| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
keyrot_rekey() treated any re-key attempt against a live epoch
(current or previous) the same way, whether the offered root key
matched the live one (a replay) or was genuinely different (a
conflict). Compare the offered key against the live batch's root
and return -EREPLAY for a match, keeping -1/-ECRYPT for an actual
conflict, so callers can handle replayed re-keys distinctly from
real ones.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
The ML-DSA OAP test defined CLI_AUTH/NO_CLI_AUTH and passed them for
the srv_auth parameters of the re-key tests. Rename to the neutral
AUTH/NO_AUTH already used by oap_test.c and move the pair to the
shared common.h.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Add tests for two client-encap KEM properties the server enforces:
reject a client KDF below the server floor, and confirm a re-key
forces ephemeral server-encap.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
Parametrize the re-key roundtrips over the full (srv_auth, cli_auth)
matrix. Add a KEM re-key axis, request-ID and cleartext-echo tamper
tests, and an unsupported cipher/kdf/digest NID cluster guarded by an
assertion.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop the non-OpenSSL runners from masking a real failure as SKIP by
only downgrading to SKIP if they passed.
Fix a stray call that ran test_kex_dhe_wrong_algo in the skip branch.
Fix double free + free of an uninitialised pointer in test_store_add.
Test that a KDF- less derive must fail.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The oap_hdr_encode() function validated its own output by re-decoding
with rekey hardcoded false. The case where the client signs a re-key
failed its own self-check because the cert is not sent again. Now uses
a flag on the encode() to signal the signed re-key without
certificate.
Also fixes a double free after a failed self-decode check.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
A re-key epoch arrives from the peer, so we need to reject duplicates
to avoid two batches sharing a wire epoch with different keys.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
ML-KEM, ML-DSA and SLH-DSA all landed in OpenSSL 3.5.0, not 3.4.0.
ML-KEM+ML-DSA and SLH-DSA can be disabled by DISABLE_ML / DISABLE_SLH.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
KEY_REKEY_WM_CHECK_BITS now controls the watermark check, once per 2^n
flow writes (FLOW_WM_CHECK in dev.c). Now the configuration check
(check watermark < outstanding packets) is contained in lib.cmake
instead of assuming the value of FLOW_WM_CHECK.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
Zeroize the symmetric key in the unpacked IRM message once it has been
copied into the crypt context, in both flow__irm_result_des and
flow_rekey__irm_result_des, so key material does not linger in the
protobuf buffer until it is freed.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
Leftover from the kex_config->enc_config->sec_config rename. Finished
by renames load_kex_config and the cli/srv variants to
load_sec_config, the kcfg variables to scfg, and fixes the "KEX
config"/"encryption config" comments.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds support for:
Server key confirmation: the session key is bound to the
negotiated algorithm via the HKDF info. The server returns a
key-confirmation tag (rsp_tag, replacing the bare request-hash echo),
so a cipher downgrade or key desync is detected. The cleartext path
keeps a request echo, compared in constant time.
Sealed server identity: AEAD-seal the certificate, signature and
piggybacked data in the encrypted response (kex and rsp_tag move
ahead as AAD), hiding the server identity and response sizes.
Cert-less re-key: let the client omit its certificate, verifying the
peer against the cached certificate. On PQC flows, ephemeral
server-encap KEX (preserving forward secrecy) is used, even if the
original flow allocation was client-encap.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Validate the configured key exchange and cipher against the supported
ranks (returning ENOTSUP) instead of only rejecting an undefined
cipher NID, so an unsupported algorithm is caught at config load.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Reject a packet shorter than head_skip + CRCLEN before computing the
CRC, instead of hashing over an underflowed length when the buffer is
too small to hold the trailer.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend re-key delivery beyond the locally-initiated watermark path:
Handle peer-initiated re-key requests, allowing one request and one
response per flow at a time. The client side wins if both ends try to
re-key at the same time. Caches the peer certificate to support
cert-less authenticated/signed re-keys.
After a rekey, the initiator promotes first (timer) and starts sending
under the new key. The responder observes the new key (peer_synced)
and then the responder promotes. The responder will self-decide to use
the new keys if it exhausted the older set in the case where it never
sees the peer (unidirectional flow).
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Add a function crypt_ct_cmp() that wraps CRYPTO_memcmp (OpenSSL) with
a volatile-loop fallback, for comparing authentication tags without
leaking timing.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Nest the flat req_auth and cacert members of struct sec_config into a
sub-struct a { req; cacert; }, keeping the authentication settings
together.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
The per-name config file holds more than encryption settings (KEX,
cipher, KDF, peer authentication), so renamed it from enc.conf to
sec.conf and the code internals to match.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This contains a few improvements and fixes in the OpenSSL backed. We
now zeroize shared secrets with OPENSSL_clear_free. The i2d_PUBKEY
output is bound against CRYPT_KEY_BUFSZ. We now return NULL rather
than silently falling back to SHA-256 when a digest is unknown. FILE
handles are now closed via pthread cleanup so a cancelled thread
cannot leak them. The DHE kex tests now set the KDF NID explicitly,
since the SHA-256 fallback is gone.
Also refactors the PEM string loaders to clean up some code duplication.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
The getrandom() function may return fewer bytes than requested or fail
with EINTR. Loop until the buffer is filled, retrying on EINTR,
instead of trusting a single call to fill the buffer completely.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Drops the per-table hash_key flag and the local MD5 hash() helper.
The calc_key function now folds the key with hash_mix64
unconditionally. Simplifies pft_create, which no longer takes a bool.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Adds a (non-cryptographic) MurmurHash3 fmix64 finalizer for hashing an
integer key to a table index, replacing the MD5-based bucket hashing
in the pft.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Re-key each encrypted flow's batch root periodically so a long-lived
flow never exhausts or over-uses a single root. The IRMd re-runs the
OAP exchange with the peer IRMd over the flow-update relay. The
per-flow re-keying state is tracked in the registry (reg_flow).
A re-key delivers one root seed from the OAP exchange. keyrot
immediately HKDF-expands it into 128 node keys (KR_NODES_SZ = 128 × 32
B) and wipes the root. Then each of the 128 node keys is itself a root
→ HKDF-expanded into 64 (2^KEY_NODE_BITS) leaf keys, forked per
direction; each leaf key is the actual AEAD key, good for 2^20 packets
(the low counter bits are its nonce/seq). If the number of keys runs
low, a re-key will be triggered (KEY_REKEY_WATERMARK).
The rekey is signalled out of band to the application. The rbuff ACL
is generalized into a flags word, so an RB_REKEY bit rides alongside
the access RB_RD/RB_WR and FLOWDOWN/FLOWPEER bits. The RD and WR bits
are revised ditching the fcntl historical weirdness. The seed is
pulled via flow_read/flow_write, installed with crypt_rekey(). TX
holds the old epoch until the peer is observed on the new one (or a
grace deadline elapses), promoted from both the read and write paths
so a recv-mostly flow still advances.
Also fix the FLOW_ACCEPT and FLOW_ALLOC handlers, which on a key-buffer
allocation failure returned from inside the cleanup-push region: that
leaked the reply message and skipped both the stack-key scrub and the
cleanup pop.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds an ipcp_flow_update() call to relay opaque messages between
the two IRMds (carried by FLOW_IRM_UPDATE messages), which passes it
back up to the peer IRMd via ipcp_flow_update_arr(). The broadcast
layer does not implement this.
Needed for periodic re-keying of encrypted flows via OAP.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Flow crypto signalled rotation with a single phase-parity bit, so a
loss burst that hid an even number of rotations went unnoticed and
wedged the flow for good.
Each packet now carries a small cleartext selector naming its key
directly, so a receiver that falls behind recovers on the next packet
instead of getting stuck.
The selector also serves as the AEAD nonce and is authenticated as
associated data (AAD). Key rotation moves into a new backend-agnostic
keyrot module that rotates sub-keys to bound AEAD usage while
preserving forward secrecy.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
load_sec_config_file() treated any fopen() failure as an absent
config and silently disabled encryption.
file_exists() similarly lumped non-ENOENT stat() errors in with
"present".
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the linked-list cache with three timestamp-generation hash
buckets, each capped at OAP_REPLAY_MAX entries.
A bucket is an open-addressed hash set whose slots count as live only
while slot.gen equals the bucket generation, so a stale bucket clears
in O(1) by bumping its generation instead of being scanned and pruned.
On overflow the cache fails closed - it rejects the header rather than
evicting the oldest entry. Under flood, dropping a genuine entry would
let that header be replayed, so refusing new entries is the safer
degradation than evict-oldest (fail-open) behaviour.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
| |
Added checks for CN > NAME_SIZE.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A peer certificate that verifies against the CA store could have
been issued by any trusted CA, and a peer could pick any supported
digest for its signature. Tighten the authentication contract with
two local policies.
cacert= pins the issuing CA: a peer certificate, if presented, must
chain through the pinned CA. Whether a certificate is mandatory at
all remains controlled by auth= alone.
digest= now also pins the signature digest: a classical peer must sign
with the locally configured digest, and may not omit the digest NID to
fall back to the key's default digest. PQC signatures (ML-DSA,
SLH-DSA) have an intrinsic digest and may be NID_undef.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OAP accepted requests and responses without a certificate even when
the peer was expected to authenticate. An on-path attacker could
strip the certificate and signature from a flow allocation response
and substitute its own key exchange, silently downgrading the
handshake to unauthenticated.
Add an auth=required|optional policy to enc.conf, enforced per role: a
client config requires the server to present a valid certificate, a
server config requires the same from the client. Default is required
for client side (https), optional server side. The client side default
can be changed via OAP_CLIENT_AUTH_DEFAULT for testing.
Replace the bare 'none' keyword with encryption=none, which disables
encryption only: the digest and the authentication policy are kept, so
authenticated but unencrypted flows can be configured. Configs using
bare 'none' are now rejected.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
Age the simulated-leaked blocks via alloc_ts so the aged-reclaim
triggers in the test.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
Use relaxed atomics in hot path to bump stats via
dt_stat_inc/dt_stat_load.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
The reclaim_pid_from_sc() function reaped any block allocated with
refcount from a dead PID, but cross-process hand-offs can leave a
block briefly allocated by the producer while a live consumer still
holds it. This skips reclaim within SSM_POOL_RECLAIM_AGE_S (default
60s) so in-flight hand-offs survive a producer crash.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
ssm_flow_set_notify wrote past the fqueue because of a missing bound
check, corrupting adjacent memory under burst. Drop redundant FLOW_PKT
when full and reserve the last slot for control events so they aren't
starved by data-plane traffic.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The stream FIN was not gated on the flow control window, potentially
causing a seqno overrun if the windows was full.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
| |
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The seqno was committed before calling rxm_arm, whose malloc could
fail and silently leave the seqno without a retransmission entry. None
of the recovery paths (RTO timer, RACK, SACK-driven, NACK-driven) can
repair a slot with NULL rxm, so the gap persists until the receiver's
keepalive marks the flow dead.
This fix splits rxm_arm into rxm_alloc plus rxm_arm (post-state
install). sack_rxm_snd follows the same alloc-then-arm shape.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flow_tx_spb function consumed the spb on every failure path via
ssm_pool_remove, while its caller ipcp_flow_write left the spb to its
caller on early outs, causing ssm_pool_remove to be called twice.
In Debug builds this aborts at the old_ref == 0 check.
This aligns flow_tx_spb with np1_flow_write and dt_write_packet: spb
consumed on success, retained on failure. External callers already
release on failure, so no caller-side changes outside of dev.c are
needed.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The previous shape registered no-op _rib_read / _rib_readdir /
_rib_getattr handlers when IPCP_FLOW_STATS was off, and there was a
bug where *buf was not set in the no-op causing free on an
uninitialized pointer.
IPCP_FLOW_STATS was referenced by config.h.in but the declaration was
lost during the CMake refactor.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
Worker mid fa_dealloc could still try to read from fa.psched because
stop_components() ran before ipcp_stop()/tpm_stop().
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
The stat_used function updated dt.stat[fd].stamp under the per-stat
mutex, released it, then took dt.lock wrlock to bump dt.n_flows. A
concurrent dt_rib_readdir holding dt.lock rdlock between those two
critical sections saw the new stamp but the old n_flows.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Application-level OpenSSL objects (X509_STORE held by irm/OAP) must be
released before OPENSSL_cleanup() tears down libcrypto's globals,
otherwise their destructors run against half-finalised state.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The MGMT-frame branch in eth_ipcp_packet_reader releases the spb at
the top of the loop iteration; two error exits released a second time.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The contexts are not declared at the top of the function anymore after
addition of the CRC8/CRC16 variants (no implementation in libgcrypt).
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
qos_msg flows had no end-of-stream signal: a deallocating sender
relied on the peer's inactivity timers (~30 s) to notice. Worse, the
dealloc-linger path was bugged: a receiver that called flow_dealloc
would stop draining its rx_rb while the peer's tail retransmits kept
arriving. Peer retransmitted into a black hole until its own dealloc
fired, and the whole shutdown stretched takes t_a time.
Generalizes frcti_stream_fin_snd to frcti_fin_snd; for msg mode emit a
FRCT_FIN-only control packet with the FIN seqno boundary in
pci->ackno. Receiver-side frcti_rcv latches rcv_fin_seen and stores
the boundary on FRCT_FIN-without-DATA.
Fix comment on the FRCT flags.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
RFC 8985 §7.3 permits up to two tail loss probes before falling back
to RTO. Previously FRCP allowed exactly one TLP per episode, making
tail-loss recovery dependent on a successful first probe; if that
probe was lost the sender fell straight to slow RTO with exponential
backoff.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only the HoL slot retransmits on RTO; non-HoL slots defer and rely on
SACK/RACK fast-rxm for recovery. Matches RFC 6298 §5.4 + RFC 8985 §3
and Linux tcp_retransmit_skb(head, 1). Eliminates the spurious-RTO
storm where ~50-66% of retransmits arrived as duplicates at the peer.
Co-fixes for three latent state-machine bugs that the previous
spurious-retx mask was hiding:
- recovery_enter: seal recovery_high at the false→true edge only
(RFC 6582 §3.2). Previously extended on every gap-SACK, which
trapped the sender in NewReno indefinitely once any cum-ACK fell
behind the moving recovery_high.
- rtt_sample_eligible: drop the in_recovery super-gate. Karn at the
per-slot SND_RTX|SND_TLP level is already correct (matches Linux).
- rxm_due defer interval: use base RTO, not rto<<rto_mul. Inheriting
HoL's backoff parked deferred slots tens of seconds in the future.
Bring RACK reorder-window scaling into RFC 8985 §7.2 compliance:
reo_wnd_mult widens at most once per RTT, gated via a srtt-elapsed
check in reo_wnd_on_dsack.
Stat refactor for clearer attribution: rename rxm_snd → rxm_rto (now
RTO-driven sends only), add rxm_nack and rxm_due_defer, split rxm_rcv
into total FRCT_RXM arrivals and rxm_dup_rcv (duplicates). Expose
rx/tx ring queue depths as RIB stats.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Time out frct_tx for control packets at 250us so a full tx ring cannot
stall the timer wheel (and with it KA, TLP, RXM fires). DATA frames
(fresh, RXM, TLP, FIN) keep blocking - dropping them would lose
recovery progress.
Add inact_drop, drf_rebase, rq_released, tlp_snd, sdu_snd_alloc,
sdu_snd_tx, sdu_sole, rxm_tx_dead, and per-type tx_drop counters.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous bugfixes that fixed a false-positive inactivity timer
check unmasked the need for the tail loss probe (TLP) to quickly
recover from loss of the HoL.
When the sender finishes its app data with packets still inflight,
RACK fast-rxm cannot fire (no ACK arrives), pre-DRF NACK is gated on
rcv_cr.inact, and rto_mul climbs into seconds before the next RXM fire
— recv-side deadline expires first.
This adds the RFC 8985 §7.2 TLP: PTO = 2*SRTT + max_ack_delay (t_a),
capped by the HoL slot's current RTO deadline. Probe fires from
frcti_snd and after frcti_ack_rcv; per §7.3 at most one TLP per
recovery episode, tracked via tlp_high_seq. On fire, re-emit HoL via
fast_rxm_send and hand off to RTO — no PTO self re-arm. A new SND_TLP
slot flag is Karn-skipped for RTT sampling, cleared by RTO retransmit
or NACK-driven fast-rxm, and clears rto_mul on its TLP-ACK (rto_mul
carries no CC meaning in FRCP). Also caps MAX_RTO_MUL at 8 instead of
20.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
The inactivity timers are updated under rdlock with atomics on the
time stamp. Inactivity is measured by comparison between the act stamp
against the thread's own current time (now_ns). A different thread
could already have updated the act stamp, causing undderun in the
signed comparison and causing a false-positive on the inactive test.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|