BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
Received QUIC packets are stored in quic_conn Rx buffer after header
protection removal in qc_rx_pkt_handle(). These packets are then removed
after quic_conn IO handler via qc_treat_rx_pkts().
If HP cannot be removed, packets are still copied into quic_conn Rx
buffer. This can happen if encryption level TLS keys are not yet
available. The packet remains in the buffer until HP can be removed and
its content processed.
An issue occurs if client emits a 0-RTT packet but haproxy does not have
the shared secret, for example after a haproxy process restart. In this
case, the packet is copied in quic_conn Rx buffer but its HP won't ever
be removed. This prevents the buffer to be purged. After some time, if
the client has emitted enough packets, Rx buffer won't have any space
left and received packets are dropped. This will cause the connection to
freeze.
To fix this, remove any 0-RTT buffered packets on handshake completion.
At this stage, 0-RTT packets are unnecessary anymore. The client is
expected to reemit its content in 1-RTT packet which are properly
deciphered.
This can easily reproduce with HTTP/3 POST requests or retrieving a big
enough object, which will fill the Rx buffer with ACK frames. Here is a
picoquic command to provoke the issue on haproxy startup :
$ picoquicdemo -Q -v 00000001 -a h3 <hostname> 20443 "/?s=1g"
Note that allow-0rtt must be present on the bind line to trigger the
issue. Else haproxy will reject any 0-RTT packets.
This must be backported up to 2.6.
This could be one of the reason for github issue #2549 but it's unsure
for now.
(cherry picked from commit bba6baff306820a01ea66fddde5acbad11c601b6)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 0a06f5f5aefdba68c675f9c2bf55dad093f800e7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit c1f51cecce9e7dc926527729d26ace8750b8ca64)
[wt: qc->eel => qc->els[QUIC_TLS_ENC_LEVEL_EARLY_DATA] (no dyn alloc)]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 5a5885e..4812834 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4600,7 +4600,7 @@
quic_rx_packet_refinc(pqpkt);
TRACE_PROTO("RX hp removed", QUIC_EV_CONN_ELRMHP, qc, pqpkt);
}
- LIST_DELETE(&pqpkt->list);
+ LIST_DEL_INIT(&pqpkt->list);
quic_rx_packet_refdec(pqpkt);
}
@@ -5268,6 +5268,33 @@
/* There may be remaining handshake to build (acks) */
st = QUIC_HS_ST_SERVER_HANDSHAKE;
}
+
+ /* Release 0RTT packets still waiting for HP removal. These
+ * packets are considered unneeded after handshake completion.
+ * They will be freed later from Rx buf via quic_rx_pkts_del().
+ */
+ if (!LIST_ISEMPTY(&qc->els[QUIC_TLS_ENC_LEVEL_EARLY_DATA].rx.pqpkts)) {
+ struct quic_rx_packet *pqpkt, *pkttmp;
+ list_for_each_entry_safe(pqpkt, pkttmp, &qc->els[QUIC_TLS_ENC_LEVEL_EARLY_DATA].rx.pqpkts, list) {
+ LIST_DEL_INIT(&pqpkt->list);
+ quic_rx_packet_refdec(pqpkt);
+ }
+
+ /* RFC 9001 4.9.3. Discarding 0-RTT Keys
+ * Additionally, a server MAY discard 0-RTT keys as soon as it receives
+ * a 1-RTT packet. However, due to packet reordering, a 0-RTT packet
+ * could arrive after a 1-RTT packet. Servers MAY temporarily retain 0-
+ * RTT keys to allow decrypting reordered packets without requiring
+ * their contents to be retransmitted with 1-RTT keys. After receiving a
+ * 1-RTT packet, servers MUST discard 0-RTT keys within a short time;
+ * the RECOMMENDED time period is three times the Probe Timeout (PTO,
+ * see [QUIC-RECOVERY]). A server MAY discard 0-RTT keys earlier if it
+ * determines that it has received all 0-RTT packets, which can be done
+ * by keeping track of missing packet numbers.
+ *
+ * TODO implement discarding of 0-RTT keys
+ */
+ }
}
/* A listener does not send any O-RTT packet. O-RTT packet number space must not