions to reflect more their jobs. Move qc_release_lost_pkts() to quic_loss.c
2023-11-27 10:25:53 -05:00
/* Handle all frames sent from <pkt> packet and reinsert them in the same order
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
* they have been sent into <pktns_frm_list>. The loss counter of each frame is
* incremented and checked if it does not exceed retransmission limit.
*
* Returns 1 on success, 0 if a frame loss limit is exceeded. A
* CONNECTION_CLOSE is scheduled in this case.
*/
REORG: quic: Rename some functions used upon ACK receipt Rename some functions to reflect more their jobs. Move qc_release_lost_pkts() to quic_loss.c
2023-11-27 10:25:53 -05:00
int qc_handle_frms_of_lost_pkt(struct quic_conn *qc,
struct quic_tx_packet *pkt,
struct list *pktns_frm_list)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
struct quic_frame *frm, *frmbak;
struct list *pkt_frm_list = &pkt->frms;
uint64_t pn = pkt->pn_node.key;
int close = 0;
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
list_for_each_entry_safe(frm, frmbak, pkt_frm_list, list) {
/* First remove this frame from the packet it was attached to */
LIST_DEL_INIT(&frm->list);
quic_tx_packet_refdec(pkt);
/* At this time, this frame is not freed but removed from its packet */
frm->pkt = NULL;
/* Remove any reference to this frame */
qc_frm_unref(frm, qc);
switch (frm->type) {
case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F:
{
MINOR: quic: implement function to check if STREAM is fully acked When a STREAM frame is retransmitted, a check is performed to remove range of data already acked from it. This is useful when STREAM frames are duplicated and splitted to cover different data ranges. The newly retransmitted frame contains only unacked data. This process is performed similarly in qc_dup_pkt_frms() and qc_build_frms(). Refactor the code into a new function named qc_stream_frm_is_acked(). It returns true if frame data are already fully acked and retransmission can be avoided. If only a partial range of data is acknowledged, frame content is updated to only cover the unacked data. This patch does not have any functional change. However, it simplifies retransmission for STREAM frames. Also, it will be reused to fix retransmission for empty STREAM frames with FIN set from the following patch : BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM As such, it must be backported prior to it.
2024-08-06 11:36:56 -04:00
if (qc_stream_frm_is_acked(qc, frm)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
qc_frm_free(qc, &frm);
continue;
}
break;
}
default:
break;
}
/* Do not resend probing packet with old data */
if (pkt->flags & QUIC_FL_TX_PACKET_PROBE_WITH_OLD_DATA) {
TRACE_DEVEL("ignored frame with old data from packet", QUIC_EV_CONN_PRSAFRM,
qc, frm, &pn);
if (frm->origin)
LIST_DEL_INIT(&frm->ref);
qc_frm_free(qc, &frm);
continue;
}
if (frm->flags & QUIC_FL_TX_FRAME_ACKED) {
TRACE_DEVEL("already acked frame", QUIC_EV_CONN_PRSAFRM, qc, frm);
TRACE_DEVEL("freeing frame from packet", QUIC_EV_CONN_PRSAFRM,
qc, frm, &pn);
qc_frm_free(qc, &frm);
}
else {
MINOR: quic: split congestion controler options for FE/BE usage Various settings can be configured related to QUIC congestion controler. This patch duplicates them to be able to set independent values on frontend and backend sides. As with previous patch, option are renamed to use "fe/be" unified prefixes. This is part of the current serie of commits which unify QUIC settings. Older options are deprecated and will be removed on 3.5 release.
2025-07-31 11:15:51 -04:00
const uint max_frame_loss = QUIC_TUNE_FB_GET(cc_max_frame_loss, qc);
if (++frm->loss_count >= max_frame_loss) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("retransmission limit reached, closing the connection", QUIC_EV_CONN_PRSAFRM, qc);
quic_set_connection_close(qc, quic_err_transport(QC_ERR_INTERNAL_ERROR));
qc_notify_err(qc);
close = 1;
}
LIST_APPEND(pktns_frm_list, &frm->list);
TRACE_DEVEL("frame requeued", QUIC_EV_CONN_PRSAFRM, qc, frm);
}
}
end:
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
return !close;
}
/* Send a packet ack event nofication for each newly acked packet of
* <newly_acked_pkts> list and free them.
* Always succeeds.
*/
REORG: quic: Rename some functions used upon ACK receipt Rename some functions to reflect more their jobs. Move qc_release_lost_pkts() to quic_loss.c
2023-11-27 10:25:53 -05:00
static void qc_notify_cc_of_newly_acked_pkts(struct quic_conn *qc,
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
struct list *newly_acked_pkts,
unsigned int bytes_lost,
unsigned int rtt)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
struct quic_tx_packet *pkt, *tmp;
struct quic_cc_event ev = { .type = QUIC_CC_EVT_ACK, };
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
struct quic_cc_path *p = qc->path;
struct quic_cc_drs *drs =
p->cc.algo->get_drs ? p->cc.algo->get_drs(&p->cc) : NULL;
unsigned int bytes_delivered = 0, pkt_delivered = 0;
BUILD: quic: fix a build error about an non initialized timestamp This is to please a non identified compilers which complains about an hypothetic <time_ns> variable which would be not initialized even if this is the case only when it is not used. This build issue arrived with this commit: BUG/MINOR: improve BBR throughput on very fast links Should be backported to 3.1 with this previous commit.
2024-11-29 08:39:48 -05:00
uint64_t time_ns = task_mono_time();
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
list_for_each_entry_safe(pkt, tmp, newly_acked_pkts, list) {
pkt->pktns->tx.in_flight -= pkt->in_flight_len;
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
p->prep_in_flight -= pkt->in_flight_len;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING)
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
p->ifae_pkts--;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* If this packet contained an ACK frame, proceed to the
* acknowledging of range of acks from the largest acknowledged
* packet number which was sent in an ACK frame by this packet.
*/
if (pkt->largest_acked_pn != -1)
qc_treat_ack_of_ack(qc, &pkt->pktns->rx.arngs, pkt->largest_acked_pn);
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
bytes_delivered += pkt->len;
pkt_delivered = pkt->rs.delivered;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
ev.ack.acked = pkt->in_flight_len;
BUG/MINOR: improve BBR throughput on very fast links This patch fixes the loss of information when computing the delivery rate (quic_cc_drs.c) on links with very low latency due to usage of 32bits variables with the millisecond as precision. Initialize the quic_conn task with TASK_F_WANTS_TIME flag ask it to ask the scheduler to update the call date of this task. This allows this task to get a nanosecond resolution on the call date calling task_mono_time(). This is enabled only for congestion control algorithms with delivery rate estimation support (BBR only at this time). Store the send date with nanosecond precision of each TX packet into ->time_sent_ns new quic_tx_packet struct member to store the date a packet was sent in nanoseconds thanks to task_mono_time(). Make use of this new timestamp by the delivery rate estimation algorithm (quic_cc_drs.c). Rename current ->time_sent member from quic_tx_packet struct to ->time_sent_ms to distinguish the unit used by this variable (millisecond) and update the code which uses this variable. The logic found in quic_loss.c is not modified at all. Must be backported to 3.1.
2024-11-27 13:39:34 -05:00
ev.ack.time_sent = pkt->time_sent_ms;
MINOR: quic: HyStart++ implementation (RFC 9406) This is a simple algorithm to replace the classic slow start phase of the congestion control algorithms. It should reduce the high packet loss during this step. Implemented only for Cubic.
2024-03-05 12:30:41 -05:00
ev.ack.pn = pkt->pn_node.key;
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
/* Note that this event is not emitted for BBR. */
quic_cc_event(&p->cc, &ev);
BUG/MINOR: quic: do not increase congestion window if app limited Previously, congestion window was increased any time each time a new acknowledge was received. However, it did not take into account the window filling level. In a network condition with negligible loss, this will cause the window to be incremented until the maximum value (by default 480k), even though the application does not have enough data to fill it. In most cases, this issue is not noticeable. However, it may lead to excessive memory consumption when a QUIC connection is suddendly interrupted, as in this case haproxy will fill the window with retransmission. It even has caused OOM crash when thousands of clients were interrupted at once on a local network benchmark. Fix this by first checking window level prior to every incrementation via a new helper function quic_cwnd_may_increase(). It was arbitrarily decided that the window must be at least 50% full when the ACK is handled prior to increment it. This value is a good compromise to keep window in check while still allowing fast increment when needed. Note that this patch only concerns cubic and newreno algorithm. BBR has already its notion of application limited which ensures the window is only incremented when necessary. This should be backported up to 2.6.
2025-01-09 11:26:37 -05:00
p->in_flight -= pkt->in_flight_len;
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
if (drs && (pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING))
BUG/MINOR: improve BBR throughput on very fast links This patch fixes the loss of information when computing the delivery rate (quic_cc_drs.c) on links with very low latency due to usage of 32bits variables with the millisecond as precision. Initialize the quic_conn task with TASK_F_WANTS_TIME flag ask it to ask the scheduler to update the call date of this task. This allows this task to get a nanosecond resolution on the call date calling task_mono_time(). This is enabled only for congestion control algorithms with delivery rate estimation support (BBR only at this time). Store the send date with nanosecond precision of each TX packet into ->time_sent_ns new quic_tx_packet struct member to store the date a packet was sent in nanoseconds thanks to task_mono_time(). Make use of this new timestamp by the delivery rate estimation algorithm (quic_cc_drs.c). Rename current ->time_sent member from quic_tx_packet struct to ->time_sent_ms to distinguish the unit used by this variable (millisecond) and update the code which uses this variable. The logic found in quic_loss.c is not modified at all. Must be backported to 3.1.
2024-11-27 13:39:34 -05:00
quic_cc_drs_update_rate_sample(drs, pkt, time_ns);
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
LIST_DEL_INIT(&pkt->list);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
quic_tx_packet_refdec(pkt);
}
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
if (drs) {
quic_cc_drs_on_ack_recv(drs, p, pkt_delivered);
drs->lost += bytes_lost;
}
if (p->cc.algo->on_ack_rcvd)
p->cc.algo->on_ack_rcvd(&p->cc, bytes_delivered, pkt_delivered,
rtt, bytes_lost, now_ms);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
}
/* Parse ACK frame into <frm> from a buffer at <buf> address with <end> being at
* one byte past the end of this buffer. Also update <rtt_sample> if needed, i.e.
* if the largest acked packet was newly acked and if there was at least one newly
* acked ack-eliciting packet.
* Return 1, if succeeded, 0 if not.
*/
static int qc_parse_ack_frm(struct quic_conn *qc,
struct quic_frame *frm,
struct quic_enc_level *qel,
unsigned int *rtt_sample,
const unsigned char **pos, const unsigned char *end)
{
struct qf_ack *ack_frm = &frm->ack;
uint64_t smallest, largest;
struct eb_root *pkts;
struct eb64_node *largest_node;
unsigned int time_sent, pkt_flags;
struct list newly_acked_pkts = LIST_HEAD_INIT(newly_acked_pkts);
struct list lost_pkts = LIST_HEAD_INIT(lost_pkts);
BUG/MINOR: quic: Possible skipped RTT sampling There are very few chances this bug may occur. Furthermore the consequences are not dramatic: an RTT sampling may be ignored. I guess this may happen when the now_ms global value wraps. Do not rely on the time variable value a packet was sent to decide if it is a newly acknowledged packet but on its presence or not in the tx packet ebtree. Must be backported as far as 2.6.
2023-08-29 05:01:19 -04:00
int ret = 0, new_largest_acked_pn = 0;
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
struct quic_tx_packet *pkt, *tmp;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc);
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
pkts = &qel->pktns->tx.pkts;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (ack_frm->largest_ack > qel->pktns->tx.next_pn) {
TRACE_DEVEL("ACK for not sent packet", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &ack_frm->largest_ack);
goto err;
}
if (ack_frm->first_ack_range > ack_frm->largest_ack) {
TRACE_DEVEL("too big first ACK range", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &ack_frm->first_ack_range);
goto err;
}
largest = ack_frm->largest_ack;
smallest = largest - ack_frm->first_ack_range;
pkt_flags = 0;
largest_node = NULL;
time_sent = 0;
if ((int64_t)ack_frm->largest_ack > qel->pktns->rx.largest_acked_pn) {
largest_node = eb64_lookup(pkts, largest);
if (!largest_node) {
TRACE_DEVEL("Largest acked packet not found",
QUIC_EV_CONN_PRSAFRM, qc);
}
else {
time_sent = eb64_entry(largest_node,
BUG/MINOR: improve BBR throughput on very fast links This patch fixes the loss of information when computing the delivery rate (quic_cc_drs.c) on links with very low latency due to usage of 32bits variables with the millisecond as precision. Initialize the quic_conn task with TASK_F_WANTS_TIME flag ask it to ask the scheduler to update the call date of this task. This allows this task to get a nanosecond resolution on the call date calling task_mono_time(). This is enabled only for congestion control algorithms with delivery rate estimation support (BBR only at this time). Store the send date with nanosecond precision of each TX packet into ->time_sent_ns new quic_tx_packet struct member to store the date a packet was sent in nanoseconds thanks to task_mono_time(). Make use of this new timestamp by the delivery rate estimation algorithm (quic_cc_drs.c). Rename current ->time_sent member from quic_tx_packet struct to ->time_sent_ms to distinguish the unit used by this variable (millisecond) and update the code which uses this variable. The logic found in quic_loss.c is not modified at all. Must be backported to 3.1.
2024-11-27 13:39:34 -05:00
struct quic_tx_packet, pn_node)->time_sent_ms;
BUG/MINOR: quic: Possible skipped RTT sampling There are very few chances this bug may occur. Furthermore the consequences are not dramatic: an RTT sampling may be ignored. I guess this may happen when the now_ms global value wraps. Do not rely on the time variable value a packet was sent to decide if it is a newly acknowledged packet but on its presence or not in the tx packet ebtree. Must be backported as far as 2.6.
2023-08-29 05:01:19 -04:00
new_largest_acked_pn = 1;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
TRACE_PROTO("RX ack range", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &largest, &smallest);
do {
uint64_t gap, ack_range;
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
qc_newly_acked_pkts(qc, pkts, &newly_acked_pkts,
largest_node, largest, smallest);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!ack_frm->ack_range_num--)
break;
if (!quic_dec_int(&gap, pos, end)) {
TRACE_ERROR("quic_dec_int(gap) failed", QUIC_EV_CONN_PRSAFRM, qc);
goto err;
}
if (smallest < gap + 2) {
TRACE_DEVEL("wrong gap value", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &gap, &smallest);
goto err;
}
largest = smallest - gap - 2;
if (!quic_dec_int(&ack_range, pos, end)) {
TRACE_ERROR("quic_dec_int(ack_range) failed", QUIC_EV_CONN_PRSAFRM, qc);
goto err;
}
if (largest < ack_range) {
TRACE_DEVEL("wrong ack range value", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &largest, &ack_range);
goto err;
}
/* Do not use this node anymore. */
largest_node = NULL;
/* Next range */
smallest = largest - ack_range;
TRACE_PROTO("RX next ack range", QUIC_EV_CONN_PRSAFRM,
qc, NULL, &largest, &smallest);
} while (1);
if (!LIST_ISEMPTY(&newly_acked_pkts)) {
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
unsigned int bytes_lost = 0;
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
if (!qc_handle_newly_acked_pkts(qc, &pkt_flags, &newly_acked_pkts))
goto leave;
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
if (new_largest_acked_pn && (pkt_flags & QUIC_FL_TX_PACKET_ACK_ELICITING)) {
*rtt_sample = tick_remain(time_sent, now_ms);
qel->pktns->rx.largest_acked_pn = ack_frm->largest_ack;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!eb_is_empty(&qel->pktns->tx.pkts)) {
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
qc_packet_loss_lookup(qel->pktns, qc, &lost_pkts, &bytes_lost);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!qc_release_lost_pkts(qc, qel->pktns, &lost_pkts, now_ms))
goto leave;
}
MINOR: quic: RX part modifications to support BBR qc_notify_cc_of_newly_acked_pkts() aim is to notify the congestion algorithm of all the packet acknowledgements. It must call quic_cc_drs_update_rate_sample() to update the delivery rate sampling information. It must also call quic_cc_drs_on_ack_recv() to update the state of the delivery rate sampling part used by BBR. Finally, ->on_ack_rcvd() is called with the total number of bytes delivered by the sender from the newly acknowledged packets with <bytes_delivered> as parameter to do so. <pkt_delivered> store the per-packet number of bytes delivered by the newly sent acknowledged packet (the packet with the highest packet number). <bytes_lost> is also used and has been set by qc_packet_loss_lookup() before calling qc_notify_cc_of_newly_acked_pkts().
2024-10-22 13:03:27 -04:00
qc_notify_cc_of_newly_acked_pkts(qc, &newly_acked_pkts,
bytes_lost, *rtt_sample);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (quic_peer_validated_addr(qc))
qc->path->loss.pto_count = 0;
qc_set_timer(qc);
qc_notify_send(qc);
}
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSAFRM, qc);
return ret;
err:
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
/* Move back these packets into their tree. */
list_for_each_entry_safe(pkt, tmp, &newly_acked_pkts, list) {
LIST_DEL_INIT(&pkt->list);
eb64_insert(pkts, &pkt->pn_node);
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto leave;
}
/* Parse a STREAM frame <strm_frm> received in <pkt> packet for <qc>
* connection. <fin> is true if FIN bit is set on frame type.
*
* Return 1 on success. On error, 0 is returned. In this case, the packet
* containing the frame must not be acknowledged.
*/
static int qc_handle_strm_frm(struct quic_rx_packet *pkt,
struct qf_stream *strm_frm,
struct quic_conn *qc, char fin)
{
int ret;
/* RFC9000 13.1. Packet Processing
*
* A packet MUST NOT be acknowledged until packet protection has been
* successfully removed and all frames contained in the packet have
* been processed. For STREAM frames, this means the data has been
* enqueued in preparation to be received by the application protocol,
* but it does not require that data be delivered and consumed.
*/
TRACE_ENTER(QUIC_EV_CONN_PRSFRM, qc);
ret = qcc_recv(qc->qcc, strm_frm->id, strm_frm->len,
MINOR: quic: implement dedicated type for out-of-order stream ACK QUIC streamdesc layer is responsible to handle reception of ACK for streams. It removes stream data from the underlying buffers on ACK reception. Streamdesc layer treats ACK in order at the stream level. Out of order ACKs are buffered in a tree until they can be handled on older data acknowledgement reception. Previously, qf_stream instance which comes from the quic_tx_packet was used as tree node to buffer such ranges. Introduce a new type dedicated to represent out of order stream ack data range. This type is named qc_stream_ack. It contains minimal infos only relative to the acknowledged stream data range. This allows to reduce size of frequently used quic_frame with the removal of tree node from qf_stream. Another side effect of this change is that now quic_frame are always released immediately on ACK reception, both in-order and out-of-order. This allows to also release the quic_tx_packet instance which should reduce memory consumption. The drawback of this change is that qc_stream_ack instance must be allocated on out-of-order ACK reception. As such, qc_stream_desc_ack() may fail if an error happens on allocation. For the moment, such error is silenly recovered up to qc_treat_rx_pkts() with the dropping of the received packet containing the ACK frame. In the future, it may be useful to close the connection as this error may only happens on low memory usage.
2024-10-01 11:34:55 -04:00
strm_frm->offset, fin, (char *)strm_frm->data);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
CLEANUP: tree-wide: fix comment typos all over the tree (~68) This covers hpack, quic, h3, map, acl, pattern, tcpchecks, clienthello. Only comments were touched, 100% harmless, no need to backport.
2026-04-27 21:43:22 -04:00
/* frame rejected - packet must not be acknowledged */
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_LEAVE(QUIC_EV_CONN_PRSFRM, qc);
return !ret;
}
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
/* Parse <crypto_frm> CRYPTO frame coming with <pkt> packet at <qel> <qc>
* connection.
MINOR: quic: extend return value of CRYPTO parsing qc_handle_crypto_frm() is the function used to handled a newly received CRYPTO frame. Change its API to use a newly dedicated return type. This allows to report if the frame was properly handled, ignored if already parsed previously or rejected after a fatal error. This commit does not have any functional changes. However, it allows to simplify qc_handle_crypto_frm() API by removing <fast_retrans> as output parameter. Also, this patch will be necessary to support multiple iteration of packet parsing for CRYPTO frames.
2024-11-04 11:27:39 -05:00
*
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
* Returns 0 on success or a negative error code.
MINOR: quic: extend return value of CRYPTO parsing qc_handle_crypto_frm() is the function used to handled a newly received CRYPTO frame. Change its API to use a newly dedicated return type. This allows to report if the frame was properly handled, ignored if already parsed previously or rejected after a fatal error. This commit does not have any functional changes. However, it allows to simplify qc_handle_crypto_frm() API by removing <fast_retrans> as output parameter. Also, this patch will be necessary to support multiple iteration of packet parsing for CRYPTO frames.
2024-11-04 11:27:39 -05:00
*
* Also set <*fast_retrans> as output parameter to 1 if the speed up handshake
* completion may be run after having received duplicated CRYPTO data.
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
*/
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
static int qc_handle_crypto_frm(struct quic_conn *qc,
struct qf_crypto *crypto_frm,
struct quic_rx_packet *pkt,
struct quic_enc_level *qel,
int *fast_retrans)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
enum ncb_ret ncb_ret;
/* XXX TO DO: <cfdebug> is used only for the traces. */
struct quic_rx_crypto_frm cfdebug = {
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
.offset_node.key = crypto_frm->offset_node.key,
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
.len = crypto_frm->len,
};
struct quic_cstream *cstream = qel->cstream;
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
struct ncbmbuf *ncbuf = &qel->cstream->rx.ncbuf;
BUG/MAJOR: quic: reject too large CRYPTO frames Received CRYPTO frames are inserted in a ncbuf to handle out-of-order reception via ncb_add(). They are stored on the position relative to the frame offset, minus a base offset which corresponds to the in-order data length already handled. Previouly, no check was implemented on the frame offset value prior to ncb_add(), which could easily trigger a crash if relative offset was too large. Fix this by ensuring first that the frame can be stored in the buffer before ncb_add() invokation. If this is not the case, connection is closed with error CRYPTO_BUFFER_EXCEEDED, as required by QUIC specification. This should fix github issue #2842. This must be backported up to 2.6.
2025-01-20 04:15:12 -05:00
uint64_t off_rel;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
if (unlikely(crypto_frm->offset_node.key < cstream->rx.offset)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
size_t diff;
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
if (crypto_frm->offset_node.key + crypto_frm->len <= cstream->rx.offset) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Nothing to do */
TRACE_PROTO("Already received CRYPTO data",
MINOR: quic: extend return value of CRYPTO parsing qc_handle_crypto_frm() is the function used to handled a newly received CRYPTO frame. Change its API to use a newly dedicated return type. This allows to report if the frame was properly handled, ignored if already parsed previously or rejected after a fatal error. This commit does not have any functional changes. However, it allows to simplify qc_handle_crypto_frm() API by removing <fast_retrans> as output parameter. Also, this patch will be necessary to support multiple iteration of packet parsing for CRYPTO frames.
2024-11-04 11:27:39 -05:00
QUIC_EV_CONN_RXPKT, qc, pkt, &cfdebug);
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
*fast_retrans = 1;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto done;
}
TRACE_PROTO("Partially already received CRYPTO data",
QUIC_EV_CONN_RXPKT, qc, pkt, &cfdebug);
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
diff = cstream->rx.offset - crypto_frm->offset_node.key;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
crypto_frm->len -= diff;
crypto_frm->data += diff;
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
crypto_frm->offset_node.key = cstream->rx.offset;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
if (!quic_get_ncbuf(ncbuf) || ncbmb_is_null(ncbuf)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("CRYPTO ncbuf allocation failed", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: extend return value of CRYPTO parsing qc_handle_crypto_frm() is the function used to handled a newly received CRYPTO frame. Change its API to use a newly dedicated return type. This allows to report if the frame was properly handled, ignored if already parsed previously or rejected after a fatal error. This commit does not have any functional changes. However, it allows to simplify qc_handle_crypto_frm() API by removing <fast_retrans> as output parameter. Also, this patch will be necessary to support multiple iteration of packet parsing for CRYPTO frames.
2024-11-04 11:27:39 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
/* crypto_frm->offset > cstream-trx.offset */
MINOR: quic: remove ->offset qf_crypto struct field This patch follows this previous bug fix: BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets where a ebtree node has been added to qf_crypto struct. It has the same meaning and type as ->offset_node.key field with ->offset_node an eb64tree node. This patch simply removes ->offset which is no more useful. This patch should be easily backported as far as 2.6 as the one mentioned above to ease any further backport to come.
2025-08-27 10:28:04 -04:00
off_rel = crypto_frm->offset_node.key - cstream->rx.offset;
BUG/MAJOR: quic: reject too large CRYPTO frames Received CRYPTO frames are inserted in a ncbuf to handle out-of-order reception via ncb_add(). They are stored on the position relative to the frame offset, minus a base offset which corresponds to the in-order data length already handled. Previouly, no check was implemented on the frame offset value prior to ncb_add(), which could easily trigger a crash if relative offset was too large. Fix this by ensuring first that the frame can be stored in the buffer before ncb_add() invokation. If this is not the case, connection is closed with error CRYPTO_BUFFER_EXCEEDED, as required by QUIC specification. This should fix github issue #2842. This must be backported up to 2.6.
2025-01-20 04:15:12 -05:00
/* RFC 9000 7.5. Cryptographic Message Buffering
*
* Being unable to buffer CRYPTO frames during the handshake can lead to
* a connection failure. If an endpoint's buffer is exceeded during the
* handshake, it can expand its buffer temporarily to complete the
* handshake. If an endpoint does not expand its buffer, it MUST close
* the connection with a CRYPTO_BUFFER_EXCEEDED error code.
*/
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
if (off_rel + crypto_frm->len > ncbmb_size(ncbuf)) {
BUG/MAJOR: quic: reject too large CRYPTO frames Received CRYPTO frames are inserted in a ncbuf to handle out-of-order reception via ncb_add(). They are stored on the position relative to the frame offset, minus a base offset which corresponds to the in-order data length already handled. Previouly, no check was implemented on the frame offset value prior to ncb_add(), which could easily trigger a crash if relative offset was too large. Fix this by ensuring first that the frame can be stored in the buffer before ncb_add() invokation. If this is not the case, connection is closed with error CRYPTO_BUFFER_EXCEEDED, as required by QUIC specification. This should fix github issue #2842. This must be backported up to 2.6.
2025-01-20 04:15:12 -05:00
TRACE_ERROR("CRYPTO frame too large", QUIC_EV_CONN_PRSHPKT, qc);
quic_set_connection_close(qc, quic_err_transport(QC_ERR_CRYPTO_BUFFER_EXCEEDED));
goto err;
}
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
ncb_ret = ncbmb_add(ncbuf, off_rel, (const char *)crypto_frm->data,
crypto_frm->len, NCB_ADD_OVERWRT);
BUG_ON(ncb_ret != NCB_RET_OK);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
MINOR: quic: simplify rescheduling for handshake On CRYPTO frames reception, tasklet is rescheduled with TASK_HEAVY to limit CPU consumption. This commit slighly simplifies this by regrouping TASK_HEAVY setting and tasklet_wakeup() instructions in a single location in qc_handle_crypto_frm(). All other unnecessary tasklet_wakeup() are removed.
2024-03-08 11:40:16 -05:00
/* Reschedule with TASK_HEAVY if CRYPTO data ready for decoding. */
BUG/MAJOR: quic: use ncbmbuf for CRYPTO handling In QUIC, TLS handshake messages such as ClientHello are encapsulated in CRYPTO frames. Each QUIC implementation can split the content in several frames of random sizes. In fact, this feature is now used by several clients, based on chrome so-called "Chaos protection" mechanism : https://quiche.googlesource.com/quiche/+/cb6b51054274cb2c939264faf34a1776e0a5bab7 To support this, haproxy uses a ncbuf storage to store received CRYPTO frames before passing it to the SSL library. However, this storage suffers from a limitation as gaps between two filled blocks cannot be smaller than 8 bytes. Thus, depending on the size of received CRYPTO frames and their order, ncbuf may not be sufficient. Over time, several mechanisms were implemented in haproxy QUIC frames parsing to overcome the ncbuf limitation. However, reports recently highlight that with some clients haproxy is not able to deal with CRYPTO frames reception. In particular, this is the case with the latest ngtcp2 release, which implements a similar chaos protection mechanism via the following patch. It also seems that this impacts haproxy interaction with firefox. commit 89c29fd8611d5e6d2f6b1f475c5e3494c376028c Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Date: Mon Aug 4 22:48:06 2025 +0900 Crumble Client Initial CRYPTO (aka chaos protection) To fix haproxy CRYPTO frames buffering once and for all, an alternative non-contiguous buffer named ncbmbuf has been recently implemented. This type does not suffer from gaps size limitation, albeit at the cost of a small reduction in the size available for data storage. Thus, the purpose of this current patch is to replace ncbuf with the newer ncbmbuf for QUIC CRYPTO frames parsing. Now, ncbmb_add() is used to buffer received frames which is guaranteed to suceed. The only remaining case of error is if a received frame offset and length exceed the ncbmbuf data storage, which would result in a CRYPTO_BUFFER_EXCEEDED error code. A notable behavior change when switching to ncbmbuf implementation is that NCB_ADD_COMPARE mode cannot be used anymore during add. Instead, crypto frame content received at a similar offset will be overwritten. A final note regarding STREAM frames parsing. For now, it is considered unnecessary to switch from ncbuf in this case. Indeed, QUIC clients does not perform aggressive fragmentation for them. Keeping ncbuf ensure that the data storage size is bigger than the equivalent ncbmbuf area. This should fix github issue #3141. This patch must be backported up to 2.6. It is first necessary to pick the relevant commits for ncbmbuf implementation prior to it.
2025-10-16 10:43:16 -04:00
if (ncbmb_data(ncbuf, 0)) {
MEDIUM: quic: Heavy task mode with non contiguously bufferized CRYPTO data This patch sets the handshake task in heavy task mode when receiving in disorder CRYPTO data which results in in order bufferized CRYPTO data. This is done thanks to a non-contiguous buffer and from qc_handle_crypto_frm() after having potentially bufferized CRYPTO data in this buffer. qc_treat_rx_crypto_frms() is no more called from qc_treat_rx_pkts() but instead this is where the task is set in heavy task mode. Consequently, this is the job of qc_ssl_provide_all_quic_data() to call directly qc_treat_rx_crypto_frms() to provide the in order bufferized CRYPTO data to the TLS stack. As this function releases the non-contiguous buffer for the CRYPTO data, if possible, there is no need to do that from qc_treat_rx_crypto_frms() anymore.
2023-10-31 11:23:05 -04:00
HA_ATOMIC_OR(&qc->wait_event.tasklet->state, TASK_HEAVY);
MINOR: quic: simplify rescheduling for handshake On CRYPTO frames reception, tasklet is rescheduled with TASK_HEAVY to limit CPU consumption. This commit slighly simplifies this by regrouping TASK_HEAVY setting and tasklet_wakeup() instructions in a single location in qc_handle_crypto_frm(). All other unnecessary tasklet_wakeup() are removed.
2024-03-08 11:40:16 -05:00
tasklet_wakeup(qc->wait_event.tasklet);
}
MEDIUM: quic: Heavy task mode with non contiguously bufferized CRYPTO data This patch sets the handshake task in heavy task mode when receiving in disorder CRYPTO data which results in in order bufferized CRYPTO data. This is done thanks to a non-contiguous buffer and from qc_handle_crypto_frm() after having potentially bufferized CRYPTO data in this buffer. qc_treat_rx_crypto_frms() is no more called from qc_treat_rx_pkts() but instead this is where the task is set in heavy task mode. Consequently, this is the job of qc_ssl_provide_all_quic_data() to call directly qc_treat_rx_crypto_frms() to provide the in order bufferized CRYPTO data to the TLS stack. As this function releases the non-contiguous buffer for the CRYPTO data, if possible, there is no need to do that from qc_treat_rx_crypto_frms() anymore.
2023-10-31 11:23:05 -04:00
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
done:
TRACE_LEAVE(QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
return 0;
MINOR: quic: extend return value of CRYPTO parsing qc_handle_crypto_frm() is the function used to handled a newly received CRYPTO frame. Change its API to use a newly dedicated return type. This allows to report if the frame was properly handled, ignored if already parsed previously or rejected after a fatal error. This commit does not have any functional changes. However, it allows to simplify qc_handle_crypto_frm() API by removing <fast_retrans> as output parameter. Also, this patch will be necessary to support multiple iteration of packet parsing for CRYPTO frames.
2024-11-04 11:27:39 -05:00
err:
TRACE_DEVEL("leaving on error", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
return -1;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
/* Handle RETIRE_CONNECTION_ID frame from <frm> frame.
* Return 1 if succeeded, 0 if not. If succeeded, also set <to_retire>
* to the CID to be retired if not already retired.
*/
static int qc_handle_retire_connection_id_frm(struct quic_conn *qc,
struct quic_frame *frm,
struct quic_cid *dcid,
struct quic_connection_id **to_retire)
{
int ret = 0;
struct qf_retire_connection_id *rcid_frm = &frm->retire_connection_id;
struct eb64_node *node;
struct quic_connection_id *conn_id;
TRACE_ENTER(QUIC_EV_CONN_PRSHPKT, qc);
/* RFC 9000 19.16. RETIRE_CONNECTION_ID Frames:
* Receipt of a RETIRE_CONNECTION_ID frame containing a sequence number greater
* than any previously sent to the peer MUST be treated as a connection error
* of type PROTOCOL_VIOLATION.
*/
if (rcid_frm->seq_num >= qc->next_cid_seq_num) {
TRACE_PROTO("CID seq. number too big", QUIC_EV_CONN_PSTRM, qc, frm);
goto protocol_violation;
}
/* RFC 9000 19.16. RETIRE_CONNECTION_ID Frames:
* The sequence number specified in a RETIRE_CONNECTION_ID frame MUST NOT refer to
* the Destination Connection ID field of the packet in which the frame is contained.
* The peer MAY treat this as a connection error of type PROTOCOL_VIOLATION.
*/
MINOR: quic: Use a pool for the connection ID tree. Add "quic_cids" new pool to allocate the ->cids trees of quic_conn objects. Replace ->cids member of quic_conn objects by pointer to "quic_cids" and adapt the code consequently. Nothing special.
2023-08-07 03:50:04 -04:00
node = eb64_lookup(qc->cids, rcid_frm->seq_num);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!node) {
TRACE_PROTO("CID already retired", QUIC_EV_CONN_PSTRM, qc, frm);
goto out;
}
conn_id = eb64_entry(node, struct quic_connection_id, seq_num);
/* Note that the length of <dcid> has already been checked. It must match the
* length of the CIDs which have been provided to the peer.
*/
if (!memcmp(dcid->data, conn_id->cid.data, QUIC_HAP_CID_LEN)) {
TRACE_PROTO("cannot retire the current CID", QUIC_EV_CONN_PSTRM, qc, frm);
goto protocol_violation;
}
*to_retire = conn_id;
out:
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSHPKT, qc);
return ret;
protocol_violation:
quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
qc_notify_err(qc);
goto leave;
}
REORG: quic: Move several inlined functions from quic_conn.h Move quic_pkt_type(), quic_saddr_cpy(), quic_write_uint32(), max_available_room(), max_stream_data_size(), quic_packet_number_length(), quic_packet_number_encode() and quic_compute_ack_delay_us() to quic_tx.c because only used in this file. Also move quic_ack_delay_ms() and quic_read_uint32() to quic_tx.c because they are used only in this file. Move quic_rx_packet_refinc() and quic_rx_packet_refdec() to quic_rx.h header. Move qc_el_rx_pkts(), qc_el_rx_pkts_del() and qc_list_qel_rx_pkts() to quic_tls.h header.
2023-11-27 05:34:03 -05:00
/* Returns the <ack_delay> field value in milliseconds from <ack_frm> ACK frame for
* <conn> QUIC connection. Note that the value of <ack_delay> coming from
* ACK frame is in microseconds.
*/
static inline unsigned int quic_ack_delay_ms(struct qf_ack *ack_frm,
struct quic_conn *conn)
{
return (ack_frm->ack_delay << conn->tx.params.ack_delay_exponent) / 1000;
}
MEDIUM: quic-be: Parse, store and reuse tokens provided by NEW_TOKEN Add a per thread ist struct to srv_per_thread struct to store the QUIC token to be reused for subsequent sessions. Parse at packet level (from qc_parse_ptk_frms()) these tokens and store them calling qc_try_store_new_token() newly implemented function. This is this new function which does its best (may fail) to update the tokens. Modify qc_do_build_pkt() to resend these tokens calling quic_enc_token() implemented by this patch.
2025-08-11 10:53:29 -04:00
/* Client only.
* Do its best to store <tok> token received from a NEW_TOKEN frame into <s>
* server cache for tokens to reuse.
*/
static inline void qc_try_store_new_token(struct server *s,
const unsigned char *tok,
size_t len)
{
struct ist *stok;
char *stok_ptr;
stok = &s->per_thr[tid].quic_retry_token;
stok_ptr = istptr(*stok);
if (len > istlen(*stok)) {
stok_ptr = realloc(stok_ptr, len);
if (stok_ptr)
s->per_thr[tid].quic_retry_token.ptr = stok_ptr;
else {
memset(istptr(*stok), 0, istlen(*stok));
istfree(stok);
}
}
if (stok_ptr) {
memcpy(stok_ptr, tok, len);
stok->len = len;
}
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Parse all the frames of <pkt> QUIC packet for QUIC connection <qc> and <qel>
* as encryption level.
* Returns 1 if succeeded, 0 if failed.
*/
static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt,
struct quic_enc_level *qel)
{
BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets This issue impacts the QUIC listeners. It is the same as the one fixed by this commit: BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO As chrome, ngtcp2 client decided to fragment its CRYPTO frames but in a much more agressive way. This could be fixed with a list local to qc_parse_pkt_frms() to please chrome thanks to the commit above. But this is not sufficient for ngtcp2 which often splits its ClientHello message into more than 10 fragments with very small ones. This leads the packet parser to interrupt the CRYPTO frames parsing due to the ncbuf gap size limit. To fix this, this patch approximatively proceeds the same way but with an ebtree to reorder the CRYPTO by their offsets. These frames are directly inserted into a local ebtree. Then this ebtree is reused to provide the reordered CRYPTO data to the underlying ncbuf (non contiguous buffer). This way there are very few less chances for the ncbufs used to store CRYPTO data to reach a too much fragmented state. Must be backported as far as 2.6.
2025-08-27 08:18:25 -04:00
struct quic_frame *frm = NULL;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
const unsigned char *pos, *end;
MINOR: quic: refactor frame parsing This patch refactors parsing in QUIC frame module. Function qc_parse_frm() has been splitted in three : * qc_parse_frm_type() * qc_parse_frm_pkt() * qc_parse_frm_payload() No functional change. The main objective of this patch is to facilitate a QMux implementation. One of the gain is the ability to manipulate QUIC frames without any reference to a QUIC packet as it is irrelevant for QMux. Also, quic_set_connection_close() calls are extracted as this relies on qc type. The caller is now responsible to set the required error code.
2025-02-19 08:53:14 -05:00
int fast_retrans = 0, pkt_flags = 0, ret;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_PRSHPKT, qc);
/* Skip the AAD */
pos = pkt->data + pkt->aad_len;
end = pkt->data + pkt->len;
BUG/MINOR: quic: reject packet with no frame RFC 9000 indicates that a QUIC packet with no frame must trigger a connection closure with PROTOCOL_VIOLATION error code. Implement this via an early return inside qc_parse_pkt_frms(). This should be backported up to 2.6.
2023-10-09 04:42:35 -04:00
/* Packet with no frame. */
if (pos == end) {
/* RFC9000 12.4. Frames and Frame Types
*
* The payload of a packet that contains frames MUST contain at least
* one frame, and MAY contain multiple frames and multiple frame types.
* An endpoint MUST treat receipt of a packet containing no frames as a
* connection error of type PROTOCOL_VIOLATION. Frames always fit within
* a single QUIC packet and cannot span multiple packets.
*/
quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
BUG/MINOR: quic: reject packet with no frame RFC 9000 indicates that a QUIC packet with no frame must trigger a connection closure with PROTOCOL_VIOLATION error code. Implement this via an early return inside qc_parse_pkt_frms(). This should be backported up to 2.6.
2023-10-09 04:42:35 -04:00
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
while (pos < end) {
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
if (!frm && !(frm = qc_frm_alloc(0))) {
TRACE_ERROR("cannot allocate frame", QUIC_EV_CONN_PRSHPKT, qc);
goto err;
}
MINOR: quic: refactor frame parsing This patch refactors parsing in QUIC frame module. Function qc_parse_frm() has been splitted in three : * qc_parse_frm_type() * qc_parse_frm_pkt() * qc_parse_frm_payload() No functional change. The main objective of this patch is to facilitate a QMux implementation. One of the gain is the ability to manipulate QUIC frames without any reference to a QUIC packet as it is irrelevant for QMux. Also, quic_set_connection_close() calls are extracted as this relies on qc type. The caller is now responsible to set the required error code.
2025-02-19 08:53:14 -05:00
if (!qc_parse_frm_type(frm, &pos, end, qc)) {
/* RFC 9000 12.4. Frames and Frame Types
*
* An endpoint MUST treat the receipt of a frame of unknown type as a
* connection error of type FRAME_ENCODING_ERROR.
*/
quic_set_connection_close(qc, quic_err_transport(QC_ERR_FRAME_ENCODING_ERROR));
/* trace already emitted by above function */
goto err;
}
/* RFC 9000 12.4. Frames and Frame Types
*
* An endpoint MUST treat
* receipt of a frame in a packet type that is not permitted as a
* connection error of type PROTOCOL_VIOLATION.
*/
if (!qc_parse_frm_pkt(frm, pkt, &pkt_flags)) {
TRACE_ERROR("unauthorized frame", QUIC_EV_CONN_PRSFRM, qc, frm);
quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
goto err;
}
pkt->flags |= pkt_flags;
if (!qc_parse_frm_payload(frm, &pos, end, qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
// trace already emitted by function above
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
switch (frm->type) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
case QUIC_FT_PADDING:
break;
case QUIC_FT_PING:
break;
case QUIC_FT_ACK:
MINOR: quic: handle all frame types on reception Ensure every frame types are handled in qc_parse_pkt_frms. Add an ABORT_NOW on the default case. This is safe as an unknown frame must be rejected prior via qc_parse_frm().
2024-02-15 08:42:54 -05:00
case QUIC_FT_ACK_ECN:
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
unsigned int rtt_sample;
rtt_sample = UINT_MAX;
BUG/MAJOR: quic: Really ignore malformed ACK frames. If not correctly parsed, an ACK frame must be ignored without any more treatment. Before this patch an ACK frame could be partially correctly parsed, then some errors could be detected which leaded newly acknowledged packets to be released in a wrong way calling free_quic_tx_pkts() called by qc_parse_ack_frm(). But there is no reason to release such packets because of a malformed ACK frame. This patch modifies qc_parse_ack_frm(). The newly acknowledged TX packets is done in two steps. It first collects the newly acknowledged packet calling qc_newly_acked_pkts(). Then proceed the same way as before for the treatments of haproxy TX packets acknowledged by the peer. If the ACK frame could not be fully parsed, the newly ackowledged packets are replaced back from where they were detached: the tree of TX packets for their encryption level. Must be backported as far as 2.6.
2023-08-29 08:48:54 -04:00
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
if (!qc_parse_ack_frm(qc, frm, qel, &rtt_sample, &pos, end)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
// trace already emitted by function above
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
if (rtt_sample != UINT_MAX) {
unsigned int ack_delay;
ack_delay = !quic_application_pktns(qel->pktns, qc) ? 0 :
qc->state >= QUIC_HS_ST_CONFIRMED ?
