Mercurial > hg > nginx-quic
comparison src/event/quic/ngx_event_quic_protection.c @ 8498:4715f3e669f1 quic
QUIC: updated specification references.
This includes updating citations and further clarification.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 16 Jun 2021 11:55:12 +0300 |
parents | b4e6b7049984 |
children | fc5719637aff |
comparison
equal
deleted
inserted
replaced
8497:1fec68e322d0 | 8498:4715f3e669f1 |
---|---|
158 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99"; | 158 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99"; |
159 | 159 |
160 client = &keys->secrets[ssl_encryption_initial].client; | 160 client = &keys->secrets[ssl_encryption_initial].client; |
161 server = &keys->secrets[ssl_encryption_initial].server; | 161 server = &keys->secrets[ssl_encryption_initial].server; |
162 | 162 |
163 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | 163 /* |
164 * RFC 9001, section 5. Packet Protection | |
165 * | |
166 * Initial packets use AEAD_AES_128_GCM. The hash function | |
167 * for HKDF when deriving initial secrets and keys is SHA-256. | |
168 */ | |
164 | 169 |
165 cipher = EVP_aes_128_gcm(); | 170 cipher = EVP_aes_128_gcm(); |
166 digest = EVP_sha256(); | 171 digest = EVP_sha256(); |
167 is_len = SHA256_DIGEST_LENGTH; | 172 is_len = SHA256_DIGEST_LENGTH; |
168 | 173 |
185 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); | 190 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); |
186 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 191 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, |
187 "quic initial secret len:%uz %*xs", is_len, is_len, is); | 192 "quic initial secret len:%uz %*xs", is_len, is_len, is); |
188 #endif | 193 #endif |
189 | 194 |
190 /* draft-ietf-quic-tls-23#section-5.2 */ | |
191 client->secret.len = SHA256_DIGEST_LENGTH; | 195 client->secret.len = SHA256_DIGEST_LENGTH; |
192 server->secret.len = SHA256_DIGEST_LENGTH; | 196 server->secret.len = SHA256_DIGEST_LENGTH; |
193 | 197 |
194 client->key.len = EVP_CIPHER_key_length(cipher); | 198 client->key.len = EVP_CIPHER_key_length(cipher); |
195 server->key.len = EVP_CIPHER_key_length(cipher); | 199 server->key.len = EVP_CIPHER_key_length(cipher); |
204 ngx_str_t label; | 208 ngx_str_t label; |
205 ngx_str_t *key; | 209 ngx_str_t *key; |
206 ngx_str_t *prk; | 210 ngx_str_t *prk; |
207 } seq[] = { | 211 } seq[] = { |
208 | 212 |
209 /* draft-ietf-quic-tls-23#section-5.2 */ | 213 /* labels per RFC 9001, 5.1. Packet Protection Keys */ |
210 { ngx_string("tls13 client in"), &client->secret, &iss }, | 214 { ngx_string("tls13 client in"), &client->secret, &iss }, |
211 { | 215 { |
212 ngx_string("tls13 quic key"), | 216 ngx_string("tls13 quic key"), |
213 &client->key, | 217 &client->key, |
214 &client->secret, | 218 &client->secret, |
217 ngx_string("tls13 quic iv"), | 221 ngx_string("tls13 quic iv"), |
218 &client->iv, | 222 &client->iv, |
219 &client->secret, | 223 &client->secret, |
220 }, | 224 }, |
221 { | 225 { |
222 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
223 ngx_string("tls13 quic hp"), | 226 ngx_string("tls13 quic hp"), |
224 &client->hp, | 227 &client->hp, |
225 &client->secret, | 228 &client->secret, |
226 }, | 229 }, |
227 { ngx_string("tls13 server in"), &server->secret, &iss }, | 230 { ngx_string("tls13 server in"), &server->secret, &iss }, |
228 { | 231 { |
229 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
230 ngx_string("tls13 quic key"), | 232 ngx_string("tls13 quic key"), |
231 &server->key, | 233 &server->key, |
