Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_ssl.c @ 8763:4117aa7fa38e quic
QUIC: connection migration.
The patch adds proper transitions between multiple networking addresses that
can be used by a single quic connection. New networking paths are validated
using PATH_CHALLENGE/PATH_RESPONSE frames.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Thu, 29 Apr 2021 15:35:02 +0300 |
| parents | 46161c610919 |
| children | b3f6ad181df4 |
comparison
equal
deleted
inserted
replaced
| 8762:12f18e0bca09 | 8763:4117aa7fa38e |
|---|---|
| 389 /* 12.4 Frames and frame types, figure 8 */ | 389 /* 12.4 Frames and frame types, figure 8 */ |
| 390 frame->level = ssl_encryption_application; | 390 frame->level = ssl_encryption_application; |
| 391 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE; | 391 frame->type = NGX_QUIC_FT_HANDSHAKE_DONE; |
| 392 ngx_quic_queue_frame(qc, frame); | 392 ngx_quic_queue_frame(qc, frame); |
| 393 | 393 |
| 394 if (ngx_quic_send_new_token(c) != NGX_OK) { | 394 if (qc->conf->retry) { |
| 395 return NGX_ERROR; | 395 if (ngx_quic_send_new_token(c, qc->socket->path) != NGX_OK) { |
| 396 return NGX_ERROR; | |
| 397 } | |
| 396 } | 398 } |
| 397 | 399 |
| 398 /* | 400 /* |
| 399 * Generating next keys before a key update is received. | 401 * Generating next keys before a key update is received. |
| 400 * See quic-tls 9.4 Header Protection Timing Side-Channels. | 402 * See quic-tls 9.4 Header Protection Timing Side-Channels. |
| 408 * 4.10.2 An endpoint MUST discard its handshake keys | 410 * 4.10.2 An endpoint MUST discard its handshake keys |
| 409 * when the TLS handshake is confirmed | 411 * when the TLS handshake is confirmed |
| 410 */ | 412 */ |
| 411 ngx_quic_discard_ctx(c, ssl_encryption_handshake); | 413 ngx_quic_discard_ctx(c, ssl_encryption_handshake); |
| 412 | 414 |
| 413 if (ngx_quic_issue_server_ids(c) != NGX_OK) { | 415 /* start accepting clients on negotiated number of server ids */ |
| 416 if (ngx_quic_create_sockets(c) != NGX_OK) { | |
| 414 return NGX_ERROR; | 417 return NGX_ERROR; |
| 415 } | 418 } |
| 416 | 419 |
| 417 return NGX_OK; | 420 return NGX_OK; |
| 418 } | 421 } |
| 422 ngx_quic_init_connection(ngx_connection_t *c) | 425 ngx_quic_init_connection(ngx_connection_t *c) |
| 423 { | 426 { |
| 424 u_char *p; | 427 u_char *p; |
| 425 size_t clen; | 428 size_t clen; |
| 426 ssize_t len; | 429 ssize_t len; |
| 430 ngx_str_t dcid; | |
| 427 ngx_ssl_conn_t *ssl_conn; | 431 ngx_ssl_conn_t *ssl_conn; |
| 428 ngx_quic_connection_t *qc; | 432 ngx_quic_connection_t *qc; |
| 429 | 433 |
| 430 qc = ngx_quic_get_connection(c); | 434 qc = ngx_quic_get_connection(c); |
| 431 | 435 |
| 451 | 455 |
| 452 #if BORINGSSL_API_VERSION >= 13 | 456 #if BORINGSSL_API_VERSION >= 13 |
| 453 SSL_set_quic_use_legacy_codepoint(ssl_conn, qc->version != 1); | 457 SSL_set_quic_use_legacy_codepoint(ssl_conn, qc->version != 1); |
| 454 #endif | 458 #endif |
| 455 | 459 |
| 456 if (ngx_quic_new_sr_token(c, &qc->dcid, qc->conf->sr_token_key, | 460 dcid.data = qc->socket->sid.id; |
| 457 qc->tp.sr_token) | 461 dcid.len = qc->socket->sid.len; |
| 462 | |
| 463 if (ngx_quic_new_sr_token(c, &dcid, qc->conf->sr_token_key, qc->tp.sr_token) | |
| 458 != NGX_OK) | 464 != NGX_OK) |
| 459 { | 465 { |
| 460 return NGX_ERROR; | 466 return NGX_ERROR; |
| 461 } | 467 } |
| 462 | 468 |