Mercurial > hg > nginx-quic
comparison src/event/ngx_event_quic.c @ 7687:69345a26ba69 quic
Split transport and crypto parts into separate files.
New files:
src/event/ngx_event_quic_protection.h
src/event/ngx_event_quic_protection.c
The protection.h header provides interface to the crypto part of the QUIC:
2 functions to initialize corresponding secrets:
ngx_quic_set_initial_secret()
ngx_quic_set_encryption_secret()
and 2 functions to deal with packet processing:
ngx_quic_encrypt()
ngx_quic_decrypt()
Also, structures representing secrets are defined there.
All functions require SSL connection and a pool, only crypto operations
inside, no access to nginx connections or events.
Currently pool->log is used for the logging (instead of original c->log).
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Mon, 16 Mar 2020 19:00:47 +0300 |
| parents | 7ada2feeac18 |
| children | bec4cd55361e |
comparison
equal
deleted
inserted
replaced
| 7686:7ada2feeac18 | 7687:69345a26ba69 |
|---|---|
| 6 | 6 |
| 7 #include <ngx_config.h> | 7 #include <ngx_config.h> |
| 8 #include <ngx_core.h> | 8 #include <ngx_core.h> |
| 9 #include <ngx_event.h> | 9 #include <ngx_event.h> |
| 10 | 10 |
| 11 | |
| 12 #define quic_version 0xff000018 | |
| 13 | |
| 14 #define NGX_AES_128_GCM_SHA256 0x1301 | |
| 15 #define NGX_AES_256_GCM_SHA384 0x1302 | |
| 16 #define NGX_CHACHA20_POLY1305_SHA256 0x1303 | |
| 17 | |
| 18 #define NGX_QUIC_IV_LEN 12 | |
| 19 | |
| 20 #ifdef OPENSSL_IS_BORINGSSL | |
| 21 #define ngx_quic_cipher_t EVP_AEAD | |
| 22 #else | |
| 23 #define ngx_quic_cipher_t EVP_CIPHER | |
| 24 #endif | |
| 25 | |
| 26 | |
| 27 #if (NGX_HAVE_NONALIGNED) | |
| 28 | |
| 29 #define ngx_quic_parse_uint16(p) ntohs(*(uint16_t *) (p)) | |
| 30 #define ngx_quic_parse_uint32(p) ntohl(*(uint32_t *) (p)) | |
| 31 | |
| 32 #define ngx_quic_write_uint16 ngx_quic_write_uint16_aligned | |
| 33 #define ngx_quic_write_uint32 ngx_quic_write_uint32_aligned | |
| 34 | |
| 35 #else | |
| 36 | |
| 37 #define ngx_quic_parse_uint16(p) ((p)[0] << 8 | (p)[1]) | |
| 38 #define ngx_quic_parse_uint32(p) \ | |
| 39 ((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3]) | |
| 40 | |
| 41 #define ngx_quic_write_uint16(p, s) \ | |
| 42 ((p)[0] = (u_char) ((s) >> 8), \ | |
| 43 (p)[1] = (u_char) (s), \ | |
| 44 (p) + sizeof(uint16_t)) | |
| 45 | |
| 46 #define ngx_quic_write_uint32(p, s) \ | |
| 47 ((p)[0] = (u_char) ((s) >> 24), \ | |
| 48 (p)[1] = (u_char) ((s) >> 16), \ | |
| 49 (p)[2] = (u_char) ((s) >> 8), \ | |
| 50 (p)[3] = (u_char) (s), \ | |
| 51 (p) + sizeof(uint32_t)) | |
| 52 | |
| 53 #endif | |
| 54 | |
| 55 | |
| 56 #define ngx_quic_write_uint16_aligned(p, s) \ | |
| 57 (*(uint16_t *) (p) = htons((uint16_t) (s)), (p) + sizeof(uint16_t)) | |
| 58 | |
| 59 #define ngx_quic_write_uint32_aligned(p, s) \ | |
| 60 (*(uint32_t *) (p) = htonl((uint32_t) (s)), (p) + sizeof(uint32_t)) | |
| 61 | |
| 62 #define ngx_quic_varint_len(value) \ | |
| 63 ((value) <= 63 ? 1 : ((uint32_t)value) <= 16383 ? 2 : ((uint64_t)value) <= 1073741823 ? 4 : 8) | |
| 64 | |
| 65 | |
| 66 #if (NGX_DEBUG) | |
| 67 | |
| 68 #define ngx_quic_hexdump(log, fmt, data, len, ...) \ | |
| 69 do { \ | |
| 70 ngx_int_t m; \ | |
| 71 u_char buf[2048]; \ | |
| 72 \ | |
| 73 if (log->log_level & NGX_LOG_DEBUG_EVENT) { \ | |
| 74 m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 1024)) - buf; \ | |
