Mercurial > hg > nginx

annotate src/event/quic/ngx_event_quic_tokens.c @ 9132:77c1418916f7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: use AEAD to encrypt address validation tokens. Previously used AES256-CBC is now substituted with AES256-GCM. Although there seem to be no tangible consequences of token integrity loss.
author Roman Arutyunyan <arut@nginx.com>
date Thu, 08 Jun 2023 14:58:01 +0400
parents 5b49f8bac1b4
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
1
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
2 /*
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
3 * Copyright (C) Nginx, Inc.
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
4 */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
5
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
6
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
7 #include <ngx_config.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
8 #include <ngx_core.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
9 #include <ngx_event.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
10 #include <ngx_sha1.h>
8755
b4e6b7049984 QUIC: normalize header inclusion.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8752
diff changeset
11 #include <ngx_event_quic_connection.h>
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
12
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
13
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
14 static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
15 ngx_uint_t no_port, u_char buf[20]);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
16
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
17
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
18 ngx_int_t
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
19 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
20 u_char *token)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
21 {
9015
a2fbae359828 QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8837
diff changeset
22 ngx_str_t tmp;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
23
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
24 tmp.data = secret;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
25 tmp.len = NGX_QUIC_SR_KEY_LEN;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
26
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
27 if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
28 NGX_QUIC_SR_TOKEN_LEN)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
29 != NGX_OK)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
30 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
31 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
32 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
33
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
34 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
35 "quic stateless reset token %*xs",
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
36 (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
37
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
38 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
39 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
40
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
41
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
42 ngx_int_t
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
43 ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
44 socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
45 time_t exp, ngx_uint_t is_retry)
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
46 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
47 int len, iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
48 u_char *p, *iv;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
49 EVP_CIPHER_CTX *ctx;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
50 const EVP_CIPHER *cipher;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
51
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
52 u_char in[NGX_QUIC_MAX_TOKEN_SIZE];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
53
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
54 ngx_quic_address_hash(sockaddr, socklen, !is_retry, in);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
55
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
56 p = in + 20;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
57
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
58 p = ngx_cpymem(p, &exp, sizeof(time_t));
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
59
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
60 *p++ = is_retry ? 1 : 0;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
61
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
62 if (odcid) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
63 *p++ = odcid->len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
64 p = ngx_cpymem(p, odcid->data, odcid->len);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
65
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
66 } else {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
67 *p++ = 0;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
68 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
69
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
70 len = p - in;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
71
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
72 cipher = EVP_aes_256_gcm();
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
73 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
74
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
75 if ((size_t) (iv_len + len + NGX_QUIC_AES_256_GCM_TAG_LEN) > token->len) {
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
76 ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small");
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
77 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
78 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
79
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
80 ctx = EVP_CIPHER_CTX_new();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
81 if (ctx == NULL) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
82 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
83 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
84
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
85 iv = token->data;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
86
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
87 if (RAND_bytes(iv, iv_len) <= 0
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
88 || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
89 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
90 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
91 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
92 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
93
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
94 token->len = iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
95
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
96 if (EVP_EncryptUpdate(ctx, token->data + token->len, &len, in, len) != 1) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
97 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
98 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
99 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
100
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
101 token->len += len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
102
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
103 if (EVP_EncryptFinal_ex(ctx, token->data + token->len, &len) <= 0) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
104 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
105 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
106 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
107
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
108 token->len += len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
109
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
110 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG,
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
111 NGX_QUIC_AES_256_GCM_TAG_LEN,
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
112 token->data + token->len)
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
113 == 0)
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
114 {
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
115 EVP_CIPHER_CTX_free(ctx);
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
116 return NGX_ERROR;
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
117 }
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
118
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
119 token->len += NGX_QUIC_AES_256_GCM_TAG_LEN;
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
120
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
121 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
122
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
123 #ifdef NGX_QUIC_DEBUG_PACKETS
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
124 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
125 "quic new token len:%uz %xV", token->len, token);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
126 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
127
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
128 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
129 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
130
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
131
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
132 static void
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
133 ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
134 ngx_uint_t no_port, u_char buf[20])
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
135 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
136 size_t len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
137 u_char *data;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
138 ngx_sha1_t sha1;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
139 struct sockaddr_in *sin;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
140 #if (NGX_HAVE_INET6)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
141 struct sockaddr_in6 *sin6;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
142 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
143
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
144 len = (size_t) socklen;
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
145 data = (u_char *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
146
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
147 if (no_port) {
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
148 switch (sockaddr->sa_family) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
149
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
150 #if (NGX_HAVE_INET6)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
151 case AF_INET6:
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
152 sin6 = (struct sockaddr_in6 *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
153
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
154 len = sizeof(struct in6_addr);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
155 data = sin6->sin6_addr.s6_addr;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
156
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
157 break;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
158 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
159
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
160 case AF_INET:
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
161 sin = (struct sockaddr_in *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
162
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
163 len = sizeof(in_addr_t);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
164 data = (u_char *) &sin->sin_addr;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
165
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
166 break;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
167 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
168 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
169
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
170 ngx_sha1_init(&sha1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
171 ngx_sha1_update(&sha1, data, len);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
172 ngx_sha1_final(buf, &sha1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
173 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
174
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
175
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
176 ngx_int_t
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
177 ngx_quic_validate_token(ngx_connection_t *c, u_char *key,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
178 ngx_quic_header_t *pkt)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
179 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
180 int len, tlen, iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
181 u_char *iv, *p;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
182 time_t now, exp;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
183 size_t total;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
184 ngx_str_t odcid;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
185 EVP_CIPHER_CTX *ctx;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
186 const EVP_CIPHER *cipher;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
187
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
188 u_char addr_hash[20];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
189 u_char tdec[NGX_QUIC_MAX_TOKEN_SIZE];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
190
9043
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
191 #if NGX_SUPPRESS_WARN
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
192 ngx_str_null(&odcid);
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
193 #endif
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
194
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
195 /* Retry token or NEW_TOKEN in a previous connection */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
196
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
197 cipher = EVP_aes_256_gcm();
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
198 iv = pkt->token.data;
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
199 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
200
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
201 /* sanity checks */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
202
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
203 if (pkt->token.len < (size_t) iv_len + NGX_QUIC_AES_256_GCM_TAG_LEN) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
204 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
205 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
206
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
207 if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
208 + NGX_QUIC_AES_256_GCM_TAG_LEN)
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
209 {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
210 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
211 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
212
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
213 ctx = EVP_CIPHER_CTX_new();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
214 if (ctx == NULL) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
215 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
216 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
217
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
218 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv)) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
219 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
220 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
221 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
222
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
223 p = pkt->token.data + iv_len;
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
224 len = pkt->token.len - iv_len - NGX_QUIC_AES_256_GCM_TAG_LEN;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
225
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
226 if (EVP_DecryptUpdate(ctx, tdec, &tlen, p, len) != 1) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
227 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
228 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
229 }
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
230 total = tlen;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
231
9132
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
232 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
233 NGX_QUIC_AES_256_GCM_TAG_LEN, p + len)
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
234 == 0)
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
235 {
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
236 EVP_CIPHER_CTX_free(ctx);
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
237 goto garbage;
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
238 }
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
239
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents: 9043
diff changeset
240 if (EVP_DecryptFinal_ex(ctx, tdec + tlen, &tlen) <= 0) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
241 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
242 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
243 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
244 total += tlen;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
245
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
246 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
247
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
248 if (total < (20 + sizeof(time_t) + 2)) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
249 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
250 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
251
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
252 p = tdec + 20;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
253
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
254 ngx_memcpy(&exp, p, sizeof(time_t));
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
255 p += sizeof(time_t);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
256
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
257 pkt->retried = (*p++ == 1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
258
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
259 ngx_quic_address_hash(c->sockaddr, c->socklen, !pkt->retried, addr_hash);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
260
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
261 if (ngx_memcmp(tdec, addr_hash, 20) != 0) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
262 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
263 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
264
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
265 odcid.len = *p++;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
266 if (odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
267 if (odcid.len > NGX_QUIC_MAX_CID_LEN) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
268 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
269 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
270
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
271 if ((size_t)(tdec + total - p) < odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
272 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
273 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
274
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
275 odcid.data = p;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
276 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
277
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
278 now = ngx_time();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
279
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
280 if (now > exp) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
281 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
282 return NGX_DECLINED;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
283 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
284
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
285 if (odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
286 pkt->odcid.len = odcid.len;
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
287 pkt->odcid.data = pkt->odcid_buf;
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
288 ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
289
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
290 } else {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
291 pkt->odcid = pkt->dcid;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
292 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
293
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
294 pkt->validated = 1;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
295
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
296 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
297
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
298 garbage:
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
299
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
300 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
301
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
302 return NGX_ABORT;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
303
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
304 bad_token:
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
305
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
306 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
307
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
308 return NGX_DECLINED;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
309 }