quiche: use max header size configured in HCM

source/common/http/codec_client.cc

@@ -34,14 +34,17 @@ CodecClient::CodecClient(Type type, Network::ClientConnectionPtr&& connection,
   connection_->addConnectionCallbacks(*this);
   connection_->addReadFilter(Network::ReadFilterSharedPtr{new CodecReadFilter(*this)});
 
-  // In general, codecs are handed new not-yet-connected connections, but in the
-  // case of ALPN, the codec may be handed an already connected connection.
-  if (!connection_->connecting()) {
-    ASSERT(connection_->state() == Network::Connection::State::Open);
-    connected_ = true;
-  } else {
-    ENVOY_CONN_LOG(debug, "connecting", *connection_);
-    connection_->connect();
+  // Do not start handshake for H3 connection till it is initialized.
+  if (type_ != Type::HTTP3) {
+    // In general, codecs are handed new not-yet-connected connections, but in the
+    // case of ALPN, the codec may be handed an already connected connection.
+    if (!connection_->connecting()) {
+      ASSERT(connection_->state() == Network::Connection::State::Open);
+      connected_ = true;
+    } else {
+      ENVOY_CONN_LOG(debug, "connecting", *connection_);
+      connection_->connect();
+    }
   }
 
   if (idle_timeout_) {
@@ -185,10 +188,21 @@ CodecClientProd::CodecClientProd(Type type, Network::ClientConnectionPtr&& conne
   }
   case Type::HTTP3: {
 #ifdef ENVOY_ENABLE_QUIC
+    auto& quic_session = dynamic_cast<Quic::EnvoyQuicClientSession&>(*connection_);
     codec_ = std::make_unique<Quic::QuicHttpClientConnectionImpl>(
-        dynamic_cast<Quic::EnvoyQuicClientSession&>(*connection_), *this,
-        host->cluster().http3CodecStats(), host->cluster().http3Options(),
+        quic_session, *this, host->cluster().http3CodecStats(), host->cluster().http3Options(),
         Http::DEFAULT_MAX_REQUEST_HEADERS_KB);
+    // Initialize the session after max request header size is changed in above http client
+    // connection creation.
+    quic_session.Initialize();
+    // The other two codecs have already connected in base class.
+    if (!connection_->connecting()) {
+      ASSERT(connection_->state() == Network::Connection::State::Open);
+      connected_ = true;
+    } else {
+      ENVOY_CONN_LOG(debug, "connecting", *connection_);
+      connection_->connect();
+    }
     break;
 #else
     // Should be blocked by configuration checking at an earlier point.

source/common/http/codec_client.h

@@ -47,7 +47,7 @@ class CodecClientCallbacks {
  * This is an HTTP client that multiple stream management and underlying connection management
  * across multiple HTTP codec types.
  */
-class CodecClient : Logger::Loggable<Logger::Id::client>,
+class CodecClient : protected Logger::Loggable<Logger::Id::client>,
                     public Http::ConnectionCallbacks,
                     public Network::ConnectionCallbacks,
                     public Event::DeferredDeletable {
@@ -177,6 +177,7 @@ class CodecClient : Logger::Loggable<Logger::Id::client>,
   ClientConnectionPtr codec_;
   Event::TimerPtr idle_timer_;
   const absl::optional<std::chrono::milliseconds> idle_timeout_;
+  bool connected_{};
 
 private:
   /**
@@ -254,7 +255,6 @@ class CodecClient : Logger::Loggable<Logger::Id::client>,
   std::list<ActiveRequestPtr> active_requests_;
   Http::ConnectionCallbacks* codec_callbacks_{};
   CodecClientCallbacks* codec_client_callbacks_{};
-  bool connected_{};
   bool remote_closed_{};
   bool protocol_error_{false};
 };

source/common/quic/BUILD

@@ -354,6 +354,8 @@ envoy_cc_library(
         "//source/common/network:address_lib",
         "//source/common/network:listen_socket_lib",
         "//source/common/network:socket_option_factory_lib",
+        "//source/common/quic:quic_io_handle_wrapper_lib",
+        "//source/extensions/transport_sockets:well_known_names",
         "@com_googlesource_quiche//:quic_core_http_header_list_lib",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],

source/common/quic/active_quic_listener.cc

@@ -46,6 +46,7 @@ ActiveQuicListener::ActiveQuicListener(
       kernel_worker_routing_(kernel_worker_routing) {
   // This flag fix a QUICHE issue which may crash Envoy during connection close.
   SetQuicReloadableFlag(quic_single_ack_in_packet2, true);
+  SetQuicFlag(FLAGS_quic_header_size_limit_includes_overhead, false);
 
   if (Runtime::LoaderSingleton::getExisting()) {
     enabled_.emplace(Runtime::FeatureFlag(enabled, Runtime::LoaderSingleton::get()));

source/common/quic/client_connection_factory_impl.cc

@@ -49,11 +49,11 @@ createQuicNetworkConnection(Http::PersistentQuicInfo& info, Event::Dispatcher& d
       info_impl->alarm_factory_, quic::ParsedQuicVersionVector{info_impl->supported_versions_[0]},
       local_addr, dispatcher, nullptr);
   auto& static_info = StaticInfo::get();
+  SetQuicFlag(FLAGS_quic_header_size_limit_includes_overhead, false);
   auto ret = std::make_unique<EnvoyQuicClientSession>(
       static_info.quic_config_, info_impl->supported_versions_, std::move(connection),
       info_impl->server_id_, info_impl->crypto_config_.get(), &static_info.push_promise_index_,
       dispatcher, 0);
-  ret->Initialize();
   return ret;
 }
 

source/common/quic/codec_impl.cc

@@ -22,14 +22,15 @@ QuicHttpServerConnectionImpl::QuicHttpServerConnectionImpl(
     EnvoyQuicServerSession& quic_session, Http::ServerConnectionCallbacks& callbacks,
     Http::Http3::CodecStats& stats,
     const envoy::config::core::v3::Http3ProtocolOptions& http3_options,
-    const uint32_t /*max_request_headers_kb*/,
+    const uint32_t max_request_headers_kb,
     envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction
         headers_with_underscores_action)
     : QuicHttpConnectionImplBase(quic_session, stats), quic_server_session_(quic_session) {
   quic_session.setCodecStats(stats);
   quic_session.setHttp3Options(http3_options);
   quic_session.setHeadersWithUnderscoreAction(headers_with_underscores_action);
   quic_session.setHttpConnectionCallbacks(callbacks);
+  quic_session.set_max_inbound_header_list_size(max_request_headers_kb * 1024u);
 }
 
 void QuicHttpServerConnectionImpl::onUnderlyingConnectionAboveWriteBufferHighWatermark() {
@@ -68,11 +69,12 @@ QuicHttpClientConnectionImpl::QuicHttpClientConnectionImpl(
     EnvoyQuicClientSession& session, Http::ConnectionCallbacks& callbacks,
     Http::Http3::CodecStats& stats,
     const envoy::config::core::v3::Http3ProtocolOptions& http3_options,
-    const uint32_t /*max_request_headers_kb*/)
+    const uint32_t max_request_headers_kb)
     : QuicHttpConnectionImplBase(session, stats), quic_client_session_(session) {
   session.setCodecStats(stats);
   session.setHttp3Options(http3_options);
   session.setHttpConnectionCallbacks(callbacks);
+  session.set_max_inbound_header_list_size(max_request_headers_kb * 1024);
 }
 
 Http::RequestEncoder&

source/common/quic/envoy_quic_client_session.cc

@@ -14,10 +14,7 @@ EnvoyQuicClientSession::EnvoyQuicClientSession(
     : QuicFilterManagerConnectionImpl(*connection, dispatcher, send_buffer_limit),
       quic::QuicSpdyClientSession(config, supported_versions, connection.release(), server_id,
                                   crypto_config, push_promise_index),
-      host_name_(server_id.host()) {
-  // HTTP/3 header limits should be configurable, but for now hard-code to Envoy defaults.
-  set_max_inbound_header_list_size(Http::DEFAULT_MAX_REQUEST_HEADERS_KB * 1000);
-}
+      host_name_(server_id.host()) {}
 
 EnvoyQuicClientSession::~EnvoyQuicClientSession() {
   ASSERT(!connection()->connected());
@@ -41,6 +38,7 @@ void EnvoyQuicClientSession::OnConnectionClosed(const quic::QuicConnectionCloseF
 
 void EnvoyQuicClientSession::Initialize() {
   quic::QuicSpdyClientSession::Initialize();
+  initialized_ = true;
   quic_connection_->setEnvoyConnection(*this);
 }
 

source/common/quic/envoy_quic_dispatcher.cc

@@ -3,6 +3,7 @@
 #include "common/http/utility.h"
 #include "common/quic/envoy_quic_server_connection.h"
 #include "common/quic/envoy_quic_server_session.h"
+#include "common/quic/envoy_quic_utils.h"
 
 namespace Envoy {
 namespace Quic {
@@ -48,8 +49,8 @@ void EnvoyQuicDispatcher::OnConnectionClosed(quic::QuicConnectionId connection_i
 
 std::unique_ptr<quic::QuicSession> EnvoyQuicDispatcher::CreateQuicSession(
     quic::QuicConnectionId server_connection_id, const quic::QuicSocketAddress& self_address,
-    const quic::QuicSocketAddress& peer_address, absl::string_view /*alpn*/,
-    const quic::ParsedQuicVersion& version, absl::string_view /*sni*/) {
+    const quic::QuicSocketAddress& peer_address, absl::string_view alpn,
+    const quic::ParsedQuicVersion& version, absl::string_view sni) {
   quic::QuicConfig quic_config = config();
   // TODO(danzh) setup flow control window via config.
   quic_config.SetInitialStreamFlowControlWindowToSend(
@@ -63,6 +64,17 @@ std::unique_ptr<quic::QuicSession> EnvoyQuicDispatcher::CreateQuicSession(
       quic_config, quic::ParsedQuicVersionVector{version}, std::move(quic_connection), this,
       session_helper(), crypto_config(), compressed_certs_cache(), dispatcher_,
       listener_config_.perConnectionBufferLimitBytes(), listener_config_);
+
+  const Network::FilterChain* filter_chain =
+      getFilterChain(listen_socket_.ioHandle(), listener_config_.filterChainManager(), self_address,
+                     peer_address, std::string(sni), alpn);
+  ASSERT(filter_chain);
+  if (filter_chain != nullptr) {
+    const bool has_filter_initialized =
+        listener_config_.filterChainFactory().createNetworkFilterChain(
+            *quic_session, filter_chain->networkFilterFactories());
+    ASSERT(has_filter_initialized);
+  }
   quic_session->Initialize();
   // Filter chain can't be retrieved here as self address is unknown at this
   // point.

source/common/quic/envoy_quic_proof_source.cc

@@ -83,16 +83,10 @@ EnvoyQuicProofSource::getTlsCertConfigAndFilterChain(const quic::QuicSocketAddre
                                                      const quic::QuicSocketAddress& client_address,
                                                      const std::string& hostname) {
   ENVOY_LOG(trace, "Getting cert chain for {}", hostname);
-  Network::ConnectionSocketImpl connection_socket(
-      std::make_unique<QuicIoHandleWrapper>(listen_socket_.ioHandle()),
-      quicAddressToEnvoyAddressInstance(server_address),
-      quicAddressToEnvoyAddressInstance(client_address));
-  connection_socket.setDetectedTransportProtocol(
-      Extensions::TransportSockets::TransportProtocolNames::get().Quic);
-  connection_socket.setRequestedServerName(hostname);
-  connection_socket.setRequestedApplicationProtocols({"h2"});
   const Network::FilterChain* filter_chain =
-      filter_chain_manager_.findFilterChain(connection_socket);
+      getFilterChain(listen_socket_.ioHandle(), filter_chain_manager_, server_address,
+                     client_address, hostname, "h3-29");
+
   if (filter_chain == nullptr) {
     listener_stats_.no_filter_chain_match_.inc();
     return {absl::nullopt, absl::nullopt};

