Mercurial > hg > nginx-quic
annotate src/event/quic/ngx_event_quic_protection.h @ 9090:7d67fe09bcad quic tip
QUIC: style.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 11 May 2023 18:48:01 +0300 |
parents | 7da4791e0264 |
children |
rev | line source |
---|---|
7687
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
1 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
2 /* |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
3 * Copyright (C) Nginx, Inc. |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
4 */ |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
5 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
6 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
7 #ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
8 #define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
9 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
10 |
7824
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
11 #include <ngx_config.h> |
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
12 #include <ngx_core.h> |
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
13 |
8287
cef042935003
QUIC: the "quic_host_key" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8266
diff
changeset
|
14 #include <ngx_event_quic_transport.h> |
cef042935003
QUIC: the "quic_host_key" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8266
diff
changeset
|
15 |
7824
a5141e6b3214
Fixed includes in quic headers.
Roman Arutyunyan <arut@nginx.com>
parents:
7816
diff
changeset
|
16 |
7772
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
17 #define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1) |
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
18 |
8917
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
19 /* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */ |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
20 #define NGX_QUIC_IV_LEN 12 |
7772
058a5af7ddfc
Refactored QUIC secrets storage.
Vladimir Homutov <vl@nginx.com>
parents:
7769
diff
changeset
|
21 |
8917
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
22 /* largest hash used in TLS is SHA-384 */ |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
23 #define NGX_QUIC_MAX_MD_SIZE 48 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
24 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
25 |
9046
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
26 #ifdef OPENSSL_IS_BORINGSSL |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
27 #define ngx_quic_cipher_t EVP_AEAD |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
28 #else |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
29 #define ngx_quic_cipher_t EVP_CIPHER |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
30 #endif |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
31 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
32 |
8917
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
33 typedef struct { |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
34 size_t len; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
35 u_char data[NGX_QUIC_MAX_MD_SIZE]; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
36 } ngx_quic_md_t; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
37 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
38 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
39 typedef struct { |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
40 size_t len; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
41 u_char data[NGX_QUIC_IV_LEN]; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
42 } ngx_quic_iv_t; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
43 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
44 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
45 typedef struct { |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
46 ngx_quic_md_t secret; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
47 ngx_quic_md_t key; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
48 ngx_quic_iv_t iv; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
49 ngx_quic_md_t hp; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
50 } ngx_quic_secret_t; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
51 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
52 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
53 typedef struct { |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
54 ngx_quic_secret_t client; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
55 ngx_quic_secret_t server; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
56 } ngx_quic_secrets_t; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
57 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
58 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
59 struct ngx_quic_keys_s { |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
60 ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST]; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
61 ngx_quic_secrets_t next_key; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
62 ngx_uint_t cipher; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
63 }; |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
64 |
e50f77a2d0b0
QUIC: removed ngx_quic_keys_new().
Vladimir Homutov <vl@nginx.com>
parents:
8916
diff
changeset
|
65 |
9046
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
66 typedef struct { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
67 const ngx_quic_cipher_t *c; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
68 const EVP_CIPHER *hp; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
69 const EVP_MD *d; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
70 } ngx_quic_ciphers_t; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
71 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
72 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
73 typedef struct { |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
74 size_t out_len; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
75 u_char *out; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
76 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
77 size_t prk_len; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
78 const uint8_t *prk; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
79 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
80 size_t label_len; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
81 const u_char *label; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
82 } ngx_quic_hkdf_t; |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
83 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
84 #define ngx_quic_hkdf_set(seq, _label, _out, _prk) \ |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
85 (seq)->out_len = (_out)->len; (seq)->out = (_out)->data; \ |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
86 (seq)->prk_len = (_prk)->len, (seq)->prk = (_prk)->data, \ |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
87 (seq)->label_len = (sizeof(_label) - 1); (seq)->label = (u_char *)(_label); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
88 |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
89 |
8916
f2925c80401c
QUIC: avoided pool usage in ngx_quic_protection.c.
Vladimir Homutov <vl@nginx.com>
parents:
8815
diff
changeset
|
90 ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, |
f2925c80401c
QUIC: avoided pool usage in ngx_quic_protection.c.
Vladimir Homutov <vl@nginx.com>
parents:
8815
diff
changeset
|
91 ngx_str_t *secret, ngx_log_t *log); |
f2925c80401c
QUIC: avoided pool usage in ngx_quic_protection.c.
Vladimir Homutov <vl@nginx.com>
parents:
8815
diff
changeset
|
92 ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_log_t *log, |
8715
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
93 ngx_uint_t is_write, ngx_quic_keys_t *keys, |
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
94 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, |
3341e4089c6c
QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8415
diff
changeset
|
95 const uint8_t *secret, size_t secret_len); |
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
96 ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys, |
8295
d4e02b3b734f
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8287
diff
changeset
|
97 enum ssl_encryption_level_t level); |
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
98 void ngx_quic_keys_discard(ngx_quic_keys_t *keys, |
8295
d4e02b3b734f
QUIC: fixed indentation.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8287
diff
changeset
|
99 enum ssl_encryption_level_t level); |
8191
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
100 void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys); |
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
101 ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys); |
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
102 ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res); |
9c3be23ddbe7
QUIC: refactored key handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8100
diff
changeset
|
103 ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn); |
9046
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
104 void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
105 ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
106 enum ssl_encryption_level_t level); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
107 ngx_int_t ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
108 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
109 ngx_str_t *ad, ngx_log_t *log); |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
110 ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, const EVP_MD *digest, |
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
8917
diff
changeset
|
111 ngx_log_t *log); |
7687
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
112 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
113 |
69345a26ba69
Split transport and crypto parts into separate files.
Vladimir Homutov <vl@nginx.com>
parents:
diff
changeset
|
114 #endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */ |