Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 8171:4daf03d2bd0a quic
OpenSSL compatibility.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 28 Feb 2020 13:09:51 +0300 |
parents | 53a5cdbe500c |
children | 640a13fc0f83 |
comparison
equal
deleted
inserted
replaced
8170:53a5cdbe500c | 8171:4daf03d2bd0a |
---|---|
95 static int | 95 static int |
96 quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, | 96 quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, |
97 enum ssl_encryption_level_t level, const uint8_t *read_secret, | 97 enum ssl_encryption_level_t level, const uint8_t *read_secret, |
98 const uint8_t *write_secret, size_t secret_len) | 98 const uint8_t *write_secret, size_t secret_len) |
99 { | 99 { |
100 u_char *name; | |
100 size_t *rlen, *wlen; | 101 size_t *rlen, *wlen; |
101 uint8_t **rsec, **wsec; | 102 uint8_t **rsec, **wsec; |
102 const char *name; | |
103 const EVP_MD *digest; | 103 const EVP_MD *digest; |
104 const EVP_AEAD *aead; | 104 #ifdef OPENSSL_IS_BORINGSSL |
105 const EVP_AEAD *evp; | |
106 #else | |
107 const EVP_CIPHER *evp; | |
108 #endif | |
105 ngx_connection_t *c; | 109 ngx_connection_t *c; |
106 | 110 |
107 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 111 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
108 | 112 |
109 ngx_ssl_handshake_log(c); | 113 ngx_ssl_handshake_log(c); |
123 "set_encryption_secrets: write %*s, len: %uz, level:%d", | 127 "set_encryption_secrets: write %*s, len: %uz, level:%d", |
124 m, buf, secret_len, (int) level); | 128 m, buf, secret_len, (int) level); |
125 } | 129 } |
126 #endif | 130 #endif |
127 | 131 |
128 name = SSL_get_cipher(ssl_conn); | 132 name = (u_char *) SSL_get_cipher(ssl_conn); |
129 | 133 |
130 if (OPENSSL_strcasecmp(name, "TLS_AES_128_GCM_SHA256") == 0) { | 134 if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 |
131 aead = EVP_aead_aes_128_gcm(); | 135 || ngx_strcasecmp(name, (u_char *) "(NONE)") == 0) |
136 { | |
137 #ifdef OPENSSL_IS_BORINGSSL | |
138 evp = EVP_aead_aes_128_gcm(); | |
139 #else | |
140 evp = EVP_aes_128_gcm(); | |
141 #endif | |
132 digest = EVP_sha256(); | 142 digest = EVP_sha256(); |
133 | 143 |
134 } else if (OPENSSL_strcasecmp(name, "TLS_AES_256_GCM_SHA384") == 0) { | 144 } else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { |
135 aead = EVP_aead_aes_256_gcm(); | 145 #ifdef OPENSSL_IS_BORINGSSL |
146 evp = EVP_aead_aes_256_gcm(); | |
147 #else | |
148 evp = EVP_aes_256_gcm(); | |
149 #endif | |
136 digest = EVP_sha384(); | 150 digest = EVP_sha384(); |
137 | 151 |
138 } else { | 152 } else { |
139 return 0; | 153 return 0; |
140 } | 154 } |
141 | 155 |
142 size_t hkdfl_len; | 156 size_t hkdfl_len, llen; |
143 uint8_t hkdfl[20]; | 157 uint8_t hkdfl[20]; |
144 uint8_t *p; | 158 uint8_t *p; |
145 const char *label; | 159 const char *label; |
160 #if (NGX_DEBUG) | |
161 u_char buf[512]; | |
162 size_t m; | |
163 #endif | |
146 | 164 |
147 ngx_str_t *client_key, *client_iv, *client_hp; | 165 ngx_str_t *client_key, *client_iv, *client_hp; |
148 ngx_str_t *server_key, *server_iv, *server_hp; | 166 ngx_str_t *server_key, *server_iv, *server_hp; |
149 | 167 |
150 switch (level) { | 168 switch (level) { |
201 | 219 |
202 ngx_memcpy(*wsec, write_secret, secret_len); | 220 ngx_memcpy(*wsec, write_secret, secret_len); |
203 | 221 |
204 // client keys | 222 // client keys |
205 | 223 |
206 client_key->len = EVP_AEAD_key_length(aead); | 224 #ifdef OPENSSL_IS_BORINGSSL |
225 client_key->len = EVP_AEAD_key_length(evp); | |
226 #else | |
227 client_key->len = EVP_CIPHER_key_length(evp); | |
228 #endif | |
207 client_key->data = ngx_pnalloc(c->pool, client_key->len); | 229 client_key->data = ngx_pnalloc(c->pool, client_key->len); |
208 if (client_key->data == NULL) { | 230 if (client_key->data == NULL) { |
209 return 0; | 231 return 0; |
210 } | 232 } |
211 | 233 |
212 label = "tls13 quic key"; | 234 label = "tls13 quic key"; |
213 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 235 llen = sizeof("tls13 quic key") - 1; |
236 hkdfl_len = 2 + 1 + llen + 1; | |
214 hkdfl[0] = client_key->len / 256; | 237 hkdfl[0] = client_key->len / 256; |
215 hkdfl[1] = client_key->len % 256; | 238 hkdfl[1] = client_key->len % 256; |
216 hkdfl[2] = sizeof(label) - 1; | 239 hkdfl[2] = llen; |
217 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 240 p = ngx_cpymem(&hkdfl[3], label, llen); |
218 *p = '\0'; | 241 *p = '\0'; |
219 | 242 |
220 if (HKDF_expand(client_key->data, client_key->len, | 243 if (ngx_hkdf_expand(client_key->data, client_key->len, |
221 digest, *rsec, *rlen, | 244 digest, *rsec, *rlen, hkdfl, hkdfl_len) |
222 hkdfl, hkdfl_len) | 245 != NGX_OK) |
223 == 0) | |
224 { | 246 { |
225 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 247 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
226 "HKDF_expand(client_key) failed"); | 248 "ngx_hkdf_expand(client_key) failed"); |
227 return 0; | 249 return 0; |
228 } | 250 } |
229 | 251 |
230 | 252 m = ngx_hex_dump(buf, client_key->data, client_key->len) - buf; |
231 client_iv->len = EVP_AEAD_nonce_length(aead); | 253 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, |
254 "quic client key: %*s, len: %uz, level: %d", | |
255 m, buf, client_key->len, level); | |
256 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
257 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
258 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
259 | |
260 | |
261 #ifdef OPENSSL_IS_BORINGSSL | |
262 client_iv->len = EVP_AEAD_nonce_length(evp); | |
263 #else | |
264 client_iv->len = EVP_CIPHER_iv_length(evp); | |
265 #endif | |
232 client_iv->data = ngx_pnalloc(c->pool, client_iv->len); | 266 client_iv->data = ngx_pnalloc(c->pool, client_iv->len); |
233 if (client_iv->data == NULL) { | 267 if (client_iv->data == NULL) { |
234 return 0; | 268 return 0; |
235 } | 269 } |
236 | 270 |
237 label = "tls13 quic iv"; | 271 label = "tls13 quic iv"; |
238 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 272 llen = sizeof("tls13 quic iv") - 1; |
273 hkdfl_len = 2 + 1 + llen + 1; | |
239 hkdfl[0] = client_iv->len / 256; | 274 hkdfl[0] = client_iv->len / 256; |
240 hkdfl[1] = client_iv->len % 256; | 275 hkdfl[1] = client_iv->len % 256; |
241 hkdfl[2] = sizeof(label) - 1; | 276 hkdfl[2] = llen; |
242 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 277 p = ngx_cpymem(&hkdfl[3], label, llen); |
243 *p = '\0'; | 278 *p = '\0'; |
244 | 279 |
245 if (HKDF_expand(client_iv->data, client_iv->len, | 280 if (ngx_hkdf_expand(client_iv->data, client_iv->len, |
246 digest, *rsec, *rlen, | 281 digest, *rsec, *rlen, hkdfl, hkdfl_len) |
247 hkdfl, hkdfl_len) | 282 != NGX_OK) |
248 == 0) | |
249 { | 283 { |
250 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 284 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
251 "HKDF_expand(client_iv) failed"); | 285 "ngx_hkdf_expand(client_iv) failed"); |
252 return 0; | 286 return 0; |
253 } | 287 } |
254 | 288 |
255 | 289 m = ngx_hex_dump(buf, client_iv->data, client_iv->len) - buf; |
256 client_hp->len = EVP_AEAD_key_length(aead); | 290 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, |
291 "quic client iv: %*s, len: %uz, level: %d", | |
292 m, buf, client_iv->len, level); | |
293 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
294 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
295 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
296 | |
297 | |
298 #ifdef OPENSSL_IS_BORINGSSL | |
299 client_hp->len = EVP_AEAD_key_length(evp); | |
300 #else | |
301 client_hp->len = EVP_CIPHER_key_length(evp); | |
302 #endif | |
257 client_hp->data = ngx_pnalloc(c->pool, client_hp->len); | 303 client_hp->data = ngx_pnalloc(c->pool, client_hp->len); |
258 if (client_hp->data == NULL) { | 304 if (client_hp->data == NULL) { |
259 return 0; | 305 return 0; |
260 } | 306 } |
261 | 307 |
262 label = "tls13 quic hp"; | 308 label = "tls13 quic hp"; |
263 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 309 llen = sizeof("tls13 quic hp") - 1; |
310 hkdfl_len = 2 + 1 + llen + 1; | |
264 hkdfl[0] = client_hp->len / 256; | 311 hkdfl[0] = client_hp->len / 256; |
265 hkdfl[1] = client_hp->len % 256; | 312 hkdfl[1] = client_hp->len % 256; |
266 hkdfl[2] = sizeof(label) - 1; | 313 hkdfl[2] = llen; |
267 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 314 p = ngx_cpymem(&hkdfl[3], label, llen); |
268 *p = '\0'; | 315 *p = '\0'; |
269 | 316 |
270 if (HKDF_expand(client_hp->data, client_hp->len, | 317 if (ngx_hkdf_expand(client_hp->data, client_hp->len, |
271 digest, *rsec, *rlen, | 318 digest, *rsec, *rlen, hkdfl, hkdfl_len) |
272 hkdfl, hkdfl_len) | 319 != NGX_OK) |
273 == 0) | |
274 { | 320 { |
275 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 321 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
276 "HKDF_expand(client_hp) failed"); | 322 "ngx_hkdf_expand(client_hp) failed"); |
277 return 0; | 323 return 0; |
278 } | 324 } |
279 | 325 |
326 m = ngx_hex_dump(buf, client_hp->data, client_hp->len) - buf; | |
327 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
328 "quic client hp: %*s, len: %uz, level: %d", | |
329 m, buf, client_hp->len, level); | |
330 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
331 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
332 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
333 | |
280 | 334 |
281 // server keys | 335 // server keys |
282 | 336 |
283 server_key->len = EVP_AEAD_key_length(aead); | 337 #ifdef OPENSSL_IS_BORINGSSL |
338 server_key->len = EVP_AEAD_key_length(evp); | |
339 #else | |
340 server_key->len = EVP_CIPHER_key_length(evp); | |
341 #endif | |
284 server_key->data = ngx_pnalloc(c->pool, server_key->len); | 342 server_key->data = ngx_pnalloc(c->pool, server_key->len); |
285 if (server_key->data == NULL) { | 343 if (server_key->data == NULL) { |
286 return 0; | 344 return 0; |
287 } | 345 } |
288 | 346 |
289 label = "tls13 quic key"; | 347 label = "tls13 quic key"; |
290 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 348 llen = sizeof("tls13 quic key") - 1; |
349 hkdfl_len = 2 + 1 + llen + 1; | |
291 hkdfl[0] = server_key->len / 256; | 350 hkdfl[0] = server_key->len / 256; |
292 hkdfl[1] = server_key->len % 256; | 351 hkdfl[1] = server_key->len % 256; |
293 hkdfl[2] = sizeof(label) - 1; | 352 hkdfl[2] = llen; |
294 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 353 p = ngx_cpymem(&hkdfl[3], label, llen); |
295 *p = '\0'; | 354 *p = '\0'; |
296 | 355 |
297 if (HKDF_expand(server_key->data, server_key->len, | 356 if (ngx_hkdf_expand(server_key->data, server_key->len, |
298 digest, *wsec, *wlen, | 357 digest, *wsec, *wlen, hkdfl, hkdfl_len) |
299 hkdfl, hkdfl_len) | 358 != NGX_OK) |
300 == 0) | |
301 { | 359 { |
302 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 360 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