| 75 ngx_log_debug(NGX_LOG_DEBUG_EVENT, log, 0, \ | |
| 76 "%s: " fmt " %*s%s, len: %uz", \ | |
| 77 __FUNCTION__, __VA_ARGS__, m, buf, \ | |
| 78 len < 2048 ? "" : "...", len); \ | |
| 79 } \ | |
| 80 } while (0) | |
| 81 | |
| 82 #else | |
| 83 | |
| 84 #define ngx_quic_hexdump(log, fmt, data, len, ...) | |
| 85 | |
| 86 #endif | |
| 87 | |
| 88 #define ngx_quic_hexdump0(log, fmt, data, len) \ | |
| 89 ngx_quic_hexdump(log, fmt "%s", data, len, "") \ | |
| 90 | |
| 91 | |
| 92 /* 17.2. Long Header Packets */ | |
| 93 | |
| 94 #define NGX_QUIC_PKT_LONG 0x80 | |
| 95 | |
| 96 #define NGX_QUIC_PKT_INITIAL 0xc0 | |
| 97 #define NGX_QUIC_PKT_HANDSHAKE 0xe0 | |
| 98 | 11 |
| 99 /* 12.4. Frames and Frame Types */ | 12 /* 12.4. Frames and Frame Types */ |
| 100 #define NGX_QUIC_FT_PADDING 0x00 | 13 #define NGX_QUIC_FT_PADDING 0x00 |
| 101 #define NGX_QUIC_FT_PING 0x01 | 14 #define NGX_QUIC_FT_PING 0x01 |
| 102 #define NGX_QUIC_FT_ACK 0x02 | 15 #define NGX_QUIC_FT_ACK 0x02 |
| 178 NGX_QUIC_ST_HANDSHAKE, | 91 NGX_QUIC_ST_HANDSHAKE, |
| 179 NGX_QUIC_ST_APP_DATA | 92 NGX_QUIC_ST_APP_DATA |
| 180 } ngx_quic_state_t; | 93 } ngx_quic_state_t; |
| 181 | 94 |
| 182 | 95 |
| 183 typedef struct { | |
| 184 ngx_str_t secret; | |
| 185 ngx_str_t key; | |
| 186 ngx_str_t iv; | |
| 187 ngx_str_t hp; | |
| 188 } ngx_quic_secret_t; | |
| 189 | |
| 190 typedef struct { | |
| 191 const ngx_quic_cipher_t *c; | |
| 192 const EVP_CIPHER *hp; | |
| 193 const EVP_MD *d; | |
| 194 } ngx_quic_ciphers_t; | |
| 195 | |
| 196 typedef enum ssl_encryption_level_t ngx_quic_level_t; | |
| 197 | |
| 198 typedef struct ngx_quic_frame_s ngx_quic_frame_t; | 96 typedef struct ngx_quic_frame_s ngx_quic_frame_t; |
| 199 | 97 |
| 200 typedef struct { | 98 typedef struct { |
| 201 ngx_uint_t pn; | 99 ngx_uint_t pn; |
| 202 | 100 |
| 272 /* current packet numbers for each namespace */ | 170 /* current packet numbers for each namespace */ |
| 273 ngx_uint_t initial_pn; | 171 ngx_uint_t initial_pn; |
| 274 ngx_uint_t handshake_pn; | 172 ngx_uint_t handshake_pn; |
| 275 ngx_uint_t appdata_pn; | 173 ngx_uint_t appdata_pn; |
| 276 | 174 |
| 277 ngx_quic_secret_t client_in; | 175 ngx_quic_secrets_t secrets; |
| 278 ngx_quic_secret_t client_hs; | |
| 279 ngx_quic_secret_t client_ad; | |
| 280 ngx_quic_secret_t server_in; | |
| 281 ngx_quic_secret_t server_hs; | |
| 282 ngx_quic_secret_t server_ad; | |
| 283 | 176 |
| 284 /* streams */ | 177 /* streams */ |
| 285 ngx_rbtree_t stree; | 178 ngx_rbtree_t stree; |
| 286 ngx_rbtree_node_t stree_sentinel; | 179 ngx_rbtree_node_t stree_sentinel; |
| 287 ngx_msec_t stream_timeout; | 180 ngx_msec_t stream_timeout; |
| 295 ngx_connection_t *c; | 188 ngx_connection_t *c; |
| 296 ngx_quic_stream_t s; | 189 ngx_quic_stream_t s; |
| 297 } ngx_quic_stream_node_t; | 190 } ngx_quic_stream_node_t; |
| 298 | 191 |
| 299 | 192 |
| 300 typedef struct { | 193 static ngx_int_t ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b); |
| 301 ngx_quic_secret_t *secret; | 194 static ngx_int_t ngx_quic_output(ngx_connection_t *c); |
| 302 ngx_uint_t type; | |
| 303 ngx_uint_t *number; | |
| 304 ngx_uint_t flags; | |
| 305 uint32_t version; | |
| 306 ngx_str_t token; | |
| 307 ngx_quic_level_t level; | |
| 308 | |
| 309 /* filled in by parser */ | |
| 310 ngx_buf_t *raw; /* udp datagram from wire */ | |
| 311 | |
| 312 u_char *data; /* quic packet */ | |
| 313 size_t len; | |