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
MS_TO_TICKS(QUIC_MIN(quic_ack_delay_ms(&frm->ack, qc), qc->max_ack_delay)) :
MS_TO_TICKS(quic_ack_delay_ms(&frm->ack, qc));
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
quic_loss_srtt_update(&qc->path->loss, rtt_sample, ack_delay, qc);
}
break;
}
case QUIC_FT_RESET_STREAM:
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (qc_is_conn_ready(qc)) {
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
struct qf_reset_stream *rs_frm = &frm->reset_stream;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
qcc_recv_reset_stream(qc->qcc, rs_frm->id, rs_frm->app_error_code, rs_frm->final_size);
}
break;
case QUIC_FT_STOP_SENDING:
{
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
struct qf_stop_sending *ss_frm = &frm->stop_sending;
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (qc_is_conn_ready(qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (qcc_recv_stop_sending(qc->qcc, ss_frm->id,
ss_frm->app_error_code)) {
TRACE_ERROR("qcc_recv_stop_sending() failed", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
break;
}
case QUIC_FT_CRYPTO:
MINOR: quic: remove received CRYPTO temporary tree storage The previous commit switch from ncbuf to ncbmbuf as storage for received CRYPTO frames. The latter ensures that buffering of such frames cannot fail anymore due to gaps size. Previously, extra mechanism were implemented on QUIC frames parsing function to overcome the limitation of ncbuf on gaps size. Before insertion, CRYPTO frames were stored in a temporary tree to order their insertion. As this is not necessary anymore, this commit removes the temporary tree insertion. This commit is closely associated to the previous bug fix. As it provides a neat optimization and code simplication, it can be backported with it, but not in the next immediate release to spot potential regression.
2025-10-20 08:29:55 -04:00
if (qc_handle_crypto_frm(qc, &frm->crypto, pkt, qel, &fast_retrans))
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
break;
MINOR: quic: handle all frame types on reception Ensure every frame types are handled in qc_parse_pkt_frms. Add an ABORT_NOW on the default case. This is safe as an unknown frame must be rejected prior via qc_parse_frm().
2024-02-15 08:42:54 -05:00
case QUIC_FT_NEW_TOKEN:
MINOR: quic: prefer qc_is_back() usage over qc->target Previously quic_conn <target> member was used to determine if quic_conn was used on the frontend (as server) or backend side (as client). A new helper function can now be used to directly check flag QUIC_FL_CONN_IS_BACK. This reduces the dependency between quic_conn and their relative listener/server instances.
2025-08-06 10:19:38 -04:00
if (!qc_is_back(qc)) {
BUG/MINOR: quic: reject NEW_TOKEN frames from clients As specified by RFC 9000, reject NEW_TOKEN frames emitted by clients. Close the connection with error code PROTOCOL_VIOLATION. This must be backported up to 2.6.
2025-01-07 12:22:00 -05:00
TRACE_ERROR("reject NEW_TOKEN frame emitted by client",
QUIC_EV_CONN_PRSHPKT, qc);
/* RFC 9000 19.7. NEW_TOKEN Frames
* Clients MUST NOT send NEW_TOKEN frames. A server MUST treat receipt
* of a NEW_TOKEN frame as a connection error of type
* PROTOCOL_VIOLATION.
*/
quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
goto err;
}
else {
MEDIUM: quic-be: Parse, store and reuse tokens provided by NEW_TOKEN Add a per thread ist struct to srv_per_thread struct to store the QUIC token to be reused for subsequent sessions. Parse at packet level (from qc_parse_ptk_frms()) these tokens and store them calling qc_try_store_new_token() newly implemented function. This is this new function which does its best (may fail) to update the tokens. Modify qc_do_build_pkt() to resend these tokens calling quic_enc_token() implemented by this patch.
2025-08-11 10:53:29 -04:00
struct qf_new_token *new_tok_frm = &frm->new_token;
if (!qc->conn) {
TRACE_ERROR("reject NEW_TOKEN frame (connection closed",
QUIC_EV_CONN_PRSHPKT, qc);
goto err;
}
qc_try_store_new_token(__objt_server(qc->conn->target),
new_tok_frm->r_data, new_tok_frm->len);
BUG/MINOR: quic: reject NEW_TOKEN frames from clients As specified by RFC 9000, reject NEW_TOKEN frames emitted by clients. Close the connection with error code PROTOCOL_VIOLATION. This must be backported up to 2.6.
2025-01-07 12:22:00 -05:00
}
MINOR: quic: handle all frame types on reception Ensure every frame types are handled in qc_parse_pkt_frms. Add an ABORT_NOW on the default case. This is safe as an unknown frame must be rejected prior via qc_parse_frm().
2024-02-15 08:42:54 -05:00
break;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
case QUIC_FT_STREAM_8 ... QUIC_FT_STREAM_F:
{
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
struct qf_stream *strm_frm = &frm->stream;
const char fin = frm->type & QUIC_STREAM_FRAME_TYPE_FIN_BIT;
MINOR: quic: refactor handling of streams after MUX release quic-conn layer has to handle itself STREAM frames after MUX release. If the stream was already seen, it is probably only a retransmitted frame which can be safely ignored. For other streams, an active closure may be needed. Thus it's necessary that quic-conn layer knows the highest stream ID already handled by the MUX after its release. Previously, this was done via <nb_streams> member array in quic-conn structure. Refactor this by replacing <nb_streams> by two members called <stream_max_uni>/<stream_max_bidi>. Indeed, it is unnecessary for quic-conn layer to monitor locally opened uni streams, as the peer cannot by definition emit a STREAM frame on it. Also, bidirectional streams are always opened by the remote side. Previously, <nb_streams> were set by quic-stream layer. Now, <stream_max_uni>/<stream_max_bidi> members are only set one time, just prior to QUIC MUX release. This is sufficient as quic-conn do not use them if the MUX is available. Note that previously, IDs were used relatively to their type, thus incremented by 1, after shifting the original value. For simplification, use the plain stream ID, which is incremented by 4.
2025-05-21 05:39:20 -04:00
const uint64_t max = quic_stream_is_uni(strm_frm->id) ?
qc->rx.stream_max_uni : qc->rx.stream_max_bidi;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* The upper layer may not be allocated. */
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (!qc_is_conn_ready(qc)) {
MINOR: quic: refactor handling of streams after MUX release quic-conn layer has to handle itself STREAM frames after MUX release. If the stream was already seen, it is probably only a retransmitted frame which can be safely ignored. For other streams, an active closure may be needed. Thus it's necessary that quic-conn layer knows the highest stream ID already handled by the MUX after its release. Previously, this was done via <nb_streams> member array in quic-conn structure. Refactor this by replacing <nb_streams> by two members called <stream_max_uni>/<stream_max_bidi>. Indeed, it is unnecessary for quic-conn layer to monitor locally opened uni streams, as the peer cannot by definition emit a STREAM frame on it. Also, bidirectional streams are always opened by the remote side. Previously, <nb_streams> were set by quic-stream layer. Now, <stream_max_uni>/<stream_max_bidi> members are only set one time, just prior to QUIC MUX release. This is sufficient as quic-conn do not use them if the MUX is available. Note that previously, IDs were used relatively to their type, thus incremented by 1, after shifting the original value. For simplification, use the plain stream ID, which is incremented by 4.
2025-05-21 05:39:20 -04:00
if (strm_frm->id < max) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_DATA("Already closed stream", QUIC_EV_CONN_PRSHPKT, qc);
}
else {
TRACE_DEVEL("No mux for new stream", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic/h3: reorganize stream reject after MUX closure The QUIC MUX layer is closed after its transport counterpart. This may be necessary then to reject any new streams opened by the remote peer. This operation is dependent however from the application protocol. Previously, a function qc_h3_request_reject() was directly implemented in quic_conn source file for use when HTTP/3 was previously negotiated. However, this solution was not evolutive and broke layering. This patch introduces a new proper separation with a <strm_reject> callback defined in quic_conn structure. When set, it will be used to preemptively close any new stream. QUIC MUX is responsible to set it just before its closure. No functional change. This patch is purely a refactoring with a better architecture design. Especially, H3 specific code from transport layer is now completely removed.
2026-03-03 03:41:26 -05:00
if (qc->strm_reject) {
if (!qc->strm_reject(&qc->ael->pktns->tx.frms, strm_frm->id)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("error on request rejection", QUIC_EV_CONN_PRSHPKT, qc);
/* This packet will not be acknowledged */
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
else {
/* This packet will not be acknowledged */
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
break;
}
if (!qc_handle_strm_frm(pkt, strm_frm, qc, fin)) {
TRACE_ERROR("qc_handle_strm_frm() failed", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
break;
}
case QUIC_FT_MAX_DATA:
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (qc_is_conn_ready(qc)) {
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
struct qf_max_data *md_frm = &frm->max_data;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
qcc_recv_max_data(qc->qcc, md_frm->max_data);
}
break;
case QUIC_FT_MAX_STREAM_DATA:
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (qc_is_conn_ready(qc)) {
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
struct qf_max_stream_data *msd_frm = &frm->max_stream_data;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (qcc_recv_max_stream_data(qc->qcc, msd_frm->id,
msd_frm->max_stream_data)) {
TRACE_ERROR("qcc_recv_max_stream_data() failed", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
break;
case QUIC_FT_MAX_STREAMS_BIDI:
case QUIC_FT_MAX_STREAMS_UNI:
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if (qc_is_conn_ready(qc)) {
MINOR: mux-quic: support max bidi streams value set by the peer Implement support for MAX_STREAMS frame. On frontend, this was mostly useless as haproxy would never initiate new bidirectional streams. However, this becomes necessary to control stream flow-control when using QUIC as a client on the backend side. Parsing of MAX_STREAMS is implemented via new qcc_recv_max_streams(). This allows to update <ms_uni>/<ms_bidi> QCC fields. This patch is necessary to achieve QUIC backend connection reuse.
2025-06-18 03:25:39 -04:00
int bidi;
struct qf_max_streams *ms_frm;
if (frm->type == QUIC_FT_MAX_STREAMS_BIDI) {
bidi = 1;
ms_frm = &frm->max_streams_bidi;
}
else {
bidi = 0;
ms_frm = &frm->max_streams_uni;
}
if (qcc_recv_max_streams(qc->qcc, ms_frm->max_streams, bidi)) {
TRACE_ERROR("qcc_recv_max_streams() failed", QUIC_EV_CONN_PRSHPKT, qc);
goto err;
}
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
break;
case QUIC_FT_DATA_BLOCKED:
qc->cntrs.data_blocked++;
break;
case QUIC_FT_STREAM_DATA_BLOCKED:
qc->cntrs.stream_data_blocked++;
break;
case QUIC_FT_STREAMS_BLOCKED_BIDI:
qc->cntrs.streams_blocked_bidi++;
break;
case QUIC_FT_STREAMS_BLOCKED_UNI:
qc->cntrs.streams_blocked_uni++;
break;
case QUIC_FT_NEW_CONNECTION_ID:
/* XXX TO DO XXX */
break;
case QUIC_FT_RETIRE_CONNECTION_ID:
{
struct quic_connection_id *conn_id = NULL;
BUG/MEDIUM: quic: handle collision on CID generation CIDs are provided by haproxy so that the peer can use them as DCID of its packets. Their value is set via a random generator. It happens on several occasions during connection lifetime: * via ODCID derivation if haproxy is the server * on quic_conn init if haproxy is the client * during post-handshake if haproxy is the server * on RETIRE_CONNECTION_ID frame parsing CIDs are stored in a global tree. On ODCID derivation, a check is performed to ensure the CID is not a duplicate value. This is mandatory to properly handle multiple INITIAL packets from the same client on different thread. However, for the other cases, no check is performed for CID collision. As _quic_cid_insert() is silent, the issue is not detected at all. This results in a CID advertized to the peer but not stored in the global one. In the end, this may cause two issues. The first one is that packets from the client which use the new CID will be rejected by haproxy, most probably with a STATELESS_RESET. The second issue is that it can cause a crash during quic_conn release. Indeed, the CID is stored in the quic_conn local tree and thus eb_delete() for the global tree will be performed. As <leaf_p> member is uninit, this results in a segfault. Note that this issue is pretty rare. It can only be observed if running with a high number of concurrent connections in parallel, so that the random generator will provide duplicate values. Patch is still labelled as MEDIUM as this modifies code paths used frequently. To fix this, _quic_cid_insert() unsafe function is completely removed. Instead, quic_cid_insert() can be used, which reports an error code if a collision happens. CID are then stored in the quic_conn tree only after global tree insert success. Here is the solution for each steps if a collision occurs : * on init as client: the connection is completely released * post-handshake: the CID is immediately released. The connection is kept, but it will miss an extra CID. * on RETIRE_CONNECTION_ID parsing: a loop is implemented to retry random generation. It it fails several times, the connection is closed in error. A small convenience change is made to quic_cid_insert(). Output parameter <new_tid> can now be NULL, which is useful as most of the times caller do not care about it. This must be backported up to 2.6.
2025-11-06 10:33:31 -05:00
int retry_rand_cid = 3; /* Number of random retries on CID collision. */
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
if (!qc_handle_retire_connection_id_frm(qc, frm, &pkt->dcid, &conn_id))
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!conn_id)
break;
MINOR: quic: remove access to CID global tree outside of quic_cid module haproxy generates for each QUIC connection a set of CID. The peer must reuse them as DCID for its emitted packet. On datagram reception, DCID field serves as identifier to dispatch them on their correct thread. These CIDs are stored in a global CID tree. Access to this data structure must always be protected with CID_LOCK. This commit is a refactoring to regroup all CID tree access in quic_cid module. Several code parts are ajusted : * quic_cid_insert() is extended to check for insertion race-condition. This is useful on quic_conn instantiation. Code where such race cannot happen can use unsafe _quic_cid_insert() instead. * on RETIRE_CONNECTION_ID frame reception, existing quic_cid_delete() function is used. * remove tree lookup from qc_check_dcid(), extracted in the new quic_cmp_cid_conn() function. Ultimately, the latter should be removed as CID lookup could be conducted on quic_conn owned tree without locking.
2024-06-27 12:08:54 -04:00
quic_cid_delete(conn_id);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
eb64_delete(&conn_id->seq_num);
pool_free(pool_head_quic_connection_id, conn_id);
TRACE_PROTO("CID retired", QUIC_EV_CONN_PSTRM, qc);
MINOR: quic: split global CID tree between FE and BE sides QUIC CIDs are stored in a global tree. Prior to this patch, CIDs used on both frontend and backend sides were mixed together. This patch implement CID storage separation between FE and BE sides. The original tre quic_cid_trees is splitted as quic_fe_cid_trees/quic_be_cid_trees. This patch should reduce contention between frontend and backend usages. Also, it should reduce the risk of random CID collision.
2025-11-21 11:21:26 -05:00
conn_id = quic_cid_alloc(qc_cid_side(qc));
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!conn_id) {
TRACE_ERROR("CID allocation error", QUIC_EV_CONN_IO_CB, qc);
BUG/MINOR: quic: close connection on CID alloc failure During RETIRE_CONNECTION_ID frame parsing, a new connection ID is immediately reallocated after the release of the previous one. This is done to ensure that the peer will never run out of DCID. Prior to this patch, a CID allocation failure was be silently ignored. This prevent the emission of a new CID, which could prevent the peer to emit packets if it had no other CIDs available for use. Now, such error is considered fatal to the connection. This is the safest solution as it's better to close connections when memory is running low. It must be backported up to 2.8.
2025-11-06 08:45:33 -05:00
quic_set_connection_close(qc, quic_err_transport(QC_ERR_INTERNAL_ERROR));
qc_notify_err(qc);
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
BUG/MEDIUM: quic: handle collision on CID generation CIDs are provided by haproxy so that the peer can use them as DCID of its packets. Their value is set via a random generator. It happens on several occasions during connection lifetime: * via ODCID derivation if haproxy is the server * on quic_conn init if haproxy is the client * during post-handshake if haproxy is the server * on RETIRE_CONNECTION_ID frame parsing CIDs are stored in a global tree. On ODCID derivation, a check is performed to ensure the CID is not a duplicate value. This is mandatory to properly handle multiple INITIAL packets from the same client on different thread. However, for the other cases, no check is performed for CID collision. As _quic_cid_insert() is silent, the issue is not detected at all. This results in a CID advertized to the peer but not stored in the global one. In the end, this may cause two issues. The first one is that packets from the client which use the new CID will be rejected by haproxy, most probably with a STATELESS_RESET. The second issue is that it can cause a crash during quic_conn release. Indeed, the CID is stored in the quic_conn local tree and thus eb_delete() for the global tree will be performed. As <leaf_p> member is uninit, this results in a segfault. Note that this issue is pretty rare. It can only be observed if running with a high number of concurrent connections in parallel, so that the random generator will provide duplicate values. Patch is still labelled as MEDIUM as this modifies code paths used frequently. To fix this, _quic_cid_insert() unsafe function is completely removed. Instead, quic_cid_insert() can be used, which reports an error code if a collision happens. CID are then stored in the quic_conn tree only after global tree insert success. Here is the solution for each steps if a collision occurs : * on init as client: the connection is completely released * post-handshake: the CID is immediately released. The connection is kept, but it will miss an extra CID. * on RETIRE_CONNECTION_ID parsing: a loop is implemented to retry random generation. It it fails several times, the connection is closed in error. A small convenience change is made to quic_cid_insert(). Output parameter <new_tid> can now be NULL, which is useful as most of the times caller do not care about it. This must be backported up to 2.6.
2025-11-06 10:33:31 -05:00
while (retry_rand_cid--) {
MINOR: quic: do not use quic_newcid_from_hash64 on BE side quic_newcid_from_hash64 is an external callback. If defined, it serves as a CID method generation, as an alternative to the default random implementation. This mechanism was not correctly implemented on the backend side. Indeed, <hash64> quic_conn member is only setted for frontend connections. The simplest solution would be to properly define it also for backend ones. However, quic_newcid_from_hash64 derivation is really only useful for the frontend side for now. Thus, this patch disables using it on the backend side in favor of the default random generator. To implement this, quic_cid_generate() is splitted in two functions, for both methods of CIDs generation. This is the responsibility of the caller to select the proper method. On backend side, only random implementation is now used.
2025-11-10 08:38:45 -05:00
ret = !qc_is_back(qc) && quic_newcid_from_hash64 ?
quic_cid_generate_from_hash(conn_id, qc->hash64) :
quic_cid_generate_random(conn_id);
if (ret) {
BUG/MEDIUM: quic: handle collision on CID generation CIDs are provided by haproxy so that the peer can use them as DCID of its packets. Their value is set via a random generator. It happens on several occasions during connection lifetime: * via ODCID derivation if haproxy is the server * on quic_conn init if haproxy is the client * during post-handshake if haproxy is the server * on RETIRE_CONNECTION_ID frame parsing CIDs are stored in a global tree. On ODCID derivation, a check is performed to ensure the CID is not a duplicate value. This is mandatory to properly handle multiple INITIAL packets from the same client on different thread. However, for the other cases, no check is performed for CID collision. As _quic_cid_insert() is silent, the issue is not detected at all. This results in a CID advertized to the peer but not stored in the global one. In the end, this may cause two issues. The first one is that packets from the client which use the new CID will be rejected by haproxy, most probably with a STATELESS_RESET. The second issue is that it can cause a crash during quic_conn release. Indeed, the CID is stored in the quic_conn local tree and thus eb_delete() for the global tree will be performed. As <leaf_p> member is uninit, this results in a segfault. Note that this issue is pretty rare. It can only be observed if running with a high number of concurrent connections in parallel, so that the random generator will provide duplicate values. Patch is still labelled as MEDIUM as this modifies code paths used frequently. To fix this, _quic_cid_insert() unsafe function is completely removed. Instead, quic_cid_insert() can be used, which reports an error code if a collision happens. CID are then stored in the quic_conn tree only after global tree insert success. Here is the solution for each steps if a collision occurs : * on init as client: the connection is completely released * post-handshake: the CID is immediately released. The connection is kept, but it will miss an extra CID. * on RETIRE_CONNECTION_ID parsing: a loop is implemented to retry random generation. It it fails several times, the connection is closed in error. A small convenience change is made to quic_cid_insert(). Output parameter <new_tid> can now be NULL, which is useful as most of the times caller do not care about it. This must be backported up to 2.6.
2025-11-06 10:33:31 -05:00
TRACE_ERROR("error on CID generation", QUIC_EV_CONN_PSTRM, qc);
quic_set_connection_close(qc, quic_err_transport(QC_ERR_INTERNAL_ERROR));
pool_free(pool_head_quic_connection_id, conn_id);
qc_notify_err(qc);
goto err;
}
if (quic_cid_insert(conn_id, NULL) == 0)
break;
}
if (retry_rand_cid < 0) {
/* Multiple collisions during CID random gen.
* Prefer to close the connection in error
* immediately.
*/
TRACE_ERROR("CID pool exhausted", QUIC_EV_CONN_IO_CB, qc);
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
quic_set_connection_close(qc, quic_err_transport(QC_ERR_INTERNAL_ERROR));
pool_free(pool_head_quic_connection_id, conn_id);
qc_notify_err(qc);
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
MEDIUM/OPTIM: quic: alloc quic_conn after CID collision check On Initial packet parsing, a new quic_conn instance is allocated via qc_new_conn(). Then a CID is allocated with its value derivated from client ODCID. On CID tree insert, a collision can occur if another thread was already parsing an Initial packet from the same client. In this case, the connection is released and the packet will be requeued to the other thread. Originally, CID collision check was performed prior to quic_conn allocation. This was changed by the commit below, as this could cause issue on quic_conn alloc failure. commit 4ae29be18c5b212dd2a1a8e9fa0ee2fcb9dbb4b3 BUG/MINOR: quic: Possible endless loop in quic_lstnr_dghdlr() However, this procedure is less optimal. Indeed, qc_new_conn() performs many steps, thus it could be better to skip it on Initial CID collision, which can happen frequently. This patch restores the older order of operations, with CID collision check prior to quic_conn allocation. To ensure this does not cause again the same bug, the CID is removed in case of quic_conn alloc failure. This should prevent any loop as it ensures that a CID found in the global tree does not point to a NULL quic_conn, unless if CID is attach to a foreign thread. When this thread will parse a re-enqueued packet, either the quic_conn is already allocated or the CID has been removed, triggering a fresh CID and quic_conn allocation procedure.
2025-11-10 05:02:45 -05:00
quic_cid_register_seq_num(conn_id, qc);
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
qc_build_new_connection_id_frm(qc, conn_id);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
break;
}
MINOR: quic: handle all frame types on reception Ensure every frame types are handled in qc_parse_pkt_frms. Add an ABORT_NOW on the default case. This is safe as an unknown frame must be rejected prior via qc_parse_frm().
2024-02-15 08:42:54 -05:00
case QUIC_FT_PATH_CHALLENGE:
case QUIC_FT_PATH_RESPONSE:
/* TODO */
break;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
case QUIC_FT_CONNECTION_CLOSE:
BUG/MINOR: quic-be: handshake errors without connection stream closure This bug was revealed on backend side by reg-tests/ssl/del_ssl_crt-list.vtc when run wich QUIC connections. As expected by the test, a TLS alert is generated on servsr side. This latter sands a CONNECTION_CLOSE frame with a CRYPTO error (>= 0x100). In this case the client closes its QUIC connection. But the stream connection was not informed. This leads the connection to be closed after the server timeout expiration. It shouls be closed asap. This is the reason why reg-tests/ssl/del_ssl_crt-list.vtc could succeeds or failed, but only after a 5 seconds delay. To fix this, mimic the ssl_sock_io_cb() for TCP/SSL connections. Call the same code this patch implements with ssl_sock_handle_hs_error() to correctly handle the handshake errors. Note that some SSL counters were not incremented for both the backends and frontends. After such errors, ssl_sock_io_cb() start the mux after the connection has been flagged in error. This has as side effect to close the stream in conn_create_mux(). Must be backported to 3.3 only for backends. This is not sure at this time if this bug may impact the frontends.
2025-11-28 05:27:54 -05:00
/* Nothing to do for non crypto errors */
if ((frm->connection_close.error_code & QC_ERR_CRYPTO_ERROR) && qc->conn) {
ssl_sock_handle_hs_error(qc->conn);
if (objt_server(qc->conn->target) && !qc->conn->mux) {
/* This has as side effect to close the connection stream */
if (conn_create_mux(qc->conn, NULL) >= 0)
MINOR: connection: track mux calls to report their allocation context Most calls to mux ops were instrumented with a CALL_MUX_WITH_RET() or CALL_MUX_NO_RET() macro in order to make the current thread's context point to the called mux and be able to track its allocations. Only a bunch of harmless mux_ctl() and ->subscribe/unsubscribe calls were left untouched since useless. But destroy/detach/shut/init/snd_buf and rcv_buf are now tracked. It will not show allocations performed in IO callback via tasklet wakeups however. In order to ease reading of the output, cmp_memprof_ctx() knows about muxes and sorts based on the .subscribe function address instead of the mux_ops address so as to keep various callers grouped.
2026-03-11 05:28:25 -04:00
CALL_MUX_NO_RET(qc->conn->mux, wake(qc->conn));
BUG/MINOR: quic-be: handshake errors without connection stream closure This bug was revealed on backend side by reg-tests/ssl/del_ssl_crt-list.vtc when run wich QUIC connections. As expected by the test, a TLS alert is generated on servsr side. This latter sands a CONNECTION_CLOSE frame with a CRYPTO error (>= 0x100). In this case the client closes its QUIC connection. But the stream connection was not informed. This leads the connection to be closed after the server timeout expiration. It shouls be closed asap. This is the reason why reg-tests/ssl/del_ssl_crt-list.vtc could succeeds or failed, but only after a 5 seconds delay. To fix this, mimic the ssl_sock_io_cb() for TCP/SSL connections. Call the same code this patch implements with ssl_sock_handle_hs_error() to correctly handle the handshake errors. Note that some SSL counters were not incremented for both the backends and frontends. After such errors, ssl_sock_io_cb() start the mux after the connection has been flagged in error. This has as side effect to close the stream in conn_create_mux(). Must be backported to 3.3 only for backends. This is not sure at this time if this bug may impact the frontends.
2025-11-28 05:27:54 -05:00
}
}
__fallthrough;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
case QUIC_FT_CONNECTION_CLOSE_APP:
/* Increment the error counters */
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
quic_conn_closed_err_count_inc(qc, frm);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (!(qc->flags & QUIC_FL_CONN_DRAINING)) {
TRACE_STATE("Entering draining state", QUIC_EV_CONN_PRSHPKT, qc);
/* RFC 9000 10.2. Immediate Close:
* The closing and draining connection states exist to ensure
* that connections close cleanly and that delayed or reordered
* packets are properly discarded. These states SHOULD persist
* for at least three times the current PTO interval...
*
* Rearm the idle timeout only one time when entering draining
* state.
*/
qc->flags |= QUIC_FL_CONN_DRAINING|QUIC_FL_CONN_IMMEDIATE_CLOSE;
qc_detach_th_ctx_list(qc, 1);
qc_idle_timer_do_rearm(qc, 0);
qc_notify_err(qc);
}
break;
case QUIC_FT_HANDSHAKE_DONE:
MINOR: quic: prefer qc_is_back() usage over qc->target Previously quic_conn <target> member was used to determine if quic_conn was used on the frontend (as server) or backend side (as client). A new helper function can now be used to directly check flag QUIC_FL_CONN_IS_BACK. This reduces the dependency between quic_conn and their relative listener/server instances.
2025-08-06 10:19:38 -04:00
if (!qc_is_back(qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("non accepted QUIC_FT_HANDSHAKE_DONE frame",
QUIC_EV_CONN_PRSHPKT, qc);
BUG/MINOR: quic: reject HANDSHAKE_DONE as server As specified in RFC 9000, a client must never emit a HANDSHAKE_DONE frame. If this happens, the server must close the connection with error PROTOCOL VIOLATION. Previously, such a frame was silently discarded on server side. The connection remained opened which is not conformant to the specification. This should be backported up to 2.6.
2024-02-14 12:13:08 -05:00
/* RFC 9000 19.20. HANDSHAKE_DONE Frames
*
* A
* server MUST treat receipt of a HANDSHAKE_DONE frame as a connection
* error of type PROTOCOL_VIOLATION.
*/
quic_set_connection_close(qc, quic_err_transport(QC_ERR_PROTOCOL_VIOLATION));
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
goto err;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
qc->state = QUIC_HS_ST_CONFIRMED;
break;
default:
MINOR: quic: refactor frame parsing This patch refactors parsing in QUIC frame module. Function qc_parse_frm() has been splitted in three : * qc_parse_frm_type() * qc_parse_frm_pkt() * qc_parse_frm_payload() No functional change. The main objective of this patch is to facilitate a QMux implementation. One of the gain is the ability to manipulate QUIC frames without any reference to a QUIC packet as it is irrelevant for QMux. Also, quic_set_connection_close() calls are extracted as this relies on qc type. The caller is now responsible to set the required error code.
2025-02-19 08:53:14 -05:00
/* Unknown frame type must be rejected by qc_parse_frm_type(). */
MINOR: quic: handle all frame types on reception Ensure every frame types are handled in qc_parse_pkt_frms. Add an ABORT_NOW on the default case. This is safe as an unknown frame must be rejected prior via qc_parse_frm().
2024-02-15 08:42:54 -05:00
ABORT_NOW();
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
if (frm)
qc_frm_free(qc, &frm);
BUG/MINOR: quic: ensure handshake speed up is only run once per conn When a duplicated CRYPTO frame is received during handshake, a server may consider that there was a packet loss and immediately retransmit its pending CRYPTO data without having to wait for PTO expiration. However, RFC 9002 indicates that this should only be performed at most once per connection to avoid excessive packet transmission. QUIC connection is flagged with QUIC_FL_CONN_HANDSHAKE_SPEED_UP to mark that a fast retransmit has been performed. However, during the refactoring on CRYPTO handling with the storage conversion from ncbuf to ncbmbuf, the check on the flag was accidentely removed. The faulty patch is the following one : commit f50425c021eceb324add6873b58cc5f366554d31 MINOR: quic: remove received CRYPTO temporary tree storage This patch adds again the check on QUIC_FL_CONN_HANDSHAKE_SPEED_UP before initiating fast retransmit. This ensures this is only performed once per connection. This must be backported up to 3.3.
2026-02-11 05:34:15 -05:00
/* RFC 9002 6.2.3. Speeding up Handshake Completion
*
* To speed up handshake completion under these conditions, an endpoint
* MAY, for a limited number of times per connection, send a packet
* containing unacknowledged CRYPTO data earlier than the PTO expiry,
* subject to the address validation limits in Section 8.1 of [QUIC-
* TRANSPORT]. Doing so at most once for each connection is adequate to
* quickly recover from a single packet loss.
*/
if (fast_retrans && !(qc->flags & QUIC_FL_CONN_HANDSHAKE_SPEED_UP) &&
qc->iel && qc->hel) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
struct quic_enc_level *iqel = qc->iel;
struct quic_enc_level *hqel = qc->hel;
TRACE_PROTO("speeding up handshake completion", QUIC_EV_CONN_PRSHPKT, qc);
qc_prep_hdshk_fast_retrans(qc, &iqel->pktns->tx.frms, &hqel->pktns->tx.frms);
qc->flags |= QUIC_FL_CONN_HANDSHAKE_SPEED_UP;
}
/* The server must switch from INITIAL to HANDSHAKE handshake state when it
* has successfully parse a Handshake packet. The Initial encryption must also
* be discarded.
*/
MINOR: quic: prefer qc_is_back() usage over qc->target Previously quic_conn <target> member was used to determine if quic_conn was used on the frontend (as server) or backend side (as client). A new helper function can now be used to directly check flag QUIC_FL_CONN_IS_BACK. This reduces the dependency between quic_conn and their relative listener/server instances.
2025-08-06 10:19:38 -04:00
if (pkt->type == QUIC_PACKET_TYPE_HANDSHAKE && !qc_is_back(qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (qc->state >= QUIC_HS_ST_SERVER_INITIAL) {
if (qc->ipktns && !quic_tls_pktns_is_dcd(qc, qc->ipktns)) {
/* Discard the handshake packet number space. */
TRACE_PROTO("discarding Initial pktns", QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic-be: address validation support implementation (RETRY) - Add ->retry_token and ->retry_token_len new quic_conn struct members to store the retry tokens. These objects are allocated by quic_rx_packet_parse() and released by quic_conn_release(). - Add <pool_head_quic_retry_token> new pool for these tokens. - Implement quic_retry_packet_check() to check the integrity tag of these tokens upon RETRY packets receipt. quic_tls_generate_retry_integrity_tag() is called by this new function. It has been modified to pass the address where the tag must be generated - Add <resend> new parameter to quic_pktns_discard(). This function is called to discard the packet number spaces where the already TX packets and frames are attached to. <resend> allows the caller to prevent this function to release the in flight TX packets/frames. The frames are requeued to be resent. - Modify quic_rx_pkt_parse() to handle the RETRY packets. What must be done upon such packets receipt is: - store the retry token, - store the new peer SCID as the DCID of the connection. Note that the peer will modify again its SCID. This is why this SCID is also stored as the ODCID which must be matched with the peer retry_source_connection_id transport parameter, - discard the Initial packet number space without flagging it as discarded and prevent retransmissions calling qc_set_timer(), - modify the TLS cryptographic cipher contexts (RX/TX), - wakeup the I/O handler to send new Initial packets asap. - Modify quic_transport_param_decode() to handle the retry_source_connection_id transport parameter as a QUIC client. Then its caller is modified to check this transport parameter matches with the SCID sent by the peer with the RETRY packet.
2025-06-25 12:11:24 -04:00
quic_pktns_discard(qc->ipktns, qc, 0);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
qc_set_timer(qc);
qc_el_rx_pkts_del(qc->iel);
qc_release_pktns_frms(qc, qc->ipktns);
}
if (qc->state < QUIC_HS_ST_SERVER_HANDSHAKE)
qc->state = QUIC_HS_ST_SERVER_HANDSHAKE;
}
}
TRACE_LEAVE(QUIC_EV_CONN_PRSHPKT, qc);
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
return 1;
err:
MINOR: quic: use dynamically allocated frame on parsing qc_parse_pkt_frms() is the function responsible to parse a received QUIC packet. Payload is decoded and splitted into individual frames which are then handled individually. Previously, frame was used as locally stack allocated. Change this to work on a dynamically allocated frame. This commit does bring any functional changes. However, it will be useful to extend packet parsing. In particular, it will be necessary to save some frames during parsing to reparse them after the others.
2024-11-05 10:33:27 -05:00
if (frm)
qc_frm_free(qc, &frm);
BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO A ClientHello may be splitted accross several different CRYPTO frames, then mixed in a single QUIC packet. This is used notably by clients such as chrome to render the first Initial packet opaque to middleboxes. Each packet frame is handled sequentially. Out-of-order CRYPTO frames are buffered in a ncbuf, until gaps are filled and data is transferred to the SSL stack. If CRYPTO frames are heavily splitted with small fragments, buffering may fail as ncbuf does not support small gaps. This causes the whole packet to be rejected and unacknowledged. It could be solved if the client reemits its ClientHello after remixing its CRYPTO frames. This patch is written to improve CRYPTO frame parsing. Each CRYPTO frames which cannot be buffered due to ncbuf limitation are now stored in a temporary list. Packet parsing is completed until all frames have been handled. If temporary list is not empty, reparsing is done on the stored frames. With the newly buffered CRYPTO frames, ncbuf insert operation may this time succeeds if the frame now covers a whole gap. Reparsing will loop until either no progress can be made or it has been done at least 3 times, to prevent CPU utilization. This patch should fix github issue #2776. This should be backported up to 2.6, after a period of observation. Note that it relies on the following refactor patches : MINOR: quic: extend return value of CRYPTO parsing MINOR: quic: use dynamically allocated frame on parsing MINOR: quic: simplify qc_parse_pkt_frms() return path
2024-11-04 11:28:02 -05:00
MINOR: quic: simplify qc_parse_pkt_frms() return path Change qc_parse_pkt_frms() return path for normal and error cases. Most notably, it allows to remove local variable ret as now return value is hardcoded on normal and err label. This also allows to define a different trace for error leaving code.
2024-11-04 12:17:01 -05:00
TRACE_DEVEL("leaving on error", QUIC_EV_CONN_PRSHPKT, qc);
return 0;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
/* Detect the value of the spin bit to be used. */
static inline void qc_handle_spin_bit(struct quic_conn *qc, struct quic_rx_packet *pkt,
struct quic_enc_level *qel)
{
uint64_t largest_pn = qel->pktns->rx.largest_pn;
if (qel != qc->ael || largest_pn == -1 ||
pkt->pn <= largest_pn)
return;
MINOR: quic: prefer qc_is_back() usage over qc->target Previously quic_conn <target> member was used to determine if quic_conn was used on the frontend (as server) or backend side (as client). A new helper function can now be used to directly check flag QUIC_FL_CONN_IS_BACK. This reduces the dependency between quic_conn and their relative listener/server instances.
2025-08-06 10:19:38 -04:00
if (!qc_is_back(qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (pkt->flags & QUIC_FL_RX_PACKET_SPIN_BIT)
qc->flags |= QUIC_FL_CONN_SPIN_BIT;
else
qc->flags &= ~QUIC_FL_CONN_SPIN_BIT;
}
else {
if (pkt->flags & QUIC_FL_RX_PACKET_SPIN_BIT)
qc->flags &= ~QUIC_FL_CONN_SPIN_BIT;
else
qc->flags |= QUIC_FL_CONN_SPIN_BIT;
}
}
/* Remove the header protection of packets at <el> encryption level.
* Always succeeds.
*/
static void qc_rm_hp_pkts(struct quic_conn *qc, struct quic_enc_level *el)
{
struct quic_rx_packet *pqpkt, *pkttmp;
TRACE_ENTER(QUIC_EV_CONN_ELRMHP, qc);
/* A server must not process incoming 1-RTT packets before the handshake is complete. */
MINOR: quic: prefer qc_is_back() usage over qc->target Previously quic_conn <target> member was used to determine if quic_conn was used on the frontend (as server) or backend side (as client). A new helper function can now be used to directly check flag QUIC_FL_CONN_IS_BACK. This reduces the dependency between quic_conn and their relative listener/server instances.
2025-08-06 10:19:38 -04:00
if (el == qc->ael && !qc_is_back(qc) && qc->state < QUIC_HS_ST_COMPLETE) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("RX hp not removed (handshake not completed)",
QUIC_EV_CONN_ELRMHP, qc);
goto out;
}
list_for_each_entry_safe(pqpkt, pkttmp, &el->rx.pqpkts, list) {
struct quic_tls_ctx *tls_ctx;
tls_ctx = qc_select_tls_ctx(qc, el, pqpkt->type, pqpkt->version);
if (!qc_do_rm_hp(qc, pqpkt, tls_ctx, el->pktns->rx.largest_pn,
pqpkt->data + pqpkt->pn_offset, pqpkt->data)) {
TRACE_ERROR("RX hp removing error", QUIC_EV_CONN_ELRMHP, qc);
}
else {
qc_handle_spin_bit(qc, pqpkt, el);
/* The AAD includes the packet number field */
pqpkt->aad_len = pqpkt->pn_offset + pqpkt->pnl;
/* Store the packet into the tree of packets to decrypt. */
pqpkt->pn_node.key = pqpkt->pn;
eb64_insert(&el->rx.pkts, &pqpkt->pn_node);
quic_rx_packet_refinc(pqpkt);
TRACE_PROTO("RX hp removed", QUIC_EV_CONN_ELRMHP, qc, pqpkt);
}
BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content Received QUIC packets are stored in quic_conn Rx buffer after header protection removal in qc_rx_pkt_handle(). These packets are then removed after quic_conn IO handler via qc_treat_rx_pkts(). If HP cannot be removed, packets are still copied into quic_conn Rx buffer. This can happen if encryption level TLS keys are not yet available. The packet remains in the buffer until HP can be removed and its content processed. An issue occurs if client emits a 0-RTT packet but haproxy does not have the shared secret, for example after a haproxy process restart. In this case, the packet is copied in quic_conn Rx buffer but its HP won't ever be removed. This prevents the buffer to be purged. After some time, if the client has emitted enough packets, Rx buffer won't have any space left and received packets are dropped. This will cause the connection to freeze. To fix this, remove any 0-RTT buffered packets on handshake completion. At this stage, 0-RTT packets are unnecessary anymore. The client is expected to reemit its content in 1-RTT packet which are properly deciphered. This can easily reproduce with HTTP/3 POST requests or retrieving a big enough object, which will fill the Rx buffer with ACK frames. Here is a picoquic command to provoke the issue on haproxy startup : $ picoquicdemo -Q -v 00000001 -a h3 <hostname> 20443 "/?s=1g" Note that allow-0rtt must be present on the bind line to trigger the issue. Else haproxy will reject any 0-RTT packets. This must be backported up to 2.6. This could be one of the reason for github issue #2549 but it's unsure for now.
2024-07-29 04:42:50 -04:00
LIST_DEL_INIT(&pqpkt->list);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
quic_rx_packet_refdec(pqpkt);
}
out:
TRACE_LEAVE(QUIC_EV_CONN_ELRMHP, qc);
}
/* Check if it's possible to remove header protection for packets related to
* encryption level <qel>. If <qel> is NULL, assume it's false.
*
* Return true if the operation is possible else false.
*/
static int qc_qel_may_rm_hp(struct quic_conn *qc, struct quic_enc_level *qel)
{
int ret = 0;
TRACE_ENTER(QUIC_EV_CONN_TRMHP, qc);
if (!qel)
goto cant_rm_hp;
if (!quic_tls_has_rx_sec(qel)) {
TRACE_PROTO("non available secrets", QUIC_EV_CONN_TRMHP, qc);
goto cant_rm_hp;
}
if (qel == qc->ael && qc->state < QUIC_HS_ST_COMPLETE) {
TRACE_PROTO("handshake not complete", QUIC_EV_CONN_TRMHP, qc);
goto cant_rm_hp;
}
/* check if the connection layer is ready before using app level */
MINOR: quic: remove <mux_state> field This patch removes <mux_state> field from quic_conn structure. The purpose of this field was to indicate if MUX layer above quic_conn is not yet initialized, active, or already released. It became tedious to properly set it as initialization order of the various quic_conn/conn/MUX layers now differ between the frontend and backend sides, and also depending if 0-RTT is used or not. Recently, a new change introduced in connect_server() will allow to initialize QUIC MUX earlier if ALPN is cached on the server structure. This had another level of complexity. Thus, this patch removes <mux_state> field completely. Instead, a new flag QUIC_FL_CONN_XPRT_CLOSED is defined. It is set at a single place only on close XPRT callback invokation. It can be mixed with the new utility functions qc_wait_for_conn()/qc_is_conn_ready() to determine the status of conn/MUX layers now without an extra quic_conn field.
2025-11-05 05:52:12 -05:00
if ((qel == qc->ael || qel == qc->eel) && qc_wait_for_conn(qc)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("connection layer not ready", QUIC_EV_CONN_TRMHP, qc);
goto cant_rm_hp;
}
ret = 1;
cant_rm_hp:
TRACE_LEAVE(QUIC_EV_CONN_TRMHP, qc);
return ret;
}
/* Process all the packets for all the encryption levels listed in <qc> QUIC connection.
* Return 1 if succeeded, 0 if not.
*/
int qc_treat_rx_pkts(struct quic_conn *qc)
{
int ret = 0;
struct eb64_node *node;
int64_t largest_pn = -1;
unsigned int largest_pn_time_received = 0;
struct quic_enc_level *qel, *qelbak;
TRACE_ENTER(QUIC_EV_CONN_RXPKT, qc);
list_for_each_entry_safe(qel, qelbak, &qc->qel_list, list) {
/* Treat packets waiting for header packet protection decryption */
if (!LIST_ISEMPTY(&qel->rx.pqpkts) && qc_qel_may_rm_hp(qc, qel))
qc_rm_hp_pkts(qc, qel);
node = eb64_first(&qel->rx.pkts);
while (node) {
struct quic_rx_packet *pkt;
pkt = eb64_entry(node, struct quic_rx_packet, pn_node);
TRACE_DATA("new packet", QUIC_EV_CONN_RXPKT,
qc, pkt, NULL, qc->xprt_ctx->ssl);
if (!qc_pkt_decrypt(qc, qel, pkt)) {
/* Drop the packet */
TRACE_ERROR("packet decryption failed -> dropped",
QUIC_EV_CONN_RXPKT, qc, pkt);
}
else {
if (!qc_parse_pkt_frms(qc, pkt, qel)) {
/* Drop the packet */
TRACE_ERROR("packet parsing failed -> dropped",
QUIC_EV_CONN_RXPKT, qc, pkt);
qc->cntrs.dropped_parsing++;
}
else {
struct quic_arng ar = { .first = pkt->pn, .last = pkt->pn };
MEDIUM: quic: adjust address validation When a new QUIC connection is created, server considers peer address as not yet validated. The server must limit its sending up to 3 times the content already received. This is a defensive measure to avoid flooding a remote host victim of address spoofing. This patch adjust the condition to consider the peer address as validated. Two conditions are now considered : * successful handling of a received HANDSHAKE packet. This was already done before although implemented in a different way. * validation of a Retry token. This was not considered prior this patch despite RFC recommandation. This patch also adjusts how a connection is internally labelled as using a validated peer address. Before, above conditions were checked via quic_peer_validated_addr(). Now, a flag QUIC_FL_CONN_PEER_VALIDATED_ADDR is set to labelled this. It already existed prior this patch but was only used for quic_cc_conn. This should now be more explicit.
2023-11-06 04:32:17 -05:00
/* RFC 9000 8.1. Address Validation during Connection Establishment
*
* Connection establishment implicitly provides address validation for
* both endpoints. In particular, receipt of a packet protected with
* Handshake keys confirms that the peer successfully processed an
* Initial packet.
*/
MINOR: quic: reduce half open counters scope Accounting is implemented for half open connections which represent QUIC connections waiting for handshake completion. When reaching a certain limit, Retry mechanism is automatically activated prior to instantiate new connections. The issue with this behavior is that two notions are mixed : QUIC connection handshake phase and Retry which is mechanism against amplification attacks. As such, only peer address validation should be taken into account to activate Retry protection. This patch chooses to reduce the scope of half_open_conn. Now only connection waiting to validate the peer address are now accounted for. Most notably, connections instantiated with a validated Retry token check are not accounted. One impact of this patch is that it should prevent to activate Retry mechanism too early, in particular in case if multiple handshakes are too slow. Another limitation should be implemented to protect against this scenario.
2023-11-06 05:36:26 -05:00
if (qel == qc->hel &&
!(qc->flags & QUIC_FL_CONN_PEER_VALIDATED_ADDR)) {
MEDIUM: quic: adjust address validation When a new QUIC connection is created, server considers peer address as not yet validated. The server must limit its sending up to 3 times the content already received. This is a defensive measure to avoid flooding a remote host victim of address spoofing. This patch adjust the condition to consider the peer address as validated. Two conditions are now considered : * successful handling of a received HANDSHAKE packet. This was already done before although implemented in a different way. * validation of a Retry token. This was not considered prior this patch despite RFC recommandation. This patch also adjusts how a connection is internally labelled as using a validated peer address. Before, above conditions were checked via quic_peer_validated_addr(). Now, a flag QUIC_FL_CONN_PEER_VALIDATED_ADDR is set to labelled this. It already existed prior this patch but was only used for quic_cc_conn. This should now be more explicit.
2023-11-06 04:32:17 -05:00
TRACE_STATE("validate peer address on handshake packet",
QUIC_EV_CONN_RXPKT, qc, pkt);
qc->flags |= QUIC_FL_CONN_PEER_VALIDATED_ADDR;
MINOR: quic: add BUG_ON() on half_open_conn counter access from BE half_open_conn is a proxy counter used to account for quic_conn in half-open state : this represents a connection whose address is not yet validated (handshake successful, or via token validation). This counter only has sense for the frontend side. Currently, code is safe as access is only performed if quic_conn is not yet flagged with QUIC_FL_CONN_PEER_VALIDATED_ADDR, which is always set for backend connections. To better reflect this, add a BUG_ON() when half_open_conn is incremented/decremented to ensure this never occurs for backend connections.
2026-02-20 05:05:40 -05:00
/* half_open_conn counter must not be manipulated by BE conns. */
BUG_ON(qc_is_back(qc) || !qc->prx_counters->half_open_conn);
MINOR: quic: reduce half open counters scope Accounting is implemented for half open connections which represent QUIC connections waiting for handshake completion. When reaching a certain limit, Retry mechanism is automatically activated prior to instantiate new connections. The issue with this behavior is that two notions are mixed : QUIC connection handshake phase and Retry which is mechanism against amplification attacks. As such, only peer address validation should be taken into account to activate Retry protection. This patch chooses to reduce the scope of half_open_conn. Now only connection waiting to validate the peer address are now accounted for. Most notably, connections instantiated with a validated Retry token check are not accounted. One impact of this patch is that it should prevent to activate Retry mechanism too early, in particular in case if multiple handshakes are too slow. Another limitation should be implemented to protect against this scenario.
2023-11-06 05:36:26 -05:00
HA_ATOMIC_DEC(&qc->prx_counters->half_open_conn);
MEDIUM: quic: adjust address validation When a new QUIC connection is created, server considers peer address as not yet validated. The server must limit its sending up to 3 times the content already received. This is a defensive measure to avoid flooding a remote host victim of address spoofing. This patch adjust the condition to consider the peer address as validated. Two conditions are now considered : * successful handling of a received HANDSHAKE packet. This was already done before although implemented in a different way. * validation of a Retry token. This was not considered prior this patch despite RFC recommandation. This patch also adjusts how a connection is internally labelled as using a validated peer address. Before, above conditions were checked via quic_peer_validated_addr(). Now, a flag QUIC_FL_CONN_PEER_VALIDATED_ADDR is set to labelled this. It already existed prior this patch but was only used for quic_cc_conn. This should now be more explicit.
2023-11-06 04:32:17 -05:00
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Update the list of ranges to acknowledge. */
BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree This may happen upon ack ranges allocation failures (from quic_update_ack_ranges_list(). This can lead to empty trees of ack ranges to be used to build ACK frames which is not good at all. Furthermore this is detected by a BUG_ON() (in qc_do_build_pkt()). To avoid this, simply update the acknowledgemen state of the connection only if quic_update_ack_ranges_list() succeeds, as it fails only in case of memory allocation failures. Must be backported as far as 2.6.
2023-11-07 12:27:50 -05:00
if (quic_update_ack_ranges_list(qc, &qel->pktns->rx.arngs, &ar)) {
if (pkt->flags & QUIC_FL_RX_PACKET_ACK_ELICITING) {
int arm_ack_timer =
qc->state >= QUIC_HS_ST_COMPLETE &&
qel->pktns == qc->apktns;
qel->pktns->flags |= QUIC_FL_PKTNS_ACK_REQUIRED;
qel->pktns->rx.nb_aepkts_since_last_ack++;
qc_idle_timer_rearm(qc, 1, arm_ack_timer);
}
if (pkt->pn > largest_pn) {
largest_pn = pkt->pn;
largest_pn_time_received = pkt->time_received;
}
}
else {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("Could not update ack range list",
QUIC_EV_CONN_RXPKT, qc);
BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree This may happen upon ack ranges allocation failures (from quic_update_ack_ranges_list(). This can lead to empty trees of ack ranges to be used to build ACK frames which is not good at all. Furthermore this is detected by a BUG_ON() (in qc_do_build_pkt()). To avoid this, simply update the acknowledgemen state of the connection only if quic_update_ack_ranges_list() succeeds, as it fails only in case of memory allocation failures. Must be backported as far as 2.6.
2023-11-07 12:27:50 -05:00
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
node = eb64_next(node);
eb64_delete(&pkt->pn_node);
quic_rx_packet_refdec(pkt);
}
if (largest_pn != -1 && largest_pn > qel->pktns->rx.largest_pn) {
/* Update the largest packet number. */
qel->pktns->rx.largest_pn = largest_pn;
/* Update the largest acknowledged packet timestamps */
qel->pktns->rx.largest_time_received = largest_pn_time_received;
qel->pktns->flags |= QUIC_FL_PKTNS_NEW_LARGEST_PN;
}
/* Release the Initial encryption level and packet number space. */
if ((qc->flags & QUIC_FL_CONN_IPKTNS_DCD) && qel == qc->iel) {
qc_enc_level_free(qc, &qc->iel);
quic_pktns_release(qc, &qc->ipktns);
}
largest_pn = -1;
}
out:
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_RXPKT, qc);
return ret;
}
/* Parse into <pkt> a long header located at <*pos> position, <end> begin a pointer to the end
* past one byte of this buffer.
*/
static inline int quic_packet_read_long_header(unsigned char **pos, const unsigned char *end,
struct quic_rx_packet *pkt)
{
int ret = 0;
unsigned char dcid_len, scid_len;
TRACE_ENTER(QUIC_EV_CONN_RXPKT);
if (end == *pos) {
TRACE_ERROR("buffer data consumed", QUIC_EV_CONN_RXPKT);
goto leave;
}
/* Destination Connection ID Length */
dcid_len = *(*pos)++;
/* We want to be sure we can read <dcid_len> bytes and one more for <scid_len> value */
if (dcid_len > QUIC_CID_MAXLEN || end - *pos < dcid_len + 1) {
TRACE_ERROR("too long DCID", QUIC_EV_CONN_RXPKT);
goto leave;
}
if (dcid_len) {
/* Check that the length of this received DCID matches the CID lengths
* of our implementation for non Initials packets only.
*/
if (pkt->version && pkt->version->num &&
pkt->type != QUIC_PACKET_TYPE_INITIAL &&
pkt->type != QUIC_PACKET_TYPE_0RTT &&
dcid_len != QUIC_HAP_CID_LEN) {
TRACE_ERROR("wrong DCID length", QUIC_EV_CONN_RXPKT);
goto leave;
}
memcpy(pkt->dcid.data, *pos, dcid_len);
}
pkt->dcid.len = dcid_len;
*pos += dcid_len;
/* Source Connection ID Length */
scid_len = *(*pos)++;
if (scid_len > QUIC_CID_MAXLEN || end - *pos < scid_len) {
TRACE_ERROR("too long SCID", QUIC_EV_CONN_RXPKT);
goto leave;
}
if (scid_len)
memcpy(pkt->scid.data, *pos, scid_len);
pkt->scid.len = scid_len;
*pos += scid_len;
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_RXPKT);
return ret;
}
/* Try to remove the header protection of <pkt> QUIC packet with <beg> the
* address of the packet first byte, using the keys from encryption level <el>.
*
* If header protection has been successfully removed, packet data are copied
* into <qc> Rx buffer. If <el> secrets are not yet available, the copy is also
* proceeded, and the packet is inserted into <qc> protected packets tree. In
* both cases, packet can now be considered handled by the <qc> connection.
*
* If header protection cannot be removed due to <el> secrets already
* discarded, no operation is conducted.
*
* Returns 1 on success : packet data is now handled by the connection. On
* error 0 is returned : packet should be dropped by the caller.
*/
static int qc_try_rm_hp(struct quic_conn *qc, struct quic_rx_packet *pkt,
unsigned char *beg, struct quic_enc_level **el)
{
int ret = 0;
unsigned char *pn = NULL; /* Packet number field */
enum quic_tls_enc_level tel;
struct quic_enc_level *qel;
/* Only for traces. */
TRACE_ENTER(QUIC_EV_CONN_TRMHP, qc);
BUG_ON(!pkt->pn_offset);
/* The packet number is here. This is also the start minus
* QUIC_PACKET_PN_MAXLEN of the sample used to add/remove the header
* protection.
*/
pn = beg + pkt->pn_offset;
tel = quic_packet_type_enc_level(pkt->type);
qel = qc_quic_enc_level(qc, tel);
if (!qel) {
struct quic_enc_level **qc_qel = qel_to_qel_addr(qc, tel);
struct quic_pktns **qc_pktns = qel_to_quic_pktns(qc, tel);
if (!qc_enc_level_alloc(qc, qc_pktns, qc_qel, quic_to_ssl_enc_level(tel))) {
TRACE_PROTO("Could not allocated an encryption level", QUIC_EV_CONN_ADDDATA, qc);
goto out;
}
qel = *qc_qel;
}
if (qc_qel_may_rm_hp(qc, qel)) {
struct quic_tls_ctx *tls_ctx =
qc_select_tls_ctx(qc, qel, pkt->type, pkt->version);
/* Note that the following function enables us to unprotect the packet
* number and its length subsequently used to decrypt the entire
* packets.
*/
if (!qc_do_rm_hp(qc, pkt, tls_ctx,
qel->pktns->rx.largest_pn, pn, beg)) {
TRACE_PROTO("hp error", QUIC_EV_CONN_TRMHP, qc);
goto out;
}
qc_handle_spin_bit(qc, pkt, qel);
/* The AAD includes the packet number field. */
pkt->aad_len = pkt->pn_offset + pkt->pnl;
if (pkt->len - pkt->aad_len < QUIC_TLS_TAG_LEN) {
TRACE_PROTO("Too short packet", QUIC_EV_CONN_TRMHP, qc);
goto out;
}
TRACE_PROTO("RX hp removed", QUIC_EV_CONN_TRMHP, qc, pkt);
}
else {
TRACE_PROTO("RX hp not removed", QUIC_EV_CONN_TRMHP, qc, pkt);
LIST_APPEND(&qel->rx.pqpkts, &pkt->list);
quic_rx_packet_refinc(pkt);
}
*el = qel;
/* No reference counter incrementation here!!! */
LIST_APPEND(&qc->rx.pkt_list, &pkt->qc_rx_pkt_list);
memcpy(b_tail(&qc->rx.buf), beg, pkt->len);
pkt->data = (unsigned char *)b_tail(&qc->rx.buf);
b_add(&qc->rx.buf, pkt->len);
ret = 1;
out:
MINOR: quic: Add more information about RX packets This patch is very useful to debug issues at RX packet processing level. Should be easily backported as far as 2.6 (for debug purposes).
2025-09-02 04:48:33 -04:00
TRACE_LEAVE(QUIC_EV_CONN_TRMHP, qc, pkt);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
return ret;
}
REORG: quic: Move several inlined functions from quic_conn.h Move quic_pkt_type(), quic_saddr_cpy(), quic_write_uint32(), max_available_room(), max_stream_data_size(), quic_packet_number_length(), quic_packet_number_encode() and quic_compute_ack_delay_us() to quic_tx.c because only used in this file. Also move quic_ack_delay_ms() and quic_read_uint32() to quic_tx.c because they are used only in this file. Move quic_rx_packet_refinc() and quic_rx_packet_refdec() to quic_rx.h header. Move qc_el_rx_pkts(), qc_el_rx_pkts_del() and qc_list_qel_rx_pkts() to quic_tls.h header.
2023-11-27 05:34:03 -05:00
/* Return a 32-bits integer in <val> from QUIC packet with <buf> as address.
* Makes <buf> point to the data after this 32-bits value if succeeded.
* Note that these 32-bits integers are network bytes ordered.
* Returns 0 if failed (not enough data in the buffer), 1 if succeeded.
*/
static inline int quic_read_uint32(uint32_t *val,
const unsigned char **buf,
const unsigned char *end)
{
if (end - *buf < sizeof *val)
return 0;
BUG/MEDIUM: quic: don't blindly rely on unaligned accesses There are several places where the QUIC low-level code performs unaligned accesses by casting unaligned char* pointers to uint32_t, but this is totally forbidden as it only works on machines that support unaligned accesses, and either crashes on other ones (SPARC, MIPS), can result in reading garbage (ARMv5) or be very slow due to the access being emulated (RISC-V). We do have functions for this, such as read_u32() and write_u32() that rely on the compiler's knowledge of the machine's capabilities to either perform an unaligned access or do it one byte at a time. This must be backported at least as far as 2.6. Some of the code moved a few times since, so in order to figure the points that need to be fixed, one may look for a forced pointer cast without having verified that either the machine is compatible or that the pointer is aligned using this: $ git grep 'uint[36][24]_t \*)' Or build and run the code on a MIPS or SPARC and perform requests using curl to see if they work or crash with a bus error. All the places fixed in this commit were found thanks to an immediate crash on the first request. This was tagged medium because the affected archs are not the most common ones where QUIC will be found these days.
2024-04-05 17:54:17 -04:00
*val = ntohl(read_u32(*buf));
REORG: quic: Move several inlined functions from quic_conn.h Move quic_pkt_type(), quic_saddr_cpy(), quic_write_uint32(), max_available_room(), max_stream_data_size(), quic_packet_number_length(), quic_packet_number_encode() and quic_compute_ack_delay_us() to quic_tx.c because only used in this file. Also move quic_ack_delay_ms() and quic_read_uint32() to quic_tx.c because they are used only in this file. Move quic_rx_packet_refinc() and quic_rx_packet_refdec() to quic_rx.h header. Move qc_el_rx_pkts(), qc_el_rx_pkts_del() and qc_list_qel_rx_pkts() to quic_tls.h header.
2023-11-27 05:34:03 -05:00
*buf += sizeof *val;
return 1;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Parse a QUIC packet header starting at <pos> position without exceeding <end>.
* Version and type are stored in <pkt> packet instance. Type is set to unknown
* on two occasions : for unsupported version, in this case version field is
* set to NULL; for Version Negotiation packet with version number set to 0.
*
* Returns 1 on success else 0.
*/
int qc_parse_hd_form(struct quic_rx_packet *pkt,
unsigned char **pos, const unsigned char *end)
{
uint32_t version;
int ret = 0;
const unsigned char byte0 = **pos;
TRACE_ENTER(QUIC_EV_CONN_RXPKT);
pkt->version = NULL;
pkt->type = QUIC_PACKET_TYPE_UNKNOWN;
(*pos)++;
if (byte0 & QUIC_PACKET_LONG_HEADER_BIT) {
unsigned char type =
(byte0 >> QUIC_PACKET_TYPE_SHIFT) & QUIC_PACKET_TYPE_BITMASK;
/* Version */
if (!quic_read_uint32(&version, (const unsigned char **)pos, end)) {
TRACE_ERROR("could not read the packet version", QUIC_EV_CONN_RXPKT);
goto out;
}
pkt->version = qc_supported_version(version);
if (version && pkt->version) {
if (version != QUIC_PROTOCOL_VERSION_2) {
pkt->type = type;
}
else {
switch (type) {
case 0:
pkt->type = QUIC_PACKET_TYPE_RETRY;
break;
case 1:
pkt->type = QUIC_PACKET_TYPE_INITIAL;
break;
case 2:
pkt->type = QUIC_PACKET_TYPE_0RTT;
break;
case 3:
pkt->type = QUIC_PACKET_TYPE_HANDSHAKE;
break;
}
}
}
}
else {
if (byte0 & QUIC_PACKET_SPIN_BIT)
pkt->flags |= QUIC_FL_RX_PACKET_SPIN_BIT;
pkt->type = QUIC_PACKET_TYPE_SHORT;
}
ret = 1;
out:
TRACE_LEAVE(QUIC_EV_CONN_RXPKT);
return ret;
}
/* Check that all the bytes between <pos> included and <end> address
* excluded are null. This is the responsibility of the caller to
* check that there is at least one byte between <pos> end <end>.
* Return 1 if this all the bytes are null, 0 if not.
*/
static inline int quic_padding_check(const unsigned char *pos,
const unsigned char *end)
{
while (pos < end && !*pos)
pos++;
return pos == end;
}
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
/* Validate the token, retry or not (provided by NEW_TOKEN) parsed into
* <pkt> RX packet from <dgram> datagram.
CLEANUP: assorted typo fixes in the code, commits and doc
2025-04-02 14:44:22 -04:00
* Return 1 if succeeded, 0 if not.
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
*/
static inline int quic_token_validate(struct quic_rx_packet *pkt,
struct quic_dgram *dgram,
struct listener *l, struct quic_conn *qc,
struct quic_cid *odcid)
{
int ret = 0;
TRACE_ENTER(QUIC_EV_CONN_LPKT, qc);
switch (*pkt->token) {
case QUIC_TOKEN_FMT_RETRY:
ret = quic_retry_token_check(pkt, dgram, l, qc, odcid);
break;
case QUIC_TOKEN_FMT_NEW:
ret = quic_token_check(pkt, dgram, qc);
if (!ret) {
/* Fallback to a retry token in case of any error. */
dgram->flags |= QUIC_DGRAM_FL_SEND_RETRY;
}
break;
default:
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc, NULL, NULL, pkt->version);
break;
}
if (!ret)
goto err;
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc);
return ret;
err:
TRACE_DEVEL("leaving in error", QUIC_EV_CONN_LPKT, qc);
goto leave;
}
MINOR: quic: get rid of ->target quic_conn struct member The ->li (struct listener *) member of quic_conn struct was replaced by a ->target (struct obj_type *) member by this commit: MINOR: quic-be: get rid of ->li quic_conn member to abstract the connection type (front or back) when implementing QUIC for the backends. In these cases, ->target was a pointer to the ojb_type of a server struct. This could not work with the dynamic servers contrary to the listeners which are not dynamic. This patch almost reverts the one mentioned above. ->target pointer to obj_type member is replaced by ->li pointer to listener struct member. As the listener are not dynamic, this is easy to do this. All one has to do is to replace the objt_listener(qc->target) statement by qc->li where applicable. For the backend connection, when needed, this is always qc->conn->target which is used only when qc->conn is initialized. The only "problematic" case is for quic_dgram_parse() which takes a pointer to an obj_type as third argument. But this obj_type is only used to call quic_rx_pkt_parse(). Inside this function it is used to access the proxy counters of the connection thanks to qc_counters(). So, this obj_type argument may be null for now on with this patch. This is the reason why qc_counters() is modified to take this into consideration.
2025-09-09 05:49:33 -04:00
/* Listener only function.
*
* Find the associated connection to the packet <pkt> or create a new one if
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
* this is an Initial packet. <dgram> is the datagram containing the packet and
* <l> is the listener instance on which it was received.
*
* By default, <new_tid> is set to -1. However, if thread affinity has been
* chanbed, it will be set to its new thread ID.
*
* Returns the quic-conn instance or NULL if not found or thread affinity
* changed.
*/
static struct quic_conn *quic_rx_pkt_retrieve_conn(struct quic_rx_packet *pkt,
struct quic_dgram *dgram,
struct listener *l,
int *new_tid)
{
struct quic_cid token_odcid = { .len = 0 };
struct quic_conn *qc = NULL;
struct proxy *prx;
struct quic_counters *prx_counters;
TRACE_ENTER(QUIC_EV_CONN_LPKT);
*new_tid = -1;
prx = l->bind_conf->frontend;
prx_counters = EXTRA_COUNTERS_GET(prx->extra_counters_fe, &quic_stats_module);
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
qc = retrieve_qc_conn_from_cid(pkt, (struct sockaddr_storage *)&dgram->saddr, new_tid);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
MINOR: quic: add 2 BUG_ON() on datagram dispatch QUIC datagram dispatch is an error prone operation as it must always ensure the correct thread is used before accessing to the recipient quic_conn instance. Strengthen this code part by adding two BUG_ON_HOT() to ensure thread safety.
2024-07-01 04:15:58 -04:00
/* quic_conn must be set to NULL if bind on another thread. */
BUG_ON_HOT(qc && *new_tid != -1);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* If connection already created or rebinded on another thread. */
if (!qc && *new_tid != -1 && tid != *new_tid)
goto out;
if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
BUG_ON(!pkt->version); /* This must not happen. */
if (!qc) {
struct quic_connection_id *conn_id;
MEDIUM: quic: limit handshake per listener Implement a limit per listener for concurrent number of QUIC connections. When reached, INITIAL packets for new connections are automatically dropped until the number of handshakes is reduced. The limit value is automatically based on listener backlog, which itself defaults to maxconn. This feature is important to ensure CPU and memory resources are not consume if too many handshakes attempt are started in parallel. Special care is taken if a connection is released before handshake completion. In this case, counter must be decremented. This forces to ensure that member <qc.state> is set early in qc_new_conn() before any quic_conn_release() invocation.
2023-11-06 10:34:38 -05:00
/* Reject INITIAL early if listener limits reached. */
if (unlikely(HA_ATOMIC_LOAD(&l->rx.quic_curr_handshake) >=
quic_listener_max_handshake(l))) {
TRACE_DATA("Drop INITIAL on max handshake",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto out;
}
MEDIUM: quic: define an accept queue limit QUIC connections are pushed manually into a dedicated listener queue when they are ready to be accepted. This happens after handshake finalization or on 0-RTT packet reception. Listener is then woken up to dequeue them with listener_accept(). This patch comptabilizes the number of connections currently stored in the accept queue. If reaching a certain limit, INITIAL packets are dropped on reception to prevent further QUIC connections allocation. This should help to preserve system resources. This limit is automatically derived from the listener backlog. Half of its value is reserved for handshakes and the other half for accept queues. By default, backlog is equal to maxconn which guarantee that there can't be no more than maxconn connections in handshake or waiting to be accepted.
2023-11-08 08:29:31 -05:00
if (unlikely(HA_ATOMIC_LOAD(&l->rx.quic_curr_accept) >=
quic_listener_max_accept(l))) {
TRACE_DATA("Drop INITIAL on max accept",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto out;
}
BUG/MINOR: quic: fix retry token check inconsistency A client may send multiple INITIAL packets if ClientHello is too big for only one. In case a Retry token is used, the client must reuse it for every INITIAL packets. On the haproxy server side, there was an inconsistency to handle these packets depending on the socket mode : * when using listener socket, token is always revalidated. * when using connection socket, token check is bypassed. This is because quic_conn instance is known through its socket and thus quic_rx_pkt_retrieve_conn() is not necessary. RFC 9000 does not seems to mandate retry token validation after the first INITIAL packet per connection. Thus, this patch chooses to bypass the check every time the connection instance is known, as this indicates that a previous token was already validated. This should be backported up to 2.7.
2023-11-09 10:44:50 -05:00
if (pkt->token_len) {
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
TRACE_PROTO("Initial with token", QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
/* Validate the token, retry or not only when connection is unknown. */
if (!quic_token_validate(pkt, dgram, l, qc, &token_odcid)) {
if (dgram->flags & QUIC_DGRAM_FL_SEND_RETRY) {
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (send_retry(l->rx.fd, (struct sockaddr_storage *)&dgram->saddr, pkt, pkt->version)) {
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
TRACE_ERROR("Error during Retry generation",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
}
else
HA_ATOMIC_INC(&prx_counters->retry_sent);
goto out;
}
BUG/MINOR: quic: fix retry token check inconsistency A client may send multiple INITIAL packets if ClientHello is too big for only one. In case a Retry token is used, the client must reuse it for every INITIAL packets. On the haproxy server side, there was an inconsistency to handle these packets depending on the socket mode : * when using listener socket, token is always revalidated. * when using connection socket, token check is bypassed. This is because quic_conn instance is known through its socket and thus quic_rx_pkt_retrieve_conn() is not necessary. RFC 9000 does not seems to mandate retry token validation after the first INITIAL packet per connection. Thus, this patch chooses to bypass the check every time the connection instance is known, as this indicates that a previous token was already validated. This should be backported up to 2.7.
2023-11-09 10:44:50 -05:00
goto err;
BUG/MEDIUM: quic: always validate sender address on 0-RTT It has been reported by Wedl Michael, a student at the University of Applied Sciences St. Poelten, a potential vulnerability into haproxy as described below. An attacker could have obtained a TLS session ticket after having established a connection to an haproxy QUIC listener, using its real IP address. The attacker has not even to send a application level request (HTTP3). Then the attacker could open a 0-RTT session with a spoofed IP address trusted by the QUIC listen to bypass IP allow/block list and send HTTP3 requests. To mitigate this vulnerability, one decided to use a token which can be provided to the client each time it successfully managed to connect to haproxy. These tokens may be reused for future connections to validate the address/path of the remote peer as this is done with the Retry token which is used for the current connection, not the next one. Such tokens are transported by NEW_TOKEN frames which was not used at this time by haproxy. So, each time a client connect to an haproxy QUIC listener with 0-RTT enabled, it is provided with such a token which can be reused for the next 0-RTT session. If no such a token is presented by the client, haproxy checks if the session is a 0-RTT one, so with early-data presented by the client. Contrary to the Retry token, the decision to refuse the connection is made only when the TLS stack has been provided with enough early-data from the Initial ClientHello TLS message and when these data have been accepted. Hopefully, this event arrives fast enough to allow haproxy to kill the connection if some early-data have been accepted without token presented by the client. quic_build_post_handshake_frames() has been modified to build a NEW_TOKEN frame with this newly implemented token to be transported inside. quic_tls_derive_retry_token_secret() was renamed to quic_do_tls_derive_token_secre() and modified to be reused and derive the secret for the new token implementation. quic_token_validate() has been implemented to validate both the Retry and the new token implemented by this patch. When this is a non-retry token which could not be validated, the datagram received is marked as requiring a Retry packet to be sent, and no connection is created. When the Initial packet does not embed any non-retry token and if 0-RTT is enabled the connection is marked with this new flag: QUIC_FL_CONN_NO_TOKEN_RCVD. As soon as the TLS stack detects that some early-data have been provided and accepted by the client, the connection is marked to be killed (QUIC_FL_CONN_TO_KILL) from ha_quic_add_handshake_data(). This is done calling qc_ssl_eary_data_accepted() new function. The secret TLS handshake is interrupted as soon as possible returnin 0 from ha_quic_add_handshake_data(). The connection is also marked as requiring a Retry packet to be sent (QUIC_FL_CONN_SEND_RETRY) from ha_quic_add_handshake_data(). The the handshake I/O handler (quic_conn_io_cb()) knows how to behave: kill the connection after having sent a Retry packet. About TLS stack compatibility, this patch is supported by aws-lc. It is disabled for wolfssl which does not support 0-RTT at this time thanks to HAVE_SSL_0RTT_QUIC. This patch depends on these commits: MINOR: quic: Add trace for QUIC_EV_CONN_IO_CB event. MINOR: quic: Implement qc_ssl_eary_data_accepted(). MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token struct) BUG/MINOR: quic: Missing incrementation in NEW_TOKEN frame builder MINOR: quic: Token for future connections implementation. MINOR: quic: Implement quic_tls_derive_token_secret(). MINOR: tools: Implement ipaddrcpy(). Must be backported as far as 2.6.
2024-08-30 09:38:54 -04:00
}
}
else {
TRACE_PROTO("Initial without token", QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
BUG/MINOR: quic: fix retry token check inconsistency A client may send multiple INITIAL packets if ClientHello is too big for only one. In case a Retry token is used, the client must reuse it for every INITIAL packets. On the haproxy server side, there was an inconsistency to handle these packets depending on the socket mode : * when using listener socket, token is always revalidated. * when using connection socket, token check is bypassed. This is because quic_conn instance is known through its socket and thus quic_rx_pkt_retrieve_conn() is not necessary. RFC 9000 does not seems to mandate retry token validation after the first INITIAL packet per connection. Thus, this patch chooses to bypass the check every time the connection instance is known, as this indicates that a previous token was already validated. This should be backported up to 2.7.
2023-11-09 10:44:50 -05:00
}
MEDIUM: quic: implement quic-initial rules Implement a new set of rules labelled as quic-initial. These rules as specific to QUIC. They are scheduled to be executed early on Initial packet parsing, prior a new QUIC connection instantiation. Contrary to tcp-request connection, this allows to reject traffic earlier, most notably by avoiding unnecessary QUIC SSL handshake processing. A new module quic_rules is created. Its main function quic_init_exec_rules() is called on Initial packet parsing in function quic_rx_pkt_retrieve_conn(). For the moment, only "accept" and "dgram-drop" are valid actions. Both are final. The latter drops silently the Initial packet instead of allocating a new QUIC connection.
2024-07-18 12:25:43 -04:00
MINOR: quic: pass quic_dgram as obj_type for quic-initial rules To extend quic-initial rules, pass quic_dgram instance to argument for the various actions. As such, quic_dgram is now supported as an obj_type and can be used in session origin field.
2024-07-19 10:04:22 -04:00
if (!quic_init_exec_rules(l, dgram)) {
MEDIUM: quic: implement quic-initial rules Implement a new set of rules labelled as quic-initial. These rules as specific to QUIC. They are scheduled to be executed early on Initial packet parsing, prior a new QUIC connection instantiation. Contrary to tcp-request connection, this allows to reject traffic earlier, most notably by avoiding unnecessary QUIC SSL handshake processing. A new module quic_rules is created. Its main function quic_init_exec_rules() is called on Initial packet parsing in function quic_rx_pkt_retrieve_conn(). For the moment, only "accept" and "dgram-drop" are valid actions. Both are final. The latter drops silently the Initial packet instead of allocating a new QUIC connection.
2024-07-18 12:25:43 -04:00
TRACE_USER("drop datagram on quic-initial rules", QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto err;
}
MINOR: quic: implement reject quic-initial action Define a new quic-initial action named "reject". Contrary to dgram-drop, the client is notified of the rejection by a CONNECTION_CLOSE with CONNECTION_REFUSED error code. To be able to emit the necessary CONNECTION_CLOSE frame, quic_conn is instantiated, contrary to dgram-drop action. quic_set_connection_close() is called immediatly after qc_new_conn() which prevents the handshake startup.
2024-07-19 11:39:04 -04:00
/* No need to emit Retry if connection is refused. */
if (!pkt->token_len && !(dgram->flags & QUIC_DGRAM_FL_REJECT)) {
if ((l->bind_conf->options & BC_O_QUIC_FORCE_RETRY) ||
MINOR: quic: rename retry-threshold setting A QUIC global tune setting is defined to be able to force Retry emission prior to handshake. By definition, this ability is only supported by QUIC servers, hence it is a frontend option only. Rename the option to use "fe" prefix. The old option name is deprecated and will be removed in 3.5
2025-08-05 07:35:33 -04:00
HA_ATOMIC_LOAD(&prx_counters->half_open_conn) >= quic_tune.fe.sec_retry_threshold ||
MINOR: quic: implement send-retry quic-initial rules Define a new quic-initial "send-retry" rule. This allows to force the emission of a Retry packet on an initial without token instead of instantiating a new QUIC connection.
2024-07-22 07:29:04 -04:00
(dgram->flags & QUIC_DGRAM_FL_SEND_RETRY)) {
MINOR: quic: implement reject quic-initial action Define a new quic-initial action named "reject". Contrary to dgram-drop, the client is notified of the rejection by a CONNECTION_CLOSE with CONNECTION_REFUSED error code. To be able to emit the necessary CONNECTION_CLOSE frame, quic_conn is instantiated, contrary to dgram-drop action. quic_set_connection_close() is called immediatly after qc_new_conn() which prevents the handshake startup.
2024-07-19 11:39:04 -04:00
TRACE_PROTO("Initial without token, sending retry",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (send_retry(l->rx.fd, (struct sockaddr_storage *)&dgram->saddr, pkt, pkt->version)) {
MINOR: quic: implement reject quic-initial action Define a new quic-initial action named "reject". Contrary to dgram-drop, the client is notified of the rejection by a CONNECTION_CLOSE with CONNECTION_REFUSED error code. To be able to emit the necessary CONNECTION_CLOSE frame, quic_conn is instantiated, contrary to dgram-drop action. quic_set_connection_close() is called immediatly after qc_new_conn() which prevents the handshake startup.
2024-07-19 11:39:04 -04:00
TRACE_ERROR("Error during Retry generation",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto out;
}
MINOR: quic: delay Retry emission on quic-force-retry Currently, quic Retry packets are emitted for two different reasons after processing an Initial without token : - quic-force-retry is set on bind-line - an abnormal number of half-open connection is currently detected Previously, these two conditions were checked separately in different functions during datagram parsing. Uniformize this by moving quic-force-retry check in quic_rx_pkt_retrieve_conn() along the second condition check. The purpose of this patch is to uniformize datagram parsing stages. It is necessary to implement quic-initial rules in quic_rx_pkt_retrieve_conn() prior to any Retry emission. This prevents to emit unnecessary Retry if an Initial is subject to a reject rule.
2024-07-19 11:37:52 -04:00
MINOR: quic: implement reject quic-initial action Define a new quic-initial action named "reject". Contrary to dgram-drop, the client is notified of the rejection by a CONNECTION_CLOSE with CONNECTION_REFUSED error code. To be able to emit the necessary CONNECTION_CLOSE frame, quic_conn is instantiated, contrary to dgram-drop action. quic_set_connection_close() is called immediatly after qc_new_conn() which prevents the handshake startup.
2024-07-19 11:39:04 -04:00
HA_ATOMIC_INC(&prx_counters->retry_sent);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto out;
}
}
/* RFC 9000 7.2. Negotiating Connection IDs:
* When an Initial packet is sent by a client that has not previously
* received an Initial or Retry packet from the server, the client
* populates the Destination Connection ID field with an unpredictable
* value. This Destination Connection ID MUST be at least 8 bytes in length.
*/
if (pkt->dcid.len < QUIC_ODCID_MINLEN) {
TRACE_PROTO("dropped packet",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto err;
}
pkt->saddr = dgram->saddr;
MINOR: quic: split global CID tree between FE and BE sides QUIC CIDs are stored in a global tree. Prior to this patch, CIDs used on both frontend and backend sides were mixed together. This patch implement CID storage separation between FE and BE sides. The original tre quic_cid_trees is splitted as quic_fe_cid_trees/quic_be_cid_trees. This patch should reduce contention between frontend and backend usages. Also, it should reduce the risk of random CID collision.
2025-11-21 11:21:26 -05:00
conn_id = quic_cid_alloc(QUIC_CID_SIDE_FE);
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
if (!conn_id) {
TRACE_ERROR("error on first CID allocation",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto err;
}
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (quic_cid_derive_from_odcid(conn_id, &pkt->dcid, (struct sockaddr_storage *)&pkt->saddr)) {
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
TRACE_ERROR("error on CID generation",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
pool_free(pool_head_quic_connection_id, conn_id);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto err;
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
MINOR: quic: remove access to CID global tree outside of quic_cid module haproxy generates for each QUIC connection a set of CID. The peer must reuse them as DCID for its emitted packet. On datagram reception, DCID field serves as identifier to dispatch them on their correct thread. These CIDs are stored in a global CID tree. Access to this data structure must always be protected with CID_LOCK. This commit is a refactoring to regroup all CID tree access in quic_cid module. Several code parts are ajusted : * quic_cid_insert() is extended to check for insertion race-condition. This is useful on quic_conn instantiation. Code where such race cannot happen can use unsafe _quic_cid_insert() instead. * on RETIRE_CONNECTION_ID frame reception, existing quic_cid_delete() function is used. * remove tree lookup from qc_check_dcid(), extracted in the new quic_cmp_cid_conn() function. Ultimately, the latter should be removed as CID lookup could be conducted on quic_conn owned tree without locking.
2024-06-27 12:08:54 -04:00
if (quic_cid_insert(conn_id, new_tid)) {
MINOR: quic: split CID alloc/generation function Split new_quic_cid() function into multiple ones. This patch should not introduce any visible change. The objective is to render CID allocation and generation more modular. The first advantage of this patch is to bring code simplication. In particular, conn CID sequence number increment and insertion into connection tree is simpler than before. Another improvment is also that errors could now be handled easier at each different steps of the CID init. This patch is a prerequisite for the fix on CID collision, thus it must be backported prior to it to every affected version.
2025-11-06 13:19:26 -05:00
/* Collision during CID insertion. This may
* happen when handling two Initial packets
* from the same client on different threads.
* <new_tid> will be set to redispatch the
* current packet.
*/
MINOR: quic: extend traces on CID allocation Add new traces to detect the CID generation method and also when an Initial packet is requeued due to CID collision.
2025-11-07 03:38:14 -05:00
TRACE_STATE("duplicate CID on Initial", QUIC_EV_CONN_LPKT);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
pool_free(pool_head_quic_connection_id, conn_id);
}
else {
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
qc = qc_new_conn(l, pkt, &token_odcid, NULL, conn_id,
(struct sockaddr_storage *)&dgram->daddr,
(struct sockaddr_storage *)&pkt->saddr);
MEDIUM/OPTIM: quic: alloc quic_conn after CID collision check On Initial packet parsing, a new quic_conn instance is allocated via qc_new_conn(). Then a CID is allocated with its value derivated from client ODCID. On CID tree insert, a collision can occur if another thread was already parsing an Initial packet from the same client. In this case, the connection is released and the packet will be requeued to the other thread. Originally, CID collision check was performed prior to quic_conn allocation. This was changed by the commit below, as this could cause issue on quic_conn alloc failure. commit 4ae29be18c5b212dd2a1a8e9fa0ee2fcb9dbb4b3 BUG/MINOR: quic: Possible endless loop in quic_lstnr_dghdlr() However, this procedure is less optimal. Indeed, qc_new_conn() performs many steps, thus it could be better to skip it on Initial CID collision, which can happen frequently. This patch restores the older order of operations, with CID collision check prior to quic_conn allocation. To ensure this does not cause again the same bug, the CID is removed in case of quic_conn alloc failure. This should prevent any loop as it ensures that a CID found in the global tree does not point to a NULL quic_conn, unless if CID is attach to a foreign thread. When this thread will parse a re-enqueued packet, either the quic_conn is already allocated or the CID has been removed, triggering a fresh CID and quic_conn allocation procedure.
2025-11-10 05:02:45 -05:00
if (qc == NULL) {
quic_cid_delete(conn_id); /* Removes CID from global tree as it points to a NULL qc. */
pool_free(pool_head_quic_connection_id, conn_id);
goto err;
}
/* Compute the hash used to derive extra CIDs. */
if (quic_hash64_from_cid) {
qc->hash64 = quic_hash64_from_cid(conn_id->cid.data, conn_id->cid.len,
global.cluster_secret, sizeof(global.cluster_secret));
}
quic_cid_register_seq_num(conn_id, qc);
MINOR: quic: implement reject quic-initial action Define a new quic-initial action named "reject". Contrary to dgram-drop, the client is notified of the rejection by a CONNECTION_CLOSE with CONNECTION_REFUSED error code. To be able to emit the necessary CONNECTION_CLOSE frame, quic_conn is instantiated, contrary to dgram-drop action. quic_set_connection_close() is called immediatly after qc_new_conn() which prevents the handshake startup.
2024-07-19 11:39:04 -04:00
if (dgram->flags & QUIC_DGRAM_FL_REJECT)
quic_set_connection_close(qc, quic_err_transport(QC_ERR_CONNECTION_REFUSED));
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
if (*new_tid != -1)
goto out;
}
}
else if (!qc) {
BUG/MINOR: quic: adjust restriction for stateless reset emission Review RFC 9000 and ensure restriction on Stateless reset are properly enforced. After careful examination, several changes are introduced. First, redefine minimal Stateless Reset emitted packet length to 21 bytes (5 random bytes + a token). This is the new default length used in every case, unless received packet which triggered it is 43 bytes or smaller. Ensure every Stateless Reset packets emitted are at 1 byte shorter than the received packet which triggered it. No Stateless reset will be emitted if this falls under the above limit of 21 bytes. Thus this should prevent looping issues. This should be backported up to 2.6.
2024-05-22 09:55:58 -04:00
/* Stateless Reset sent even for Long header packets as haproxy
* emits stateless_reset_token in its TPs.
*/
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("RX non Initial pkt without connection", QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (!send_stateless_reset(l, (struct sockaddr_storage *)&dgram->saddr, pkt))
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("stateless reset not sent", QUIC_EV_CONN_LPKT, qc);
goto err;
}
out:
TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc);
return qc;
err:
BUG/MINOR: quic: remove dead code in error path In quic_rx_pkt_retrieve_conn(), err label is now only used if qc is NULL. Thus, condition on qc can be removed. No need to backport. This issue was reported by coverity on github. This should fix issue #2338.
2023-11-10 09:23:58 -05:00
HA_ATOMIC_INC(&prx_counters->dropped_pkt);
MEDIUM: quic: count quic_conn instance for maxconn Increment actconn and check maxconn limit when a quic_conn is instantiated. This is necessary because prior to this patch, quic_conn instances where not counted. Global actconn was only incremented after the handshake has been completed and the connection structure is allocated. The increment is done using increment_actconn() on INITIAL packet parsing if a new connection is about to be created. If the limit is reached, the allocation is cancelled and the INITIAL packet is dropped. The decrement is done under quic_conn_release(). This means that quic_cc_conn instances are not taken into account. This seems safe enough because quic_cc_conn are only used for minimal usage. The counterpart of this change is that maxconn must not be checked a second time when listener_accept() is done over a QUIC connection. For this, a new bind_conf flag BC_O_XPRT_MAXCONN is set for listeners when maxconn is already counted by the lower layer. For the moment, it is positionned only for QUIC listeners. Without this patch, haproxy process could suffer from heavy memory/CPU load if the number of concurrent handshake is high. This patch is not considered a bug fix per-se. However, it has a major benefit to protect against too many QUIC handshakes. As such, it should be backported up to 2.6. For this, it relies on the following patch : "MINOR: frontend: implement a dedicated actconn increment function"
2023-10-25 04:52:23 -04:00
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return NULL;
}
/* Parse a QUIC packet starting at <pos>. Data won't be read after <end> even
* if the packet is incomplete. This function will populate fields of <pkt>
* instance, most notably its length. <dgram> is the UDP datagram which
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
* contains the parsed packet. <o> is the address object type address of the
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
* object which receives this received packet. <qc> is the QUIC connection,
* only valid for QUIC clients.
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
*
* Returns 0 on success else non-zero. Packet length is guaranteed to be set to
* the real packet value or to cover all data between <pos> and <end> : this is
* useful to reject a whole datagram.