303 "HKDF_expand(server_key) failed"); | 361 "ngx_hkdf_expand(server_key) failed"); |
304 return 0; | 362 return 0; |
305 } | 363 } |
306 | 364 |
307 | 365 m = ngx_hex_dump(buf, server_key->data, server_key->len) - buf; |
308 server_iv->len = EVP_AEAD_nonce_length(aead); | 366 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, |
367 "quic server key: %*s, len: %uz, level: %d", | |
368 m, buf, server_key->len, level); | |
369 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
370 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
371 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
372 | |
373 | |
374 #ifdef OPENSSL_IS_BORINGSSL | |
375 server_iv->len = EVP_AEAD_nonce_length(evp); | |
376 #else | |
377 server_iv->len = EVP_CIPHER_iv_length(evp); | |
378 #endif | |
309 server_iv->data = ngx_pnalloc(c->pool, server_iv->len); | 379 server_iv->data = ngx_pnalloc(c->pool, server_iv->len); |
310 if (server_iv->data == NULL) { | 380 if (server_iv->data == NULL) { |
311 return 0; | 381 return 0; |
312 } | 382 } |
313 | 383 |
314 label = "tls13 quic iv"; | 384 label = "tls13 quic iv"; |
315 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 385 llen = sizeof("tls13 quic iv") - 1; |
386 hkdfl_len = 2 + 1 + llen + 1; | |
316 hkdfl[0] = server_iv->len / 256; | 387 hkdfl[0] = server_iv->len / 256; |
317 hkdfl[1] = server_iv->len % 256; | 388 hkdfl[1] = server_iv->len % 256; |
318 hkdfl[2] = sizeof(label) - 1; | 389 hkdfl[2] = llen; |
319 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 390 p = ngx_cpymem(&hkdfl[3], label, llen); |
320 *p = '\0'; | 391 *p = '\0'; |
321 | 392 |
322 if (HKDF_expand(server_iv->data, server_iv->len, | 393 if (ngx_hkdf_expand(server_iv->data, server_iv->len, |
323 digest, *wsec, *wlen, | 394 digest, *wsec, *wlen, hkdfl, hkdfl_len) |
324 hkdfl, hkdfl_len) | 395 != NGX_OK) |
325 == 0) | |
326 { | 396 { |
327 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 397 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
328 "HKDF_expand(server_iv) failed"); | 398 "ngx_hkdf_expand(server_iv) failed"); |
329 return 0; | 399 return 0; |
330 } | 400 } |
331 | 401 |
332 | 402 m = ngx_hex_dump(buf, server_iv->data, server_iv->len) - buf; |
333 server_hp->len = EVP_AEAD_key_length(aead); | 403 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, |
404 "quic server iv: %*s, len: %uz, level: %d", | |
405 m, buf, server_iv->len, level); | |
406 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
407 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
408 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
409 | |
410 | |
411 #ifdef OPENSSL_IS_BORINGSSL | |
412 server_hp->len = EVP_AEAD_key_length(evp); | |
413 #else | |
414 server_hp->len = EVP_CIPHER_key_length(evp); | |
415 #endif | |
334 server_hp->data = ngx_pnalloc(c->pool, server_hp->len); | 416 server_hp->data = ngx_pnalloc(c->pool, server_hp->len); |
335 if (server_hp->data == NULL) { | 417 if (server_hp->data == NULL) { |
336 return 0; | 418 return 0; |
337 } | 419 } |
338 | 420 |
339 label = "tls13 quic hp"; | 421 label = "tls13 quic hp"; |
340 hkdfl_len = 2 + 1 + sizeof(label) - 1 + 1; | 422 llen = sizeof("tls13 quic hp") - 1; |
423 hkdfl_len = 2 + 1 + llen + 1; | |
341 hkdfl[0] = server_hp->len / 256; | 424 hkdfl[0] = server_hp->len / 256; |
342 hkdfl[1] = server_hp->len % 256; | 425 hkdfl[1] = server_hp->len % 256; |
343 hkdfl[2] = sizeof(label) - 1; | 426 hkdfl[2] = llen; |
344 p = ngx_cpymem(&hkdfl[3], label, sizeof(label) - 1); | 427 p = ngx_cpymem(&hkdfl[3], label, llen); |
345 *p = '\0'; | 428 *p = '\0'; |
346 | 429 |
