nginx: src/event/quic/ngx_event

comparison src/event/quic/ngx_event_quic.c @ 8686:dffb66fb783b quic

QUIC: stateless retry. Previously, quic connection object was created when Retry packet was sent. This is neither necessary nor convenient, and contradicts the idea of retry: protecting from bad clients and saving server resources. Now, the connection is not created, token is verified cryptographically instead of holding it in connection.

author	Vladimir Homutov <vl@nginx.com>
date	Fri, 29 Jan 2021 15:53:47 +0300
parents	7df607cb2d11
children	1c6343bd7933

comparison

equal deleted inserted replaced

-:dbe33ef9cd9a
+:dffb66fb783b
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_event.h>
 #include <ngx_event_quic_transport.h>
 #include <ngx_event_quic_protection.h>
+#include <ngx_sha1.h>
 /*  0-RTT and 1-RTT data exist in the same packet number space,
 *  so we have 3 packet number spaces:
 *
 uint32_t                          version;
 ngx_str_t                         scid;  /* initial client ID */
 ngx_str_t                         dcid;  /* server (our own) ID */
 ngx_str_t                         odcid; /* original server ID */
-ngx_str_t                         token;
 struct sockaddr                  *sockaddr;
 socklen_t                         socklen;
 ngx_queue_t                       client_ids;
 unsigned                          error_app:1;
 unsigned                          send_timer_set:1;
 unsigned                          closing:1;
 unsigned                          draining:1;
 unsigned                          key_phase:1;
-unsigned                          in_retry:1;
-unsigned                          initialized:1;
 unsigned                          validated:1;
 } ngx_quic_connection_t;
 typedef struct {
 ngx_quic_header_t *inpkt);
 static ngx_int_t ngx_quic_create_server_id(ngx_connection_t *c, u_char *id);
 #if (NGX_QUIC_BPF)
 static ngx_int_t ngx_quic_bpf_attach_id(ngx_connection_t *c, u_char *id);
 #endif
-static ngx_int_t ngx_quic_send_retry(ngx_connection_t *c);
+static ngx_int_t ngx_quic_send_retry(ngx_connection_t *c,
-static ngx_int_t ngx_quic_new_token(ngx_connection_t *c, ngx_str_t *token);
+ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_new_token(ngx_connection_t *c, u_char *key,
+ngx_str_t *token, ngx_str_t *odcid, time_t expires, ngx_uint_t is_retry);
+static void ngx_quic_address_hash(ngx_connection_t *c, ngx_uint_t no_port,
+u_char buf[20]);
 static ngx_int_t ngx_quic_validate_token(ngx_connection_t *c,
-ngx_quic_header_t *pkt);
+u_char *key, ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_init_connection(ngx_connection_t *c);
 static ngx_inline size_t ngx_quic_max_udp_payload(ngx_connection_t *c);
 static void ngx_quic_input_handler(ngx_event_t *rev);
 static void ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc);
 static ngx_int_t ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b,
 ngx_quic_conf_t *conf);
 static ngx_int_t ngx_quic_process_packet(ngx_connection_t *c,
 ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
-static ngx_int_t ngx_quic_init_secrets(ngx_connection_t *c);
+static ngx_int_t ngx_quic_send_early_cc(ngx_connection_t *c,
+ngx_quic_header_t *inpkt, ngx_uint_t err, const char *reason);
 static void ngx_quic_discard_ctx(ngx_connection_t *c,
 enum ssl_encryption_level_t level);
 static ngx_int_t ngx_quic_check_peer(ngx_quic_connection_t *qc,
 ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_payload_handler(ngx_connection_t *c,
 }
 p = ngx_slprintf(p, last, "%s", qc->closing ? " closing" : "");
 p = ngx_slprintf(p, last, "%s", qc->draining ? " draining" : "");
 p = ngx_slprintf(p, last, "%s", qc->key_phase ? " kp" : "");
-p = ngx_slprintf(p, last, "%s", qc->in_retry ? " retry" : "");
 p = ngx_slprintf(p, last, "%s", qc->validated? " valid" : "");
 } else {
 p = ngx_slprintf(p, last, " early");
 }
 return;
 }
 qc = ngx_quic_get_connection(c);
-ngx_add_timer(c->read, qc->in_retry ? NGX_QUIC_RETRY_TIMEOUT
+if (qc == NULL) {
-: qc->tp.max_idle_timeout);
+ngx_quic_close_connection(c, NGX_DONE);
+return;
+}
+ngx_add_timer(c->read, qc->tp.max_idle_timeout);
+ngx_quic_connstate_dbg(c);
 c->read->handler = ngx_quic_input_handler;
-ngx_quic_connstate_dbg(c);
 return;
 }
 static ngx_quic_connection_t *
 ngx_max(2 * qc->tp.max_udp_payload_size,
 14720));
 qc->congestion.ssthresh = (size_t) -1;
 qc->congestion.recovery_start = ngx_current_msec;
-qc->odcid.len = pkt->dcid.len;
+qc->odcid.len = pkt->odcid.len;
-qc->odcid.data = ngx_pstrdup(c->pool, &pkt->dcid);
+qc->odcid.data = ngx_pstrdup(c->pool, &pkt->odcid);
 if (qc->odcid.data == NULL) {
 return NULL;
 }
 qc->dcid.len = NGX_QUIC_SERVER_CID_LEN;
 #if (NGX_QUIC_DRAFT_VERSION >= 28)
 qc->tp.original_dcid = qc->odcid;
 #endif
 qc->tp.initial_scid = qc->dcid;
+if (pkt->validated && pkt->retried) {
+qc->tp.retry_scid.len = pkt->dcid.len;
+qc->tp.retry_scid.data = ngx_pstrdup(c->pool, &pkt->dcid);
+if (qc->tp.retry_scid.data == NULL) {
+return NULL;
+}
+}
 qc->scid.len = pkt->scid.len;
-qc->scid.data = ngx_pnalloc(c->pool, qc->scid.len);
+qc->scid.data = ngx_pstrdup(c->pool, &pkt->scid);
 if (qc->scid.data == NULL) {
 return NULL;
 }
-ngx_memcpy(qc->scid.data, pkt->scid.data, qc->scid.len);
 cid = ngx_quic_alloc_client_id(c, qc);
 if (cid == NULL) {
 return NULL;
 }
 ngx_queue_insert_tail(&qc->client_ids, &cid->queue);
 qc->nclient_ids++;
 qc->client_seqnum = 0;
 qc->server_seqnum = NGX_QUIC_UNSET_PN;
+if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid)
+!= NGX_OK)
+{
+return NULL;
+}
+c->udp = &qc->udp;
+if (ngx_quic_insert_server_id(c, &qc->odcid) == NULL) {
+return NULL;
+}
+qc->server_seqnum = 0;
+if (ngx_quic_insert_server_id(c, &qc->dcid) == NULL) {
+return NULL;
+}
+qc->validated = pkt->validated;
 return qc;
 }
 #endif
 static ngx_int_t
-ngx_quic_send_retry(ngx_connection_t *c)
+ngx_quic_send_retry(ngx_connection_t *c, ngx_quic_conf_t *conf,
-{
+ngx_quic_header_t *inpkt)
-ssize_t                 len;
+{
-ngx_str_t               res, token;
+time_t             expires;
-ngx_quic_header_t       pkt;
+ssize_t            len;
-ngx_quic_connection_t  *qc;
+ngx_str_t          res, token;
-u_char                  buf[NGX_QUIC_RETRY_BUFFER_SIZE];
+ngx_quic_header_t  pkt;
-qc = ngx_quic_get_connection(c);
+u_char             buf[NGX_QUIC_RETRY_BUFFER_SIZE];
+u_char             dcid[NGX_QUIC_SERVER_CID_LEN];
-if (ngx_quic_new_token(c, &token) != NGX_OK) {
+expires = ngx_time() + NGX_QUIC_RETRY_LIFETIME;
+if (ngx_quic_new_token(c, conf->token_key, &token, &inpkt->dcid, expires, 1)
+!= NGX_OK)
+{
 return NGX_ERROR;
 }
 ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
 pkt.flags = NGX_QUIC_PKT_FIXED_BIT | NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_RETRY;
-pkt.version = qc->version;
+pkt.version = inpkt->version;
 pkt.log = c->log;
-pkt.odcid = qc->odcid;
-pkt.dcid = qc->scid;
+pkt.odcid = inpkt->dcid;
-pkt.scid = qc->dcid;
+pkt.dcid = inpkt->scid;
+/* TODO: generate routable dcid */
+if (RAND_bytes(dcid, NGX_QUIC_SERVER_CID_LEN) != 1) {
+return NGX_ERROR;
+}
+pkt.scid.len = NGX_QUIC_SERVER_CID_LEN;
+pkt.scid.data = dcid;
 pkt.token = token;
 res.data = buf;
 if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
 len = ngx_quic_send(c, res.data, res.len);
 if (len == NGX_ERROR) {
 return NGX_ERROR;
 }
-qc->token = token;
+ngx_log_debug(NGX_LOG_DEBUG_EVENT, c->log, 0,
-#if (NGX_QUIC_DRAFT_VERSION < 28)
+"quic retry packet sent to %xV", &pkt.dcid);
-qc->tp.original_dcid = qc->odcid;
-#endif
+/*
-qc->tp.retry_scid = qc->dcid;
+* quic-transport 17.2.5.1:  A server MUST NOT send more than one Retry
-qc->in_retry = 1;
+* packet in response to a single UDP datagram.
+* NGX_DONE will stop quic_input() from processing further
-if (ngx_quic_insert_server_id(c, &qc->dcid) == NULL) {
+*/
-return NGX_ERROR;
+return NGX_DONE;
-}
-return NGX_OK;
 }
 static ngx_int_t
-ngx_quic_new_token(ngx_connection_t *c, ngx_str_t *token)
+ngx_quic_new_token(ngx_connection_t *c, u_char *key, ngx_str_t *token,
-{
+ngx_str_t *odcid, time_t exp, ngx_uint_t is_retry)
-int                     len, iv_len;
+{
-u_char                 *data, *p, *key, *iv;
+int                len, iv_len;
-ngx_msec_t              now;
+u_char            *p, *iv;
-EVP_CIPHER_CTX         *ctx;
+EVP_CIPHER_CTX    *ctx;
-const EVP_CIPHER       *cipher;
+const EVP_CIPHER  *cipher;
-struct sockaddr_in     *sin;
-#if (NGX_HAVE_INET6)
+u_char             in[NGX_QUIC_MAX_TOKEN_SIZE];
-struct sockaddr_in6    *sin6;
-#endif
+ngx_quic_address_hash(c, !is_retry, in);
-ngx_quic_connection_t  *qc;
-u_char                  in[NGX_QUIC_MAX_TOKEN_SIZE];
+p = in + 20;
-switch (c->sockaddr->sa_family) {
+p = ngx_cpymem(p, &exp, sizeof(time_t));
-#if (NGX_HAVE_INET6)
+*p++ = is_retry ? 1 : 0;
-case AF_INET6:
-sin6 = (struct sockaddr_in6 *) c->sockaddr;
+if (odcid) {
+*p++ = odcid->len;
-len = sizeof(struct in6_addr);
+p = ngx_cpymem(p, odcid->data, odcid->len);
-data = sin6->sin6_addr.s6_addr;
+} else {
-break;
+*p++ = 0;
-#endif
+}
-#if (NGX_HAVE_UNIX_DOMAIN)
