comparison src/event/ngx_event_quic.c @ 8384:52d0c4832570 quic
Address validation using NEW_TOKEN frame.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 14 May 2020 15:47:24 +0300 |
parents | 7ea34e13937f |
children | fb7422074258 |
8383:7ea34e13937f | 8384:52d0c4832570 |
---|---|
185 static ngx_int_t ngx_quic_payload_handler(ngx_connection_t *c, | 185 static ngx_int_t ngx_quic_payload_handler(ngx_connection_t *c, |
186 ngx_quic_header_t *pkt); | 186 ngx_quic_header_t *pkt); |
187 static ngx_int_t ngx_quic_send_ack(ngx_connection_t *c, ngx_quic_header_t *pkt); | 187 static ngx_int_t ngx_quic_send_ack(ngx_connection_t *c, ngx_quic_header_t *pkt); |
188 static ngx_int_t ngx_quic_send_cc(ngx_connection_t *c, | 188 static ngx_int_t ngx_quic_send_cc(ngx_connection_t *c, |
189 enum ssl_encryption_level_t level, ngx_uint_t err); | 189 enum ssl_encryption_level_t level, ngx_uint_t err); |
190 static ngx_int_t ngx_quic_send_new_token(ngx_connection_t *c); | |
190 | 191 |
191 static ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c, | 192 static ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c, |
192 ngx_quic_header_t *pkt, ngx_quic_ack_frame_t *f); | 193 ngx_quic_header_t *pkt, ngx_quic_ack_frame_t *f); |
193 static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c, | 194 static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c, |
194 ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max); | 195 ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max); |
542 | 543 |
543 static ngx_int_t | 544 static ngx_int_t |
544 ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp, | 545 ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp, |
545 ngx_quic_header_t *pkt, ngx_connection_handler_pt handler) | 546 ngx_quic_header_t *pkt, ngx_connection_handler_pt handler) |
546 { | 547 { |
548 ngx_int_t rc; | |
547 ngx_uint_t i; | 549 ngx_uint_t i; |
548 ngx_quic_tp_t *ctp; | 550 ngx_quic_tp_t *ctp; |
549 ngx_quic_secrets_t *keys; | 551 ngx_quic_secrets_t *keys; |
550 ngx_quic_send_ctx_t *ctx; | 552 ngx_quic_send_ctx_t *ctx; |
551 ngx_quic_connection_t *qc; | 553 ngx_quic_connection_t *qc; |
640 != NGX_OK) | 642 != NGX_OK) |
641 { | 643 { |
642 return NGX_ERROR; | 644 return NGX_ERROR; |
643 } | 645 } |
644 | 646 |
645 if (tp->retry) { | 647 if (pkt->token.len) { |
648 rc = ngx_quic_validate_token(c, pkt); | |
649 | |
650 if (rc == NGX_ERROR) { | |
651 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token"); | |
652 return NGX_ERROR; | |
653 } | |
654 | |
655 if (rc == NGX_DECLINED) { | |
656 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token"); | |
657 return ngx_quic_retry(c); | |
658 } | |
659 | |
660 /* NGX_OK */ | |
661 | |
662 } else if (tp->retry) { | |
646 return ngx_quic_retry(c); | 663 return ngx_quic_retry(c); |
647 } | 664 } |
648 | 665 |
649 pkt->secret = &keys->client; | 666 pkt->secret = &keys->client; |
650 pkt->level = ssl_encryption_initial; | 667 pkt->level = ssl_encryption_initial; |
1949 return ngx_quic_output(c); | 1966 return ngx_quic_output(c); |
1950 } | 1967 } |
1951 | 1968 |
1952 | 1969 |
1953 static ngx_int_t | 1970 static ngx_int_t |
1971 ngx_quic_send_new_token(ngx_connection_t *c) | |
1972 { | |
1973 ngx_str_t token; | |
1974 ngx_quic_frame_t *frame; | |
1975 | |
1976 if (!c->quic->tp.retry) { | |
1977 return NGX_OK; | |
1978 } | |
1979 | |
1980 if (ngx_quic_new_token(c, &token) != NGX_OK) { | |
1981 return NGX_ERROR; | |
1982 } | |
1983 | |
1984 frame = ngx_quic_alloc_frame(c, 0); | |
1985 if (frame == NULL) { | |
1986 return NGX_ERROR; | |
1987 } | |
1988 | |
1989 frame->level = ssl_encryption_application; | |
1990 frame->type = NGX_QUIC_FT_NEW_TOKEN; | |
1991 frame->u.token.length = token.len; | |
1992 frame->u.token.data = token.data; | |
1993 ngx_sprintf(frame->info, "NEW_TOKEN"); | |
1994 ngx_quic_queue_frame(c->quic, frame); | |
1995 | |
1996 return NGX_OK; | |
1997 } | |
1998 | |
1999 static ngx_int_t | |
1954 ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, | 2000 ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, |
1955 ngx_quic_ack_frame_t *ack) | 2001 ngx_quic_ack_frame_t *ack) |
1956 { | 2002 { |
1957 ssize_t n; | 2003 ssize_t n; |
1958 u_char *pos, *end; | 2004 u_char *pos, *end; |
2402 /* 12.4 Frames and frame types, figure 8 */ | 2448 /* 12.4 Frames and frame types, figure 8 */ |
2403 frame->level = ssl_encryption_application; | 2449 frame->level = ssl_encryption_application; |
2404 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE; | 2450 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE; |
2405 ngx_sprintf(frame->info, "HANDSHAKE DONE on handshake completed"); | 2451 ngx_sprintf(frame->info, "HANDSHAKE DONE on handshake completed"); |
2406 ngx_quic_queue_frame(c->quic, frame); | 2452 ngx_quic_queue_frame(c->quic, frame); |
2453 | |
2454 if (ngx_quic_send_new_token(c) != NGX_OK) { | |
2455 return NGX_ERROR; | |
2456 } | |
2407 | 2457 |
2408 /* | 2458 /* |
2409 * Generating next keys before a key update is received. | 2459 * Generating next keys before a key update is received. |
2410 * See quic-tls 9.4 Header Protection Timing Side-Channels. | 2460 * See quic-tls 9.4 Header Protection Timing Side-Channels. |
2411 */ | 2461 */ |
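Review bot: In ngx_quic_new_connection the new `if (pkt->token.len)` branch validates whatever token the client presents before `tp->retry` is consulted, so with retry disabled an unrecognized token still ends the connection (NGX_ERROR) or sends a Retry on NGX_DECLINED, although ngx_quic_send_new_token in the same commit only issues tokens when `c->quic->tp.retry` is set. If that is intended (tokens issued under an earlier configuration are still honored), a comment on the branch would make it explicit, e.g. `/* a presented token is checked even when retry is off: NGX_ERROR drops the connection, NGX_DECLINED falls back to Retry */`; otherwise `if (pkt->token.len && tp->retry)` would let a stray token be ignored, which is what the transport draft allows for a token that came from NEW_TOKEN rather than Retry. The invalid-token path also returns NGX_ERROR without any CONNECTION_CLOSE, whereas the draft asks for an INVALID_TOKEN close when a Retry token fails validation; ngx_quic_send_cc, declared at the top of the section, looks like the place for that if the corresponding error code exists in this file. Whether ngx_quic_validate_token can tell the two token kinds apart is not visible here, and both ngx_quic_new_connection and the handshake-completion block at the end of the section begin outside the shown lines.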