nginx: src/event/quic/ngx_event_quic

annotate src/event/quic/ngx_event_quic_tokens.h @ 9132:77c1418916f7

QUIC: use AEAD to encrypt address validation tokens. Previously used AES256-CBC is now substituted with AES256-GCM. Although there seem to be no tangible consequences of token integrity loss.

author	Roman Arutyunyan <arut@nginx.com>
date	Thu, 08 Jun 2023 14:58:01 +0400
parents	3550b00d9dc8
children

rev	line source
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	1
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	2 /*
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	3 * Copyright (C) Nginx, Inc.
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	4 */
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	5
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	6
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	7 #ifndef _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	8 #define _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	9
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	10
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	11 #include <ngx_config.h>
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	12 #include <ngx_core.h>
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	13
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	14
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	15 #define NGX_QUIC_MAX_TOKEN_SIZE 64
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	16 /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	17
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	18 #define NGX_QUIC_AES_256_GCM_IV_LEN 12
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	19 #define NGX_QUIC_AES_256_GCM_TAG_LEN 16
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	20
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	21 #define NGX_QUIC_TOKEN_BUF_SIZE (NGX_QUIC_AES_256_GCM_IV_LEN \
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	22 + NGX_QUIC_MAX_TOKEN_SIZE \
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	23 + NGX_QUIC_AES_256_GCM_TAG_LEN)
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	24
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	25
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	26 ngx_int_t ngx_quic_new_sr_token(ngx_connection_t c, ngx_str_t cid,
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	27 u_char secret, u_char token);
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	28 ngx_int_t ngx_quic_new_token(ngx_log_t log, struct sockaddr sockaddr,
8763 4117aa7fa38e QUIC: connection migration. Vladimir Homutov <vl@nginx.com> parents: 8752 diff changeset	29 socklen_t socklen, u_char key, ngx_str_t token, ngx_str_t *odcid,
4117aa7fa38e QUIC: connection migration. Vladimir Homutov <vl@nginx.com> parents: 8752 diff changeset	30 time_t expires, ngx_uint_t is_retry);
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	31 ngx_int_t ngx_quic_validate_token(ngx_connection_t *c,
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	32 u_char key, ngx_quic_header_t pkt);
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	33
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	34 #endif /* _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_ */

Mercurial > hg > nginx

annotate src/event/quic/ngx_event_quic_tokens.h @ 9132:77c1418916f7