# HG changeset patch # User Sergey Kandaurov # Date 1582884592 -10800 # Node ID 76e29ff31cd3621915e4689e2f2c520bd851f687 # Parent 8964cc6ecc4adb2fcea1c8f39be40b91eeaf1a00 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal(). diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -452,17 +452,13 @@ static int quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level, const uint8_t *data, size_t len) { - u_char buf[2048], *p, *ciphertext, *clear, *ad, *name; - size_t ad_len, clear_len; - ngx_int_t m; - ngx_str_t *server_key, *server_iv, *server_hp; -#ifdef OPENSSL_IS_BORINGSSL - const EVP_AEAD *cipher; -#else - const EVP_CIPHER *cipher; -#endif - ngx_connection_t *c; - ngx_quic_connection_t *qc; + u_char buf[2048], *p, *name; + ngx_int_t m; + ngx_str_t in, out, ad; + ngx_quic_secret_t *secret; + ngx_connection_t *c; + ngx_quic_connection_t *qc; + const ngx_aead_cipher_t *cipher; static int pn = 0; c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); @@ -474,15 +470,11 @@ quic_add_handshake_data(ngx_ssl_conn_t * switch (level) { case ssl_encryption_initial: - server_key = &qc->server_in.key; - server_iv = &qc->server_in.iv; - server_hp = &qc->server_in.hp; + secret = &qc->server_in; break; case ssl_encryption_handshake: - server_key = &qc->server_hs.key; - server_iv = &qc->server_hs.iv; - server_hp = &qc->server_hs.hp; + secret = &qc->server_hs; break; default: @@ -494,12 +486,12 @@ quic_add_handshake_data(ngx_ssl_conn_t * "quic_add_handshake_data: %*s%s, len: %uz, level:%d", m, buf, len < 2048 ? "" : "...", len, (int) level); - clear = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log); - if (clear == 0) { + in.data = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log); + if (in.data == 0) { return 0; } - p = clear; + p = in.data; ngx_quic_build_int(&p, 6); // crypto frame ngx_quic_build_int(&p, 0); ngx_quic_build_int(&p, len); @@ -513,19 +505,19 @@ quic_add_handshake_data(ngx_ssl_conn_t * ngx_quic_build_int(&p, 0); } - clear_len = p - clear; - size_t ciphertext_len = clear_len + 16 /*expansion*/; + in.len = p - in.data; + out.len = in.len + EVP_GCM_TLS_TAG_LEN; ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data: clear_len:%uz, ciphertext_len:%uz", - clear_len, ciphertext_len); - - ad = ngx_alloc(346 /*max header*/, c->log); - if (ad == 0) { + in.len, out.len); + + ad.data = ngx_alloc(346 /*max header*/, c->log); + if (ad.data == 0) { return 0; } - p = ad; + p = ad.data; if (level == ssl_encryption_initial) { *p++ = 0xc0; // initial, packet number len } else if (level == ssl_encryption_handshake) { @@ -542,7 +534,7 @@ quic_add_handshake_data(ngx_ssl_conn_t * if (level == ssl_encryption_initial) { ngx_quic_build_int(&p, 0); // token length } - ngx_quic_build_int(&p, ciphertext_len + 1); // length (inc. pnl) + ngx_quic_build_int(&p, out.len + 1); // length (inc. pnl) u_char *pnp = p; if (level == ssl_encryption_initial) { @@ -552,12 +544,12 @@ quic_add_handshake_data(ngx_ssl_conn_t * *p++ = pn++; } - ad_len = p - ad; - - m = ngx_hex_dump(buf, (u_char *) ad, ad_len) - buf; + ad.len = p - ad.data; + + m = ngx_hex_dump(buf, ad.data, ad.len) - buf; ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data ad: %*s, len: %uz", - m, buf, ad_len); + m, buf, ad.len); name = (u_char *) SSL_get_cipher(ssl_conn); @@ -582,18 +574,12 @@ quic_add_handshake_data(ngx_ssl_conn_t * return 0; } - - ciphertext = ngx_alloc(ciphertext_len, c->log); - if (ciphertext == 0) { - return 0; - } - - uint8_t *nonce = ngx_pstrdup(c->pool, server_iv); + uint8_t *nonce = ngx_pstrdup(c->pool, &secret->iv); if (level == ssl_encryption_handshake) { nonce[11] ^= (pn - 1); } - m = ngx_hex_dump(buf, (u_char *) server_iv->data, 12) - buf; + m = ngx_hex_dump(buf, (u_char *) secret->iv.data, 12) - buf; ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data sample: server_iv %*s", m, buf); @@ -602,102 +588,17 @@ quic_add_handshake_data(ngx_ssl_conn_t * "quic_add_handshake_data sample: n=%d nonce %*s", pn - 1, m, buf); - -#ifdef OPENSSL_IS_BORINGSSL - size_t