Lines Matching full:token

38  * @brief Represents a validation token for secure connection handling.
40 * This struct is used to store information related to a validation token.
43 * True iff this validation token is for a token sent in a RETRY packet.
44 * Otherwise, this token is from a NEW_TOKEN packet. Iff this value is true,
48 * Time that the validation token was minted.
52 * connection. This ID helps associate the token with a specific connection.
77 * Maximum length of a marshalled validation token.
89 * Maximum length of an encrypted marshalled validation token.
91 * This will include the size of the marshalled validation token plus a 16 byte
170 /* Generate random key for token encryption */ in port_init()
801 * reset token. RFC 9000 s. 10.3 specifies this layout for stateless in port_try_handle_stateless_reset()
807 * Stateless Reset Token (128), in port_try_handle_stateless_reset()
812 * stateless reset token as a Stateless Reset, as other QUIC in port_try_handle_stateless_reset()
839 static void cleanup_validation_token(QUIC_VALIDATION_TOKEN *token) in cleanup_validation_token() argument
841 OPENSSL_free(token->remote_addr); in cleanup_validation_token()
845 * @brief Generates a validation token for a RETRY/NEW_TOKEN packet.
851 * @param token Address of token to fill data.
853 * @return 1 if validation token is filled successfully, 0 otherwise.
856 QUIC_CONN_ID rscid, QUIC_VALIDATION_TOKEN *token, in generate_token() argument
859 token->is_retry = is_retry; in generate_token()
860 token->timestamp = ossl_time_now(); in generate_token()
861 token->remote_addr = NULL; in generate_token()
862 token->odcid = odcid; in generate_token()
863 token->rscid = rscid; in generate_token()
865 if (!BIO_ADDR_rawaddress(peer, NULL, &token->remote_addr_len) in generate_token()
866 || token->remote_addr_len == 0 in generate_token()
867 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL in generate_token()
868 || !BIO_ADDR_rawaddress(peer, token->remote_addr, in generate_token()
869 &token->remote_addr_len)) { in generate_token()
870 cleanup_validation_token(token); in generate_token()
878 * @brief Marshals a validation token into a new buffer.
883 * @param token Validation token.
884 * @param buffer Address to store the marshalled token.
887 static int marshal_validation_token(QUIC_VALIDATION_TOKEN *token, in marshal_validation_token() argument
894 || (token->is_retry != 0 && token->is_retry != 1)) { in marshal_validation_token()
900 || !WPACKET_memset(&wpkt, token->is_retry, 1) in marshal_validation_token()
901 || !WPACKET_memcpy(&wpkt, &token->timestamp, in marshal_validation_token()
902 sizeof(token->timestamp)) in marshal_validation_token()
903 || (token->is_retry in marshal_validation_token()
904 && (!WPACKET_sub_memcpy_u8(&wpkt, &token->odcid.id, in marshal_validation_token()
905 token->odcid.id_len) in marshal_validation_token()
906 || !WPACKET_sub_memcpy_u8(&wpkt, &token->rscid.id, in marshal_validation_token()
907 token->rscid.id_len))) in marshal_validation_token()
908 || !WPACKET_sub_memcpy_u8(&wpkt, token->remote_addr, token->remote_addr_len) in marshal_validation_token()
923 * @brief Encrypts a validation token using AES-256-GCM
975 * @brief Decrypts a validation token using AES-256-GCM
1031 * @brief Parses contents of a buffer into a validation token.
1035 * @param token Validation token to fill data in.
1036 * @param buf Buffer of previously marshaled validation token.
1039 static int parse_validation_token(QUIC_VALIDATION_TOKEN *token, in parse_validation_token() argument
1044 if (buf == NULL || token == NULL) in parse_validation_token()
1047 token->remote_addr = NULL; in parse_validation_token()
1050 || !PACKET_copy_bytes(&pkt, &token->is_retry, sizeof(token->is_retry)) in parse_validation_token()
1051 || !(token->is_retry == 0 || token->is_retry == 1) in parse_validation_token()
1052 || !PACKET_copy_bytes(&pkt, (unsigned char *)&token->timestamp, in parse_validation_token()
1053 sizeof(token->timestamp)) in parse_validation_token()
1054 || (token->is_retry in parse_validation_token()
1056 || (token->odcid.id_len = (unsigned char)PACKET_remaining(&subpkt)) in parse_validation_token()
1059 (unsigned char *)&token->odcid.id, in parse_validation_token()
1060 token->odcid.id_len) in parse_validation_token()
1062 || (token->rscid.id_len = (unsigned char)PACKET_remaining(&subpkt)) in parse_validation_token()
1064 || !PACKET_copy_bytes(&subpkt, (unsigned char *)&token->rscid.id, in parse_validation_token()
1065 token->rscid.id_len))) in parse_validation_token()
1067 || (token->remote_addr_len = PACKET_remaining(&subpkt)) == 0 in parse_validation_token()
1068 || (token->remote_addr = OPENSSL_malloc(token->remote_addr_len)) == NULL in parse_validation_token()
1069 || !PACKET_copy_bytes(&subpkt, token->remote_addr, token->remote_addr_len) in parse_validation_token()
1071 cleanup_validation_token(token); in parse_validation_token()
1083 * includes a generated validation token and a new connection ID, following
1092 * - Generates a validation token for the client.
