blob: 1ffb383d0dd47eb779b095ffa30a2ed350be935c [file] [log] [blame] [edit]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "quiche/quic/core/quic_dispatcher.h"
#include <openssl/ssl.h>
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <list>
#include <memory>
#include <optional>
#include <ostream>
#include <string>
#include <utility>
#include <vector>
#include "absl/base/attributes.h"
#include "absl/base/macros.h"
#include "absl/base/optimization.h"
#include "absl/container/flat_hash_set.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "quiche/quic/core/chlo_extractor.h"
#include "quiche/quic/core/connection_id_generator.h"
#include "quiche/quic/core/crypto/crypto_handshake_message.h"
#include "quiche/quic/core/crypto/crypto_protocol.h"
#include "quiche/quic/core/crypto/quic_compressed_certs_cache.h"
#include "quiche/quic/core/frames/quic_connection_close_frame.h"
#include "quiche/quic/core/frames/quic_frame.h"
#include "quiche/quic/core/frames/quic_rst_stream_frame.h"
#include "quiche/quic/core/frames/quic_stop_sending_frame.h"
#include "quiche/quic/core/quic_alarm.h"
#include "quiche/quic/core/quic_alarm_factory.h"
#include "quiche/quic/core/quic_blocked_writer_interface.h"
#include "quiche/quic/core/quic_buffered_packet_store.h"
#include "quiche/quic/core/quic_connection.h"
#include "quiche/quic/core/quic_connection_id.h"
#include "quiche/quic/core/quic_constants.h"
#include "quiche/quic/core/quic_crypto_server_stream_base.h"
#include "quiche/quic/core/quic_data_writer.h"
#include "quiche/quic/core/quic_error_codes.h"
#include "quiche/quic/core/quic_framer.h"
#include "quiche/quic/core/quic_packet_creator.h"
#include "quiche/quic/core/quic_packet_number.h"
#include "quiche/quic/core/quic_packet_writer.h"
#include "quiche/quic/core/quic_packets.h"
#include "quiche/quic/core/quic_session.h"
#include "quiche/quic/core/quic_stream_frame_data_producer.h"
#include "quiche/quic/core/quic_stream_send_buffer.h"
#include "quiche/quic/core/quic_time.h"
#include "quiche/quic/core/quic_time_wait_list_manager.h"
#include "quiche/quic/core/quic_types.h"
#include "quiche/quic/core/quic_utils.h"
#include "quiche/quic/core/quic_version_manager.h"
#include "quiche/quic/core/quic_versions.h"
#include "quiche/quic/core/tls_chlo_extractor.h"
#include "quiche/quic/platform/api/quic_bug_tracker.h"
#include "quiche/quic/platform/api/quic_flag_utils.h"
#include "quiche/quic/platform/api/quic_flags.h"
#include "quiche/quic/platform/api/quic_logging.h"
#include "quiche/quic/platform/api/quic_socket_address.h"
#include "quiche/quic/platform/api/quic_stack_trace.h"
#include "quiche/common/platform/api/quiche_logging.h"
#include "quiche/common/print_elements.h"
#include "quiche/common/quiche_buffer_allocator.h"
#include "quiche/common/quiche_callbacks.h"
#include "quiche/common/quiche_text_utils.h"
namespace quic {
using BufferedPacket = QuicBufferedPacketStore::BufferedPacket;
using BufferedPacketList = QuicBufferedPacketStore::BufferedPacketList;
using EnqueuePacketResult = QuicBufferedPacketStore::EnqueuePacketResult;
namespace {
// Minimal INITIAL packet length sent by clients is 1200.
const QuicPacketLength kMinClientInitialPacketLength = 1200;
// An alarm that informs the QuicDispatcher to delete old sessions.
class DeleteSessionsAlarm : public QuicAlarm::DelegateWithoutContext {
public:
explicit DeleteSessionsAlarm(QuicDispatcher* dispatcher)
: dispatcher_(dispatcher) {}
DeleteSessionsAlarm(const DeleteSessionsAlarm&) = delete;
DeleteSessionsAlarm& operator=(const DeleteSessionsAlarm&) = delete;
void OnAlarm() override { dispatcher_->DeleteSessions(); }
private:
// Not owned.
QuicDispatcher* dispatcher_;
};
// An alarm that informs the QuicDispatcher to clear
// recent_stateless_reset_addresses_.
class ClearStatelessResetAddressesAlarm
: public QuicAlarm::DelegateWithoutContext {
public:
explicit ClearStatelessResetAddressesAlarm(QuicDispatcher* dispatcher)
: dispatcher_(dispatcher) {}
ClearStatelessResetAddressesAlarm(const DeleteSessionsAlarm&) = delete;
ClearStatelessResetAddressesAlarm& operator=(const DeleteSessionsAlarm&) =
delete;
void OnAlarm() override { dispatcher_->ClearStatelessResetAddresses(); }
private:
// Not owned.
QuicDispatcher* dispatcher_;
};
// Helper for statelessly closing connections by generating the
// correct termination packets and adding the connection to the time wait
// list manager.
class StatelessConnectionTerminator {
public:
StatelessConnectionTerminator(QuicConnectionId server_connection_id,
QuicConnectionId original_server_connection_id,
const ParsedQuicVersion version,
QuicPacketNumber last_sent_packet_number,
QuicConnectionHelperInterface* helper,
QuicTimeWaitListManager* time_wait_list_manager)
: server_connection_id_(server_connection_id),
framer_(ParsedQuicVersionVector{version},
/*unused*/ QuicTime::Zero(), Perspective::IS_SERVER,
/*unused*/ kQuicDefaultConnectionIdLength),
collector_(helper->GetStreamSendBufferAllocator()),
creator_(server_connection_id, &framer_, &collector_),
time_wait_list_manager_(time_wait_list_manager) {
framer_.set_data_producer(&collector_);
// Always set encrypter with original_server_connection_id.
framer_.SetInitialObfuscators(original_server_connection_id);
if (last_sent_packet_number.IsInitialized()) {
QUICHE_DCHECK(
GetQuicRestartFlag(quic_dispatcher_ack_buffered_initial_packets));
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets, 3,
8);
creator_.set_packet_number(last_sent_packet_number);
}
}
~StatelessConnectionTerminator() {
// Clear framer's producer.
framer_.set_data_producer(nullptr);
}
// Generates a packet containing a CONNECTION_CLOSE frame specifying
// |error_code| and |error_details| and add the connection to time wait.
void CloseConnection(QuicErrorCode error_code,
const std::string& error_details, bool ietf_quic,
std::vector<QuicConnectionId> active_connection_ids) {
SerializeConnectionClosePacket(error_code, error_details);
time_wait_list_manager_->AddConnectionIdToTimeWait(
QuicTimeWaitListManager::SEND_TERMINATION_PACKETS,
TimeWaitConnectionInfo(ietf_quic, collector_.packets(),
std::move(active_connection_ids),
/*srtt=*/QuicTime::Delta::Zero()));
}
private:
void SerializeConnectionClosePacket(QuicErrorCode error_code,
const std::string& error_details) {
QuicConnectionCloseFrame* frame =
new QuicConnectionCloseFrame(framer_.transport_version(), error_code,
NO_IETF_QUIC_ERROR, error_details,
/*transport_close_frame_type=*/0);
if (!creator_.AddFrame(QuicFrame(frame), NOT_RETRANSMISSION)) {
QUIC_BUG(quic_bug_10287_1) << "Unable to add frame to an empty packet";
delete frame;
return;
}
creator_.FlushCurrentPacket();
QUICHE_DCHECK_EQ(1u, collector_.packets()->size());
}
QuicConnectionId server_connection_id_;
QuicFramer framer_;
// Set as the visitor of |creator_| to collect any generated packets.
PacketCollector collector_;
QuicPacketCreator creator_;
QuicTimeWaitListManager* time_wait_list_manager_;
};
// Class which extracts the ALPN and SNI from a QUIC_CRYPTO CHLO packet.
class ChloAlpnSniExtractor : public ChloExtractor::Delegate {
public:
void OnChlo(QuicTransportVersion /*version*/,
QuicConnectionId /*server_connection_id*/,
const CryptoHandshakeMessage& chlo) override {
absl::string_view alpn_value;
if (chlo.GetStringPiece(kALPN, &alpn_value)) {
alpn_ = std::string(alpn_value);
}
absl::string_view sni;
if (chlo.GetStringPiece(quic::kSNI, &sni)) {
sni_ = std::string(sni);
}
absl::string_view uaid_value;
if (chlo.GetStringPiece(quic::kUAID, &uaid_value)) {
uaid_ = std::string(uaid_value);
}
}
std::string&& ConsumeAlpn() { return std::move(alpn_); }
std::string&& ConsumeSni() { return std::move(sni_); }
std::string&& ConsumeUaid() { return std::move(uaid_); }
private:
std::string alpn_;
std::string sni_;
std::string uaid_;
};
} // namespace
QuicDispatcher::QuicDispatcher(
const QuicConfig* config, const QuicCryptoServerConfig* crypto_config,
QuicVersionManager* version_manager,
std::unique_ptr<QuicConnectionHelperInterface> helper,
std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
std::unique_ptr<QuicAlarmFactory> alarm_factory,
uint8_t expected_server_connection_id_length,
ConnectionIdGeneratorInterface& connection_id_generator)
: config_(config),
crypto_config_(crypto_config),
compressed_certs_cache_(
QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
helper_(std::move(helper)),
session_helper_(std::move(session_helper)),
alarm_factory_(std::move(alarm_factory)),
delete_sessions_alarm_(
alarm_factory_->CreateAlarm(new DeleteSessionsAlarm(this))),
buffered_packets_(this, helper_->GetClock(), alarm_factory_.get(),
stats_),
version_manager_(version_manager),
last_error_(QUIC_NO_ERROR),
new_sessions_allowed_per_event_loop_(0u),
accept_new_connections_(true),
expected_server_connection_id_length_(
expected_server_connection_id_length),
clear_stateless_reset_addresses_alarm_(alarm_factory_->CreateAlarm(
new ClearStatelessResetAddressesAlarm(this))),
connection_id_generator_(connection_id_generator) {
QUIC_DLOG(INFO) << "Created QuicDispatcher with versions: "
<< ParsedQuicVersionVectorToString(GetSupportedVersions());
}
QuicDispatcher::~QuicDispatcher() {
if (delete_sessions_alarm_ != nullptr) {
delete_sessions_alarm_->PermanentCancel();
}
if (clear_stateless_reset_addresses_alarm_ != nullptr) {
clear_stateless_reset_addresses_alarm_->PermanentCancel();
}
reference_counted_session_map_.clear();
closed_session_list_.clear();
num_sessions_in_session_map_ = 0;
}
void QuicDispatcher::InitializeWithWriter(QuicPacketWriter* writer) {
QUICHE_DCHECK(writer_ == nullptr);
writer_.reset(writer);
buffered_packets_.set_writer(writer);
time_wait_list_manager_.reset(CreateQuicTimeWaitListManager());
}
void QuicDispatcher::ProcessPacket(const QuicSocketAddress& self_address,
const QuicSocketAddress& peer_address,
const QuicReceivedPacket& packet) {
QUIC_DVLOG(2) << "Dispatcher received encrypted " << packet.length()
<< " bytes:" << std::endl
<< quiche::QuicheTextUtils::HexDump(
absl::string_view(packet.data(), packet.length()));
++stats_.packets_processed;
ReceivedPacketInfo packet_info(self_address, peer_address, packet);
std::string detailed_error;
QuicErrorCode error;
error = QuicFramer::ParsePublicHeaderDispatcherShortHeaderLengthUnknown(
packet, &packet_info.form, &packet_info.long_packet_type,
&packet_info.version_flag, &packet_info.use_length_prefix,
&packet_info.version_label, &packet_info.version,
&packet_info.destination_connection_id, &packet_info.source_connection_id,
&packet_info.retry_token, &detailed_error, connection_id_generator_);
if (error != QUIC_NO_ERROR) {
// Packet has framing error.
SetLastError(error);
QUIC_DLOG(ERROR) << detailed_error;
return;
}
if (packet_info.destination_connection_id.length() !=
expected_server_connection_id_length_ &&
packet_info.version.IsKnown() &&
!packet_info.version.AllowsVariableLengthConnectionIds()) {
SetLastError(QUIC_INVALID_PACKET_HEADER);
QUIC_DLOG(ERROR) << "Invalid Connection Id Length";
return;
}
if (packet_info.version_flag && IsSupportedVersion(packet_info.version)) {
if (!QuicUtils::IsConnectionIdValidForVersion(
packet_info.destination_connection_id,
packet_info.version.transport_version)) {
SetLastError(QUIC_INVALID_PACKET_HEADER);
QUIC_DLOG(ERROR)
<< "Invalid destination connection ID length for version";
return;
}
if (packet_info.version.SupportsClientConnectionIds() &&
!QuicUtils::IsConnectionIdValidForVersion(
packet_info.source_connection_id,
packet_info.version.transport_version)) {
SetLastError(QUIC_INVALID_PACKET_HEADER);
QUIC_DLOG(ERROR) << "Invalid source connection ID length for version";
return;
}
}
#ifndef NDEBUG
// Consult the buffered packet store to see if the packet's DCID is a replaced
// cid generated by us, if so, increment a counter used only by tests.
if (ack_buffered_initial_packets()) {
const BufferedPacketList* packet_list =
buffered_packets_.GetPacketList(packet_info.destination_connection_id);
if (packet_list != nullptr &&
packet_list->replaced_connection_id.has_value() &&
*packet_list->replaced_connection_id ==
packet_info.destination_connection_id) {
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets, 4,
8);
++stats_.packets_processed_with_replaced_cid_in_store;
}
}
#endif
if (MaybeDispatchPacket(packet_info)) {
// Packet has been dropped or successfully dispatched, stop processing.
return;
}
// The framer might have extracted the incorrect Connection ID length from a
// short header. |packet| could be gQUIC; if Q043, the connection ID has been
// parsed correctly thanks to the fixed bit. If a Q046 short header,
// the dispatcher might have assumed it was a long connection ID when (because
// it was gQUIC) it actually issued or kept an 8-byte ID. The other case is
// where NEW_CONNECTION_IDs are not using the generator, and the dispatcher
// is, due to flag misconfiguration.
if (!packet_info.version_flag &&
IsSupportedVersion(ParsedQuicVersion::Q046())) {
ReceivedPacketInfo gquic_packet_info(self_address, peer_address, packet);
// Try again without asking |connection_id_generator_| for the length.
const QuicErrorCode gquic_error = QuicFramer::ParsePublicHeaderDispatcher(
packet, expected_server_connection_id_length_, &gquic_packet_info.form,
&gquic_packet_info.long_packet_type, &gquic_packet_info.version_flag,
&gquic_packet_info.use_length_prefix, &gquic_packet_info.version_label,
&gquic_packet_info.version,
&gquic_packet_info.destination_connection_id,
&gquic_packet_info.source_connection_id, &gquic_packet_info.retry_token,
&detailed_error);
if (gquic_error == QUIC_NO_ERROR) {
if (MaybeDispatchPacket(gquic_packet_info)) {
return;
}
} else {
QUICHE_VLOG(1) << "Tried to parse short header as gQUIC packet: "
<< detailed_error;
}
}
ProcessHeader(&packet_info);
}
namespace {
constexpr bool IsSourceUdpPortBlocked(uint16_t port) {
// These UDP source ports have been observed in large scale denial of service
// attacks and are not expected to ever carry user traffic, they are therefore
// blocked as a safety measure. See section 8.1 of RFC 9308 for details.
