Mercurial > hg > nginx

changeset 8178:a9ff4392ecde quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC header protection routines, introduced ngx_quic_tls_hp().
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 28 Feb 2020 13:09:52 +0300
parents 76e29ff31cd3
children 7ee1ada04c8a
files src/event/ngx_event_openssl.c src/event/ngx_event_quic.c src/event/ngx_event_quic.h src/http/ngx_http_request.c
diffstat 4 files changed, 42 insertions(+), 56 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -593,29 +593,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *
         return 0;
     }
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     u_char *sample = &out.data[3]; // pnl=0
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL)
-        != 1)
-    {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "EVP_EncryptInit_ex() failed");
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), secret, mask, sample) != NGX_OK) {
         return 0;
     }
 
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "EVP_EncryptUpdate() failed");
-        return 0;
-    }
-
-    EVP_CIPHER_CTX_free(ctx);
-
     m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf;
     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic_add_handshake_data sample: %*s, len: %uz",
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -371,3 +371,37 @@ ngx_quic_tls_seal(ngx_connection_t *c, c
 
     return NGX_OK;
 }
+
+
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in)
+{
+    int              outlen;
+    EVP_CIPHER_CTX  *ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) {
+        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
+        goto failed;
+    }
+
+    if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) {
+        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
+        goto failed;
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_OK;
+
+failed:
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_ERROR;
+}
--- a/src/event/ngx_event_quic.h
+++ b/src/event/ngx_event_quic.h
@@ -60,5 +60,8 @@ ngx_int_t ngx_quic_tls_seal(ngx_connecti
     const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
     u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
 
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in);
 
 #endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1124,31 +1124,14 @@ ngx_http_quic_handshake(ngx_event_t *rev
 
 // header protection
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
-                           qc->client_in.hp.data, NULL)
-        != 1)
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_in, mask, sample)
+        != NGX_OK)
     {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptInit_ex() failed");
         ngx_http_close_connection(c);
         return;
     }
 
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptUpdate() failed");
-        ngx_http_close_connection(c);
-        return;
-    }
-
-    EVP_CIPHER_CTX_free(ctx);
-
     u_char  clearflags = flags ^ (mask[0] & 0x0f);
     ngx_int_t  pnl = (clearflags & 0x03) + 1;
     uint64_t  pn = ngx_quic_parse_pn(&b->pos, pnl, &mask[1]);
@@ -1422,31 +1405,14 @@ ngx_http_quic_handshake_handler(ngx_even
 
 // header protection
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
-                           qc->client_hs.hp.data, NULL)
-        != 1)
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_hs, mask, sample)
+        != NGX_OK)
     {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptInit_ex() failed");
         ngx_http_close_connection(c);
         return;
     }
 
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptUpdate() failed");
-        ngx_http_close_connection(c);
-        return;
-    }
-
-    EVP_CIPHER_CTX_free(ctx);
-
     u_char  clearflags = flags ^ (mask[0] & 0x0f);
     ngx_int_t  pnl = (clearflags & 0x03) + 1;
     uint64_t  pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);