1094 * - Calculates the integrity tag and sets the token length.
1106 * Buffer is used for both marshalling the token as well as for the RETRY in port_send_retry()
1115 QUIC_VALIDATION_TOKEN token = {0}; in port_send_retry() local
1130 * will also come with token we generate here. in port_send_retry()
1136 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN)); in port_send_retry()
1138 /* Generate retry validation token */ in port_send_retry()
1140 hdr.src_conn_id, &token, 1) in port_send_retry()
1141 || !marshal_validation_token(&token, buffer, &token_buf_len) in port_send_retry()
1164 hdr.token = hdr.data; in port_send_retry()
1198 cleanup_validation_token(&token); in port_send_retry()
1249 hdr.token = 0; in port_send_version_negotiation()
1291 * @brief definitions of token lifetimes
1300 * @brief Validates a received token in a QUIC packet header.
1302 * This function checks the validity of a token contained in the provided
1304 * verifying that the token matches an expected format and value. If the
1305 * token is from a RETRY packet, the function extracts the original connection
1307 * parameters. If the token is from a NEW_TOKEN packet, the values will be
1310 * @param hdr Pointer to the QUIC packet header containing the token.
1314 * token is valid.
1316 * token is valid.
1318 * @return 1 if the token is valid and ODCID/SCID are successfully set.
1322 * - Token length meets the required minimum.
1325 * - Token has not expired. Currently set to 10 seconds for tokens from RETRY
1334 QUIC_VALIDATION_TOKEN token = { 0 }; in port_validate_token() local
1342 if (!decrypt_validation_token(port, hdr->token, hdr->token_len, NULL, in port_validate_token()
1345 || !decrypt_validation_token(port, hdr->token, hdr->token_len, in port_validate_token()
1347 || !parse_validation_token(&token, dec_token, dec_token_len)) in port_validate_token()
1351 * Validate token timestamp. Current time should not be before the token in port_validate_token()
1354 if (ossl_time_compare(now, token.timestamp) < 0) in port_validate_token()
1356 time_diff = ossl_time2seconds(ossl_time_abs_difference(token.timestamp, in port_validate_token()
1358 if ((token.is_retry && time_diff > RETRY_LIFETIME) in port_validate_token()
1359 || (!token.is_retry && time_diff > NEW_TOKEN_LIFETIME)) in port_validate_token()
1364 || remote_addr_len != token.remote_addr_len in port_validate_token()
1367 || memcmp(remote_addr, token.remote_addr, remote_addr_len) != 0) in port_validate_token()
1371 * Set ODCID and SCID. If the token is from a RETRY packet, retrieve both in port_validate_token()
1372 * from the token. Otherwise, generate a new ODCID and use the header's in port_validate_token()
1375 if (token.is_retry) { in port_validate_token()
1379 * Sure the dcid encoded in the token matches the headers dcid to in port_validate_token()
1385 if (token.rscid.id_len != hdr->dst_conn_id.id_len in port_validate_token()
1386 || memcmp(&token.rscid.id, &hdr->dst_conn_id.id, in port_validate_token()
1387 token.rscid.id_len) != 0) in port_validate_token()
1389 *odcid = token.odcid; in port_validate_token()
1390 *scid = token.rscid; in port_validate_token()
1399 * If we validated a retry token, we should always in port_validate_token()
1404 * if the existing received token has less than 10% of its lifetime in port_validate_token()
1408 if (token.is_retry) { in port_validate_token()
1417 cleanup_validation_token(&token); in port_validate_token()
1425 QUIC_VALIDATION_TOKEN token; in generate_new_token() local
1451 memset(&token, 0, sizeof(QUIC_VALIDATION_TOKEN)); in generate_new_token()
1453 if (!generate_token(peer, ch->init_dcid, rscid, &token, 0) in generate_new_token()
1454 || !marshal_validation_token(&token, buffer, &token_buf_len) in generate_new_token()
1462 cleanup_validation_token(&token); in generate_new_token()
1469 cleanup_validation_token(&token); in generate_new_token()
1620 if (port->validate_addr == 1 && hdr.token == NULL) { in port_default_packet_handler()
1627 * server address validation, we may still get a token if we sent in port_default_packet_handler()
1631 if (hdr.token != NULL in port_default_packet_handler()
1638 * validation token, it MUST attempt to validate the token, in port_default_packet_handler()
1640 * If the token is invalid, then the server SHOULD proceed as in port_default_packet_handler()
1649 * secrets to token here to save some CPU cycles. in port_default_packet_handler()
1677 * Generate a token for sending in a later NEW_TOKEN frame in port_default_packet_handler()