comparison src/event/ngx_event_quic.c @ 8204:9e0c30e1f7fb quic
Compatibility with BoringSSL revised QUIC encryption secret APIs.
For details, see: https://boringssl.googlesource.com/boringssl/+/1e85905%5E!/
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 11 Mar 2020 21:53:02 +0300 |
parents | ec0c44aa2881 |
children | a5423632d67b |
8203:ec0c44aa2881 | 8204:9e0c30e1f7fb |
---|---|
232 static ngx_int_t ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, | 232 static ngx_int_t ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, |
233 ngx_buf_t *b); | 233 ngx_buf_t *b); |
234 static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c, ngx_buf_t *b); | 234 static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c, ngx_buf_t *b); |
235 static ngx_int_t ngx_quic_app_input(ngx_connection_t *c, ngx_buf_t *b); | 235 static ngx_int_t ngx_quic_app_input(ngx_connection_t *c, ngx_buf_t *b); |
236 | 236 |
237 #if BORINGSSL_API_VERSION >= 10 | |
238 static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn, | |
239 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | |
240 const uint8_t *secret, size_t secret_len); | |
241 static int ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn, | |
242 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | |
243 const uint8_t *secret, size_t secret_len); | |
244 #else | |
237 static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, | 245 static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, |
238 enum ssl_encryption_level_t level, const uint8_t *read_secret, | 246 enum ssl_encryption_level_t level, const uint8_t *read_secret, |
239 const uint8_t *write_secret, size_t secret_len); | 247 const uint8_t *write_secret, size_t secret_len); |
248 #endif | |
240 static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, | 249 static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, |
241 enum ssl_encryption_level_t level, const uint8_t *data, size_t len); | 250 enum ssl_encryption_level_t level, const uint8_t *data, size_t len); |
242 static ngx_int_t ngx_quic_create_long_packet(ngx_connection_t *c, | 251 static ngx_int_t ngx_quic_create_long_packet(ngx_connection_t *c, |
243 ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in, | 252 ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in, |
244 ngx_str_t *res); | 253 ngx_str_t *res); |
286 | 295 |
287 static ngx_int_t ngx_quic_ciphers(ngx_connection_t *c, | 296 static ngx_int_t ngx_quic_ciphers(ngx_connection_t *c, |
288 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level); | 297 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level); |
289 | 298 |
290 static SSL_QUIC_METHOD quic_method = { | 299 static SSL_QUIC_METHOD quic_method = { |
300 #if BORINGSSL_API_VERSION >= 10 | |
301 ngx_quic_set_read_secret, | |
302 ngx_quic_set_write_secret, | |
303 #else | |
291 ngx_quic_set_encryption_secrets, | 304 ngx_quic_set_encryption_secrets, |
305 #endif | |
292 ngx_quic_add_handshake_data, | 306 ngx_quic_add_handshake_data, |
293 ngx_quic_flush_flight, | 307 ngx_quic_flush_flight, |
294 ngx_quic_send_alert, | 308 ngx_quic_send_alert, |
295 }; | 309 }; |
296 | 310 |
526 qc->frames = NULL; | 540 qc->frames = NULL; |
527 | 541 |
528 return NGX_OK; | 542 return NGX_OK; |
529 } | 543 } |
530 | 544 |
545 | |
546 #if BORINGSSL_API_VERSION >= 10 | |
547 | |
548 static int | |
549 ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn, | |
550 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | |
551 const uint8_t *secret, size_t secret_len) | |
552 { | |
553 ngx_int_t key_len; | |
554 ngx_uint_t i; | |
555 ngx_connection_t *c; | |
556 ngx_quic_secret_t *client; | |
557 ngx_quic_ciphers_t ciphers; | |
558 | |
559 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | |
560 | |
561 ngx_quic_hexdump(c->log, "level:%d read", secret, secret_len, level); | |
562 | |
563 key_len = ngx_quic_ciphers(c, &ciphers, level); | |
564 | |
565 if (key_len == NGX_ERROR) { | |
566 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | |
567 return 0; | |
568 } | |
569 | |
570 switch (level) { | |
571 | |
572 case ssl_encryption_handshake: | |
573 client = &c->quic->client_hs; | |
574 break; | |
575 | |
576 case ssl_encryption_application: | |
577 client = &c->quic->client_ad; | |
578 break; | |
579 | |
580 default: | |
581 return 0; | |
582 } | |
583 | |
584 client->key.len = key_len; | |
585 client->iv.len = NGX_QUIC_IV_LEN; | |
586 client->hp.len = key_len; | |
587 | |
588 struct { | |
589 ngx_str_t label; | |
590 ngx_str_t *key; | |
591 const uint8_t *secret; | |
592 } seq[] = { | |
593 { ngx_string("tls13 quic key"), &client->key, secret }, | |
594 { ngx_string("tls13 quic iv"), &client->iv, secret }, | |
595 { ngx_string("tls13 quic hp"), &client->hp, secret }, | |
596 }; | |
597 | |
598 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
599 | |
600 if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label, | |
601 seq[i].secret, secret_len) | |
602 != NGX_OK) | |
603 { | |
604 return 0; | |
605 } | |
606 } | |
607 | |
608 return 1; | |
609 } | |
610 | |
611 | |
612 static int | |
613 ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn, | |
614 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | |
615 const uint8_t *secret, size_t secret_len) | |
616 { | |
617 ngx_int_t key_len; | |
618 ngx_uint_t i; | |
619 ngx_connection_t *c; | |
620 ngx_quic_secret_t *server; | |
621 ngx_quic_ciphers_t ciphers; | |
622 | |
623 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | |
624 | |
625 ngx_quic_hexdump(c->log, "level:%d write", secret, secret_len, level); | |
626 | |
627 key_len = ngx_quic_ciphers(c, &ciphers, level); | |
628 | |
629 if (key_len == NGX_ERROR) { | |
630 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | |
631 return 0; | |
632 } | |
633 | |
634 switch (level) { | |
635 | |
636 case ssl_encryption_handshake: | |
637 server = &c->quic->server_hs; | |
638 break; | |
639 | |
640 case ssl_encryption_application: | |
641 server = &c->quic->server_ad; | |
642 break; | |
643 | |
644 default: | |
645 return 0; | |
646 } | |
647 | |
648 server->key.len = key_len; | |
649 server->iv.len = NGX_QUIC_IV_LEN; | |
650 server->hp.len = key_len; | |
651 | |
652 struct { | |
653 ngx_str_t label; | |
654 ngx_str_t *key; | |
655 const uint8_t *secret; | |
656 } seq[] = { | |
657 { ngx_string("tls13 quic key"), &server->key, secret }, | |
658 { ngx_string("tls13 quic iv"), &server->iv, secret }, | |
659 { ngx_string("tls13 quic hp"), &server->hp, secret }, | |
660 }; | |
661 | |
662 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
663 | |
664 if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label, | |
665 seq[i].secret, secret_len) | |
666 != NGX_OK) | |
667 { | |
668 return 0; | |
669 } | |
670 } | |
671 | |
672 return 1; | |
673 } | |
674 | |
675 #else | |
531 | 676 |
532 static int | 677 static int |
533 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, | 678 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, |
534 enum ssl_encryption_level_t level, const uint8_t *read_secret, | 679 enum ssl_encryption_level_t level, const uint8_t *read_secret, |
535 const uint8_t *write_secret, size_t secret_len) | 680 const uint8_t *write_secret, size_t secret_len) |
602 } | 747 } |
603 } | 748 } |
604 | 749 |
605 return 1; | 750 return 1; |
606 } | 751 } |
752 | |
753 #endif | |
607 | 754 |
608 | 755 |
609 static ngx_int_t | 756 static ngx_int_t |
610 ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, | 757 ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, |
611 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) | 758 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) |
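Review bot: ngx_quic_set_read_secret and ngx_quic_set_write_secret (new lines 548-673) are the same function apart from the client_hs/client_ad versus server_hs/server_ad selection and the "read"/"write" tag in the hexdump format, so the three HKDF labels, the level switch and the "unexpected cipher" handling are now maintained in two places; a single static helper that takes a read/write flag and picks the ngx_quic_secret_t accordingly would keep a later fix from having to land twice. Both callbacks also ignore the `cipher` argument that the revised BoringSSL API supplies and re-derive it through ngx_quic_ciphers(c, &ciphers, level); if that helper reads the connection's current cipher internally (its body is not in this view), passing `cipher` through would decouple the callback from that state. The ngx_quic_hexdump calls write the raw handshake and application traffic secrets to c->log; if that macro is not compiled out in non-debug builds, traffic secrets end up in the error log, which is worth confirming against its definition. The body of the existing ngx_quic_set_encryption_secrets is almost entirely outside this view, so the same observations may apply to it.
```c
static int
ngx_quic_set_secret(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
    const uint8_t *secret, size_t secret_len, ngx_uint_t is_write)
{
    /* … unchanged: declarations, ngx_ssl_get_connection, hexdump, ngx_quic_ciphers lookup, as in ngx_quic_set_read_secret … */

    switch (level) {

    case ssl_encryption_handshake:
        peer = is_write ? &c->quic->server_hs : &c->quic->client_hs;
        break;

    case ssl_encryption_application:
        peer = is_write ? &c->quic->server_ad : &c->quic->client_ad;
        break;

    default:
        return 0;
    }

    /* … unchanged: key/iv/hp lengths and the HKDF expand loop, with peer in place of client … */
}


static int
ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
    const uint8_t *secret, size_t secret_len)
{
    return ngx_quic_set_secret(ssl_conn, level, secret, secret_len, 0);
}


static int
ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
    const uint8_t *secret, size_t secret_len)
{
    return ngx_quic_set_secret(ssl_conn, level, secret, secret_len, 1);
}
```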