Mercurial > hg > nginx-quic

view src/event/quic/ngx_event_quic_protection.h @ 8640:c4f249d485e3 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: attempt decrypt before checking for stateless reset. Checking the reset after encryption avoids false positives. More importantly, it avoids the check entirely in the usual case where decryption succeeds. RFC 9000, 10.3.1 Detecting a Stateless Reset Endpoints MAY skip this check if any packet from a datagram is successfully processed.
author Martin Duke <m.duke@f5.com>
date Tue, 12 Oct 2021 11:57:50 +0300
parents b4e6b7049984
children 3341e4089c6c
line wrap: on
line source


/*
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
#define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>

#include <ngx_event_quic_transport.h>


#define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)


ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool);
ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool,
    ngx_quic_keys_t *keys, ngx_str_t *secret, uint32_t version);
int ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write,
    ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
    enum ssl_encryption_level_t level);
void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
    enum ssl_encryption_level_t level);
void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys);
ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);


#endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */