comparison src/event/quic/ngx_event_quic_protection.c @ 8980:d8865baab732 quic
QUIC: removed draft versions support.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 26 Jan 2022 14:15:40 +0300 |
parents | 3341e4089c6c |
children | d8b3851f172c |
8979:3d0fc72d409e | 8980:d8865baab732 |
---|---|
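--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -144,24 +144,21 @@
 }
 
 
 ngx_int_t
 ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
-    ngx_str_t *secret, uint32_t version)
+    ngx_str_t *secret)
 {
     size_t               is_len;
     uint8_t              is[SHA256_DIGEST_LENGTH];
     ngx_uint_t           i;
     const EVP_MD        *digest;
     ngx_quic_secret_t   *client, *server;
 
     static const uint8_t salt[20] =
         "\x38\x76\x2c\xf7\xf5\x59\x34\xb3\x4d\x17"
         "\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a";
-    static const uint8_t salt29[20] =
-        "\xaf\xbf\xec\x28\x99\x93\xd2\x4c\x9e\x97"
-        "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99";
 
     client = &keys->secrets[ssl_encryption_initial].client;
     server = &keys->secrets[ssl_encryption_initial].server;
 
     /*
@@ -173,11 +170,11 @@
 
     digest = EVP_sha256();
     is_len = SHA256_DIGEST_LENGTH;
 
     if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
-                         (version & 0xff000000) ? salt29 : salt, sizeof(salt))
+                         salt, sizeof(salt))
         != NGX_OK)
     {
         return NGX_ERROR;
     }
 
@@ -890,16 +887,12 @@
     ngx_quic_ciphers_t  ciphers;
 
     /* 5.8. Retry Packet Integrity */
     static u_char     key[16] =
         "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
-    static u_char     key29[16] =
-        "\xcc\xce\x18\x7e\xd0\x9a\x09\xd0\x57\x28\x15\x5a\x6c\xb9\x6b\xe1";
     static u_char     nonce[NGX_QUIC_IV_LEN] =
         "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
-    static u_char     nonce29[NGX_QUIC_IV_LEN] =
-        "\xe5\x49\x30\xf9\x7f\x21\x36\xf0\x53\x0a\x8c\x1c";
     static ngx_str_t  in = ngx_string("");
 
     ad.data = res->data;
     ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
 
@@ -914,16 +907,14 @@
     if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) {
         return NGX_ERROR;
     }
 
     secret.key.len = sizeof(key);
-    secret.key.data = (pkt->version & 0xff000000) ? key29 : key;
+    secret.key.data = key;
     secret.iv.len = NGX_QUIC_IV_LEN;
 
-    if (ngx_quic_tls_seal(ciphers.c, &secret, &itag,
-                          (pkt->version & 0xff000000) ? nonce29 : nonce,
-                          &in, &ad, pkt->log)
+    if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
         != NGX_OK)
     {
         return NGX_ERROR;
     }
 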
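Review bot: With the version argument gone, the salt handed to ngx_hkdf_extract (new line 175) and the retry key/nonce (new lines 890–893) are now fixed constants, and nothing in these hunks checks that the packet's version is the one those constants are defined for; presumably the caller rejects other versions before key derivation, but that assumption is no longer visible here and deserves a comment next to the salt, e.g. `/* RFC 9001, 5.2: initial salt for QUIC version 1; other versions must be rejected before reaching this point */`. A smaller point of style: `salt` is `static const` while `key` and `nonce` stay writable statics, which looks like a leftover of the pre-v1 selection rather than intent, though ngx_str_t.data being non-const may be what prevents making them const. Both ngx_quic_keys_set_initial_secret and the retry-tag function continue outside the shown hunks.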