# HG changeset patch # User Vladimir Homutov # Date 1582725407 -10800 # Node ID 7ee1ada04c8a822aa77c3464d5ad1faab7c2d945 # Parent a9ff4392ecde0b88476e84333d8ca6711aae7055 Generic function for HKDF expansion. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -153,15 +153,6 @@ quic_set_encryption_secrets(ngx_ssl_conn return 0; } - size_t hkdfl_len, llen; - uint8_t hkdfl[20]; - uint8_t *p; - const char *label; -#if (NGX_DEBUG) - u_char buf[512]; - size_t m; -#endif - ngx_str_t *client_key, *client_iv, *client_hp; ngx_str_t *server_key, *server_iv, *server_hp; @@ -219,230 +210,59 @@ quic_set_encryption_secrets(ngx_ssl_conn ngx_memcpy(*wsec, write_secret, secret_len); - // client keys - #ifdef OPENSSL_IS_BORINGSSL client_key->len = EVP_AEAD_key_length(evp); + server_key->len = EVP_AEAD_key_length(evp); + + client_iv->len = EVP_AEAD_nonce_length(evp); + server_iv->len = EVP_AEAD_nonce_length(evp); + + client_hp->len = EVP_AEAD_key_length(evp); + server_hp->len = EVP_AEAD_key_length(evp); #else client_key->len = EVP_CIPHER_key_length(evp); -#endif - client_key->data = ngx_pnalloc(c->pool, client_key->len); - if (client_key->data == NULL) { - return 0; - } - - label = "tls13 quic key"; - llen = sizeof("tls13 quic key") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = client_key->len / 256; - hkdfl[1] = client_key->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(client_key->data, client_key->len, - digest, *rsec, *rlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(client_key) failed"); - return 0; - } - - m = ngx_hex_dump(buf, client_key->data, client_key->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic client key: %*s, len: %uz, level: %d", - m, buf, client_key->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); - - -#ifdef OPENSSL_IS_BORINGSSL - client_iv->len = EVP_AEAD_nonce_length(evp); -#else + server_key->len = EVP_CIPHER_key_length(evp); + client_iv->len = EVP_CIPHER_iv_length(evp); -#endif - client_iv->data = ngx_pnalloc(c->pool, client_iv->len); - if (client_iv->data == NULL) { - return 0; - } - - label = "tls13 quic iv"; - llen = sizeof("tls13 quic iv") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = client_iv->len / 256; - hkdfl[1] = client_iv->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(client_iv->data, client_iv->len, - digest, *rsec, *rlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(client_iv) failed"); - return 0; - } - - m = ngx_hex_dump(buf, client_iv->data, client_iv->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic client iv: %*s, len: %uz, level: %d", - m, buf, client_iv->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); - - -#ifdef OPENSSL_IS_BORINGSSL - client_hp->len = EVP_AEAD_key_length(evp); -#else + server_iv->len = EVP_CIPHER_iv_length(evp); + client_hp->len = EVP_CIPHER_key_length(evp); -#endif - client_hp->data = ngx_pnalloc(c->pool, client_hp->len); - if (client_hp->data == NULL) { - return 0; - } - - label = "tls13 quic hp"; - llen = sizeof("tls13 quic hp") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = client_hp->len / 256; - hkdfl[1] = client_hp->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(client_hp->data, client_hp->len, - digest, *rsec, *rlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(client_hp) failed"); - return 0; - } - - m = ngx_hex_dump(buf, client_hp->data, client_hp->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic client hp: %*s, len: %uz, level: %d", - m, buf, client_hp->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); - - - // server keys - -#ifdef OPENSSL_IS_BORINGSSL - server_key->len = EVP_AEAD_key_length(evp); -#else - server_key->len = EVP_CIPHER_key_length(evp); -#endif - server_key->data = ngx_pnalloc(c->pool, server_key->len); - if (server_key->data == NULL) { - return 0; - } - - label = "tls13 quic key"; - llen = sizeof("tls13 quic key") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = server_key->len / 256; - hkdfl[1] = server_key->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(server_key->data, server_key->len, - digest, *wsec, *wlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(server_key) failed"); - return 0; - } - - m = ngx_hex_dump(buf, server_key->data, server_key->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic server key: %*s, len: %uz, level: %d", - m, buf, server_key->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); - - -#ifdef OPENSSL_IS_BORINGSSL - server_iv->len = EVP_AEAD_nonce_length(evp); -#else - server_iv->len = EVP_CIPHER_iv_length(evp); -#endif - server_iv->data = ngx_pnalloc(c->pool, server_iv->len); - if (server_iv->data == NULL) { - return 0; - } - - label = "tls13 quic iv"; - llen = sizeof("tls13 quic iv") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = server_iv->len / 256; - hkdfl[1] = server_iv->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(server_iv->data, server_iv->len, - digest, *wsec, *wlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(server_iv) failed"); - return 0; - } - - m = ngx_hex_dump(buf, server_iv->data, server_iv->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic server iv: %*s, len: %uz, level: %d", - m, buf, server_iv->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); - - -#ifdef OPENSSL_IS_BORINGSSL - server_hp->len = EVP_AEAD_key_length(evp); -#else server_hp->len = EVP_CIPHER_key_length(evp); #endif - server_hp->data = ngx_pnalloc(c->pool, server_hp->len); - if (server_hp->data == NULL) { - return 0; - } - - label = "tls13 quic hp"; - llen = sizeof("tls13 quic hp") - 1; - hkdfl_len = 2 + 1 + llen + 1; - hkdfl[0] = server_hp->len / 256; - hkdfl[1] = server_hp->len % 256; - hkdfl[2] = llen; - p = ngx_cpymem(&hkdfl[3], label, llen); - *p = '\0'; - - if (ngx_hkdf_expand(server_hp->data, server_hp->len, - digest, *wsec, *wlen, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "ngx_hkdf_expand(server_hp) failed"); - return 0; - } - - m = ngx_hex_dump(buf, server_hp->data, server_hp->len) - buf; - ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0, - "quic server hp: %*s, len: %uz, level: %d", - m, buf, server_hp->len, level); - m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0, - "hkdf: %*s, len: %uz", m, buf, hkdfl_len); + + ngx_str_t rss = { + .data = *rsec, + .len = *rlen + }; + + ngx_str_t wss = { + .data = *wsec, + .len = *wlen + }; + + struct { + ngx_str_t id; + ngx_str_t *in; + ngx_str_t *prk; + } seq[] = { + { ngx_string("tls13 quic key"), client_key, &rss }, + { ngx_string("tls13 quic iv"), client_iv, &rss }, + { ngx_string("tls13 quic hp"), client_hp, &rss }, + { ngx_string("tls13 quic key"), server_key, &wss }, + { ngx_string("tls13 quic iv"), server_iv, &wss }, + { ngx_string("tls13 quic hp"), server_hp, &wss }, + }; + + ngx_uint_t i; + + for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { + + if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 1) + != NGX_OK) + { + return 0; + } + } return 1; } diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -120,6 +120,62 @@ ngx_hkdf_extract(u_char *out_key, size_t ngx_int_t +ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, ngx_str_t *out, + ngx_str_t *prk, ngx_str_t *name, ngx_uint_t sender) +{ + uint8_t *p; + size_t hkdfl_len; + uint8_t hkdfl[20]; + +#if (NGX_DEBUG) + u_char buf[512]; + size_t m; +#endif + + out->data = ngx_pnalloc(c->pool, out->len); + if (out->data == NULL) { + return NGX_ERROR; + } + + hkdfl_len = 2 + 1 + name->len + 1; + + if (sender) { + hkdfl[0] = out->len / 256; + hkdfl[1] = out->len % 256; + + } else { + hkdfl[0] = 0; + hkdfl[1] = out->len; + } + + hkdfl[2] = name->len; + p = ngx_cpymem(&hkdfl[3], name->data, name->len); + *p = '\0'; + + if (ngx_hkdf_expand(out->data, out->len, digest, + prk->data, prk->len, hkdfl, hkdfl_len) + != NGX_OK) + { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, + "ngx_hkdf_expand(%V) failed", name); + return NGX_ERROR; + } + + if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { + m = ngx_hex_dump(buf, out->data, out->len) - buf; + ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, + "%V: %*s, len: %uz", name, m, buf, out->len); + + m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf; + ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, + "%V hkdf: %*s, len: %uz", name, m, buf, hkdfl_len); + } + + return NGX_OK; +} + + +ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, const u_char *prk, size_t prk_len, const u_char *info, size_t info_len) { diff --git a/src/event/ngx_event_quic.h b/src/event/ngx_event_quic.h --- a/src/event/ngx_event_quic.h +++ b/src/event/ngx_event_quic.h @@ -53,6 +53,9 @@ ngx_int_t ngx_hkdf_expand(u_char *out_ke const EVP_MD *digest, const u_char *prk, size_t prk_len, const u_char *info, size_t info_len); +ngx_int_t ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, + ngx_str_t *out, ngx_str_t *prk, ngx_str_t *name, ngx_uint_t sender); + ngx_int_t ngx_quic_tls_open(ngx_connection_t *c, const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad); diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -785,6 +785,7 @@ ngx_http_quic_handshake(ngx_event_t *rev size_t is_len; uint8_t is[SHA256_DIGEST_LENGTH]; + ngx_uint_t i; const EVP_MD *digest; const ngx_aead_cipher_t *cipher; static const uint8_t salt[20] = @@ -804,6 +805,11 @@ ngx_http_quic_handshake(ngx_event_t *rev return; } + ngx_str_t iss = { + .data = is, + .len = is_len + }; + #if (NGX_DEBUG) if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { m = ngx_hex_dump(buf, (uint8_t *) salt, sizeof(salt)) - buf; @@ -816,47 +822,30 @@ ngx_http_quic_handshake(ngx_event_t *rev } #endif - size_t hkdfl_len; - uint8_t hkdfl[20]; - uint8_t *p; - /* draft-ietf-quic-tls-23#section-5.2 */ - qc->client_in.secret.len = SHA256_DIGEST_LENGTH; - qc->client_in.secret.data = ngx_pnalloc(c->pool, qc->client_in.secret.len); - if (qc->client_in.secret.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 client in") - 1 + 1; - bzero(hkdfl, sizeof(hkdfl)); - hkdfl[0] = 0; - hkdfl[1] = qc->client_in.secret.len; - hkdfl[2] = sizeof("tls13 client in") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 client in", sizeof("tls13 client in") - 1); - *p = '\0'; - -#if 0 - ngx_memcpy(hkdfl, "\x00\x20\x0f\x74\x6c\x73\x31\x33\x20\x63" - "\x6c\x69\x65\x6e\x74\x20\x69\x6e\x00\x00", 20); - - m = ngx_hex_dump(buf, hkdfl, sizeof(hkdfl)) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic initial secret hkdf: %*s, len: %uz", - m, buf, sizeof(hkdfl)); + qc->server_in.secret.len = SHA256_DIGEST_LENGTH; + +#ifdef OPENSSL_IS_BORINGSSL + qc->client_in.key.len = EVP_AEAD_key_length(cipher); + qc->server_in.key.len = EVP_AEAD_key_length(cipher); + + qc->client_in.hp.len = EVP_AEAD_key_length(cipher); + qc->server_in.hp.len = EVP_AEAD_key_length(cipher); + + qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher); + qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher); +#else + qc->client_in.key.len = EVP_CIPHER_key_length(cipher); + qc->server_in.key.len = EVP_CIPHER_key_length(cipher); + + qc->client_in.hp.len = EVP_CIPHER_key_length(cipher); + qc->server_in.hp.len = EVP_CIPHER_key_length(cipher); + + qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher); + qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher); #endif - if (ngx_hkdf_expand(qc->client_in.secret.data, qc->client_in.secret.len, - digest, is, is_len, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(client_in) failed"); - ngx_http_close_connection(c); - return; - } - #ifdef OPENSSL_IS_BORINGSSL ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, "quic EVP key:%d tag:%d nonce:%d", @@ -865,262 +854,60 @@ ngx_http_quic_handshake(ngx_event_t *rev EVP_AEAD_nonce_length(cipher)); #endif - -#ifdef OPENSSL_IS_BORINGSSL - qc->client_in.key.len = EVP_AEAD_key_length(cipher); -#else - qc->client_in.key.len = EVP_CIPHER_key_length(cipher); -#endif - qc->client_in.key.data = ngx_pnalloc(c->pool, qc->client_in.key.len); - if (qc->client_in.key.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic key") - 1 + 1; - hkdfl[1] = qc->client_in.key.len; - hkdfl[2] = sizeof("tls13 quic key") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic key", sizeof("tls13 quic key") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->client_in.key.data, qc->client_in.key.len, - digest, qc->client_in.secret.data, qc->client_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(client_in.key) failed"); - ngx_http_close_connection(c); - return; - } - -#ifdef OPENSSL_IS_BORINGSSL - qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher); -#else - qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher); -#endif - qc->client_in.iv.data = ngx_pnalloc(c->pool, qc->client_in.iv.len); - if (qc->client_in.iv.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic iv") - 1 + 1; - hkdfl[1] = qc->client_in.iv.len; - hkdfl[2] = sizeof("tls13 quic iv") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic iv", sizeof("tls13 quic iv") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->client_in.iv.data, qc->client_in.iv.len, - digest, qc->client_in.secret.data, qc->client_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(client_in.iv) failed"); - ngx_http_close_connection(c); - return; - } - - /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ - -#ifdef OPENSSL_IS_BORINGSSL - qc->client_in.hp.len = EVP_AEAD_key_length(cipher); -#else - qc->client_in.hp.len = EVP_CIPHER_key_length(cipher); -#endif - qc->client_in.hp.data = ngx_pnalloc(c->pool, qc->client_in.hp.len); - if (qc->client_in.hp.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic hp") - 1 + 1; - hkdfl[1] = qc->client_in.hp.len; - hkdfl[2] = sizeof("tls13 quic hp") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic hp", sizeof("tls13 quic hp") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->client_in.hp.data, qc->client_in.hp.len, - digest, qc->client_in.secret.data, qc->client_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(client_in.hp) failed"); - ngx_http_close_connection(c); - return; - } - -#if (NGX_DEBUG) - if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { - m = ngx_hex_dump(buf, qc->client_in.secret.data, qc->client_in.secret.len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic client initial secret: %*s, len: %uz", - m, buf, qc->client_in.secret.len); - - m = ngx_hex_dump(buf, qc->client_in.key.data, qc->client_in.key.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic client key: %*s, len: %uz", - m, buf, qc->client_in.key.len); - - m = ngx_hex_dump(buf, qc->client_in.iv.data, qc->client_in.iv.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic client iv: %*s, len: %uz", - m, buf, qc->client_in.iv.len); - - m = ngx_hex_dump(buf, qc->client_in.hp.data, qc->client_in.hp.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic client hp: %*s, len: %uz", - m, buf, qc->client_in.hp.len); - } -#endif - -// server initial - - /* draft-ietf-quic-tls-23#section-5.2 */ - - qc->server_in.secret.len = SHA256_DIGEST_LENGTH; - qc->server_in.secret.data = ngx_pnalloc(c->pool, qc->server_in.secret.len); - if (qc->server_in.secret.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 server in") - 1 + 1; - hkdfl[0] = 0; - hkdfl[1] = qc->server_in.secret.len; - hkdfl[2] = sizeof("tls13 server in") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 server in", sizeof("tls13 server in") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->server_in.secret.data, qc->server_in.secret.len, - digest, is, is_len, hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(server_in) failed"); - ngx_http_close_connection(c); - return; - } - - /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ - -#ifdef OPENSSL_IS_BORINGSSL - qc->server_in.key.len = EVP_AEAD_key_length(cipher); -#else - qc->server_in.key.len = EVP_CIPHER_key_length(cipher); -#endif - qc->server_in.key.data = ngx_pnalloc(c->pool, qc->server_in.key.len); - if (qc->server_in.key.