QUIC: added stateless reset support.
The new "quic_stateless_reset_token_key" directive is added. It sets the
endpoint key used to generate stateless reset tokens and enables feature.
If the endpoint receives a short-header packet that can't be matched to an
existing connection, a stateless reset packet is generated with
a proper token.
If a valid stateless reset token is found in the incoming packet,
the connection is closed.
Example configuration:
http {
quic_stateless_reset_token_key "foo";
...
}
author | Vladimir Homutov <vl@nginx.com> |
date | Wed, 30 Sep 2020 20:54:46 +0300 |
parents | 0f37b4ef3cd9 |
children | 0e12c4aca3ab |
8561:b4ef79ef1c23 | 8562:b31c02454539 |
921 | 921 |
922 return NGX_OK; | 922 return NGX_OK; |
923 } | 923 } |
924 | 924 |
925 | 925 |
926 ngx_int_t | |
927 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, ngx_str_t *secret, | |
928 u_char *token) | |
929 { | |
930 uint8_t *p; | |
931 size_t is_len, key_len, info_len; | |
932 ngx_str_t label; | |
933 const EVP_MD *digest; | |
934 uint8_t info[20]; | |
935 uint8_t is[SHA256_DIGEST_LENGTH]; | |
936 uint8_t key[SHA256_DIGEST_LENGTH]; | |
937 | |
938 /* 10.4.2. Calculating a Stateless Reset Token */ | |
939 | |
940 digest = EVP_sha256(); | |
941 ngx_str_set(&label, "sr_token_key"); | |
942 | |
943 if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len, | |
944 cid->data, cid->len) | |
945 != NGX_OK) | |
946 { | |
947 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
948 "ngx_hkdf_extract(%V) failed", &label); | |
949 return NGX_ERROR; | |
950 } | |
951 | |
952 key_len = SHA256_DIGEST_LENGTH; | |
953 | |
954 info_len = 2 + 1 + label.len + 1; | |
955 | |
956 info[0] = 0; | |
957 info[1] = key_len; | |
958 info[2] = label.len; | |
959 | |
960 p = ngx_cpymem(&info[3], label.data, label.len); | |
961 *p = '\0'; | |
962 | |
963 if (ngx_hkdf_expand(key, key_len, digest, is, is_len, info, info_len) | |
964 != NGX_OK) | |
965 { | |
966 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
967 "ngx_hkdf_expand(%V) failed", &label); | |
968 return NGX_ERROR; | |
969 } | |
970 | |
971 ngx_memcpy(token, key, NGX_QUIC_SR_TOKEN_LEN); | |
972 | |
973 #if (NGX_DEBUG) | |
974 ngx_quic_hexdump(c->log, "quic stateless reset token", token, | |
975 NGX_QUIC_SR_TOKEN_LEN); | |
976 #endif | |
977 | |
978 return NGX_OK; | |
979 } | |
980 | |
981 | |
926 static uint64_t | 982 static uint64_t |
927 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, | 983 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, |
928 uint64_t *largest_pn) | 984 uint64_t *largest_pn) |
929 { | 985 { |
930 u_char *p; | 986 u_char *p; |