diff options
| author | Vladimir Homutov <vl@nginx.com> | 2020-03-17 14:10:37 +0300 |
|---|---|---|
| committer | Vladimir Homutov <vl@nginx.com> | 2020-03-17 14:10:37 +0300 |
| commit | cd54c1cab72bf6fa4a2c935d31f739c0fc4a265c (patch) | |
| tree | b20c89b16a490b754336e9273c423328ac8d12d1 /src | |
| parent | ca7943393ef1d355c1bde7df91e3f652a4400424 (diff) | |
| download | nginx-cd54c1cab72bf6fa4a2c935d31f739c0fc4a265c.tar.gz nginx-cd54c1cab72bf6fa4a2c935d31f739c0fc4a265c.zip | |
Firefox fixes.
+ support for more than one initial packet
+ workaround for trailing zeroes in packet
+ ignore application data packet if no keys yet (issue in draft 27/ff nightly)
+ fixed PING frame parser
+ STREAM frames need to be acknowledged
The following HTTP configuration is used for firefox (v74):
http {
ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
ssl_protocols TLSv1.2 TLSv1.3;
server {
listen 127.0.0.1:10368 reuseport http3;
ssl_quic on;
server_name localhost;
location / {
return 200 "This-is-QUICK\n";
}
}
server {
listen 127.0.0.1:5555 ssl; # point the browser here
server_name localhost;
location / {
add_header Alt-Svc 'h3-24=":10368";ma=100';
return 200 "ALT-SVC";
}
}
}
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_quic.c | 67 | ||||
| -rw-r--r-- | src/event/ngx_event_quic.h | 3 |
2 files changed, 62 insertions, 8 deletions
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c index ffa54bd15..410fa0fcd 100644 --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -205,6 +205,8 @@ static void ngx_quic_rbtree_insert_stream(ngx_rbtree_node_t *temp, static void ngx_quic_handshake_handler(ngx_event_t *rev); static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt); +static ngx_int_t ngx_quic_initial_input(ngx_connection_t *c, + ngx_quic_header_t *pkt); static ngx_int_t ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt); @@ -389,6 +391,7 @@ static ngx_int_t ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b) { u_char *p; + ngx_int_t rc; ngx_quic_header_t pkt; if (c->quic == NULL) { @@ -405,16 +408,33 @@ ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b) pkt.data = p; pkt.len = b->last - p; + if (p[0] == 0) { + /* XXX: no idea WTF is this, just ignore */ + ngx_log_error(NGX_LOG_ALERT, c->log, 0, "FIREFOX: ZEROES"); + break; + } + + // TODO: check current state if (p[0] & NGX_QUIC_PKT_LONG) { - // TODO: check current state - if (ngx_quic_handshake_input(c, &pkt) != NGX_OK) { + + if ((p[0] & 0xf0) == NGX_QUIC_PKT_INITIAL) { + rc = ngx_quic_initial_input(c, &pkt); + + } else if ((p[0] & 0xf0) == NGX_QUIC_PKT_HANDSHAKE) { + rc = ngx_quic_handshake_input(c, &pkt); + + } else { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "BUG: unknown quic state"); return NGX_ERROR; } + } else { + rc = ngx_quic_app_input(c, &pkt); + } - if (ngx_quic_app_input(c, &pkt) != NGX_OK) { - return NGX_ERROR; - } + if (rc == NGX_ERROR) { + return NGX_ERROR; } /* b->pos is at header end, adjust by actual packet length */ @@ -1073,7 +1093,6 @@ ngx_quic_read_frame(ngx_connection_t *c, u_char *start, u_char *end, case NGX_QUIC_FT_PING: ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "PING frame"); - p++; break; case NGX_QUIC_FT_NEW_CONNECTION_ID: @@ -1489,6 +1508,8 @@ ngx_quic_payload_handler(ngx_connection_t *c, ngx_quic_header_t *pkt) case NGX_QUIC_FT_STREAM6: case NGX_QUIC_FT_STREAM7: + ack_this = 1; + ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0, "STREAM frame 0x%xi id 0x%xi offset 0x%xi len 0x%xi bits:off=%d len=%d fin=%d", frame.type, @@ -1775,6 +1796,34 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, static ngx_int_t +ngx_quic_initial_input(ngx_connection_t *c, ngx_quic_header_t *pkt) +{ + ngx_ssl_conn_t *ssl_conn; + ngx_quic_connection_t *qc; + + qc = c->quic; + ssl_conn = c->ssl->connection; + + if (ngx_quic_process_long_header(c, pkt) != NGX_OK) { + return NGX_ERROR; + } + + if (ngx_quic_process_initial_header(c, pkt) != NGX_OK) { + return NGX_ERROR; + } + + pkt->secret = &qc->secrets.client.in; + pkt->level = ssl_encryption_initial; + + if (ngx_quic_decrypt(c->pool, ssl_conn, pkt) != NGX_OK) { + return NGX_ERROR; + } + + return ngx_quic_payload_handler(c, pkt); +} + + +static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c, ngx_quic_header_t *pkt) { ngx_ssl_conn_t *ssl_conn; @@ -1836,7 +1885,11 @@ ngx_quic_app_input(ngx_connection_t *c, ngx_quic_header_t *pkt) qc = c->quic; - /* TODO: this is a stub, untested */ + if (qc->secrets.client.ad.key.len == 0) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "no read keys yet, packet ignored"); + return NGX_DECLINED; + } if (ngx_quic_process_short_header(c, pkt) != NGX_OK) { return NGX_ERROR; diff --git a/src/event/ngx_event_quic.h b/src/event/ngx_event_quic.h index faa35c9ab..252875569 100644 --- a/src/event/ngx_event_quic.h +++ b/src/event/ngx_event_quic.h @@ -11,7 +11,8 @@ #include <ngx_event_openssl.h> -#define quic_version 0xff000018 /* draft-24 */ +#define quic_version 0xff000018 /* draft-24 (ngtcp2) */ +//#define quic_version 0xff00001b /* draft-27 (FFN 76) */ /* 17.2. Long Header Packets */ |