source/common/quic/envoy_quic_server_session.cc

@@ -14,14 +14,11 @@ EnvoyQuicServerSession::EnvoyQuicServerSession(
     std::unique_ptr<EnvoyQuicConnection> connection, quic::QuicSession::Visitor* visitor,
     quic::QuicCryptoServerStream::Helper* helper, const quic::QuicCryptoServerConfig* crypto_config,
     quic::QuicCompressedCertsCache* compressed_certs_cache, Event::Dispatcher& dispatcher,
-    uint32_t send_buffer_limit, Network::ListenerConfig& listener_config)
+    uint32_t send_buffer_limit, Network::ListenerConfig& /*listener_config*/)
     : quic::QuicServerSessionBase(config, supported_versions, connection.get(), visitor, helper,
                                   crypto_config, compressed_certs_cache),
       QuicFilterManagerConnectionImpl(*connection, dispatcher, send_buffer_limit),
-      quic_connection_(std::move(connection)), listener_config_(listener_config) {
-  // HTTP/3 header limits should be configurable, but for now hard-code to Envoy defaults.
-  set_max_inbound_header_list_size(Http::DEFAULT_MAX_REQUEST_HEADERS_KB * 1000);
-}
+      quic_connection_(std::move(connection)) {}
 
 EnvoyQuicServerSession::~EnvoyQuicServerSession() {
   ASSERT(!quic_connection_->connected());
@@ -89,6 +86,7 @@ void EnvoyQuicServerSession::OnConnectionClosed(const quic::QuicConnectionCloseF
 
 void EnvoyQuicServerSession::Initialize() {
   quic::QuicServerSessionBase::Initialize();
+  initialized_ = true;
   quic_connection_->setEnvoyConnection(*this);
 }
 
@@ -109,7 +107,6 @@ void EnvoyQuicServerSession::SetDefaultEncryptionLevel(quic::EncryptionLevel lev
   if (level != quic::ENCRYPTION_FORWARD_SECURE) {
     return;
   }
-  maybeCreateNetworkFilters();
   // This is only reached once, when handshake is done.
   raiseConnectionEvent(Network::ConnectionEvent::Connected);
 }
@@ -118,22 +115,9 @@ bool EnvoyQuicServerSession::hasDataToWrite() { return HasDataToWrite(); }
 
 void EnvoyQuicServerSession::OnTlsHandshakeComplete() {
   quic::QuicServerSessionBase::OnTlsHandshakeComplete();
-  maybeCreateNetworkFilters();
   raiseConnectionEvent(Network::ConnectionEvent::Connected);
 }
 
-void EnvoyQuicServerSession::maybeCreateNetworkFilters() {
-  auto proof_source_details =
-      dynamic_cast<const EnvoyQuicProofSourceDetails*>(GetCryptoStream()->ProofSourceDetails());
-  ASSERT(proof_source_details != nullptr,
-         "ProofSource didn't provide ProofSource::Details. No filter chain will be installed.");
-
-  const bool has_filter_initialized =
-      listener_config_.filterChainFactory().createNetworkFilterChain(
-          *this, proof_source_details->filterChain().networkFilterFactories());
-  ASSERT(has_filter_initialized);
-}
-
 size_t EnvoyQuicServerSession::WriteHeadersOnHeadersStream(
     quic::QuicStreamId id, spdy::SpdyHeaderBlock headers, bool fin,
     const spdy::SpdyStreamPrecedence& precedence,

source/common/quic/envoy_quic_server_session.h

@@ -90,10 +90,8 @@ class EnvoyQuicServerSession : public quic::QuicServerSessionBase,
 
 private:
   void setUpRequestDecoder(EnvoyQuicServerStream& stream);
-  void maybeCreateNetworkFilters();
 
   std::unique_ptr<EnvoyQuicConnection> quic_connection_;
-  Network::ListenerConfig& listener_config_;
   // These callbacks are owned by network filters and quic session should out live
   // them.
   Http::ServerConnectionCallbacks* http_connection_callbacks_{nullptr};

source/common/quic/envoy_quic_utils.cc

@@ -6,6 +6,8 @@
 #include "common/network/socket_option_factory.h"
 #include "common/network/utility.h"
 
+#include "extensions/transport_sockets/well_known_names.h"
+
 namespace Envoy {
 namespace Quic {
 
@@ -223,5 +225,20 @@ int deduceSignatureAlgorithmFromPublicKey(const EVP_PKEY* public_key, std::strin
   return sign_alg;
 }
 
+const Network::FilterChain* getFilterChain(Network::IoHandle& io_handle,
+                                           Network::FilterChainManager& filter_chain_manager,
+                                           const quic::QuicSocketAddress& self_address,
+                                           const quic::QuicSocketAddress& peer_address,
+                                           const std::string& hostname, absl::string_view alpn) {
+  Network::ConnectionSocketImpl connection_socket(std::make_unique<QuicIoHandleWrapper>(io_handle),
+                                                  quicAddressToEnvoyAddressInstance(self_address),
+                                                  quicAddressToEnvoyAddressInstance(peer_address));
+  connection_socket.setDetectedTransportProtocol(
+      Extensions::TransportSockets::TransportProtocolNames::get().Quic);
+  connection_socket.setRequestedServerName(hostname);
+  connection_socket.setRequestedApplicationProtocols({alpn});
+  return filter_chain_manager.findFilterChain(connection_socket);
+}
+
 } // namespace Quic
 } // namespace Envoy

source/common/quic/envoy_quic_utils.h

@@ -7,6 +7,7 @@
 #include "common/http/header_map_impl.h"
 #include "common/network/address_impl.h"
 #include "common/network/listen_socket_impl.h"
+#include "common/quic/quic_io_handle_wrapper.h"
 
 #if defined(__GNUC__)
 #pragma GCC diagnostic push
@@ -125,5 +126,11 @@ bssl::UniquePtr<X509> parseDERCertificate(const std::string& der_bytes, std::str
 // not supported, return 0 with error_details populated correspondingly.
 int deduceSignatureAlgorithmFromPublicKey(const EVP_PKEY* public_key, std::string* error_details);
 
+const Network::FilterChain* getFilterChain(Network::IoHandle& io_handle,
+                                           Network::FilterChainManager& filter_chain_manager,
+                                           const quic::QuicSocketAddress& self_address,
+                                           const quic::QuicSocketAddress& peer_address,
+                                           const std::string& hostname, absl::string_view alpn);
+
 } // namespace Quic
 } // namespace Envoy

source/common/quic/quic_filter_manager_connection_impl.cc

@@ -1,5 +1,6 @@
 #include "common/quic/quic_filter_manager_connection_impl.h"
 
+#include <initializer_list>
 #include <memory>
 
 namespace Envoy {
@@ -65,6 +66,11 @@ void QuicFilterManagerConnectionImpl::close(Network::ConnectionCloseType type) {
     // Already detached from quic connection.
     return;
   }
+  if (!initialized_) {
+    // Delay close till the first OnCanWrite() call.
+    delayed_close_state_ = DelayedCloseState::CloseAfterFlush;
+    return;
+  }
   const bool delayed_close_timeout_configured = delayed_close_timeout_.count() > 0;
   if (hasDataToWrite() && type != Network::ConnectionCloseType::NoFlush) {
     if (delayed_close_timeout_configured) {

source/common/quic/quic_filter_manager_connection_impl.h

@@ -73,16 +73,16 @@ class QuicFilterManagerConnectionImpl : public Network::ConnectionImplBase,
   }
   Ssl::ConnectionInfoConstSharedPtr ssl() const override;
   Network::Connection::State state() const override {
-    if (quic_connection_ != nullptr && quic_connection_->connected()) {
+    if (!initialized_ || (quic_connection_ != nullptr && quic_connection_->connected())) {
       return Network::Connection::State::Open;
     }
     return Network::Connection::State::Closed;
   }
   bool connecting() const override {
-    if (quic_connection_ != nullptr && !quic_connection_->IsHandshakeComplete()) {
-      return true;
+    if (initialized_ && (quic_connection_ == nullptr || quic_connection_->IsHandshakeComplete())) {
+      return false;
     }
-    return false;
+    return true;
   }
   void write(Buffer::Instance& /*data*/, bool /*end_stream*/) override {
     // All writes should be handled by Quic internally.
@@ -143,6 +143,8 @@ class QuicFilterManagerConnectionImpl : public Network::ConnectionImplBase,
   absl::optional<std::reference_wrapper<Http::Http3::CodecStats>> codec_stats_;
   absl::optional<std::reference_wrapper<const envoy::config::core::v3::Http3ProtocolOptions>>
       http3_options_;
+  // If false, do not call into quic_connection_.
+  bool initialized_{false};
 
 private:
   friend class Envoy::TestPauseFilterForQuic;