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic key") - 1 + 1; - hkdfl[1] = qc->server_in.key.len; - hkdfl[2] = sizeof("tls13 quic key") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic key", sizeof("tls13 quic key") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->server_in.key.data, qc->server_in.key.len, - digest, qc->server_in.secret.data, qc->server_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(server_in.key) failed"); - ngx_http_close_connection(c); - return; - } - -#ifdef OPENSSL_IS_BORINGSSL - qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher); -#else - qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher); -#endif - qc->server_in.iv.data = ngx_pnalloc(c->pool, qc->server_in.iv.len); - if (qc->server_in.iv.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic iv") - 1 + 1; - hkdfl[1] = qc->server_in.iv.len; - hkdfl[2] = sizeof("tls13 quic iv") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic iv", sizeof("tls13 quic iv") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->server_in.iv.data, qc->server_in.iv.len, - digest, qc->server_in.secret.data, qc->server_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(server_in.iv) failed"); - ngx_http_close_connection(c); - return; - } - - /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ - -#ifdef OPENSSL_IS_BORINGSSL - qc->server_in.hp.len = EVP_AEAD_key_length(cipher); -#else - qc->server_in.hp.len = EVP_CIPHER_key_length(cipher); -#endif - qc->server_in.hp.data = ngx_pnalloc(c->pool, qc->server_in.hp.len); - if (qc->server_in.hp.data == NULL) { - ngx_http_close_connection(c); - return; - } - - hkdfl_len = 2 + 1 + sizeof("tls13 quic hp") - 1 + 1; - hkdfl[1] = qc->server_in.hp.len; - hkdfl[2] = sizeof("tls13 quic hp") - 1; - p = ngx_cpymem(&hkdfl[3], "tls13 quic hp", sizeof("tls13 quic hp") - 1); - *p = '\0'; - - if (ngx_hkdf_expand(qc->server_in.hp.data, qc->server_in.hp.len, - digest, qc->server_in.secret.data, qc->server_in.secret.len, - hkdfl, hkdfl_len) - != NGX_OK) - { - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "ngx_hkdf_expand(server_in.hp) failed"); - ngx_http_close_connection(c); - return; - } - -#if (NGX_DEBUG) - if (c->log->log_level & NGX_LOG_DEBUG_EVENT) { - m = ngx_hex_dump(buf, qc->server_in.secret.data, qc->server_in.secret.len) - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic server initial secret: %*s, len: %uz", - m, buf, qc->server_in.secret.len); - - m = ngx_hex_dump(buf, qc->server_in.key.data, qc->server_in.key.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic server key: %*s, len: %uz", - m, buf, qc->server_in.key.len); - - m = ngx_hex_dump(buf, qc->server_in.iv.data, qc->server_in.iv.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic server iv: %*s, len: %uz", - m, buf, qc->server_in.iv.len); - - m = ngx_hex_dump(buf, qc->server_in.hp.data, qc->server_in.hp.len) - - buf; - ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "quic server hp: %*s, len: %uz", - m, buf, qc->server_in.hp.len); - } -#endif + struct { + ngx_str_t id; + ngx_str_t *in; + ngx_str_t *prk; + } seq[] = { + + /* draft-ietf-quic-tls-23#section-5.2 */ + { ngx_string("tls13 client in"), &qc->client_in.secret, &iss }, + { + ngx_string("tls13 quic key"), + &qc->client_in.key, + &qc->client_in.secret, + }, + { + ngx_string("tls13 quic iv"), + &qc->client_in.iv, + &qc->client_in.secret, + }, + { + /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ + ngx_string("tls13 quic hp"), + &qc->client_in.hp, + &qc->client_in.secret, + }, + { ngx_string("tls13 server in"), &qc->server_in.secret, &iss }, + { + /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ + ngx_string("tls13 quic key"), + &qc->server_in.key, + &qc->server_in.secret, + }, + { + ngx_string("tls13 quic iv"), + &qc->server_in.iv, + &qc->server_in.secret, + }, + { + /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ + ngx_string("tls13 quic hp"), + &qc->server_in.hp, + &qc->server_in.secret + }, + + }; + + for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { + + if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 0) + != NGX_OK) + { + ngx_http_close_connection(c); + return; + } + } // header protection