Opened 2 years ago

Closed 2 years ago

Last modified 10 months ago

#2289 closed defect (fixed)

QUIC: RETIRE_CONNECTION_ID with invalid DestinationConnectionId

Reported by: WesleyRosenblum@… Owned by:
Priority: minor Milestone:
Component: http/3 Version: 1.19.x
Keywords: Cc:
uname -a:
nginx -V: nginx/1.21.4 (8703:aae8b91e0280)

Description

While testing nginx QUIC functionality, nginx sent a RETIRE_CONNECTION_ID frame with Sequence: 0, using the Destination Connection ID referred to by Sequence ID 0. This is prohibited by RFC 9000 §19.16:

The sequence number specified in a RETIRE_CONNECTION_ID frame MUST NOT refer to the Destination Connection ID field of the packet in which the frame is contained.

The invalid RETIRE_CONNECTION_ID frame was received in response to the server sending two NEW_CONNECTION_ID frames, each with Retire Prior To set to 1.

QUIC Short Header DCID=0000000000000008a1d253f480c1d8e8dd75e0c0 PKN=2

Destination Connection ID: 0000000000000008a1d253f480c1d8e8dd75e0c0
Packet Number: 2

NEW_CONNECTION_ID

Frame Type: NEW_CONNECTION_ID (0x0000000000000018)
Sequence: 1
Retire Prior To: 1
Connection ID Length: 16
Connection ID: 1aa096604a4a5c26f51a9ebb38965ee7
Stateless Reset Token: d4dde1412056fbd92b1158c6502cae29

NEW_CONNECTION_ID

Frame Type: NEW_CONNECTION_ID (0x0000000000000018)
Sequence: 2
Retire Prior To: 1
Connection ID Length: 16
Connection ID: 007061a58f6a2518b98f5a5c4ad39994
Stateless Reset Token: 3c5a67af0edc63d2451994942ab932ca

nginx responds with:

QUIC Short Header DCID=98376dec4bb617de72b3ce5062d58a66 PKN=2

Destination Connection ID: 98376dec4bb617de72b3ce5062d58a66
Packet Number: 2

RETIRE_CONNECTION_ID

Frame Type: RETIRE_CONNECTION_ID (0x0000000000000019)
Sequence: 0

Since Destination Connection ID 98376dec4bb617de72b3ce5062d58a66 is the connection ID referred to by Sequence 0, this is not valid. The Destination Connection ID should be either 1aa096604a4a5c26f51a9ebb38965ee7 or 007061a58f6a2518b98f5a5c4ad39994.

Here is the nginx version information:

nginx version: nginx/1.21.4 (8703:aae8b91e0280)
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --build=8703:aae8b91e0280 --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-debug --with-http_ssl_module --with-http_v2_module --with-http_quic_module --with-stream_quic_module --with-http_v3_module --with-cc-opt='-I/boringssl/include -O0 -fno-common -fno-omit-frame-pointer -DNGX_QUIC_DRAFT_VERSION=29' --with-ld-opt='-L/boringssl/build/ssl -L/boringssl/build/crypto'

Thanks for considering this issue and let me know if you need any further information!

Change History (7)

comment:1 by vl, 2 years ago

Status: new → accepted

Yes indeed, we don't check if the retired id matches the one currently used.
What is the client?

comment:2 by WesleyRosenblum@…, 2 years ago

Thanks. This came up in testing, not with a full client.

comment:3 by vl, 2 years ago

Resolution: fixed
Status: accepted → closed

Thanks for reporting this.
Should be fixed now by https://hg.nginx.org/nginx-quic/rev/9680f0badc95

comment:4 by vl, 2 years ago

Component: documentation → http/3

comment:6 by vl, 2 years ago

Should be up to date now.

comment:7 by Vladimir Homutov <vl@…>, 10 months ago

In 8920:9680f0badc95/nginx:

QUIC: fixed using of retired connection id (ticket #2289).

RFC 9000 19.16

The sequence number specified in a RETIRE_CONNECTION_ID frame MUST NOT
refer to the Destination Connection ID field of the packet in which the
frame is contained.

Before the patch, the RETIRE_CONNECTION_ID frame was sent before switching
to the new client id. If the retired client id was currently in use, this led
to a violation of the spec.
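The following is an added C model of the behaviour this ticket and the fix commit describe; it is not nginx's code. It tracks peer-issued connection IDs with their sequence numbers, builds a simplified outgoing packet (the sequence number of the CID in its DCID field plus the RETIRE_CONNECTION_ID sequence numbers it carries), and implements both orders of operations: retire-then-switch (the pre-fix order) and switch-then-retire (the fixed order). `retire_frame_violates_rfc9000` is the §19.16 check a receiver or a test harness can apply, and `replay_ticket` replays the exchange from the description (CID seq 0 in use, then NEW_CONNECTION_ID seq 1 and 2 with Retire Prior To 1). The CID byte values and the struct layouts are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_CIDS 8
#define CID_LEN  16

/* One connection ID issued by the peer, i.e. a candidate for the
 * Destination Connection ID field of our outgoing packets. */
typedef struct {
    int      used;
    int      retired;       /* RETIRE_CONNECTION_ID already sent for it */
    uint64_t seq;
    uint8_t  id[CID_LEN];
} cid_entry;

typedef struct {
    cid_entry cids[MAX_CIDS];
    uint64_t  active_seq;   /* seq of the CID currently used as DCID */
} quic_conn;

/* Simplified outgoing short-header packet (constructed model). */
typedef struct {
    uint64_t dcid_seq;      /* which peer CID sits in the DCID field */
    uint64_t retire_seqs[MAX_CIDS];
    int      retire_count;  /* RETIRE_CONNECTION_ID frames carried */
} quic_packet;

static cid_entry *find_cid(quic_conn *c, uint64_t seq)
{
    for (int i = 0; i < MAX_CIDS; i++)
        if (c->cids[i].used && c->cids[i].seq == seq)
            return &c->cids[i];
    return NULL;
}

/* Fresh connection: the peer's only CID so far has sequence number 0. */
void conn_init(quic_conn *c, const uint8_t *initial_id)
{
    memset(c, 0, sizeof(*c));
    c->cids[0].used = 1;
    memcpy(c->cids[0].id, initial_id, CID_LEN);
}

static int store_cid(quic_conn *c, uint64_t seq, const uint8_t *id)
{
    if (find_cid(c, seq))
        return 0;                          /* retransmitted NEW_CONNECTION_ID */
    for (int i = 0; i < MAX_CIDS; i++) {
        if (!c->cids[i].used) {
            c->cids[i].used = 1;
            c->cids[i].retired = 0;
            c->cids[i].seq = seq;
            memcpy(c->cids[i].id, id, CID_LEN);
            return 0;
        }
    }
    return -1;                             /* no free slot */
}

/* Make the lowest non-retired CID with seq >= rpt the active DCID. */
static int switch_active(quic_conn *c, uint64_t rpt)
{
    cid_entry *best = NULL;
    for (int i = 0; i < MAX_CIDS; i++) {
        cid_entry *e = &c->cids[i];
        if (e->used && !e->retired && e->seq >= rpt
            && (best == NULL || e->seq < best->seq))
            best = e;
    }
    if (best == NULL)
        return -1;
    c->active_seq = best->seq;
    return 0;
}

/* Emit one packet retiring every CID below rpt; the DCID is whatever CID
 * is active at this moment, which is exactly what the ordering bug hinges on. */
static void emit_retire_packet(quic_conn *c, uint64_t rpt, quic_packet *pkt)
{
    pkt->dcid_seq = c->active_seq;
    pkt->retire_count = 0;
    for (int i = 0; i < MAX_CIDS; i++) {
        cid_entry *e = &c->cids[i];
        if (e->used && !e->retired && e->seq < rpt) {
            e->retired = 1;
            pkt->retire_seqs[pkt->retire_count++] = e->seq;
        }
    }
}

/* Pre-fix order from the ticket: retire first, switch afterwards. */
int on_new_cid_before_fix(quic_conn *c, uint64_t seq, uint64_t rpt,
                          const uint8_t *id, quic_packet *pkt)
{
    if (store_cid(c, seq, id) < 0)
        return -1;
    emit_retire_packet(c, rpt, pkt);
    return switch_active(c, rpt);
}

/* Fixed order: switch to a non-retired CID, then retire the old ones. */
int on_new_cid_fixed(quic_conn *c, uint64_t seq, uint64_t rpt,
                     const uint8_t *id, quic_packet *pkt)
{
    pkt->retire_count = 0;
    if (store_cid(c, seq, id) < 0 || switch_active(c, rpt) < 0)
        return -1;
    emit_retire_packet(c, rpt, pkt);
    return 0;
}

/* RFC 9000 §19.16: a RETIRE_CONNECTION_ID frame MUST NOT refer to the
 * Destination Connection ID of the packet carrying it. Returns 1 on violation. */
int retire_frame_violates_rfc9000(const quic_packet *pkt)
{
    for (int i = 0; i < pkt->retire_count; i++)
        if (pkt->retire_seqs[i] == pkt->dcid_seq)
            return 1;
    return 0;
}

/* Replay the ticket's exchange and count offending packets (-1 on error). */
int replay_ticket(int use_fixed_order)
{
    static const uint8_t id0[CID_LEN] = {0x98, 0x37};  /* constructed */
    static const uint8_t id1[CID_LEN] = {0x1a, 0xa0};  /* constructed */
    static const uint8_t id2[CID_LEN] = {0x00, 0x70};  /* constructed */
    quic_conn c;
    quic_packet p;
    int violations = 0;

    conn_init(&c, id0);
    for (uint64_t seq = 1; seq <= 2; seq++) {
        const uint8_t *id = (seq == 1) ? id1 : id2;
        int rc = use_fixed_order ? on_new_cid_fixed(&c, seq, 1, id, &p)
                                 : on_new_cid_before_fix(&c, seq, 1, id, &p);
        if (rc < 0)
            return -1;
        violations += retire_frame_violates_rfc9000(&p);
    }
    return violations;
}
```

With the pre-fix order, the first NEW_CONNECTION_ID (seq 1, Retire Prior To 1) produces a packet whose DCID is still CID 0 while it carries RETIRE_CONNECTION_ID seq 0, which is the frame in the report; with the fixed order the same input yields DCID seq 1 retiring seq 0. The second NEW_CONNECTION_ID retires nothing further in either case, since seq 0 is already marked retired.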