347 if (HKDF_expand(server_hp->data, server_hp->len, | 430 if (ngx_hkdf_expand(server_hp->data, server_hp->len, |
348 digest, *wsec, *wlen, | 431 digest, *wsec, *wlen, hkdfl, hkdfl_len) |
349 hkdfl, hkdfl_len) | 432 != NGX_OK) |
350 == 0) | |
351 { | 433 { |
352 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | 434 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
353 "HKDF_expand(server_hp) failed"); | 435 "ngx_hkdf_expand(server_hp) failed"); |
354 return 0; | 436 return 0; |
355 } | 437 } |
438 | |
439 m = ngx_hex_dump(buf, server_hp->data, server_hp->len) - buf; | |
440 ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
441 "quic server hp: %*s, len: %uz, level: %d", | |
442 m, buf, server_hp->len, level); | |
443 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; | |
444 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, | |
445 "hkdf: %*s, len: %uz", m, buf, hkdfl_len); | |
356 | 446 |
357 return 1; | 447 return 1; |
358 } | 448 } |
359 | 449 |
360 | 450 |
361 static int | 451 static int |
362 quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, | 452 quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, |
363 enum ssl_encryption_level_t level, const uint8_t *data, size_t len) | 453 enum ssl_encryption_level_t level, const uint8_t *data, size_t len) |
364 { | 454 { |
365 u_char buf[512], *p, *cipher, *clear, *ad; | 455 u_char buf[512], *p, *ciphertext, *clear, *ad, *name; |
366 size_t ad_len, clear_len; | 456 size_t ad_len, clear_len; |
367 ngx_int_t m; | 457 ngx_int_t m; |
368 ngx_str_t *server_key, *server_iv, *server_hp; | 458 ngx_str_t *server_key, *server_iv, *server_hp; |
459 #ifdef OPENSSL_IS_BORINGSSL | |
460 const EVP_AEAD *cipher; | |
461 #else | |
462 const EVP_CIPHER *cipher; | |
463 #endif | |
369 ngx_connection_t *c; | 464 ngx_connection_t *c; |
370 ngx_quic_connection_t *qc; | 465 ngx_quic_connection_t *qc; |
371 | 466 |
372 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 467 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
468 | |
469 ngx_ssl_handshake_log(c); | |
470 | |
373 qc = c->quic; | 471 qc = c->quic; |
374 | 472 |
375 switch (level) { | 473 switch (level) { |
376 | 474 |
377 case ssl_encryption_initial: | 475 case ssl_encryption_initial: |
411 ngx_quic_build_int(&p, 0); | 509 ngx_quic_build_int(&p, 0); |
412 ngx_quic_build_int(&p, 0); | 510 ngx_quic_build_int(&p, 0); |
413 ngx_quic_build_int(&p, 0); | 511 ngx_quic_build_int(&p, 0); |
414 | 512 |
415 clear_len = p - clear; | 513 clear_len = p - clear; |
416 size_t cipher_len = clear_len + 16 /*expansion*/; | 514 size_t ciphertext_len = clear_len + 16 /*expansion*/; |
417 | 515 |
418 ad = ngx_alloc(346 /*max header*/, c->log); | 516 ad = ngx_alloc(346 /*max header*/, c->log); |
419 if (ad == 0) { | 517 if (ad == 0) { |
420 return 0; | 518 return 0; |
421 } | 519 } |
432 *p++ = 0x17; | 530 *p++ = 0x17; |
433 *p++ = qc->scid.len; | 531 *p++ = qc->scid.len; |
434 p = ngx_cpymem(p, qc->scid.data, qc->scid.len); | 532 p = ngx_cpymem(p, qc->scid.data, qc->scid.len); |
435 *p++ = qc->dcid.len; | 533 *p++ = qc->dcid.len; |
436 p = ngx_cpymem(p, qc->dcid.data, qc->dcid.len); | 534 p = ngx_cpymem(p, qc->dcid.data, qc->dcid.len); |
437 ngx_quic_build_int(&p, 0); // token length | 535 if (level == ssl_encryption_initial) { |
438 ngx_quic_build_int(&p, cipher_len); // length | 536 ngx_quic_build_int(&p, 0); // token length |
537 } | |
538 ngx_quic_build_int(&p, ciphertext_len + 1); // length (inc. pnl) | |
439 u_char *pnp = p; | 539 u_char *pnp = p; |
440 *p++ = 0; // packet number 0 | 540 *p++ = 0; // packet number 0 |
441 | 541 |