// https://www.rfc-editor.org/rfc/rfc9308.html#section-8.1
constexpr uint16_t blocked_ports[] = {
0, // We cannot send to port 0 so drop that source port.
17, // Quote of the Day, can loop with QUIC.
19, // Chargen, can loop with QUIC.
53, // DNS, vulnerable to reflection attacks.
111, // Portmap.
123, // NTP, vulnerable to reflection attacks.
137, // NETBIOS Name Service,
138, // NETBIOS Datagram Service
161, // SNMP.
389, // CLDAP.
500, // IKE, can loop with QUIC.
1900, // SSDP, vulnerable to reflection attacks.
3702, // WS-Discovery, vulnerable to reflection attacks.
5353, // mDNS, vulnerable to reflection attacks.
5355, // LLMNR, vulnerable to reflection attacks.
11211, // memcache, vulnerable to reflection attacks.
// This list MUST be sorted in increasing order.
};
constexpr size_t num_blocked_ports = ABSL_ARRAYSIZE(blocked_ports);
constexpr uint16_t highest_blocked_port =
blocked_ports[num_blocked_ports - 1];
if (ABSL_PREDICT_TRUE(port > highest_blocked_port)) {
// Early-return to skip comparisons for the majority of traffic.
return false;
}
for (size_t i = 0; i < num_blocked_ports; i++) {
if (port == blocked_ports[i]) {
return true;
}
}
return false;
}
} // namespace
bool QuicDispatcher::MaybeDispatchPacket(
const ReceivedPacketInfo& packet_info) {
if (IsSourceUdpPortBlocked(packet_info.peer_address.port())) {
// Silently drop the received packet.
QUIC_CODE_COUNT(quic_dropped_blocked_port);
return true;
}
const QuicConnectionId server_connection_id =
packet_info.destination_connection_id;
// The IETF spec requires the client to generate an initial server
// connection ID that is at least 64 bits long. After that initial
// connection ID, the dispatcher picks a new one of its expected length.
// Therefore we should never receive a connection ID that is smaller
// than 64 bits and smaller than what we expect. Unless the version is
// unknown, in which case we allow short connection IDs for version
// negotiation because that version could allow those.
if (packet_info.version_flag && packet_info.version.IsKnown() &&
IsServerConnectionIdTooShort(server_connection_id)) {
QUICHE_DCHECK(packet_info.version_flag);
QUICHE_DCHECK(packet_info.version.AllowsVariableLengthConnectionIds());
QUIC_DLOG(INFO) << "Packet with short destination connection ID "
<< server_connection_id << " expected "
<< static_cast<int>(expected_server_connection_id_length_);
// Drop the packet silently.
QUIC_CODE_COUNT(quic_dropped_invalid_small_initial_connection_id);
return true;
}
if (packet_info.version_flag && packet_info.version.IsKnown() &&
!QuicUtils::IsConnectionIdLengthValidForVersion(
server_connection_id.length(),
packet_info.version.transport_version)) {
QUIC_DLOG(INFO) << "Packet with destination connection ID "
<< server_connection_id << " is invalid with version "
<< packet_info.version;
// Drop the packet silently.
QUIC_CODE_COUNT(quic_dropped_invalid_initial_connection_id);
return true;
}
// Packets with connection IDs for active connections are processed
// immediately.
auto it = reference_counted_session_map_.find(server_connection_id);
if (it != reference_counted_session_map_.end()) {
QUICHE_DCHECK(!buffered_packets_.HasBufferedPackets(server_connection_id));
it->second->ProcessUdpPacket(packet_info.self_address,
packet_info.peer_address, packet_info.packet);
return true;
}
if (buffered_packets_.HasChloForConnection(server_connection_id)) {
EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
packet_info,
/*parsed_chlo=*/std::nullopt, ConnectionIdGenerator());
switch (rs) {
case EnqueuePacketResult::SUCCESS:
break;
case EnqueuePacketResult::CID_COLLISION:
QUICHE_DCHECK(false) << "Connection " << server_connection_id
<< " already has a CHLO buffered, but "
"EnqueuePacket returned CID_COLLISION.";
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_PACKETS:
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_CONNECTIONS:
OnBufferPacketFailure(rs, packet_info.destination_connection_id);
break;
}
return true;
}
if (OnFailedToDispatchPacket(packet_info)) {
return true;
}
if (time_wait_list_manager_->IsConnectionIdInTimeWait(server_connection_id)) {
// This connection ID is already in time-wait state.
time_wait_list_manager_->ProcessPacket(
packet_info.self_address, packet_info.peer_address,
packet_info.destination_connection_id, packet_info.form,
packet_info.packet.length(), GetPerPacketContext());
return true;
}
// The packet has an unknown connection ID.
if (!accept_new_connections_ && packet_info.version_flag) {
// If not accepting new connections, reject packets with version which can
// potentially result in new connection creation. But if the packet doesn't
// have version flag, leave it to ValidityChecks() to reset it.
// By adding the connection to time wait list, following packets on this
// connection will not reach ShouldAcceptNewConnections().
StatelesslyTerminateConnection(
packet_info.self_address, packet_info.peer_address,
packet_info.destination_connection_id, packet_info.form,
packet_info.version_flag, packet_info.use_length_prefix,
packet_info.version, QUIC_HANDSHAKE_FAILED_REJECTING_ALL_CONNECTIONS,
"Stop accepting new connections",
quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
// Time wait list will reject the packet correspondingly..
time_wait_list_manager()->ProcessPacket(
packet_info.self_address, packet_info.peer_address,
packet_info.destination_connection_id, packet_info.form,
packet_info.packet.length(), GetPerPacketContext());
OnNewConnectionRejected();
return true;
}
// Unless the packet provides a version, assume that we can continue
// processing using our preferred version.
if (packet_info.version_flag) {
if (!IsSupportedVersion(packet_info.version)) {
if (ShouldCreateSessionForUnknownVersion(packet_info)) {
return false;
}
// Since the version is not supported, send a version negotiation
// packet and stop processing the current packet.
MaybeSendVersionNegotiationPacket(packet_info);
return true;
}
if (crypto_config()->validate_chlo_size() &&
packet_info.form == IETF_QUIC_LONG_HEADER_PACKET &&
packet_info.long_packet_type == INITIAL &&
packet_info.packet.length() < kMinClientInitialPacketLength) {
QUIC_DVLOG(1) << "Dropping initial packet which is too short, length: "
<< packet_info.packet.length();
QUIC_CODE_COUNT(quic_drop_small_initial_packets);
return true;
}
}
return false;
}
void QuicDispatcher::ProcessHeader(ReceivedPacketInfo* packet_info) {
++stats_.packets_processed_with_unknown_cid;
QuicConnectionId server_connection_id =
packet_info->destination_connection_id;
// Packet's connection ID is unknown. Apply the validity checks.
QuicPacketFate fate = ValidityChecks(*packet_info);
// |connection_close_error_code| is used if the final packet fate is
// kFateTimeWait.
QuicErrorCode connection_close_error_code =
QUIC_HANDSHAKE_FAILED_INVALID_CONNECTION;
// If a fatal TLS alert was received when extracting Client Hello,
// |tls_alert_error_detail| will be set and will be used as the error_details
// of the connection close.
std::string tls_alert_error_detail;
if (fate == kFateProcess) {
ExtractChloResult extract_chlo_result =
TryExtractChloOrBufferEarlyPacket(*packet_info);
auto& parsed_chlo = extract_chlo_result.parsed_chlo;
if (extract_chlo_result.tls_alert.has_value()) {
QUIC_BUG_IF(quic_dispatcher_parsed_chlo_and_tls_alert_coexist_1,
parsed_chlo.has_value())
<< "parsed_chlo and tls_alert should not be set at the same time.";
// Fatal TLS alert when parsing Client Hello.
fate = kFateTimeWait;
uint8_t tls_alert = *extract_chlo_result.tls_alert;
connection_close_error_code = TlsAlertToQuicErrorCode(tls_alert).value_or(
connection_close_error_code);
tls_alert_error_detail =
absl::StrCat("TLS handshake failure from dispatcher (",
EncryptionLevelToString(ENCRYPTION_INITIAL), ") ",
static_cast<int>(tls_alert), ": ",
SSL_alert_desc_string_long(tls_alert));
} else if (!parsed_chlo.has_value()) {
// Client Hello incomplete. Packet has been buffered or (rarely) dropped.
return;
} else {
// Client Hello fully received.
fate = ValidityChecksOnFullChlo(*packet_info, *parsed_chlo);
if (fate == kFateProcess) {
ProcessChlo(*std::move(parsed_chlo), packet_info);
return;
}
}
}
switch (fate) {
case kFateProcess:
// kFateProcess have been processed above.
