Mercurial > hg > nginx
comparison src/event/ngx_event_quic.c @ 8634:831d1960826f quic
QUIC: generate default stateless reset token key.
Previously, if quic_stateless_reset_token_key was empty or unspecified,
initial stateless reset token was not generated. However subsequent tokens
were generated with empty key, which resulted in error with certain SSL
libraries, for example OpenSSL.
Now a random 32-byte stateless reset token key is generated if none is
specified in the configuration. As a result, stateless reset tokens are now
generated for all server ids.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Wed, 11 Nov 2020 21:08:48 +0000 |
| parents | e167c7b4cff4 |
| children | d1cf691a82e8 |
comparison
equal
deleted
inserted
replaced
| 8633:d8b01c2b8931 | 8634:831d1960826f |
|---|---|
| 1131 u_char buf[NGX_QUIC_MAX_SR_PACKET]; | 1131 u_char buf[NGX_QUIC_MAX_SR_PACKET]; |
| 1132 | 1132 |
| 1133 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 1133 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 1134 "quic handle stateless reset output"); | 1134 "quic handle stateless reset output"); |
| 1135 | 1135 |
| 1136 if (conf->sr_token_key.len == 0) { | |
| 1137 return NGX_DECLINED; | |
| 1138 } | |
| 1139 | |
| 1140 if (pkt->len <= NGX_QUIC_MIN_PKT_LEN) { | 1136 if (pkt->len <= NGX_QUIC_MIN_PKT_LEN) { |
| 1141 return NGX_DECLINED; | 1137 return NGX_DECLINED; |
| 1142 } | 1138 } |
| 1143 | 1139 |
| 1144 if (pkt->len <= NGX_QUIC_MIN_SR_PACKET) { | 1140 if (pkt->len <= NGX_QUIC_MIN_SR_PACKET) { |
| 1571 if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) { | 1567 if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) { |
| 1572 SSL_set_quic_early_data_enabled(ssl_conn, 1); | 1568 SSL_set_quic_early_data_enabled(ssl_conn, 1); |
| 1573 } | 1569 } |
| 1574 #endif | 1570 #endif |
| 1575 | 1571 |
| 1576 if (qc->conf->sr_token_key.len) { | 1572 if (ngx_quic_new_sr_token(c, &qc->dcid, &qc->conf->sr_token_key, |
| 1577 qc->tp.sr_enabled = 1; | 1573 qc->tp.sr_token) |
| 1578 | 1574 != NGX_OK) |
| 1579 if (ngx_quic_new_sr_token(c, &qc->dcid, &qc->conf->sr_token_key, | 1575 { |
| 1580 qc->tp.sr_token) | 1576 return NGX_ERROR; |
| 1581 != NGX_OK) | 1577 } |
| 1582 { | 1578 |
| 1583 return NGX_ERROR; | 1579 ngx_quic_hexdump(c->log, "quic stateless reset token", |
| 1584 } | 1580 qc->tp.sr_token, (size_t) NGX_QUIC_SR_TOKEN_LEN); |
| 1585 | |
| 1586 ngx_quic_hexdump(c->log, "quic stateless reset token", | |
| 1587 qc->tp.sr_token, (size_t) NGX_QUIC_SR_TOKEN_LEN); | |
| 1588 } | |
| 1589 | 1581 |
| 1590 len = ngx_quic_create_transport_params(NULL, NULL, &qc->tp, &clen); | 1582 len = ngx_quic_create_transport_params(NULL, NULL, &qc->tp, &clen); |
| 1591 /* always succeeds */ | 1583 /* always succeeds */ |
| 1592 | 1584 |
| 1593 p = ngx_pnalloc(c->pool, len); | 1585 p = ngx_pnalloc(c->pool, len); |