| 314 | |
| 315 /* cleartext fields */ | |
| 316 ngx_str_t dcid; | |
| 317 ngx_str_t scid; | |
| 318 | |
| 319 uint64_t pn; | |
| 320 | |
| 321 ngx_str_t payload; /* decrypted payload */ | |
| 322 | |
| 323 } ngx_quic_header_t; | |
| 324 | |
| 325 | 195 |
| 326 static ngx_int_t ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, | 196 static ngx_int_t ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl, |
| 327 ngx_quic_header_t *pkt); | 197 ngx_quic_header_t *pkt); |
| 328 static void ngx_quic_close_connection(ngx_connection_t *c); | 198 static void ngx_quic_close_connection(ngx_connection_t *c); |
| 329 | 199 |
| 351 enum ssl_encryption_level_t level, const uint8_t *read_secret, | 221 enum ssl_encryption_level_t level, const uint8_t *read_secret, |
| 352 const uint8_t *write_secret, size_t secret_len); | 222 const uint8_t *write_secret, size_t secret_len); |
| 353 #endif | 223 #endif |
| 354 static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, | 224 static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, |
| 355 enum ssl_encryption_level_t level, const uint8_t *data, size_t len); | 225 enum ssl_encryption_level_t level, const uint8_t *data, size_t len); |
| 356 static ngx_int_t ngx_quic_create_long_packet(ngx_connection_t *c, | |
| 357 ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in, | |
| 358 ngx_str_t *res); | |
| 359 static ngx_int_t ngx_quic_create_short_packet(ngx_connection_t *c, | |
| 360 ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in, | |
| 361 ngx_str_t *res); | |
| 362 static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn); | 226 static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn); |
| 363 static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, | 227 static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, |
| 364 enum ssl_encryption_level_t level, uint8_t alert); | 228 enum ssl_encryption_level_t level, uint8_t alert); |
| 365 | 229 |
| 366 static ngx_int_t ngx_quic_process_long_header(ngx_connection_t *c, | 230 static ngx_int_t ngx_quic_process_long_header(ngx_connection_t *c, |
| 369 ngx_quic_header_t *pkt); | 233 ngx_quic_header_t *pkt); |
| 370 static ngx_int_t ngx_quic_process_initial_header(ngx_connection_t *c, | 234 static ngx_int_t ngx_quic_process_initial_header(ngx_connection_t *c, |
| 371 ngx_quic_header_t *pkt); | 235 ngx_quic_header_t *pkt); |
| 372 static ngx_int_t ngx_quic_process_handshake_header(ngx_connection_t *c, | 236 static ngx_int_t ngx_quic_process_handshake_header(ngx_connection_t *c, |
| 373 ngx_quic_header_t *pkt); | 237 ngx_quic_header_t *pkt); |
| 374 static ngx_int_t ngx_quic_initial_secret(ngx_connection_t *c); | 238 |
| 375 static ngx_int_t ngx_quic_decrypt(ngx_connection_t *c, ngx_quic_header_t *pkt); | |
| 376 | |
| 377 static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask); | |
| 378 static uint64_t ngx_quic_parse_int(u_char **pos); | 239 static uint64_t ngx_quic_parse_int(u_char **pos); |
| 379 static void ngx_quic_build_int(u_char **pos, uint64_t value); | |
| 380 | |
| 381 static ngx_int_t ngx_hkdf_extract(u_char *out_key, size_t *out_len, | |
| 382 const EVP_MD *digest, const u_char *secret, size_t secret_len, | |
| 383 const u_char *salt, size_t salt_len); | |
| 384 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len, | |
| 385 const EVP_MD *digest, const u_char *prk, size_t prk_len, | |