QUIC_BUG(quic_dispatcher_bad_packet_fate) << fate;
break;
case kFateTimeWait: {
// Add this connection_id to the time-wait state, to safely reject
// future packets.
QUIC_DLOG(INFO) << "Adding connection ID " << server_connection_id
<< " to time-wait list.";
QUIC_CODE_COUNT(quic_reject_fate_time_wait);
const std::string& connection_close_error_detail =
tls_alert_error_detail.empty() ? "Reject connection"
: tls_alert_error_detail;
StatelesslyTerminateConnection(
packet_info->self_address, packet_info->peer_address,
server_connection_id, packet_info->form, packet_info->version_flag,
packet_info->use_length_prefix, packet_info->version,
connection_close_error_code, connection_close_error_detail,
quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
QUICHE_DCHECK(time_wait_list_manager_->IsConnectionIdInTimeWait(
server_connection_id));
time_wait_list_manager_->ProcessPacket(
packet_info->self_address, packet_info->peer_address,
server_connection_id, packet_info->form, packet_info->packet.length(),
GetPerPacketContext());
buffered_packets_.DiscardPackets(server_connection_id);
} break;
case kFateDrop:
break;
}
}
QuicDispatcher::ExtractChloResult
QuicDispatcher::TryExtractChloOrBufferEarlyPacket(
const ReceivedPacketInfo& packet_info) {
ExtractChloResult result;
if (packet_info.version.UsesTls()) {
bool has_full_tls_chlo = false;
std::string sni;
std::vector<uint16_t> supported_groups;
std::vector<uint16_t> cert_compression_algos;
std::vector<std::string> alpns;
bool resumption_attempted = false, early_data_attempted = false;
if (buffered_packets_.HasBufferedPackets(
packet_info.destination_connection_id)) {
// If we already have buffered packets for this connection ID,
// use the associated TlsChloExtractor to parse this packet.
has_full_tls_chlo = buffered_packets_.IngestPacketForTlsChloExtraction(
packet_info.destination_connection_id, packet_info.version,
packet_info.packet, &supported_groups, &cert_compression_algos,
&alpns, &sni, &resumption_attempted, &early_data_attempted,
&result.tls_alert);
} else {
// If we do not have a BufferedPacketList for this connection ID,
// create a single-use one to check whether this packet contains a
// full single-packet CHLO.
TlsChloExtractor tls_chlo_extractor;
tls_chlo_extractor.IngestPacket(packet_info.version, packet_info.packet);
if (tls_chlo_extractor.HasParsedFullChlo()) {
// This packet contains a full single-packet CHLO.
has_full_tls_chlo = true;
supported_groups = tls_chlo_extractor.supported_groups();
cert_compression_algos = tls_chlo_extractor.cert_compression_algos();
alpns = tls_chlo_extractor.alpns();
sni = tls_chlo_extractor.server_name();
resumption_attempted = tls_chlo_extractor.resumption_attempted();
early_data_attempted = tls_chlo_extractor.early_data_attempted();
} else {
result.tls_alert = tls_chlo_extractor.tls_alert();
}
}
if (result.tls_alert.has_value()) {
QUIC_BUG_IF(quic_dispatcher_parsed_chlo_and_tls_alert_coexist_2,
has_full_tls_chlo)
<< "parsed_chlo and tls_alert should not be set at the same time.";
return result;
}
if (GetQuicFlag(quic_allow_chlo_buffering) && !has_full_tls_chlo) {
// This packet does not contain a full CHLO. It could be a 0-RTT
// packet that arrived before the CHLO (due to loss or reordering),
// or it could be a fragment of a multi-packet CHLO.
EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
packet_info,
/*parsed_chlo=*/std::nullopt, ConnectionIdGenerator());
switch (rs) {
case EnqueuePacketResult::SUCCESS:
break;
case EnqueuePacketResult::CID_COLLISION:
buffered_packets_.DiscardPackets(
packet_info.destination_connection_id);
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_PACKETS:
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_CONNECTIONS:
OnBufferPacketFailure(rs, packet_info.destination_connection_id);
break;
}
return result;
}
ParsedClientHello& parsed_chlo = result.parsed_chlo.emplace();
parsed_chlo.sni = std::move(sni);
parsed_chlo.supported_groups = std::move(supported_groups);
parsed_chlo.cert_compression_algos = std::move(cert_compression_algos);
parsed_chlo.alpns = std::move(alpns);
if (packet_info.retry_token.has_value()) {
parsed_chlo.retry_token = std::string(*packet_info.retry_token);
}
parsed_chlo.resumption_attempted = resumption_attempted;
parsed_chlo.early_data_attempted = early_data_attempted;
return result;
}
ChloAlpnSniExtractor alpn_extractor;
if (GetQuicFlag(quic_allow_chlo_buffering) &&
!ChloExtractor::Extract(packet_info.packet, packet_info.version,
config_->create_session_tag_indicators(),
&alpn_extractor,
packet_info.destination_connection_id.length())) {
// Buffer non-CHLO packets.
EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
packet_info,
/*parsed_chlo=*/std::nullopt, ConnectionIdGenerator());
switch (rs) {
case EnqueuePacketResult::SUCCESS:
break;
case EnqueuePacketResult::CID_COLLISION:
// This should never happen; we only replace CID in the packet store
// for IETF packets.
QUIC_BUG(quic_store_cid_collision_from_gquic_packet);
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_PACKETS:
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_CONNECTIONS:
OnBufferPacketFailure(rs, packet_info.destination_connection_id);
break;
}
return result;
}
ParsedClientHello& parsed_chlo = result.parsed_chlo.emplace();
parsed_chlo.sni = alpn_extractor.ConsumeSni();
parsed_chlo.uaid = alpn_extractor.ConsumeUaid();
parsed_chlo.alpns = {alpn_extractor.ConsumeAlpn()};
return result;
}
std::string QuicDispatcher::SelectAlpn(const std::vector<std::string>& alpns) {
if (alpns.empty()) {
return "";
}
if (alpns.size() > 1u) {
const std::vector<std::string>& supported_alpns =
version_manager_->GetSupportedAlpns();
for (const std::string& alpn : alpns) {
if (std::find(supported_alpns.begin(), supported_alpns.end(), alpn) !=
supported_alpns.end()) {
return alpn;
}
}
}
return alpns[0];
}
QuicDispatcher::QuicPacketFate QuicDispatcher::ValidityChecks(
const ReceivedPacketInfo& packet_info) {
if (!packet_info.version_flag) {
QUIC_DLOG(INFO)
<< "Packet without version arrived for unknown connection ID "
<< packet_info.destination_connection_id;
MaybeResetPacketsWithNoVersion(packet_info);
return kFateDrop;
}
// Let the connection parse and validate packet number.
return kFateProcess;
}
void QuicDispatcher::CleanUpSession(QuicConnectionId server_connection_id,
QuicConnection* connection,
QuicErrorCode /*error*/,
const std::string& /*error_details*/,
ConnectionCloseSource /*source*/) {
write_blocked_list_.Remove(*connection);
QuicTimeWaitListManager::TimeWaitAction action =
QuicTimeWaitListManager::SEND_STATELESS_RESET;
std::vector<std::unique_ptr<QuicEncryptedPacket>> termination_packets;
if (connection->HasTerminationPackets()) {
termination_packets = connection->ConsumeTerminationPackets();
action = QuicTimeWaitListManager::SEND_CONNECTION_CLOSE_PACKETS;
} else {
if (!connection->IsHandshakeComplete()) {
// TODO(fayang): Do not serialize connection close packet if the
// connection is closed by the client.
QUIC_CODE_COUNT(quic_v44_add_to_time_wait_list_with_handshake_failed);
// This serializes a connection close termination packet and adds the
// connection to the time wait list.
// TODO(b/359200165): Fix |last_sent_packet_number|.
StatelessConnectionTerminator terminator(
server_connection_id,
connection->GetOriginalDestinationConnectionId(),
connection->version(), /*last_sent_packet_number=*/QuicPacketNumber(),
helper_.get(), time_wait_list_manager_.get());
terminator.CloseConnection(
QUIC_HANDSHAKE_FAILED_SYNTHETIC_CONNECTION_CLOSE,
"Connection is closed by server before handshake confirmed",
/*ietf_quic=*/true, connection->GetActiveServerConnectionIds());
return;
}
QUIC_CODE_COUNT(quic_v44_add_to_time_wait_list_with_stateless_reset);
}
time_wait_list_manager_->AddConnectionIdToTimeWait(
action,
TimeWaitConnectionInfo(
/*ietf_quic=*/true,
termination_packets.empty() ? nullptr : &termination_packets,
connection->GetActiveServerConnectionIds(),
connection->sent_packet_manager().GetRttStats()->smoothed_rtt()));
}
void QuicDispatcher::StartAcceptingNewConnections() {
accept_new_connections_ = true;
}
void QuicDispatcher::StopAcceptingNewConnections() {
accept_new_connections_ = false;
// No more CHLO will arrive and buffered CHLOs shouldn't be able to create
// connections.
buffered_packets_.DiscardAllPackets();
}
void QuicDispatcher::PerformActionOnActiveSessions(
quiche::UnretainedCallback<void(QuicSession*)> operation) const {
absl::flat_hash_set<QuicSession*> visited_session;
visited_session.reserve(reference_counted_session_map_.size());
for (auto const& kv : reference_counted_session_map_) {
QuicSession* session = kv.second.get();
if (visited_session.insert(session).second) {
operation(session);
}
}
}
// Get a snapshot of all sessions.
std::vector<std::shared_ptr<QuicSession>> QuicDispatcher::GetSessionsSnapshot()
const {
std::vector<std::shared_ptr<QuicSession>> snapshot;
snapshot.reserve(reference_counted_session_map_.size());
absl::flat_hash_set<QuicSession*> visited_session;
visited_session.reserve(reference_counted_session_map_.size());
for (auto const& kv : reference_counted_session_map_) {
QuicSession* session = kv.second.get();
if (visited_session.insert(session).second) {
snapshot.push_back(kv.second);
}
}
return snapshot;
}
std::unique_ptr<QuicPerPacketContext> QuicDispatcher::GetPerPacketContext()
const {
return nullptr;
}
void QuicDispatcher::DeleteSessions() {
if (!write_blocked_list_.Empty()) {
for (const auto& session : closed_session_list_) {
if (write_blocked_list_.Remove(*session->connection())) {
QUIC_BUG(quic_bug_12724_2)
<< "QuicConnection was in WriteBlockedList before destruction "
<< session->connection()->connection_id();
}
}
}
closed_session_list_.clear();
}
void QuicDispatcher::ClearStatelessResetAddresses() {
recent_stateless_reset_addresses_.clear();
}
void QuicDispatcher::OnCanWrite() {
// The socket is now writable.
writer_->SetWritable();
write_blocked_list_.OnWriterUnblocked();
}
bool QuicDispatcher::HasPendingWrites() const {
return !write_blocked_list_.Empty();
}
void QuicDispatcher::Shutdown() {
while (!reference_counted_session_map_.empty()) {
QuicSession* session = reference_counted_session_map_.begin()->second.get();
session->connection()->CloseConnection(
QUIC_PEER_GOING_AWAY, "Server shutdown imminent",
ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
// Validate that the session removes itself from the session map on close.
QUICHE_DCHECK(reference_counted_session_map_.empty() ||
reference_counted_session_map_.begin()->second.get() !=
session);
}
DeleteSessions();
}
void QuicDispatcher::OnConnectionClosed(QuicConnectionId server_connection_id,
QuicErrorCode error,
const std::string& error_details,
ConnectionCloseSource source) {
auto it = reference_counted_session_map_.find(server_connection_id);
if (it == reference_counted_session_map_.end()) {
QUIC_BUG(quic_bug_10287_3) << "ConnectionId " << server_connection_id
<< " does not exist in the session map. Error: "
<< QuicErrorCodeToString(error);
QUIC_BUG(quic_bug_10287_4) << QuicStackTrace();
return;
}
QUIC_DLOG_IF(INFO, error != QUIC_NO_ERROR)
<< "Closing connection (" << server_connection_id
<< ") due to error: " << QuicErrorCodeToString(error)
<< ", with details: " << error_details;
const QuicSession* session = it->second.get();
QuicConnection* connection = it->second->connection();
// Set up alarm to fire immediately to bring destruction of this session
// out of current call stack.
if (closed_session_list_.empty()) {
delete_sessions_alarm_->Update(helper()->GetClock()->ApproximateNow(),
QuicTime::Delta::Zero());
}
closed_session_list_.push_back(std::move(it->second));
CleanUpSession(it->first, connection, error, error_details, source);
bool session_removed = false;
for (const QuicConnectionId& cid :
connection->GetActiveServerConnectionIds()) {
auto it1 = reference_counted_session_map_.find(cid);
if (it1 != reference_counted_session_map_.end()) {
const QuicSession* session2 = it1->second.get();
// For cid == server_connection_id, session2 is a nullptr (and hence
// session2 != session) now since we have std::move the session into
// closed_session_list_ above.
if (session2 == session || cid == server_connection_id) {
reference_counted_session_map_.erase(it1);
session_removed = true;
} else {
// Leave this session in the map.
QUIC_BUG(quic_dispatcher_session_mismatch)
<< "Session is mismatched in the map. server_connection_id: "
<< server_connection_id << ". Current cid: " << cid
<< ". Cid of the other session "
<< (session2 == nullptr
? "null"
: session2->connection()->connection_id().ToString());
}
} else {
// GetActiveServerConnectionIds might return the original destination
// ID, which is not contained in the session map.
QUIC_BUG_IF(quic_dispatcher_session_not_found,
cid != connection->GetOriginalDestinationConnectionId())
<< "Missing session for cid " << cid
<< ". server_connection_id: " << server_connection_id;
}
}
QUIC_BUG_IF(quic_session_is_not_removed, !session_removed);
--num_sessions_in_session_map_;
}
void QuicDispatcher::OnWriteBlocked(
QuicBlockedWriterInterface* blocked_writer) {
write_blocked_list_.Add(*blocked_writer);
}
void QuicDispatcher::OnRstStreamReceived(const QuicRstStreamFrame& /*frame*/) {}
void QuicDispatcher::OnStopSendingReceived(
const QuicStopSendingFrame& /*frame*/) {}
bool QuicDispatcher::TryAddNewConnectionId(
const QuicConnectionId& server_connection_id,
const QuicConnectionId& new_connection_id) {
auto it = reference_counted_session_map_.find(server_connection_id);
if (it == reference_counted_session_map_.end()) {
QUIC_BUG(quic_bug_10287_7)
<< "Couldn't locate the session that issues the connection ID in "
"reference_counted_session_map_. server_connection_id:"
<< server_connection_id << " new_connection_id: " << new_connection_id;
return false;
}
auto insertion_result = reference_counted_session_map_.insert(
std::make_pair(new_connection_id, it->second));
if (!insertion_result.second) {
QUIC_CODE_COUNT(quic_cid_already_in_session_map);
}
return insertion_result.second;
}
void QuicDispatcher::OnConnectionIdRetired(
const QuicConnectionId& server_connection_id) {
reference_counted_session_map_.erase(server_connection_id);
}
void QuicDispatcher::OnConnectionAddedToTimeWaitList(
QuicConnectionId server_connection_id) {
QUIC_DLOG(INFO) << "Connection " << server_connection_id
<< " added to time wait list.";
}
void QuicDispatcher::StatelesslyTerminateConnection(
const QuicSocketAddress& self_address,
const QuicSocketAddress& peer_address,
QuicConnectionId server_connection_id, PacketHeaderFormat format,
bool version_flag, bool use_length_prefix, ParsedQuicVersion version,
QuicErrorCode error_code, const std::string& error_details,
QuicTimeWaitListManager::TimeWaitAction action) {
const BufferedPacketList* packet_list =
buffered_packets_.GetPacketList(server_connection_id);
if (packet_list == nullptr) {
StatelesslyTerminateConnection(
self_address, peer_address, server_connection_id, format, version_flag,
use_length_prefix, version, error_code, error_details, action,
/*replaced_connection_id=*/std::nullopt,
/*last_sent_packet_number=*/QuicPacketNumber());
return;
}
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets, 5, 8);
StatelesslyTerminateConnection(
self_address, peer_address, packet_list->original_connection_id, format,
version_flag, use_length_prefix, version, error_code, error_details,
action, packet_list->replaced_connection_id,
packet_list->GetLastSentPacketNumber());
}
void QuicDispatcher::StatelesslyTerminateConnection(
const QuicSocketAddress& self_address,
const QuicSocketAddress& peer_address,
QuicConnectionId server_connection_id, PacketHeaderFormat format,
bool version_flag, bool use_length_prefix, ParsedQuicVersion version,
QuicErrorCode error_code, const std::string& error_details,
QuicTimeWaitListManager::TimeWaitAction action,
const std::optional<QuicConnectionId>& replaced_connection_id,
QuicPacketNumber last_sent_packet_number) {
if (format != IETF_QUIC_LONG_HEADER_PACKET && !version_flag) {
QUIC_DVLOG(1) << "Statelessly terminating " << server_connection_id
<< " based on a non-ietf-long packet, action:" << action
<< ", error_code:" << error_code
<< ", error_details:" << error_details;
time_wait_list_manager_->AddConnectionIdToTimeWait(
action, TimeWaitConnectionInfo(format != GOOGLE_QUIC_PACKET, nullptr,
{server_connection_id}));
return;
}
// If the version is known and supported by framer, send a connection close.
if (IsSupportedVersion(version)) {
QUIC_DVLOG(1)
<< "Statelessly terminating " << server_connection_id
<< " based on an ietf-long packet, which has a supported version:"
<< version << ", error_code:" << error_code
<< ", error_details:" << error_details << ", replaced_connection_id:"
<< (replaced_connection_id.has_value()
? replaced_connection_id->ToString()
: "n/a");
if (ack_buffered_initial_packets()) {
// |server_connection_id| is the original connection ID when flag is true.
QuicConnectionId original_connection_id = server_connection_id;
if (last_sent_packet_number.IsInitialized()) {
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets,
6, 8);
}
StatelessConnectionTerminator terminator(
replaced_connection_id.value_or(original_connection_id),
original_connection_id, version, last_sent_packet_number,
helper_.get(), time_wait_list_manager_.get());
std::vector<QuicConnectionId> active_connection_ids = {
original_connection_id};
if (replaced_connection_id.has_value()) {
active_connection_ids.push_back(*replaced_connection_id);
}
// This also adds the connection to time wait list.
terminator.CloseConnection(error_code, error_details,
format != GOOGLE_QUIC_PACKET,
/*active_connection_ids=*/
std::move(active_connection_ids));
} else {
StatelessConnectionTerminator terminator(
server_connection_id, server_connection_id, version,
last_sent_packet_number, helper_.get(),
time_wait_list_manager_.get());
// This also adds the connection to time wait list.
terminator.CloseConnection(
error_code, error_details, format != GOOGLE_QUIC_PACKET,
/*active_connection_ids=*/{server_connection_id});
}
QUIC_CODE_COUNT(quic_dispatcher_generated_connection_close);
QuicSession::RecordConnectionCloseAtServer(
error_code, ConnectionCloseSource::FROM_SELF);
// TODO(wub): Change the server_connection_id parameter to original+replaced
// connection ids.
OnStatelessConnectionCloseGenerated(self_address, peer_address,
server_connection_id, version,
error_code, error_details);
return;
}
QUIC_DVLOG(1)
<< "Statelessly terminating " << server_connection_id
<< " based on an ietf-long packet, which has an unsupported version:"
<< version << ", error_code:" << error_code
<< ", error_details:" << error_details;
// Version is unknown or unsupported by framer, send a version negotiation
// with an empty version list, which can be understood by the client.
std::vector<std::unique_ptr<QuicEncryptedPacket>> termination_packets;
termination_packets.push_back(QuicFramer::BuildVersionNegotiationPacket(
server_connection_id, EmptyQuicConnectionId(),
/*ietf_quic=*/format != GOOGLE_QUIC_PACKET, use_length_prefix,
/*versions=*/{}));
time_wait_list_manager()->AddConnectionIdToTimeWait(
QuicTimeWaitListManager::SEND_TERMINATION_PACKETS,
TimeWaitConnectionInfo(/*ietf_quic=*/format != GOOGLE_QUIC_PACKET,
&termination_packets, {server_connection_id}));
}
bool QuicDispatcher::ShouldCreateSessionForUnknownVersion(
const ReceivedPacketInfo& /*packet_info*/) {
return false;
}
// TODO(wub): Remove |server_connection_id| because |early_arrived_packets|
// already contains the original and replaced connection ID.
void QuicDispatcher::OnExpiredPackets(
QuicConnectionId server_connection_id,
BufferedPacketList early_arrived_packets) {
QUIC_CODE_COUNT(quic_reject_buffered_packets_expired);
QuicErrorCode error_code = QUIC_HANDSHAKE_FAILED_PACKETS_BUFFERED_TOO_LONG;
QuicSocketAddress self_address, peer_address;
if (!early_arrived_packets.buffered_packets.empty()) {
self_address = early_arrived_packets.buffered_packets.front().self_address;
peer_address = early_arrived_packets.buffered_packets.front().peer_address;
}
if (ack_buffered_initial_packets()) {
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets, 7,
8);
StatelesslyTerminateConnection(
self_address, peer_address,
early_arrived_packets.original_connection_id,
early_arrived_packets.ietf_quic ? IETF_QUIC_LONG_HEADER_PACKET
: GOOGLE_QUIC_PACKET,
/*version_flag=*/true,
early_arrived_packets.version.HasLengthPrefixedConnectionIds(),
early_arrived_packets.version, error_code,
"Packets buffered for too long",
quic::QuicTimeWaitListManager::SEND_STATELESS_RESET,
early_arrived_packets.replaced_connection_id,
early_arrived_packets.GetLastSentPacketNumber());
} else {
StatelesslyTerminateConnection(
self_address, peer_address, server_connection_id,
early_arrived_packets.ietf_quic ? IETF_QUIC_LONG_HEADER_PACKET
: GOOGLE_QUIC_PACKET,
/*version_flag=*/true,
early_arrived_packets.version.HasLengthPrefixedConnectionIds(),
early_arrived_packets.version, error_code,
"Packets buffered for too long",
quic::QuicTimeWaitListManager::SEND_STATELESS_RESET);
}
}
void QuicDispatcher::ProcessBufferedChlos(size_t max_connections_to_create) {
// Reset the counter before starting creating connections.
