Summary:
This stack adds key update support to Mvfst client and server. This diff adds the main logic for detecting key updates in the QuicReadCodec. When an update is successful, the server transport reacts to it by updating the write phase and cipher.
The high level design is as follows:
- The QuicReadCodec is responsible for detecting incoming key update attempts by the peer, as well as tracking any ongoing locally-initiated key updates.
- Upon detecting a successful key update, the QuicReadCodec updates its state. The Server/Client transport reacts to this change by updating its write phase and cipher.
- A locally initiated key update starts with updating the write phase and key, and signaling the read codec that a key update has been initiated.
- The read codec keeps this in a pending state until a packet is successfully received in the new phase.
- Functions for syncing the read/write phase on incoming key updates, as well as initiating and verifying outgoing key updates are abstracted in QuicTransportFunctions and are used by both the client and server transports.
- Common handshake functions used for rotating the keys are now in HandshakeLayer that is shared by both client and server handshakes.
Reviewed By: mjoras
Differential Revision: D53016559
fbshipit-source-id: 134e965dabd62917193544a9655a4eb8868ab7f8
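Added example, not part of the commit or of mvfst: a simplified model of the read-side state machine the summary above describes. `KeyPhaseTracker`, `onPacket` and the "generation" counter that stands in for the AEAD check are hypothetical names chosen for illustration.

```cpp
#include <cstdint>

// Hypothetical model of the read-side key-phase tracking described above.
// Not mvfst code: "gen" (key generation) stands in for the AEAD check, i.e.
// decryption with a key succeeds only when the sender used that generation.
enum class Phase : uint8_t { Zero = 0, One = 1 };
enum class ReadResult { Ok, PeerKeyUpdate, LocalUpdateVerified, Dropped };

inline Phase flip(Phase p) {
  return p == Phase::Zero ? Phase::One : Phase::Zero;
}

struct KeyPhaseTracker {
  Phase readPhase = Phase::Zero;
  Phase writePhase = Phase::Zero;
  uint32_t readGen = 0;
  uint32_t writeGen = 0;
  bool localUpdatePending = false;

  // Local initiation: the write side moves first, the read side stays pending.
  bool initiateKeyUpdate() {
    if (localUpdatePending || writeGen != readGen) return false;
    writePhase = flip(writePhase);
    ++writeGen;
    localUpdatePending = true;
    return true;
  }

  // packetPhase is the Key Phase bit of a short-header packet.
  ReadResult onPacket(Phase packetPhase, uint32_t packetGen) {
    if (packetPhase == readPhase) {
      return packetGen == readGen ? ReadResult::Ok : ReadResult::Dropped;
    }
    // The phase bit is unauthenticated: commit nothing until the packet
    // decrypts under the next-generation read key.
    if (packetGen != readGen + 1) return ReadResult::Dropped;
    readPhase = packetPhase;
    ++readGen;
    if (localUpdatePending) {  // peer answered our update in the new phase
      localUpdatePending = false;
      return ReadResult::LocalUpdateVerified;
    }
    writePhase = readPhase;  // peer-initiated: sync the write side
    writeGen = readGen;
    return ReadResult::PeerKeyUpdate;
  }
};
```

As a simplification, this model drops reordered packets from the previous phase instead of retaining the old read key for them.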
Summary: This is in preparation for enforcing ALPN requirement in the QUIC layer.
Reviewed By: mjoras
Differential Revision: D51285567
fbshipit-source-id: 3cc3c2fbde169ec9603b3309d0abda74aa698602
Summary: Update flow control settings names to reflect that these are indeed flow control
Reviewed By: jbeshay
Differential Revision: D48137685
fbshipit-source-id: a48372e21cdd529480e25785a9bd5de456427ef3
Summary: As it says on the tin. Allows for callers to opt in to in-place decryption always.
Reviewed By: mingtaoy
Differential Revision: D28270936
fbshipit-source-id: 389d9f9f4f7283af33c8eee5125f74bf7c034cd7
Summary: Adds piping from AsyncFizzClient/Server down to the AEAD to support indicating what the desired behavior is. Doesn't modify the current behavior.
Reviewed By: knekritz
Differential Revision: D28037478
fbshipit-source-id: ac2d3d24828ced6ec435cd060c2d28a5700bf6bf
Summary:
Original commit changeset: a77b4ddb8bd5
- The diff broke AdFinder by causing 10x critical exceptions to be thrown
- We also suspect this diff causes data corruption that leads to adid = 0 issue that has further impact in the system (to be verified in canary)
Reviewed By: wylqc
Differential Revision: D27898082
fbshipit-source-id: 4d4a2458b218714abe810b7f3e3ef1bfe62675a0
Summary: Adds piping from AsyncFizzClient/Server down to the AEAD to support indicating what the desired behavior is
Reviewed By: mingtaoy
Differential Revision: D27274332
fbshipit-source-id: a77b4ddb8bd52c8fb2bd38c89d3e489d07c7781a
Summary:
Add ech config to connect API calls so it can be used in the client (see D24896065 for usage).
This involves updating some call sites where connect is being used.
Reviewed By: reanimus
Differential Revision: D24865702
fbshipit-source-id: bb050fdfbc8ad0f6b290f3daa0d04cbbd5b9c4b3
Summary:
Also move encoding/decoding of the AppToken to be transmitted via fizz in its own file.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/175
Reviewed By: yangchi
Differential Revision: D23681956
Pulled By: mjoras
fbshipit-source-id: dc98d0b4ba2bee4a05ae8832d36ff4a116cfbd0d
Summary:
This is following a similar pattern to what was done for the client side.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/160
Reviewed By: yangchi
Differential Revision: D23560951
Pulled By: xttjsn
fbshipit-source-id: 351417cbfa3230112fff4c4de59b307f88389cf6
Summary:
This implements the connection ID validation via transport parameters. Note we don't do anything with the retry transport parameter yet.
This will probably require further surgery to tests when we want the MVFST version to do this, but for now I'm punting on that test plumbing.
This retains support for h3-27.
Reviewed By: yangchi
Differential Revision: D22045631
fbshipit-source-id: e93841e734c0683655c751d808fd90b3b391eb3e
Summary:
Previously we would only write the data to the client after an asynchronous
event.
Reviewed By: mjoras
Differential Revision: D22020222
fbshipit-source-id: cecd8196d692a0b9f0a60ab7849707bcbb0e1a20
Summary:
The transport parameters format changed in draft 27. It is now self describing via varints.
This diff retains support for the old encoding and does not iterate the mvfst version.
Reviewed By: lnicco
Differential Revision: D20149977
fbshipit-source-id: c6fa9c226f859ed81ca83ada5a8bc5832b4a3388
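Added example, not part of the commit or of mvfst: a bounds-checked parser for the varint-based transport parameter encoding mentioned above (a sequence of id, length and value, with id and length as QUIC variable-length integers). The function names are hypothetical, and rejecting duplicate ids follows RFC 9000 rather than anything stated in the commit.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <utility>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Decode one QUIC variable-length integer at `pos`, advancing it on success.
// The top two bits of the first byte select an encoded length of 1, 2, 4 or 8.
bool readVarint(const Bytes& in, size_t& pos, uint64_t& out) {
  if (pos >= in.size()) return false;
  size_t len = size_t{1} << (in[pos] >> 6);
  if (in.size() - pos < len) return false;  // truncated integer
  uint64_t v = in[pos] & 0x3f;
  for (size_t i = 1; i < len; ++i) v = (v << 8) | in[pos + i];
  pos += len;
  out = v;
  return true;
}

// Parse the whole extension body into id -> raw value.
// Fails on truncated input, a length that overruns the buffer, or a
// duplicated parameter id; `out` is only meaningful when true is returned.
bool parseTransportParams(const Bytes& in, std::map<uint64_t, Bytes>& out) {
  out.clear();
  size_t pos = 0;
  while (pos < in.size()) {
    uint64_t id = 0, len = 0;
    if (!readVarint(in, pos, id) || !readVarint(in, pos, len)) return false;
    if (len > in.size() - pos) return false;  // value overruns the buffer
    auto first = in.begin() + static_cast<std::ptrdiff_t>(pos);
    Bytes value(first, first + static_cast<std::ptrdiff_t>(len));
    pos += static_cast<size_t>(len);
    if (!out.emplace(id, std::move(value)).second) return false;  // duplicate
  }
  return true;
}
```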
Summary:
This eliminates some tech debt by completely removing the notion of version from the core transport parameters structure and the app token for zero rtt.
Note that for the draft-27 changes we will need to temporarily re-introduce it, but to a different layer (the extension encoding itself).
Reviewed By: JunqiWang
Differential Revision: D20073578
fbshipit-source-id: 2b55af621566bf1c20e21dd17251116de1788fa0
Summary:
This moves the fizz specific part of the handshake into its own folder and library.
There is a bit of smurf naming going on as a result, not sure it is worth fixing or not at this stage. Maybe this code should be in a namespace named quic::fizz.
This should be doable with the client as well as soon as the key cache situation is figured out.
---
## Proxygen Canary
Reviewed By: yangchi
Differential Revision: D19290919
fbshipit-source-id: 48d7f7c70db42c65f7dffe3256805c268a481198
Summary: We'd like to remove this param from our decrypt() api, as it's no longer needed.
Reviewed By: reanimus
Differential Revision: D18855369
fbshipit-source-id: cfe5b3d847918a9ef4a4834df716b79baf0e804a
Summary:
That ensures the connect API from ClientHandshake doesn't depend on fizz specific things anymore.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/76
Reviewed By: yangchi
Differential Revision: D18888115
Pulled By: mjoras
fbshipit-source-id: 00103d629708796b73787b3dabb6f8d3815ff976
Summary:
Client will set their active_connection_id_limit to the server as 7 (so it will
have 8 conn ids in total).
Reviewed By: JunqiWang
Differential Revision: D18532441
fbshipit-source-id: b0be65cec9f7c483469b0b4a2810bc370a6945c3
Summary:
They are strongly coupled, which indicates it is probably better to do it as one class.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/44
Reviewed By: mjoras
Differential Revision: D17590918
Pulled By: yangchi
fbshipit-source-id: 2eaca079fd760107eefd2b74fa612d7a0c8b3001
Summary: Having access to the state when decrypting tickets gives us more control over ticket acceptance policies.
Reviewed By: knekritz
Differential Revision: D17528945
fbshipit-source-id: a3cb3d4c0917f2494f5669f283cda70776b608c6
Summary:
The CryptoFactory is extended with makePacketNumberCipher. In order to support that feature, FizzCryptoFactory now explicitly takes a QuicFizzFactory as argument instead of a generic fizz::Factory, which is the only type that is used in practice anyways.
The cypher argument was removed because:
1/ Only one cypher is used at all. Fizz also supports ChaCha20, but using it in mvfst will throw an exception.
2/ it seems like the factory should know what cypher it is dealing with.
If a choice of cypher needs to be supported going forward, it can be done by adding state to FizzCryptoFactory.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/40
Reviewed By: mjoras
Differential Revision: D16785274
Pulled By: yangchi
fbshipit-source-id: a1c490e34c5ddd107e8e068d8b127c1ed00a59ec
Summary:
This ensures a lot of code does not depend on fizz anymore.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/26
Reviewed By: mjoras, JunqiWang
Differential Revision: D16030663
Pulled By: yangchi
fbshipit-source-id: a3cc34905a6afb657da194e2166434425e7e163c
Summary: Replace hard coded stateless reset token with a token from the stateless reset token generator.
Reviewed By: yangchi
Differential Revision: D15481858
fbshipit-source-id: 30c96843c38c616600466b2fabb6defd5fcc5799
Summary: After a given amount of time, discards PSKs whose handshakes are too old.
Reviewed By: knekritz
Differential Revision: D14174662
fbshipit-source-id: ef505af91732c1030c6ce27835db49cf07d9c506
Summary:
This introduces quic::Aead as a simple typedef to fizz::Aead and updates the codebase to use quic::Aead. This should not impact the functionality of the code in any way.
This is a first step toward introducing an interface that is specific for mvfst so that mvfst can swap fizz for something else.
Pull Request resolved: https://github.com/facebookincubator/mvfst/pull/12
Reviewed By: JunqiWang
Differential Revision: D15335324
Pulled By: mjoras
fbshipit-source-id: fef166a9a5c2cbae08ad9511d0abd749f330c221
Summary:
Draft-19 onwards effectively punted version negotiation to QUICv2. Now receiving version negotiation on clients is treated as an immediate termination of the connection.
The transport parameter format has also changed to no longer include any reference to the QUIC version. To avoid us (Facebook) having to turn off QUIC traffic in production, our server needs to be able to parse these transport parameters from our older clients. To achieve this when parsing the transport parameters we will, as a temporary measure, check for the Facebook QUIC version to determine which transport parameter format we are parsing. Luckily for us the version we chose maps nicely to an implausible length for the transport parameters (0xface).
Note that this diff still has the client send the old transport parameter format, so that the rollout can be staged.
Reviewed By: yangchi
Differential Revision: D15203481
fbshipit-source-id: dfaaddc3acc76434461b04430b82a0902138c060