phongn commented on code in PR #13186: URL: https://github.com/apache/trafficserver/pull/13186#discussion_r3320545617
########## src/iocore/net/OpenSSLQUICPacketHandler.cc: ########## @@ -0,0 +1,281 @@ +/** @file + + OpenSSL native QUIC listener support. + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#include "P_QUICPacketHandler.h" +#include "P_QUICNetProcessor.h" +#include "P_QUICNetVConnection.h" +#include "P_SSLCertLookup.h" +#include "P_UnixNet.h" +#include "iocore/net/QUICMultiCertConfigLoader.h" +#include "iocore/net/quic/QUICConfig.h" +#include "tscore/ink_atomic.h" +#include "tscore/ink_sock.h" + +#include <openssl/err.h> +#include <openssl/ssl.h> + +#include <cerrno> + +namespace +{ +constexpr ink_hrtime OPENSSL_QUIC_EVENT_INTERVAL = HRTIME_MSECONDS(2); + +DbgCtl dbg_ctl_openssl_quic{"openssl_quic"}; + +} // end anonymous namespace + +QUICPacketHandler::QUICPacketHandler() +{ + this->_closed_con_collector = std::make_unique<QUICClosedConCollector>(); + this->_closed_con_collector->mutex = new_ProxyMutex(); +} + +QUICPacketHandler::~QUICPacketHandler() +{ + if (this->_collector_event != nullptr) { + this->_collector_event->cancel(); + this->_collector_event = nullptr; + } +} + +void +QUICPacketHandler::close_connection(QUICNetVConnection *conn) +{ + int isin = ink_atomic_swap(&conn->in_closed_queue, 1); + if (!isin) { + this->_closed_con_collector->closedQueue.push(conn); + } +} + +void +QUICPacketHandler::send_packet(UDPConnection * /* udp_con ATS_UNUSED */, IpEndpoint & /* addr ATS_UNUSED */, + Ptr<IOBufferBlock> /* udp_payload ATS_UNUSED */, uint16_t /* segment_size ATS_UNUSED */, + struct timespec * /* send_at_hint ATS_UNUSED */) +{ +} + +QUICPacketHandlerIn::QUICPacketHandlerIn(NetProcessor::AcceptOptions const &opt) : NetAccept(opt), QUICPacketHandler() +{ + this->mutex = new_ProxyMutex(); +} + +QUICPacketHandlerIn::~QUICPacketHandlerIn() +{ + if (this->_event != nullptr) { + this->_event->cancel(); + this->_event = nullptr; + } + if (this->_listener != nullptr) { + SSL_free(this->_listener); + this->_listener = nullptr; + } +} + +NetProcessor * +QUICPacketHandlerIn::getNetProcessor() const +{ + return &quic_NetProcessor; +} + +NetAccept * +QUICPacketHandlerIn::clone() const +{ + return new QUICPacketHandlerIn(this->opt); +} + +int +QUICPacketHandlerIn::acceptEvent(int /* event ATS_UNUSED */, void * /* data ATS_UNUSED */) +{ + this->setThreadAffinity(this_ethread()); + + if (this->_collector_event == nullptr) { + this->_collector_event = this_ethread()->schedule_every(this->_closed_con_collector.get(), HRTIME_MSECONDS(100)); + } + + if (this->_listener == nullptr && !this->_start_listener()) { + return EVENT_DONE; + } + + this->_event = nullptr; + this->_service_listener(); + this->_schedule_event(); + + return EVENT_CONT; +} + +void +QUICPacketHandlerIn::init_accept(EThread *t) +{ + SET_HANDLER(&QUICPacketHandlerIn::acceptEvent); + + if (t == nullptr) { + t = eventProcessor.assign_thread(ET_NET); + } + + if (!this->action_->continuation->mutex) { + this->action_->continuation->mutex = t->mutex; + this->action_->mutex = t->mutex; + } + + this->mutex = get_NetHandler(t)->mutex; + t->schedule_imm(this); +} + +Continuation * +QUICPacketHandlerIn::_get_continuation() +{ + return this; +} + +void +QUICPacketHandlerIn::_recv_packet(int /* event ATS_UNUSED */, UDPPacket * /* udpPacket ATS_UNUSED */) +{ +} + +bool +QUICPacketHandlerIn::_start_listener() +{ + if (!this->server.sock.is_ok()) { + this->server.sock = UnixSocket{this->server.accept_addr.sa.sa_family, SOCK_DGRAM, 0}; + if (!this->server.sock.is_ok()) { + Error("failed to create OpenSSL QUIC UDP socket: %s", strerror(errno)); + return false; + } + + if (this->server.accept_addr.sa.sa_family == AF_INET6 && this->server.sock.enable_option(IPPROTO_IPV6, IPV6_V6ONLY) < 0) { + Error("failed to set IPV6_V6ONLY on OpenSSL QUIC socket: %s", strerror(errno)); + return false; + } + if (this->server.sock.enable_option(SOL_SOCKET, SO_REUSEADDR) < 0) { + Error("failed to set SO_REUSEADDR on OpenSSL QUIC socket: %s", strerror(errno)); + return false; + } + if (this->server.sock.bind(&this->server.accept_addr.sa, ats_ip_size(&this->server.accept_addr.sa)) < 0) { + Error("failed to bind OpenSSL QUIC socket: %s", strerror(errno)); + return false; + } + } + + if (this->server.sock.set_nonblocking() < 0) { + Error("failed to make OpenSSL QUIC socket nonblocking: %s", strerror(errno)); + return false; + } + if (this->opt.recv_bufsize > 0) { + this->server.sock.set_rcvbuf_size(this->opt.recv_bufsize); + } + if (this->opt.send_bufsize > 0) { + this->server.sock.set_sndbuf_size(this->opt.send_bufsize); + } + + QUICCertConfig::scoped_config server_cert; + QUICConfig::scoped_config params; + uint64_t listener_flags = 0; + if (!params->stateless_retry()) { + listener_flags |= SSL_LISTENER_FLAG_NO_VALIDATE; + } + + this->_listener = SSL_new_listener(server_cert->defaultContext(), listener_flags); + if (this->_listener == nullptr) { + Error("failed to create OpenSSL QUIC listener"); + return false; + } + + if (SSL_set_fd(this->_listener, this->server.sock.get_fd()) != 1) { + Error("failed to configure OpenSSL QUIC listener socket"); + return false; + } + SSL_set_blocking_mode(this->_listener, 0); + SSL_set_event_handling_mode(this->_listener, SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT); + + SSL_set_feature_request_uint(this->_listener, SSL_VALUE_QUIC_IDLE_TIMEOUT, params->no_activity_timeout_in()); + SSL_set_feature_request_uint(this->_listener, SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL, params->initial_max_streams_bidi_in()); + SSL_set_feature_request_uint(this->_listener, SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL, params->initial_max_streams_uni_in()); + SSL_set_incoming_stream_policy(this->_listener, SSL_INCOMING_STREAM_POLICY_ACCEPT, 0); + + if (SSL_listen(this->_listener) != 1) { + Error("failed to start OpenSSL QUIC listener"); + return false; + } + + Dbg(dbg_ctl_openssl_quic, "OpenSSL QUIC listener started on fd %d", this->server.sock.get_fd()); + return true; +} + +void +QUICPacketHandlerIn::_service_listener() +{ + SSL_handle_events(this->_listener); + + while (SSL *ssl = SSL_accept_connection(this->_listener, SSL_ACCEPT_CONNECTION_NO_BLOCK)) { + SSL_set_blocking_mode(ssl, 0); + SSL_set_event_handling_mode(ssl, SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT); + SSL_set_incoming_stream_policy(ssl, SSL_INCOMING_STREAM_POLICY_ACCEPT, 0); + SSL_set_default_stream_mode(ssl, SSL_DEFAULT_STREAM_MODE_NONE); + + auto *vc = static_cast<QUICNetVConnection *>(getNetProcessor()->allocate_vc(this_ethread())); + if (vc == nullptr) { + SSL_free(ssl); + continue; + } + + IpEndpoint remote_addr; + remote_addr.setToAnyAddr(this->server.accept_addr.sa.sa_family); + + vc->init(ssl, this); + vc->id = net_next_connection_number(); + vc->set_quic_endpoints(this->server.accept_addr, remote_addr); Review Comment: 🤖 _Automated review by **Claude Code**, posted on behalf of @phongn._ Confirming this against OpenSSL 3.5.5 (the system lib here). The literal "set to any" is now just the fallback — the code does try `get_quic_peer_addr()` first — but the underlying concern holds: - OpenSSL 3.5 exposes **no per-connection server-side peer-address getter** (only the client-side setter `SSL_set1_initial_peer_addr`); there is no `SSL_get*peer*addr`. - `SSL_get_rbio()` on a listener-accepted connection returns the listener's **shared** UDP socket BIO, so `BIO_dgram_get_peer()` returns whatever peer was last recorded on that shared BIO — not reliably *this* connection's. Under concurrency it can return the wrong peer, and on failure it falls back to `0.0.0.0`/`::`. Either way the client IP that reaches access logs, ACLs, transparency, and plugins can be wrong. The curl/proxy-verifier tests run over loopback and don't assert on `%<chi>`, so they won't catch this — a test that checks the logged client IP would. Worth confirming whether OpenSSL intends any supported way to recover the per-connection peer here. ########## src/proxy/http3/Http3StreamDataVIOAdaptor.cc: ########## @@ -53,17 +57,17 @@ Http3StreamDataVIOAdaptor::handle_frame(std::shared_ptr<const Http3Frame> frame, void Http3StreamDataVIOAdaptor::finalize() { - SCOPED_MUTEX_LOCK(lock, this->_sink_vio->mutex, this_ethread()); - MIOBuffer *writer = this->_sink_vio->get_writer(); - IOBufferReader *reader = this->_buffer->alloc_reader(); - IOBufferBlock *block; - while (reader->read_avail() > 0 && (block = reader->get_current_block()) != nullptr) { - writer->append_block(block); - reader->consume(block->size()); + if (this->_finalized) { + return; } - this->_buffer->dealloc_reader(reader); - this->_sink_vio->nbytes = this->_total_data_length; + SCOPED_MUTEX_LOCK(lock, this->_sink_vio->mutex, this_ethread()); + MIOBuffer *writer = this->_sink_vio->get_writer(); + int64_t delivered = writer->write(this->_reader, this->_reader->read_avail()); + this->_reader->consume(delivered); + this->_sink_vio->nbytes = this->_total_data_length; + this->_sink_vio->ndone += delivered; + this->_finalized = true; Review Comment: 🤖 _Automated review by **Claude Code**, posted on behalf of @phongn._ Traced this one. Both the header adaptor and this data adaptor sink to the same VIO (`&_read_vio`, the consumer-facing read VIO from `do_io_read`). I don't think it produces a negative `ntodo()` in practice: that `ndone` is producer-side accounting, `do_io_read()` resets it to `0` per read cycle, and the raw QUIC-stream consumption is tracked on a separate VIO (`_info.read_vio->ndone`). The varied body-size tests (0 / 100 / 120 KB / 300 KB, GET and POST) passing is consistent with that. That said, the broader point stands: `finalize()` overwriting the consumer-set `nbytes` with `ndone` (and both adaptors hand-incrementing `ndone`) leans on a non-obvious ordering invariant — it's only safe because of the `do_io_read` reset. A short comment explaining why `nbytes = ndone` is safe here, or deriving completion from end-of-stream rather than overwriting `nbytes`, would make this more robust against future changes. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
