Date: Tue, 25 Jan 2022 13:59:58 GMT From: "Sergey A. Osokin" <osa@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5f4f061728d8 - main - www/nginx-devel: update HTTPv3/QUIC patch to the recent commit Message-ID: <202201251359.20PDxww6033834@gitrepo.freebsd.org>
The branch main has been updated by osa: URL: https://cgit.FreeBSD.org/ports/commit/?id=5f4f061728d8515176cd51d569bec152a384ecdd commit 5f4f061728d8515176cd51d569bec152a384ecdd Author: Sergey A. Osokin <osa@FreeBSD.org> AuthorDate: 2022-01-25 13:59:22 +0000 Commit: Sergey A. Osokin <osa@FreeBSD.org> CommitDate: 2022-01-25 13:59:51 +0000 www/nginx-devel: update HTTPv3/QUIC patch to the recent commit Bump PORTREVISION. --- www/nginx-devel/Makefile | 2 +- www/nginx-devel/files/extra-patch-httpv3 | 987 +++++++++++++------------------ 2 files changed, 407 insertions(+), 582 deletions(-)
diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile
index 2ce4b8b4fce2..6d4f2874fa9a 100644
--- a/www/nginx-devel/Makefile
+++ b/www/nginx-devel/Makefile
@@ -2,7 +2,7 @@
 PORTNAME?= nginx
 PORTVERSION= 1.21.5
-PORTREVISION= 10
+PORTREVISION= 11
 CATEGORIES= www
 MASTER_SITES= https://nginx.org/download/ \
 LOCAL/osa
diff --git a/www/nginx-devel/files/extra-patch-httpv3 b/www/nginx-devel/files/extra-patch-httpv3
index 4c5a4cae03df..9f0ab11e7c7c 100644
--- a/www/nginx-devel/files/extra-patch-httpv3
+++ b/www/nginx-devel/files/extra-patch-httpv3
@@ -1929,7 +1929,7 @@ diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic.c
-@@ -0,0 +1,1489 @@
+@@ -0,0 +1,1491 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -2063,8 +2063,8 @@ new file mode 100644
 +
 + qc = ngx_quic_get_connection(c);
 +
-+ scid.data = qc->socket->cid->id;
-+ scid.len = qc->socket->cid->len;
++ scid.data = qc->path->cid->id;
++ scid.len = qc->path->cid->len;
 +
 + if (scid.len != ctp->initial_scid.len
 + || ngx_memcmp(scid.data, ctp->initial_scid.data, scid.len) != 0)
@@ -2305,7 +2305,7 @@ new file mode 100644
 + {
 + cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
 +
-+ if (cid->seqnum == 0 || cid->refcnt == 0) {
++ if (cid->seqnum == 0 || !cid->used) {
 + /*
 + * No stateless reset token in initial connection id.
 + * Don't accept a token from an unused connection id.
@@ -2605,10 +2605,12 @@ new file mode 100644
 + u_char *p, *start;
 + ngx_int_t rc;
 + ngx_uint_t good;
++ ngx_quic_path_t *path;
 + ngx_quic_header_t pkt;
 + ngx_quic_connection_t *qc;
 +
 + good = 0;
++ path = NULL;
 +
 + size = b->last - b->pos;
 +
@@ -2622,6 +2624,7 @@ new file mode 100644
 + pkt.len = b->last - p;
 + pkt.log = c->log;
 + pkt.first = (p == start) ? 1 : 0;
++ pkt.path = path;
 + pkt.flags = p[0];
 + pkt.raw->pos++;
 +
@@ -2652,6 +2655,8 @@ new file mode 100644
 + good = 1;
 + }
 +
++ path = pkt.path; /* preserve packet path from 1st packet */
++
 + /* NGX_OK || NGX_DECLINED */
 +
 + /*
@@ -2757,14 +2762,15 @@ new file mode 100644
 + }
 +
 + if (pkt->first) {
-+ if (ngx_quic_find_path(c, c->udp->dgram->sockaddr,
-+ c->udp->dgram->socklen)
-+ == NULL)
++ if (ngx_cmp_sockaddr(c->udp->dgram->sockaddr,
++ c->udp->dgram->socklen,
++ qc->path->sockaddr, qc->path->socklen, 1)
++ != NGX_OK)
 + {
 + /* packet comes from unknown path, possibly migration */
 + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 + "quic too early migration attempt");
-+ return NGX_DECLINED;
++ return NGX_DONE;
 + }
 + }
 +
@@ -2923,9 +2929,12 @@ new file mode 100644
 +
 + pkt->decrypted = 1;
 +
-+ if (pkt->first) {
-+ if (ngx_quic_update_paths(c, pkt) != NGX_OK) {
-+ return NGX_ERROR;
++ c->log->action = "handling decrypted packet";
++
++ if (pkt->path == NULL) {
++ rc = ngx_quic_set_path(c, pkt);
++ if (rc != NGX_OK) {
++ return rc;
 + }
 + }
 +
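Review bot: The comment `/* packet comes from unknown path, possibly migration */` in the `pkt->first` branch (hunk at -2757) no longer matches the test it describes. The new `ngx_cmp_sockaddr()` call compares the datagram source only with the active `qc->path`, so a packet from any other address, including one the connection already knows, now takes this exit. I would reword it to `/* packet is not from the active path, possibly migration */`, and note next to `return NGX_DONE;` what the caller does with that code. The enclosing function starts and ends outside the hunk, so the handling of `NGX_DONE` is not visible here.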
@@ -2944,9 +2953,10 @@ new file mode 100644
 + */
 + ngx_quic_discard_ctx(c, ssl_encryption_initial);
 +
-+ if (qc->socket->path->state != NGX_QUIC_PATH_VALIDATED) {
-+ qc->socket->path->state = NGX_QUIC_PATH_VALIDATED;
-+ qc->socket->path->limited = 0;
++ if (!qc->path->validated) {
++ qc->path->validated = 1;
++ qc->path->limited = 0;
++ ngx_quic_path_dbg(c, "in handshake", qc->path);
 + ngx_post_event(&qc->push, &ngx_posted_events);
 + }
 + }
@@ -3085,7 +3095,6 @@ new file mode 100644
 + ngx_uint_t do_close, nonprobing;
 + ngx_chain_t chain;
 + ngx_quic_frame_t frame;
-+ ngx_quic_socket_t *qsock;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
@@ -3267,7 +3276,8 @@ new file mode 100644
 +
 + case NGX_QUIC_FT_PATH_CHALLENGE:
 +
-+ if (ngx_quic_handle_path_challenge_frame(c, &frame.u.path_challenge)
++ if (ngx_quic_handle_path_challenge_frame(c, pkt,
++ &frame.u.path_challenge)
 + != NGX_OK)
 + {
 + return NGX_ERROR;
@@ -3326,26 +3336,18 @@ new file mode 100644
 + ngx_quic_close_connection(c, NGX_OK);
 + }
 +
-+ qsock = ngx_quic_get_socket(c);
-+
-+ if (qsock != qc->socket) {
++ if (pkt->path != qc->path && nonprobing) {
 +
-+ if (qsock->path != qc->socket->path && nonprobing) {
-+ /*
-+ * RFC 9000, 9.2. Initiating Connection Migration
-+ *
-+ * An endpoint can migrate a connection to a new local
-+ * address by sending packets containing non-probing frames
-+ * from that address.
-+ */
-+ if (ngx_quic_handle_migration(c, pkt) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+ }
 + /*
-+ * else: packet arrived via non-default socket;
-+ * no reason to change active path
++ * RFC 9000, 9.2. Initiating Connection Migration
++ *
++ * An endpoint can migrate a connection to a new local
++ * address by sending packets containing non-probing frames
++ * from that address.
 + */
++ if (ngx_quic_handle_migration(c, pkt) != NGX_OK) {
++ return NGX_ERROR;
++ }
 + }
 +
 + if (ngx_quic_ack_packet(c, pkt) != NGX_OK) {
@@ -3423,7 +3425,7 @@
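Review bot: In the `pkt->path != qc->path && nonprobing` branch (hunk at -3326), nothing visible restricts migration to the highest-numbered packet. RFC 9000 section 9.3 says an endpoint changes the address it sends to only in response to the highest-numbered non-probing packet; as written, a reordered older packet arriving on a known but non-active path would still reach `ngx_quic_handle_migration()`. The `pkt->pn != ctx->largest_pn` test in ngx_quic_set_path() runs only when a new path is about to be created, so it does not cover this case. Unless ngx_quic_handle_migration() (not shown) checks this itself, I would fetch `ctx = ngx_quic_get_send_ctx(qc, pkt->level);` and call it only under `if (pkt->pn == ctx->largest_pn) { ... }`. The enclosing function begins and ends outside the hunk.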
diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic.h
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,88 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -3466,6 +3468,7 @@ new file mode 100644
 + size_t stream_buffer_size;
 + ngx_uint_t max_concurrent_streams_bidi;
 + ngx_uint_t max_concurrent_streams_uni;
++ ngx_uint_t active_connection_id_limit;
 + ngx_int_t stream_close_code;
 + ngx_int_t stream_reject_code_uni;
 + ngx_int_t stream_reject_code_bidi;
@@ -5500,7 +5503,7 @@ diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_eve
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic_connection.h
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,272 @@
 +/*
 + * Copyright (C) Nginx, Inc.
 + */
@@ -5572,7 +5575,7 @@ new file mode 100644
 + size_t len;
 + u_char id[NGX_QUIC_CID_LEN_MAX];
 + u_char sr_token[NGX_QUIC_SR_TOKEN_LEN];
-+ ngx_uint_t refcnt;
++ ngx_uint_t used; /* unsigned used:1; */
 +};
 +
 +
@@ -5586,20 +5589,22 @@ new file mode 100644
 +struct ngx_quic_path_s {
 + ngx_queue_t queue;
 + struct sockaddr *sockaddr;
++ ngx_sockaddr_t sa;
 + socklen_t socklen;
-+ ngx_uint_t state;
-+ ngx_uint_t limited; /* unsigned limited:1; */
++ ngx_quic_client_id_t *cid;
 + ngx_msec_t expires;
-+ ngx_msec_t last_seen;
 + ngx_uint_t tries;
++ ngx_uint_t tag;
 + off_t sent;
 + off_t received;
 + u_char challenge1[8];
 + u_char challenge2[8];
-+ ngx_uint_t refcnt;
 + uint64_t seqnum;
 + ngx_str_t addr_text;
 + u_char text[NGX_SOCKADDR_STRLEN];
++ unsigned validated:1;
++ unsigned validating:1;
++ unsigned limited:1;
 +};
 +
 +
@@ -5607,11 +5612,8 @@ new file mode 100644
 + ngx_udp_connection_t udp;
 + ngx_quic_connection_t *quic;
 + ngx_queue_t queue;
-+
 + ngx_quic_server_id_t sid;
-+
-+ ngx_quic_path_t *path;
-+ ngx_quic_client_id_t *cid;
++ ngx_uint_t used; /* unsigned used:1; */
 +};
 +
 +
@@ -5687,8 +5689,7 @@ new file mode 100644
 +struct ngx_quic_connection_s {
 + uint32_t version;
 +
-+ ngx_quic_socket_t *socket;
-+ ngx_quic_socket_t *backup;
++ ngx_quic_path_t *path;
 +
 + ngx_queue_t sockets;
 + ngx_queue_t paths;
@@ -5779,7 +5780,7 @@ diff --git a/src/event/quic/ngx_event_quic_connid.c b/src/event/quic/ngx_event_q
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic_connid.c
-@@ -0,0 +1,613 @@
+@@ -0,0 +1,502 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -5797,13 +5798,10 @@ new file mode 100644
 +#if (NGX_QUIC_BPF)
 +static ngx_int_t ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id);
 +#endif
-+static ngx_int_t ngx_quic_send_retire_connection_id(ngx_connection_t *c,
-+ uint64_t seqnum);
-+
++static ngx_int_t ngx_quic_retire_client_id(ngx_connection_t *c,
++ ngx_quic_client_id_t *cid);
 +static ngx_quic_client_id_t *ngx_quic_alloc_client_id(ngx_connection_t *c,
 + ngx_quic_connection_t *qc);
-+static ngx_int_t ngx_quic_replace_retired_client_id(ngx_connection_t *c,
-+ ngx_quic_client_id_t *retired_cid);
 +static ngx_int_t ngx_quic_send_server_id(ngx_connection_t *c,
 + ngx_quic_server_id_t *sid);
 +
@@ -5859,9 +5857,9 @@ new file mode 100644
 +ngx_quic_handle_new_connection_id_frame(ngx_connection_t *c,
 + ngx_quic_new_conn_id_frame_t *f)
 +{
-+ uint64_t seq;
 + ngx_str_t id;
 + ngx_queue_t *q;
++ ngx_quic_frame_t *frame;
 + ngx_quic_client_id_t *cid, *item;
 + ngx_quic_connection_t *qc;
 +
@@ -5879,10 +5877,17 @@ new file mode 100644
 + * done so for that sequence number.
 + */
 +
-+ if (ngx_quic_send_retire_connection_id(c, f->seqnum) != NGX_OK) {
++ frame = ngx_quic_alloc_frame(c);
++ if (frame == NULL) {
 + return NGX_ERROR;
 + }
 +
++ frame->level = ssl_encryption_application;
++ frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
++ frame->u.retire_cid.sequence_number = f->seqnum;
++
++ ngx_quic_queue_frame(qc, frame);
++
 + goto retire;
 + }
 +
@@ -5955,20 +5960,7 @@ new file mode 100644
 + continue;
 + }
 +
-+ /* this connection id must be retired */
-+ seq = cid->seqnum;
-+
-+ if (cid->refcnt) {
-+ /* we are going to retire client id which is in use */
-+ if (ngx_quic_replace_retired_client_id(c, cid) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ } else {
-+ ngx_quic_unref_client_id(c, cid);
-+ }
-+
-+ if (ngx_quic_send_retire_connection_id(c, seq) != NGX_OK) {
++ if (ngx_quic_retire_client_id(c, cid) != NGX_OK) {
 + return NGX_ERROR;
 + }
 + }
@@ -5995,25 +5987,47 @@ new file mode 100644
 +
 +
 +static ngx_int_t
-+ngx_quic_send_retire_connection_id(ngx_connection_t *c, uint64_t seqnum)
++ngx_quic_retire_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
 +{
-+ ngx_quic_frame_t *frame;
++ ngx_queue_t *q;
++ ngx_quic_path_t *path;
++ ngx_quic_client_id_t *new_cid;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
 +
-+ frame = ngx_quic_alloc_frame(c);
-+ if (frame == NULL) {
-+ return NGX_ERROR;
++ if (!cid->used) {
++ return ngx_quic_free_client_id(c, cid);
 + }
 +
-+ frame->level = ssl_encryption_application;
-+ frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
-+ frame->u.retire_cid.sequence_number = seqnum;
++ /* we are going to retire client id which is in use */
 +
-+ ngx_quic_queue_frame(qc, frame);
++ q = ngx_queue_head(&qc->paths);
 +
-+ /* we are no longer going to use this client id */
++ while (q != ngx_queue_sentinel(&qc->paths)) {
++
++ path = ngx_queue_data(q, ngx_quic_path_t, queue);
++ q = ngx_queue_next(q);
++
++ if (path->cid != cid) {
++ continue;
++ }
++
++ if (path == qc->path) {
++ /* this is the active path: update it with new CID */
++ new_cid = ngx_quic_next_client_id(c);
++ if (new_cid == NULL) {
++ return NGX_ERROR;
++ }
++
++ qc->path->cid = new_cid;
++ new_cid->used = 1;
++
++ return ngx_quic_free_client_id(c, cid);
++ }
++
++ return ngx_quic_free_path(c, path);
++ }
 +
 + return NGX_OK;
 +}
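Review bot: ngx_quic_retire_client_id() (hunk at -5995) has two exits on which the in-use `cid` is not visibly retired: `return ngx_quic_free_path(c, path);` for a non-active path, and the final `return NGX_OK;`, reached when `cid->used` is set but no entry in `qc->paths` references it. On both, this function queues no RETIRE_CONNECTION_ID frame and the id stays counted in `qc->nclient_ids`, unless ngx_quic_free_path() (not shown here) releases `path->cid` itself. If it does, a comment such as `/* ngx_quic_free_path() also frees path->cid */` would make that dependency explicit. If it does not, the fall-through should end with `return ngx_quic_free_client_id(c, cid);` so a peer's Retire Prior To request is always honoured.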
@@ -6100,7 +6114,7 @@ new file mode 100644
 + {
 + cid = ngx_queue_data(q, ngx_quic_client_id_t, queue);
 +
-+ if (cid->refcnt == 0) {
++ if (!cid->used) {
 + return cid;
 + }
 + }
@@ -6109,42 +6123,11 @@ new file mode 100644
 +}
 +
 +
-+ngx_quic_client_id_t *
-+ngx_quic_used_client_id(ngx_connection_t *c, ngx_quic_path_t *path)
-+{
-+ ngx_queue_t *q;
-+ ngx_quic_socket_t *qsock;
-+ ngx_quic_connection_t *qc;
-+
-+ qc = ngx_quic_get_connection(c);
-+
-+ /* best guess: cid used by active path is good for us */
-+ if (qc->socket->path == path) {
-+ return qc->socket->cid;
-+ }
-+
-+ for (q = ngx_queue_head(&qc->sockets);
-+ q != ngx_queue_sentinel(&qc->sockets);
-+ q = ngx_queue_next(q))
-+ {
-+ qsock = ngx_queue_data(q, ngx_quic_socket_t, queue);
-+
-+ if (qsock->path && qsock->path == path) {
-+ return qsock->cid;
-+ }
-+ }
-+
-+ return NULL;
-+}
-+
-+
 +ngx_int_t
 +ngx_quic_handle_retire_connection_id_frame(ngx_connection_t *c,
 + ngx_quic_retire_cid_frame_t *f)
 +{
-+ ngx_quic_path_t *path;
-+ ngx_quic_socket_t *qsock, **tmp;
-+ ngx_quic_client_id_t *cid;
++ ngx_quic_socket_t *qsock;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
@@ -6190,76 +6173,14 @@ new file mode 100644
 + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 + "quic socket #%uL is retired", qsock->sid.seqnum);
 +
-+ /* check if client is willing to retire sid we have in use */
-+ if (qsock->sid.seqnum == qc->socket->sid.seqnum) {
-+ tmp = &qc->socket;
-+
-+ } else if (qc->backup && qsock->sid.seqnum == qc->backup->sid.seqnum) {
-+ tmp = &qc->backup;
-+
-+ } else {
-+
-+ ngx_quic_close_socket(c, qsock);
-+
-+ /* restore socket count up to a limit after deletion */
-+ if (ngx_quic_create_sockets(c) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_OK;
-+ }
-+
-+ /* preserve path/cid from retired socket */
-+ path = qsock->path;
-+ cid = qsock->cid;
-+
-+ /* ensure that closing_socket will not drop path and cid */
-+ path->refcnt++;
-+ cid->refcnt++;
-+
 + ngx_quic_close_socket(c, qsock);
 +
-+ /* restore original values */
-+ path->refcnt--;
-+ cid->refcnt--;
-+
 + /* restore socket count up to a limit after deletion */
 + if (ngx_quic_create_sockets(c) != NGX_OK) {
-+ goto failed;
-+ }
-+
-+ qsock = ngx_quic_get_unconnected_socket(c);
-+ if (qsock == NULL) {
-+ qc->error = NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
-+ qc->error_reason = "not enough server IDs";
-+ goto failed;
++ return NGX_ERROR;
 + }
 +
-+ ngx_quic_connect(c, qsock, path, cid);
-+
-+ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
-+ "quic %s socket is now #%uL:%uL:%uL (%s)",
-+ (*tmp) == qc->socket ? "active" : "backup",
-+ qsock->sid.seqnum, qsock->cid->seqnum,
-+ qsock->path->seqnum,
-+ ngx_quic_path_state_str(qsock->path));
-+
-+ /* restore active/backup pointer in quic connection */
-+ *tmp = qsock;
-+
 + return NGX_OK;
-+
-+failed:
-+
-+ /*
-+ * socket was closed, path and cid were preserved artifically
-+ * to be reused, but it didn't happen, thus unref here
-+ */
-+
-+ ngx_quic_unref_path(c, path);
-+ ngx_quic_unref_client_id(c, cid);
-+
-+ return NGX_ERROR;
 +}
 +
 +
@@ -6334,70 +6255,39 @@ new file mode 100644
 +}
 +
 +
-+static ngx_int_t
-+ngx_quic_replace_retired_client_id(ngx_connection_t *c,
-+ ngx_quic_client_id_t *retired_cid)
++ngx_int_t
++ngx_quic_free_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
 +{
-+ ngx_queue_t *q;
-+ ngx_quic_socket_t *qsock;
-+ ngx_quic_client_id_t *cid;
++ ngx_quic_frame_t *frame;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
 +
-+ for (q = ngx_queue_head(&qc->sockets);
-+ q != ngx_queue_sentinel(&qc->sockets);
-+ q = ngx_queue_next(q))
-+ {
-+ qsock = ngx_queue_data(q, ngx_quic_socket_t, queue);
-+
-+ if (qsock->cid == retired_cid) {
-+
-+ cid = ngx_quic_next_client_id(c);
-+ if (cid == NULL) {
-+ return NGX_ERROR;
-+ }
-+
-+ qsock->cid = cid;
-+ cid->refcnt++;
-+
-+ ngx_quic_unref_client_id(c, retired_cid);
-+
-+ if (retired_cid->refcnt == 0) {
-+ return NGX_OK;
-+ }
-+ }
++ frame = ngx_quic_alloc_frame(c);
++ if (frame == NULL) {
++ return NGX_ERROR;
 + }
 +
-+ return NGX_OK;
-+}
-+
-+
-+void
-+ngx_quic_unref_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
-+{
-+ ngx_quic_connection_t *qc;
-+
-+ if (cid->refcnt) {
-+ cid->refcnt--;
-+ } /* else: unused client id */
++ frame->level = ssl_encryption_application;
++ frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
++ frame->u.retire_cid.sequence_number = cid->seqnum;
 +
-+ if (cid->refcnt) {
-+ return;
-+ }
++ ngx_quic_queue_frame(qc, frame);
 +
-+ qc = ngx_quic_get_connection(c);
++ /* we are no longer going to use this client id */
 +
 + ngx_queue_remove(&cid->queue);
 + ngx_queue_insert_head(&qc->free_client_ids, &cid->queue);
 +
 + qc->nclient_ids--;
++
++ return NGX_OK;
 +}
 diff --git a/src/event/quic/ngx_event_quic_connid.h b/src/event/quic/ngx_event_quic_connid.h
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic_connid.h
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,29 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -6423,16 +6313,15 @@ new file mode 100644
 +ngx_quic_client_id_t *ngx_quic_create_client_id(ngx_connection_t *c,
 + ngx_str_t *id, uint64_t seqnum, u_char *token);
 +ngx_quic_client_id_t *ngx_quic_next_client_id(ngx_connection_t *c);
-+ngx_quic_client_id_t *ngx_quic_used_client_id(ngx_connection_t *c,
-+ ngx_quic_path_t *path);
-+void ngx_quic_unref_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid);
++ngx_int_t ngx_quic_free_client_id(ngx_connection_t *c,
++ ngx_quic_client_id_t *cid);
 +
 +#endif /* _NGX_EVENT_QUIC_CONNID_H_INCLUDED_ */
 diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic_frames.c
-@@ -0,0 +1,811 @@
+@@ -0,0 +1,813 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -6971,14 +6860,16 @@ new file mode 100644
 + continue;
 + }
 +
-+ for (p = b->pos + offset; p != b->last && in; /* void */ ) {
++ p = b->pos + offset;
++
++ while (in) {
 +
 + if (!ngx_buf_in_memory(in->buf) || in->buf->pos == in->buf->last) {
 + in = in->next;
 + continue;
 + }
 +
-+ if (limit == 0) {
++ if (p == b->last || limit == 0) {
 + break;
 + }
 +
@@ -7295,7 +7186,7 @@ diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_even
 new file mode 100644
 --- /dev/null
 +++ b/src/event/quic/ngx_event_quic_migration.c
-@@ -0,0 +1,689 @@
+@@ -0,0 +1,672 @@
 +
 +/*
 + * Copyright (C) Nginx, Inc.
@@ -7314,17 +7205,14 @@ new file mode 100644
 + ngx_quic_path_t *path);
 +static ngx_int_t ngx_quic_send_path_challenge(ngx_connection_t *c,
 + ngx_quic_path_t *path);
-+static ngx_int_t ngx_quic_path_restore(ngx_connection_t *c);
-+static ngx_quic_path_t *ngx_quic_alloc_path(ngx_connection_t *c);
++static ngx_quic_path_t *ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag);
 +
 +
 +ngx_int_t
 +ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
-+ ngx_quic_path_challenge_frame_t *f)
++ ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f)
 +{
-+ ngx_quic_path_t *path;
 + ngx_quic_frame_t frame, *fp;
-+ ngx_quic_socket_t *qsock;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
@@ -7341,18 +7229,16 @@ new file mode 100644
 + * A PATH_RESPONSE frame MUST be sent on the network path where the
 + * PATH_CHALLENGE frame was received.
 + */
-+ qsock = ngx_quic_get_socket(c);
-+ path = qsock->path;
 +
 + /*
 + * An endpoint MUST expand datagrams that contain a PATH_RESPONSE frame
 + * to at least the smallest allowed maximum datagram size of 1200 bytes.
 + */
-+ if (ngx_quic_frame_sendto(c, &frame, 1200, path) != NGX_OK) {
++ if (ngx_quic_frame_sendto(c, &frame, 1200, pkt->path) != NGX_OK) {
 + return NGX_ERROR;
 + }
 +
-+ if (qsock == qc->socket) {
++ if (pkt->path == qc->path) {
 + /*
 + * RFC 9000, 9.3.3. Off-Path Packet Forwarding
 + *
@@ -7399,7 +7285,7 @@ new file mode 100644
 + {
 + path = ngx_queue_data(q, ngx_quic_path_t, queue);
 +
-+ if (path->state != NGX_QUIC_PATH_VALIDATING) {
++ if (!path->validating) {
 + continue;
 + }
 +
@@ -7410,7 +7296,7 @@ new file mode 100644
 + }
 + }
 +
-+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 + "quic stale PATH_RESPONSE ignored");
 +
 + return NGX_OK;
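Review bot: The padded 1200-byte PATH_RESPONSE (hunk at -7341) now goes to `pkt->path`, which for a packet from a new address is a freshly created probe path with `limited` set and not yet validated. Nothing in this hunk shows the anti-amplification budget being consulted before `ngx_quic_frame_sendto(c, &frame, 1200, pkt->path)`, and RFC 9000 section 8.2.2 forbids the expansion when the result would exceed that limit. If ngx_quic_frame_sendto() enforces the limit for limited paths, a one-line comment above the call such as `/* ngx_quic_frame_sendto() applies the anti-amplification limit */` would record that; otherwise the check belongs here. The function body continues outside the hunk.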
@@ -7428,8 +7314,9 @@ new file mode 100644
 +
 + rst = 1;
 +
-+ if (qc->backup) {
-+ prev = qc->backup->path;
++ prev = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP);
++
++ if (prev != NULL) {
 +
 + if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen,
 + path->sockaddr, path->socklen, 0)
@@ -7462,20 +7349,24 @@ new file mode 100644
 + }
 +
 + ngx_log_error(NGX_LOG_INFO, c->log, 0,
-+ "quic path #%uL successfully validated", path->seqnum);
++ "quic path #%uL addr:%V successfully validated",
++ path->seqnum, &path->addr_text);
++
++ ngx_quic_path_dbg(c, "is validated", path);
 +
-+ path->state = NGX_QUIC_PATH_VALIDATED;
++ path->validated = 1;
++ path->validating = 0;
 + path->limited = 0;
 +
 + return NGX_OK;
 +}
 +
 +
-+static ngx_quic_path_t *
-+ngx_quic_alloc_path(ngx_connection_t *c)
++ngx_quic_path_t *
++ngx_quic_new_path(ngx_connection_t *c,
++ struct sockaddr *sockaddr, socklen_t socklen, ngx_quic_client_id_t *cid)
 +{
 + ngx_queue_t *q;
-+ struct sockaddr *sa;
 + ngx_quic_path_t *path;
 + ngx_quic_connection_t *qc;
 +
@@ -7488,9 +7379,7 @@ new file mode 100644
 +
 + ngx_queue_remove(&path->queue);
 +
-+ sa = path->sockaddr;
 + ngx_memzero(path, sizeof(ngx_quic_path_t));
-+ path->sockaddr = sa;
 +
 + } else {
 +
@@ -7498,37 +7387,18 @@ new file mode 100644
 + if (path == NULL) {
 + return NULL;
 + }
-+
-+ path->sockaddr = ngx_palloc(c->pool, NGX_SOCKADDRLEN);
-+ if (path->sockaddr == NULL) {
-+ return NULL;
-+ }
 + }
 +
-+ return path;
-+}
-+
-+
-+ngx_quic_path_t *
-+ngx_quic_add_path(ngx_connection_t *c, struct sockaddr *sockaddr,
-+ socklen_t socklen)
-+{
-+ ngx_quic_path_t *path;
-+ ngx_quic_connection_t *qc;
-+
-+ qc = ngx_quic_get_connection(c);
++ ngx_queue_insert_tail(&qc->paths, &path->queue);
 +
-+ path = ngx_quic_alloc_path(c);
-+ if (path == NULL) {
-+ return NULL;
-+ }
++ path->cid = cid;
++ cid->used = 1;
 +
-+ path->state = NGX_QUIC_PATH_NEW;
 + path->limited = 1;
 +
 + path->seqnum = qc->path_seqnum++;
-+ path->last_seen = ngx_current_msec;
 +
++ path->sockaddr = &path->sa.sockaddr;
 + path->socklen = socklen;
 + ngx_memcpy(path->sockaddr, sockaddr, socklen);
 +
@@ -7536,19 +7406,15 @@ new file mode 100644
 + path->addr_text.len = ngx_sock_ntop(sockaddr, socklen, path->text,
 + NGX_SOCKADDR_STRLEN, 1);
 +
-+ ngx_queue_insert_tail(&qc->paths, &path->queue);
-+
 + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-+ "quic path #%uL created src:%V",
++ "quic path #%uL created addr:%V",
 + path->seqnum, &path->addr_text);
-+
 + return path;
 +}
 +
 +
-+ngx_quic_path_t *
-+ngx_quic_find_path(ngx_connection_t *c, struct sockaddr *sockaddr,
-+ socklen_t socklen)
++static ngx_quic_path_t *
++ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag)
 +{
 + ngx_queue_t *q;
 + ngx_quic_path_t *path;
@@ -7562,10 +7428,7 @@ new file mode 100644
 + {
 + path = ngx_queue_data(q, ngx_quic_path_t, queue);
 +
-+ if (ngx_cmp_sockaddr(sockaddr, socklen,
-+ path->sockaddr, path->socklen, 1)
-+ == NGX_OK)
-+ {
++ if (path->tag == tag) {
 + return path;
 + }
 + }
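Review bot: `ngx_memcpy(path->sockaddr, sockaddr, socklen)` (hunk at -7498) now writes into the embedded `path->sa`, and ngx_quic_new_path() never compares `socklen` with the size of that field. The caller visible in this patch passes `c->udp->dgram->socklen`, which is presumably already bounded by the receive path, but the function is non-static and takes the length from its caller. I would reject oversized input at the top, before the path is linked into `qc->paths`: `if (socklen > (socklen_t) sizeof(ngx_sockaddr_t)) { return NULL; }`. The start of the function is in the previous hunk.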
@@ -7575,83 +7438,92 @@ new file mode 100644
 +
 +
 +ngx_int_t
-+ngx_quic_update_paths(ngx_connection_t *c, ngx_quic_header_t *pkt)
++ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
 +{
 + off_t len;
-+ ngx_quic_path_t *path;
++ ngx_queue_t *q;
++ ngx_quic_path_t *path, *probe;
 + ngx_quic_socket_t *qsock;
++ ngx_quic_send_ctx_t *ctx;
 + ngx_quic_client_id_t *cid;
 + ngx_quic_connection_t *qc;
 +
 + qc = ngx_quic_get_connection(c);
 + qsock = ngx_quic_get_socket(c);
 +
++ len = pkt->raw->last - pkt->raw->start;
++
 + if (c->udp->dgram == NULL) {
-+ /* 1st ever packet in connection, path already exists */
-+ path = qsock->path;
++ /* first ever packet in connection, path already exists */
++ path = qc->path;
 + goto update;
 + }
 +
-+ path = ngx_quic_find_path(c, c->udp->dgram->sockaddr,
-+ c->udp->dgram->socklen);
-+
-+ if (path == NULL) {
-+ path = ngx_quic_add_path(c, c->udp->dgram->sockaddr,
-+ c->udp->dgram->socklen);
-+ if (path == NULL) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (qsock->path) {
-+ /* NAT rebinding case: packet to same CID, but from new address */
++ probe = NULL;
 +
-+ ngx_quic_unref_path(c, qsock->path);
-+
-+ qsock->path = path;
-+ path->refcnt++;
++ for (q = ngx_queue_head(&qc->paths);
++ q != ngx_queue_sentinel(&qc->paths);
++ q = ngx_queue_next(q))
++ {
++ path = ngx_queue_data(q, ngx_quic_path_t, queue);
 +
++ if (ngx_cmp_sockaddr(c->udp->dgram->sockaddr, c->udp->dgram->socklen,
++ path->sockaddr, path->socklen, 1)
++ == NGX_OK)
++ {
 + goto update;
 + }
 +
-+ } else if (qsock->path) {
-+ goto update;
++ if (path->tag == NGX_QUIC_PATH_PROBE) {
++ probe = path;
++ }
 + }
 +
-+ /* prefer unused client IDs if available */
-+ cid = ngx_quic_next_client_id(c);
-+ if (cid == NULL) {
++ /* packet from new path, drop current probe, if any */
 +
-+ /* try to reuse connection ID used on the same path */
-+ cid = ngx_quic_used_client_id(c, path);
-+ if (cid == NULL) {
++ ctx = ngx_quic_get_send_ctx(qc, pkt->level);
 +
-+ qc->error = 
NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
-+ qc->error_reason = "no available client ids for new path";
++ /*
++ * only accept highest-numbered packets to prevent connection id
++ * exhaustion by excessive probing packets from unknown paths
++ */
++ if (pkt->pn != ctx->largest_pn) {
++ return NGX_DONE;
++ }
 +
-+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
-+ "no available client ids for new path");
++ if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
++ return NGX_ERROR;
++ }
 +
-+ return NGX_ERROR;
-+ }
++ /* new path requires new client id */
++ cid = ngx_quic_next_client_id(c);
++ if (cid == NULL) {
++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
++ "quic no available client ids for new path");
++ /* stop processing of this datagram */
++ return NGX_DONE;
 + }
 +
-+ ngx_quic_connect(c, qsock, path, cid);
++ path = ngx_quic_new_path(c, c->udp->dgram->sockaddr,
++ c->udp->dgram->socklen, cid);
++ if (path == NULL) {
++ return NGX_ERROR;
++ }
 +
-+update:
++ path->tag = NGX_QUIC_PATH_PROBE;
 +
-+ if (path->state != NGX_QUIC_PATH_NEW) {
-+ /* force limits/revalidation for paths that were not seen recently */
-+ if (ngx_current_msec - path->last_seen > qc->tp.max_idle_timeout) {
*** 878 LINES SKIPPED ***