+len = p - in;
-case AF_UNIX:
-len = ngx_min(c->addr_text.len, NGX_QUIC_MAX_TOKEN_SIZE - sizeof(now));
-data = c->addr_text.data;
-break;
-#endif
-default: /* AF_INET */
-sin = (struct sockaddr_in *) c->sockaddr;
-len = sizeof(in_addr_t);
-data = (u_char *) &sin->sin_addr;
-break;
-}
-p = ngx_cpymem(in, data, len);
-now = ngx_current_msec;
-len += sizeof(now);
-ngx_memcpy(p, &now, sizeof(now));
 cipher = EVP_aes_256_cbc();
 iv_len = EVP_CIPHER_iv_length(cipher);
 token->len = iv_len + len + EVP_CIPHER_block_size(cipher);
 ctx = EVP_CIPHER_CTX_new();
 if (ctx == NULL) {
 return NGX_ERROR;
 }
-qc = ngx_quic_get_connection(c);
-key = qc->conf->token_key;
 iv = token->data;
 if (RAND_bytes(iv, iv_len) <= 0
 || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv))
 {
 return NGX_OK;
 }
+static void
+ngx_quic_address_hash(ngx_connection_t *c, ngx_uint_t no_port, u_char buf[20])
+{
+size_t                len;
+u_char               *data;
+ngx_sha1_t            sha1;
+struct sockaddr_in   *sin;
+#if (NGX_HAVE_INET6)
+struct sockaddr_in6  *sin6;
+#endif
+len = (size_t) c->socklen;
+data = (u_char *) c->sockaddr;
+if (no_port) {
+switch (c->sockaddr->sa_family) {
+#if (NGX_HAVE_INET6)
+case AF_INET6:
+sin6 = (struct sockaddr_in6 *) c->sockaddr;
+len = sizeof(struct in6_addr);
+data = sin6->sin6_addr.s6_addr;
+break;
+#endif
+case AF_INET:
+sin = (struct sockaddr_in *) c->sockaddr;
+len = sizeof(in_addr_t);
+data = (u_char *) &sin->sin_addr;
+break;
+}
+}
+ngx_sha1_init(&sha1);
+ngx_sha1_update(&sha1, data, len);
+ngx_sha1_final(buf, &sha1);
+}
 static ngx_int_t
-ngx_quic_validate_token(ngx_connection_t *c, ngx_quic_header_t *pkt)
+ngx_quic_validate_token(ngx_connection_t *c, u_char *key,
-{
+ngx_quic_header_t *pkt)
-int                     len, tlen, iv_len;
+{
-u_char                 *key, *iv, *p, *data;
+int                len, tlen, iv_len;
-ngx_msec_t              msec;
+u_char            *iv, *p;
-EVP_CIPHER_CTX         *ctx;
+time_t             now, exp;
-const EVP_CIPHER       *cipher;
+size_t             total;
-struct sockaddr_in     *sin;
+ngx_str_t          odcid;
-#if (NGX_HAVE_INET6)
+EVP_CIPHER_CTX    *ctx;
-struct sockaddr_in6    *sin6;
+const EVP_CIPHER  *cipher;
-#endif
-ngx_quic_connection_t  *qc;
+u_char             addr_hash[20];
-u_char                  tdec[NGX_QUIC_MAX_TOKEN_SIZE];
+u_char             tdec[NGX_QUIC_MAX_TOKEN_SIZE];
-qc = ngx_quic_get_connection(c);
+/* Retry token or NEW_TOKEN in a previous connection */
-/* Retry token */
-if (qc->token.len) {
-if (pkt->token.len != qc->token.len) {
-goto bad_token;
-}
-if (ngx_memcmp(pkt->token.data, qc->token.data, pkt->token.len) != 0) {
-goto bad_token;
-}
-return NGX_OK;
-}
-/* NEW_TOKEN in a previous connection */
 cipher = EVP_aes_256_cbc();
-key = qc->conf->token_key;
 iv = pkt->token.data;
 iv_len = EVP_CIPHER_iv_length(cipher);
 /* sanity checks */
 if (pkt->token.len < (size_t) iv_len + EVP_CIPHER_block_size(cipher)) {
-goto bad_token;
+goto garbage;
 }
