nginx: src/stream/ngx_stream_quic

comparison src/stream/ngx_stream_quic_module.c @ 8694:cef042935003 quic

QUIC: the "quic_host_key" directive. The token generation in QUIC is reworked. Single host key is used to generate all required keys of needed sizes using HKDF. The "quic_stateless_reset_token_key" directive is removed. Instead, the "quic_host_key" directive is used, which reads key from file, or sets it to random bytes if not specified.

author	Vladimir Homutov <vl@nginx.com>
date	Mon, 08 Feb 2021 16:49:33 +0300
parents	dffb66fb783b
children	b4e6b7049984

comparison

equal deleted inserted replaced

-:3956bbf91002
+:cef042935003
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_stream.h>
+#include <ngx_event_quic_protection.h>
 static ngx_int_t ngx_stream_variable_quic(ngx_stream_session_t *s,
 ngx_stream_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_stream_quic_add_variables(ngx_conf_t *cf);
 void *child);
 static char *ngx_stream_quic_max_ack_delay(ngx_conf_t *cf, void *post,
 void *data);
 static char *ngx_stream_quic_max_udp_payload_size(ngx_conf_t *cf, void *post,
 void *data);
+static char *ngx_stream_quic_host_key(ngx_conf_t *cf, ngx_command_t *cmd,
+void *conf);
 static ngx_conf_post_t  ngx_stream_quic_max_ack_delay_post =
 { ngx_stream_quic_max_ack_delay };
 static ngx_conf_post_t  ngx_stream_quic_max_udp_payload_size_post =
 ngx_conf_set_flag_slot,
 NGX_STREAM_SRV_CONF_OFFSET,
 offsetof(ngx_quic_conf_t, retry),
 NULL },
-{ ngx_string("quic_stateless_reset_token_key"),
+{ ngx_string("quic_host_key"),
 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
-ngx_conf_set_str_slot,
+ngx_stream_quic_host_key,
 NGX_STREAM_SRV_CONF_OFFSET,
-offsetof(ngx_quic_conf_t, sr_token_key),
+0,
 NULL },
 ngx_null_command
 };
 { ngx_string("quic"), NULL, ngx_stream_variable_quic, 0, 0, 0 },
 ngx_stream_null_variable
 };
+static ngx_str_t  ngx_stream_quic_salt = ngx_string("ngx_quic");
 static ngx_int_t
 ngx_stream_variable_quic(ngx_stream_session_t *s,
 ngx_stream_variable_value_t *v, uintptr_t data)
 {
 *
 *     conf->tp.original_dcid = { 0, NULL };
 *     conf->tp.initial_scid = { 0, NULL };
 *     conf->tp.retry_scid = { 0, NULL };
 *     conf->tp.preferred_address = NULL
-*     conf->sr_token_key = { 0, NULL }
+*     conf->host_key = { 0, NULL }
 *     conf->require_alpn = 0;
 */
 conf->tp.max_idle_timeout = NGX_CONF_UNSET_MSEC;
 conf->tp.max_ack_delay = NGX_CONF_UNSET_MSEC;
 ngx_conf_merge_uint_value(conf->tp.active_connection_id_limit,
 prev->tp.active_connection_id_limit, 2);
 ngx_conf_merge_value(conf->retry, prev->retry, 0);
-if (RAND_bytes(conf->token_key, sizeof(conf->token_key)) <= 0) {
+ngx_conf_merge_str_value(conf->host_key, prev->host_key, "");
-return NGX_CONF_ERROR;
-}
+if (conf->host_key.len == 0) {
-ngx_conf_merge_str_value(conf->sr_token_key, prev->sr_token_key, "");
+conf->host_key.len = NGX_QUIC_DEFAULT_HOST_KEY_LEN;
+conf->host_key.data = ngx_palloc(cf->pool, conf->host_key.len);
-if (conf->sr_token_key.len == 0) {
+if (conf->host_key.data == NULL) {
-conf->sr_token_key.len = NGX_QUIC_DEFAULT_SRT_KEY_LEN;
-conf->sr_token_key.data = ngx_pnalloc(cf->pool, conf->sr_token_key.len);
-if (conf->sr_token_key.data == NULL) {
 return NGX_CONF_ERROR;
 }
-if (RAND_bytes(conf->sr_token_key.data, conf->sr_token_key.len) <= 0) {
+if (RAND_bytes(conf->host_key.data, NGX_QUIC_DEFAULT_HOST_KEY_LEN)
+<= 0)
+{
 return NGX_CONF_ERROR;
 }
+}
+if (ngx_quic_derive_key(cf->log, "av_token_key",
+&conf->host_key, &ngx_stream_quic_salt,
+conf->av_token_key, NGX_QUIC_AV_KEY_LEN)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+if (ngx_quic_derive_key(cf->log, "sr_token_key",
+&conf->host_key, &ngx_stream_quic_salt,
+conf->sr_token_key, NGX_QUIC_SR_KEY_LEN)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
 }
 scf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module);
 conf->ssl = &scf->ssl;
 return NGX_CONF_ERROR;
 }
 return NGX_CONF_OK;
 }
+static char *
+ngx_stream_quic_host_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ngx_quic_conf_t  *qcf = conf;
+u_char           *buf;
+size_t            size;
+ssize_t           n;
+ngx_str_t        *value;
+ngx_file_t        file;
+ngx_file_info_t   fi;
+if (qcf->host_key.len) {
+return "is duplicate";
+}
+buf = NULL;
+#if (NGX_SUPPRESS_WARN)
+size = 0;
+#endif
+value = cf->args->elts;
+if (ngx_conf_full_name(cf->cycle, &value[1], 1) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+ngx_memzero(&file, sizeof(ngx_file_t));
+file.name = value[1];
+file.log = cf->log;
+file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
+if (file.fd == NGX_INVALID_FILE) {
+ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+ngx_open_file_n " \"%V\" failed", &file.name);
+return NGX_CONF_ERROR;
+}
+if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
+ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
+ngx_fd_info_n " \"%V\" failed", &file.name);
+goto failed;
+}
+size = ngx_file_size(&fi);
+if (size == 0) {
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+"\"%V\" zero key size", &file.name);
+goto failed;
+}
+buf = ngx_pnalloc(cf->pool, size);
+if (buf == NULL) {
+goto failed;
+}
+n = ngx_read_file(&file, buf, size, 0);
+if (n == NGX_ERROR) {
+ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
+ngx_read_file_n " \"%V\" failed", &file.name);
+goto failed;
+}
+if ((size_t) n != size) {
+ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
+ngx_read_file_n " \"%V\" returned only "
+"%z bytes instead of %uz", &file.name, n, size);
+goto failed;
+}
+qcf->host_key.data = buf;
+qcf->host_key.len = n;
+if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
+ngx_close_file_n " \"%V\" failed", &file.name);
+}
+return NGX_CONF_OK;
+failed:
+if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
+ngx_close_file_n " \"%V\" failed", &file.name);
+}
+if (buf) {
+ngx_explicit_memzero(buf, size);
+}
+return NGX_CONF_ERROR;
+}

Mercurial > hg > nginx

comparison src/stream/ngx_stream_quic_module.c @ 8694:cef042935003 quic