Review fixups
authorNeil Horman <nhorman@openssl.org>
Tue, 28 Jan 2025 14:41:52 +0000 (09:41 -0500)
committerNeil Horman <nhorman@openssl.org>
Mon, 17 Feb 2025 16:27:33 +0000 (11:27 -0500)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26517)

include/internal/quic_ssl.h
ssl/quic/quic_channel.c
ssl/quic/quic_impl.c
ssl/quic/quic_port.c
ssl/quic/quic_rx_depack.c

index 812d1ad38e69871fff23ffce4cf731aff98c040e..95b837da5cbfbfb1fd3320e868385e2c5da149ea 100644 (file)
@@ -30,8 +30,8 @@ SSL_TOKEN_STORE_HANDLE *ossl_quic_new_token_store(void);
 void ossl_quic_free_token_store(SSL_TOKEN_STORE_HANDLE *hdl);
 SSL_TOKEN_STORE_HANDLE *ossl_quic_get_token_store(SSL_CTX *ctx);
 int ossl_quic_set_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl);
-int ossl_quic_update_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
-                                const uint8_t *token, size_t token_len);
+int ossl_quic_set_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
+                             const uint8_t *token, size_t token_len);
 int ossl_quic_get_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
                              uint8_t **token, size_t *token_len,
                              QTOK **token_free_ptr);
index 7e271bd5b33881318489a23a8ec52d6e40bf4d64..a180f1ce8de561ee5962ed6a40231d87cccc47e7 100644 (file)
@@ -2819,16 +2819,17 @@ int ossl_quic_channel_start(QUIC_CHANNEL *ch)
     /*
      * Look to see if we have a token, and if so, set it on the packetiser
      */
-    if (!ch->is_server && ossl_quic_get_peer_token(ch->port->channel_ctx,
-                                                   &ch->cur_peer_addr,
-                                                   &token, &token_len,
-                                                   &token_ptr)) {
-        if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, token,
-                                                       token_len,
-                                                       free_peer_token,
-                                                       token_ptr))
-            free_peer_token(NULL, 0, token_ptr);
-    }
+    if (!ch->is_server
+        && ossl_quic_get_peer_token(ch->port->channel_ctx,
+                                    &ch->cur_peer_addr,
+                                    &token, &token_len,
+                                    &token_ptr)
+        && !ossl_quic_tx_packetiser_set_initial_token(ch->txp, token,
+                                                      token_len,
+                                                      free_peer_token,
+                                                      token_ptr))
+        free_peer_token(NULL, 0, token_ptr);
+
     /* Plug in secrets for the Initial EL. */
     if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
                                           ch->port->engine->propq,
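Review bot: The rewritten condition `if (!ch->is_server && ossl_quic_get_peer_token(...) && !ossl_quic_tx_packetiser_set_initial_token(...))` turns the body into failure-only cleanup, which is easy to misread because the first two clauses test for success and the third is negated. The comment above it only says a token is looked up and set, so I would extend it with something like `/* On success the packetiser owns token_ptr and releases it via free_peer_token; free it here only if the hand-off fails. */`. The ownership transfer is inferred from the callback argument, so please confirm it against ossl_quic_tx_packetiser_set_initial_token. The body of ossl_quic_channel_start continues outside the hunk.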
index 7810335430b6cb7ccdb1b5011a254ae2fd81fc47..5915c25fa5b9ae876e7957e3bbcdebb924b51e58 100644 (file)
@@ -4790,6 +4790,9 @@ static QUIC_TOKEN *ossl_quic_build_new_token(BIO_ADDR *peer, uint8_t *token,
     unsigned short *portptr;
     uint8_t *addrptr;
 
+    if ((token != NULL && token_len == 0) || (token == NULL && token_len != 0))
+        return NULL;
+
     if (!BIO_ADDR_rawaddress(peer, NULL, &addr_len))
         return NULL;
     family = BIO_ADDR_family(peer);
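Review bot: The new guard in ossl_quic_build_new_token rejects a mismatched pointer/length pair but still accepts `token == NULL` with `token_len == 0`, and it places no upper bound on `token_len`. The rest of the function is outside this hunk, so it is worth confirming that the later copy is never reached with a NULL source (a zero-length `memcpy` from NULL is still undefined behaviour in C) and that the allocation size derived from `token_len` plus the address length cannot wrap. This matters because, judging by the call in depack_do_frame_new_token, the bytes and length originate from a peer's NEW_TOKEN frame. If an empty token is never meaningful here, the check could simply be `if (token == NULL || token_len == 0) return NULL;`; otherwise a comment stating that the empty pair is allowed on purpose would help.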
@@ -4828,8 +4831,8 @@ static QUIC_TOKEN *ossl_quic_build_new_token(BIO_ADDR *peer, uint8_t *token,
     return new_token;
 }
 
-int ossl_quic_update_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
-                                const uint8_t *token, size_t token_len)
+int ossl_quic_set_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
+                             const uint8_t *token, size_t token_len)
 {
     SSL_TOKEN_STORE *c = ctx->tokencache;
     QUIC_TOKEN *tok, *old = NULL;
index ff3c327758c74fcac6c23dd165996a1e6d53adca..6cc2c264467fefa9b4e4a31c0cf668a99e8e8235 100644 (file)
@@ -1354,7 +1354,7 @@ static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port,
      *
      * If however, we validated a NEW_TOKEN, which may be
      * reused multiple times, only send a NEW_TOKEN frame
-     * if the existing received token has 10% of its lifetime
+     * if the existing received token has less than 10% of its lifetime
      * remaining.  This prevents us from constantly sending
      * NEW_TOKEN frames on every connection when not needed
      */
@@ -1410,6 +1410,7 @@ static void generate_new_token(QUIC_CHANNEL *ch, BIO_ADDR *peer)
                                      &ct_len)
         || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN)) {
         OPENSSL_free(ct_buf);
+        cleanup_validation_token(&token);
         return;
     }
 
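Review bot: This error path in generate_new_token now carries two hand-written cleanup calls, `OPENSSL_free(ct_buf);` and `cleanup_validation_token(&token);`, and the leak fixed here suggests other exits may need the same pair. The function's other return paths are outside the hunk, so I cannot tell whether they all release `token`. A single `err:` label that runs both calls, reached by `goto err;` from each failure branch, would keep the next added early return from missing one. That assumes `ct_buf` starts out as NULL and that cleanup_validation_token tolerates a partially filled token, which should be checked against the top of the function.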
@@ -1532,24 +1533,24 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
      * a NEW_TOKEN frame during a prior connection, which we should still
      * validate here
      */
-    if (hdr.token != NULL) {
-        if (port_validate_token(&hdr, port, &e->peer,
-                                &odcid, &scid, &gen_new_token) == 0) {
-            /*
-             * RFC 9000 s 8.1.3
-             * When a server receives an Initial packet with an address
-             * validation token, it MUST attempt to validate the token,
-             * unless it has already completed address validation.
-             * If the token is invalid, then the server SHOULD proceed as
-             * if the client did not have a validated address,
-             * including potentially sending a Retry packet
-             * Note: If address validation is disabled, just act like
-             * The request is valid
-             */
-            if (port->validate_addr == 1) {
-                port_send_retry(port, &e->peer, &hdr);
-                goto undesirable;
-            }
+    if (hdr.token != NULL
+        && port_validate_token(&hdr, port, &e->peer,
+                               &odcid, &scid,
+                               &gen_new_token) == 0) {
+        /*
+         * RFC 9000 s 8.1.3
+         * When a server receives an Initial packet with an address
+         * validation token, it MUST attempt to validate the token,
+         * unless it has already completed address validation.
+         * If the token is invalid, then the server SHOULD proceed as
+         * if the client did not have a validated address,
+         * including potentially sending a Retry packet
+         * Note: If address validation is disabled, just act like
+         * the request is valid
+         */
+        if (port->validate_addr == 1) {
+            port_send_retry(port, &e->peer, &hdr);
+            goto undesirable;
         }
     }
 
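Review bot: When `port_validate_token(...)` returns 0 and `port->validate_addr` is not 1, control falls out of the block and the packet is handled as if no token had been sent. However, `odcid`, `scid` and `gen_new_token` were passed by address and may already have been written by the failed validation. Whether port_validate_token leaves them untouched on failure is not visible here, and the code that consumes them lies beyond the hunk. I would state the expectation after the inner `if`, for example `/* Token rejected but address validation is off: continue as if no token was supplied; odcid, scid and gen_new_token must not be relied on past this point. */`, and confirm that the callee honours it.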
index 49c3ea21c77a1e43b47444c2aac5cc7ad6bde274..d96a2b2952222d4b73e770288caa546e8057f295 100644 (file)
@@ -351,8 +351,8 @@ static int depack_do_frame_new_token(PACKET *pkt, QUIC_CHANNEL *ch,
     }
 
     /* store the new token in our token cache */
-    if (!ossl_quic_update_peer_token(ossl_quic_port_get_channel_ctx(ch->port),
-                                     &ch->cur_peer_addr, token, token_len))
+    if (!ossl_quic_set_peer_token(ossl_quic_port_get_channel_ctx(ch->port),
+                                  &ch->cur_peer_addr, token, token_len))
         return 0;
 
     return 1;