 if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE) {
-goto bad_token;
+goto garbage;
 }
 ctx = EVP_CIPHER_CTX_new();
 if (ctx == NULL) {
 return NGX_ERROR;
 p = pkt->token.data + iv_len;
 len = pkt->token.len - iv_len;
 if (EVP_DecryptUpdate(ctx, tdec, &len, p, len) != 1) {
 EVP_CIPHER_CTX_free(ctx);
-goto bad_token;
+goto garbage;
 }
+total = len;
 if (EVP_DecryptFinal_ex(ctx, tdec + len, &tlen) <= 0) {
 EVP_CIPHER_CTX_free(ctx);
+goto garbage;
+}
+total += tlen;
+EVP_CIPHER_CTX_free(ctx);
+if (total < (20 + sizeof(time_t) + 2)) {
+goto garbage;
+}
+p = tdec + 20;
+ngx_memcpy(&exp, p, sizeof(time_t));
+p += sizeof(time_t);
+pkt->retried = (*p++ == 1);
+ngx_quic_address_hash(c, !pkt->retried, addr_hash);
+if (ngx_memcmp(tdec, addr_hash, 20) != 0) {
 goto bad_token;
 }
-EVP_CIPHER_CTX_free(ctx);
+odcid.len = *p++;
+if (odcid.len) {
-switch (c->sockaddr->sa_family) {
+if (odcid.len > NGX_QUIC_MAX_CID_LEN) {
+goto bad_token;
-#if (NGX_HAVE_INET6)
+}
-case AF_INET6:
-sin6 = (struct sockaddr_in6 *) c->sockaddr;
+if ((size_t)(tdec + total - p) < odcid.len) {
+goto bad_token;
-len = sizeof(struct in6_addr);
+}
-data = sin6->sin6_addr.s6_addr;
+odcid.data = p;
-break;
+p += odcid.len;
-#endif
+}
-#if (NGX_HAVE_UNIX_DOMAIN)
+now = ngx_time();
-case AF_UNIX:
+if (now > exp) {
-len = ngx_min(c->addr_text.len, NGX_QUIC_MAX_TOKEN_SIZE - sizeof(msec));
-data = c->addr_text.data;
-break;
-#endif
-default: /* AF_INET */
-sin = (struct sockaddr_in *) c->sockaddr;
-len = sizeof(in_addr_t);
-data = (u_char *) &sin->sin_addr;
-break;
-}
-if (ngx_memcmp(tdec, data, len) != 0) {
-goto bad_token;
-}
-ngx_memcpy(&msec, tdec + len, sizeof(msec));
-if (ngx_current_msec - msec > NGX_QUIC_RETRY_LIFETIME) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token");
 return NGX_DECLINED;
 }
+if (odcid.len) {
+pkt->odcid.len = odcid.len;
+pkt->odcid.data = ngx_pstrdup(c->pool, &odcid);
+if (pkt->odcid.data == NULL) {
+return NGX_ERROR;
+}
+} else {
+pkt->odcid = pkt->dcid;
+}
+pkt->validated = 1;
 return NGX_OK;
+garbage:
+ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token");
+return NGX_ABORT;
 bad_token:
 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token");
-qc->error = NGX_QUIC_ERR_INVALID_TOKEN;
-qc->error_reason = "invalid_token";
 return NGX_DECLINED;
 }
 "quic ngx_quic_close_connection rc:%i", rc);
 qc = ngx_quic_get_connection(c);
 if (qc == NULL) {
-ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+if (rc == NGX_ERROR) {
-"quic close connection early error");
+ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+"quic close connection early error");
+}
 } else if (ngx_quic_close_quic(c, rc) == NGX_AGAIN) {
 return;
 }
 }
 #endif
 if (rc == NGX_ERROR) {
 return NGX_ERROR;
+}
+if (rc == NGX_DONE) {
+/* stop further processing */
+return NGX_DECLINED;
 }
 if (rc == NGX_OK) {
 good = 1;
 }
 }
 return NGX_DECLINED;
 }
-if (qc->in_retry) {
-c->log->action = "retrying quic connection";
-if (pkt->level != ssl_encryption_initial) {
-ngx_log_error(NGX_LOG_INFO, c->log, 0,
-"quic discard late retry packet");
-return NGX_DECLINED;
-}
-if (!pkt->token.len) {
-ngx_log_error(NGX_LOG_INFO, c->log, 0,
-"quic discard retry packet without token");
-return NGX_DECLINED;
-}
-qc->odcid.len = pkt->dcid.len;
-qc->odcid.data = ngx_pstrdup(c->pool, &pkt->dcid);
-if (qc->odcid.data == NULL) {
-return NGX_ERROR;
-}
-ngx_quic_clear_temp_server_ids(c);
-qc->dcid.len = NGX_QUIC_SERVER_CID_LEN;
-qc->dcid.data = ngx_pnalloc(c->pool, qc->dcid.len);
-if (qc->dcid.data == NULL) {
-return NGX_ERROR;
-}
-if (ngx_quic_create_server_id(c, qc->dcid.data) != NGX_OK) {
-return NGX_ERROR;
-}
-qc->server_seqnum = 0;
-if (ngx_quic_insert_server_id(c, &qc->dcid) == NULL) {
-return NGX_ERROR;
-}
-qc->tp.initial_scid = qc->dcid;
-qc->in_retry = 0;
-if (ngx_quic_init_secrets(c) != NGX_OK) {
-return NGX_ERROR;
-}
-if (ngx_quic_validate_token(c, pkt) != NGX_OK) {
-return NGX_ERROR;
-}
-qc->validated = 1;
-}
 } else {
 if (rc == NGX_ABORT) {
 return ngx_quic_negotiate_version(c, pkt);
 }
 if (pkt->level == ssl_encryption_initial) {
+c->log->action = "processing initial packet";
-c->log->action = "creating quic connection";
 if (pkt->dcid.len < NGX_QUIC_CID_LEN_MIN) {
 /* 7.2.  Negotiating Connection IDs */
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "quic too short dcid in initial"
 " packet: len:%i", pkt->dcid.len);
 return NGX_ERROR;
 }
+/* process retry and initialize connection IDs */
+if (pkt->token.len) {
+rc = ngx_quic_validate_token(c, conf->token_key, pkt);
+if (rc == NGX_ERROR) {
+/* internal error */
+return NGX_ERROR;
+} else if (rc == NGX_ABORT) {
+/* token cannot be decrypted */
+return ngx_quic_send_early_cc(c, pkt,
+NGX_QUIC_ERR_INVALID_TOKEN,
+"cannot decrypt token");
+} else if (rc == NGX_DECLINED) {
+/* token is invalid */
+if (pkt->retried) {
+/* invalid Retry token */
+return ngx_quic_send_early_cc(c, pkt,
+NGX_QUIC_ERR_INVALID_TOKEN,
+"invalid token");
+} else if (conf->retry) {
+/* invalid NEW_TOKEN */
+return ngx_quic_send_retry(c, conf, pkt);
+}
+}
+/* NGX_OK */
+} else if (conf->retry) {
+return ngx_quic_send_retry(c, conf, pkt);
+} else {
+pkt->odcid = pkt->dcid;
+}
+if (ngx_terminate || ngx_exiting) {
+if (conf->retry) {
+return ngx_quic_send_retry(c, conf, pkt);
+}
+return NGX_ERROR;
+}
+c->log->action = "creating quic connection";
 qc = ngx_quic_new_connection(c, conf, pkt);
 if (qc == NULL) {
-return NGX_ERROR;
-}
-c->udp = &qc->udp;
-if (ngx_terminate || ngx_exiting) {
-qc->error = NGX_QUIC_ERR_CONNECTION_REFUSED;
-return NGX_ERROR;
-}
-if (pkt->token.len) {
-rc = ngx_quic_validate_token(c, pkt);
-if (rc == NGX_OK) {
-qc->validated = 1;
-} else if (rc == NGX_ERROR) {
-return NGX_ERROR;
-} else {
-/* NGX_DECLINED */
-if (conf->retry) {
-return ngx_quic_send_retry(c);
-}
-}
-} else if (conf->retry) {
-return ngx_quic_send_retry(c);
-}
-if (ngx_quic_init_secrets(c) != NGX_OK) {
-return NGX_ERROR;
-}
-if (ngx_quic_insert_server_id(c, &qc->odcid) == NULL) {
-return NGX_ERROR;
-}
-qc->server_seqnum = 0;
-if (ngx_quic_insert_server_id(c, &qc->dcid) == NULL) {
 return NGX_ERROR;
 }
 } else if (pkt->level == ssl_encryption_application) {
 return ngx_quic_send_stateless_reset(c, conf, pkt);
 return ngx_quic_keys_update(c, qc->keys);
 }
 static ngx_int_t
-ngx_quic_init_secrets(ngx_connection_t *c)
+ngx_quic_send_early_cc(ngx_connection_t *c, ngx_quic_header_t *inpkt,
-{
+ngx_uint_t err, const char *reason)
-ngx_quic_connection_t  *qc;
+{
+ssize_t            len;
-qc = ngx_quic_get_connection(c);
+ngx_str_t          res;
+ngx_quic_frame_t   frame;
-if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &qc->odcid)
+ngx_quic_header_t  pkt;
+static u_char       src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+static u_char       dst[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
+ngx_memzero(&frame, sizeof(ngx_quic_frame_t));
+ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
+frame.level = inpkt->level;
+frame.type = NGX_QUIC_FT_CONNECTION_CLOSE;
+frame.u.close.error_code = err;
+frame.u.close.reason.data = (u_char *) reason;
+frame.u.close.reason.len = ngx_strlen(reason);
+len = ngx_quic_create_frame(NULL, &frame);
+if (len > NGX_QUIC_MAX_UDP_PAYLOAD_SIZE) {
+return NGX_ERROR;
+}
+ngx_quic_log_frame(c->log, &frame, 1);
+len = ngx_quic_create_frame(src, &frame);
+if (len == -1) {
+return NGX_ERROR;
+}
+pkt.keys = ngx_quic_keys_new(c->pool);
+if (pkt.keys == NULL) {
+return NGX_ERROR;
+}
+if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid)
 != NGX_OK)
 {
 return NGX_ERROR;
 }
-qc->initialized = 1;
+pkt.flags = NGX_QUIC_PKT_FIXED_BIT | NGX_QUIC_PKT_LONG
+| NGX_QUIC_PKT_INITIAL;
+pkt.num_len = 1;
+/*
+* pkt.num = 0;
+* pkt.trunc = 0;
+*/
+pkt.version = inpkt->version;
+pkt.log = c->log;
+pkt.level = inpkt->level;
+pkt.dcid = inpkt->scid;
+pkt.scid = inpkt->dcid;
+pkt.payload.data = src;
+pkt.payload.len = len;
+res.data = dst;
+if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
+return NGX_ERROR;
+}
+if (ngx_quic_send(c, res.data, res.len) == NGX_ERROR) {
+return NGX_ERROR;
+}
 return NGX_OK;
 }
 if (qc->draining) {
 return NGX_OK;
 }
-if (!qc->initialized) {
-/* try to initialize secrets to send an early error */
-if (ngx_quic_init_secrets(c) != NGX_OK) {
-return NGX_OK;
-}
-}
 if (qc->closing
 && ngx_current_msec - qc->last_cc < NGX_QUIC_CC_MIN_INTERVAL)
 {
 /* dot not send CC too often */
 return NGX_OK;
 static ngx_int_t
 ngx_quic_send_new_token(ngx_connection_t *c)
 {
+time_t                  expires;
 ngx_str_t               token;
 ngx_quic_frame_t       *frame;
 ngx_quic_connection_t  *qc;
 qc = ngx_quic_get_connection(c);
 if (!qc->conf->retry) {
 return NGX_OK;
 }
-if (ngx_quic_new_token(c, &token) != NGX_OK) {
+expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
+if (ngx_quic_new_token(c, qc->conf->token_key, &token, NULL, expires, 0)
+!= NGX_OK)
+{
 return NGX_ERROR;
 }
 frame = ngx_quic_alloc_frame(c);
 if (frame == NULL) {

Mercurial > hg > nginx

comparison src/event/quic/ngx_event_quic.c @ 8686:dffb66fb783b quic