comparison src/event/quic/ngx_event_quic_protection.c @ 9128:756ab66de10e
QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 20 Jun 2023 16:10:49 +0400 |
parents | a7b850a5d98d |
children | 7379cb29cd72 |
9127:a7b850a5d98d | 9128:756ab66de10e |
---|---|
91 ciphers->hp = EVP_chacha20(); | 91 ciphers->hp = EVP_chacha20(); |
92 #endif | 92 #endif |
93 ciphers->d = EVP_sha256(); | 93 ciphers->d = EVP_sha256(); |
94 len = 32; | 94 len = 32; |
95 break; | 95 break; |
96 | |
97 #ifndef OPENSSL_IS_BORINGSSL | |
98 case TLS1_3_CK_AES_128_CCM_SHA256: | |
99 ciphers->c = EVP_aes_128_ccm(); | |
100 ciphers->hp = EVP_aes_128_ctr(); | |
101 ciphers->d = EVP_sha256(); | |
102 len = 16; | |
103 break; | |
104 #endif | |
96 | 105 |
97 default: | 106 default: |
98 return NGX_ERROR; | 107 return NGX_ERROR; |
99 } | 108 } |
100 | 109 |
382 EVP_CIPHER_CTX_free(ctx); | 391 EVP_CIPHER_CTX_free(ctx); |
383 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | 392 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); |
384 return NGX_ERROR; | 393 return NGX_ERROR; |
385 } | 394 } |
386 | 395 |
396 tag = in->data + in->len - NGX_QUIC_TAG_LEN; | |
397 | |
398 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag) | |
399 == 0) | |
400 { | |
401 EVP_CIPHER_CTX_free(ctx); | |
402 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
403 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
404 return NGX_ERROR; | |
405 } | |
406 | |
387 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) | 407 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) |
388 == 0) | 408 == 0) |
389 { | 409 { |
390 EVP_CIPHER_CTX_free(ctx); | 410 EVP_CIPHER_CTX_free(ctx); |
391 ngx_ssl_error(NGX_LOG_INFO, log, 0, | 411 ngx_ssl_error(NGX_LOG_INFO, log, 0, |
394 } | 414 } |
395 | 415 |
396 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | 416 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
397 EVP_CIPHER_CTX_free(ctx); | 417 EVP_CIPHER_CTX_free(ctx); |
398 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | 418 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); |
419 return NGX_ERROR; | |
420 } | |
421 | |
422 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
423 && EVP_DecryptUpdate(ctx, NULL, &len, NULL, in->len - NGX_QUIC_TAG_LEN) | |
424 != 1) | |
425 { | |
426 EVP_CIPHER_CTX_free(ctx); | |
427 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | |
399 return NGX_ERROR; | 428 return NGX_ERROR; |
400 } | 429 } |
401 | 430 |
402 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | 431 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
403 EVP_CIPHER_CTX_free(ctx); | 432 EVP_CIPHER_CTX_free(ctx); |
413 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | 442 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); |
414 return NGX_ERROR; | 443 return NGX_ERROR; |
415 } | 444 } |
416 | 445 |
417 out->len = len; | 446 out->len = len; |
418 tag = in->data + in->len - NGX_QUIC_TAG_LEN; | |
419 | |
420 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag) | |
421 == 0) | |
422 { | |
423 EVP_CIPHER_CTX_free(ctx); | |
424 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
425 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
426 return NGX_ERROR; | |
427 } | |
428 | 447 |
429 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { | 448 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { |
430 EVP_CIPHER_CTX_free(ctx); | 449 EVP_CIPHER_CTX_free(ctx); |
431 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed"); | 450 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed"); |
432 return NGX_ERROR; | 451 return NGX_ERROR; |
480 EVP_CIPHER_CTX_free(ctx); | 499 EVP_CIPHER_CTX_free(ctx); |
481 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | 500 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); |
482 return NGX_ERROR; | 501 return NGX_ERROR; |
483 } | 502 } |
484 | 503 |
504 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
505 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, | |
506 NULL) | |
507 == 0) | |
508 { | |
509 EVP_CIPHER_CTX_free(ctx); | |
510 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
511 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed"); | |
512 return NGX_ERROR; | |
513 } | |
514 | |
485 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) | 515 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL) |
486 == 0) | 516 == 0) |
487 { | 517 { |
488 EVP_CIPHER_CTX_free(ctx); | 518 EVP_CIPHER_CTX_free(ctx); |
489 ngx_ssl_error(NGX_LOG_INFO, log, 0, | 519 ngx_ssl_error(NGX_LOG_INFO, log, 0, |
492 } | 522 } |
493 | 523 |
494 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | 524 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
495 EVP_CIPHER_CTX_free(ctx); | 525 EVP_CIPHER_CTX_free(ctx); |
496 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | 526 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); |
527 return NGX_ERROR; | |
528 } | |
529 | |
530 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE | |
531 && EVP_EncryptUpdate(ctx, NULL, &len, NULL, in->len) != 1) | |
532 { | |
533 EVP_CIPHER_CTX_free(ctx); | |
534 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed"); | |
497 return NGX_ERROR; | 535 return NGX_ERROR; |
498 } | 536 } |
499 | 537 |
500 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | 538 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
501 EVP_CIPHER_CTX_free(ctx); | 539 EVP_CIPHER_CTX_free(ctx); |