Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 9128:756ab66de10e
QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Tue, 20 Jun 2023 16:10:49 +0400 |
| parents | a7b850a5d98d |
| children | 7379cb29cd72 |
comparison
equal
deleted
inserted
replaced
| 9127:a7b850a5d98d | 9128:756ab66de10e |
|---|---|
| 91 ciphers->hp = EVP_chacha20(); | 91 ciphers->hp = EVP_chacha20(); |
| 92 #endif | 92 #endif |
| 93 ciphers->d = EVP_sha256(); | 93 ciphers->d = EVP_sha256(); |
| 94 len = 32; | 94 len = 32; |
| 95 break; | 95 break; |
| 96 | |
| 97 #ifndef OPENSSL_IS_BORINGSSL | |
| 98 case TLS1_3_CK_AES_128_CCM_SHA256: | |
| 99 ciphers->c = EVP_aes_128_ccm(); | |
| 100 ciphers->hp = EVP_aes_128_ctr(); | |
| 101 ciphers->d = EVP_sha256(); | |
| 102 len = 16; | |
| 103 break; | |
| 104 #endif | |
| 96 | 105 |
| 97 default: | 106 default: |
| 98 return NGX_ERROR; | 107 return NGX_ERROR; |
| 99 } | 108 } |
| 100 | 109 |
| 382 EVP_CIPHER_CTX_free(ctx); | 391 EVP_CIPHER_CTX_free(ctx); |
| 383 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | 392 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); |
| 384 return NGX_ERROR; | 393 return NGX_ERROR; |
| 385 } | 394 } |
| 386 | 395 |
| 396 tag = in->data + in->len - NGX_QUIC_TAG_LEN; | |
| 397 | |
| 398 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag) | |
| 399 == 0) | |
| 400 { | |
| 401 EVP_CIPHER_CTX_free(ctx); | |
| 402 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
| 403 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
| 404 return NGX_ERROR; | |
| 405 } | |
| 406 | |
| 387 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) | 407 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) |
| 388 == 0) | 408 == 0) |
| 389 { | 409 { |
| 390 EVP_CIPHER_CTX_free(ctx); | 410 EVP_CIPHER_CTX_free(ctx); |
| 391 ngx_ssl_error(NGX_LOG_INFO, log, 0, | 411 ngx_ssl_error(NGX_LOG_INFO, log, 0, |
| 394 } | 414 } |
| 395 | 415 |
| 396 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | 416 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
| 397 EVP_CIPHER_CTX_free(ctx); | 417 EVP_CIPHER_CTX_free(ctx); |
| 398 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | 418 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); |
| 419 return NGX_ERROR; | |
| 420 } | |
| 421 | |
| 422 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
| 423 && EVP_DecryptUpdate(ctx, NULL, &len, NULL, in->len - NGX_QUIC_TAG_LEN) | |
| 424 != 1) | |
| 425 { | |
| 426 EVP_CIPHER_CTX_free(ctx); | |
| 427 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | |
| 399 return NGX_ERROR; | 428 return NGX_ERROR; |
| 400 } | 429 } |
| 401 | 430 |
| 402 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | 431 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
| 403 EVP_CIPHER_CTX_free(ctx); | 432 EVP_CIPHER_CTX_free(ctx); |
| 413 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | 442 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); |
| 414 return NGX_ERROR; | 443 return NGX_ERROR; |
| 415 } | 444 } |
| 416 | 445 |
| 417 out->len = len; | 446 out->len = len; |
| 418 tag = in->data + in->len - NGX_QUIC_TAG_LEN; | |
| 419 | |
| 420 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag) | |
| 421 == 0) | |
| 422 { | |
| 423 EVP_CIPHER_CTX_free(ctx); | |
| 424 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
| 425 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
| 426 return NGX_ERROR; | |
| 427 } | |
| 428 | 447 |
| 429 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { | 448 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { |
| 430 EVP_CIPHER_CTX_free(ctx); | 449 EVP_CIPHER_CTX_free(ctx); |
| 431 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed"); | 450 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed"); |
| 432 return NGX_ERROR; | 451 return NGX_ERROR; |
| 480 EVP_CIPHER_CTX_free(ctx); | 499 EVP_CIPHER_CTX_free(ctx); |
| 481 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | 500 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); |
| 482 return NGX_ERROR; | 501 return NGX_ERROR; |
| 483 } | 502 } |
| 484 | 503 |
| 504 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
| 505 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, | |
| 506 NULL) | |
| 507 == 0) | |
| 508 { | |
| 509 EVP_CIPHER_CTX_free(ctx); | |
| 510 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
| 511 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
| 512 return NGX_ERROR; | |
| 513 } | |
| 514 | |
| 485 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) | 515 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) |
| 486 == 0) | 516 == 0) |
| 487 { | 517 { |
| 488 EVP_CIPHER_CTX_free(ctx); | 518 EVP_CIPHER_CTX_free(ctx); |
| 489 ngx_ssl_error(NGX_LOG_INFO, log, 0, | 519 ngx_ssl_error(NGX_LOG_INFO, log, 0, |
| 492 } | 522 } |
| 493 | 523 |
| 494 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | 524 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
| 495 EVP_CIPHER_CTX_free(ctx); | 525 EVP_CIPHER_CTX_free(ctx); |
| 496 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | 526 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); |
| 527 return NGX_ERROR; | |
| 528 } | |
| 529 | |
| 530 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
| 531 && EVP_EncryptUpdate(ctx, NULL, &len, NULL, in->len) != 1) | |
| 532 { | |
| 533 EVP_CIPHER_CTX_free(ctx); | |
| 534 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed"); | |
| 497 return NGX_ERROR; | 535 return NGX_ERROR; |
| 498 } | 536 } |
| 499 | 537 |
| 500 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | 538 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
| 501 EVP_CIPHER_CTX_free(ctx); | 539 EVP_CIPHER_CTX_free(ctx); |