1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
|
#include <import/eb64tree.h>
#include <import/ebmbtree.h>
#include <haproxy/pool.h>
#include <haproxy/quic_cid.h>
#include <haproxy/quic_conn.h>
#include <haproxy/quic_rx-t.h>
#include <haproxy/quic_trace.h>
#include <haproxy/trace.h>
#include <haproxy/xxhash.h>
/* Initialize the stateless reset token attached to <conn_id> connection ID.
* Returns 1 if succeeded, 0 if not.
*/
static int quic_stateless_reset_token_init(struct quic_connection_id *conn_id)
{
/* Output secret */
unsigned char *token = conn_id->stateless_reset_token;
size_t tokenlen = sizeof conn_id->stateless_reset_token;
/* Salt */
const unsigned char *cid = conn_id->cid.data;
size_t cidlen = conn_id->cid.len;
return quic_stateless_reset_token_cpy(token, tokenlen, cid, cidlen);
}
/* Generate a CID directly derived from <orig> CID and <addr> address.
*
* Returns the derived CID.
*/
struct quic_cid quic_derive_cid(const struct quic_cid *orig,
const struct sockaddr_storage *addr)
{
struct quic_cid cid;
const struct sockaddr_in *in;
const struct sockaddr_in6 *in6;
char *pos = trash.area;
size_t idx = 0;
uint64_t hash;
int i;
/* Prepare buffer for hash using original CID first. */
memcpy(pos, orig->data, orig->len);
idx += orig->len;
/* Concatenate client address. */
switch (addr->ss_family) {
case AF_INET:
in = (struct sockaddr_in *)addr;
memcpy(&pos[idx], &in->sin_addr, sizeof(in->sin_addr));
idx += sizeof(in->sin_addr);
memcpy(&pos[idx], &in->sin_port, sizeof(in->sin_port));
idx += sizeof(in->sin_port);
break;
case AF_INET6:
in6 = (struct sockaddr_in6 *)addr;
memcpy(&pos[idx], &in6->sin6_addr, sizeof(in6->sin6_addr));
idx += sizeof(in6->sin6_addr);
memcpy(&pos[idx], &in6->sin6_port, sizeof(in6->sin6_port));
idx += sizeof(in6->sin6_port);
break;
default:
/* TODO to implement */
ABORT_NOW();
}
/* Avoid similar values between multiple haproxy process. */
memcpy(&pos[idx], boot_seed, sizeof(boot_seed));
idx += sizeof(boot_seed);
/* Hash the final buffer content. */
hash = XXH64(pos, idx, 0);
for (i = 0; i < sizeof(hash); ++i)
cid.data[i] = hash >> ((sizeof(hash) * 7) - (8 * i));
cid.len = sizeof(hash);
return cid;
}
/* Allocate a new CID and attach it to <root> ebtree.
*
* If <orig> and <addr> params are non null, the new CID value is directly
* derived from them. Else a random value is generated. The CID is then marked
* with the current thread ID.
*
* Returns the new CID if succeeded, NULL if not.
*/
struct quic_connection_id *new_quic_cid(struct eb_root *root,
struct quic_conn *qc,
const struct quic_cid *orig,
const struct sockaddr_storage *addr)
{
struct quic_connection_id *conn_id;
TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc);
/* Caller must set either none or both values. */
BUG_ON(!!orig != !!addr);
conn_id = pool_alloc(pool_head_quic_connection_id);
if (!conn_id) {
TRACE_ERROR("cid allocation failed", QUIC_EV_CONN_TXPKT, qc);
goto err;
}
conn_id->cid.len = QUIC_HAP_CID_LEN;
if (!orig) {
if (quic_newcid_from_hash64)
quic_newcid_from_hash64(conn_id->cid.data, conn_id->cid.len, qc->hash64,
global.cluster_secret, sizeof(global.cluster_secret));
else if (RAND_bytes(conn_id->cid.data, conn_id->cid.len) != 1) {
/* TODO: RAND_bytes() should be replaced */
TRACE_ERROR("RAND_bytes() failed", QUIC_EV_CONN_TXPKT, qc);
goto err;
}
}
else {
/* Derive the new CID value from original CID. */
conn_id->cid = quic_derive_cid(orig, addr);
}
if (quic_stateless_reset_token_init(conn_id) != 1) {
TRACE_ERROR("quic_stateless_reset_token_init() failed", QUIC_EV_CONN_TXPKT, qc);
goto err;
}
conn_id->qc = qc;
HA_ATOMIC_STORE(&conn_id->tid, tid);
conn_id->seq_num.key = qc ? qc->next_cid_seq_num++ : 0;
conn_id->retire_prior_to = 0;
/* insert the allocated CID in the quic_conn tree */
if (root)
eb64_insert(root, &conn_id->seq_num);
TRACE_LEAVE(QUIC_EV_CONN_TXPKT, qc);
return conn_id;
err:
pool_free(pool_head_quic_connection_id, conn_id);
TRACE_LEAVE(QUIC_EV_CONN_TXPKT, qc);
return NULL;
}
/* Retrieve the thread ID associated to QUIC connection ID <cid> of length
* <cid_len>. CID may be not found on the CID tree because it is an ODCID. In
* this case, it will derived using client address <cli_addr> as hash
* parameter. However, this is done only if <pos> points to an INITIAL or 0RTT
* packet of length <len>.
*
* Returns the thread ID or a negative error code.
*/
int quic_get_cid_tid(const unsigned char *cid, size_t cid_len,
const struct sockaddr_storage *cli_addr,
unsigned char *pos, size_t len)
{
struct quic_cid_tree *tree;
struct quic_connection_id *conn_id;
struct ebmb_node *node;
tree = &quic_cid_trees[_quic_cid_tree_idx(cid)];
HA_RWLOCK_RDLOCK(QC_CID_LOCK, &tree->lock);
node = ebmb_lookup(&tree->root, cid, cid_len);
HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);
if (!node) {
struct quic_cid orig, derive_cid;
struct quic_rx_packet pkt;
if (!qc_parse_hd_form(&pkt, &pos, pos + len))
goto not_found;
if (pkt.type != QUIC_PACKET_TYPE_INITIAL &&
pkt.type != QUIC_PACKET_TYPE_0RTT) {
goto not_found;
}
memcpy(orig.data, cid, cid_len);
orig.len = cid_len;
derive_cid = quic_derive_cid(&orig, cli_addr);
tree = &quic_cid_trees[quic_cid_tree_idx(&derive_cid)];
HA_RWLOCK_RDLOCK(QC_CID_LOCK, &tree->lock);
node = ebmb_lookup(&tree->root, cid, cid_len);
HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);
}
if (!node)
goto not_found;
conn_id = ebmb_entry(node, struct quic_connection_id, node);
return HA_ATOMIC_LOAD(&conn_id->tid);
not_found:
return -1;
}
/* Retrieve a quic_conn instance from the <pkt> DCID field. If the packet is an
* INITIAL or 0RTT type, we may have to use client address <saddr> if an ODCID
* is used.
*
* Returns the instance or NULL if not found.
*/
struct quic_conn *retrieve_qc_conn_from_cid(struct quic_rx_packet *pkt,
struct sockaddr_storage *saddr,
int *new_tid)
{
struct quic_conn *qc = NULL;
struct ebmb_node *node;
struct quic_connection_id *conn_id;
struct quic_cid_tree *tree;
uint conn_id_tid;
TRACE_ENTER(QUIC_EV_CONN_RXPKT);
*new_tid = -1;
/* First look into DCID tree. */
tree = &quic_cid_trees[_quic_cid_tree_idx(pkt->dcid.data)];
HA_RWLOCK_RDLOCK(QC_CID_LOCK, &tree->lock);
node = ebmb_lookup(&tree->root, pkt->dcid.data, pkt->dcid.len);
/* If not found on an Initial/0-RTT packet, it could be because an
* ODCID is reused by the client. Calculate the derived CID value to
* retrieve it from the DCID tree.
*/
if (!node && (pkt->type == QUIC_PACKET_TYPE_INITIAL ||
pkt->type == QUIC_PACKET_TYPE_0RTT)) {
const struct quic_cid derive_cid = quic_derive_cid(&pkt->dcid, saddr);
HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);
tree = &quic_cid_trees[quic_cid_tree_idx(&derive_cid)];
HA_RWLOCK_RDLOCK(QC_CID_LOCK, &tree->lock);
node = ebmb_lookup(&tree->root, derive_cid.data, derive_cid.len);
}
if (!node)
goto end;
conn_id = ebmb_entry(node, struct quic_connection_id, node);
conn_id_tid = HA_ATOMIC_LOAD(&conn_id->tid);
if (conn_id_tid != tid) {
*new_tid = conn_id_tid;
goto end;
}
qc = conn_id->qc;
end:
HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);
TRACE_LEAVE(QUIC_EV_CONN_RXPKT, qc);
return qc;
}
/* Build a NEW_CONNECTION_ID frame for <conn_id> CID of <qc> connection.
*
* Returns 1 on success else 0.
*/
int qc_build_new_connection_id_frm(struct quic_conn *qc,
struct quic_connection_id *conn_id)
{
int ret = 0;
struct quic_frame *frm;
struct quic_enc_level *qel;
TRACE_ENTER(QUIC_EV_CONN_PRSHPKT, qc);
qel = qc->ael;
frm = qc_frm_alloc(QUIC_FT_NEW_CONNECTION_ID);
if (!frm) {
TRACE_ERROR("frame allocation error", QUIC_EV_CONN_IO_CB, qc);
goto leave;
}
quic_connection_id_to_frm_cpy(frm, conn_id);
LIST_APPEND(&qel->pktns->tx.frms, &frm->list);
ret = 1;
leave:
TRACE_LEAVE(QUIC_EV_CONN_PRSHPKT, qc);
return ret;
}
|