out_len; - EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher, - server_key->data, - server_key->len, - EVP_AEAD_DEFAULT_TAG_LENGTH); - - if (EVP_AEAD_CTX_seal(aead, ciphertext, &out_len, ciphertext_len, - nonce, server_iv->len, - clear, clear_len, ad, ad_len) - != 1) + if (ngx_quic_tls_seal(c, cipher, secret, &out, nonce, &in, &ad) != NGX_OK) { - EVP_AEAD_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "EVP_AEAD_CTX_seal() failed"); - return 0; - } - - EVP_AEAD_CTX_free(aead); -#else - int out_len; - EVP_CIPHER_CTX *aead; - - aead = EVP_CIPHER_CTX_new(); - if (aead == NULL) { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); - return 0; - } - - if (EVP_EncryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); - return 0; - } - - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, server_iv->len, NULL) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); return 0; } - if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, nonce) - != 1) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); - return 0; - } - - if (EVP_EncryptUpdate(aead, NULL, &out_len, ad, ad_len) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); - return 0; - } - - if (EVP_EncryptUpdate(aead, ciphertext, &out_len, clear, clear_len) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); - return 0; - } - - ciphertext_len = out_len; - - if (EVP_EncryptFinal_ex(aead, ciphertext + out_len, &out_len) <= 0) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed"); - return 0; - } - - ciphertext_len += out_len; - - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, - ciphertext + clear_len) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); - return 0; - } - - EVP_CIPHER_CTX_free(aead); - - out_len = ciphertext_len + EVP_GCM_TLS_TAG_LEN; -#endif - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - u_char *sample = ciphertext + 3; // pnl=0 + u_char *sample = &out.data[3]; // pnl=0 uint8_t mask[16]; int outlen; - if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, server_hp->data, NULL) + if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL) != 1) { EVP_CIPHER_CTX_free(ctx); @@ -725,25 +626,24 @@ quic_add_handshake_data(ngx_ssl_conn_t * "quic_add_handshake_data mask: %*s, len: %uz", m, buf, 16); - m = ngx_hex_dump(buf, (u_char *) server_hp->data, 16) - buf; + m = ngx_hex_dump(buf, (u_char *) secret->hp.data, 16) - buf; ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data hp_key: %*s, len: %uz", m, buf, 16); // header protection, pnl = 0 - ad[0] ^= mask[0] & 0x0f; + ad.data[0] ^= mask[0] & 0x0f; *pnp ^= mask[1]; -printf("clear_len %ld ciphertext_len %ld out_len %ld ad_len %ld\n", -clear_len, ciphertext_len, (size_t) out_len, ad_len); - - u_char *packet = ngx_alloc(ad_len + out_len, c->log); +printf("clear_len %ld ciphertext_len %ld ad_len %ld\n", in.len, out.len, ad.len); + + u_char *packet = ngx_alloc(ad.len + out.len, c->log); if (packet == 0) { return 0; } - p = ngx_cpymem(packet, ad, ad_len); - p = ngx_cpymem(p, ciphertext, out_len); + p = ngx_cpymem(packet, ad.data, ad.len); + p = ngx_cpymem(p, out.data, out.len); m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(1024, p - packet)) - buf; ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -163,3 +163,211 @@ ngx_hkdf_expand(u_char *out_key, size_t return NGX_OK; } + + +ngx_int_t +ngx_quic_tls_open(ngx_connection_t *c, const ngx_aead_cipher_t *cipher, + ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, + ngx_str_t *ad) +{ + out->len = in->len - EVP_GCM_TLS_TAG_LEN; + out->data = ngx_pnalloc(c->pool, out->len); + if (out->data == NULL) { + return NGX_ERROR; + } + +#ifdef OPENSSL_IS_BORINGSSL + EVP_AEAD_CTX *ctx; + + ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, + EVP_AEAD_DEFAULT_TAG_LENGTH); + if (ctx == NULL) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); + return NGX_ERROR; + } + + if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len, + in->data, in->len, ad->data, ad->len) + != 1) + { + EVP_AEAD_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_open() failed"); + return NGX_ERROR; + } + + EVP_AEAD_CTX_free(ctx); +#else + int len; + u_char *tag; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); + return NGX_ERROR; + } + + if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); + return NGX_ERROR; + } + + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) + == 0) + { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, + "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); + return NGX_ERROR; + } + + if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); + return NGX_ERROR; + } + + if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); + return NGX_ERROR; + } + + if (EVP_DecryptUpdate(ctx, out->data, &len, in->data, + in->len - EVP_GCM_TLS_TAG_LEN) + != 1) + { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); + return NGX_ERROR; + } + + out->len = len; + tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN; + + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag) + == 0) + { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, + "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); + return NGX_ERROR; + } + + if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptFinal_ex failed"); + return NGX_ERROR; + } + + out->len += len; + + EVP_CIPHER_CTX_free(ctx); +#endif + + return NGX_OK; +} + + +ngx_int_t +ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher, + ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, + ngx_str_t *ad) +{ + out->len = in->len + EVP_GCM_TLS_TAG_LEN; + out->data = ngx_pnalloc(c->pool, out->len); + if (out->data == NULL) { + return NGX_ERROR; + } + +#ifdef OPENSSL_IS_BORINGSSL + EVP_AEAD_CTX *ctx; + + ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, + EVP_AEAD_DEFAULT_TAG_LENGTH); + if (ctx == NULL) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); + return NGX_ERROR; + } + + if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len, + in->data, in->len, ad->data, ad->len) + != 1) + { + EVP_AEAD_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_seal() failed"); + return NGX_ERROR; + } + + EVP_AEAD_CTX_free(ctx); +#else + int len; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); + return NGX_ERROR; + } + + if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); + return NGX_ERROR; + } + + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) + == 0) + { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, + "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); + return NGX_ERROR; + } + + if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); + return NGX_ERROR; + } + + if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); + return NGX_ERROR; + } + + if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); + return NGX_ERROR; + } + + out->len = len; + + if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed"); + return NGX_ERROR; + } + + out->len += len; + + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, + out->data + in->len) + == 0) + { + EVP_CIPHER_CTX_free(ctx); + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, + "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); + return NGX_ERROR; + } + + EVP_CIPHER_CTX_free(ctx); + + out->len += EVP_GCM_TLS_TAG_LEN; +#endif + + return NGX_OK; +} diff --git a/src/event/ngx_event_quic.h b/src/event/ngx_event_quic.h --- a/src/event/ngx_event_quic.h +++ b/src/event/ngx_event_quic.h @@ -11,6 +11,15 @@ #include +#ifdef OPENSSL_IS_BORINGSSL +#define ngx_aead_cipher_t EVP_AEAD +#define NGX_QUIC_INITIAL_CIPHER EVP_aead_aes_128_gcm() +#else +#define ngx_aead_cipher_t EVP_CIPHER +#define NGX_QUIC_INITIAL_CIPHER EVP_aes_128_gcm() +#endif + + typedef struct { ngx_str_t secret; ngx_str_t key; @@ -44,5 +53,12 @@ ngx_int_t ngx_hkdf_expand(u_char *out_ke const EVP_MD *digest, const u_char *prk, size_t prk_len, const u_char *info, size_t info_len); +ngx_int_t ngx_quic_tls_open(ngx_connection_t *c, + const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, + u_char *nonce, ngx_str_t *in, ngx_str_t *ad); +ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c, + const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, + u_char *nonce, ngx_str_t *in, ngx_str_t *ad); + #endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */ diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -783,28 +783,19 @@ ngx_http_quic_handshake(ngx_event_t *rev // initial secret - size_t is_len; - uint8_t is[SHA256_DIGEST_LENGTH]; - const EVP_MD *digest; -#ifdef OPENSSL_IS_BORINGSSL - const EVP_AEAD *cipher; -#else - const EVP_CIPHER *cipher; -#endif + size_t is_len; + uint8_t is[SHA256_DIGEST_LENGTH]; + const EVP_MD *digest; + const ngx_aead_cipher_t *cipher; static const uint8_t salt[20] = "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7" "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02"; + /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ + + cipher = NGX_QUIC_INITIAL_CIPHER; digest = EVP_sha256(); - /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ - -#ifdef OPENSSL_IS_BORINGSSL - cipher = EVP_aead_aes_128_gcm(); -#else - cipher = EVP_aes_128_gcm(); -#endif - if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len, salt, sizeof(salt)) != NGX_OK) @@ -1179,9 +1170,9 @@ ngx_http_quic_handshake(ngx_event_t *rev // packet protection - ngx_str_t ciphertext; - ciphertext.data = b->pos; - ciphertext.len = plen - pnl; + ngx_str_t in; + in.data = b->pos; + in.len = plen - pnl; ngx_str_t ad; ad.len = b->pos - b->start; @@ -1210,144 +1201,44 @@ ngx_http_quic_handshake(ngx_event_t *rev } #endif - uint8_t cleartext[1600]; - size_t cleartext_len; - -#ifdef OPENSSL_IS_BORINGSSL - EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher, - qc->client_in.key.data, - qc->client_in.key.len, - EVP_AEAD_DEFAULT_TAG_LENGTH); - if (aead == NULL) { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_AEAD_CTX_new() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_AEAD_CTX_open(aead, cleartext, &cleartext_len, sizeof(cleartext), - nonce, qc->client_in.iv.len, ciphertext.data, - ciphertext.len, ad.data, ad.len) - != 1) + ngx_str_t out; + + if (ngx_quic_tls_open(c, cipher, &qc->client_in, &out, nonce, &in, &ad) + != NGX_OK) { - EVP_AEAD_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_AEAD_CTX_open() failed"); - ngx_http_close_connection(c); - return; - } - - EVP_AEAD_CTX_free(aead); -#else - int len; - u_char *tag; - EVP_CIPHER_CTX *aead; - - aead = EVP_CIPHER_CTX_new(); - if (aead == NULL) { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_CIPHER_CTX_new() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed"); ngx_http_close_connection(c); return; } - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, qc->client_in.iv.len, - NULL) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptInit_ex(aead, NULL, NULL, qc->client_in.key.data, nonce) - != 1) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptUpdate(aead, NULL, &len, ad.data, ad.len) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptUpdate(aead, cleartext, &len, ciphertext.data, - ciphertext.len - EVP_GCM_TLS_TAG_LEN) - != 1) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - cleartext_len = len; - tag = ciphertext.data + ciphertext.len - EVP_GCM_TLS_TAG_LEN; - - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, - tag) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptFinal_ex(aead, cleartext + len, &len) <= 0) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptFinal_ex failed"); - ngx_http_close_connection(c); - return; - } - - cleartext_len += len; - - EVP_CIPHER_CTX_free(aead); -#endif - #if (NGX_DEBUG) if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { - m = ngx_hex_dump(buf, cleartext, ngx_min(cleartext_len, 256)) - buf; + m = ngx_hex_dump(buf, out.data, ngx_min(out.len, 256)) - buf; ngx_log_debug4(NGX_LOG_DEBUG_HTTP, rev->log, 0, "quic packet payload: %*s%s, len: %uz", - m, buf, m < 512 ? "" : "...", cleartext_len); + m, buf, m < 512 ? "" : "...", out.len); } #endif - if (cleartext[0] != 0x06) { + if (out.data[0] != 0x06) { ngx_log_error(NGX_LOG_INFO, rev->log, 0, "unexpected frame in initial packet"); ngx_http_close_connection(c); return; } - if (cleartext[1] != 0x00) { + if (out.data[1] != 0x00) { ngx_log_error(NGX_LOG_INFO, rev->log, 0, "unexpected CRYPTO offset in initial packet"); ngx_http_close_connection(c); return; } - uint8_t *crypto = &cleartext[2]; + uint8_t *crypto = &out.data[2]; uint64_t crypto_len = ngx_quic_parse_int(&crypto); ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, "quic initial packet CRYPTO length: %uL pp:%p:%p", - crypto_len, cleartext, crypto); + crypto_len, out.data, crypto); sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); @@ -1466,8 +1357,6 @@ ngx_http_quic_handshake_handler(ngx_even ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, "quic handshake handler: %*s, len: %uz", m, buf, n); - /* XXX bug-for-bug compat - assuming initial ack in handshake pkt */ - if ((p[0] & 0xf0) != 0xe0) { ngx_log_error(NGX_LOG_INFO, rev->log, 0, "invalid packet type"); ngx_http_close_connection(c); @@ -1576,9 +1465,9 @@ ngx_http_quic_handshake_handler(ngx_even // packet protection - ngx_str_t ciphertext; - ciphertext.data = p; - ciphertext.len = plen - pnl; + ngx_str_t in; + in.data = p; + in.len = plen - pnl; ngx_str_t ad; ad.len = p - b; @@ -1607,11 +1496,7 @@ ngx_http_quic_handshake_handler(ngx_even } #endif -#ifdef OPENSSL_IS_BORINGSSL - const EVP_AEAD *cipher; -#else - const EVP_CIPHER *cipher; -#endif + const ngx_aead_cipher_t *cipher; u_char *name = (u_char *) SSL_get_cipher(c->ssl->connection); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0, @@ -1639,122 +1524,21 @@ ngx_http_quic_handshake_handler(ngx_even return; } - - uint8_t cleartext[1600]; - size_t cleartext_len; - -#ifdef OPENSSL_IS_BORINGSSL - EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher, - qc->client_hs.key.data, - qc->client_hs.key.len, - EVP_AEAD_DEFAULT_TAG_LENGTH); - if (aead == NULL) { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_AEAD_CTX_new() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_AEAD_CTX_open(aead, cleartext, &cleartext_len, sizeof(cleartext), - nonce, qc->client_hs.iv.len, ciphertext.data, - ciphertext.len, ad.data, ad.len) - != 1) + ngx_str_t out; + + if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad) + != NGX_OK) { - EVP_AEAD_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_AEAD_CTX_open() failed"); - ngx_http_close_connection(c); - return; - } - - EVP_AEAD_CTX_free(aead); -#else - int len; - u_char *tag; - EVP_CIPHER_CTX *aead; - - aead = EVP_CIPHER_CTX_new(); - if (aead == NULL) { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_CIPHER_CTX_new() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed"); ngx_http_close_connection(c); return; } - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, qc->client_hs.iv.len, - NULL) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptInit_ex(aead, NULL, NULL, qc->client_hs.key.data, nonce) - != 1) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptUpdate(aead, NULL, &len, ad.data, ad.len) != 1) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptUpdate(aead, cleartext, &len, ciphertext.data, - ciphertext.len - EVP_GCM_TLS_TAG_LEN) - != 1) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - cleartext_len = len; - tag = ciphertext.data + ciphertext.len - EVP_GCM_TLS_TAG_LEN; - - if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, - tag) - == 0) - { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); - ngx_http_close_connection(c); - return; - } - - if (EVP_DecryptFinal_ex(aead, cleartext + len, &len) <= 0) { - EVP_CIPHER_CTX_free(aead); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptFinal_ex failed"); - ngx_http_close_connection(c); - return; - } - - cleartext_len += len; - - EVP_CIPHER_CTX_free(aead); -#endif - #if (NGX_DEBUG) if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { - m = ngx_hex_dump(buf, cleartext, ngx_min(cleartext_len, 256)) - buf; + m = ngx_hex_dump(buf, out.data, ngx_min(out.len, 256)) - buf; ngx_log_debug4(NGX_LOG_DEBUG_HTTP, rev->log, 0, "quic packet payload: %*s%s, len: %uz", - m, buf, m < 512 ? "" : "...", cleartext_len); + m, buf, m < 512 ? "" : "...", out.len); } #endif