Mercurial > hg > nginx-quic
annotate src/event/quic/ngx_event_quic_protection.h @ 8728:ddd5e5c0f87d quic
QUIC: improved path validation.
Previously, path was considered valid during arbitrary selected 10m timeout
since validation. This is quite not what RFC 9000 says; the relevant
part is:
An endpoint MAY skip validation of a peer address if that
address has been seen recently.
The patch considers a path to be 'recently seen' if packets were received
during idle timeout. If a packet is received from the path that was seen
not so recently, such path is considered new, and anti-amplification
restrictions apply.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Mon, 13 Dec 2021 17:27:29 +0300 |
| parents | 3341e4089c6c |
| children | d8865baab732 |
| rev | line source |
|---|---|
|
7687
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
1 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
2 /* |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
3 * Copyright (C) Nginx, Inc. |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
4 */ |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
5 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
6 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
7 #ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
8 #define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
9 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
10 |
|
7824
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
11 #include <ngx_config.h> |
|
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
12 #include <ngx_core.h> |
|
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
13 |
|
8287
cef042935003
QUIC: the "quic_host_key" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8266
diff
changeset
|
14 #include <ngx_event_quic_transport.h> |
|
cef042935003
QUIC: the "quic_host_key" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8266
diff
changeset
|
15 |
|
7824
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
16 |
|
7772
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
17 #define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1) |
|
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
18 |
|
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
19 |
|
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
20 ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool); |
|
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
21 ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, |
|
8322
44b4c6180106
QUIC: multiple versions support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8295
diff
changeset
|
22 ngx_quic_keys_t *keys, ngx_str_t *secret, uint32_t version); |
|
8715
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
23 ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, |
|
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
24 ngx_uint_t is_write, ngx_quic_keys_t *keys, |
|
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
25 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, |
|
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
26 const uint8_t *secret, size_t secret_len); |
|
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
27 ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys, |
|
8295
d4e02b3b734f
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8287
diff
changeset
|
28 enum ssl_encryption_level_t level); |
|
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
29 void ngx_quic_keys_discard(ngx_quic_keys_t *keys, |
|
8295
d4e02b3b734f
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8287
diff
changeset
|
30 enum ssl_encryption_level_t level); |
|
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
31 void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys); |
|
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
32 ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys); |
|
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
33 ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res); |
|
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
34 ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn); |
|
7687
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
35 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
36 |
|
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
37 #endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */ |