Mercurial > hg > nginx

diff src/event/quic/ngx_event_quic.c @ 8694:cef042935003 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: the "quic_host_key" directive. The token generation in QUIC is reworked. Single host key is used to generate all required keys of needed sizes using HKDF. The "quic_stateless_reset_token_key" directive is removed. Instead, the "quic_host_key" directive is used, which reads key from file, or sets it to random bytes if not specified.
author Vladimir Homutov <vl@nginx.com>
date Mon, 08 Feb 2021 16:49:33 +0300
parents 3956bbf91002
children 0b3d70fbba99
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -225,6 +225,8 @@ static ngx_quic_connection_t *ngx_quic_n
     ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_send_stateless_reset(ngx_connection_t *c,
     ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
+static ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
+    u_char *secret, u_char *token);
 static ngx_int_t ngx_quic_process_stateless_reset(ngx_connection_t *c,
     ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_negotiate_version(ngx_connection_t *c,
@@ -1245,7 +1247,7 @@ ngx_quic_send_stateless_reset(ngx_connec
 
     token = &buf[len - NGX_QUIC_SR_TOKEN_LEN];
 
-    if (ngx_quic_new_sr_token(c, &pkt->dcid, &conf->sr_token_key, token)
+    if (ngx_quic_new_sr_token(c, &pkt->dcid, conf->sr_token_key, token)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -1258,6 +1260,32 @@ ngx_quic_send_stateless_reset(ngx_connec
 
 
 static ngx_int_t
+ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
+    u_char *token)
+{
+    ngx_str_t tmp;
+
+    tmp.data = secret;
+    tmp.len = NGX_QUIC_SR_KEY_LEN;
+
+    if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
+                            NGX_QUIC_SR_TOKEN_LEN)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+#if (NGX_DEBUG)
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "quic stateless reset token %*xs",
+                    (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
+#endif
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_quic_process_stateless_reset(ngx_connection_t *c, ngx_quic_header_t *pkt)
 {
     u_char                 *tail, ch;
@@ -1391,9 +1419,10 @@ ngx_quic_send_retry(ngx_connection_t *c,
     u_char             buf[NGX_QUIC_RETRY_BUFFER_SIZE];
     u_char             dcid[NGX_QUIC_SERVER_CID_LEN];
 
-    expires = ngx_time() + NGX_QUIC_RETRY_LIFETIME;
-
-    if (ngx_quic_new_token(c, conf->token_key, &token, &inpkt->dcid, expires, 1)
+    expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME;
+
+    if (ngx_quic_new_token(c, conf->av_token_key, &token, &inpkt->dcid,
+                           expires, 1)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -1723,7 +1752,7 @@ ngx_quic_init_connection(ngx_connection_
     }
 #endif
 
-    if (ngx_quic_new_sr_token(c, &qc->dcid, &qc->conf->sr_token_key,
+    if (ngx_quic_new_sr_token(c, &qc->dcid, qc->conf->sr_token_key,
                               qc->tp.sr_token)
         != NGX_OK)
     {
@@ -2235,7 +2264,7 @@ ngx_quic_process_packet(ngx_connection_t
 
     if (pkt->level == ssl_encryption_initial) {
         ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                       "quic token len:%uz %xV",
+                       "quic address validation token len:%uz %xV",
                        pkt->token.len, &pkt->token);
     }
 #endif
@@ -2306,7 +2335,7 @@ ngx_quic_process_packet(ngx_connection_t
 
     if (pkt->token.len) {
 
-        rc = ngx_quic_validate_token(c, conf->token_key, pkt);
+        rc = ngx_quic_validate_token(c, conf->av_token_key, pkt);
 
         if (rc == NGX_ERROR) {
             /* internal error */
@@ -2321,10 +2350,10 @@ ngx_quic_process_packet(ngx_connection_t
             /* token is invalid */
 
             if (pkt->retried) {
-                /* invalid Retry token */
+                /* invalid address validation token */
                 return ngx_quic_send_early_cc(c, pkt,
                                           NGX_QUIC_ERR_INVALID_TOKEN,
-                                          "invalid token");
+                                          "invalid address validation token");
             } else if (conf->retry) {
                 /* invalid NEW_TOKEN */
                 return ngx_quic_send_retry(c, conf, pkt);
@@ -3286,7 +3315,7 @@ ngx_quic_send_new_token(ngx_connection_t
 
     expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
 
-    if (ngx_quic_new_token(c, qc->conf->token_key, &token, NULL, expires, 0)
+    if (ngx_quic_new_token(c, qc->conf->av_token_key, &token, NULL, expires, 0)
         != NGX_OK)
     {
         return NGX_ERROR;
@@ -4667,7 +4696,7 @@ ngx_quic_issue_server_ids(ngx_connection
         frame->u.ncid.len = NGX_QUIC_SERVER_CID_LEN;
         ngx_memcpy(frame->u.ncid.cid, id, NGX_QUIC_SERVER_CID_LEN);
 
-        if (ngx_quic_new_sr_token(c, &dcid, &qc->conf->sr_token_key,
+        if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key,
                                   frame->u.ncid.srt)
             != NGX_OK)
         {