Mercurial > hg > nginx

diff src/event/ngx_event_quic_protection.c @ 8383:7ea34e13937f quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Address validation using Retry packets. The behaviour is toggled with the new directive "quic_retry on|off". QUIC token construction is made suitable for issuing with NEW_TOKEN.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 14 May 2020 15:47:18 +0300
parents 2d0f4aa78ed6
children 81f85c479d7e
line wrap: on
line diff
--- a/src/event/ngx_event_quic_protection.c
+++ b/src/event/ngx_event_quic_protection.c
@@ -57,6 +57,8 @@ static ngx_int_t ngx_quic_create_long_pa
     ngx_ssl_conn_t *ssl_conn, ngx_str_t *res);
 static ngx_int_t ngx_quic_create_short_packet(ngx_quic_header_t *pkt,
     ngx_ssl_conn_t *ssl_conn, ngx_str_t *res);
+static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
+    ngx_str_t *res);
 
 
 static ngx_int_t
@@ -891,6 +893,53 @@ ngx_quic_create_short_packet(ngx_quic_he
 }
 
 
+static ngx_int_t
+ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
+{
+    u_char              *start;
+    ngx_str_t            ad, itag;
+    ngx_quic_secret_t    secret;
+    ngx_quic_ciphers_t   ciphers;
+
+    /* 5.8.  Retry Packet Integrity */
+    static u_char     key[16] =
+        "\x4d\x32\xec\xdb\x2a\x21\x33\xc8"
+        "\x41\xe4\x04\x3d\xf2\x7d\x44\x30";
+    static u_char     nonce[12] =
+        "\x4d\x16\x11\xd0\x55\x13"
+        "\xa5\x52\xc5\x87\xd5\x75";
+    static ngx_str_t  in = ngx_string("");
+
+    ad.data = res->data;
+    ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
+
+    itag.data = ad.data + ad.len;
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
+    ngx_quic_hexdump(pkt->log, "quic retry itag", ad.data, ad.len);
+#endif
+
+    if (ngx_quic_ciphers(NULL, &ciphers, pkt->level) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    secret.key.len = sizeof(key);
+    secret.key.data = key;
+    secret.iv.len = sizeof(nonce);
+
+    if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+    res->len = itag.data + itag.len - start;
+    res->data = start;
+
+    return NGX_OK;
+}
+
+
 static uint64_t
 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
     uint64_t *largest_pn)
@@ -952,6 +1001,10 @@ ngx_quic_encrypt(ngx_quic_header_t *pkt,
         return ngx_quic_create_short_packet(pkt, ssl_conn, res);
     }
 
+    if (ngx_quic_pkt_retry(pkt->flags)) {
+        return ngx_quic_create_retry_packet(pkt, res);
+    }
+
     return ngx_quic_create_long_packet(pkt, ssl_conn, res);
 }