comparison src/event/ngx_event_quic.c @ 8384:52d0c4832570 quic

Address validation using NEW_TOKEN frame.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 14 May 2020 15:47:24 +0300
parents 7ea34e13937f
children fb7422074258
8383:7ea34e13937f 8384:52d0c4832570
185 static ngx_int_t ngx_quic_payload_handler(ngx_connection_t *c, 185 static ngx_int_t ngx_quic_payload_handler(ngx_connection_t *c,
186 ngx_quic_header_t *pkt); 186 ngx_quic_header_t *pkt);
187 static ngx_int_t ngx_quic_send_ack(ngx_connection_t *c, ngx_quic_header_t *pkt); 187 static ngx_int_t ngx_quic_send_ack(ngx_connection_t *c, ngx_quic_header_t *pkt);
188 static ngx_int_t ngx_quic_send_cc(ngx_connection_t *c, 188 static ngx_int_t ngx_quic_send_cc(ngx_connection_t *c,
189 enum ssl_encryption_level_t level, ngx_uint_t err); 189 enum ssl_encryption_level_t level, ngx_uint_t err);
190 static ngx_int_t ngx_quic_send_new_token(ngx_connection_t *c);
190 191
191 static ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c, 192 static ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c,
192 ngx_quic_header_t *pkt, ngx_quic_ack_frame_t *f); 193 ngx_quic_header_t *pkt, ngx_quic_ack_frame_t *f);
193 static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c, 194 static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c,
194 ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max); 195 ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max);
542 543
543 static ngx_int_t 544 static ngx_int_t
544 ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp, 545 ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_quic_tp_t *tp,
545 ngx_quic_header_t *pkt, ngx_connection_handler_pt handler) 546 ngx_quic_header_t *pkt, ngx_connection_handler_pt handler)
546 { 547 {
548 ngx_int_t rc;
547 ngx_uint_t i; 549 ngx_uint_t i;
548 ngx_quic_tp_t *ctp; 550 ngx_quic_tp_t *ctp;
549 ngx_quic_secrets_t *keys; 551 ngx_quic_secrets_t *keys;
550 ngx_quic_send_ctx_t *ctx; 552 ngx_quic_send_ctx_t *ctx;
551 ngx_quic_connection_t *qc; 553 ngx_quic_connection_t *qc;
640 != NGX_OK) 642 != NGX_OK)
641 { 643 {
642 return NGX_ERROR; 644 return NGX_ERROR;
643 } 645 }
644 646
645 if (tp->retry) { 647 if (pkt->token.len) {
648 rc = ngx_quic_validate_token(c, pkt);
649
650 if (rc == NGX_ERROR) {
651 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");
652 return NGX_ERROR;
653 }
654
655 if (rc == NGX_DECLINED) {
656 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
657 return ngx_quic_retry(c);
658 }
659
660 /* NGX_OK */
661
662 } else if (tp->retry) {
646 return ngx_quic_retry(c); 663 return ngx_quic_retry(c);
647 } 664 }
648 665
649 pkt->secret = &keys->client; 666 pkt->secret = &keys->client;
650 pkt->level = ssl_encryption_initial; 667 pkt->level = ssl_encryption_initial;
1949 return ngx_quic_output(c); 1966 return ngx_quic_output(c);
1950 } 1967 }
1951 1968
1952 1969
1953 static ngx_int_t 1970 static ngx_int_t
1971 ngx_quic_send_new_token(ngx_connection_t *c)
1972 {
1973 ngx_str_t token;
1974 ngx_quic_frame_t *frame;
1975
1976 if (!c->quic->tp.retry) {
1977 return NGX_OK;
1978 }
1979
1980 if (ngx_quic_new_token(c, &token) != NGX_OK) {
1981 return NGX_ERROR;
1982 }
1983
1984 frame = ngx_quic_alloc_frame(c, 0);
1985 if (frame == NULL) {
1986 return NGX_ERROR;
1987 }
1988
1989 frame->level = ssl_encryption_application;
1990 frame->type = NGX_QUIC_FT_NEW_TOKEN;
1991 frame->u.token.length = token.len;
1992 frame->u.token.data = token.data;
1993 ngx_sprintf(frame->info, "NEW_TOKEN");
1994 ngx_quic_queue_frame(c->quic, frame);
1995
1996 return NGX_OK;
1997 }
1998
1999 static ngx_int_t
1954 ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, 2000 ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
1955 ngx_quic_ack_frame_t *ack) 2001 ngx_quic_ack_frame_t *ack)
1956 { 2002 {
1957 ssize_t n; 2003 ssize_t n;
1958 u_char *pos, *end; 2004 u_char *pos, *end;
2402 /* 12.4 Frames and frame types, figure 8 */ 2448 /* 12.4 Frames and frame types, figure 8 */
2403 frame->level = ssl_encryption_application; 2449 frame->level = ssl_encryption_application;
2404 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE; 2450 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE;
2405 ngx_sprintf(frame->info, "HANDSHAKE DONE on handshake completed"); 2451 ngx_sprintf(frame->info, "HANDSHAKE DONE on handshake completed");
2406 ngx_quic_queue_frame(c->quic, frame); 2452 ngx_quic_queue_frame(c->quic, frame);
2453
2454 if (ngx_quic_send_new_token(c) != NGX_OK) {
2455 return NGX_ERROR;
2456 }
2407 2457
2408 /* 2458 /*
2409 * Generating next keys before a key update is received. 2459 * Generating next keys before a key update is received.
2410 * See quic-tls 9.4 Header Protection Timing Side-Channels. 2460 * See quic-tls 9.4 Header Protection Timing Side-Channels.
2411 */ 2461 */
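Review bot: The new token branch in ngx_quic_new_connection (new lines 647-658) drops the connection with `return NGX_ERROR` for any token that ngx_quic_validate_token rejects, yet the same token generator (ngx_quic_new_token) is now also used for NEW_TOKEN frames, where a stale, rotated-key or foreign token is an expected client condition rather than a hostile one; as I read the transport draft, an invalid token SHOULD be treated as an unvalidated address (proceed, or Retry if enabled), and closing with INVALID_TOKEN is reserved for tokens known to have come from a Retry packet. Unless ngx_quic_validate_token, which is outside this hunk, distinguishes Retry-issued tokens, I would let both NGX_ERROR and NGX_DECLINED fall through to the existing `tp->retry` decision rather than fail hard. A related wrinkle is that the NGX_DECLINED path sends a Retry even when `tp->retry` is off, so the retry policy is applied inconsistently depending on whether the client happened to present a token. The rewrite below folds the two outcomes into one decision; note that `rc` must then be initialized, since the original only assigns it inside the token branch. The body of ngx_quic_new_connection begins and ends outside the hunk.
```c
    /* … unchanged: connection, key and transport-parameter setup … */

    /* assume the address is unvalidated until a token proves otherwise */
    rc = NGX_DECLINED;

    if (pkt->token.len) {
        rc = ngx_quic_validate_token(c, pkt);

        if (rc == NGX_ERROR) {
            /*
             * Not fatal: a NEW_TOKEN token may be stale or from another
             * key; only a token known to come from Retry would justify
             * an INVALID_TOKEN close.
             */
            ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");

        } else if (rc == NGX_DECLINED) {
            ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
        }
    }

    /* one place decides whether an unvalidated address gets a Retry */
    if (rc != NGX_OK && tp->retry) {
        return ngx_quic_retry(c);
    }

    pkt->secret = &keys->client;
    /* … unchanged: rest of ngx_quic_new_connection … */
```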