442 ad_len = p - ad; | 542 ad_len = p - ad; |
443 | 543 |
444 m = ngx_hex_dump(buf, (u_char *) ad, ad_len) - buf; | 544 m = ngx_hex_dump(buf, (u_char *) ad, ad_len) - buf; |
445 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | 545 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
446 "quic_add_handshake_data ad: %*s, len: %uz", | 546 "quic_add_handshake_data ad: %*s, len: %uz", |
447 m, buf, ad_len); | 547 m, buf, ad_len); |
448 | 548 |
449 EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(EVP_aead_aes_128_gcm(), | 549 |
550 name = (u_char *) SSL_get_cipher(ssl_conn); | |
551 | |
552 if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 | |
553 || ngx_strcasecmp(name, (u_char *) "(NONE)") == 0) | |
554 { | |
555 #ifdef OPENSSL_IS_BORINGSSL | |
556 cipher = EVP_aead_aes_128_gcm(); | |
557 #else | |
558 cipher = EVP_aes_128_gcm(); | |
559 #endif | |
560 | |
561 } else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { | |
562 #ifdef OPENSSL_IS_BORINGSSL | |
563 cipher = EVP_aead_aes_256_gcm(); | |
564 #else | |
565 cipher = EVP_aes_256_gcm(); | |
566 #endif | |
567 | |
568 } else { | |
569 return 0; | |
570 } | |
571 | |
572 | |
573 ciphertext = ngx_alloc(ciphertext_len, c->log); | |
574 if (ciphertext == 0) { | |
575 return 0; | |
576 } | |
577 | |
578 #ifdef OPENSSL_IS_BORINGSSL | |
579 size_t out_len; | |
580 EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher, | |
450 server_key->data, | 581 server_key->data, |
451 server_key->len, | 582 server_key->len, |
452 EVP_AEAD_DEFAULT_TAG_LENGTH); | 583 EVP_AEAD_DEFAULT_TAG_LENGTH); |
453 | 584 |
454 cipher = ngx_alloc(cipher_len, c->log); | 585 if (EVP_AEAD_CTX_seal(aead, ciphertext, &out_len, ciphertext_len, |
455 if (cipher == 0) { | |
456 return 0; | |
457 } | |
458 | |
459 size_t out_len; | |
460 | |
461 if (EVP_AEAD_CTX_seal(aead, cipher, &out_len, cipher_len, | |
462 server_iv->data, server_iv->len, | 586 server_iv->data, server_iv->len, |
463 clear, clear_len, ad, ad_len) | 587 clear, clear_len, ad, ad_len) |
464 != 1) | 588 != 1) |
465 { | 589 { |
466 EVP_AEAD_CTX_free(aead); | 590 EVP_AEAD_CTX_free(aead); |
468 "EVP_AEAD_CTX_seal() failed"); | 592 "EVP_AEAD_CTX_seal() failed"); |
469 return 0; | 593 return 0; |
470 } | 594 } |
471 | 595 |
472 EVP_AEAD_CTX_free(aead); | 596 EVP_AEAD_CTX_free(aead); |
597 #else | |
598 int out_len; | |
599 EVP_CIPHER_CTX *aead; | |
600 | |
601 aead = EVP_CIPHER_CTX_new(); | |
602 if (aead == NULL) { | |
603 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); | |
604 return 0; | |
605 } | |
606 | |
607 if (EVP_EncryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) { | |
608 EVP_CIPHER_CTX_free(aead); | |
609 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); | |
610 return 0; | |
611 } | |
612 | |
613 if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, server_iv->len, NULL) | |
614 == 0) | |
615 { | |
616 EVP_CIPHER_CTX_free(aead); | |
617 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
618 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); | |
619 return 0; | |
620 } | |
621 | |
622 if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, server_iv->data) | |
623 != 1) | |
624 { | |
625 EVP_CIPHER_CTX_free(aead); | |
626 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); | |
627 return 0; | |
628 } | |
629 | |
630 if (EVP_EncryptUpdate(aead, NULL, &out_len, ad, ad_len) != 1) { | |
631 EVP_CIPHER_CTX_free(aead); | |
632 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); | |
633 return 0; | |
634 } | |
635 | |
636 if (EVP_EncryptUpdate(aead, ciphertext, &out_len, clear, clear_len) != 1) { | |
