Mercurial > hg > nginx-quic
comparison src/event/quic/ngx_event_quic_protection.c @ 8498:4715f3e669f1 quic
QUIC: updated specification references.
This includes updating citations and further clarification.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 16 Jun 2021 11:55:12 +0300 |
| parents | b4e6b7049984 |
| children | fc5719637aff |
comparison
equal
deleted
inserted
replaced
| 8497:1fec68e322d0 | 8498:4715f3e669f1 |
|---|---|
| 158 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99"; | 158 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99"; |
| 159 | 159 |
| 160 client = &keys->secrets[ssl_encryption_initial].client; | 160 client = &keys->secrets[ssl_encryption_initial].client; |
| 161 server = &keys->secrets[ssl_encryption_initial].server; | 161 server = &keys->secrets[ssl_encryption_initial].server; |
| 162 | 162 |
| 163 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | 163 /* |
| 164 * RFC 9001, section 5. Packet Protection | |
| 165 * | |
| 166 * Initial packets use AEAD_AES_128_GCM. The hash function | |
| 167 * for HKDF when deriving initial secrets and keys is SHA-256. | |
| 168 */ | |
| 164 | 169 |
| 165 cipher = EVP_aes_128_gcm(); | 170 cipher = EVP_aes_128_gcm(); |
| 166 digest = EVP_sha256(); | 171 digest = EVP_sha256(); |
| 167 is_len = SHA256_DIGEST_LENGTH; | 172 is_len = SHA256_DIGEST_LENGTH; |
| 168 | 173 |
| 185 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); | 190 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); |
| 186 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 191 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, |
| 187 "quic initial secret len:%uz %*xs", is_len, is_len, is); | 192 "quic initial secret len:%uz %*xs", is_len, is_len, is); |
| 188 #endif | 193 #endif |
| 189 | 194 |
| 190 /* draft-ietf-quic-tls-23#section-5.2 */ | |
| 191 client->secret.len = SHA256_DIGEST_LENGTH; | 195 client->secret.len = SHA256_DIGEST_LENGTH; |
| 192 server->secret.len = SHA256_DIGEST_LENGTH; | 196 server->secret.len = SHA256_DIGEST_LENGTH; |
| 193 | 197 |
| 194 client->key.len = EVP_CIPHER_key_length(cipher); | 198 client->key.len = EVP_CIPHER_key_length(cipher); |
| 195 server->key.len = EVP_CIPHER_key_length(cipher); | 199 server->key.len = EVP_CIPHER_key_length(cipher); |
| 204 ngx_str_t label; | 208 ngx_str_t label; |
| 205 ngx_str_t *key; | 209 ngx_str_t *key; |
| 206 ngx_str_t *prk; | 210 ngx_str_t *prk; |
| 207 } seq[] = { | 211 } seq[] = { |
| 208 | 212 |
| 209 /* draft-ietf-quic-tls-23#section-5.2 */ | 213 /* labels per RFC 9001, 5.1. Packet Protection Keys */ |
| 210 { ngx_string("tls13 client in"), &client->secret, &iss }, | 214 { ngx_string("tls13 client in"), &client->secret, &iss }, |
| 211 { | 215 { |
| 212 ngx_string("tls13 quic key"), | 216 ngx_string("tls13 quic key"), |
| 213 &client->key, | 217 &client->key, |
| 214 &client->secret, | 218 &client->secret, |
| 217 ngx_string("tls13 quic iv"), | 221 ngx_string("tls13 quic iv"), |
| 218 &client->iv, | 222 &client->iv, |
| 219 &client->secret, | 223 &client->secret, |
| 220 }, | 224 }, |
| 221 { | 225 { |
| 222 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
| 223 ngx_string("tls13 quic hp"), | 226 ngx_string("tls13 quic hp"), |
| 224 &client->hp, | 227 &client->hp, |
| 225 &client->secret, | 228 &client->secret, |
| 226 }, | 229 }, |
| 227 { ngx_string("tls13 server in"), &server->secret, &iss }, | 230 { ngx_string("tls13 server in"), &server->secret, &iss }, |
| 228 { | 231 { |
| 229 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
| 230 ngx_string("tls13 quic key"), | 232 ngx_string("tls13 quic key"), |
| 231 &server->key, | 233 &server->key, |
| 232 &server->secret, | 234 &server->secret, |
| 233 }, | 235 }, |
| 234 { | 236 { |
| 235 ngx_string("tls13 quic iv"), | 237 ngx_string("tls13 quic iv"), |
| 236 &server->iv, | 238 &server->iv, |
| 237 &server->secret, | 239 &server->secret, |
| 238 }, | 240 }, |
| 239 { | 241 { |
| 240 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
| 241 ngx_string("tls13 quic hp"), | 242 ngx_string("tls13 quic hp"), |
| 242 &server->hp, | 243 &server->hp, |
| 243 &server->secret, | 244 &server->secret, |
| 244 }, | 245 }, |
| 245 | 246 |
| 892 != NGX_OK) | 893 != NGX_OK) |
| 893 { | 894 { |
| 894 return NGX_ERROR; | 895 return NGX_ERROR; |
| 895 } | 896 } |
| 896 | 897 |
| 897 /* quic-tls: 5.4.1. Header Protection Application */ | 898 /* RFC 9001, 5.4.1. Header Protection Application */ |
| 898 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); | 899 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); |
| 899 | 900 |
| 900 for (i = 0; i < pkt->num_len; i++) { | 901 for (i = 0; i < pkt->num_len; i++) { |
| 901 pnp[i] ^= mask[i + 1]; | 902 pnp[i] ^= mask[i + 1]; |
| 902 } | 903 } |
| 1093 secret = &pkt->keys->secrets[pkt->level].client; | 1094 secret = &pkt->keys->secrets[pkt->level].client; |
| 1094 | 1095 |
| 1095 p = pkt->raw->pos; | 1096 p = pkt->raw->pos; |
| 1096 len = pkt->data + pkt->len - p; | 1097 len = pkt->data + pkt->len - p; |
| 1097 | 1098 |
| 1098 /* draft-ietf-quic-tls-23#section-5.4.2: | 1099 /* |
| 1100 * RFC 9001, 5.4.2. Header Protection Sample | |
| 1101 * 5.4.3. AES-Based Header Protection | |
| 1102 * 5.4.4. ChaCha20-Based Header Protection | |
| 1103 * | |
| 1099 * the Packet Number field is assumed to be 4 bytes long | 1104 * the Packet Number field is assumed to be 4 bytes long |
| 1100 * draft-ietf-quic-tls-23#section-5.4.[34]: | 1105 * AES and ChaCha20 algorithms sample 16 bytes |
| 1101 * AES-Based and ChaCha20-Based header protections sample 16 bytes | |
| 1102 */ | 1106 */ |
| 1103 | 1107 |
| 1104 if (len < EVP_GCM_TLS_TAG_LEN + 4) { | 1108 if (len < EVP_GCM_TLS_TAG_LEN + 4) { |
| 1105 return NGX_DECLINED; | 1109 return NGX_DECLINED; |
| 1106 } | 1110 } |
| 1170 return NGX_DECLINED; | 1174 return NGX_DECLINED; |
| 1171 } | 1175 } |
| 1172 | 1176 |
| 1173 if (pkt->payload.len == 0) { | 1177 if (pkt->payload.len == 0) { |
| 1174 /* | 1178 /* |
| 1179 * RFC 9000, 12.4. Frames and Frame Types | |
| 1180 * | |
| 1175 * An endpoint MUST treat receipt of a packet containing no | 1181 * An endpoint MUST treat receipt of a packet containing no |
| 1176 * frames as a connection error of type PROTOCOL_VIOLATION. | 1182 * frames as a connection error of type PROTOCOL_VIOLATION. |
| 1177 */ | 1183 */ |
| 1178 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet"); | 1184 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet"); |
| 1179 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | 1185 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; |
| 1180 return NGX_ERROR; | 1186 return NGX_ERROR; |
| 1181 } | 1187 } |
| 1182 | 1188 |
| 1183 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) { | 1189 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) { |
| 1184 /* | 1190 /* |
| 1191 * RFC 9000, Reserved Bits | |
| 1192 * | |
| 1185 * An endpoint MUST treat receipt of a packet that has | 1193 * An endpoint MUST treat receipt of a packet that has |
| 1186 * a non-zero value for these bits, after removing both | 1194 * a non-zero value for these bits, after removing both |
| 1187 * packet and header protection, as a connection error | 1195 * packet and header protection, as a connection error |
| 1188 * of type PROTOCOL_VIOLATION. | 1196 * of type PROTOCOL_VIOLATION. |
| 1189 */ | 1197 */ |