232 &server->secret, | 234 &server->secret, |
233 }, | 235 }, |
234 { | 236 { |
235 ngx_string("tls13 quic iv"), | 237 ngx_string("tls13 quic iv"), |
236 &server->iv, | 238 &server->iv, |
237 &server->secret, | 239 &server->secret, |
238 }, | 240 }, |
239 { | 241 { |
240 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
241 ngx_string("tls13 quic hp"), | 242 ngx_string("tls13 quic hp"), |
242 &server->hp, | 243 &server->hp, |
243 &server->secret, | 244 &server->secret, |
244 }, | 245 }, |
245 | 246 |
892 != NGX_OK) | 893 != NGX_OK) |
893 { | 894 { |
894 return NGX_ERROR; | 895 return NGX_ERROR; |
895 } | 896 } |
896 | 897 |
897 /* quic-tls: 5.4.1. Header Protection Application */ | 898 /* RFC 9001, 5.4.1. Header Protection Application */ |
898 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); | 899 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); |
899 | 900 |
900 for (i = 0; i < pkt->num_len; i++) { | 901 for (i = 0; i < pkt->num_len; i++) { |
901 pnp[i] ^= mask[i + 1]; | 902 pnp[i] ^= mask[i + 1]; |
902 } | 903 } |
1093 secret = &pkt->keys->secrets[pkt->level].client; | 1094 secret = &pkt->keys->secrets[pkt->level].client; |
1094 | 1095 |
1095 p = pkt->raw->pos; | 1096 p = pkt->raw->pos; |
1096 len = pkt->data + pkt->len - p; | 1097 len = pkt->data + pkt->len - p; |
1097 | 1098 |
1098 /* draft-ietf-quic-tls-23#section-5.4.2: | 1099 /* |
1100 * RFC 9001, 5.4.2. Header Protection Sample | |
1101 * 5.4.3. AES-Based Header Protection | |
1102 * 5.4.4. ChaCha20-Based Header Protection | |
1103 * | |
1099 * the Packet Number field is assumed to be 4 bytes long | 1104 * the Packet Number field is assumed to be 4 bytes long |
1100 * draft-ietf-quic-tls-23#section-5.4.[34]: | 1105 * AES and ChaCha20 algorithms sample 16 bytes |
1101 * AES-Based and ChaCha20-Based header protections sample 16 bytes | |
1102 */ | 1106 */ |
1103 | 1107 |
1104 if (len < EVP_GCM_TLS_TAG_LEN + 4) { | 1108 if (len < EVP_GCM_TLS_TAG_LEN + 4) { |
1105 return NGX_DECLINED; | 1109 return NGX_DECLINED; |
1106 } | 1110 } |
1170 return NGX_DECLINED; | 1174 return NGX_DECLINED; |
1171 } | 1175 } |
1172 | 1176 |
1173 if (pkt->payload.len == 0) { | 1177 if (pkt->payload.len == 0) { |
1174 /* | 1178 /* |
1179 * RFC 9000, 12.4. Frames and Frame Types | |
1180 * | |
1175 * An endpoint MUST treat receipt of a packet containing no | 1181 * An endpoint MUST treat receipt of a packet containing no |
1176 * frames as a connection error of type PROTOCOL_VIOLATION. | 1182 * frames as a connection error of type PROTOCOL_VIOLATION. |
1177 */ | 1183 */ |
1178 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet"); | 1184 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet"); |
1179 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1185 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
1180 return NGX_ERROR; | 1186 return NGX_ERROR; |
1181 } | 1187 } |
1182 | 1188 |
1183 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) { | 1189 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) { |
1184 /* | 1190 /* |
1191 * RFC 9000, Reserved Bits | |
1192 * | |
1185 * An endpoint MUST treat receipt of a packet that has | 1193 * An endpoint MUST treat receipt of a packet that has |
1186 * a non-zero value for these bits, after removing both | 1194 * a non-zero value for these bits, after removing both |
1187 * packet and header protection, as a connection error | 1195 * packet and header protection, as a connection error |
1188 * of type PROTOCOL_VIOLATION. | 1196 * of type PROTOCOL_VIOLATION. |
1189 */ | 1197 */ |