637 EVP_CIPHER_CTX_free(aead); | |
638 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); | |
639 return 0; | |
640 } | |
641 | |
642 ciphertext_len = out_len; | |
643 | |
644 if (EVP_EncryptFinal_ex(aead, ciphertext + out_len, &out_len) <= 0) { | |
645 EVP_CIPHER_CTX_free(aead); | |
646 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed"); | |
647 return 0; | |
648 } | |
649 | |
650 ciphertext_len += out_len; | |
651 | |
652 if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, | |
653 ciphertext + clear_len) | |
654 == 0) | |
655 { | |
656 EVP_CIPHER_CTX_free(aead); | |
657 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
658 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); | |
659 return 0; | |
660 } | |
661 | |
662 EVP_CIPHER_CTX_free(aead); | |
663 | |
664 out_len = ciphertext_len + EVP_GCM_TLS_TAG_LEN; | |
665 #endif | |
473 | 666 |
474 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); | 667 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); |
475 u_char *sample = cipher + 3; // pnl=0 | 668 u_char *sample = ciphertext + 3; // pnl=0 |
476 uint8_t mask[16]; | 669 uint8_t mask[16]; |
477 int outlen; | 670 int outlen; |
478 | 671 |
479 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, server_hp->data, NULL) | 672 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, server_hp->data, NULL) |
480 != 1) | 673 != 1) |
492 return 0; | 685 return 0; |
493 } | 686 } |
494 | 687 |
495 EVP_CIPHER_CTX_free(ctx); | 688 EVP_CIPHER_CTX_free(ctx); |
496 | 689 |
690 m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf; | |
691 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
692 "quic_add_handshake_data sample: %*s, len: %uz", | |
693 m, buf, 16); | |
694 | |
695 m = ngx_hex_dump(buf, (u_char *) mask, 16) - buf; | |
696 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
697 "quic_add_handshake_data mask: %*s, len: %uz", | |
698 m, buf, 16); | |
699 | |
700 m = ngx_hex_dump(buf, (u_char *) server_hp->data, 16) - buf; | |
701 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
702 "quic_add_handshake_data hp_key: %*s, len: %uz", | |
703 m, buf, 16); | |
704 | |
497 // header protection, pnl = 0 | 705 // header protection, pnl = 0 |
498 ad[0] ^= mask[0] & 0x0f; | 706 ad[0] ^= mask[0] & 0x0f; |
499 *pnp ^= mask[1]; | 707 *pnp ^= mask[1]; |
500 | 708 |
501 printf("cipher_len %ld out_len %ld ad_len %ld\n", cipher_len, out_len, ad_len); | 709 printf("clear_len %ld ciphertext_len %ld out_len %ld ad_len %ld\n", |
710 clear_len, ciphertext_len, (size_t) out_len, ad_len); | |
502 | 711 |
503 u_char *packet = ngx_alloc(ad_len + out_len, c->log); | 712 u_char *packet = ngx_alloc(ad_len + out_len, c->log); |
504 if (packet == 0) { | 713 if (packet == 0) { |
505 return 0; | 714 return 0; |
506 } | 715 } |
507 | 716 |
508 p = ngx_cpymem(packet, ad, ad_len); | 717 p = ngx_cpymem(packet, ad, ad_len); |
509 p = ngx_cpymem(p, cipher, out_len); | 718 p = ngx_cpymem(p, ciphertext, out_len); |
510 | 719 |
511 m = ngx_hex_dump(buf, (u_char *) packet, p - packet) - buf; | 720 m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(256, p - packet)) - buf; |
512 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | 721 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, |
513 "quic_add_handshake_data packet: %*s, len: %uz", | 722 "quic_add_handshake_data packet: %*s%s, len: %uz", |
514 m, buf, p - packet); | 723 m, buf, len < 512 ? "" : "...", p - packet); |
515 | 724 |
516 c->send(c, packet, p - packet); | 725 c->send(c, packet, p - packet); |
517 | 726 |
518 return 1; | 727 return 1; |
519 } | 728 } |