Mercurial > hg > nginx-quic

annotate src/event/ngx_event_quic.c @ 7645:7ee1ada04c8a quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Generic function for HKDF expansion.
author Vladimir Homutov <vl@nginx.com>
date Wed, 26 Feb 2020 16:56:47 +0300
parents a9ff4392ecde
children 01dc595de244
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
7637
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
1 #include <ngx_config.h>
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
2 #include <ngx_core.h>
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
3 #include <ngx_event.h>
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
4
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
5
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
6 uint64_t
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
7 ngx_quic_parse_int(u_char **pos)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
8 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
9 u_char *p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
10 uint64_t value;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
11 ngx_uint_t len;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
12
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
13 p = *pos;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
14 len = 1 << ((*p & 0xc0) >> 6);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
15 value = *p++ & 0x3f;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
16
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
17 while (--len) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
18 value = (value << 8) + *p++;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
19 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
20
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
21 *pos = p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
22 return value;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
23 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
24
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
25
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
26 void
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
27 ngx_quic_build_int(u_char **pos, uint64_t value)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
28 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
29 u_char *p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
30 ngx_uint_t len;//, len2;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
31
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
32 p = *pos;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
33 len = 0;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
34
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
35 while (value >> ((1 << len) * 8 - 2)) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
36 len++;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
37 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
38
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
39 *p = len << 6;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
40
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
41 // len2 =
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
42 len = (1 << len);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
43 len--;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
44 *p |= value >> (len * 8);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
45 p++;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
46
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
47 while (len) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
48 *p++ = value >> ((len-- - 1) * 8);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
49 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
50
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
51 *pos = p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
52 // return len2;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
53 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
54
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
55
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
56 uint64_t
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
57 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
58 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
59 u_char *p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
60 uint64_t value;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
61
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
62 p = *pos;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
63 value = *p++ ^ *mask++;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
64
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
65 while (--len) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
66 value = (value << 8) + (*p++ ^ *mask++);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
67 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
68
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
69 *pos = p;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
70 return value;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
71 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
72
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
73
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
74 ngx_int_t
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
75 ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
76 const u_char *secret, size_t secret_len, const u_char *salt,
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
77 size_t salt_len)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
78 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
79 #ifdef OPENSSL_IS_BORINGSSL
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
80 if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
81 salt_len)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
82 == 0)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
83 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
84 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
85 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
86 #else
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
87
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
88 EVP_PKEY_CTX *pctx;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
89
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
90 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
91
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
92 if (EVP_PKEY_derive_init(pctx) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
93 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
94 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
95
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
96 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
97 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
98 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
99
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
100 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
101 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
102 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
103
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
104 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
105 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
106 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
107
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
108 if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
109 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
110 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
111
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
112 if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
113 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
114 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
115
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
116 #endif
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
117
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
118 return NGX_OK;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
119 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
120
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
121
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
122 ngx_int_t
7645
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
123 ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, ngx_str_t *out,
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
124 ngx_str_t *prk, ngx_str_t *name, ngx_uint_t sender)
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
125 {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
126 uint8_t *p;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
127 size_t hkdfl_len;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
128 uint8_t hkdfl[20];
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
129
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
130 #if (NGX_DEBUG)
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
131 u_char buf[512];
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
132 size_t m;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
133 #endif
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
134
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
135 out->data = ngx_pnalloc(c->pool, out->len);
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
136 if (out->data == NULL) {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
137 return NGX_ERROR;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
138 }
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
139
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
140 hkdfl_len = 2 + 1 + name->len + 1;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
141
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
142 if (sender) {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
143 hkdfl[0] = out->len / 256;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
144 hkdfl[1] = out->len % 256;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
145
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
146 } else {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
147 hkdfl[0] = 0;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
148 hkdfl[1] = out->len;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
149 }
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
150
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
151 hkdfl[2] = name->len;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
152 p = ngx_cpymem(&hkdfl[3], name->data, name->len);
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
153 *p = '\0';
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
154
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
155 if (ngx_hkdf_expand(out->data, out->len, digest,
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
156 prk->data, prk->len, hkdfl, hkdfl_len)
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
157 != NGX_OK)
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
158 {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
159 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
160 "ngx_hkdf_expand(%V) failed", name);
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
161 return NGX_ERROR;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
162 }
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
163
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
164 if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
165 m = ngx_hex_dump(buf, out->data, out->len) - buf;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
166 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
167 "%V: %*s, len: %uz", name, m, buf, out->len);
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
168
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
169 m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
170 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
171 "%V hkdf: %*s, len: %uz", name, m, buf, hkdfl_len);
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
172 }
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
173
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
174 return NGX_OK;
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
175 }
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
176
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
177
7ee1ada04c8a Generic function for HKDF expansion.
Vladimir Homutov <vl@nginx.com>
parents: 7644
diff changeset
178 ngx_int_t
7637
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
179 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
180 const u_char *prk, size_t prk_len, const u_char *info, size_t info_len)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
181 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
182 #ifdef OPENSSL_IS_BORINGSSL
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
183 if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
184 == 0)
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
185 {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
186 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
187 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
188 #else
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
189
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
190 EVP_PKEY_CTX *pctx;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
191
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
192 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
193
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
194 if (EVP_PKEY_derive_init(pctx) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
195 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
196 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
197
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
198 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
199 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
200 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
201
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
202 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
203 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
204 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
205
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
206 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
207 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
208 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
209
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
210 if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
211 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
212 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
213
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
214 if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
215 return NGX_ERROR;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
216 }
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
217
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
218 #endif
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
219
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
220 return NGX_OK;
4daf03d2bd0a OpenSSL compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
221 }
7643
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
222
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
223
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
224 ngx_int_t
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
225 ngx_quic_tls_open(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
226 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
227 ngx_str_t *ad)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
228 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
229 out->len = in->len - EVP_GCM_TLS_TAG_LEN;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
230 out->data = ngx_pnalloc(c->pool, out->len);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
231 if (out->data == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
232 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
233 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
234
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
235 #ifdef OPENSSL_IS_BORINGSSL
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
236 EVP_AEAD_CTX *ctx;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
237
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
238 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
239 EVP_AEAD_DEFAULT_TAG_LENGTH);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
240 if (ctx == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
241 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
242 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
243 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
244
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
245 if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
246 in->data, in->len, ad->data, ad->len)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
247 != 1)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
248 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
249 EVP_AEAD_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
250 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_open() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
251 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
252 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
253
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
254 EVP_AEAD_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
255 #else
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
256 int len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
257 u_char *tag;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
258 EVP_CIPHER_CTX *ctx;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
259
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
260 ctx = EVP_CIPHER_CTX_new();
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
261 if (ctx == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
262 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
263 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
264 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
265
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
266 if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
267 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
268 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
269 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
270 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
271
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
272 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
273 == 0)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
274 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
275 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
276 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
277 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
278 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
279 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
280
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
281 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
282 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
283 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
284 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
285 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
286
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
287 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
288 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
289 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
290 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
291 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
292
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
293 if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
294 in->len - EVP_GCM_TLS_TAG_LEN)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
295 != 1)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
296 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
297 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
298 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
299 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
300 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
301
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
302 out->len = len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
303 tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
304
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
305 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
306 == 0)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
307 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
308 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
309 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
310 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
311 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
312 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
313
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
314 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
315 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
316 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptFinal_ex failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
317 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
318 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
319
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
320 out->len += len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
321
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
322 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
323 #endif
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
324
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
325 return NGX_OK;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
326 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
327
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
328
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
329 ngx_int_t
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
330 ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
331 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
332 ngx_str_t *ad)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
333 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
334 out->len = in->len + EVP_GCM_TLS_TAG_LEN;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
335 out->data = ngx_pnalloc(c->pool, out->len);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
336 if (out->data == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
337 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
338 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
339
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
340 #ifdef OPENSSL_IS_BORINGSSL
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
341 EVP_AEAD_CTX *ctx;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
342
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
343 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
344 EVP_AEAD_DEFAULT_TAG_LENGTH);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
345 if (ctx == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
346 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
347 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
348 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
349
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
350 if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
351 in->data, in->len, ad->data, ad->len)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
352 != 1)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
353 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
354 EVP_AEAD_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
355 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_seal() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
356 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
357 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
358
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
359 EVP_AEAD_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
360 #else
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
361 int len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
362 EVP_CIPHER_CTX *ctx;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
363
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
364 ctx = EVP_CIPHER_CTX_new();
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
365 if (ctx == NULL) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
366 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
367 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
368 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
369
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
370 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
371 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
372 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
373 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
374 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
375
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
376 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
377 == 0)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
378 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
379 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
380 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
381 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
382 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
383 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
384
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
385 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
386 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
387 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
388 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
389 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
390
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
391 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
392 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
393 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
394 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
395 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
396
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
397 if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
398 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
399 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
400 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
401 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
402
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
403 out->len = len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
404
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
405 if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
406 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
407 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
408 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
409 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
410
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
411 out->len += len;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
412
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
413 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
414 out->data + in->len)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
415 == 0)
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
416 {
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
417 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
418 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
419 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
420 return NGX_ERROR;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
421 }
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
422
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
423 EVP_CIPHER_CTX_free(ctx);
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
424
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
425 out->len += EVP_GCM_TLS_TAG_LEN;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
426 #endif
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
427
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
428 return NGX_OK;
76e29ff31cd3 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7637
diff changeset
429 }
7644
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
430
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
431
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
432 ngx_int_t
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
433 ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
434 ngx_quic_secret_t *s, u_char *out, u_char *in)
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
435 {
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
436 int outlen;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
437 EVP_CIPHER_CTX *ctx;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
438
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
439 ctx = EVP_CIPHER_CTX_new();
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
440 if (ctx == NULL) {
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
441 return NGX_ERROR;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
442 }
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
443
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
444 if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) {
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
445 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
446 goto failed;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
447 }
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
448
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
449 if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) {
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
450 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
451 goto failed;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
452 }
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
453
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
454 EVP_CIPHER_CTX_free(ctx);
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
455
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
456 return NGX_OK;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
457
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
458 failed:
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
459
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
460 EVP_CIPHER_CTX_free(ctx);
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
461
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
462 return NGX_ERROR;
a9ff4392ecde QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents: 7643
diff changeset
463 }