nghttpx: Regular token does not require server issued DCID
This commit is contained in:
parent
9d265e8bb8
commit
31be334660
|
@ -213,15 +213,16 @@ int QUICConnectionHandler::handle_packet(const UpstreamAddr *faddr,
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (vc.dcidlen != SHRPX_QUIC_SCIDLEN) {
|
|
||||||
// Initial packets with token must have DCID chosen by server.
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
auto qkm = select_quic_keying_material(*qkms.get(), vc.dcid);
|
|
||||||
|
|
||||||
switch (hd.token.base[0]) {
|
switch (hd.token.base[0]) {
|
||||||
case NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY:
|
case NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY: {
|
||||||
|
if (vc.dcidlen != SHRPX_QUIC_SCIDLEN) {
|
||||||
|
// Initial packets with Retry token must have DCID chosen by
|
||||||
|
// server.
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto qkm = select_quic_keying_material(*qkms.get(), vc.dcid);
|
||||||
|
|
||||||
if (verify_retry_token(odcid, hd.token.base, hd.token.len, hd.version,
|
if (verify_retry_token(odcid, hd.token.base, hd.token.len, hd.version,
|
||||||
hd.dcid, &remote_addr.su.sa, remote_addr.len,
|
hd.dcid, &remote_addr.su.sa, remote_addr.len,
|
||||||
qkm->secret.data(), qkm->secret.size()) != 0) {
|
qkm->secret.data(), qkm->secret.size()) != 0) {
|
||||||
|
@ -248,7 +249,19 @@ int QUICConnectionHandler::handle_packet(const UpstreamAddr *faddr,
|
||||||
tokenlen = hd.token.len;
|
tokenlen = hd.token.len;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
case NGTCP2_CRYPTO_TOKEN_MAGIC_REGULAR:
|
}
|
||||||
|
case NGTCP2_CRYPTO_TOKEN_MAGIC_REGULAR: {
|
||||||
|
// If a token is a regular token, it must be at least
|
||||||
|
// NGTCP2_MIN_INITIAL_DCIDLEN bytes long.
|
||||||
|
if (vc.dcidlen < NGTCP2_MIN_INITIAL_DCIDLEN) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Regarding the QUIC secret that encrypted this token, DCID
|
||||||
|
// is a client chosen one, and we have no information embedded
|
||||||
|
// in a token. Just use the first QUIC secret.
|
||||||
|
auto qkm = &qkms->keying_materials.front();
|
||||||
|
|
||||||
if (verify_token(hd.token.base, hd.token.len, &remote_addr.su.sa,
|
if (verify_token(hd.token.base, hd.token.len, &remote_addr.su.sa,
|
||||||
remote_addr.len, qkm->secret.data(),
|
remote_addr.len, qkm->secret.data(),
|
||||||
qkm->secret.size()) != 0) {
|
qkm->secret.size()) != 0) {
|
||||||
|
@ -276,6 +289,7 @@ int QUICConnectionHandler::handle_packet(const UpstreamAddr *faddr,
|
||||||
tokenlen = hd.token.len;
|
tokenlen = hd.token.len;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
default:
|
default:
|
||||||
if (quicconf.upstream.require_token) {
|
if (quicconf.upstream.require_token) {
|
||||||
send_retry(faddr, vc.version, vc.dcid, vc.dcidlen, vc.scid,
|
send_retry(faddr, vc.version, vc.dcid, vc.dcidlen, vc.scid,
|
||||||
|
|
Loading…
Reference in New Issue