QUIC: worker-bound stateless reset tokens.

Previously, it was possible to obtain a stateless reset token for a connection by routing its packet to a wrong worker. This allowed to terminate the connection. The fix is to bind stateless reset token to the worker number.
author: Roman Arutyunyan <arut@nginx.com> 2026-02-26 18:36:52 +0400
committer: Roman Arutyunyan <arutyunyan.roman@gmail.com> 2026-02-27 19:30:02 +0400
commit: f72c7453f95143cd413dbc01d1ae9a28c67b39de (patch)
tree: b675dd7a08c471eafbb56c2acbea6bb7c31887c3 /src/event
parent: 717e707488c10b9d41ffbd9d04f4f31d57b1f8ab (diff)
download: nginx-f72c7453f95143cd413dbc01d1ae9a28c67b39de.tar.gz
nginx-f72c7453f95143cd413dbc01d1ae9a28c67b39de.tar.bz2
1 files changed, 6 insertions, 2 deletions
diff --git a/src/event/quic/ngx_event_quic_tokens.c b/src/event/quic/ngx_event_quic_tokens.c
index 6c94d5c18..b78d85a44 100644
--- a/src/event/quic/ngx_event_quic_tokens.c
+++ b/src/event/quic/ngx_event_quic_tokens.c
@@ -15,9 +15,13 @@ ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
     u_char *token)
 {
     ngx_str_t  tmp;
+    u_char     buf[NGX_QUIC_SR_KEY_LEN + sizeof(ngx_uint_t)];
 
-    tmp.data = secret;
-    tmp.len = NGX_QUIC_SR_KEY_LEN;
+    ngx_memcpy(buf, secret, NGX_QUIC_SR_KEY_LEN);
+    ngx_memcpy(buf + NGX_QUIC_SR_KEY_LEN, &ngx_worker, sizeof(ngx_uint_t));
+
+    tmp.data = buf;
+    tmp.len = sizeof(buf);
 
     if (ngx_quic_derive_key(c->log, "sr_token_key", &tmp, cid, token,
                             NGX_QUIC_SR_TOKEN_LEN)
author	Roman Arutyunyan <arut@nginx.com>	2026-02-26 18:36:52 +0400
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>	2026-02-27 19:30:02 +0400
commit	f72c7453f95143cd413dbc01d1ae9a28c67b39de (patch)
tree	b675dd7a08c471eafbb56c2acbea6bb7c31887c3 /src/event
parent	717e707488c10b9d41ffbd9d04f4f31d57b1f8ab (diff)
download	nginx-f72c7453f95143cd413dbc01d1ae9a28c67b39de.tar.gz nginx-f72c7453f95143cd413dbc01d1ae9a28c67b39de.tar.bz2