*/
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
static int quic_rx_pkt_parse(struct quic_conn *qc, struct quic_rx_packet *pkt,
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
unsigned char *pos, const unsigned char *end,
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
struct quic_dgram *dgram, enum obj_type *o)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
const unsigned char *beg = pos;
struct quic_counters *prx_counters;
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
struct listener *l = objt_listener(o);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_LPKT);
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
prx_counters = qc_counters(o, &quic_stats_module);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (end <= pos) {
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
/* Fixed bit */
if (!(*pos & QUIC_PACKET_FIXED_BIT)) {
if (!(pkt->flags & QUIC_FL_RX_PACKET_DGRAM_FIRST) &&
quic_padding_check(pos, end)) {
/* Some browsers may pad the remaining datagram space with null bytes.
* That is what we called add padding out of QUIC packets. Such
* datagrams must be considered as valid. But we can only consume
* the remaining space.
*/
pkt->len = end - pos;
goto drop_silent;
}
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
/* Header form */
if (!qc_parse_hd_form(pkt, &pos, end)) {
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
if (pkt->type != QUIC_PACKET_TYPE_SHORT) {
uint64_t len;
TRACE_PROTO("long header packet received", QUIC_EV_CONN_LPKT);
if (!quic_packet_read_long_header(&pos, end, pkt)) {
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
/* When multiple QUIC packets are coalesced on the same UDP datagram,
* they must have the same DCID.
*/
if (!(pkt->flags & QUIC_FL_RX_PACKET_DGRAM_FIRST) &&
(pkt->dcid.len != dgram->dcid_len ||
MINOR: quic: store the DCID as an offset Using an offset instead of a pointer into the datagram buffer is less error-prone as we do not have to manually fixup that pointer when the datagram is moved somewhere else in memory.
2026-03-23 10:31:53 -04:00
memcmp(dgram->buf + dgram->dcid_off, pkt->dcid.data, pkt->dcid.len))) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
/* Retry of Version Negotiation packets are only sent by servers */
MINOR: quic-be: address validation support implementation (RETRY) - Add ->retry_token and ->retry_token_len new quic_conn struct members to store the retry tokens. These objects are allocated by quic_rx_packet_parse() and released by quic_conn_release(). - Add <pool_head_quic_retry_token> new pool for these tokens. - Implement quic_retry_packet_check() to check the integrity tag of these tokens upon RETRY packets receipt. quic_tls_generate_retry_integrity_tag() is called by this new function. It has been modified to pass the address where the tag must be generated - Add <resend> new parameter to quic_pktns_discard(). This function is called to discard the packet number spaces where the already TX packets and frames are attached to. <resend> allows the caller to prevent this function to release the in flight TX packets/frames. The frames are requeued to be resent. - Modify quic_rx_pkt_parse() to handle the RETRY packets. What must be done upon such packets receipt is: - store the retry token, - store the new peer SCID as the DCID of the connection. Note that the peer will modify again its SCID. This is why this SCID is also stored as the ODCID which must be matched with the peer retry_source_connection_id transport parameter, - discard the Initial packet number space without flagging it as discarded and prevent retransmissions calling qc_set_timer(), - modify the TLS cryptographic cipher contexts (RX/TX), - wakeup the I/O handler to send new Initial packets asap. - Modify quic_transport_param_decode() to handle the retry_source_connection_id transport parameter as a QUIC client. Then its caller is modified to check this transport parameter matches with the SCID sent by the peer with the RETRY packet.
2025-06-25 12:11:24 -04:00
if (l && (pkt->type == QUIC_PACKET_TYPE_RETRY || (pkt->version && !pkt->version->num))) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
/* RFC9000 6. Version Negotiation. A Version Negotiation packet is
* sent only by servers.
*/
if (l && !pkt->version) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* unsupported version, send Negotiation packet */
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (send_version_negotiation(l->rx.fd, (struct sockaddr_storage *)&dgram->saddr, pkt)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ERROR("VN packet not sent", QUIC_EV_CONN_LPKT);
goto drop_silent;
}
TRACE_PROTO("VN packet sent", QUIC_EV_CONN_LPKT);
goto drop_silent;
}
if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
MINOR: quic-be: address validation support implementation (RETRY) - Add ->retry_token and ->retry_token_len new quic_conn struct members to store the retry tokens. These objects are allocated by quic_rx_packet_parse() and released by quic_conn_release(). - Add <pool_head_quic_retry_token> new pool for these tokens. - Implement quic_retry_packet_check() to check the integrity tag of these tokens upon RETRY packets receipt. quic_tls_generate_retry_integrity_tag() is called by this new function. It has been modified to pass the address where the tag must be generated - Add <resend> new parameter to quic_pktns_discard(). This function is called to discard the packet number spaces where the already TX packets and frames are attached to. <resend> allows the caller to prevent this function to release the in flight TX packets/frames. The frames are requeued to be resent. - Modify quic_rx_pkt_parse() to handle the RETRY packets. What must be done upon such packets receipt is: - store the retry token, - store the new peer SCID as the DCID of the connection. Note that the peer will modify again its SCID. This is why this SCID is also stored as the ODCID which must be matched with the peer retry_source_connection_id transport parameter, - discard the Initial packet number space without flagging it as discarded and prevent retransmissions calling qc_set_timer(), - modify the TLS cryptographic cipher contexts (RX/TX), - wakeup the I/O handler to send new Initial packets asap. - Modify quic_transport_param_decode() to handle the retry_source_connection_id transport parameter as a QUIC client. Then its caller is modified to check this transport parameter matches with the SCID sent by the peer with the RETRY packet.
2025-06-25 12:11:24 -04:00
/* For Initial packets, and for servers (QUIC clients connections),
* there is no Initial connection IDs storage.
*/
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
uint64_t token_len;
if (!quic_dec_int(&token_len, (const unsigned char **)&pos, end) ||
end - pos < token_len) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto drop;
}
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
if (!l && pkt->token_len) {
/* A server must sent Initial packets with a null token length. */
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto drop;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
pkt->token = pos;
pkt->token_len = token_len;
pos += pkt->token_len;
}
MINOR: quic-be: address validation support implementation (RETRY) - Add ->retry_token and ->retry_token_len new quic_conn struct members to store the retry tokens. These objects are allocated by quic_rx_packet_parse() and released by quic_conn_release(). - Add <pool_head_quic_retry_token> new pool for these tokens. - Implement quic_retry_packet_check() to check the integrity tag of these tokens upon RETRY packets receipt. quic_tls_generate_retry_integrity_tag() is called by this new function. It has been modified to pass the address where the tag must be generated - Add <resend> new parameter to quic_pktns_discard(). This function is called to discard the packet number spaces where the already TX packets and frames are attached to. <resend> allows the caller to prevent this function to release the in flight TX packets/frames. The frames are requeued to be resent. - Modify quic_rx_pkt_parse() to handle the RETRY packets. What must be done upon such packets receipt is: - store the retry token, - store the new peer SCID as the DCID of the connection. Note that the peer will modify again its SCID. This is why this SCID is also stored as the ODCID which must be matched with the peer retry_source_connection_id transport parameter, - discard the Initial packet number space without flagging it as discarded and prevent retransmissions calling qc_set_timer(), - modify the TLS cryptographic cipher contexts (RX/TX), - wakeup the I/O handler to send new Initial packets asap. - Modify quic_transport_param_decode() to handle the retry_source_connection_id transport parameter as a QUIC client. Then its caller is modified to check this transport parameter matches with the SCID sent by the peer with the RETRY packet.
2025-06-25 12:11:24 -04:00
else if (pkt->type == QUIC_PACKET_TYPE_RETRY) {
BUG/MEDIUM: quic-be: quic_conn_closed buffer overflow This bug impacts only the backends. Recent commits have modified quic_rx_pkt_parse() for the QUIC backend to handle the retry token, and version negotiation. This function is called for the quic_conn even when is closing state (so for the quic_conn_closed struct). The quic_conn struct and quic_conn_closed struct share some members thank to the leading QUIC_CONN_COMMON struct. The recent modification impacts some members which do not exist for the quic_connn_closed struct, leading to buffer overflows if modified. For the backends only this patch: 1- silently drops the Retry packet (received/parsed only by backends) 2- silently drops the Initial packets received in closing state This is safe for the Initial packets because in closing state the datagrams are entirely skipped thanks to qc_rx_check_closing() in quic_dgram_parse(). No backport needed because the backend support arrived with the current dev.
2025-11-21 03:52:41 -05:00
if (qc->flags & QUIC_FL_CONN_CLOSING) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto drop;
}
MINOR: quic-be: address validation support implementation (RETRY) - Add ->retry_token and ->retry_token_len new quic_conn struct members to store the retry tokens. These objects are allocated by quic_rx_packet_parse() and released by quic_conn_release(). - Add <pool_head_quic_retry_token> new pool for these tokens. - Implement quic_retry_packet_check() to check the integrity tag of these tokens upon RETRY packets receipt. quic_tls_generate_retry_integrity_tag() is called by this new function. It has been modified to pass the address where the tag must be generated - Add <resend> new parameter to quic_pktns_discard(). This function is called to discard the packet number spaces where the already TX packets and frames are attached to. <resend> allows the caller to prevent this function to release the in flight TX packets/frames. The frames are requeued to be resent. - Modify quic_rx_pkt_parse() to handle the RETRY packets. What must be done upon such packets receipt is: - store the retry token, - store the new peer SCID as the DCID of the connection. Note that the peer will modify again its SCID. This is why this SCID is also stored as the ODCID which must be matched with the peer retry_source_connection_id transport parameter, - discard the Initial packet number space without flagging it as discarded and prevent retransmissions calling qc_set_timer(), - modify the TLS cryptographic cipher contexts (RX/TX), - wakeup the I/O handler to send new Initial packets asap. - Modify quic_transport_param_decode() to handle the retry_source_connection_id transport parameter as a QUIC client. Then its caller is modified to check this transport parameter matches with the SCID sent by the peer with the RETRY packet.
2025-06-25 12:11:24 -04:00
if (!quic_retry_packet_check(qc, pkt, beg, end, pos, &qc->retry_token_len))
/* TODO: should close the connection? */
goto drop;
qc->retry_token = pool_alloc(pool_head_quic_retry_token);
if (!qc->retry_token) {
TRACE_ERROR("retry token allocation failed", QUIC_EV_CONN_LPKT);
}
else {
memcpy(qc->retry_token, pos, qc->retry_token_len);
/* Save the peer Retry source connection ID into the connection ODCID.
* This is also this connection DCID (or even the first ODCID value).
* It can be erased because used only to check the retry integrity
* tag. Then, it will be matched against the retry_source_connection_id
* transport parameter which will be sent by the server.
*/
memcpy(qc->odcid.data, pkt->scid.data, pkt->scid.len);
qc->odcid.len = pkt->scid.len;
/* Copy the peer scid to be the destination of the next Initial packet */
memcpy(qc->dcid.data, pkt->scid.data, pkt->scid.len);
qc->dcid.len = pkt->scid.len;
/* Initial packet number space discarding without releasing
* the existing frames (not already sent).
*/
quic_pktns_discard(qc->ipktns, qc, 1);
qc_set_timer(qc);
qc_el_rx_pkts_del(qc->iel);
/* Reset the DISCARDED flag for Initial packet number space */
qc->flags &= ~QUIC_FL_CONN_IPKTNS_DCD;
/* Change the Initial TLS cryptographic context */
quic_tls_ctx_secs_free(&qc->iel->tls_ctx);
if (!qc_new_isecs(qc, &qc->iel->tls_ctx, qc->original_version,
qc->dcid.data, qc->dcid.len, !!l))
goto drop_silent;
tasklet_wakeup(qc->wait_event.tasklet);
}
goto drop_silent;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
else if (pkt->type != QUIC_PACKET_TYPE_0RTT) {
if (pkt->dcid.len != QUIC_HAP_CID_LEN) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto drop;
}
}
if (!quic_dec_int(&len, (const unsigned char **)&pos, end) ||
end - pos < len) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
goto drop;
}
/* Packet Number is stored here. Packet Length totalizes the
* rest of the content.
*/
pkt->pn_offset = pos - beg;
pkt->len = pkt->pn_offset + len;
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
/* Interrupt parsing after packet length retrieval : this
* ensures that only the packet is dropped but not the whole
* datagram.
*/
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
if (l) {
/* RFC 9000. Initial Datagram Size
*
* A server MUST discard an Initial packet that is carried in a UDP datagram
* with a payload that is smaller than the smallest allowed maximum datagram
* size of 1200 bytes.
*/
if (dgram->len < QUIC_INITIAL_PACKET_MINLEN) {
TRACE_PROTO("RX too short datagram with an Initial packet", QUIC_EV_CONN_LPKT);
HA_ATOMIC_INC(&prx_counters->too_short_initial_dgram);
goto drop;
}
}
else {
/* TODO: This is not clear if a too short RX datagram which carries ack-eliciting
* packets must be dropped by a client. If this is the case, this is not from
* here, but after having parsed the datagram frames.
*
* RFC 9000. Initial Datagram Size
*
* Similarly, a server MUST expand the payload of all UDP datagrams carrying
* ack-eliciting Initial packets to at least the smallest allowed maximum
* datagram size of 1200 bytes.
*/
if (!(qc->flags & QUIC_FL_CONN_SCID_RECEIVED)) {
qc->flags |= QUIC_FL_CONN_SCID_RECEIVED;
memcpy(qc->dcid.data, pkt->scid.data, pkt->scid.len);
qc->dcid.len = pkt->scid.len;
}
BUG/MINOR: quic-be: missing version negotiation This bug impacts only the QUIC clients (or backends). The version negotiation was not supported at all for them. This is an oversight. Contrary to the QUIC server which choose the negotiated version after having received the transport parameters (into ClientHello message) the client selects the negotiated version from the first Initial packet version field. Indeed, the server transport parameters are inside the ServerHello messages ciphered into Handshake packets. This non intrusive patch does not impact the QUIC server implementation. It only selects the negotiated version from the first Initial packet received from the server and consequently initializes the TLS cipher context. Thank you to @InputOutputZ for having reporte this issue in GH #3178. No need to backport because the QUIC backends support arrives with 3.3.
2025-11-14 11:21:53 -05:00
BUG/MEDIUM: quic-be: quic_conn_closed buffer overflow This bug impacts only the backends. Recent commits have modified quic_rx_pkt_parse() for the QUIC backend to handle the retry token, and version negotiation. This function is called for the quic_conn even when is closing state (so for the quic_conn_closed struct). The quic_conn struct and quic_conn_closed struct share some members thank to the leading QUIC_CONN_COMMON struct. The recent modification impacts some members which do not exist for the quic_connn_closed struct, leading to buffer overflows if modified. For the backends only this patch: 1- silently drops the Retry packet (received/parsed only by backends) 2- silently drops the Initial packets received in closing state This is safe for the Initial packets because in closing state the datagrams are entirely skipped thanks to qc_rx_check_closing() in quic_dgram_parse(). No backport needed because the backend support arrived with the current dev.
2025-11-21 03:52:41 -05:00
if (qc_is_back(qc)) {
if (qc->flags & QUIC_FL_CONN_CLOSING) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
BUG/MINOR: quic-be: missing version negotiation This bug impacts only the QUIC clients (or backends). The version negotiation was not supported at all for them. This is an oversight. Contrary to the QUIC server which choose the negotiated version after having received the transport parameters (into ClientHello message) the client selects the negotiated version from the first Initial packet version field. Indeed, the server transport parameters are inside the ServerHello messages ciphered into Handshake packets. This non intrusive patch does not impact the QUIC server implementation. It only selects the negotiated version from the first Initial packet received from the server and consequently initializes the TLS cipher context. Thank you to @InputOutputZ for having reporte this issue in GH #3178. No need to backport because the QUIC backends support arrives with 3.3.
2025-11-14 11:21:53 -05:00
goto drop;
}
BUG/MEDIUM: quic-be: quic_conn_closed buffer overflow This bug impacts only the backends. Recent commits have modified quic_rx_pkt_parse() for the QUIC backend to handle the retry token, and version negotiation. This function is called for the quic_conn even when is closing state (so for the quic_conn_closed struct). The quic_conn struct and quic_conn_closed struct share some members thank to the leading QUIC_CONN_COMMON struct. The recent modification impacts some members which do not exist for the quic_connn_closed struct, leading to buffer overflows if modified. For the backends only this patch: 1- silently drops the Retry packet (received/parsed only by backends) 2- silently drops the Initial packets received in closing state This is safe for the Initial packets because in closing state the datagrams are entirely skipped thanks to qc_rx_check_closing() in quic_dgram_parse(). No backport needed because the backend support arrived with the current dev.
2025-11-21 03:52:41 -05:00
/* Identify the negotiated version, chosen and sent by the server */
if (pkt->version != qc->original_version && !qc->nictx) {
qc->nictx = pool_alloc(pool_head_quic_tls_ctx);
if (!qc->nictx) {
TRACE_PROTO("Could not alloc a new Initial secrets TLS context",
QUIC_EV_CONN_RXPKT, qc);
goto drop;
}
BUG/MINOR: quic-be: missing version negotiation This bug impacts only the QUIC clients (or backends). The version negotiation was not supported at all for them. This is an oversight. Contrary to the QUIC server which choose the negotiated version after having received the transport parameters (into ClientHello message) the client selects the negotiated version from the first Initial packet version field. Indeed, the server transport parameters are inside the ServerHello messages ciphered into Handshake packets. This non intrusive patch does not impact the QUIC server implementation. It only selects the negotiated version from the first Initial packet received from the server and consequently initializes the TLS cipher context. Thank you to @InputOutputZ for having reporte this issue in GH #3178. No need to backport because the QUIC backends support arrives with 3.3.
2025-11-14 11:21:53 -05:00
BUG/MEDIUM: quic-be: quic_conn_closed buffer overflow This bug impacts only the backends. Recent commits have modified quic_rx_pkt_parse() for the QUIC backend to handle the retry token, and version negotiation. This function is called for the quic_conn even when is closing state (so for the quic_conn_closed struct). The quic_conn struct and quic_conn_closed struct share some members thank to the leading QUIC_CONN_COMMON struct. The recent modification impacts some members which do not exist for the quic_connn_closed struct, leading to buffer overflows if modified. For the backends only this patch: 1- silently drops the Retry packet (received/parsed only by backends) 2- silently drops the Initial packets received in closing state This is safe for the Initial packets because in closing state the datagrams are entirely skipped thanks to qc_rx_check_closing() in quic_dgram_parse(). No backport needed because the backend support arrived with the current dev.
2025-11-21 03:52:41 -05:00
quic_tls_ctx_reset(qc->nictx);
if (!qc_new_isecs(qc, qc->nictx, pkt->version,
qc->odcid.data, qc->odcid.len, 0)) {
TRACE_PROTO("Could not derive Initial secrets for new version",
QUIC_EV_CONN_RXPKT, qc);
goto drop;
}
TRACE_PROTO("new Initial secrets TLS context initialization done",
QUIC_EV_CONN_RXPKT, qc);
qc->negotiated_version = pkt->version;
}
BUG/MINOR: quic-be: missing version negotiation This bug impacts only the QUIC clients (or backends). The version negotiation was not supported at all for them. This is an oversight. Contrary to the QUIC server which choose the negotiated version after having received the transport parameters (into ClientHello message) the client selects the negotiated version from the first Initial packet version field. Indeed, the server transport parameters are inside the ServerHello messages ciphered into Handshake packets. This non intrusive patch does not impact the QUIC server implementation. It only selects the negotiated version from the first Initial packet received from the server and consequently initializes the TLS cipher context. Thank you to @InputOutputZ for having reporte this issue in GH #3178. No need to backport because the QUIC backends support arrives with 3.3.
2025-11-14 11:21:53 -05:00
}
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
else if (pkt->type == QUIC_PACKET_TYPE_0RTT) {
/* O-RTT packet are not sent by servers. */
if (!l || !l->bind_conf->ssl_conf.early_data) {
TRACE_PROTO("RX 0-RTT packet not supported", QUIC_EV_CONN_LPKT);
goto drop;
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
}
}
else {
TRACE_PROTO("RX short header packet", QUIC_EV_CONN_LPKT);
if (end - pos < QUIC_HAP_CID_LEN) {
TRACE_PROTO("RX pkt dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
memcpy(pkt->dcid.data, pos, QUIC_HAP_CID_LEN);
pkt->dcid.len = QUIC_HAP_CID_LEN;
/* When multiple QUIC packets are coalesced on the same UDP datagram,
* they must have the same DCID.
*/
if (!(pkt->flags & QUIC_FL_RX_PACKET_DGRAM_FIRST) &&
(pkt->dcid.len != dgram->dcid_len ||
MINOR: quic: store the DCID as an offset Using an offset instead of a pointer into the datagram buffer is less error-prone as we do not have to manually fixup that pointer when the datagram is moved somewhere else in memory.
2026-03-23 10:31:53 -04:00
memcmp(dgram->buf + dgram->dcid_off, pkt->dcid.data, pkt->dcid.len))) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_PROTO("RX pkt dropped", QUIC_EV_CONN_LPKT);
goto drop;
}
pos += QUIC_HAP_CID_LEN;
pkt->pn_offset = pos - beg;
/* A short packet is the last one of a UDP datagram. */
pkt->len = end - beg;
}
TRACE_PROTO("RX pkt parsed", QUIC_EV_CONN_LPKT, NULL, pkt, NULL, pkt->version);
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return 0;
drop:
MINOR: quic: get rid of ->target quic_conn struct member The ->li (struct listener *) member of quic_conn struct was replaced by a ->target (struct obj_type *) member by this commit: MINOR: quic-be: get rid of ->li quic_conn member to abstract the connection type (front or back) when implementing QUIC for the backends. In these cases, ->target was a pointer to the ojb_type of a server struct. This could not work with the dynamic servers contrary to the listeners which are not dynamic. This patch almost reverts the one mentioned above. ->target pointer to obj_type member is replaced by ->li pointer to listener struct member. As the listener are not dynamic, this is easy to do this. All one has to do is to replace the objt_listener(qc->target) statement by qc->li where applicable. For the backend connection, when needed, this is always qc->conn->target which is used only when qc->conn is initialized. The only "problematic" case is for quic_dgram_parse() which takes a pointer to an obj_type as third argument. But this obj_type is only used to call quic_rx_pkt_parse(). Inside this function it is used to access the proxy counters of the connection thanks to qc_counters(). So, this obj_type argument may be null for now on with this patch. This is the reason why qc_counters() is modified to take this into consideration.
2025-09-09 05:49:33 -04:00
if (prx_counters)
HA_ATOMIC_INC(&prx_counters->dropped_pkt);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
drop_silent:
if (!pkt->len)
pkt->len = end - beg;
TRACE_PROTO("RX pkt parsing failed", QUIC_EV_CONN_LPKT, NULL, pkt, NULL, pkt->version);
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return -1;
}
/* Check if received packet <pkt> should be drop due to <qc> already in closing
* state. This can be true if a CONNECTION_CLOSE has already been emitted for
* this connection.
*
* Returns false if connection is not in closing state else true. The caller
* should drop the whole datagram in the last case to not mess up <qc>
* CONNECTION_CLOSE rate limit counter.
*/
static int qc_rx_check_closing(struct quic_conn *qc,
struct quic_rx_packet *pkt)
{
if (!(qc->flags & QUIC_FL_CONN_CLOSING))
return 0;
TRACE_STATE("Closing state connection", QUIC_EV_CONN_LPKT, qc, NULL, NULL, pkt->version);
/* Check if CONNECTION_CLOSE rate reemission is reached. */
if (++qc->nb_pkt_since_cc >= qc->nb_pkt_for_cc) {
qc->flags |= QUIC_FL_CONN_IMMEDIATE_CLOSE;
qc->nb_pkt_for_cc++;
qc->nb_pkt_since_cc = 0;
}
return 1;
}
/* Release the memory for the RX packets which are no more referenced
* and consume their payloads which have been copied to the RX buffer
* for the connection.
* Always succeeds.
*/
static void quic_rx_pkts_del(struct quic_conn *qc)
{
struct quic_rx_packet *pkt, *pktback;
list_for_each_entry_safe(pkt, pktback, &qc->rx.pkt_list, qc_rx_pkt_list) {
TRACE_PRINTF(TRACE_LEVEL_DEVELOPER, QUIC_EV_CONN_LPKT, qc, 0, 0, 0,
"pkt #%lld(type=%d,len=%llu,rawlen=%llu,refcnt=%u) (diff: %zd)",
(long long)pkt->pn_node.key,
pkt->type, (ull)pkt->len, (ull)pkt->raw_len, pkt->refcnt,
(unsigned char *)b_head(&qc->rx.buf) - pkt->data);
if (pkt->data != (unsigned char *)b_head(&qc->rx.buf)) {
size_t cdata;
cdata = b_contig_data(&qc->rx.buf, 0);
TRACE_PRINTF(TRACE_LEVEL_DEVELOPER, QUIC_EV_CONN_LPKT, qc, 0, 0, 0,
"cdata=%llu *b_head()=0x%x", (ull)cdata, *b_head(&qc->rx.buf));
if (cdata && !*b_head(&qc->rx.buf)) {
/* Consume the remaining data */
b_del(&qc->rx.buf, cdata);
}
break;
}
if (pkt->refcnt)
break;
b_del(&qc->rx.buf, pkt->raw_len);
LIST_DELETE(&pkt->qc_rx_pkt_list);
pool_free(pool_head_quic_rx_packet, pkt);
}
/* In frequent cases the buffer will be emptied at this stage. */
b_realign_if_empty(&qc->rx.buf);
}
/* Handle a parsed packet <pkt> by the connection <qc>. Data will be copied
* into <qc> receive buffer after header protection removal procedure.
*
* <dgram> must be set to the datagram which contains the QUIC packet. <beg>
* must point to packet buffer first byte.
*
* <tasklist_head> may be non-NULL when the caller treat several datagrams for
* different quic-conn. In this case, each quic-conn tasklet will be appended
* to it in order to be woken up after the current task.
*
* The caller can safely removed the packet data. If packet refcount was not
* incremented by this function, it means that the connection did not handled
* it and it should be freed by the caller.
*/
static void qc_rx_pkt_handle(struct quic_conn *qc, struct quic_rx_packet *pkt,
struct quic_dgram *dgram, unsigned char *beg,
struct list **tasklist_head)
{
const struct quic_version *qv = pkt->version;
struct quic_enc_level *qel = NULL;
size_t b_cspace;
TRACE_ENTER(QUIC_EV_CONN_LPKT, qc);
TRACE_PROTO("RX pkt", QUIC_EV_CONN_LPKT, qc, pkt, NULL, qv);
if (pkt->flags & QUIC_FL_RX_PACKET_DGRAM_FIRST &&
qc->flags & QUIC_FL_CONN_ANTI_AMPLIFICATION_REACHED) {
TRACE_PROTO("PTO timer must be armed after anti-amplication was reached",
QUIC_EV_CONN_LPKT, qc, NULL, NULL, qv);
TRACE_DEVEL("needs to wakeup the timer task after the amplification limit was reached",
QUIC_EV_CONN_LPKT, qc);
/* Reset the anti-amplification bit. It will be set again
* when sending the next packet if reached again.
*/
qc->flags &= ~QUIC_FL_CONN_ANTI_AMPLIFICATION_REACHED;
qc_set_timer(qc);
if (qc->timer_task && tick_isset(qc->timer) && tick_is_lt(qc->timer, now_ms))
task_wakeup(qc->timer_task, TASK_WOKEN_MSG);
}
/* Drop asap packet whose packet number space is discarded. */
if (quic_tls_pkt_type_pktns_dcd(qc, pkt->type)) {
TRACE_PROTO("Discarded packet number space", QUIC_EV_CONN_TRMHP, qc);
goto drop_silent;
}
if (qc->flags & QUIC_FL_CONN_IMMEDIATE_CLOSE) {
TRACE_PROTO("Connection error",
QUIC_EV_CONN_LPKT, qc, NULL, NULL, qv);
goto out;
}
pkt->raw_len = pkt->len;
quic_rx_pkts_del(qc);
b_cspace = b_contig_space(&qc->rx.buf);
if (b_cspace < pkt->len) {
TRACE_PRINTF(TRACE_LEVEL_DEVELOPER, QUIC_EV_CONN_LPKT, qc, 0, 0, 0,
"bspace=%llu pkt->len=%llu", (ull)b_cspace, (ull)pkt->len);
/* Do not consume buf if space not at the end. */
if (b_tail(&qc->rx.buf) + b_cspace < b_wrap(&qc->rx.buf)) {
TRACE_PROTO("Packet dropped",
QUIC_EV_CONN_LPKT, qc, NULL, NULL, qv);
qc->cntrs.dropped_pkt_bufoverrun++;
goto drop_silent;
}
/* Let us consume the remaining contiguous space. */
if (b_cspace) {
b_putchr(&qc->rx.buf, 0x00);
b_cspace--;
}
b_add(&qc->rx.buf, b_cspace);
if (b_contig_space(&qc->rx.buf) < pkt->len) {
TRACE_PROTO("Too big packet",
QUIC_EV_CONN_LPKT, qc, pkt, &pkt->len, qv);
qc->cntrs.dropped_pkt_bufoverrun++;
goto drop_silent;
}
}
if (!qc_try_rm_hp(qc, pkt, beg, &qel)) {
TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc, NULL, NULL, qv);
goto drop;
}
TRACE_DATA("New packet", QUIC_EV_CONN_LPKT, qc, pkt, NULL, qv);
REORG: quic: Remove qc_pkt_insert() implementation As this function does only a few things with a not very well chosen name, remove it and replace it by the its statements at the unique location it is called.
2023-11-28 08:52:22 -05:00
if (pkt->aad_len) {
/* Insert this RX packet in its encryption level tree */
pkt->pn_node.key = pkt->pn;
quic_rx_packet_refinc(pkt);
eb64_insert(&qel->rx.pkts, &pkt->pn_node);
}
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
out:
*tasklist_head = tasklet_wakeup_after(*tasklist_head,
qc->wait_event.tasklet);
drop_silent:
TRACE_PROTO("RX pkt", QUIC_EV_CONN_LPKT, qc ? qc : NULL, pkt, NULL, qv);
TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc ? qc : NULL);
return;
drop:
qc->cntrs.dropped_pkt++;
TRACE_PROTO("packet drop", QUIC_EV_CONN_LPKT, qc, pkt, NULL, qv);
TRACE_LEAVE(QUIC_EV_CONN_LPKT, qc);
}
/* Handle a new <dgram> received. Parse each QUIC packets and copied their
* content to a quic-conn instance. The datagram content can be released after
* this function.
*
* If datagram has been received on a quic-conn owned FD, <from_qc> must be set
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
* to the connection instance. <o> is the object type address of the object
* (listener or server) receiving the datagram. The caller is
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
* responsible to ensure that the first packet is destined to this connection
* by comparing CIDs.
*
* If datagram has been received on a receiver FD, <from_qc> will be NULL. This
* function will thus retrieve the connection from the CID tree or allocate a
* new one if possible. <li> is the listener attached to the receiver.
*
MINOR: quic: get rid of ->target quic_conn struct member The ->li (struct listener *) member of quic_conn struct was replaced by a ->target (struct obj_type *) member by this commit: MINOR: quic-be: get rid of ->li quic_conn member to abstract the connection type (front or back) when implementing QUIC for the backends. In these cases, ->target was a pointer to the ojb_type of a server struct. This could not work with the dynamic servers contrary to the listeners which are not dynamic. This patch almost reverts the one mentioned above. ->target pointer to obj_type member is replaced by ->li pointer to listener struct member. As the listener are not dynamic, this is easy to do this. All one has to do is to replace the objt_listener(qc->target) statement by qc->li where applicable. For the backend connection, when needed, this is always qc->conn->target which is used only when qc->conn is initialized. The only "problematic" case is for quic_dgram_parse() which takes a pointer to an obj_type as third argument. But this obj_type is only used to call quic_rx_pkt_parse(). Inside this function it is used to access the proxy counters of the connection thanks to qc_counters(). So, this obj_type argument may be null for now on with this patch. This is the reason why qc_counters() is modified to take this into consideration.
2025-09-09 05:49:33 -04:00
* Note that for a QUIC backend, <from_qc> is never NULL. <o> is never NULL
* for a QUIC frontend.
*
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
* Returns 0 on success else non-zero. If an error happens, some packets from
* the datagram may not have been parsed.
*/
int quic_dgram_parse(struct quic_dgram *dgram, struct quic_conn *from_qc,
MINOR: quic-be: Datagrams and packet parsing support Modify quic_dgram_parse() to stop passing it a listener as third parameter. In place the object type address of the connection socket owner is passed to support the haproxy servers with QUIC as transport protocol. qc_owner_obj_type() is implemented to return this address. qc_counters() is also implemented to return the QUIC specific counters of the proxy of owner of the connection. quic_rx_pkt_parse() called by quic_dgram_parse() is also modify to use the object type address used by this latter as last parameter. It is also modified to send Retry packet only from listeners. A QUIC client (connection to haproxy QUIC servers) must drop the Initial packets with non null token length. It is also not supposed to receive O-RTT packets which are dropped.
2024-01-10 10:48:51 -05:00
enum obj_type *o)
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
{
struct quic_rx_packet *pkt;
struct quic_conn *qc = NULL;
unsigned char *pos, *end;
struct list *tasklist_head = NULL;
BUG/MEDIUM: quic-be: do not launch the connection migration process At this time the connection migration is not supported by QUIC backends. This patch prevents this process to be launched for connections to QUIC backends. Furthermore, the connection migration process could be started systematically when connecting a backend to INADDR_ANY, leading to crashes into qc_handle_conn_migration() (when referencing qc->li). Thank you to @InputOutputZ for having reported this issue in GH #3178. This patch simply checks the connection type (listener or not) before checking if a connection migration must be started. No need to backport because support for QUIC backends is available from 3.3.
2025-11-13 05:26:14 -05:00
struct listener *li = objt_listener(o);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
TRACE_ENTER(QUIC_EV_CONN_LPKT);
pos = dgram->buf;
end = pos + dgram->len;
do {
pkt = pool_alloc(pool_head_quic_rx_packet);
if (!pkt) {
TRACE_ERROR("RX packet allocation failed", QUIC_EV_CONN_LPKT);
goto err;
}
LIST_INIT(&pkt->qc_rx_pkt_list);
pkt->version = NULL;
pkt->type = QUIC_PACKET_TYPE_UNKNOWN;
pkt->pn_offset = 0;
pkt->len = 0;
pkt->raw_len = 0;
pkt->token = NULL;
pkt->token_len = 0;
pkt->aad_len = 0;
pkt->data = NULL;
pkt->pn_node.key = (uint64_t)-1;
pkt->refcnt = 0;
pkt->flags = 0;
pkt->time_received = now_ms;
/* Set flag if pkt is the first one in dgram. */
if (pos == dgram->buf)
pkt->flags |= QUIC_FL_RX_PACKET_DGRAM_FIRST;
quic_rx_packet_refinc(pkt);
MINOR: quic-be: Store asap the DCID Store the peer connection ID (SCID) as the connection DCID as soon as an Initial packet is received. Stop comparing the packet to QUIC_PACKET_TYPE_0RTT is already match as QUIC_PACKET_TYPE_INITIAL. A QUIC server must not send too short datagram with ack-eliciting packets inside. This cannot be done from quic_rx_pkt_parse() because one does not know if there is ack-eliciting frame into the Initial packets. If the packet must be dropped, this is after having parsed it!
2024-01-12 08:39:08 -05:00
if (quic_rx_pkt_parse(from_qc, pkt, pos, end, dgram, o))
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto next;
/* Search quic-conn instance for first packet of the datagram.
* quic_rx_packet_parse() is responsible to discard packets
* with different DCID as the first one in the same datagram.
*/
if (!qc) {
int new_tid = -1;
qc = from_qc ? from_qc : quic_rx_pkt_retrieve_conn(pkt, dgram, li, &new_tid);
/* qc is NULL if receiving a non Initial packet for an
* unknown connection or on connection affinity rebind.
*/
if (!qc) {
if (new_tid >= 0) {
MINOR: quic: extend traces on CID allocation Add new traces to detect the CID generation method and also when an Initial packet is requeued due to CID collision.
2025-11-07 03:38:14 -05:00
TRACE_STATE("re-enqueue packet to conn thread", QUIC_EV_CONN_LPKT);
OPTIM: quic: rework the QUIC RX code Use an MPSC ring buffer to hold data for each datagram handler. Holding this data in a per-handler buffer avoids the HoL blocking we experienced when we had per-listener buffers with data from all threads mixed up in them. This also gets rid of the mt_list contention we were suffering before, that was causing some threads to be stuck for a significant amount of time, causing warnings and even crashes in some cases.
2026-01-30 11:39:04 -05:00
quic_dgram_requeue(dgram, new_tid);
BUG/MINOR: quic: Possible RX packet memory leak under heavy load This bug could be reproduced with -dMfail and h2load generating plenty of connections. A "show pools" CLI command showed that some memory in relation with RX packet pool was never release. Furthermore, adding a RX packet counter to each connection and a BUG_ON() in quic_conn_release() has proved that this unreleased memory was in relation with RX packet which were not linked to a connection. The responsible is quic_dgram_parse() which does not release some RX packet memory before exiting after the connection thread affinity has changed. Must be backported as far as 2.7.
2023-11-22 10:29:08 -05:00
pool_free(pool_head_quic_rx_packet, pkt);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
goto out;
}
/* Skip the entire datagram. */
pkt->len = end - pos;
goto next;
}
dgram->qc = qc;
}
MINOR: quic: add 2 BUG_ON() on datagram dispatch QUIC datagram dispatch is an error prone operation as it must always ensure the correct thread is used before accessing to the recipient quic_conn instance. Strengthen this code part by adding two BUG_ON_HOT() to ensure thread safety.
2024-07-01 04:15:58 -04:00
/* Ensure quic_conn access only occurs on its attached thread. */
BUG_ON_HOT(((struct quic_connection_id *)
eb64_entry(eb64_first(qc->cids), struct quic_connection_id, seq_num))->tid != tid);
BUG/MAJOR: quic: complete thread migration before tcp-rules A quic_conn is instantiated and tied on the first thread which has received the first INITIAL packet. After handshake completion, listener_accept() is called. For each quic_conn, a new thread is selected among the least loaded ones Note that this occurs earlier if handling 0-RTT data. This thread connection migration is done in two steps : * inside listener_accept(), on the origin thread, quic_conn tasks/tasklet are killed. After this, no quic_conn related processing will occur on this thread. The connection is flagged with QUIC_FL_CONN_AFFINITY_CHANGED. * as soon as the first quic_conn related processing occurs on the new thread, the migration is finalized. This allows to allocate the new tasks/tasklet directly on the destination thread. This last step on the new thread must be done prior to other quic_conn access. There is two events which may trigger it : * a packet is received on the new thread. In this case, qc_finalize_affinity_rebind() is called from quic_dgram_parse(). * the recently accepted connection is popped from accept_queue_ring via accept_queue_process(). This will called session_accept_fd() as listener.bind_conf.accept callback. This instantiates a new session and start connection stack via conn_xprt_start(), which itself calls qc_xprt_start() where qc_finalize_affinity_rebind() is used. A condition was recently found which could cause a closing to be used with qc_finalize_affinity_rebind() which is forbidden with a BUG_ON(). This lat step was not compatible with layer 4 rule such as "tcp-request connection reject" which closes the connection early. In this case, most of the body of session_accept_fd() is skipped, including qc_xprt_start(), so thread migration is not finalized. At the end of the function, conn_xprt_close() is then called which flags the connection as CLOSING. If a datagram is received for this connection before it is released, this will call qc_finalize_affinity_rebind() which triggers its BUG_ON() to prevent thread migration for CLOSING quic_conn. FATAL: bug condition "qc->flags & ((1U << 29)|(1U << 30))" matched at src/quic_conn.c:2036 Thread 3 "haproxy" received signal SIGILL, Illegal instruction. [Switching to Thread 0x7ffff794f700 (LWP 2973030)] 0x00005555556221f3 in qc_finalize_affinity_rebind (qc=0x7ffff002d060) at src/quic_conn.c:2036 2036 BUG_ON(qc->flags & (QUIC_FL_CONN_CLOSING|QUIC_FL_CONN_DRAINING)); (gdb) bt #0 0x00005555556221f3 in qc_finalize_affinity_rebind (qc=0x7ffff002d060) at src/quic_conn.c:2036 #1 0x0000555555682463 in quic_dgram_parse (dgram=0x7fff5003ef10, from_qc=0x0, li=0x555555f38670) at src/quic_rx.c:2602 #2 0x0000555555651aae in quic_lstnr_dghdlr (t=0x555555fc4440, ctx=0x555555fc3f78, state=32832) at src/quic_sock.c:189 #3 0x00005555558c9393 in run_tasks_from_lists (budgets=0x7ffff7944c90) at src/task.c:596 #4 0x00005555558c9e8e in process_runnable_tasks () at src/task.c:876 #5 0x000055555586b7b2 in run_poll_loop () at src/haproxy.c:2966 #6 0x000055555586be87 in run_thread_poll_loop (data=0x555555d3d340 <ha_thread_info+64>) at src/haproxy.c:3165 #7 0x00007ffff7b59609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #8 0x00007ffff7a7e133 in clone () from /lib/x86_64-linux-gnu/libc.so.6 To fix this issue, ensure quic_conn migration is completed earlier inside session_accept_fd(), before any tcp rules processing. This is done by moving qc_finalize_affinity_rebind() invocation from qc_xprt_start() to qc_conn_init(). This must be backported up to 2.7.
2023-11-20 08:56:49 -05:00
/* Ensure thread connection migration is finalized ASAP. */
CLEANUP: quic: rename TID affinity elements This commit is the renaming counterpart of the previous one, this time for quic_conn module. Several elements related to TID affinity update from quic_conn has been renamed : public functions, but also flag renamed to QUIC_FL_CONN_TID_REBIND and trace event to QUIC_EV_CONN_BIND_TID. This should be backported with the same instruction as the previous commit.
2024-07-11 08:55:28 -04:00
if (qc->flags & QUIC_FL_CONN_TID_REBIND)
qc_finalize_tid_rebind(qc);
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
if (qc_rx_check_closing(qc, pkt)) {
/* Skip the entire datagram. */
pkt->len = end - pos;
goto next;
}
/* Detect QUIC connection migration. */
OPTIM: quic: reduce the size of struct quic_dgram The QUIC code can only handle IPv4 or IPv6 addresses, so using two sockaddr_storage structs wastes a lot of space in the quic_dgram struct. This is a very large overhead since this structure is written in the MPSC ring buffers before every datagram, while many of those datagrams are only 50 bytes or less. Using an union instead saves 200 bytes per datagram, increasing the capacity of the buffers significantly.
2026-04-21 15:25:58 -04:00
if (li && ipcmp(&qc->peer_addr, (struct sockaddr_storage *)&dgram->saddr, 1)) {
if (qc_handle_conn_migration(qc,
(struct sockaddr_storage *)&dgram->saddr,
(struct sockaddr_storage *)&dgram->daddr)) {
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* Skip the entire datagram. */
TRACE_ERROR("error during connection migration, datagram dropped", QUIC_EV_CONN_LPKT, qc);
pkt->len = end - pos;
goto next;
}
}
qc_rx_pkt_handle(qc, pkt, dgram, pos, &tasklist_head);
next:
pos += pkt->len;
quic_rx_packet_refdec(pkt);
/* Free rejected packets */
if (!pkt->refcnt) {
BUG_ON(LIST_INLIST(&pkt->qc_rx_pkt_list));
pool_free(pool_head_quic_rx_packet, pkt);
}
} while (pos < end);
/* Increasing the received bytes counter by the UDP datagram length
* if this datagram could be associated to a connection.
*/
if (dgram->qc)
MINOR: quic: Move some counters from [rt]x quic_conn anonymous struct Move rx.bytes, tx.bytes and tx.prep_bytes quic_conn struct member to bytes anonymous struct (bytes.rx, bytes.tx and bytes.prep member respectively). They are moved before being defined into a bytes anonoymous struct common to a future struct to be defined. Consequently adapt the code.
2023-08-04 11:02:25 -04:00
dgram->qc->bytes.rx += dgram->len;
MINOR: quic: Split QUIC connection code into three parts Move the TX part of the code to quic_tx.c. Add quic_tx-t.h and quic_tx.h headers for this TX part code. The definition of quic_tx_packet struct has been move from quic_conn-t.h to quic_tx-t.h. Same thing for the TX part: Move the RX part of the code to quic_rx.c. Add quic_rx-t.h and quic_rx.h headers for this TX part code. The definition of quic_rx_packet struct has been move from quic_conn-t.h to quic_rx-t.h.
2023-07-25 09:42:16 -04:00
/* This must never happen. */
BUG_ON(pos > end);
BUG_ON(pos < end || pos > dgram->buf + dgram->len);
out:
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return 0;
err:
TRACE_LEAVE(QUIC_EV_CONN_LPKT);
return -1;
}
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink