nginx: src/event/quic/ngx_event_quic

annotate src/event/quic/ngx_event_quic_protection.h @ 9177:22d110af473c

QUIC: removed key field from ngx_quic_secret_t. It is made local as it is only needed now when creating crypto context. BoringSSL lacks EVP interface for ChaCha20, providing instead a function for one-shot encryption, thus hp is still preserved. Based on a patch by Roman Arutyunyan.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Fri, 20 Oct 2023 18:05:07 +0400
parents	8dacf87e4007
children

rev	line source
8221 69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	1
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	2 /*
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	3 * Copyright (C) Nginx, Inc.
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	4 */
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	5
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	6
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	7 #ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	8 #define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	9
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	10
8347 a5141e6b3214 Fixed includes in quic headers. Roman Arutyunyan <arut@nginx.com> parents: 8339 diff changeset	11 #include <ngx_config.h>
a5141e6b3214 Fixed includes in quic headers. Roman Arutyunyan <arut@nginx.com> parents: 8339 diff changeset	12 #include <ngx_core.h>
a5141e6b3214 Fixed includes in quic headers. Roman Arutyunyan <arut@nginx.com> parents: 8339 diff changeset	13
8694 cef042935003 QUIC: the "quic_host_key" directive. Vladimir Homutov <vl@nginx.com> parents: 8673 diff changeset	14 #include <ngx_event_quic_transport.h>
cef042935003 QUIC: the "quic_host_key" directive. Vladimir Homutov <vl@nginx.com> parents: 8673 diff changeset	15
8347 a5141e6b3214 Fixed includes in quic headers. Roman Arutyunyan <arut@nginx.com> parents: 8339 diff changeset	16
8306 058a5af7ddfc Refactored QUIC secrets storage. Vladimir Homutov <vl@nginx.com> parents: 8303 diff changeset	17 #define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)
058a5af7ddfc Refactored QUIC secrets storage. Vladimir Homutov <vl@nginx.com> parents: 8303 diff changeset	18
9128 756ab66de10e QUIC: TLS_AES_128_CCM_SHA256 cipher suite support. Roman Arutyunyan <arut@nginx.com> parents: 9126 diff changeset	19 /* RFC 5116, 5.1/5.3 and RFC 8439, 2.3/2.5 for all supported ciphers */
9025 e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	20 #define NGX_QUIC_IV_LEN 12
9126 29a6c0e11f75 QUIC: a new constant for AEAD tag length. Roman Arutyunyan <arut@nginx.com> parents: 9080 diff changeset	21 #define NGX_QUIC_TAG_LEN 16
8306 058a5af7ddfc Refactored QUIC secrets storage. Vladimir Homutov <vl@nginx.com> parents: 8303 diff changeset	22
9025 e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	23 /* largest hash used in TLS is SHA-384 */
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	24 #define NGX_QUIC_MAX_MD_SIZE 48
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	25
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	26
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	27 #ifdef OPENSSL_IS_BORINGSSL
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	28 #define ngx_quic_cipher_t EVP_AEAD
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	29 #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	30 #else
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	31 #define ngx_quic_cipher_t EVP_CIPHER
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	32 #define ngx_quic_crypto_ctx_t EVP_CIPHER_CTX
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	33 #endif
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	34
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	35
9025 e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	36 typedef struct {
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	37 size_t len;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	38 u_char data[NGX_QUIC_MAX_MD_SIZE];
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	39 } ngx_quic_md_t;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	40
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	41
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	42 typedef struct {
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	43 size_t len;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	44 u_char data[NGX_QUIC_IV_LEN];
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	45 } ngx_quic_iv_t;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	46
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	47
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	48 typedef struct {
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	49 ngx_quic_md_t secret;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	50 ngx_quic_iv_t iv;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	51 ngx_quic_md_t hp;
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	52 ngx_quic_crypto_ctx_t *ctx;
9174 31702c53d2db QUIC: reusing crypto contexts for header protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9172 diff changeset	53 EVP_CIPHER_CTX *hp_ctx;
9025 e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	54 } ngx_quic_secret_t;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	55
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	56
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	57 typedef struct {
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	58 ngx_quic_secret_t client;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	59 ngx_quic_secret_t server;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	60 } ngx_quic_secrets_t;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	61
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	62
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	63 struct ngx_quic_keys_s {
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	64 ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST];
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	65 ngx_quic_secrets_t next_key;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	66 ngx_uint_t cipher;
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	67 };
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	68
e50f77a2d0b0 QUIC: removed ngx_quic_keys_new(). Vladimir Homutov <vl@nginx.com> parents: 9024 diff changeset	69
