| author | Roman Arutyunyan <arut@nginx.com> | 2020-11-11 21:08:48 +0000 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2020-11-11 21:08:48 +0000 |
| commit | 5bbc3f1967a8ac1cce0f16b428f156301b81beb9 (patch) | |
| tree | 378446c5e1deba2e053a084803b732190c9e5075 /src/stream/ngx_stream_quic_module.c | |
| parent | 6e6daf459234f0f7330c69de1f27d0064bb217ae (diff) | |
QUIC: generate default stateless reset token key.
Previously, if quic_stateless_reset_token_key was empty or unspecified,
initial stateless reset token was not generated. However subsequent tokens
were generated with empty key, which resulted in error with certain SSL
libraries, for example OpenSSL.
Now a random 32-byte stateless reset token key is generated if none is
specified in the configuration. As a result, stateless reset tokens are now
generated for all server ids.
Diffstat (limited to 'src/stream/ngx_stream_quic_module.c')
| -rw-r--r-- | src/stream/ngx_stream_quic_module.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/stream/ngx_stream_quic_module.c b/src/stream/ngx_stream_quic_module.c
index 4ddf5c90a..eaaaba89a 100644
--- a/src/stream/ngx_stream_quic_module.c
+++ b/src/stream/ngx_stream_quic_module.c
@@ -313,6 +313,19 @@ ngx_stream_quic_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 ngx_conf_merge_str_value(conf->sr_token_key, prev->sr_token_key, "");
+ if (conf->sr_token_key.len == 0) {
+ conf->sr_token_key.len = NGX_QUIC_DEFAULT_SRT_KEY_LEN;
+
+ conf->sr_token_key.data = ngx_pnalloc(cf->pool, conf->sr_token_key.len);
+ if (conf->sr_token_key.data == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ if (RAND_bytes(conf->sr_token_key.data, conf->sr_token_key.len) <= 0) {
+ return NGX_CONF_ERROR;
+ }
+ }
+
 scf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module);
 conf->ssl = &scf->ssl; |
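Review bot: The default key produced in the new `if (conf->sr_token_key.len == 0)` branch exists only in memory for this configuration, and nothing at the site says so. Assuming this merge runs on every configuration load, a reload or restart, or a second instance behind the same address, would derive different stateless reset tokens and could not reset connections that were given tokens under the earlier key. I would add a comment above the branch such as `/* random per configuration load; set quic_stateless_reset_token_key to keep tokens valid across reloads and between instances */`. Separately, the `RAND_bytes()` failure path returns `NGX_CONF_ERROR` with no diagnostic, so a line like `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "RAND_bytes() failed");` before that return would tell the operator why configuration was rejected. The body of ngx_stream_quic_merge_srv_conf starts and ends outside this hunk.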
