quic: refactor error handling

So far no application error codes (defined in rfc 9250 4.3) were specified when closing connections

Author: Frantisek Tobias

daemon/quic_common.c

@@ -1,10 +1,12 @@
 /*  Copyright (C) CZ.NIC, z.s.p.o. <[email protected]>
  *  SPDX-License-Identifier: GPL-3.0-or-later
  */
+#include <ngtcp2/ngtcp2.h>
+#include "contrib/openbsd/siphash.h"
 #include "quic_common.h"
 #include "libdnssec/random.h"
 #include "session2.h"
-#include <ngtcp2/ngtcp2.h>
+#include "quic_conn.h"
 
 uint64_t quic_timestamp(void)
 {
@@ -35,18 +37,83 @@ void init_random_cid(ngtcp2_cid *cid, size_t len)
 		/* DNSSEC_EOK */0 ? len : 0;
 }
 
-ssize_t send_version_negotiation(struct wire_buf *dest, ngtcp2_version_cid dec_cids,
-		ngtcp2_cid dcid, ngtcp2_cid scid)
+uint64_t cid2hash(const ngtcp2_cid *cid, kr_quic_table_t *table)
+{
+	SIPHASH_CTX ctx;
+	SipHash24_Init(&ctx, (const SIPHASH_KEY *)(table->hash_secret));
+	SipHash24_Update(&ctx, cid->data, MIN(cid->datalen, 8));
+	uint64_t ret = SipHash24_End(&ctx);
+
+	return ret;
+}
+
+kr_quic_cid_t **kr_quic_table_lookup2(const ngtcp2_cid *cid, kr_quic_table_t *table)
 {
-	uint8_t rnd = 0;
-	dnssec_random_buffer(&rnd, sizeof(rnd));
-	uint32_t supported_quic[1] = { NGTCP2_PROTO_VER_V1 };
-	int ret = ngtcp2_pkt_write_version_negotiation(
+	uint64_t hash = cid2hash(cid, table);
+
+	kr_quic_cid_t **res = table->conns + (hash % table->size);
+	while (*res != NULL && !ngtcp2_cid_eq(cid, (const ngtcp2_cid *)(*res)->cid_placeholder)) {
+		res = &(*res)->next;
+	}
+
+	return res;
+}
+
+struct pl_quic_conn_sess_data *kr_quic_table_lookup(const ngtcp2_cid *cid, kr_quic_table_t *table)
+{
+	kr_quic_cid_t **pcid = kr_quic_table_lookup2(cid, table);
+	return *pcid == NULL ? NULL : (*pcid)->conn_sess;
+}
+
+bool init_unique_cid(ngtcp2_cid *cid, size_t len, kr_quic_table_t *table)
+{
+	do {
+		if (init_random_cid(cid, len), cid->datalen == 0)
+			return false;
+
+	} while (kr_quic_table_lookup(cid, table) != NULL);
+
+	return true;
+}
+
+int write_retry_packet(struct wire_buf *dest, kr_quic_table_t *table,
+		ngtcp2_version_cid *dec_cids,
+		const struct sockaddr *src_addr,
+		uint8_t *secret, size_t secret_len)
+{
+	ngtcp2_cid dcid;
+	ngtcp2_cid scid;
+	ngtcp2_cid new_dcid;
+
+	ngtcp2_cid_init(&dcid, dec_cids->dcid, dec_cids->dcidlen);
+	ngtcp2_cid_init(&scid, dec_cids->scid, dec_cids->scidlen);
+
+	init_random_cid(&new_dcid, 0);
+	if (!init_unique_cid(&new_dcid, 0, table)) {
+		kr_log_debug(DOQ, "Failed to initialize unique cid for Retry packet\n");
+		return -1;
+	}
+
+	uint8_t retry_token[NGTCP2_CRYPTO_MAX_RETRY_TOKENLEN2];
+	uint64_t now = quic_timestamp();
+
+	int ret = ngtcp2_crypto_generate_retry_token2(
+		retry_token, (const uint8_t *)secret,
+		secret_len, dec_cids->version,
+		src_addr, kr_sockaddr_len(src_addr),
+		&new_dcid, &dcid, now);
+
+	if (ret < 0) {
+		kr_log_debug(DOQ, "Failed to generate retry token\n");
+		return ret;
+	}
+
+	ret = ngtcp2_crypto_write_retry(
 		wire_buf_free_space(dest),
 		wire_buf_free_space_length(dest),
-		rnd, dec_cids.scid, dec_cids.scidlen,
-		dec_cids.dcid, dec_cids.dcidlen, supported_quic,
-		sizeof(supported_quic) / sizeof(*supported_quic)
+		dec_cids->version, &scid,
+		&new_dcid, &dcid,
+		retry_token, ret
 	);
 
 	return ret;

daemon/quic_common.h

@@ -12,9 +12,9 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
-#include "quic_conn.h"
+#include "session2.h"
 
-/** RFC 9250 4.3.  DoQ Error Codes */
+/** RFC 9250 4.3 DoQ Error Codes for use as application protocol error codes */
 typedef enum {
 	/*! No error.  This is used when the connection or stream needs to be
 	    closed, but there is no error to signal. */
@@ -40,12 +40,12 @@ typedef enum {
 
 // Macros from knot quic impl
 #define SERVER_DEFAULT_SCIDLEN 18
-#define QUIC_REGULAR_TOKEN_TIMEOUT 	 (24LLU * 3600LLU * 1000000000LLU)
+#define QUIC_REGULAR_TOKEN_TIMEOUT       (24LLU * 3600LLU * 1000000000LLU)
 #define QUIC_SEND_VERSION_NEGOTIATION    NGTCP2_ERR_VERSION_NEGOTIATION
 #define QUIC_SEND_RETRY                  NGTCP2_ERR_RETRY
 #define QUIC_SEND_STATELESS_RESET        (-NGTCP2_STATELESS_RESET_TOKENLEN)
 #define QUIC_SEND_CONN_CLOSE             (-2000)
-#define QUIC_SEND_EXCESSIVE_LOAD         (-KR_QUIC_ERR_EXCESSIVE_LOAD)
+
 #define BUCKETS_PER_CONNS 8
 
 /* Application is responsible for extending the stream limit.
@@ -66,22 +66,60 @@ typedef enum {
 #define container_of(ptr, type, member) \
 	((type *)((char *)(ptr) - offsetof(type, member)))
 
+typedef enum {
+	KNOT_QUIC_TABLE_CLIENT_ONLY = (1 << 0),
+} kr_quic_table_flag_t;
+
+typedef struct kr_quic_cid {
+	uint8_t cid_placeholder[32];
+	struct pl_quic_conn_sess_data *conn_sess;
+	struct kr_quic_cid *next;
+} kr_quic_cid_t;
+
+typedef struct kr_quic_table {
+	kr_quic_table_flag_t flags;
+	/* general "settings" for connections */
+	size_t size;
+	size_t usage;
+	size_t pointers;
+	size_t max_conns;
+	size_t udp_payload_limit;
+	void (*log_cb)(const char *);
+	const char *qlog_dir;
+	uint64_t hash_secret[4];
+	struct tls_credentials *creds;
+	struct gnutls_priority_st *priority;
+	struct heap *expiry_heap;
+	struct kr_quic_cid *conns[];
+} kr_quic_table_t;
+
 /* quic subsession init parameters */
 struct kr_quic_conn_param {
+	bool retry_sent;
+	kr_quic_table_t *table;
 	ngtcp2_cid dcid;
 	ngtcp2_cid scid;
 	ngtcp2_cid odcid;
 	ngtcp2_version_cid *dec_cids;
 	struct comm_info *comm_storage;
 };
+
 struct kr_quic_stream_param {
 	int64_t stream_id;
 	ngtcp2_conn *conn;
 	struct comm_info comm_storage;
 };
 
-uint64_t quic_timestamp(void);
 bool kr_quic_conn_timeout(struct pl_quic_conn_sess_data *conn, uint64_t *now);
+uint64_t cid2hash(const ngtcp2_cid *cid, kr_quic_table_t *table);
+bool init_unique_cid(ngtcp2_cid *cid, size_t len, kr_quic_table_t *table);
 void init_random_cid(ngtcp2_cid *cid, size_t len);
-ssize_t send_version_negotiation(struct wire_buf *dest, ngtcp2_version_cid dec_cids,
-		ngtcp2_cid dcid, ngtcp2_cid scid);
+uint64_t quic_timestamp(void);
+kr_quic_cid_t **kr_quic_table_lookup2(const ngtcp2_cid *cid,
+		kr_quic_table_t *table);
+struct pl_quic_conn_sess_data *kr_quic_table_lookup(const ngtcp2_cid *cid,
+		kr_quic_table_t *table);
+int write_retry_packet(struct wire_buf *dest, kr_quic_table_t *table,
+		ngtcp2_version_cid *dec_cids,
+		const struct sockaddr *src_addr,
+		uint8_t *secret, size_t secret_len);