Mercurial > hg > nginx
annotate src/event/quic/ngx_event_quic_tokens.c @ 9153:8f7e6d8c061e
QUIC: use last client dcid to receive initial packets.
Previously, original dcid was used to receive initial client packets in case
server initial response was lost. However, last dcid should be used instead.
These two are the same unless retry is used. In case of retry, client resends
initial packet with a new dcid, that is different from the original dcid. If
server response is lost, the client resends this packet again with the same
dcid. This is shown in RFC 9000, 7.3. Authenticating Connection IDs, Figure 8.
The issue manifested itself with creating multiple server sessions in response
to each post-retry client initial packet, if server response is lost.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Wed, 30 Aug 2023 11:09:21 +0400 |
parents | 77c1418916f7 |
children |
rev | line source |
---|---|
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
1 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
2 /* |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
3 * Copyright (C) Nginx, Inc. |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
4 */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
5 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
6 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
7 #include <ngx_config.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
8 #include <ngx_core.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
9 #include <ngx_event.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
10 #include <ngx_sha1.h> |
8755
b4e6b7049984
QUIC: normalize header inclusion.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8752
diff
changeset
|
11 #include <ngx_event_quic_connection.h> |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
12 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
13 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
14 static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
15 ngx_uint_t no_port, u_char buf[20]); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
16 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
17 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
18 ngx_int_t |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
19 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
20 u_char *token) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
21 { |
9015
a2fbae359828
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8837
diff
changeset
|
22 ngx_str_t tmp; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
23 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
24 tmp.data = secret; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
25 tmp.len = NGX_QUIC_SR_KEY_LEN; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
26 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
27 if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
28 NGX_QUIC_SR_TOKEN_LEN) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
29 != NGX_OK) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
30 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
31 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
32 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
33 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
34 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
35 "quic stateless reset token %*xs", |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
36 (size_t) NGX_QUIC_SR_TOKEN_LEN, token); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
37 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
38 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
39 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
40 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
41 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
42 ngx_int_t |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
43 ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr, |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
44 socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
45 time_t exp, ngx_uint_t is_retry) |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
46 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
47 int len, iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
48 u_char *p, *iv; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
49 EVP_CIPHER_CTX *ctx; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
50 const EVP_CIPHER *cipher; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
51 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
52 u_char in[NGX_QUIC_MAX_TOKEN_SIZE]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
53 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
54 ngx_quic_address_hash(sockaddr, socklen, !is_retry, in); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
55 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
56 p = in + 20; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
57 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
58 p = ngx_cpymem(p, &exp, sizeof(time_t)); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
59 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
60 *p++ = is_retry ? 1 : 0; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
61 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
62 if (odcid) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
63 *p++ = odcid->len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
64 p = ngx_cpymem(p, odcid->data, odcid->len); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
65 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
66 } else { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
67 *p++ = 0; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
68 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
69 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
70 len = p - in; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
71 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
72 cipher = EVP_aes_256_gcm(); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
73 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
74 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
75 if ((size_t) (iv_len + len + NGX_QUIC_AES_256_GCM_TAG_LEN) > token->len) { |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
76 ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small"); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
77 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
78 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
79 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
80 ctx = EVP_CIPHER_CTX_new(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
81 if (ctx == NULL) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
82 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
83 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
84 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
85 iv = token->data; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
86 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
87 if (RAND_bytes(iv, iv_len) <= 0 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
88 || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv)) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
89 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
90 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
91 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
92 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
93 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
94 token->len = iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
95 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
96 if (EVP_EncryptUpdate(ctx, token->data + token->len, &len, in, len) != 1) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
97 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
98 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
99 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
100 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
101 token->len += len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
102 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
103 if (EVP_EncryptFinal_ex(ctx, token->data + token->len, &len) <= 0) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
104 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
105 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
106 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
107 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
108 token->len += len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
109 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
110 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
111 NGX_QUIC_AES_256_GCM_TAG_LEN, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
112 token->data + token->len) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
113 == 0) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
114 { |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
115 EVP_CIPHER_CTX_free(ctx); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
116 return NGX_ERROR; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
117 } |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
118 |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
119 token->len += NGX_QUIC_AES_256_GCM_TAG_LEN; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
120 |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
121 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
122 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
123 #ifdef NGX_QUIC_DEBUG_PACKETS |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
124 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0, |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
125 "quic new token len:%uz %xV", token->len, token); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
126 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
127 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
128 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
129 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
130 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
131 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
132 static void |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
133 ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
134 ngx_uint_t no_port, u_char buf[20]) |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
135 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
136 size_t len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
137 u_char *data; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
138 ngx_sha1_t sha1; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
139 struct sockaddr_in *sin; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
140 #if (NGX_HAVE_INET6) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
141 struct sockaddr_in6 *sin6; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
142 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
143 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
144 len = (size_t) socklen; |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
145 data = (u_char *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
146 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
147 if (no_port) { |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
148 switch (sockaddr->sa_family) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
149 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
150 #if (NGX_HAVE_INET6) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
151 case AF_INET6: |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
152 sin6 = (struct sockaddr_in6 *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
153 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
154 len = sizeof(struct in6_addr); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
155 data = sin6->sin6_addr.s6_addr; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
156 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
157 break; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
158 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
159 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
160 case AF_INET: |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
161 sin = (struct sockaddr_in *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
162 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
163 len = sizeof(in_addr_t); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
164 data = (u_char *) &sin->sin_addr; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
165 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
166 break; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
167 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
168 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
169 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
170 ngx_sha1_init(&sha1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
171 ngx_sha1_update(&sha1, data, len); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
172 ngx_sha1_final(buf, &sha1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
173 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
174 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
175 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
176 ngx_int_t |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
177 ngx_quic_validate_token(ngx_connection_t *c, u_char *key, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
178 ngx_quic_header_t *pkt) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
179 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
180 int len, tlen, iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
181 u_char *iv, *p; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
182 time_t now, exp; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
183 size_t total; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
184 ngx_str_t odcid; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
185 EVP_CIPHER_CTX *ctx; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
186 const EVP_CIPHER *cipher; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
187 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
188 u_char addr_hash[20]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
189 u_char tdec[NGX_QUIC_MAX_TOKEN_SIZE]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
190 |
9043
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
191 #if NGX_SUPPRESS_WARN |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
192 ngx_str_null(&odcid); |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
193 #endif |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
194 |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
195 /* Retry token or NEW_TOKEN in a previous connection */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
196 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
197 cipher = EVP_aes_256_gcm(); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
198 iv = pkt->token.data; |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
199 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
200 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
201 /* sanity checks */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
202 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
203 if (pkt->token.len < (size_t) iv_len + NGX_QUIC_AES_256_GCM_TAG_LEN) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
204 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
205 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
206 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
207 if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
208 + NGX_QUIC_AES_256_GCM_TAG_LEN) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
209 { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
210 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
211 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
212 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
213 ctx = EVP_CIPHER_CTX_new(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
214 if (ctx == NULL) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
215 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
216 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
217 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
218 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv)) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
219 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
220 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
221 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
222 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
223 p = pkt->token.data + iv_len; |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
224 len = pkt->token.len - iv_len - NGX_QUIC_AES_256_GCM_TAG_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
225 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
226 if (EVP_DecryptUpdate(ctx, tdec, &tlen, p, len) != 1) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
227 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
228 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
229 } |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
230 total = tlen; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
231 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
232 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
233 NGX_QUIC_AES_256_GCM_TAG_LEN, p + len) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
234 == 0) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
235 { |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
236 EVP_CIPHER_CTX_free(ctx); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
237 goto garbage; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
238 } |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
239 |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
240 if (EVP_DecryptFinal_ex(ctx, tdec + tlen, &tlen) <= 0) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
241 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
242 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
243 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
244 total += tlen; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
245 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
246 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
247 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
248 if (total < (20 + sizeof(time_t) + 2)) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
249 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
250 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
251 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
252 p = tdec + 20; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
253 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
254 ngx_memcpy(&exp, p, sizeof(time_t)); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
255 p += sizeof(time_t); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
256 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
257 pkt->retried = (*p++ == 1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
258 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
259 ngx_quic_address_hash(c->sockaddr, c->socklen, !pkt->retried, addr_hash); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
260 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
261 if (ngx_memcmp(tdec, addr_hash, 20) != 0) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
262 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
263 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
264 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
265 odcid.len = *p++; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
266 if (odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
267 if (odcid.len > NGX_QUIC_MAX_CID_LEN) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
268 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
269 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
270 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
271 if ((size_t)(tdec + total - p) < odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
272 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
273 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
274 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
275 odcid.data = p; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
276 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
277 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
278 now = ngx_time(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
279 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
280 if (now > exp) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
281 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
282 return NGX_DECLINED; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
283 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
284 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
285 if (odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
286 pkt->odcid.len = odcid.len; |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
287 pkt->odcid.data = pkt->odcid_buf; |
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
288 ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
289 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
290 } else { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
291 pkt->odcid = pkt->dcid; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
292 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
293 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
294 pkt->validated = 1; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
295 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
296 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
297 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
298 garbage: |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
299 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
300 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
301 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
302 return NGX_ABORT; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
303 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
304 bad_token: |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
305 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
306 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
307 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
308 return NGX_DECLINED; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
309 } |