Mercurial > hg > nginx

annotate src/event/quic/ngx_event_quic_tokens.c @ 9045:c6580dce98a8 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: fixed triggering stream read event (ticket #2409). If a client packet carrying a stream data frame is not acked due to packet loss, the stream data is retransmitted later by client. It's also possible that the retransmitted range is bigger than before due to more stream data being available by then. If the original data was read out by the application, there would be no read event triggered by the retransmitted frame, even though it contains new data.
author Roman Arutyunyan <arut@nginx.com>
date Wed, 23 Nov 2022 18:50:26 +0400
parents 5b49f8bac1b4
children 77c1418916f7
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
1
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
2 /*
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
3 * Copyright (C) Nginx, Inc.
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
4 */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
5
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
6
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
7 #include <ngx_config.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
8 #include <ngx_core.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
9 #include <ngx_event.h>
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
10 #include <ngx_sha1.h>
8755
b4e6b7049984 QUIC: normalize header inclusion.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8752
diff changeset
11 #include <ngx_event_quic_connection.h>
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
12
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
13
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
14 static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
15 ngx_uint_t no_port, u_char buf[20]);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
16
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
17
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
18 ngx_int_t
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
19 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
20 u_char *token)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
21 {
9015
a2fbae359828 QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8837
diff changeset
22 ngx_str_t tmp;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
23
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
24 tmp.data = secret;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
25 tmp.len = NGX_QUIC_SR_KEY_LEN;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
26
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
27 if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
28 NGX_QUIC_SR_TOKEN_LEN)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
29 != NGX_OK)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
30 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
31 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
32 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
33
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
34 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
35 "quic stateless reset token %*xs",
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
36 (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
37
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
38 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
39 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
40
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
41
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
42 ngx_int_t
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
43 ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
44 socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
45 time_t exp, ngx_uint_t is_retry)
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
46 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
47 int len, iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
48 u_char *p, *iv;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
49 EVP_CIPHER_CTX *ctx;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
50 const EVP_CIPHER *cipher;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
51
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
52 u_char in[NGX_QUIC_MAX_TOKEN_SIZE];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
53
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
54 ngx_quic_address_hash(sockaddr, socklen, !is_retry, in);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
55
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
56 p = in + 20;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
57
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
58 p = ngx_cpymem(p, &exp, sizeof(time_t));
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
59
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
60 *p++ = is_retry ? 1 : 0;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
61
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
62 if (odcid) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
63 *p++ = odcid->len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
64 p = ngx_cpymem(p, odcid->data, odcid->len);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
65
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
66 } else {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
67 *p++ = 0;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
68 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
69
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
70 len = p - in;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
71
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
72 cipher = EVP_aes_256_cbc();
8801
2029a30863e2 QUIC: using compile time block/iv length for tokens.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8763
diff changeset
73 iv_len = NGX_QUIC_AES_256_CBC_IV_LEN;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
74
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
75 if ((size_t) (iv_len + len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE) > token->len)
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
76 {
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
77 ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small");
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
78 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
79 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
80
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
81 ctx = EVP_CIPHER_CTX_new();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
82 if (ctx == NULL) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
83 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
84 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
85
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
86 iv = token->data;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
87
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
88 if (RAND_bytes(iv, iv_len) <= 0
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
89 || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
90 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
91 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
92 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
93 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
94
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
95 token->len = iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
96
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
97 if (EVP_EncryptUpdate(ctx, token->data + token->len, &len, in, len) != 1) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
98 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
99 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
100 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
101
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
102 token->len += len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
103
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
104 if (EVP_EncryptFinal_ex(ctx, token->data + token->len, &len) <= 0) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
105 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
106 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
107 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
108
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
109 token->len += len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
110
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
111 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
112
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
113 #ifdef NGX_QUIC_DEBUG_PACKETS
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
114 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
115 "quic new token len:%uz %xV", token->len, token);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
116 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
117
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
118 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
119 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
120
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
121
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
122 static void
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
123 ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
124 ngx_uint_t no_port, u_char buf[20])
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
125 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
126 size_t len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
127 u_char *data;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
128 ngx_sha1_t sha1;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
129 struct sockaddr_in *sin;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
130 #if (NGX_HAVE_INET6)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
131 struct sockaddr_in6 *sin6;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
132 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
133
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
134 len = (size_t) socklen;
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
135 data = (u_char *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
136
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
137 if (no_port) {
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
138 switch (sockaddr->sa_family) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
139
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
140 #if (NGX_HAVE_INET6)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
141 case AF_INET6:
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
142 sin6 = (struct sockaddr_in6 *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
143
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
144 len = sizeof(struct in6_addr);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
145 data = sin6->sin6_addr.s6_addr;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
146
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
147 break;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
148 #endif
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
149
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
150 case AF_INET:
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
151 sin = (struct sockaddr_in *) sockaddr;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
152
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
153 len = sizeof(in_addr_t);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
154 data = (u_char *) &sin->sin_addr;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
155
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
156 break;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
157 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
158 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
159
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
160 ngx_sha1_init(&sha1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
161 ngx_sha1_update(&sha1, data, len);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
162 ngx_sha1_final(buf, &sha1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
163 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
164
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
165
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
166 ngx_int_t
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
167 ngx_quic_validate_token(ngx_connection_t *c, u_char *key,
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
168 ngx_quic_header_t *pkt)
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
169 {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
170 int len, tlen, iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
171 u_char *iv, *p;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
172 time_t now, exp;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
173 size_t total;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
174 ngx_str_t odcid;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
175 EVP_CIPHER_CTX *ctx;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
176 const EVP_CIPHER *cipher;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
177
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
178 u_char addr_hash[20];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
179 u_char tdec[NGX_QUIC_MAX_TOKEN_SIZE];
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
180
9043
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
181 #if NGX_SUPPRESS_WARN
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
182 ngx_str_null(&odcid);
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
183 #endif
5b49f8bac1b4 QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents: 9026
diff changeset
184
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
185 /* Retry token or NEW_TOKEN in a previous connection */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
186
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
187 cipher = EVP_aes_256_cbc();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
188 iv = pkt->token.data;
8801
2029a30863e2 QUIC: using compile time block/iv length for tokens.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8763
diff changeset
189 iv_len = NGX_QUIC_AES_256_CBC_IV_LEN;
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
190
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
191 /* sanity checks */
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
192
8801
2029a30863e2 QUIC: using compile time block/iv length for tokens.
Sergey Kandaurov <pluknet@nginx.com>
parents: 8763
diff changeset
193 if (pkt->token.len < (size_t) iv_len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE) {
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
194 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
195 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
196
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
197 if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
198 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
199 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
200
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
201 ctx = EVP_CIPHER_CTX_new();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
202 if (ctx == NULL) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
203 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
204 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
205
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
206 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv)) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
207 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
208 return NGX_ERROR;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
209 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
210
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
211 p = pkt->token.data + iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
212 len = pkt->token.len - iv_len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
213
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
214 if (EVP_DecryptUpdate(ctx, tdec, &len, p, len) != 1) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
215 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
216 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
217 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
218 total = len;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
219
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
220 if (EVP_DecryptFinal_ex(ctx, tdec + len, &tlen) <= 0) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
221 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
222 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
223 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
224 total += tlen;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
225
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
226 EVP_CIPHER_CTX_free(ctx);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
227
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
228 if (total < (20 + sizeof(time_t) + 2)) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
229 goto garbage;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
230 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
231
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
232 p = tdec + 20;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
233
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
234 ngx_memcpy(&exp, p, sizeof(time_t));
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
235 p += sizeof(time_t);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
236
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
237 pkt->retried = (*p++ == 1);
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
238
8763
4117aa7fa38e QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents: 8755
diff changeset
239 ngx_quic_address_hash(c->sockaddr, c->socklen, !pkt->retried, addr_hash);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
240
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
241 if (ngx_memcmp(tdec, addr_hash, 20) != 0) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
242 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
243 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
244
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
245 odcid.len = *p++;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
246 if (odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
247 if (odcid.len > NGX_QUIC_MAX_CID_LEN) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
248 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
249 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
250
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
251 if ((size_t)(tdec + total - p) < odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
252 goto bad_token;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
253 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
254
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
255 odcid.data = p;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
256 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
257
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
258 now = ngx_time();
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
259
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
260 if (now > exp) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
261 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
262 return NGX_DECLINED;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
263 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
264
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
265 if (odcid.len) {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
266 pkt->odcid.len = odcid.len;
9026
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
267 pkt->odcid.data = pkt->odcid_buf;
3550b00d9dc8 QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents: 9015
diff changeset
268 ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len);
8752
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
269
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
270 } else {
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
271 pkt->odcid = pkt->dcid;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
272 }
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
273
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
274 pkt->validated = 1;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
275
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
276 return NGX_OK;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
277
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
278 garbage:
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
279
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
280 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
281
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
282 return NGX_ABORT;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
283
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
284 bad_token:
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
285
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
286 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
287
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
288 return NGX_DECLINED;
e19723c40d28 QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff changeset
289 }