Mercurial > hg > nginx

comparison src/event/ngx_event_quic_protection.c @ 8383:7ea34e13937f quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Address validation using Retry packets. The behaviour is toggled with the new directive "quic_retry on|off". QUIC token construction is made suitable for issuing with NEW_TOKEN.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 14 May 2020 15:47:18 +0300
parents 2d0f4aa78ed6
children 81f85c479d7e
comparison
equal deleted inserted replaced
8382:b7704303a7e5 8383:7ea34e13937f
55 55
56 static ngx_int_t ngx_quic_create_long_packet(ngx_quic_header_t *pkt, 56 static ngx_int_t ngx_quic_create_long_packet(ngx_quic_header_t *pkt,
57 ngx_ssl_conn_t *ssl_conn, ngx_str_t *res); 57 ngx_ssl_conn_t *ssl_conn, ngx_str_t *res);
58 static ngx_int_t ngx_quic_create_short_packet(ngx_quic_header_t *pkt, 58 static ngx_int_t ngx_quic_create_short_packet(ngx_quic_header_t *pkt,
59 ngx_ssl_conn_t *ssl_conn, ngx_str_t *res); 59 ngx_ssl_conn_t *ssl_conn, ngx_str_t *res);
60 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
61 ngx_str_t *res);
60 62
61 63
62 static ngx_int_t 64 static ngx_int_t
63 ngx_quic_ciphers(ngx_ssl_conn_t *ssl_conn, ngx_quic_ciphers_t *ciphers, 65 ngx_quic_ciphers(ngx_ssl_conn_t *ssl_conn, ngx_quic_ciphers_t *ciphers,
64 enum ssl_encryption_level_t level) 66 enum ssl_encryption_level_t level)
889 891
890 return NGX_OK; 892 return NGX_OK;
891 } 893 }
892 894
893 895
896 static ngx_int_t
897 ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
898 {
899 u_char *start;
900 ngx_str_t ad, itag;
901 ngx_quic_secret_t secret;
902 ngx_quic_ciphers_t ciphers;
903
904 /* 5.8. Retry Packet Integrity */
905 static u_char key[16] =
906 "\x4d\x32\xec\xdb\x2a\x21\x33\xc8"
907 "\x41\xe4\x04\x3d\xf2\x7d\x44\x30";
908 static u_char nonce[12] =
909 "\x4d\x16\x11\xd0\x55\x13"
910 "\xa5\x52\xc5\x87\xd5\x75";
911 static ngx_str_t in = ngx_string("");
912
913 ad.data = res->data;
914 ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
915
916 itag.data = ad.data + ad.len;
917
918 #ifdef NGX_QUIC_DEBUG_CRYPTO
919 ngx_quic_hexdump(pkt->log, "quic retry itag", ad.data, ad.len);
920 #endif
921
922 if (ngx_quic_ciphers(NULL, &ciphers, pkt->level) == NGX_ERROR) {
923 return NGX_ERROR;
924 }
925
926 secret.key.len = sizeof(key);
927 secret.key.data = key;
928 secret.iv.len = sizeof(nonce);
929
930 if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
931 != NGX_OK)
932 {
933 return NGX_ERROR;
934 }
935
936 res->len = itag.data + itag.len - start;
937 res->data = start;
938
939 return NGX_OK;
940 }
941
942
894 static uint64_t 943 static uint64_t
895 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, 944 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
896 uint64_t *largest_pn) 945 uint64_t *largest_pn)
897 { 946 {
898 u_char *p; 947 u_char *p;
948 ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn, 997 ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
949 ngx_str_t *res) 998 ngx_str_t *res)
950 { 999 {
951 if (ngx_quic_short_pkt(pkt->flags)) { 1000 if (ngx_quic_short_pkt(pkt->flags)) {
952 return ngx_quic_create_short_packet(pkt, ssl_conn, res); 1001 return ngx_quic_create_short_packet(pkt, ssl_conn, res);
1002 }
1003
1004 if (ngx_quic_pkt_retry(pkt->flags)) {
1005 return ngx_quic_create_retry_packet(pkt, res);
953 } 1006 }
954 1007
955 return ngx_quic_create_long_packet(pkt, ssl_conn, res); 1008 return ngx_quic_create_long_packet(pkt, ssl_conn, res);
956 } 1009 }
957 1010