Mercurial > hg > nginx
annotate src/event/quic/ngx_event_quic_tokens.c @ 9283:bbdcab20d67e
QUIC: ignore CRYPTO frames after handshake completion.
Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 28 May 2024 17:19:08 +0400 |
parents | 77c1418916f7 |
children |
rev | line source |
---|---|
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
1 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
2 /* |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
3 * Copyright (C) Nginx, Inc. |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
4 */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
5 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
6 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
7 #include <ngx_config.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
8 #include <ngx_core.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
9 #include <ngx_event.h> |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
10 #include <ngx_sha1.h> |
8755
b4e6b7049984
QUIC: normalize header inclusion.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8752
diff
changeset
|
11 #include <ngx_event_quic_connection.h> |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
12 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
13 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
14 static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
15 ngx_uint_t no_port, u_char buf[20]); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
16 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
17 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
18 ngx_int_t |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
19 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
20 u_char *token) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
21 { |
9015
a2fbae359828
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8837
diff
changeset
|
22 ngx_str_t tmp; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
23 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
24 tmp.data = secret; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
25 tmp.len = NGX_QUIC_SR_KEY_LEN; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
26 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
27 if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
28 NGX_QUIC_SR_TOKEN_LEN) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
29 != NGX_OK) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
30 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
31 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
32 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
33 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
34 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
35 "quic stateless reset token %*xs", |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
36 (size_t) NGX_QUIC_SR_TOKEN_LEN, token); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
37 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
38 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
39 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
40 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
41 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
42 ngx_int_t |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
43 ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr, |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
44 socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
45 time_t exp, ngx_uint_t is_retry) |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
46 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
47 int len, iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
48 u_char *p, *iv; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
49 EVP_CIPHER_CTX *ctx; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
50 const EVP_CIPHER *cipher; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
51 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
52 u_char in[NGX_QUIC_MAX_TOKEN_SIZE]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
53 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
54 ngx_quic_address_hash(sockaddr, socklen, !is_retry, in); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
55 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
56 p = in + 20; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
57 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
58 p = ngx_cpymem(p, &exp, sizeof(time_t)); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
59 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
60 *p++ = is_retry ? 1 : 0; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
61 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
62 if (odcid) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
63 *p++ = odcid->len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
64 p = ngx_cpymem(p, odcid->data, odcid->len); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
65 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
66 } else { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
67 *p++ = 0; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
68 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
69 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
70 len = p - in; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
71 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
72 cipher = EVP_aes_256_gcm(); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
73 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
74 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
75 if ((size_t) (iv_len + len + NGX_QUIC_AES_256_GCM_TAG_LEN) > token->len) { |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
76 ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small"); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
77 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
78 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
79 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
80 ctx = EVP_CIPHER_CTX_new(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
81 if (ctx == NULL) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
82 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
83 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
84 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
85 iv = token->data; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
86 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
87 if (RAND_bytes(iv, iv_len) <= 0 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
88 || !EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv)) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
89 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
90 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
91 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
92 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
93 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
94 token->len = iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
95 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
96 if (EVP_EncryptUpdate(ctx, token->data + token->len, &len, in, len) != 1) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
97 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
98 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
99 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
100 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
101 token->len += len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
102 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
103 if (EVP_EncryptFinal_ex(ctx, token->data + token->len, &len) <= 0) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
104 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
105 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
106 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
107 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
108 token->len += len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
109 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
110 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
111 NGX_QUIC_AES_256_GCM_TAG_LEN, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
112 token->data + token->len) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
113 == 0) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
114 { |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
115 EVP_CIPHER_CTX_free(ctx); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
116 return NGX_ERROR; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
117 } |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
118 |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
119 token->len += NGX_QUIC_AES_256_GCM_TAG_LEN; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
120 |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
121 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
122 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
123 #ifdef NGX_QUIC_DEBUG_PACKETS |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
124 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0, |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
125 "quic new token len:%uz %xV", token->len, token); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
126 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
127 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
128 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
129 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
130 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
131 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
132 static void |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
133 ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen, |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
134 ngx_uint_t no_port, u_char buf[20]) |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
135 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
136 size_t len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
137 u_char *data; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
138 ngx_sha1_t sha1; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
139 struct sockaddr_in *sin; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
140 #if (NGX_HAVE_INET6) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
141 struct sockaddr_in6 *sin6; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
142 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
143 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
144 len = (size_t) socklen; |
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
145 data = (u_char *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
146 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
147 if (no_port) { |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
148 switch (sockaddr->sa_family) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
149 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
150 #if (NGX_HAVE_INET6) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
151 case AF_INET6: |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
152 sin6 = (struct sockaddr_in6 *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
153 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
154 len = sizeof(struct in6_addr); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
155 data = sin6->sin6_addr.s6_addr; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
156 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
157 break; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
158 #endif |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
159 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
160 case AF_INET: |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
161 sin = (struct sockaddr_in *) sockaddr; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
162 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
163 len = sizeof(in_addr_t); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
164 data = (u_char *) &sin->sin_addr; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
165 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
166 break; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
167 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
168 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
169 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
170 ngx_sha1_init(&sha1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
171 ngx_sha1_update(&sha1, data, len); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
172 ngx_sha1_final(buf, &sha1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
173 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
174 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
175 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
176 ngx_int_t |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
177 ngx_quic_validate_token(ngx_connection_t *c, u_char *key, |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
178 ngx_quic_header_t *pkt) |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
179 { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
180 int len, tlen, iv_len; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
181 u_char *iv, *p; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
182 time_t now, exp; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
183 size_t total; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
184 ngx_str_t odcid; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
185 EVP_CIPHER_CTX *ctx; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
186 const EVP_CIPHER *cipher; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
187 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
188 u_char addr_hash[20]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
189 u_char tdec[NGX_QUIC_MAX_TOKEN_SIZE]; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
190 |
9043
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
191 #if NGX_SUPPRESS_WARN |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
192 ngx_str_null(&odcid); |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
193 #endif |
5b49f8bac1b4
QUIC: plug MSVC warning about potentially uninitialized variable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9026
diff
changeset
|
194 |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
195 /* Retry token or NEW_TOKEN in a previous connection */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
196 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
197 cipher = EVP_aes_256_gcm(); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
198 iv = pkt->token.data; |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
199 iv_len = NGX_QUIC_AES_256_GCM_IV_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
200 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
201 /* sanity checks */ |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
202 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
203 if (pkt->token.len < (size_t) iv_len + NGX_QUIC_AES_256_GCM_TAG_LEN) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
204 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
205 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
206 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
207 if (pkt->token.len > (size_t) iv_len + NGX_QUIC_MAX_TOKEN_SIZE |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
208 + NGX_QUIC_AES_256_GCM_TAG_LEN) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
209 { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
210 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
211 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
212 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
213 ctx = EVP_CIPHER_CTX_new(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
214 if (ctx == NULL) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
215 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
216 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
217 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
218 if (!EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv)) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
219 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
220 return NGX_ERROR; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
221 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
222 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
223 p = pkt->token.data + iv_len; |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
224 len = pkt->token.len - iv_len - NGX_QUIC_AES_256_GCM_TAG_LEN; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
225 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
226 if (EVP_DecryptUpdate(ctx, tdec, &tlen, p, len) != 1) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
227 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
228 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
229 } |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
230 total = tlen; |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
231 |
9132
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
232 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
233 NGX_QUIC_AES_256_GCM_TAG_LEN, p + len) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
234 == 0) |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
235 { |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
236 EVP_CIPHER_CTX_free(ctx); |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
237 goto garbage; |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
238 } |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
239 |
77c1418916f7
QUIC: use AEAD to encrypt address validation tokens.
Roman Arutyunyan <arut@nginx.com>
parents:
9043
diff
changeset
|
240 if (EVP_DecryptFinal_ex(ctx, tdec + tlen, &tlen) <= 0) { |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
241 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
242 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
243 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
244 total += tlen; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
245 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
246 EVP_CIPHER_CTX_free(ctx); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
247 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
248 if (total < (20 + sizeof(time_t) + 2)) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
249 goto garbage; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
250 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
251 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
252 p = tdec + 20; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
253 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
254 ngx_memcpy(&exp, p, sizeof(time_t)); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
255 p += sizeof(time_t); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
256 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
257 pkt->retried = (*p++ == 1); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
258 |
8763
4117aa7fa38e
QUIC: connection migration.
Vladimir Homutov <vl@nginx.com>
parents:
8755
diff
changeset
|
259 ngx_quic_address_hash(c->sockaddr, c->socklen, !pkt->retried, addr_hash); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
260 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
261 if (ngx_memcmp(tdec, addr_hash, 20) != 0) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
262 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
263 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
264 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
265 odcid.len = *p++; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
266 if (odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
267 if (odcid.len > NGX_QUIC_MAX_CID_LEN) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
268 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
269 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
270 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
271 if ((size_t)(tdec + total - p) < odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
272 goto bad_token; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
273 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
274 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
275 odcid.data = p; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
276 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
277 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
278 now = ngx_time(); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
279 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
280 if (now > exp) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
281 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic expired token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
282 return NGX_DECLINED; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
283 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
284 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
285 if (odcid.len) { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
286 pkt->odcid.len = odcid.len; |
9026
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
287 pkt->odcid.data = pkt->odcid_buf; |
3550b00d9dc8
QUIC: avoided pool usage in token calculation.
Vladimir Homutov <vl@nginx.com>
parents:
9015
diff
changeset
|
288 ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len); |
8752
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
289 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
290 } else { |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
291 pkt->odcid = pkt->dcid; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
292 } |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
293 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
294 pkt->validated = 1; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
295 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
296 return NGX_OK; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
297 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
298 garbage: |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
299 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
300 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic garbage token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
301 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
302 return NGX_ABORT; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
303 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
304 bad_token: |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
305 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
306 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic invalid token"); |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
307 |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
308 return NGX_DECLINED; |
e19723c40d28
QUIC: separate files for tokens related processing.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
309 } |