tlshd: receive new session ticket msg after completing quic handshake

The latest update to the QUIC module changed to use NEW_SESSION_TICKET
event or SESSION_TICKET socket option to receive new session ticket msg
after handshake to avoid blocking the app data receiving before getting
the new session ticket msg in the previous recvmsg() way.

So delete the callback tlshd_quic_client_ticket_recv() and introduce
tlshd_quic_recv_session_ticket() called after handshake is completed.
In this function, it will try for conn->recv_ticket (from kernel) secs
in a loop to get the ticket msg via SESSION_TICKET socket option and
pass the session data back to kernel after processing the msg.

Signed-off-by: Xin Long <[email protected]>

Author: lxin

src/tlshd/client.c

@@ -455,33 +455,6 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
 	return tlshd_client_x509_verify_function(session, conn->parms);
 }
 
-static int tlshd_quic_client_ticket_recv(gnutls_session_t session, unsigned int htype,
-					 unsigned int when, unsigned int incoming,
-					 const gnutls_datum_t *msg)
-{
-	struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
-	int ret, sockfd = conn->parms->sockfd;
-	gnutls_datum_t ticket;
-
-	if (htype != GNUTLS_HANDSHAKE_NEW_SESSION_TICKET)
-		return 0;
-
-	conn->completed = 1;
-	ret = gnutls_session_get_data2(session, &ticket);
-	if (ret) {
-		tlshd_log_gnutls_error(ret);
-		return ret;
-	}
-
-	ret = setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, ticket.data, ticket.size);
-	if (ret) {
-		tlshd_log_error("socket setsockopt session ticket error %d %u", errno, ticket.size);
-		return -1;
-	}
-	tlshd_log_debug("  Ticket recv: %u %u %u", when, incoming, msg->size);
-	return 0;
-}
-
 #define TLSHD_QUIC_NO_CERT_AUTH	3
 
 static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
@@ -525,8 +498,6 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
 				    GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA);
 	if (ret)
 		goto err_cred;
-	gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY,
-					   GNUTLS_HOOK_POST, tlshd_quic_client_ticket_recv);
 	gnutls_session_set_ptr(session, conn);
 	if (conn->ticket_len) {
 		ret = gnutls_session_set_data(session, conn->ticket, conn->ticket_len);
@@ -585,8 +556,6 @@ static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
 	ret = gnutls_init(&session, GNUTLS_CLIENT);
 	if (ret)
 		goto err_cred;
-	gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY,
-					   GNUTLS_HOOK_POST, tlshd_quic_client_ticket_recv);
 	gnutls_session_set_ptr(session, conn);
 	ret = gnutls_credentials_set(session, GNUTLS_CRD_PSK, cred);
 	if (ret)

src/tlshd/quic.c

@@ -23,6 +23,7 @@
 #include <linux/tls.h>
 #include <keyutils.h>
 #include <stdbool.h>
+#include <unistd.h>
 #include <glib.h>
 
 #include "config.h"
@@ -139,8 +140,7 @@ static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_l
 					return ret;
 				}
 			}
-			if (!conn->recv_ticket)
-				conn->completed = 1;
+			conn->completed = 1;
 		}
 	}
 	tlshd_log_debug("  Secret func: %u %u %u", secret.level, !!tx_secret, !!rx_secret);
@@ -502,6 +502,54 @@ static int tlshd_quic_session_configure(struct tlshd_quic_conn *conn)
 		GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE);
 }
 
+static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn)
+{
+	gnutls_session_t session = conn->session;
+	int i, ret, sockfd = conn->parms->sockfd;
+	unsigned int len;
+	size_t size;
+
+	if (conn->is_serv || !conn->recv_ticket)
+		return;
+
+	for (i = 0; i < 10 * conn->recv_ticket; i++) { /* wait and try for conn->recv_ticket secs */
+		len = sizeof(conn->ticket);
+		ret = getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, conn->ticket, &len);
+		if (ret) {
+			tlshd_log_error("socket getsockopt session ticket error %d", errno);
+			conn->errcode = errno;
+			return;
+		}
+		if (len)
+			break;
+		usleep(100000);
+	}
+	if (i == 10 * conn->recv_ticket)
+		return;
+
+	/* process new session ticket msg and get the generated session data */
+	ret = quic_handshake_crypto_data(conn, QUIC_CRYPTO_APP, conn->ticket, len);
+	if (ret) {
+		conn->errcode = -ret;
+		return;
+	}
+	size = sizeof(conn->ticket);
+	ret = gnutls_session_get_data(session, conn->ticket, &size);
+	if (ret) {
+		tlshd_log_gnutls_error(ret);
+		conn->errcode = -ret;
+		return;
+	}
+
+	/* set it back to kernel for session resumption of next connection */
+	len = size;
+	ret = setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, conn->ticket, len);
+	if (ret) {
+		tlshd_log_error("socket setsockopt session ticket error %d %u", errno, len);
+		conn->errcode = errno;
+	}
+}
+
 /**
  * tlshd_quic_start_handshake - Drive the handshake interaction
  * @conn: QUIC handshake context
@@ -582,5 +630,7 @@ void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn)
 			msg = conn->send_list;
 		}
 	}
+
+	tlshd_quic_recv_session_ticket(conn);
 }
 #endif