From: Hugo Landau Date: Mon, 22 Aug 2022 14:32:16 +0000 (+0100) Subject: QUIC Flow Control X-Git-Tag: openssl-3.2.0-alpha1~2010 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=508e087c4c9e0f6548816e0044022b257f179585;p=thirdparty%2Fopenssl.git QUIC Flow Control Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19040) --- diff --git a/doc/designs/quic-design/quic-fc.md b/doc/designs/quic-design/quic-fc.md new file mode 100644 index 00000000000..54ba209badf --- /dev/null +++ b/doc/designs/quic-design/quic-fc.md @@ -0,0 +1,272 @@ +Flow Control +============ + +Introduction to QUIC Flow Control +--------------------------------- + +QUIC flow control acts at both connection and stream levels. At any time, +transmission of stream data could be prevented by connection-level flow control, +by stream-level flow control, or both. Flow control uses a credit-based model in +which the relevant flow control limit is expressed as the maximum number of +bytes allowed to be sent on a stream, or across all streams, since the beginning +of the stream or connection. This limit may be periodically bumped. + +It is important to note that both connection and stream-level flow control +relate only to the transmission of QUIC stream data. QUIC flow control at stream +level counts the total number of logical bytes sent on a given stream. Note that +this does not count retransmissions; thus, if a byte is sent, lost, and sent +again, this still only counts as one byte for the purposes of flow control. Note +that the total number of logical bytes sent on a given stream is equivalent to +the current “length” of the stream. In essence, the relevant quantity is +`max(offset + len)` for all STREAM frames `(offset, len)` we have ever sent for +the stream. + +(It is essential that this be determined correctly, as deadlock may occur if we +believe we have exhausted our flow control credit whereas the peer believes we +have not, as the peer may wait indefinitely for us to send more data before +advancing us more flow control credit.) + +QUIC flow control at connection level is based on the sum of all the logical +bytes transmitted across all streams since the start of the connection. + +Connection-level flow control is controlled by the `MAX_DATA` frame; +stream-level flow control is controlled by the `MAX_STREAM_DATA` frame. + +The `DATA_BLOCKED` and `STREAM_DATA_BLOCKED` frames defined by RFC 9000 are less +important than they first appear, as peers are not allowed to rely on them. (For +example, a peer is not allowed to wait until we send `DATA_BLOCKED` to increase +our connection-level credit, and a conformant QUIC implementation can choose to +never generate either of these frame types.) These frames rather serve two +purposes: to enhance flow control performance, and as a debugging aid. +However, their implementation is not critical. + +Note that it follows from the above that the CRYPTO-frame stream is not subject +to flow control. + +Note that flow control and congestion control are completely separate +mechanisms. In a given circumstance, either or both mechanisms may restrict our +ability to transmit application data. + +Consider the following diagram: + + RWM SWM SWM' CWM CWM' + | | | | | + | |<-- credit| -->| | + | <-|- threshold -|----->| | + -----------------> + window size + +We introduce the following terminology: + +- **Controlled bytes** refers to any byte which counts for purposes of flow + control. A controlled byte is any byte of application data in a STREAM frame + payload, the first time it is sent (retransmissions do not count). + +- (RX side only) **Retirement**, which refers to where we dequeue one or more + controlled bytes from a QUIC stream and hand them to the application, meaning + we are no longer responsible for them. + + Retirement is an important factor in our RX flow control design, as we want + peers to transmit not just at the rate that our QUIC implementation can + process incoming data, but also at a rate the application can handle. + +- (RX side only) The **Retired Watermark** (RWM), the total number of retired + controlled bytes since the beginning of the connection or stream. + +- The **Spent Watermark** (SWM), which is the number of controlled bytes we have + sent (for the TX side) or received (for the RX side). This represents the + amount of flow control budget which has been spent. It is a monotonic value + and never decreases. On the RX side, such bytes have not necessarily been + retired yet. + +- The **Credit Watermark** (CWM), which is the number of bytes which have + been authorized for transmission so far. This count is a cumulative count + since the start of the connection or stream and thus is also monotonic. + +- The available **credit**, which is always simply the difference between + the SWM and the CWM. + +- (RX side only) The **threshold**, which is how close we let the RWM + get to the CWM before we choose to extend the peer more credit by bumping the + CWM. The threshold is relative to (i.e., subtracted from) the CWM. + +- (RX side only) The **window size**, which is the amount by which we or a peer + choose to bump the CWM each time, as we reach or exceed the threshold. The new + CWM is calculated as the SWM plus the window size (note that it added to the + SWM, not the old CWM.) + +Note that: + +- If the available credit is zero, the TX side is blocked due to a lack of + credit. + +- If any circumstance occurs which would cause the SWM to exceed the CWM, + a flow control protocol violation has occurred and the connection + should be terminated. + +Connection-Level Flow Control - TX Side +--------------------------------------- + +TX side flow control is exceptionally simple. It can be modelled as the +following state machine: + + ---> event: On TX (numBytes) + ---> event: On TX Window Updated (numBytes) + <--- event: On TX Blocked + Get TX Window() -> numBytes + +The On TX event is passed to the state machine whenever we send a packet. +`numBytes` is the total number of controlled bytes we sent in the packet (i.e., +the number of bytes of STREAM frame payload which are not retransmissions). This +value is added to the TX-side SWM value. Note that this may be zero, though +there is no need to pass the event in this case. + +The On TX Window Updated event is passed to the state machine whenever we have +our CWM increased. In other words, it is passed whenever we receive a `MAX_DATA` +frame, with the integer value contained in that frame (or when we receive the +`initial_max_data` transport parameter). + +The On TX Window Updated event expresses the CWM (that is, the cumulative +number of controlled bytes we are allowed to send since the start of the +connection), thus it is monotonic and may never regress. If an On TX Window +Update event is passed to the state machine with a value lower than that passed +in any previous such event, it indicates a peer protocol error or a local +programming error. + +The Get TX Window function returns our credit value (that is, it returns the +number of controlled bytes we are allowed to send). This value is reduced by the +On TX event and increased by the On TX Window Updated event. In fact, it is +simply the difference between the last On TX Window Updated value and the sum of +the `numBytes` arguments of all On TX events so far; it is that simple. + +The On TX Blocked event is emitted at the time of any edge transition where the +value which would be returned by the Get TX Window function changes from +non-zero to zero. This always occurs during processing of an On TX event. (This +event is intended to assist in deciding when to generate `DATA_BLOCKED` +frames.) + +We must not exceed the flow control limits, else the peer may terminate the +connection with an error. + +An initial connection-level credit is communicated by the peer in the +`initial_max_data` transport parameter. All other credits occur as a result of a +`MAX_DATA` frame. + +Stream-Level Flow Control - TX Side +----------------------------------- + +Stream-level flow control works exactly the same as connection-level flow +control for the TX side. + +The On TX Window Updated event occurs in response to the `MAX_STREAM_DATA` +frame, or based on the relevant transport parameter +(`initial_max_stream_data_bidi_local`, `initial_max_stream_data_bidi_remote`, +`initial_max_stream_data_uni`). + +The On TX Blocked event can be used to decide when to generate +`STREAM_DATA_BLOCKED` frames. + +Note that the number of controlled bytes we can send in a stream is limited by +both connection and stream-level flow control; thus the number of controlled +bytes we can send is the lesser value of the values returned by the Get TX +Window function on the connection-level and stream-level state machines, +respectively. + +Connection-Level Flow Control - RX Side +--------------------------------------- + + ---> event: On RX Controlled Bytes (numBytes) [internal event] + ---> event: On Retire Controlled Bytes (numBytes) + <--- event: Increase Window (numBytes) + <--- event: Flow Control Error + +RX side connection-level flow control provides an indication of when to generate +`MAX_DATA` frames to bump the peer's connection-level transmission credit. It is +somewhat more involved than the TX side. + +The state machine receives On RX Controlled Bytes events from stream-level flow +controllers. Callers do not pass the event themselves. The event is generated by +a stream-level flow controller whenever we receive any controlled bytes. +`numBytes` is the number of controlled bytes we received. (This event is +generated by stream-level flow control as retransmitted stream data must be +counted only once, and the stream-level flow control is therefore in the best +position to determine how many controlled bytes (i.e., new, non-retransmitted +stream payload bytes) have been received). + +If we receive more controlled bytes than we authorized, the state machine emits +the Flow Control Error event. The connection should be terminated with a +protocol error in this case. + +The state machine emits the Increase Window event when it thinks that the peer +should be advanced more flow control credit (i.e., when the CWM should be +bumped). `numBytes` is the new CWM value, and is monotonic with regard to all +previous Increase Window events emitted by the state machine. + +The state machine is passed the On Retire Controlled bytes event when one or +more controlled bytes are dequeued from any stream and passed to the +application. + +The state machine uses the cadence of the On Retire Controlled Bytes events it +receives to determine when to increase the flow control window. Thus, the On +Retire Controlled Bytes event should be sent to the state machine when +processing of the received controlled bytes has been *completed* (i.e., passed +to the application). + +Stream-Level Flow Control - RX Side +----------------------------------- + +RX-side stream-level flow control works similarly to RX-side connection-level +flow control. There are a few differences: + +- There is no On RX Controlled Bytes event. + +- The On Retire Controlled Bytes event may optionally pass the same event + to a connection-level flow controller (an implementation decision), as these + events should always occur at the same time. + +- An additional event is added, which replaces the On RX Controlled Bytes event: + + ---> event: On RX Stream Frame (offsetPlusLength, isFin) + + This event should be passed to the state machine when a STREAM frame is + received. The `offsetPlusLength` argument is the sum of the offset field of + the STREAM frame and the length of the frame's payload in bytes. The isFin + argument should specify whether the STREAM frame had the FIN flag set. + + This event is used to generate the internal On RX Controlled Bytes event to + the connection-level flow controller. It is also used by stream-level flow + control to determine if flow control limits are violated by the peer. + + The state machine handles `offsetPlusLength` monotonically and ignores the + event if a previous such event already had an equal or greater value. The + reason this event is used instead of a `On RX (numBytes)` style event is that + this API can be monotonic and thus easier to use (the caller does not need to + remember if they have already counted a specific controlled byte in a STREAM + frame, which may after all duplicate some of the controlled bytes in a + previous STREAM frame). + +RX Window Sizing +---------------- + +For RX flow control we must determine our window size. This is the value we add +to the peer's current SWM to determine the new CWM each time as RWM reaches the +threshold. The window size should be adapted dynamically according to network +conditions. + +Many implementations choose to have a mechanism for increasing the window size +but not decreasing it, a simple approach which we adopt here. + +The common algorithm is a so-called auto-tuning approach in which the rate of +window consumption (i.e., the rate at which RWM approaches CWM after CWM is +bumped) is measured and compared to the measured connection RTT. If the time it +takes to consume one window size exceeds a fixed multiple of the RTT, the window +size is doubled, up to an implementation-chosen maximum window size. + +Auto-tuning occurs in 'epochs'. At the end of each auto-tuning epoch, a decision +is made on whether to double the window size, and a new auto-tuning epoch is +started. + +For more information on auto-tuning, see [Flow control in +QUIC](https://docs.google.com/document/d/1F2YfdDXKpy20WVKJueEf4abn_LVZHhMUMS5gX6Pgjl4/edit#heading=h.hcm2y5x4qmqt) +and [QUIC Flow +Control](https://docs.google.com/document/d/1SExkMmGiz8VYzV3s9E35JQlJ73vhzCekKkDi85F1qCE/edit#). diff --git a/include/internal/quic_error.h b/include/internal/quic_error.h new file mode 100644 index 00000000000..060fabef5d5 --- /dev/null +++ b/include/internal/quic_error.h @@ -0,0 +1,38 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_ERROR_H +# define OSSL_QUIC_ERROR_H + +# include + +/* RFC 9000 Section 20.1 */ +# define QUIC_ERR_NO_ERROR 0x00 +# define QUIC_ERR_INTERNAL_ERROR 0x01 +# define QUIC_ERR_CONNECTION_REFUSED 0x02 +# define QUIC_ERR_FLOW_CONTROL_ERROR 0x03 +# define QUIC_ERR_STREAM_LIMIT_ERROR 0x04 +# define QUIC_ERR_STREAM_STATE_ERROR 0x05 +# define QUIC_ERR_FINAL_SIZE_ERROR 0x06 +# define QUIC_ERR_FRAME_ENCODING_ERROR 0x07 +# define QUIC_ERR_TRANSPORT_PARAMETER_ERROR 0x08 +# define QUIC_ERR_CONNECTION_ID_LIMIT_ERROR 0x09 +# define QUIC_ERR_PROTOCOL_VIOLATION 0x0A +# define QUIC_ERR_INVALID_TOKEN 0x0B +# define QUIC_ERR_APPLICATION_ERROR 0x0C +# define QUIC_ERR_CRYPTO_BUFFER_EXCEEDED 0x0D +# define QUIC_ERR_KEY_UPDATE_ERROR 0x0E +# define QUIC_ERR_AEAD_LIMIT_REACHED 0x0F +# define QUIC_ERR_NO_VIABLE_PATH 0x10 + +/* Inclusive range for handshake-specific errors. */ +# define QUIC_ERR_CRYPTO_ERR_BEGIN 0x0100 +# define QUUC_ERR_CRYPTO_ERR_END 0x01FF + +#endif diff --git a/include/internal/quic_fc.h b/include/internal/quic_fc.h new file mode 100644 index 00000000000..20c18b5e1b9 --- /dev/null +++ b/include/internal/quic_fc.h @@ -0,0 +1,256 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_QUIC_FC_H +# define OSSL_QUIC_FC_H + +# include +# include "internal/time.h" + +/* + * TX Flow Controller (TXFC) + * ========================= + * + * For discussion, see doc/designs/quic-design/quic-fc.md. + */ +typedef struct quic_txfc_st QUIC_TXFC; + +struct quic_txfc_st { + QUIC_TXFC *parent; /* stream-level iff non-NULL */ + uint64_t swm, cwm; + char has_become_blocked; +}; + +/* + * Initialises a TX flow controller. conn_txfc should be non-NULL and point to + * the connection-level flow controller if the TXFC is for stream-level flow + * control, and NULL otherwise. + */ +int ossl_quic_txfc_init(QUIC_TXFC *txfc, QUIC_TXFC *conn_txfc); + +/* + * Gets the parent (i.e., connection-level) TX flow controller. Returns NULL if + * called on a connection-level TX flow controller. + */ +QUIC_TXFC *ossl_quic_txfc_get_parent(QUIC_TXFC *txfc); + +/* + * Bump the credit watermark (CWM) value. This is the 'On TX Window Updated' + * operation. This function is a no-op if it has already been called with an + * equal or higher CWM value. + * + * It returns 1 iff the call resulted in the CWM being bumped and 0 if it was + * not increased because it has already been called with an equal or higher CWM + * value. This is not an error per se but may indicate a local programming error + * or a protocol error in a remote peer. + */ +int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm); + +/* + * Get the number of bytes by which we are in credit. This is the number of + * controlled bytes we are allowed to send. (Thus if this function returns 0, we + * are currently blocked.) + * + * If called on a stream-level TXFC, ossl_quic_txfc_get_credit is called on + * the connection-level TXFC as well, and the lesser of the two values is + * returned. + */ +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc); + +/* + * Like ossl_quic_txfc_get_credit(), but when called on a stream-level TXFC, + * retrieves only the stream-level credit value and does not clamp it based on + * connection-level flow control. + */ +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc); + +/* + * Consume num_bytes of credit. This is the 'On TX' operation. This should be + * called when we transmit any controlled bytes. Calling this with an argument + * of 0 is a no-op. + * + * We must never transmit more controlled bytes than we are in credit for (see + * the return value of ossl_quic_txfc_get_credit()). If you call this function + * with num_bytes greater than our current credit, this function consumes the + * remainder of the credit and returns 0. This indicates a serious programming + * error on the caller's part. Otherwise, the function returns 1. + * + * If called on a stream-level TXFC, ossl_quic_txfc_consume_credit() is called + * on the connection-level TXFC also. If the call to that function on the + * connection-level TXFC returns zero, this function will also return zero. + */ +int ossl_quic_txfc_consume_credit(QUIC_TXFC *txfc, uint64_t num_bytes); + +/* + * Like ossl_quic_txfc_consume_credit(), but when called on a stream-level TXFC, + * consumes only from the stream-level credit and does not inform the + * connection-level TXFC. + */ +int ossl_quic_txfc_consume_credit_local(QUIC_TXFC *txfc, uint64_t num_bytes); + +/* + * This flag is provided for convenience. A caller is not required to use it. It + * is a boolean flag set whenever our credit drops to zero. If clear is 1, the + * flag is cleared. The old value of the flag is returned. Callers may use this + * to determine if they need to send a DATA_BLOCKED or STREAM_DATA_BLOCKED + * frame, which should contain the value returned by ossl_quic_txfc_get_cwm(). + */ +int ossl_quic_txfc_has_become_blocked(QUIC_TXFC *txfc, int clear); + +/* + * Get the current CWM value. This is mainly only needed when generating a + * DATA_BLOCKED or STREAM_DATA_BLOCKED frame, or for diagnostic purposes. + */ +uint64_t ossl_quic_txfc_get_cwm(QUIC_TXFC *txfc); + +/* + * Get the current spent watermark (SWM) value. This is purely for diagnostic + * use and should not be needed in normal circumstances. + */ +uint64_t ossl_quic_txfc_get_swm(QUIC_TXFC *txfc); + +/* + * RX Flow Controller (RXFC) + * ========================= + */ +typedef struct quic_rxfc_st QUIC_RXFC; + +struct quic_rxfc_st { + /* + * swm is the sent/received watermark, which tracks how much we have + * received from the peer. rwm is the retired watermark, which tracks how + * much has been passed to the application. esrwm is the rwm value at which + * the current auto-tuning epoch started. hwm is the highest stream length + * (STREAM frame offset + payload length) we have seen from a STREAM frame + * yet. + */ + uint64_t cwm, swm, rwm, esrwm, hwm, cur_window_size, max_window_size; + OSSL_TIME epoch_start; + OSSL_TIME (*now)(void *arg); + void *now_arg; + QUIC_RXFC *parent; + unsigned char error_code, has_cwm_changed, is_fin; +}; + +/* + * Initialises an RX flow controller. conn_rxfc should be non-NULL and point to + * a connection-level RXFC if the RXFC is for stream-level flow control, and + * NULL otherwise. initial_window_size and max_window_size specify the initial + * and absolute maximum window sizes, respectively. Window size values are + * expressed in bytes and determine how much credit the RXFC extends to the peer + * to transmit more data at a time. + */ +int ossl_quic_rxfc_init(QUIC_RXFC *rxfc, QUIC_RXFC *conn_rxfc, + uint64_t initial_window_size, + uint64_t max_window_size, + OSSL_TIME (*now)(void *arg), + void *now_arg); + +/* + * Gets the parent (i.e., connection-level) RXFC. Returns NULL if called on a + * connection-level RXFC. + */ +QUIC_RXFC *ossl_quic_rxfc_get_parent(QUIC_RXFC *rxfc); + +/* + * Changes the current maximum window size value. + */ +void ossl_quic_rxfc_set_max_window_size(QUIC_RXFC *rxfc, + size_t max_window_size); + +/* + * To be called whenever a STREAM frame is received. + * + * end is the value (offset + len), where offset is the offset field of the + * STREAM frame and len is the length of the STREAM frame's payload in bytes. + * + * is_fin should be 1 if the STREAM frame had the FIN flag set and 0 otherwise. + * + * conn_rxfc should point to a connection-level RXFC, which will have its state + * updated correctly by the stream-level RXFC. + * + * This function may be used on a stream-level RXFC only. + * + * You should check ossl_quic_rxfc_has_error() on both connection-level and + * stream-level RXFCs after calling this function, as an incoming STREAM frame + * may cause flow control limits to be exceeded by an errant peer. This + * function still returns 1 in this case, as this is not a caller error. + * + * Returns 1 on success or 0 on failure. + */ +int ossl_quic_rxfc_on_rx_stream_frame(QUIC_RXFC *rxfc, + uint64_t end, int is_fin); + +/* + * To be called whenever controlled bytes are retired, i.e. when bytes are + * dequeued from a QUIC stream and passed to the application. num_bytes + * is the number of bytes which were passed to the application. + * + * You should call this only on a stream-level RXFC. This function will update + * the connection-level RXFC automatically. + * + * rtt should be the current best understanding of the RTT to the peer, as + * offered by the Statistics Manager. + * + * You should check ossl_quic_rxfc_has_cwm_changed() after calling this + * function, as it may have caused the RXFC to decide to grant more flow control + * credit to the peer. + * + * Returns 1 on success and 0 on failure. + */ +int ossl_quic_rxfc_on_retire(QUIC_RXFC *rxfc, + uint64_t num_bytes, + OSSL_TIME rtt); + +/* + * Returns the current CWM which the RXFC thinks the peer should have. + * + * Note that the RXFC will increase this value in response to events, at which + * time a MAX_DATA or MAX_STREAM_DATA frame must be generated. Use + * ossl_quic_rxfc_has_cwm_changed() to detect this condition. + * + * This value increases monotonically. + */ +uint64_t ossl_quic_rxfc_get_cwm(QUIC_RXFC *rxfc); + +/* + * Returns the current SWM. This is the total number of bytes the peer has + * transmitted to us. This is intended for diagnostic use only; you should + * not need it. + */ +uint64_t ossl_quic_rxfc_get_swm(QUIC_RXFC *rxfc); + +/* + * Returns the current RWM. This is the total number of bytes that has been + * retired. This is intended for diagnostic use only; you should not need it. + */ +uint64_t ossl_quic_rxfc_get_rwm(QUIC_RXFC *rxfc); + +/* + * Returns the CWM changed flag. If clear is 1, the flag is cleared and the old + * value is returned. + */ +int ossl_quic_rxfc_has_cwm_changed(QUIC_RXFC *rxfc, int clear); + +/* + * Returns a QUIC_ERR_* error code if a flow control error has been detected. + * Otherwise, returns QUIC_ERR_NO_ERROR. If clear is 1, the error is cleared + * and the old value is returned. + * + * May return one of the following values: + * + * QUIC_ERR_FLOW_CONTROL_ERROR: + * This indicates a flow control protocol violation by the remote peer; the + * connection should be terminated in this event. + * QUIC_ERR_FINAL_SIZE: + * The peer attempted to change the stream length after ending the stream. + */ +int ossl_quic_rxfc_get_error(QUIC_RXFC *rxfc, int clear); + +#endif diff --git a/ssl/quic/build.info b/ssl/quic/build.info index 973f44855cb..56c445e19ca 100644 --- a/ssl/quic/build.info +++ b/ssl/quic/build.info @@ -1,3 +1,3 @@ $LIBSSL=../../libssl -SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record_rx.c quic_record_rx_wrap.c quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c quic_rx_depack.c +SOURCE[$LIBSSL]=quic_method.c quic_impl.c quic_wire.c quic_ackm.c quic_statm.c cc_dummy.c quic_demux.c quic_record_rx.c quic_record_rx_wrap.c quic_record_tx.c quic_record_util.c quic_record_shared.c quic_wire_pkt.c quic_rx_depack.c quic_fc.c diff --git a/ssl/quic/quic_fc.c b/ssl/quic/quic_fc.c new file mode 100644 index 00000000000..84a3753a810 --- /dev/null +++ b/ssl/quic/quic_fc.c @@ -0,0 +1,372 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/quic_fc.h" +#include "internal/quic_error.h" +#include "internal/common.h" +#include "internal/safe_math.h" +#include + +OSSL_SAFE_MATH_UNSIGNED(uint64_t, uint64_t) + +/* + * TX Flow Controller (TXFC) + * ========================= + */ + +int ossl_quic_txfc_init(QUIC_TXFC *txfc, QUIC_TXFC *conn_txfc) +{ + if (conn_txfc != NULL && conn_txfc->parent != NULL) + return 0; + + txfc->swm = 0; + txfc->cwm = 0; + txfc->parent = conn_txfc; + txfc->has_become_blocked = 0; + return 1; +} + +QUIC_TXFC *ossl_quic_txfc_get_parent(QUIC_TXFC *txfc) +{ + return txfc->parent; +} + +int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm) +{ + if (cwm <= txfc->cwm) + return 0; + + txfc->cwm = cwm; + return 1; +} + +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc) +{ + assert(txfc->swm <= txfc->cwm); + return txfc->cwm - txfc->swm; +} + +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc) +{ + uint64_t r, conn_r; + + r = ossl_quic_txfc_get_credit_local(txfc); + + if (txfc->parent != NULL) { + assert(txfc->parent->parent == NULL); + conn_r = ossl_quic_txfc_get_credit_local(txfc->parent); + if (conn_r < r) + r = conn_r; + } + + return r; +} + +int ossl_quic_txfc_consume_credit_local(QUIC_TXFC *txfc, uint64_t num_bytes) +{ + int ok = 1; + uint64_t credit = ossl_quic_txfc_get_credit_local(txfc); + + if (num_bytes > credit) { + ok = 0; + num_bytes = credit; + } + + if (num_bytes > 0 && num_bytes == credit) + txfc->has_become_blocked = 1; + + txfc->swm += num_bytes; + return ok; +} + +int ossl_quic_txfc_consume_credit(QUIC_TXFC *txfc, uint64_t num_bytes) +{ + int ok = ossl_quic_txfc_consume_credit_local(txfc, num_bytes); + + if (txfc->parent != NULL) { + assert(txfc->parent->parent == NULL); + if (!ossl_quic_txfc_consume_credit_local(txfc->parent, num_bytes)) + return 0; + } + + return ok; +} + +int ossl_quic_txfc_has_become_blocked(QUIC_TXFC *txfc, int clear) +{ + int r = txfc->has_become_blocked; + + if (clear) + txfc->has_become_blocked = 0; + + return r; +} + +uint64_t ossl_quic_txfc_get_cwm(QUIC_TXFC *txfc) +{ + return txfc->cwm; +} + +uint64_t ossl_quic_txfc_get_swm(QUIC_TXFC *txfc) +{ + return txfc->swm; +} + +/* + * RX Flow Controller (RXFC) + * ========================= + */ + +int ossl_quic_rxfc_init(QUIC_RXFC *rxfc, QUIC_RXFC *conn_rxfc, + uint64_t initial_window_size, + uint64_t max_window_size, + OSSL_TIME (*now)(void *now_arg), + void *now_arg) +{ + if (conn_rxfc != NULL && conn_rxfc->parent != NULL) + return 0; + + rxfc->swm = 0; + rxfc->cwm = initial_window_size; + rxfc->rwm = 0; + rxfc->esrwm = 0; + rxfc->hwm = 0; + rxfc->cur_window_size = initial_window_size; + rxfc->max_window_size = max_window_size; + rxfc->parent = conn_rxfc; + rxfc->error_code = 0; + rxfc->has_cwm_changed = 0; + rxfc->epoch_start = ossl_time_zero(); + rxfc->now = now; + rxfc->now_arg = now_arg; + rxfc->is_fin = 0; + return 1; +} + +QUIC_RXFC *ossl_quic_rxfc_get_parent(QUIC_RXFC *rxfc) +{ + return rxfc->parent; +} + +void ossl_quic_rxfc_set_max_window_size(QUIC_RXFC *rxfc, + size_t max_window_size) +{ + rxfc->max_window_size = max_window_size; +} + +static void rxfc_start_epoch(QUIC_RXFC *rxfc) +{ + rxfc->epoch_start = rxfc->now(rxfc->now_arg); + rxfc->esrwm = rxfc->rwm; +} + +static int on_rx_controlled_bytes(QUIC_RXFC *rxfc, uint64_t num_bytes) +{ + int ok = 1; + uint64_t credit = rxfc->cwm - rxfc->swm; + + if (num_bytes > credit) { + ok = 0; + num_bytes = credit; + rxfc->error_code = QUIC_ERR_FLOW_CONTROL_ERROR; + } + + rxfc->swm += num_bytes; + return ok; +} + +int ossl_quic_rxfc_on_rx_stream_frame(QUIC_RXFC *rxfc, uint64_t end, int is_fin) +{ + uint64_t delta; + + if (rxfc->parent == NULL) + return 0; + + if (rxfc->is_fin && ((is_fin && rxfc->hwm != end) || end > rxfc->hwm)) { + /* Stream size cannot change after the stream is finished */ + rxfc->error_code = QUIC_ERR_FINAL_SIZE_ERROR; + return 1; /* not a caller error */ + } + + if (is_fin) + rxfc->is_fin = 1; + + if (end > rxfc->hwm) { + delta = end - rxfc->hwm; + rxfc->hwm = end; + + on_rx_controlled_bytes(rxfc, delta); /* result ignored */ + on_rx_controlled_bytes(rxfc->parent, delta); /* result ignored */ + } else if (end < rxfc->hwm && is_fin) { + rxfc->error_code = QUIC_ERR_FINAL_SIZE_ERROR; + return 1; /* not a caller error */ + } + + return 1; +} + +/* threshold = 3/4 */ +#define WINDOW_THRESHOLD_NUM 3 +#define WINDOW_THRESHOLD_DEN 4 + +static int rxfc_cwm_bump_desired(QUIC_RXFC *rxfc) +{ + int err = 0; + uint64_t window_rem = rxfc->cwm - rxfc->rwm; + uint64_t threshold + = safe_mul_uint64_t(rxfc->cur_window_size, + WINDOW_THRESHOLD_NUM, &err) / WINDOW_THRESHOLD_DEN; + + if (err) + /* + * Extremely large window should never occur, but if it does, just use + * 1/2 as the threshold. + */ + threshold = rxfc->cur_window_size / 2; + + return window_rem <= threshold; +} + +static int rxfc_should_bump_window_size(QUIC_RXFC *rxfc, OSSL_TIME rtt) +{ + /* + * dt: time since start of epoch + * b: bytes of window consumed since start of epoch + * dw: proportion of window consumed since start of epoch + * T_window: time it will take to use up the entire window, based on dt, dw + * RTT: The current estimated RTT. + * + * b = rwm - esrwm + * dw = b / window_size + * T_window = dt / dw + * T_window = dt / (b / window_size) + * T_window = (dt * window_size) / b + * + * We bump the window size if T_window < 4 * RTT. + * + * We leave the division by b on the LHS to reduce the risk of overflowing + * our 64-bit nanosecond representation, which will afford plenty of + * precision left over after the division anyway. + */ + uint64_t b = rxfc->rwm - rxfc->esrwm; + OSSL_TIME now, dt, t_window; + + if (b == 0) + return 0; + + now = rxfc->now(rxfc->now_arg); + dt = ossl_time_subtract(now, rxfc->epoch_start); + t_window = ossl_time_muldiv(dt, rxfc->cur_window_size, b); + + return ossl_time_compare(t_window, ossl_time_multiply(rtt, 4)) < 0; +} + +static void rxfc_adjust_window_size(QUIC_RXFC *rxfc, uint64_t min_window_size, + OSSL_TIME rtt) +{ + /* Are we sending updates too often? */ + uint64_t new_window_size; + + new_window_size = rxfc->cur_window_size; + + if (rxfc_should_bump_window_size(rxfc, rtt)) + new_window_size *= 2; + + if (new_window_size < min_window_size) + new_window_size = min_window_size; + if (new_window_size > rxfc->max_window_size) /* takes precedence over min size */ + new_window_size = rxfc->max_window_size; + + rxfc->cur_window_size = new_window_size; + rxfc_start_epoch(rxfc); +} + +static void rxfc_update_cwm(QUIC_RXFC *rxfc, uint64_t min_window_size, + OSSL_TIME rtt) +{ + uint64_t new_cwm; + + if (!rxfc_cwm_bump_desired(rxfc)) + return; + + rxfc_adjust_window_size(rxfc, min_window_size, rtt); + + new_cwm = rxfc->rwm + rxfc->cur_window_size; + if (new_cwm > rxfc->cwm) { + rxfc->cwm = new_cwm; + rxfc->has_cwm_changed = 1; + } +} + +static int rxfc_on_retire(QUIC_RXFC *rxfc, uint64_t num_bytes, + uint64_t min_window_size, + OSSL_TIME rtt) +{ + if (ossl_time_is_zero(rxfc->epoch_start)) + /* This happens when we retire our first ever bytes. */ + rxfc_start_epoch(rxfc); + + rxfc->rwm += num_bytes; + rxfc_update_cwm(rxfc, min_window_size, rtt); + return 1; +} + +int ossl_quic_rxfc_on_retire(QUIC_RXFC *rxfc, + uint64_t num_bytes, + OSSL_TIME rtt) +{ + if (rxfc->parent == NULL) + return 0; + + if (num_bytes == 0) + return 1; + + if (rxfc->rwm + num_bytes > rxfc->swm) + /* Impossible for us to retire more bytes than we have received. */ + return 0; + + rxfc_on_retire(rxfc, num_bytes, 0, rtt); + rxfc_on_retire(rxfc->parent, num_bytes, rxfc->cur_window_size, rtt); + return 1; +} + +uint64_t ossl_quic_rxfc_get_cwm(QUIC_RXFC *rxfc) +{ + return rxfc->cwm; +} + +uint64_t ossl_quic_rxfc_get_swm(QUIC_RXFC *rxfc) +{ + return rxfc->swm; +} + +uint64_t ossl_quic_rxfc_get_rwm(QUIC_RXFC *rxfc) +{ + return rxfc->rwm; +} + +int ossl_quic_rxfc_has_cwm_changed(QUIC_RXFC *rxfc, int clear) +{ + int r = rxfc->has_cwm_changed; + + if (clear) + rxfc->has_cwm_changed = 0; + + return r; +} + +int ossl_quic_rxfc_get_error(QUIC_RXFC *rxfc, int clear) +{ + int r = rxfc->error_code; + + if (clear) + rxfc->error_code = 0; + + return r; +} diff --git a/test/build.info b/test/build.info index ea4e77aec30..6ad0772f5f1 100644 --- a/test/build.info +++ b/test/build.info @@ -287,6 +287,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[quic_record_test]=../include ../apps/include DEPEND[quic_record_test]=../libcrypto.a ../libssl.a libtestutil.a + SOURCE[quic_fc_test]=quic_fc_test.c + INCLUDE[quic_fc_test]=../include ../apps/include + DEPEND[quic_fc_test]=../libcrypto.a ../libssl.a libtestutil.a + SOURCE[asynctest]=asynctest.c INCLUDE[asynctest]=../include ../apps/include DEPEND[asynctest]=../libcrypto @@ -991,7 +995,7 @@ ENDIF ENDIF IF[{- !$disabled{'quic'} -}] - PROGRAMS{noinst}=quicapitest quic_wire_test quic_ackm_test quic_record_test + PROGRAMS{noinst}=quicapitest quic_wire_test quic_ackm_test quic_record_test quic_fc_test ENDIF SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c diff --git a/test/quic_fc_test.c b/test/quic_fc_test.c new file mode 100644 index 00000000000..14179b6d4c4 --- /dev/null +++ b/test/quic_fc_test.c @@ -0,0 +1,632 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/quic_fc.h" +#include "internal/quic_error.h" +#include "testutil.h" + +static int test_txfc(int is_stream) +{ + int testresult = 0; + QUIC_TXFC conn_txfc, stream_txfc, *txfc, *parent_txfc; + + if (!TEST_true(ossl_quic_txfc_init(&conn_txfc, 0))) + goto err; + + if (is_stream && !TEST_true(ossl_quic_txfc_init(&stream_txfc, &conn_txfc))) + goto err; + + txfc = is_stream ? &stream_txfc : &conn_txfc; + parent_txfc = is_stream ? &conn_txfc : NULL; + + if (!TEST_true(ossl_quic_txfc_bump_cwm(txfc, 2000))) + goto err; + + if (is_stream && !TEST_true(ossl_quic_txfc_bump_cwm(parent_txfc, 2000))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 0)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_cwm(txfc), 2000)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 2000)) + goto err; + + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + 2000)) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 500))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1500)) + goto err; + + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + 1500)) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 500)) + goto err; + + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 100))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 600)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1400)) + goto err; + + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + 1400)) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1400))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 0)) + goto err; + + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + 0)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 2000)) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(txfc, 1))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_false(ossl_quic_txfc_consume_credit(txfc, 1))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_cwm(txfc), 2000)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 2000)) + goto err; + + if (!TEST_false(ossl_quic_txfc_bump_cwm(txfc, 2000))) + goto err; + + if (!TEST_true(ossl_quic_txfc_bump_cwm(txfc, 2500))) + goto err; + + if (is_stream && !TEST_true(ossl_quic_txfc_bump_cwm(parent_txfc, 2400))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_cwm(txfc), 2500)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 2000)) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 500)) + goto err; + + if (is_stream) + ossl_quic_txfc_has_become_blocked(parent_txfc, 1); + + if (is_stream) { + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 399))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), 1)) + goto err; + + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(parent_txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(parent_txfc, 1))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(parent_txfc, 0))) + goto err; + } else { + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 499))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (is_stream && !TEST_false(ossl_quic_txfc_has_become_blocked(parent_txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + + if (!TEST_true(ossl_quic_txfc_has_become_blocked(txfc, 1))) + goto err; + + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) + goto err; + } + + testresult = 1; +err: + return testresult; +} + +static OSSL_TIME cur_time; + +static OSSL_TIME fake_now(void *arg) +{ + return cur_time; +} + +#define RX_OPC_END 0 +#define RX_OPC_INIT_CONN 1 /* arg0=initial window, arg1=max window */ +#define RX_OPC_INIT_STREAM 2 /* arg0=initial window, arg1=max window */ +#define RX_OPC_RX 3 /* arg0=end, arg1=is_fin */ +#define RX_OPC_RETIRE 4 /* arg0=num_bytes, arg1=rtt in OSSL_TIME ticks, expect_fail */ +#define RX_OPC_CHECK_CWM_CONN 5 /* arg0=expected */ +#define RX_OPC_CHECK_CWM_STREAM 6 /* arg0=expected */ +#define RX_OPC_CHECK_SWM_CONN 7 /* arg0=expected */ +#define RX_OPC_CHECK_SWM_STREAM 8 /* arg0=expected */ +#define RX_OPC_CHECK_RWM_CONN 9 /* arg0=expected */ +#define RX_OPC_CHECK_RWM_STREAM 10 /* arg0=expected */ +#define RX_OPC_CHECK_CHANGED_CONN 11 /* arg0=expected, arg1=clear */ +#define RX_OPC_CHECK_CHANGED_STREAM 12 /* arg0=expected, arg1=clear */ +#define RX_OPC_CHECK_ERROR_CONN 13 /* arg0=expected, arg1=clear */ +#define RX_OPC_CHECK_ERROR_STREAM 14 /* arg0=expected, arg1=clear */ +#define RX_OPC_STEP_TIME 15 /* arg0=OSSL_TIME ticks to advance */ +#define RX_OPC_MSG 16 + +struct rx_test_op { + unsigned char op; + size_t stream_idx; + uint64_t arg0, arg1; + unsigned char expect_fail; + const char *msg; +}; + +#define RX_OP_END \ + { RX_OPC_END } +#define RX_OP_INIT_CONN(init_window_size, max_window_size) \ + { RX_OPC_INIT_CONN, 0, (init_window_size), (max_window_size) }, +#define RX_OP_INIT_STREAM(stream_idx, init_window_size, max_window_size) \ + { RX_OPC_INIT_STREAM, (stream_idx), (init_window_size), (max_window_size) }, +#define RX_OP_RX(stream_idx, end, is_fin) \ + { RX_OPC_RX, (stream_idx), (end), (is_fin) }, +#define RX_OP_RETIRE(stream_idx, num_bytes, rtt, expect_fail) \ + { RX_OPC_RETIRE, (stream_idx), (num_bytes), (rtt), (expect_fail) }, +#define RX_OP_CHECK_CWM_CONN(expected) \ + { RX_OPC_CHECK_CWM_CONN, 0, (expected) }, +#define RX_OP_CHECK_CWM_STREAM(stream_id, expected) \ + { RX_OPC_CHECK_CWM_STREAM, (stream_id), (expected) }, +#define RX_OP_CHECK_SWM_CONN(expected) \ + { RX_OPC_CHECK_SWM_CONN, 0, (expected) }, +#define RX_OP_CHECK_SWM_STREAM(stream_id, expected) \ + { RX_OPC_CHECK_SWM_STREAM, (stream_id), (expected) }, +#define RX_OP_CHECK_RWM_CONN(expected) \ + { RX_OPC_CHECK_RWM_CONN, 0, (expected) }, +#define RX_OP_CHECK_RWM_STREAM(stream_id, expected) \ + { RX_OPC_CHECK_RWM_STREAM, (stream_id), (expected) }, +#define RX_OP_CHECK_CHANGED_CONN(expected, clear) \ + { RX_OPC_CHECK_CHANGED_CONN, 0, (expected), (clear) }, +#define RX_OP_CHECK_CHANGED_STREAM(stream_id, expected, clear) \ + { RX_OPC_CHECK_CHANGED_STREAM, (stream_id), (expected), (clear) }, +#define RX_OP_CHECK_ERROR_CONN(expected, clear) \ + { RX_OPC_CHECK_ERROR_CONN, 0, (expected), (clear) }, +#define RX_OP_CHECK_ERROR_STREAM(stream_id, expected, clear) \ + { RX_OPC_CHECK_ERROR_STREAM, (stream_id), (expected), (clear) }, +#define RX_OP_STEP_TIME(t) \ + { RX_OPC_STEP_TIME, 0, (t) }, +#define RX_OP_MSG(msg) \ + { RX_OPC_MSG, 0, 0, 0, 0, (msg) }, + +#define RX_OP_INIT(init_window_size, max_window_size) \ + RX_OP_INIT_CONN(init_window_size, max_window_size) \ + RX_OP_INIT_STREAM(0, init_window_size, max_window_size) +#define RX_OP_CHECK_CWM(expected) \ + RX_OP_CHECK_CWM_CONN(expected) \ + RX_OP_CHECK_CWM_STREAM(0, expected) +#define RX_OP_CHECK_SWM(expected) \ + RX_OP_CHECK_SWM_CONN(expected) \ + RX_OP_CHECK_SWM_STREAM(0, expected) +#define RX_OP_CHECK_RWM(expected) \ + RX_OP_CHECK_RWM_CONN(expected) \ + RX_OP_CHECK_RWM_STREAM(0, expected) +#define RX_OP_CHECK_CHANGED(expected, clear) \ + RX_OP_CHECK_CHANGED_CONN(expected, clear) \ + RX_OP_CHECK_CHANGED_STREAM(0, expected, clear) +#define RX_OP_CHECK_ERROR(expected, clear) \ + RX_OP_CHECK_ERROR_CONN(expected, clear) \ + RX_OP_CHECK_ERROR_STREAM(0, expected, clear) + +#define INIT_WINDOW_SIZE (1 * 1024 * 1024) +#define INIT_S_WINDOW_SIZE (384 * 1024) + +/* 1. Basic RXFC Tests (stream window == connection window) */ +static const struct rx_test_op rx_script_1[] = { + RX_OP_STEP_TIME(1000 * OSSL_TIME_MS) + RX_OP_INIT(INIT_WINDOW_SIZE, 10 * INIT_WINDOW_SIZE) + /* Check initial state. */ + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE) + RX_OP_CHECK_ERROR(0, 0) + RX_OP_CHECK_CHANGED(0, 0) + /* We cannot retire what we have not received. */ + RX_OP_RETIRE(0, 1, 0, 1) + /* Zero bytes is a no-op and always valid. */ + RX_OP_RETIRE(0, 0, 0, 0) + /* Consume some window. */ + RX_OP_RX(0, 50, 0) + /* CWM has not changed. */ + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE) + RX_OP_CHECK_SWM(50) + + /* RX, Partial retire */ + RX_OP_RX(0, 60, 0) + RX_OP_CHECK_SWM(60) + RX_OP_RETIRE(0, 20, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_RWM(20) + RX_OP_CHECK_SWM(60) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE) + RX_OP_CHECK_CHANGED(0, 0) + RX_OP_CHECK_ERROR(0, 0) + + /* Fully retired */ + RX_OP_RETIRE(0, 41, 0, 1) + RX_OP_RETIRE(0, 40, 0, 0) + RX_OP_CHECK_SWM(60) + RX_OP_CHECK_RWM(60) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE) + RX_OP_CHECK_CHANGED(0, 0) + RX_OP_CHECK_ERROR(0, 0) + + /* Exhaustion of window - we do not enlarge the window this epoch */ + RX_OP_STEP_TIME(201 * OSSL_TIME_MS) + RX_OP_RX(0, INIT_WINDOW_SIZE, 0) + RX_OP_RETIRE(0, INIT_WINDOW_SIZE - 60, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_SWM(INIT_WINDOW_SIZE) + RX_OP_CHECK_CHANGED(1, 0) + RX_OP_CHECK_CHANGED(1, 1) + RX_OP_CHECK_CHANGED(0, 0) + RX_OP_CHECK_ERROR(0, 0) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE * 2) + + /* Second epoch - we still do not enlarge the window this epoch */ + RX_OP_RX(0, INIT_WINDOW_SIZE + 1, 0) + RX_OP_STEP_TIME(201 * OSSL_TIME_MS) + RX_OP_RX(0, INIT_WINDOW_SIZE * 2, 0) + RX_OP_RETIRE(0, INIT_WINDOW_SIZE, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_SWM(INIT_WINDOW_SIZE * 2) + RX_OP_CHECK_CHANGED(1, 0) + RX_OP_CHECK_CHANGED(1, 1) + RX_OP_CHECK_CHANGED(0, 0) + RX_OP_CHECK_ERROR(0, 0) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE * 3) + + /* Third epoch - we enlarge the window */ + RX_OP_RX(0, INIT_WINDOW_SIZE * 2 + 1, 0) + RX_OP_STEP_TIME(199 * OSSL_TIME_MS) + RX_OP_RX(0, INIT_WINDOW_SIZE * 3, 0) + RX_OP_RETIRE(0, INIT_WINDOW_SIZE, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_SWM(INIT_WINDOW_SIZE * 3) + RX_OP_CHECK_CHANGED(1, 0) + RX_OP_CHECK_CHANGED(1, 1) + RX_OP_CHECK_CHANGED(0, 0) + RX_OP_CHECK_ERROR(0, 0) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE * 5) + + /* Fourth epoch - peer violates flow control */ + RX_OP_RX(0, INIT_WINDOW_SIZE * 5 - 5, 0) + RX_OP_STEP_TIME(250 * OSSL_TIME_MS) + RX_OP_RX(0, INIT_WINDOW_SIZE * 5 + 1, 0) + RX_OP_CHECK_SWM(INIT_WINDOW_SIZE * 5) + RX_OP_CHECK_ERROR(QUIC_ERR_FLOW_CONTROL_ERROR, 0) + RX_OP_CHECK_ERROR(QUIC_ERR_FLOW_CONTROL_ERROR, 1) + RX_OP_CHECK_ERROR(0, 0) + RX_OP_CHECK_CWM(INIT_WINDOW_SIZE * 5) + /* + * No window expansion due to flow control violation; window expansion is + * triggered by retirement only. + */ + RX_OP_CHECK_CHANGED(0, 0) + + RX_OP_END +}; + +/* 2. Interaction between connection and stream-level flow control */ +static const struct rx_test_op rx_script_2[] = { + RX_OP_STEP_TIME(1000 * OSSL_TIME_MS) + RX_OP_INIT_CONN(INIT_WINDOW_SIZE, 10 * INIT_WINDOW_SIZE) + RX_OP_INIT_STREAM(0, INIT_S_WINDOW_SIZE, 30 * INIT_S_WINDOW_SIZE) + RX_OP_INIT_STREAM(1, INIT_S_WINDOW_SIZE, 30 * INIT_S_WINDOW_SIZE) + + RX_OP_RX(0, 10, 0) + RX_OP_CHECK_CWM_CONN(INIT_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(1, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_SWM_CONN(10) + RX_OP_CHECK_SWM_STREAM(0, 10) + RX_OP_CHECK_SWM_STREAM(1, 0) + RX_OP_CHECK_RWM_CONN(0) + RX_OP_CHECK_RWM_STREAM(0, 0) + RX_OP_CHECK_RWM_STREAM(1, 0) + + RX_OP_RX(1, 42, 0) + RX_OP_RX(1, 42, 0) /* monotonic; equal or lower values ignored */ + RX_OP_RX(1, 35, 0) + RX_OP_CHECK_CWM_CONN(INIT_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(1, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_SWM_CONN(52) + RX_OP_CHECK_SWM_STREAM(0, 10) + RX_OP_CHECK_SWM_STREAM(1, 42) + RX_OP_CHECK_RWM_CONN(0) + RX_OP_CHECK_RWM_STREAM(0, 0) + RX_OP_CHECK_RWM_STREAM(1, 0) + + RX_OP_RETIRE(0, 10, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_RWM_CONN(10) + RX_OP_CHECK_RWM_STREAM(0, 10) + RX_OP_CHECK_CWM_CONN(INIT_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(1, INIT_S_WINDOW_SIZE) + + RX_OP_RETIRE(1, 42, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_RWM_CONN(52) + RX_OP_CHECK_RWM_STREAM(1, 42) + RX_OP_CHECK_CWM_CONN(INIT_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(1, INIT_S_WINDOW_SIZE) + + RX_OP_CHECK_CHANGED_CONN(0, 0) + + /* FC limited by stream but not connection */ + RX_OP_STEP_TIME(1000 * OSSL_TIME_MS) + RX_OP_RX(0, INIT_S_WINDOW_SIZE, 0) + RX_OP_CHECK_SWM_CONN(INIT_S_WINDOW_SIZE + 42) + RX_OP_CHECK_SWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_SWM_STREAM(1, 42) + RX_OP_CHECK_CWM_CONN(INIT_WINDOW_SIZE) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE) + + /* We bump CWM when more than 1/4 of the window has been retired */ + RX_OP_RETIRE(0, INIT_S_WINDOW_SIZE - 10, 50 * OSSL_TIME_MS, 0) + RX_OP_CHECK_CWM_STREAM(0, INIT_S_WINDOW_SIZE * 2) + RX_OP_CHECK_CHANGED_STREAM(0, 1, 0) + RX_OP_CHECK_CHANGED_STREAM(0, 1, 1) + RX_OP_CHECK_CHANGED_STREAM(0, 0, 0) + + /* + * This is more than 1/4 of the connection window, so CWM will + * be bumped here too. + */ + RX_OP_CHECK_CWM_CONN(INIT_S_WINDOW_SIZE + INIT_WINDOW_SIZE + 42) + RX_OP_CHECK_RWM_CONN(INIT_S_WINDOW_SIZE + 42) + RX_OP_CHECK_RWM_STREAM(0, INIT_S_WINDOW_SIZE) + RX_OP_CHECK_RWM_STREAM(1, 42) + RX_OP_CHECK_CHANGED_CONN(1, 0) + RX_OP_CHECK_CHANGED_CONN(1, 1) + RX_OP_CHECK_CHANGED_CONN(0, 0) + RX_OP_CHECK_ERROR_CONN(0, 0) + RX_OP_CHECK_ERROR_STREAM(0, 0, 0) + RX_OP_CHECK_ERROR_STREAM(1, 0, 0) + + /* Test exceeding limit at stream level. */ + RX_OP_RX(0, INIT_S_WINDOW_SIZE * 2 + 1, 0) + RX_OP_CHECK_ERROR_STREAM(0, QUIC_ERR_FLOW_CONTROL_ERROR, 0) + RX_OP_CHECK_ERROR_STREAM(0, QUIC_ERR_FLOW_CONTROL_ERROR, 1) + RX_OP_CHECK_ERROR_STREAM(0, 0, 0) + RX_OP_CHECK_ERROR_CONN(0, 0) /* doesn't affect conn */ + + /* Test exceeding limit at connection level. */ + RX_OP_RX(0, INIT_WINDOW_SIZE * 2, 0) + RX_OP_CHECK_ERROR_CONN(QUIC_ERR_FLOW_CONTROL_ERROR, 0) + RX_OP_CHECK_ERROR_CONN(QUIC_ERR_FLOW_CONTROL_ERROR, 1) + RX_OP_CHECK_ERROR_CONN(0, 0) + + RX_OP_END +}; + +static const struct rx_test_op *rx_scripts[] = { + rx_script_1, + rx_script_2 +}; + +static int run_rxfc_script(const struct rx_test_op *script) +{ +#define MAX_STREAMS 3 + int testresult = 0; + const struct rx_test_op *op = script; + QUIC_RXFC conn_rxfc, stream_rxfc[MAX_STREAMS]; + char stream_init_done[MAX_STREAMS] = {0}; + int conn_init_done = 0; + + cur_time = ossl_time_zero(); + + for (; op->op != RX_OPC_END; ++op) { + switch (op->op) { + case RX_OPC_INIT_CONN: + if (!TEST_true(ossl_quic_rxfc_init(&conn_rxfc, 0, + op->arg0, op->arg1, + fake_now, NULL))) + goto err; + + conn_init_done = 1; + break; + + case RX_OPC_INIT_STREAM: + if (!TEST_size_t_lt(op->stream_idx, OSSL_NELEM(stream_rxfc))) + goto err; + + if (!TEST_true(ossl_quic_rxfc_init(&stream_rxfc[op->stream_idx], + &conn_rxfc, + op->arg0, op->arg1, + fake_now, NULL))) + goto err; + + stream_init_done[op->stream_idx] = 1; + break; + + case RX_OPC_RX: + if (!TEST_true(conn_init_done && op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + + if (!TEST_true(ossl_quic_rxfc_on_rx_stream_frame(&stream_rxfc[op->stream_idx], + op->arg0, + (int)op->arg1))) + goto err; + + break; + + case RX_OPC_RETIRE: + if (!TEST_true(conn_init_done && op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + + if (!TEST_int_eq(ossl_quic_rxfc_on_retire(&stream_rxfc[op->stream_idx], + op->arg0, + ossl_ticks2time(op->arg1)), + !op->expect_fail)) + goto err; + + break; + case RX_OPC_CHECK_CWM_CONN: + if (!TEST_true(conn_init_done)) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_cwm(&conn_rxfc), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_CWM_STREAM: + if (!TEST_true(op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_cwm(&stream_rxfc[op->stream_idx]), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_SWM_CONN: + if (!TEST_true(conn_init_done)) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_swm(&conn_rxfc), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_SWM_STREAM: + if (!TEST_true(op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_swm(&stream_rxfc[op->stream_idx]), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_RWM_CONN: + if (!TEST_true(conn_init_done)) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_rwm(&conn_rxfc), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_RWM_STREAM: + if (!TEST_true(op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + if (!TEST_uint64_t_eq(ossl_quic_rxfc_get_rwm(&stream_rxfc[op->stream_idx]), + op->arg0)) + goto err; + break; + case RX_OPC_CHECK_CHANGED_CONN: + if (!TEST_true(conn_init_done)) + goto err; + if (!TEST_int_eq(ossl_quic_rxfc_has_cwm_changed(&conn_rxfc, + (int)op->arg1), + (int)op->arg0)) + goto err; + break; + case RX_OPC_CHECK_CHANGED_STREAM: + if (!TEST_true(op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + if (!TEST_int_eq(ossl_quic_rxfc_has_cwm_changed(&stream_rxfc[op->stream_idx], + (int)op->arg1), + (int)op->arg0)) + goto err; + break; + case RX_OPC_CHECK_ERROR_CONN: + if (!TEST_true(conn_init_done)) + goto err; + if (!TEST_int_eq(ossl_quic_rxfc_get_error(&conn_rxfc, + (int)op->arg1), + (int)op->arg0)) + goto err; + break; + case RX_OPC_CHECK_ERROR_STREAM: + if (!TEST_true(op->stream_idx < OSSL_NELEM(stream_rxfc) + && stream_init_done[op->stream_idx])) + goto err; + if (!TEST_int_eq(ossl_quic_rxfc_get_error(&stream_rxfc[op->stream_idx], + (int)op->arg1), + (int)op->arg0)) + goto err; + break; + case RX_OPC_STEP_TIME: + cur_time = ossl_time_add(cur_time, ossl_ticks2time(op->arg0)); + break; + case RX_OPC_MSG: + fprintf(stderr, "# %s\n", op->msg); + break; + default: + goto err; + } + } + + testresult = 1; +err: + return testresult; +} + +static int test_rxfc(int idx) +{ + return run_rxfc_script(rx_scripts[idx]); +} + +int setup_tests(void) +{ + ADD_ALL_TESTS(test_txfc, 2); + ADD_ALL_TESTS(test_rxfc, OSSL_NELEM(rx_scripts)); + return 1; +} diff --git a/test/quic_wire_test.c b/test/quic_wire_test.c index b10b14014fe..07ce4e12faf 100644 --- a/test/quic_wire_test.c +++ b/test/quic_wire_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/70-test_quic_fc.t b/test/recipes/70-test_quic_fc.t new file mode 100644 index 00000000000..ab92674883e --- /dev/null +++ b/test/recipes/70-test_quic_fc.t @@ -0,0 +1,19 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use OpenSSL::Test; +use OpenSSL::Test::Utils; + +setup("test_quic_fc"); + +plan skip_all => "QUIC protocol is not supported by this OpenSSL build" + if disabled('quic'); + +plan tests => 1; + +ok(run(test(["quic_fc_test"])));