Commit 307ca7fe authored by Dmitri Tikhonov's avatar Dmitri Tikhonov
Browse files

Release 2.16.3

- [OPTIMIZATION] Stash up to two reordered packets in IETF mini conn
  instead of dropping them.
- [BUGFIX] Crash: check decrypt context before using it.  This regression
  was introduced in 2.16.2.
parent f913a297
2020-06-15
- 2.16.3
- [OPTIMIZATION] Stash up to two reordered packets in IETF mini conn
instead of dropping them.
- [BUGFIX] Crash: check decrypt context before using it. This regression
was introduced in 2.16.2.
2020-06-12
- 2.16.2
- [BUGFIX] ID-28: do not use TLS middlebox compatibility mode in
......
......@@ -26,7 +26,7 @@ author = u'LiteSpeed Technologies'
# The short X.Y version
version = u'2.16'
# The full version, including alpha/beta/rc tags
release = u'2.16.2'
release = u'2.16.3'
# -- General configuration ---------------------------------------------------
......
......@@ -25,7 +25,7 @@ extern "C" {
#define LSQUIC_MAJOR_VERSION 2
#define LSQUIC_MINOR_VERSION 16
#define LSQUIC_PATCH_VERSION 2
#define LSQUIC_PATCH_VERSION 3
/**
* Engine flags:
......
......@@ -115,11 +115,15 @@ struct header_prot
const EVP_CIPHER *hp_cipher;
gen_hp_mask_f hp_gen_mask;
enum enc_level hp_enc_level;
enum {
HP_CAN_READ = 1 << 0,
HP_CAN_WRITE = 1 << 1,
} hp_flags;
unsigned hp_sz;
unsigned char hp_buf[2][EVP_MAX_KEY_LENGTH];
};
#define header_prot_inited(hp_) ((hp_)->hp_sz > 0)
#define header_prot_inited(hp_, rw_) ((hp_)->hp_flags & (1 << (rw_)))
struct crypto_ctx
......@@ -177,12 +181,11 @@ derive_hp_secrets (struct header_prot *hp, const EVP_MD *md,
const unsigned char *client_secret, const unsigned char *server_secret)
{
hp->hp_sz = EVP_AEAD_key_length(aead);
if (client_secret)
lsquic_qhkdf_expand(md, client_secret, secret_sz, PN_LABEL, PN_LABEL_SZ,
hp->hp_buf[0], hp->hp_sz);
if (server_secret)
lsquic_qhkdf_expand(md, server_secret, secret_sz, PN_LABEL, PN_LABEL_SZ,
hp->hp_buf[1], hp->hp_sz);
hp->hp_flags = HP_CAN_READ | HP_CAN_WRITE;
lsquic_qhkdf_expand(md, client_secret, secret_sz, PN_LABEL, PN_LABEL_SZ,
hp->hp_buf[0], hp->hp_sz);
lsquic_qhkdf_expand(md, server_secret, secret_sz, PN_LABEL, PN_LABEL_SZ,
hp->hp_buf[1], hp->hp_sz);
}
......@@ -1987,7 +1990,7 @@ iquic_esf_decrypt_packet (enc_session_t *enc_session_p,
else
hp = NULL;
if (UNLIKELY(!(hp && header_prot_inited(hp))))
if (UNLIKELY(!(hp && header_prot_inited(hp, 0))))
{
LSQ_DEBUG("header protection for level %u not initialized yet",
enc_level);
......@@ -2017,7 +2020,11 @@ iquic_esf_decrypt_packet (enc_session_t *enc_session_p,
key_phase = (dst[0] & 0x04) > 0;
pair = &enc_sess->esi_pairs[ key_phase ];
if (key_phase == enc_sess->esi_key_phase)
{
crypto_ctx = &pair->ykp_ctx[ 0 ];
/* Checked by header_prot_inited() above */
assert(crypto_ctx->yk_flags & YK_INITED);
}
else if (!is_valid_packno(
enc_sess->esi_pairs[enc_sess->esi_key_phase].ykp_thresh)
|| packet_in->pi_packno
......@@ -2616,6 +2623,7 @@ set_secret (SSL *ssl, enum ssl_encryption_level_t level,
}
lsquic_qhkdf_expand(crypa.md, secret, secret_len, PN_LABEL, PN_LABEL_SZ,
hp->hp_buf[rw], hp->hp_sz);
hp->hp_flags |= 1 << rw;
if (enc_sess->esi_flags & ESI_LOG_SECRETS)
{
......
......@@ -1185,6 +1185,31 @@ ignore_init (struct ietf_mini_conn *conn)
}
static void
imico_maybe_delay_processing (struct ietf_mini_conn *conn,
struct lsquic_packet_in *packet_in)
{
unsigned max_delayed;
if (conn->imc_flags & IMC_ADDR_VALIDATED)
max_delayed = IMICO_MAX_DELAYED_PACKETS_VALIDATED;
else
max_delayed = IMICO_MAX_DELAYED_PACKETS_UNVALIDATED;
if (conn->imc_delayed_packets_count < max_delayed)
{
++conn->imc_delayed_packets_count;
lsquic_packet_in_upref(packet_in);
TAILQ_INSERT_TAIL(&conn->imc_app_packets, packet_in, pi_next);
LSQ_DEBUG("delay processing of packet (now delayed %hhu)",
conn->imc_delayed_packets_count);
}
else
LSQ_DEBUG("drop packet, already delayed %hhu packets",
conn->imc_delayed_packets_count);
}
/* Only a single packet is supported */
static void
ietf_mini_conn_ci_packet_in (struct lsquic_conn *lconn,
......@@ -1222,8 +1247,9 @@ ietf_mini_conn_ci_packet_in (struct lsquic_conn *lconn,
conn->imc_enpub, &conn->imc_conn, packet_in);
if (dec_packin != DECPI_OK)
{
/* TODO: handle reordering perhaps? */
LSQ_DEBUG("could not decrypt packet");
if (DECPI_NOT_YET == dec_packin)
imico_maybe_delay_processing(conn, packet_in);
return;
}
......@@ -1231,10 +1257,7 @@ ietf_mini_conn_ci_packet_in (struct lsquic_conn *lconn,
if (pns == PNS_APP)
{
lsquic_packet_in_upref(packet_in);
TAILQ_INSERT_TAIL(&conn->imc_app_packets, packet_in, pi_next);
LSQ_DEBUG("delay processing of packet %"PRIu64" in pns %u",
packet_in->pi_packno, pns);
imico_maybe_delay_processing(conn, packet_in);
return;
}
else if (pns == PNS_HSK)
......
......@@ -94,6 +94,9 @@ struct ietf_mini_conn
uint8_t imc_ecn_counts_out[N_PNS][4];
uint8_t imc_incoming_ecn;
uint8_t imc_tls_alert;
#define IMICO_MAX_DELAYED_PACKETS_UNVALIDATED 1u
#define IMICO_MAX_DELAYED_PACKETS_VALIDATED 2u
unsigned char imc_delayed_packets_count;
#define IMICO_MAX_STASHED_FRAMES 10u
unsigned char imc_n_crypto_frames;
struct network_path imc_path;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment