QUIC: avoided pool usage in token calculation.

4 files changed, 32 insertions, 20 deletions

diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
index c656c527e..ee64d555e 100644
--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -1009,10 +1009,14 @@ ngx_quic_send_retry(ngx_connection_t *c, ngx_quic_conf_t *conf,
 
     u_char             buf[NGX_QUIC_RETRY_BUFFER_SIZE];
     u_char             dcid[NGX_QUIC_SERVER_CID_LEN];
+    u_char             tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
 
     expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME;
 
-    if (ngx_quic_new_token(c, c->sockaddr, c->socklen, conf->av_token_key,
+    token.data = tbuf;
+    token.len = NGX_QUIC_TOKEN_BUF_SIZE;
+
+    if (ngx_quic_new_token(c->log, c->sockaddr, c->socklen, conf->av_token_key,
                            &token, &inpkt->dcid, expires, 1)
         != NGX_OK)
     {
@@ -1075,11 +1079,16 @@ ngx_quic_send_new_token(ngx_connection_t *c, ngx_quic_path_t *path)
     ngx_quic_frame_t       *frame;
     ngx_quic_connection_t  *qc;
 
+    u_char                  tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
+
     qc = ngx_quic_get_connection(c);
 
     expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
 
-    if (ngx_quic_new_token(c, path->sockaddr, path->socklen,
+    token.data = tbuf;
+    token.len = NGX_QUIC_TOKEN_BUF_SIZE;
+
+    if (ngx_quic_new_token(c->log, path->sockaddr, path->socklen,
                            qc->conf->av_token_key, &token, NULL, expires, 0)
         != NGX_OK)
     {
diff --git a/src/event/quic/ngx_event_quic_tokens.c b/src/event/quic/ngx_event_quic_tokens.c
index b91134516..aeea2ed03 100644
--- a/src/event/quic/ngx_event_quic_tokens.c
+++ b/src/event/quic/ngx_event_quic_tokens.c
@@ -11,14 +11,6 @@
 #include <ngx_event_quic_connection.h>
 
 
-#define NGX_QUIC_MAX_TOKEN_SIZE              64
-    /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
-
-/* RFC 3602, 2.1 and 2.4 for AES-CBC block size and IV length */
-#define NGX_QUIC_AES_256_CBC_IV_LEN          16
-#define NGX_QUIC_AES_256_CBC_BLOCK_SIZE      16
-
-
 static void ngx_quic_address_hash(struct sockaddr *sockaddr, socklen_t socklen,
     ngx_uint_t no_port, u_char buf[20]);
 
@@ -48,7 +40,7 @@ ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, u_char *secret,
 
 
 ngx_int_t
-ngx_quic_new_token(ngx_connection_t *c, struct sockaddr *sockaddr,
+ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
     socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
     time_t exp, ngx_uint_t is_retry)
 {
@@ -80,9 +72,9 @@ ngx_quic_new_token(ngx_connection_t *c, struct sockaddr *sockaddr,
     cipher = EVP_aes_256_cbc();
     iv_len = NGX_QUIC_AES_256_CBC_IV_LEN;
 
-    token->len = iv_len + len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE;
-    token->data = ngx_pnalloc(c->pool, token->len);
-    if (token->data == NULL) {
+    if ((size_t) (iv_len + len + NGX_QUIC_AES_256_CBC_BLOCK_SIZE) > token->len)
+    {
+        ngx_log_error(NGX_LOG_ALERT, log, 0, "quic token buffer is too small");
         return NGX_ERROR;
     }
 
@@ -119,7 +111,7 @@ ngx_quic_new_token(ngx_connection_t *c, struct sockaddr *sockaddr,
     EVP_CIPHER_CTX_free(ctx);
 
 #ifdef NGX_QUIC_DEBUG_PACKETS
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
                    "quic new token len:%uz %xV", token->len, token);
 #endif
 
@@ -268,10 +260,8 @@ ngx_quic_validate_token(ngx_connection_t *c, u_char *key,
 
     if (odcid.len) {
         pkt->odcid.len = odcid.len;
-        pkt->odcid.data = ngx_pstrdup(c->pool, &odcid);
-        if (pkt->odcid.data == NULL) {
-            return NGX_ERROR;
-        }
+        pkt->odcid.data = pkt->odcid_buf;
+        ngx_memcpy(pkt->odcid.data, odcid.data, odcid.len);
 
     } else {
         pkt->odcid = pkt->dcid;
diff --git a/src/event/quic/ngx_event_quic_tokens.h b/src/event/quic/ngx_event_quic_tokens.h
index 25be94d65..4a40f7b3a 100644
--- a/src/event/quic/ngx_event_quic_tokens.h
+++ b/src/event/quic/ngx_event_quic_tokens.h
@@ -12,9 +12,21 @@
 #include <ngx_core.h>
 
 
+#define NGX_QUIC_MAX_TOKEN_SIZE              64
+    /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
+
+/* RFC 3602, 2.1 and 2.4 for AES-CBC block size and IV length */
+#define NGX_QUIC_AES_256_CBC_IV_LEN          16
+#define NGX_QUIC_AES_256_CBC_BLOCK_SIZE      16
+
+#define NGX_QUIC_TOKEN_BUF_SIZE             (NGX_QUIC_AES_256_CBC_IV_LEN      \
+                                             + NGX_QUIC_MAX_TOKEN_SIZE        \
+                                             + NGX_QUIC_AES_256_CBC_BLOCK_SIZE)
+
+
 ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
     u_char *secret, u_char *token);
-ngx_int_t ngx_quic_new_token(ngx_connection_t *c, struct sockaddr *sockaddr,
+ngx_int_t ngx_quic_new_token(ngx_log_t *log, struct sockaddr *sockaddr,
     socklen_t socklen, u_char *key, ngx_str_t *token, ngx_str_t *odcid,
     time_t expires, ngx_uint_t is_retry);
 ngx_int_t ngx_quic_validate_token(ngx_connection_t *c,
diff --git a/src/event/quic/ngx_event_quic_transport.h b/src/event/quic/ngx_event_quic_transport.h
index a512ad802..6f95f85ad 100644
--- a/src/event/quic/ngx_event_quic_transport.h
+++ b/src/event/quic/ngx_event_quic_transport.h
@@ -322,6 +322,7 @@ typedef struct {
 
     /* cleartext fields */
     ngx_str_t                                   odcid; /* retry packet tag */
+    u_char                                      odcid_buf[NGX_QUIC_MAX_CID_LEN];
     ngx_str_t                                   dcid;
     ngx_str_t                                   scid;
     uint64_t                                    pn;