new_sessions_allowed_per_event_loop_ = max_connections_to_create;
for (; new_sessions_allowed_per_event_loop_ > 0;
--new_sessions_allowed_per_event_loop_) {
QuicConnectionId server_connection_id;
BufferedPacketList packet_list =
buffered_packets_.DeliverPacketsForNextConnection(
&server_connection_id);
const std::list<BufferedPacket>& packets = packet_list.buffered_packets;
if (packets.empty()) {
return;
}
if (!packet_list.parsed_chlo.has_value()) {
QUIC_BUG(quic_dispatcher_no_parsed_chlo_in_buffered_packets)
<< "Buffered connection has no CHLO. connection_id:"
<< server_connection_id;
continue;
}
auto session_ptr = CreateSessionFromChlo(
server_connection_id, packet_list.replaced_connection_id,
*packet_list.parsed_chlo, packet_list.version,
packets.front().self_address, packets.front().peer_address,
packet_list.tls_chlo_extractor.state(),
packet_list.connection_id_generator,
packet_list.dispatcher_sent_packets);
if (session_ptr != nullptr) {
DeliverPacketsToSession(packets, session_ptr.get());
}
}
}
bool QuicDispatcher::HasChlosBuffered() const {
return buffered_packets_.HasChlosBuffered();
}
// Return true if there is any packet buffered in the store.
bool QuicDispatcher::HasBufferedPackets(QuicConnectionId server_connection_id) {
return buffered_packets_.HasBufferedPackets(server_connection_id);
}
void QuicDispatcher::OnBufferPacketFailure(
EnqueuePacketResult result, QuicConnectionId server_connection_id) {
QUIC_DLOG(INFO) << "Fail to buffer packet on connection "
<< server_connection_id << " because of " << result;
}
QuicTimeWaitListManager* QuicDispatcher::CreateQuicTimeWaitListManager() {
return new QuicTimeWaitListManager(writer_.get(), this, helper_->GetClock(),
alarm_factory_.get());
}
void QuicDispatcher::ProcessChlo(ParsedClientHello parsed_chlo,
ReceivedPacketInfo* packet_info) {
if (GetQuicFlag(quic_allow_chlo_buffering) &&
new_sessions_allowed_per_event_loop_ <= 0) {
// Can't create new session any more. Wait till next event loop.
QUIC_BUG_IF(quic_bug_12724_7, buffered_packets_.HasChloForConnection(
packet_info->destination_connection_id));
EnqueuePacketResult rs = buffered_packets_.EnqueuePacket(
*packet_info, std::move(parsed_chlo), ConnectionIdGenerator());
switch (rs) {
case EnqueuePacketResult::SUCCESS:
break;
case EnqueuePacketResult::CID_COLLISION:
buffered_packets_.DiscardPackets(
packet_info->destination_connection_id);
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_PACKETS:
ABSL_FALLTHROUGH_INTENDED;
case EnqueuePacketResult::TOO_MANY_CONNECTIONS:
OnBufferPacketFailure(rs, packet_info->destination_connection_id);
break;
}
return;
}
BufferedPacketList packet_list =
buffered_packets_.DeliverPackets(packet_info->destination_connection_id);
// Get original_connection_id from buffered packets because
// destination_connection_id may be replaced connection_id if any packets
// have been sent by packet store.
QuicConnectionId original_connection_id =
packet_list.buffered_packets.empty()
? packet_info->destination_connection_id
: packet_list.original_connection_id;
TlsChloExtractor::State chlo_extractor_state =
packet_list.buffered_packets.empty()
? TlsChloExtractor::State::kParsedFullSinglePacketChlo
: packet_list.tls_chlo_extractor.state();
auto session_ptr = CreateSessionFromChlo(
original_connection_id, packet_list.replaced_connection_id, parsed_chlo,
packet_info->version, packet_info->self_address,
packet_info->peer_address, chlo_extractor_state,
packet_list.connection_id_generator, packet_list.dispatcher_sent_packets);
if (session_ptr == nullptr) {
// The only reason that CreateSessionFromChlo returns nullptr is because
// of CID collision, which can only happen if CreateSessionFromChlo
// attempted to replace the CID, CreateSessionFromChlo only replaces the
// CID when connection_id_generator is nullptr.
QUICHE_DCHECK_EQ(packet_list.connection_id_generator, nullptr);
return;
}
// Process the current packet first, then deliver queued-up packets.
// Note that multi-packet CHLOs, if received in packet number order, will
// not be delivered in the same order. This needs to be fixed.
session_ptr->ProcessUdpPacket(packet_info->self_address,
packet_info->peer_address, packet_info->packet);
DeliverPacketsToSession(packet_list.buffered_packets, session_ptr.get());
--new_sessions_allowed_per_event_loop_;
}
void QuicDispatcher::SetLastError(QuicErrorCode error) { last_error_ = error; }
bool QuicDispatcher::OnFailedToDispatchPacket(
const ReceivedPacketInfo& /*packet_info*/) {
return false;
}
const ParsedQuicVersionVector& QuicDispatcher::GetSupportedVersions() {
return version_manager_->GetSupportedVersions();
}
void QuicDispatcher::DeliverPacketsToSession(
const std::list<BufferedPacket>& packets, QuicSession* session) {
for (const BufferedPacket& packet : packets) {
session->ProcessUdpPacket(packet.self_address, packet.peer_address,
*(packet.packet));
}
}
bool QuicDispatcher::IsSupportedVersion(const ParsedQuicVersion version) {
for (const ParsedQuicVersion& supported_version :
version_manager_->GetSupportedVersions()) {
if (version == supported_version) {
return true;
}
}
return false;
}
bool QuicDispatcher::IsServerConnectionIdTooShort(
QuicConnectionId connection_id) const {
if (connection_id.length() >= kQuicMinimumInitialConnectionIdLength ||
connection_id.length() >= expected_server_connection_id_length_) {
return false;
}
uint8_t generator_output =
connection_id.IsEmpty()
? connection_id_generator_.ConnectionIdLength(0x00)
: connection_id_generator_.ConnectionIdLength(
static_cast<uint8_t>(*connection_id.data()));
return connection_id.length() < generator_output;
}
std::shared_ptr<QuicSession> QuicDispatcher::CreateSessionFromChlo(
const QuicConnectionId original_connection_id,
const std::optional<QuicConnectionId>& replaced_connection_id,
const ParsedClientHello& parsed_chlo, const ParsedQuicVersion version,
const QuicSocketAddress self_address, const QuicSocketAddress peer_address,
TlsChloExtractor::State chlo_extractor_state,
ConnectionIdGeneratorInterface* connection_id_generator,
absl::Span<const DispatcherSentPacket> dispatcher_sent_packets) {
bool should_generate_cid = false;
if (connection_id_generator == nullptr) {
should_generate_cid = true;
connection_id_generator = &ConnectionIdGenerator();
}
std::optional<QuicConnectionId> server_connection_id;
if (should_generate_cid) {
server_connection_id = connection_id_generator->MaybeReplaceConnectionId(
original_connection_id, version);
// Normalize the output of MaybeReplaceConnectionId.
if (server_connection_id.has_value() &&
(server_connection_id->IsEmpty() ||
*server_connection_id == original_connection_id)) {
server_connection_id.reset();
}
QUIC_DVLOG(1) << "MaybeReplaceConnectionId(" << original_connection_id
<< ") = "
<< (server_connection_id.has_value()
? server_connection_id->ToString()
: "nullopt");
if (server_connection_id.has_value()) {
switch (HandleConnectionIdCollision(
original_connection_id, *server_connection_id, self_address,
peer_address, version, &parsed_chlo)) {
case VisitorInterface::HandleCidCollisionResult::kOk:
break;
case VisitorInterface::HandleCidCollisionResult::kCollision:
return nullptr;
}
}
} else {
server_connection_id = replaced_connection_id;
}
const bool connection_id_replaced = server_connection_id.has_value();
if (!connection_id_replaced) {
server_connection_id = original_connection_id;
}
// Creates a new session and process all buffered packets for this connection.
std::string alpn = SelectAlpn(parsed_chlo.alpns);
std::unique_ptr<QuicSession> session =
CreateQuicSession(*server_connection_id, self_address, peer_address, alpn,
version, parsed_chlo, *connection_id_generator);
if (ABSL_PREDICT_FALSE(session == nullptr)) {
QUIC_BUG(quic_bug_10287_8)
<< "CreateQuicSession returned nullptr for " << *server_connection_id
<< " from " << peer_address << " to " << self_address << " ALPN \""
<< alpn << "\" version " << version;
return nullptr;
}
++stats_.sessions_created;
if (chlo_extractor_state ==
TlsChloExtractor::State::kParsedFullMultiPacketChlo) {
QUIC_CODE_COUNT(quic_connection_created_multi_packet_chlo);
session->connection()->SetMultiPacketClientHello();
} else {
QUIC_CODE_COUNT(quic_connection_created_single_packet_chlo);
}
if (ack_buffered_initial_packets() && !dispatcher_sent_packets.empty()) {
QUIC_RESTART_FLAG_COUNT_N(quic_dispatcher_ack_buffered_initial_packets, 8,
8);
session->connection()->AddDispatcherSentPackets(dispatcher_sent_packets);
}
if (connection_id_replaced) {
session->connection()->SetOriginalDestinationConnectionId(
original_connection_id);
}
session->connection()->OnParsedClientHelloInfo(parsed_chlo);
QUIC_DLOG(INFO) << "Created new session for " << *server_connection_id;
auto insertion_result = reference_counted_session_map_.insert(std::make_pair(
*server_connection_id, std::shared_ptr<QuicSession>(std::move(session))));
std::shared_ptr<QuicSession> session_ptr = insertion_result.first->second;
if (!insertion_result.second) {
QUIC_BUG(quic_bug_10287_9)
<< "Tried to add a session to session_map with existing "
"connection id: "
<< *server_connection_id;
} else {
++num_sessions_in_session_map_;
if (connection_id_replaced) {
auto insertion_result2 = reference_counted_session_map_.insert(
std::make_pair(original_connection_id, session_ptr));
QUIC_BUG_IF(quic_460317833_02, !insertion_result2.second)
<< "Original connection ID already in session_map: "
<< original_connection_id;
// If insertion of the original connection ID fails, it might cause
// loss of 0-RTT and other first flight packets, but the connection
// will usually progress.
}
}
return session_ptr;
}
QuicDispatcher::HandleCidCollisionResult
QuicDispatcher::HandleConnectionIdCollision(
const QuicConnectionId& original_connection_id,
const QuicConnectionId& replaced_connection_id,
const QuicSocketAddress& self_address,
const QuicSocketAddress& peer_address, ParsedQuicVersion version,
const ParsedClientHello* parsed_chlo) {
HandleCidCollisionResult result = HandleCidCollisionResult::kOk;
auto existing_session_iter =
reference_counted_session_map_.find(replaced_connection_id);
if (existing_session_iter != reference_counted_session_map_.end()) {
// Collide with an active session in dispatcher.
result = HandleCidCollisionResult::kCollision;
QUIC_CODE_COUNT(quic_connection_id_collision);
QuicConnection* other_connection =
existing_session_iter->second->connection();
if (other_connection != nullptr) { // Just make sure there is no crash.
QUIC_LOG_EVERY_N_SEC(ERROR, 10)
<< "QUIC Connection ID collision. original_connection_id:"
<< original_connection_id
<< ", replaced_connection_id:" << replaced_connection_id
<< ", version:" << version << ", self_address:" << self_address
<< ", peer_address:" << peer_address << ", parsed_chlo:"
<< (parsed_chlo == nullptr ? "null" : parsed_chlo->ToString())
<< ", other peer address: " << other_connection->peer_address()
<< ", other CIDs: "
<< quiche::PrintElements(
other_connection->GetActiveServerConnectionIds())
<< ", other stats: " << other_connection->GetStats();
}
} else if (buffered_packets_.HasBufferedPackets(replaced_connection_id)) {
// Collide with a buffered session in packet store.
result = HandleCidCollisionResult::kCollision;
QUIC_CODE_COUNT(quic_connection_id_collision_with_buffered_session);
}
if (result == HandleCidCollisionResult::kOk) {
return result;
}
const bool collide_with_active_session =
existing_session_iter != reference_counted_session_map_.end();
QUIC_DLOG(INFO) << "QUIC Connection ID collision with "
<< (collide_with_active_session ? "active session"
: "buffered session")
<< " for original_connection_id:" << original_connection_id
<< ", replaced_connection_id:" << replaced_connection_id;
// The original connection ID does not correspond to an existing
// session. It is safe to send CONNECTION_CLOSE and add to TIME_WAIT.
StatelesslyTerminateConnection(
self_address, peer_address, original_connection_id,
IETF_QUIC_LONG_HEADER_PACKET,
/*version_flag=*/true, version.HasLengthPrefixedConnectionIds(), version,
QUIC_HANDSHAKE_FAILED_CID_COLLISION,
"Connection ID collision, please retry",
QuicTimeWaitListManager::SEND_CONNECTION_CLOSE_PACKETS);
// Caller is responsible for erasing the connection from the buffered store,
// if needed.
return result;
}
void QuicDispatcher::MaybeResetPacketsWithNoVersion(
const ReceivedPacketInfo& packet_info) {
QUICHE_DCHECK(!packet_info.version_flag);
// Do not send a stateless reset if a reset has been sent to this address
// recently.
if (recent_stateless_reset_addresses_.contains(packet_info.peer_address)) {
QUIC_CODE_COUNT(quic_donot_send_reset_repeatedly);
return;
}
if (packet_info.form != GOOGLE_QUIC_PACKET) {
// Drop IETF packets smaller than the minimal stateless reset length.
if (packet_info.packet.length() <=
QuicFramer::GetMinStatelessResetPacketLength()) {
QUIC_CODE_COUNT(quic_drop_too_small_short_header_packets);
return;
}
} else {
const size_t MinValidPacketLength =
kPacketHeaderTypeSize + expected_server_connection_id_length_ +
PACKET_1BYTE_PACKET_NUMBER + /*payload size=*/1 + /*tag size=*/12;
if (packet_info.packet.length() < MinValidPacketLength) {
// The packet size is too small.
QUIC_CODE_COUNT(drop_too_small_packets);
return;
}
}
// Do not send a stateless reset if there are too many stateless reset
// addresses.
if (recent_stateless_reset_addresses_.size() >=
GetQuicFlag(quic_max_recent_stateless_reset_addresses)) {
QUIC_CODE_COUNT(quic_too_many_recent_reset_addresses);
return;
}
if (recent_stateless_reset_addresses_.empty()) {
clear_stateless_reset_addresses_alarm_->Update(
helper()->GetClock()->ApproximateNow() +
QuicTime::Delta::FromMilliseconds(
GetQuicFlag(quic_recent_stateless_reset_addresses_lifetime_ms)),
QuicTime::Delta::Zero());
}
recent_stateless_reset_addresses_.emplace(packet_info.peer_address);
time_wait_list_manager()->SendPublicReset(
packet_info.self_address, packet_info.peer_address,
packet_info.destination_connection_id,
packet_info.form != GOOGLE_QUIC_PACKET, packet_info.packet.length(),
GetPerPacketContext());
}
void QuicDispatcher::MaybeSendVersionNegotiationPacket(
const ReceivedPacketInfo& packet_info) {
if (crypto_config()->validate_chlo_size() &&
packet_info.packet.length() < kMinPacketSizeForVersionNegotiation) {
return;
}
time_wait_list_manager()->SendVersionNegotiationPacket(
packet_info.destination_connection_id, packet_info.source_connection_id,
packet_info.form != GOOGLE_QUIC_PACKET, packet_info.use_length_prefix,
GetSupportedVersions(), packet_info.self_address,
packet_info.peer_address, GetPerPacketContext());
}
size_t QuicDispatcher::NumSessions() const {
return num_sessions_in_session_map_;
}
} // namespace quic