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	70 typedef struct {
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	71 const ngx_quic_cipher_t *c;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	72 const EVP_CIPHER *hp;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	73 const EVP_MD *d;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	74 } ngx_quic_ciphers_t;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	75
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	76
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	77 typedef struct {
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	78 size_t out_len;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	79 u_char *out;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	80
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	81 size_t prk_len;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	82 const uint8_t *prk;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	83
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	84 size_t label_len;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	85 const u_char *label;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	86 } ngx_quic_hkdf_t;
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	87
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	88 #define ngx_quic_hkdf_set(seq, _label, _out, _prk) \
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	89 (seq)->out_len = (_out)->len; (seq)->out = (_out)->data; \
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	90 (seq)->prk_len = (_prk)->len, (seq)->prk = (_prk)->data, \
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	91 (seq)->label_len = (sizeof(_label) - 1); (seq)->label = (u_char *)(_label);
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	92
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	93
9024 f2925c80401c QUIC: avoided pool usage in ngx_quic_protection.c. Vladimir Homutov <vl@nginx.com> parents: 8980 diff changeset	94 ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys,
f2925c80401c QUIC: avoided pool usage in ngx_quic_protection.c. Vladimir Homutov <vl@nginx.com> parents: 8980 diff changeset	95 ngx_str_t secret, ngx_log_t log);
f2925c80401c QUIC: avoided pool usage in ngx_quic_protection.c. Vladimir Homutov <vl@nginx.com> parents: 8980 diff changeset	96 ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_log_t *log,
8926 3341e4089c6c QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes. Sergey Kandaurov <pluknet@nginx.com> parents: 8755 diff changeset	97 ngx_uint_t is_write, ngx_quic_keys_t *keys,
3341e4089c6c QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes. Sergey Kandaurov <pluknet@nginx.com> parents: 8755 diff changeset	98 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
3341e4089c6c QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes. Sergey Kandaurov <pluknet@nginx.com> parents: 8755 diff changeset	99 const uint8_t *secret, size_t secret_len);
8621 9c3be23ddbe7 QUIC: refactored key handling. Sergey Kandaurov <pluknet@nginx.com> parents: 8562 diff changeset	100 ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
9168 ff98ae7d261e QUIC: split keys availability checks to read and write sides. Sergey Kandaurov <pluknet@nginx.com> parents: 9152 diff changeset	101 enum ssl_encryption_level_t level, ngx_uint_t is_write);
8621 9c3be23ddbe7 QUIC: refactored key handling. Sergey Kandaurov <pluknet@nginx.com> parents: 8562 diff changeset	102 void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
8702 d4e02b3b734f QUIC: fixed indentation. Sergey Kandaurov <pluknet@nginx.com> parents: 8694 diff changeset	103 enum ssl_encryption_level_t level);
8621 9c3be23ddbe7 QUIC: refactored key handling. Sergey Kandaurov <pluknet@nginx.com> parents: 8562 diff changeset	104 void ngx_quic_keys_switch(ngx_connection_t c, ngx_quic_keys_t keys);
9152 2880f60a80c3 QUIC: posted generating TLS Key Update next keys. Sergey Kandaurov <pluknet@nginx.com> parents: 9128 diff changeset	105 void ngx_quic_keys_update(ngx_event_t *ev);
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	106 void ngx_quic_keys_cleanup(ngx_quic_keys_t *keys);
8621 9c3be23ddbe7 QUIC: refactored key handling. Sergey Kandaurov <pluknet@nginx.com> parents: 8562 diff changeset	107 ngx_int_t ngx_quic_encrypt(ngx_quic_header_t pkt, ngx_str_t res);
9c3be23ddbe7 QUIC: refactored key handling. Sergey Kandaurov <pluknet@nginx.com> parents: 8562 diff changeset	108 ngx_int_t ngx_quic_decrypt(ngx_quic_header_t pkt, uint64_t largest_pn);
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	109 void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
9176 8dacf87e4007 QUIC: simplified ngx_quic_ciphers() API. Sergey Kandaurov <pluknet@nginx.com> parents: 9174 diff changeset	110 ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers);
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	111 ngx_int_t ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher,
9177 22d110af473c QUIC: removed key field from ngx_quic_secret_t. Sergey Kandaurov <pluknet@nginx.com> parents: 9176 diff changeset	112 ngx_quic_secret_t s, ngx_quic_md_t key, ngx_int_t enc, ngx_log_t *log);
9172 4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	113 ngx_int_t ngx_quic_crypto_seal(ngx_quic_secret_t s, ngx_str_t out,
4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	114 u_char nonce, ngx_str_t in, ngx_str_t ad, ngx_log_t log);
4ccb0d973206 QUIC: reusing crypto contexts for packet protection. Sergey Kandaurov <pluknet@nginx.com> parents: 9171 diff changeset	115 void ngx_quic_crypto_cleanup(ngx_quic_secret_t *s);
9080 7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	116 ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t hkdf, const EVP_MD digest,
7da4791e0264 QUIC: OpenSSL compatibility layer. Roman Arutyunyan <arut@nginx.com> parents: 9025 diff changeset	117 ngx_log_t *log);
8221 69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	118
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	119
69345a26ba69 Split transport and crypto parts into separate files. Vladimir Homutov <vl@nginx.com> parents: diff changeset	120 #endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */

Mercurial > hg > nginx

annotate src/event/quic/ngx_event_quic_protection.h @ 9177:22d110af473c