| // Copyright 2023 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| //go:build go1.21 |
| |
| package quic |
| |
| import ( |
| "crypto/tls" |
| "errors" |
| "time" |
| ) |
| |
| // maybeSend sends datagrams, if possible. |
| // |
| // If sending is blocked by pacing, it returns the next time |
| // a datagram may be sent. |
| // |
| // If sending is blocked indefinitely, it returns the zero Time. |
| func (c *Conn) maybeSend(now time.Time) (next time.Time) { |
| // Assumption: The congestion window is not underutilized. |
| // If congestion control, pacing, and anti-amplification all permit sending, |
| // but we have no packet to send, then we will declare the window underutilized. |
| c.loss.cc.setUnderutilized(false) |
| |
| // Send one datagram on each iteration of this loop, |
| // until we hit a limit or run out of data to send. |
| // |
| // For each number space where we have write keys, |
| // attempt to construct a packet in that space. |
| // If the packet contains no frames (we have no data in need of sending), |
| // abandon the packet. |
| // |
| // Speculatively constructing packets means we don't need |
| // separate code paths for "do we have data to send?" and |
| // "send the data" that need to be kept in sync. |
| for { |
| limit, next := c.loss.sendLimit(now) |
| if limit == ccBlocked { |
| // If anti-amplification blocks sending, then no packet can be sent. |
| return next |
| } |
| if !c.sendOK(now) { |
| return time.Time{} |
| } |
| // We may still send ACKs, even if congestion control or pacing limit sending. |
| |
| // Prepare to write a datagram of at most maxSendSize bytes. |
| c.w.reset(c.loss.maxSendSize()) |
| |
| dstConnID, ok := c.connIDState.dstConnID() |
| if !ok { |
| // It is currently not possible for us to end up without a connection ID, |
| // but handle the case anyway. |
| return time.Time{} |
| } |
| |
| // Initial packet. |
| pad := false |
| var sentInitial *sentPacket |
| if c.keysInitial.canWrite() { |
| pnumMaxAcked := c.acks[initialSpace].largestSeen() |
| pnum := c.loss.nextNumber(initialSpace) |
| p := longPacket{ |
| ptype: packetTypeInitial, |
| version: quicVersion1, |
| num: pnum, |
| dstConnID: dstConnID, |
| srcConnID: c.connIDState.srcConnID(), |
| extra: c.retryToken, |
| } |
| c.w.startProtectedLongHeaderPacket(pnumMaxAcked, p) |
| c.appendFrames(now, initialSpace, pnum, limit) |
| if logPackets { |
| logSentPacket(c, packetTypeInitial, pnum, p.srcConnID, p.dstConnID, c.w.payload()) |
| } |
| sentInitial = c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, c.keysInitial.w, p) |
| if sentInitial != nil { |
| c.idleHandlePacketSent(now, sentInitial) |
| // Client initial packets and ack-eliciting server initial packaets |
| // need to be sent in a datagram padded to at least 1200 bytes. |
| // We can't add the padding yet, however, since we may want to |
| // coalesce additional packets with this one. |
| if c.side == clientSide || sentInitial.ackEliciting { |
| pad = true |
| } |
| } |
| } |
| |
| // Handshake packet. |
| if c.keysHandshake.canWrite() { |
| pnumMaxAcked := c.acks[handshakeSpace].largestSeen() |
| pnum := c.loss.nextNumber(handshakeSpace) |
| p := longPacket{ |
| ptype: packetTypeHandshake, |
| version: quicVersion1, |
| num: pnum, |
| dstConnID: dstConnID, |
| srcConnID: c.connIDState.srcConnID(), |
| } |
| c.w.startProtectedLongHeaderPacket(pnumMaxAcked, p) |
| c.appendFrames(now, handshakeSpace, pnum, limit) |
| if logPackets { |
| logSentPacket(c, packetTypeHandshake, pnum, p.srcConnID, p.dstConnID, c.w.payload()) |
| } |
| if sent := c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, c.keysHandshake.w, p); sent != nil { |
| c.idleHandlePacketSent(now, sent) |
| c.loss.packetSent(now, handshakeSpace, sent) |
| if c.side == clientSide { |
| // "[...] a client MUST discard Initial keys when it first |
| // sends a Handshake packet [...]" |
| // https://www.rfc-editor.org/rfc/rfc9001.html#section-4.9.1-2 |
| c.discardKeys(now, initialSpace) |
| } |
| } |
| } |
| |
| // 1-RTT packet. |
| if c.keysAppData.canWrite() { |
| pnumMaxAcked := c.acks[appDataSpace].largestSeen() |
| pnum := c.loss.nextNumber(appDataSpace) |
| c.w.start1RTTPacket(pnum, pnumMaxAcked, dstConnID) |
| c.appendFrames(now, appDataSpace, pnum, limit) |
| if pad && len(c.w.payload()) > 0 { |
| // 1-RTT packets have no length field and extend to the end |
| // of the datagram, so if we're sending a datagram that needs |
| // padding we need to add it inside the 1-RTT packet. |
| c.w.appendPaddingTo(paddedInitialDatagramSize) |
| pad = false |
| } |
| if logPackets { |
| logSentPacket(c, packetType1RTT, pnum, nil, dstConnID, c.w.payload()) |
| } |
| if sent := c.w.finish1RTTPacket(pnum, pnumMaxAcked, dstConnID, &c.keysAppData); sent != nil { |
| c.idleHandlePacketSent(now, sent) |
| c.loss.packetSent(now, appDataSpace, sent) |
| } |
| } |
| |
| buf := c.w.datagram() |
| if len(buf) == 0 { |
| if limit == ccOK { |
| // We have nothing to send, and congestion control does not |
| // block sending. The congestion window is underutilized. |
| c.loss.cc.setUnderutilized(true) |
| } |
| return next |
| } |
| |
| if sentInitial != nil { |
| if pad { |
| // Pad out the datagram with zeros, coalescing the Initial |
| // packet with invalid packets that will be ignored by the peer. |
| // https://www.rfc-editor.org/rfc/rfc9000.html#section-14.1-1 |
| for len(buf) < paddedInitialDatagramSize { |
| buf = append(buf, 0) |
| // Technically this padding isn't in any packet, but |
| // account it to the Initial packet in this datagram |
| // for purposes of flow control and loss recovery. |
| sentInitial.size++ |
| sentInitial.inFlight = true |
| } |
| } |
| // If we're a client and this Initial packet is coalesced |
| // with a Handshake packet, then we've discarded Initial keys |
| // since constructing the packet and shouldn't record it as in-flight. |
| if c.keysInitial.canWrite() { |
| c.loss.packetSent(now, initialSpace, sentInitial) |
| } |
| } |
| |
| c.endpoint.sendDatagram(buf, c.peerAddr) |
| } |
| } |
| |
| func (c *Conn) appendFrames(now time.Time, space numberSpace, pnum packetNumber, limit ccLimit) { |
| if c.lifetime.localErr != nil { |
| c.appendConnectionCloseFrame(now, space, c.lifetime.localErr) |
| return |
| } |
| |
| shouldSendAck := c.acks[space].shouldSendAck(now) |
| if limit != ccOK { |
| // ACKs are not limited by congestion control. |
| if shouldSendAck && c.appendAckFrame(now, space) { |
| c.acks[space].sentAck() |
| } |
| return |
| } |
| // We want to send an ACK frame if the ack controller wants to send a frame now, |
| // OR if we are sending a packet anyway and have ack-eliciting packets which we |
| // have not yet acked. |
| // |
| // We speculatively add ACK frames here, to put them at the front of the packet |
| // to avoid truncation. |
| // |
| // After adding all frames, if we don't need to send an ACK frame and have not |
| // added any other frames, we abandon the packet. |
| if c.appendAckFrame(now, space) { |
| defer func() { |
| // All frames other than ACK and PADDING are ack-eliciting, |
| // so if the packet is ack-eliciting we've added additional |
| // frames to it. |
| if !shouldSendAck && !c.w.sent.ackEliciting { |
| // There's nothing in this packet but ACK frames, and |
| // we don't want to send an ACK-only packet at this time. |
| // Abandoning the packet means we wrote an ACK frame for |
| // nothing, but constructing the frame is cheap. |
| c.w.abandonPacket() |
| return |
| } |
| // Either we are willing to send an ACK-only packet, |
| // or we've added additional frames. |
| c.acks[space].sentAck() |
| if !c.w.sent.ackEliciting && c.keysAppData.needAckEliciting() { |
| // The peer has initiated a key update. |
| // We haven't sent them any packets yet in the new phase. |
| // Make this an ack-eliciting packet. |
| // Their ack of this packet will complete the key update. |
| c.w.appendPingFrame() |
| } |
| }() |
| } |
| if limit != ccOK { |
| return |
| } |
| pto := c.loss.ptoExpired |
| |
| // TODO: Add all the other frames we can send. |
| |
| // CRYPTO |
| c.crypto[space].dataToSend(pto, func(off, size int64) int64 { |
| b, _ := c.w.appendCryptoFrame(off, int(size)) |
| c.crypto[space].sendData(off, b) |
| return int64(len(b)) |
| }) |
| |
| // Test-only PING frames. |
| if space == c.testSendPingSpace && c.testSendPing.shouldSendPTO(pto) { |
| if !c.w.appendPingFrame() { |
| return |
| } |
| c.testSendPing.setSent(pnum) |
| } |
| |
| if space == appDataSpace { |
| // HANDSHAKE_DONE |
| if c.handshakeConfirmed.shouldSendPTO(pto) { |
| if !c.w.appendHandshakeDoneFrame() { |
| return |
| } |
| c.handshakeConfirmed.setSent(pnum) |
| } |
| |
| // NEW_CONNECTION_ID, RETIRE_CONNECTION_ID |
| if !c.connIDState.appendFrames(c, pnum, pto) { |
| return |
| } |
| |
| // All stream-related frames. This should come last in the packet, |
| // so large amounts of STREAM data don't crowd out other frames |
| // we may need to send. |
| if !c.appendStreamFrames(&c.w, pnum, pto) { |
| return |
| } |
| |
| if !c.appendKeepAlive(now) { |
| return |
| } |
| } |
| |
| // If this is a PTO probe and we haven't added an ack-eliciting frame yet, |
| // add a PING to make this an ack-eliciting probe. |
| // |
| // Technically, there are separate PTO timers for each number space. |
| // When a PTO timer expires, we MUST send an ack-eliciting packet in the |
| // timer's space. We SHOULD send ack-eliciting packets in every other space |
| // with in-flight data. (RFC 9002, section 6.2.4) |
| // |
| // What we actually do is send a single datagram containing an ack-eliciting packet |
| // for every space for which we have keys. |
| // |
| // We fill the PTO probe packets with new or unacknowledged data. For example, |
| // a PTO probe sent for the Initial space will generally retransmit previously |
| // sent but unacknowledged CRYPTO data. |
| // |
| // When sending a PTO probe datagram containing multiple packets, it is |
| // possible that an earlier packet will fill up the datagram, leaving no |
| // space for the remaining probe packet(s). This is not a problem in practice. |
| // |
| // A client discards Initial keys when it first sends a Handshake packet |
| // (RFC 9001 Section 4.9.1). Handshake keys are discarded when the handshake |
| // is confirmed (RFC 9001 Section 4.9.2). The PTO timer is not set for the |
| // Application Data packet number space until the handshake is confirmed |
| // (RFC 9002 Section 6.2.1). Therefore, the only times a PTO probe can fire |
| // while data for multiple spaces is in flight are: |
| // |
| // - a server's Initial or Handshake timers can fire while Initial and Handshake |
| // data is in flight; and |
| // |
| // - a client's Handshake timer can fire while Handshake and Application Data |
| // data is in flight. |
| // |
| // It is theoretically possible for a server's Initial CRYPTO data to overflow |
| // the maximum datagram size, but unlikely in practice; this space contains |
| // only the ServerHello TLS message, which is small. It's also unlikely that |
| // the Handshake PTO probe will fire while Initial data is in flight (this |
| // requires not just that the Initial CRYPTO data completely fill a datagram, |
| // but a quite specific arrangement of lost and retransmitted packets.) |
| // We don't bother worrying about this case here, since the worst case is |
| // that we send a PTO probe for the in-flight Initial data and drop the |
| // Handshake probe. |
| // |
| // If a client's Handshake PTO timer fires while Application Data data is in |
| // flight, it is possible that the resent Handshake CRYPTO data will crowd |
| // out the probe for the Application Data space. However, since this probe is |
| // optional (recall that the Application Data PTO timer is never set until |
| // after Handshake keys have been discarded), dropping it is acceptable. |
| if pto && !c.w.sent.ackEliciting { |
| c.w.appendPingFrame() |
| } |
| } |
| |
| func (c *Conn) appendAckFrame(now time.Time, space numberSpace) bool { |
| seen, delay := c.acks[space].acksToSend(now) |
| if len(seen) == 0 { |
| return false |
| } |
| d := unscaledAckDelayFromDuration(delay, ackDelayExponent) |
| return c.w.appendAckFrame(seen, d) |
| } |
| |
| func (c *Conn) appendConnectionCloseFrame(now time.Time, space numberSpace, err error) { |
| c.sentConnectionClose(now) |
| switch e := err.(type) { |
| case localTransportError: |
| c.w.appendConnectionCloseTransportFrame(e.code, 0, e.reason) |
| case *ApplicationError: |
| if space != appDataSpace { |
| // "CONNECTION_CLOSE frames signaling application errors (type 0x1d) |
| // MUST only appear in the application data packet number space." |
| // https://www.rfc-editor.org/rfc/rfc9000#section-12.5-2.2 |
| c.w.appendConnectionCloseTransportFrame(errApplicationError, 0, "") |
| } else { |
| c.w.appendConnectionCloseApplicationFrame(e.Code, e.Reason) |
| } |
| default: |
| // TLS alerts are sent using error codes [0x0100,0x01ff). |
| // https://www.rfc-editor.org/rfc/rfc9000#section-20.1-2.36.1 |
| var alert tls.AlertError |
| switch { |
| case errors.As(err, &alert): |
| // tls.AlertError is a uint8, so this can't exceed 0x01ff. |
| code := errTLSBase + transportError(alert) |
| c.w.appendConnectionCloseTransportFrame(code, 0, "") |
| default: |
| c.w.appendConnectionCloseTransportFrame(errInternal, 0, "") |
| } |
| } |
| } |