From 5bbc3f1967a8ac1cce0f16b428f156301b81beb9 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 11 Nov 2020 21:08:48 +0000
Subject: QUIC: generate default stateless reset token key.

Previously, if quic_stateless_reset_token_key was empty or unspecified,
initial stateless reset token was not generated.  However subsequent tokens
were generated with empty key, which resulted in error with certain SSL
libraries, for example OpenSSL.

Now a random 32-byte stateless reset token key is generated if none is
specified in the configuration.  As a result, stateless reset tokens are now
generated for all server ids.
---
 src/stream/ngx_stream_quic_module.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/stream/ngx_stream_quic_module.c')

diff --git a/src/stream/ngx_stream_quic_module.c b/src/stream/ngx_stream_quic_module.c
index 4ddf5c90a..eaaaba89a 100644
--- a/src/stream/ngx_stream_quic_module.c
+++ b/src/stream/ngx_stream_quic_module.c
@@ -313,6 +313,19 @@ ngx_stream_quic_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_str_value(conf->sr_token_key, prev->sr_token_key, "");
 
+    if (conf->sr_token_key.len == 0) {
+        conf->sr_token_key.len = NGX_QUIC_DEFAULT_SRT_KEY_LEN;
+
+        conf->sr_token_key.data = ngx_pnalloc(cf->pool, conf->sr_token_key.len);
+        if (conf->sr_token_key.data == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        if (RAND_bytes(conf->sr_token_key.data, conf->sr_token_key.len) <= 0) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
     scf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module);
     conf->ssl = &scf->ssl;
 
-- 
cgit