annotate src/event/quic/ngx_event_quic_openssl_compat.c @ 9196:6c8595b77e66
QUIC: path aware in-flight bytes accounting.
On-packet acknowledgement is made path aware, as per RFC 9000, Section 9.4:
Packets sent on the old path MUST NOT contribute to congestion control
or RTT estimation for the new path.
To make this possible in a single congestion control context, the first packet
to be sent after the new path has been validated, which includes resetting the
congestion controller and RTT estimator, is now remembered in the connection.
Packets sent previously, such as on the old path, are not taken into account.
Note that although the packet number is saved per-connection, the added checks
affect application level packets only. For non-application level packets,
which are only processed before the handshake is complete, the remembered
packet number remains set to zero.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 12 Dec 2023 20:21:12 +0400 |
parents | b74f891053c7 |
/*
 * Copyright (C) Nginx, Inc.
 */


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
#include <ngx_event_quic_connection.h>


#if (NGX_QUIC_OPENSSL_COMPAT)

/*
 * OpenSSL compatibility layer for QUIC.  Instead of a native QUIC TLS API
 * this file recovers the traffic secrets from the SSL_CTX keylog callback,
 * carries transport parameters in a custom TLS extension, and exchanges
 * handshake messages with OpenSSL as synthetic TLS records (see
 * ngx_quic_compat_create_record(), defined below this excerpt).
 */

/*
 * size bound for the synthetic TLS records built by
 * ngx_quic_compat_create_record(); how it is applied is outside this
 * excerpt -- confirm against that definition
 */
#define NGX_QUIC_COMPAT_RECORD_SIZE       1024

/* quic_transport_parameters TLS extension type (RFC 9001, Section 8.2) */
#define NGX_QUIC_COMPAT_SSL_TP_EXT        0x39

/*
 * NSS key log labels delivered through SSL_CTX_set_keylog_callback().
 * Only these four are consumed by ngx_quic_compat_keylog_callback();
 * CLIENT_EARLY_TRAFFIC_SECRET is not among them, so 0-RTT secrets are
 * ignored on this path.
 */
#define NGX_QUIC_COMPAT_CLIENT_HANDSHAKE  "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
#define NGX_QUIC_COMPAT_SERVER_HANDSHAKE  "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define NGX_QUIC_COMPAT_CLIENT_APPLICATION "CLIENT_TRAFFIC_SECRET_0"
#define NGX_QUIC_COMPAT_SERVER_APPLICATION "SERVER_TRAFFIC_SECRET_0"
/*
 * Key material for one encryption level, filled in for the read side by
 * ngx_quic_compat_set_encryption_secret() from the keylog callback.
 */
typedef struct {
    ngx_quic_secret_t             secret;
    ngx_uint_t                    cipher;  /* cipher id, not an SSL_CIPHER
                                              pointer -- see the setter */
} ngx_quic_compat_keys_t;
/*
 * One synthetic TLS record handed to OpenSSL; built by
 * ngx_quic_compat_create_header()/ngx_quic_compat_create_record()
 * (defined below this excerpt).
 */
typedef struct {
    ngx_log_t                    *log;

    u_char                        type;     /* TLS record content type --
                                               confirm in create_header() */
    ngx_str_t                     payload;
    uint64_t                      number;   /* record sequence number;
                                               presumably the AEAD nonce
                                               input -- verify */
    ngx_quic_compat_keys_t       *keys;

    enum ssl_encryption_level_t   level;
} ngx_quic_compat_record_t;
/* per-connection state of the compatibility layer (qc->compat) */
struct ngx_quic_compat_s {
    /* QUIC-method callbacks (set_read_secret/set_write_secret, ...) */
    const SSL_QUIC_METHOD        *method;

    /* level of the most recently delivered write secret */
    enum ssl_encryption_level_t   write_level;

    /* record counter; reset to 0 whenever a new read secret is installed */
    uint64_t                      read_record;

    /* read-side (peer) keys derived in the keylog callback */
    ngx_quic_compat_keys_t        keys;

    /*
     * transport parameters: tp is presumably the local set sent in the
     * custom extension, ctp the client's set as parsed -- neither use
     * is visible in this excerpt
     */
    ngx_str_t                     tp;
    ngx_str_t                     ctp;
};
/*
 * Forward declarations.  The keylog and custom-extension callbacks are
 * installed on the SSL_CTX by ngx_quic_compat_init(); the remaining
 * helpers are defined further down, outside this excerpt.
 */

static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line);
static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
static void ngx_quic_compat_cleanup_encryption_secret(void *data);
static int ngx_quic_compat_add_transport_params_callback(SSL *ssl,
    unsigned int ext_type, unsigned int context, const unsigned char **out,
    size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg);
static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl,
    unsigned int ext_type, unsigned int context, const unsigned char *in,
    size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg);
static void ngx_quic_compat_message_callback(int write_p, int version,
    int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec,
    u_char *out, ngx_uint_t plain);
static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec,
    ngx_str_t *res);
/*
 * Prepares an SSL_CTX for the compatibility layer: routes TLS secrets to
 * ngx_quic_compat_keylog_callback() and registers the
 * quic_transport_parameters extension for ClientHello and
 * EncryptedExtensions.  Returns NGX_OK, or NGX_ERROR (logged at EMERG
 * on cf->log) if the extension cannot be registered.
 */
ngx_int_t
ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx)
{
    unsigned int  context;

    /*
     * an SSL_CTX has a single keylog slot, so this replaces any callback
     * installed earlier; the callback itself ignores non-QUIC connections
     */
    SSL_CTX_set_keylog_callback(ctx, ngx_quic_compat_keylog_callback);

    /* the context may be initialized more than once; the extension is not */
    if (SSL_CTX_has_client_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT)) {
        return NGX_OK;
    }

    context = SSL_EXT_CLIENT_HELLO|SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;

    if (!SSL_CTX_add_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT, context,
                                ngx_quic_compat_add_transport_params_callback,
                                NULL, NULL,
                                ngx_quic_compat_parse_transport_params_callback,
                                NULL))
    {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "SSL_CTX_add_custom_ext() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
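/*
 * Keylog callback: parses an NSS key log line ("<label> <client_random>
 * <hex secret>") and forwards the secret to the QUIC method callbacks.
 * Client labels are the server's read side, server labels its write side;
 * any other label (e.g. CLIENT_EARLY_TRAFFIC_SECRET) is ignored.
 *
 * Compared to the previous revision, a dangling hex nibble or an empty
 * secret is rejected instead of being silently truncated, and the stack
 * copy of the secret is wiped on every exit path, not only on success.
 */
static void
ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line)
{
    u_char                        ch, *p, *start, value;
    size_t                        n;
    ngx_uint_t                    write;
    const SSL_CIPHER             *cipher;
    ngx_quic_compat_t            *com;
    ngx_connection_t             *c;
    ngx_quic_connection_t        *qc;
    enum ssl_encryption_level_t   level;
    u_char                        secret[EVP_MAX_MD_SIZE];

    c = ngx_ssl_get_connection(ssl);
    if (c->type != SOCK_DGRAM) {
        /* the SSL_CTX may also serve TCP listeners; only QUIC is handled */
        return;
    }

    p = (u_char *) line;

    /* first token: the secret label */

    for (start = p; *p && *p != ' '; p++);

    n = p - start;

    /*
     * only the label is logged; the client_random and the hex-encoded
     * secret that follow on the same line must never reach the log
     */

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic compat secret %*s", n, start);

    if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_HANDSHAKE) - 1
        && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_HANDSHAKE, n) == 0)
    {
        /* the client's traffic secret protects what the server reads */
        level = ssl_encryption_handshake;
        write = 0;

    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_HANDSHAKE) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_HANDSHAKE, n) == 0)
    {
        level = ssl_encryption_handshake;
        write = 1;

    } else if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_APPLICATION) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_APPLICATION, n)
                  == 0)
    {
        level = ssl_encryption_application;
        write = 0;

    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_APPLICATION) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_APPLICATION, n)
                  == 0)
    {
        level = ssl_encryption_application;
        write = 1;

    } else {
        /* early data, exporter and unknown labels are not used */
        return;
    }

    if (*p++ == '\0') {
        /* truncated line; nothing has been decoded into secret yet */
        return;
    }

    /* second token: client_random, not needed */

    for ( /* void */ ; *p && *p != ' '; p++);

    if (*p++ == '\0') {
        return;
    }

    /* third token: the secret, two hex characters per byte */

    for (n = 0, start = p; *p; p++) {
        ch = *p;

        if (ch >= '0' && ch <= '9') {
            value = ch - '0';
            goto next;
        }

        ch = (u_char) (ch | 0x20);

        if (ch >= 'a' && ch <= 'f') {
            value = ch - 'a' + 10;
            goto next;
        }

        ngx_log_error(NGX_LOG_EMERG, c->log, 0,
                      "invalid OpenSSL QUIC secret format");
        goto failed;

    next:

        if ((p - start) % 2) {
            /* low nibble completes the byte started on the even position */
            secret[n++] += value;

        } else {
            if (n >= EVP_MAX_MD_SIZE) {
                ngx_log_error(NGX_LOG_EMERG, c->log, 0,
                              "too big OpenSSL QUIC secret");
                goto failed;
            }

            secret[n] = (value << 4);
        }
    }

    if (n == 0 || (p - start) % 2) {
        /*
         * an empty secret or an odd number of hex digits: the trailing
         * high nibble sits in secret[n] but is not counted, so the line
         * is malformed rather than merely short
         */
        ngx_log_error(NGX_LOG_EMERG, c->log, 0,
                      "invalid OpenSSL QUIC secret format");
        goto failed;
    }

    qc = ngx_quic_get_connection(c);
    com = qc->compat;
    cipher = SSL_get_current_cipher(ssl);

    if (write) {
        com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n);
        com->write_level = level;

    } else {
        com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
        com->read_record = 0;

        /*
         * the result is dropped: a keylog callback has no way to report
         * failure to OpenSSL; presumably the callee logs the error and the
         * connection fails once records cannot be protected -- confirm
         * against its definition (outside this excerpt)
         */
        (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level,
                                                     cipher, secret, n);
    }

    ngx_explicit_memzero(secret, n);

    return;

failed:

    /* wipe whatever was decoded before the error was detected */

    ngx_explicit_memzero(secret, sizeof(secret));
}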
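/*
 * Derives the packet protection key and IV for one encryption level from a
 * TLS 1.3 traffic secret handed over by OpenSSL and (re)initializes the
 * crypto context kept in keys->secret.
 *
 * c           connection providing the pool and log
 * keys        per-level compat keys; keys->cipher and keys->secret are written
 * level       encryption level (not used here)
 * cipher      negotiated TLS cipher
 * secret      traffic secret of secret_len bytes; read only, wiping it is
 *             the caller's job
 *
 * Returns NGX_OK, or NGX_ERROR on an unknown cipher, an HKDF failure, a
 * failed pool cleanup registration or a failed crypto context setup.
 *
 * The derived key lives on the stack only for the duration of this call and
 * is explicitly wiped on every exit taken after it has been set up, failure
 * paths included.
 */
static ngx_int_t
ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
{
    ngx_int_t            key_len;
    ngx_str_t            secret_str;
    ngx_uint_t           i;
    ngx_quic_md_t        key;
    ngx_quic_hkdf_t      seq[2];
    ngx_quic_secret_t   *peer_secret;
    ngx_quic_ciphers_t   ciphers;
    ngx_pool_cleanup_t  *cln;

    peer_secret = &keys->secret;

    keys->cipher = SSL_CIPHER_get_id(cipher);

    key_len = ngx_quic_ciphers(keys->cipher, &ciphers);

    if (key_len == NGX_ERROR) {
        /* nothing derived yet, so there is nothing to wipe */
        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
        return NGX_ERROR;
    }

    key.len = key_len;

    peer_secret->iv.len = NGX_QUIC_IV_LEN;

    secret_str.len = secret_len;
    secret_str.data = (u_char *) secret;

    /* HKDF expansion with the TLS 1.3 "key" and "iv" labels */

    ngx_quic_hkdf_set(&seq[0], "tls13 key", &key, &secret_str);
    ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str);

    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
            goto failed;
        }
    }

    /* register cleanup handler once */

    if (peer_secret->ctx) {
        /* a context already exists from an earlier call: release it first */
        ngx_quic_crypto_cleanup(peer_secret);

    } else {
        cln = ngx_pool_cleanup_add(c->pool, 0);
        if (cln == NULL) {
            goto failed;
        }

        cln->handler = ngx_quic_compat_cleanup_encryption_secret;
        cln->data = peer_secret;
    }

    if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log)
        == NGX_ERROR)
    {
        goto failed;
    }

    ngx_explicit_memzero(key.data, key.len);

    return NGX_OK;

failed:

    /* do not leave (possibly partially) derived key material on the stack */
    ngx_explicit_memzero(key.data, key.len);

    return NGX_ERROR;
}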
292 |
293 |
/*
 * Pool cleanup handler registered by ngx_quic_compat_set_encryption_secret().
 * data is the ngx_quic_secret_t whose crypto context it hands to
 * ngx_quic_crypto_cleanup() when the connection pool is destroyed.
 */
static void
ngx_quic_compat_cleanup_encryption_secret(void *data)
{
    ngx_quic_crypto_cleanup((ngx_quic_secret_t *) data);
}
301 |
302 |
/*
 * OpenSSL custom extension "add" callback for the QUIC transport parameters
 * extension.  Points OpenSSL at the locally encoded transport parameters
 * kept in the compat state (com->tp); the buffer stays owned by nginx.
 *
 * Returns 1 to include the extension and 0 to omit it, which is what
 * happens for non-QUIC connections.  The other parameters are dictated by
 * the OpenSSL callback signature and are not used.
 */
static int
ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type,
    unsigned int context, const unsigned char **out, size_t *outlen, X509 *x,
    size_t chainidx, int *al, void *add_arg)
{
    ngx_connection_t   *c;
    ngx_quic_compat_t  *com;

    c = ngx_ssl_get_connection(ssl);

    if (c->type != SOCK_DGRAM) {
        /* not a QUIC (UDP) connection: nothing to add */
        return 0;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic compat add transport params");

    /* assumes com->tp was encoded before the handshake began - not visible here */
    com = ngx_quic_get_connection(c)->compat;

    *out = com->tp.data;
    *outlen = com->tp.len;

    return 1;
}
328 |
329 |
/*
 * OpenSSL custom extension "parse" callback for the QUIC transport parameters
 * extension.  Copies the peer's raw, still unvalidated transport parameters
 * into the connection pool and publishes them as com->ctp; presumably they
 * are decoded later by the QUIC layer.
 *
 * Returns 1 on success, 0 for non-QUIC connections or when the pool
 * allocation fails.  The other parameters are dictated by the OpenSSL
 * callback signature and are not used.
 */
static int
ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type,
    unsigned int context, const unsigned char *in, size_t inlen, X509 *x,
    size_t chainidx, int *al, void *parse_arg)
{
    u_char             *copy;
    ngx_connection_t   *c;
    ngx_quic_compat_t  *com;

    c = ngx_ssl_get_connection(ssl);

    if (c->type != SOCK_DGRAM) {
        return 0;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic compat parse transport params");

    /*
     * keep a pool-owned copy so the parameters stay available after the
     * callback returns, independently of OpenSSL's handshake buffers
     */

    copy = ngx_pnalloc(c->pool, inlen);
    if (copy == NULL) {
        /*
         * NOTE(review): *al is left untouched on this failure; confirm the
         * alert OpenSSL sends by default is the intended one
         */
        return 0;
    }

    ngx_memcpy(copy, in, inlen);

    com = ngx_quic_get_connection(c)->compat;

    com->ctp.data = copy;
    com->ctp.len = inlen;

    return 1;
}
363 |
364 |
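/*
 * Compat implementation of SSL_set_quic_method() for OpenSSL builds without
 * native QUIC support: allocates the per-connection compat state, stores the
 * QUIC method callbacks in it and rewires the SSL object so that the
 * handshake runs without a socket - a memory BIO on the read side, a null
 * BIO on the write side, with outgoing records captured through
 * ngx_quic_compat_message_callback() instead.
 *
 * Returns 1 on success and 0 on allocation failure, like the OpenSSL API it
 * stands in for.  Nothing is left half-initialized on failure: a read BIO
 * already allocated when the write BIO cannot be created is freed again.
 */
int
SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
{
    BIO                    *rbio, *wbio;
    ngx_connection_t       *c;
    ngx_quic_compat_t      *com;
    ngx_quic_connection_t  *qc;

    c = ngx_ssl_get_connection(ssl);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat set method");

    qc = ngx_quic_get_connection(c);

    qc->compat = ngx_pcalloc(c->pool, sizeof(ngx_quic_compat_t));
    if (qc->compat == NULL) {
        return 0;
    }

    com = qc->compat;
    com->method = quic_method;

    rbio = BIO_new(BIO_s_mem());
    if (rbio == NULL) {
        return 0;
    }

    wbio = BIO_new(BIO_s_null());
    if (wbio == NULL) {
        /* rbio is not yet owned by ssl: release it to avoid a leak */
        BIO_free(rbio);
        return 0;
    }

    /* ownership of both BIOs passes to ssl */
    SSL_set_bio(ssl, rbio, wbio);

    SSL_set_msg_callback(ssl, ngx_quic_compat_message_callback);

    /* early data is not supported */
    SSL_set_max_early_data(ssl, 0);

    return 1;
}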
406 |
407 |
408 static void |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
409 ngx_quic_compat_message_callback(int write_p, int version, int content_type, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
410 const void *buf, size_t len, SSL *ssl, void *arg) |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
411 { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
412 ngx_uint_t alert; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
413 ngx_connection_t *c; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
414 ngx_quic_compat_t *com; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
415 ngx_quic_connection_t *qc; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
416 enum ssl_encryption_level_t level; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
417 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
418 if (!write_p) { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
419 return; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
420 } |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
421 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
422 c = ngx_ssl_get_connection(ssl); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
423 qc = ngx_quic_get_connection(c); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
424 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
425 if (qc == NULL) { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
426 /* closing */ |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
427 return; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
428 } |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
429 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
430 com = qc->compat; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
431 level = com->write_level; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
432 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
433 switch (content_type) { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
434 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
435 case SSL3_RT_HANDSHAKE: |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
436 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
437 "quic compat tx %s len:%uz ", |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
438 ngx_quic_level_name(level), len); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
439 |
9164
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
440 if (com->method->add_handshake_data(ssl, level, buf, len) != 1) { |
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
441 goto failed; |
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
442 } |
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
443 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
444 break; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
445 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
446 case SSL3_RT_ALERT: |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
447 if (len >= 2) { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
448 alert = ((u_char *) buf)[1]; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
449 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
450 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
451 "quic compat %s alert:%ui len:%uz ", |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
452 ngx_quic_level_name(level), alert, len); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
453 |
9164
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
454 if (com->method->send_alert(ssl, level, alert) != 1) { |
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
455 goto failed; |
3db945fda515
QUIC: handle callback errors in compat.
Vladimir Khomutov <vl@inspert.ru>
parents:
9157
diff
changeset
|
456 } |
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
457 } |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
458 |
459 break; |
460 } |
461 |
462 return; |
463 |
464 failed: |
465 |
466 ngx_post_event(&qc->close, &ngx_posted_events); |
467 } |
468 |
469 |
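/*
 * SSL_provide_quic_data() - emulation of the BoringSSL/quictls QUIC API for
 * an OpenSSL build that has no native QUIC support.
 *
 * Feeds CRYPTO frame payload received at encryption level "level" into the
 * SSL object's read BIO as a sequence of TLS records, so that OpenSSL's
 * ordinary record layer can consume them:
 *
 *   - at the Initial level the data is written as plaintext handshake
 *     records: a 5-byte record header followed by the raw bytes;
 *   - at every other level each chunk is wrapped as a TLS 1.3 protected
 *     record: the inner content type is appended to the payload, the result
 *     is sealed with the current compat keys under a nonce derived from a
 *     per-connection record counter, and written as application_data.
 *
 * ssl   - the SSL object bound to a QUIC connection
 * level - encryption level the data arrived at
 * data  - CRYPTO payload; only read, never retained past the call
 * len   - number of bytes at data
 *
 * Returns 1 on success and 0 on failure, as the emulated API expects.  After
 * a failure the read BIO may hold a truncated record, so the caller is
 * expected to abandon the handshake rather than retry.
 */
int
SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
    const uint8_t *data, size_t len)
{
    BIO                      *rbio;
    size_t                    n;
    u_char                   *p;
    ngx_str_t                 res;
    ngx_connection_t         *c;
    ngx_quic_compat_t        *com;
    ngx_quic_connection_t    *qc;
    ngx_quic_compat_record_t  rec;

    /* one chunk of payload plus the appended inner content type byte */
    u_char                    in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];

    /* the same chunk framed: record header in front, AEAD tag at the end */
    u_char                    out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
                                  + SSL3_RT_HEADER_LENGTH
                                  + NGX_QUIC_TAG_LEN];

    c = ngx_ssl_get_connection(ssl);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz",
                   ngx_quic_level_name(level), len);

    qc = ngx_quic_get_connection(c);
    com = qc->compat;
    rbio = SSL_get_rbio(ssl);

    while (len) {
        ngx_memzero(&rec, sizeof(ngx_quic_compat_record_t));

        rec.type = SSL3_RT_HANDSHAKE;
        rec.log = c->log;

        /*
         * The record counter feeds the AEAD nonce in
         * ngx_quic_compat_create_record().  It is advanced for every record,
         * plaintext ones included, so no two protected records are sealed
         * under the same key with the same nonce.  It has to mirror
         * OpenSSL's own read sequence number for the current key; any reset
         * on a key change is handled outside this function.
         */
        rec.number = com->read_record++;
        rec.keys = &com->keys;
        rec.level = level;

        if (level == ssl_encryption_initial) {
            /*
             * 65535 is the largest value the 16-bit record length field can
             * carry; whether OpenSSL's record layer accepts a plaintext
             * record of that size is decided on its side, not here.
             */
            n = ngx_min(len, 65535);

            rec.payload.len = n;
            rec.payload.data = (u_char *) data;

            ngx_quic_compat_create_header(&rec, out, 1);

            /*
             * BIO_write() signals a failed or short write by returning
             * something other than the requested length.  Claiming success
             * after that would leave a truncated record in the BIO and a
             * handshake that stalls without any error, so fail the call and
             * let the caller tear the connection down instead.
             */
            if (BIO_write(rbio, out, SSL3_RT_HEADER_LENGTH)
                != SSL3_RT_HEADER_LENGTH)
            {
                goto failed;
            }

            if (BIO_write(rbio, data, n) != (int) n) {
                goto failed;
            }

#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
            ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "quic compat record len:%uz %*xs%*xs",
                           n + SSL3_RT_HEADER_LENGTH,
                           (size_t) SSL3_RT_HEADER_LENGTH, out, n, data);
#endif

        } else {
            n = ngx_min(len, NGX_QUIC_COMPAT_RECORD_SIZE);

            /* TLS 1.3 inner plaintext: the content followed by its type */
            p = ngx_cpymem(in, data, n);
            *p++ = SSL3_RT_HANDSHAKE;

            rec.payload.len = p - in;
            rec.payload.data = in;

            res.data = out;

            /* seals "in" into "out" and sets res.len to the record size */
            if (ngx_quic_compat_create_record(&rec, &res) != NGX_OK) {
                return 0;
            }

#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "quic compat record len:%uz %xV", res.len, &res);
#endif

            if (BIO_write(rbio, res.data, res.len) != (int) res.len) {
                goto failed;
            }
        }

        data += n;
        len -= n;
    }

    return 1;

failed:

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic compat BIO_write() failed %s len:%uz",
                   ngx_quic_level_name(level), n);

    return 0;
}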
552 |
553 |
/*
 * Writes the 5-byte TLS record header for "rec" into "out" and returns the
 * number of bytes written (always 5).
 *
 * rec   - the record being framed; only rec->type and rec->payload.len
 *         are read
 * out   - destination, at least 5 bytes
 * plain - non-zero for an unprotected record, which keeps rec->type as the
 *         content type and the payload length as is; zero for a protected
 *         record, which is always typed application_data and whose length
 *         field covers the AEAD tag as well
 *
 * The legacy version is fixed at 0x0303 (TLS 1.2), which is what TLS 1.3
 * puts on the wire.  The length field is 16 bits wide; the caller is
 * responsible for never handing in a payload that would not fit (the
 * callers in this file cap chunks well below that).
 */
static size_t
ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out,
    ngx_uint_t plain)
{
    size_t  body_len;

    body_len = rec->payload.len;

    if (plain) {
        out[0] = rec->type;

    } else {
        /* protected records hide the real type inside the ciphertext */
        out[0] = SSL3_RT_APPLICATION_DATA;
        body_len += NGX_QUIC_TAG_LEN;
    }

    out[1] = 0x03;
    out[2] = 0x03;
    out[3] = (u_char) (body_len >> 8);
    out[4] = (u_char) body_len;

    /* header size: type (1) + version (2) + length (2) */
    return 5;
}
579 |
580 |
/*
 * Builds one protected TLS record from rec->payload into res->data.
 *
 * rec - record to seal: payload (already carrying the inner content type),
 *       record number, keys and log
 * res - on entry res->data points at a buffer large enough for the header,
 *       the payload and the AEAD tag; on success res->len is set to the
 *       total record length
 *
 * The record header doubles as the AEAD associated data, exactly as in the
 * TLS 1.3 record layer, so the header is written first and then handed to
 * the seal operation unchanged.  The nonce is the write IV combined with
 * rec->number; the caller guarantees that number is never reused under the
 * same key, which is what keeps the AEAD safe.
 *
 * Returns NGX_OK, or NGX_ERROR if sealing fails.
 */
static ngx_int_t
ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
{
    ngx_str_t           header, body;
    ngx_quic_secret_t  *secret;
    u_char              nonce[NGX_QUIC_IV_LEN];

    /* header goes first and serves as associated data */
    header.data = res->data;
    header.len = ngx_quic_compat_create_header(rec, header.data, 0);

    /* ciphertext follows the header and grows by the tag */
    body.data = header.data + header.len;
    body.len = rec->payload.len + NGX_QUIC_TAG_LEN;

#ifdef NGX_QUIC_DEBUG_CRYPTO
    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, rec->log, 0,
                   "quic compat ad len:%uz %xV", header.len, &header);
#endif

    secret = &rec->keys->secret;

    /*
     * nonce = IV xor record number; the copy assumes secret->iv.len does
     * not exceed NGX_QUIC_IV_LEN, which the key schedule elsewhere is
     * expected to guarantee.
     */
    ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
    ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number);

    if (ngx_quic_crypto_seal(secret, &body, nonce, &rec->payload, &header,
                             rec->log)
        != NGX_OK)
    {
        return NGX_ERROR;
    }

    res->len = header.len + body.len;

    return NGX_OK;
}
614 |
615 |
/*
 * SSL_set_quic_transport_params() - emulation of the QUIC API call that
 * registers the local transport_parameters extension body for the
 * handshake.
 *
 * Unlike a native implementation, this one does not copy: com->tp is made
 * to point at "params" directly, so the buffer must stay valid and
 * unmodified for as long as the SSL object can still emit the extension.
 * Callers in this file are presumed to pass memory tied to the connection's
 * lifetime.
 *
 * Always returns 1.
 */
int
SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
    size_t params_len)
{
    ngx_connection_t       *c;
    ngx_quic_compat_t      *com;
    ngx_quic_connection_t  *qc;

    c = ngx_ssl_get_connection(ssl);
    qc = ngx_quic_get_connection(c);
    com = qc->compat;

    /* borrowed, not copied */
    com->tp.data = (u_char *) params;
    com->tp.len = params_len;

    return 1;
}
633 |
634 |
/*
 * SSL_get_peer_quic_transport_params() - emulation of the QUIC API call
 * that exposes the peer's transport_parameters extension body.
 *
 * Hands out com->ctp as stored by the handshake code: a pointer into the
 * compat state, not a copy, so the caller must not free or outlive it.
 * Before the peer's extension has been parsed com->ctp holds whatever it
 * was initialised to (presumably an empty string); callers should treat a
 * zero length as "not received yet" and parse nothing.
 */
void
SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
    size_t *out_params_len)
{
    ngx_quic_compat_t      *com;
    ngx_connection_t       *c;
    ngx_quic_connection_t  *qc;

    c = ngx_ssl_get_connection(ssl);
    qc = ngx_quic_get_connection(c);
    com = qc->compat;

    *out_params_len = com->ctp.len;
    *out_params = com->ctp.data;
}
650 |
651 #endif /* NGX_QUIC_OPENSSL_COMPAT */ |