| 386 const u_char *info, size_t info_len); | |
| 387 | |
| 388 static ngx_int_t ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, | |
| 389 ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len); | |
| 390 | |
| 391 static ngx_int_t ngx_quic_tls_open(ngx_connection_t *c, | |
| 392 const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, | |
| 393 u_char *nonce, ngx_str_t *in, ngx_str_t *ad); | |
| 394 static ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c, | |
| 395 const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, | |
| 396 u_char *nonce, ngx_str_t *in, ngx_str_t *ad); | |
| 397 | |
| 398 static ngx_int_t ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher, | |
| 399 ngx_quic_secret_t *s, u_char *out, u_char *in); | |
| 400 | |
| 401 static ngx_int_t ngx_quic_ciphers(ngx_connection_t *c, | |
| 402 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level); | |
| 403 | 240 |
| 404 static ssize_t ngx_quic_stream_recv(ngx_connection_t *c, u_char *buf, | 241 static ssize_t ngx_quic_stream_recv(ngx_connection_t *c, u_char *buf, |
| 405 size_t size); | 242 size_t size); |
| 406 static ssize_t ngx_quic_stream_send(ngx_connection_t *c, u_char *buf, | 243 static ssize_t ngx_quic_stream_send(ngx_connection_t *c, u_char *buf, |
| 407 size_t size); | 244 size_t size); |
| 503 return; | 340 return; |
| 504 } | 341 } |
| 505 | 342 |
| 506 b.last += n; | 343 b.last += n; |
| 507 | 344 |
| 508 if (ngx_quic_input(c, NULL, &b) != NGX_OK) { | 345 if (ngx_quic_input(c, &b) != NGX_OK) { |
| 509 ngx_quic_close_connection(c); | 346 ngx_quic_close_connection(c); |
| 510 return; | 347 return; |
| 511 } | 348 } |
| 512 } | 349 } |
| 513 | 350 |
| 546 /* XXX */ | 383 /* XXX */ |
| 547 return NULL; | 384 return NULL; |
| 548 } | 385 } |
| 549 | 386 |
| 550 | 387 |
| 551 ngx_int_t | 388 static ngx_int_t |
| 552 ngx_quic_input(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_buf_t *b) | 389 ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b) |
| 553 { | 390 { |
| 554 u_char *p; | 391 u_char *p; |
| 555 ngx_quic_header_t pkt; | 392 ngx_quic_header_t pkt; |
| 556 | 393 |
| 557 if (c->quic == NULL) { | 394 if (c->quic == NULL) { |
| 600 | 437 |
| 601 ngx_memzero(&pkt, sizeof(ngx_quic_header_t)); | 438 ngx_memzero(&pkt, sizeof(ngx_quic_header_t)); |
| 602 ngx_quic_hexdump0(c->log, "payload", payload->data, payload->len); | 439 ngx_quic_hexdump0(c->log, "payload", payload->data, payload->len); |
| 603 | 440 |
| 604 pkt.level = level; | 441 pkt.level = level; |
| 442 pkt.dcid = qc->dcid; | |
| 443 pkt.scid = qc->scid; | |
| 605 | 444 |
| 606 if (level == ssl_encryption_initial) { | 445 if (level == ssl_encryption_initial) { |
| 607 pkt.number = &qc->initial_pn; | 446 pkt.number = &qc->initial_pn; |
| 608 pkt.flags = NGX_QUIC_PKT_INITIAL; | 447 pkt.flags = NGX_QUIC_PKT_INITIAL; |
| 609 pkt.secret = &qc->server_in; | 448 pkt.secret = &qc->secrets.server.in; |
| 610 pkt.token = initial_token; | 449 pkt.token = initial_token; |
| 611 | |
| 612 if (ngx_quic_create_long_packet(c, c->ssl->connection, | |
| 613 &pkt, payload, &res) | |
| 614 != NGX_OK) | |
| 615 { | |
| 616 return NGX_ERROR; | |
| 617 } | |
| 618 | 450 |
| 619 } else if (level == ssl_encryption_handshake) { | 451 } else if (level == ssl_encryption_handshake) { |
| 620 pkt.number = &qc->handshake_pn; | 452 pkt.number = &qc->handshake_pn; |
| 621 pkt.flags = NGX_QUIC_PKT_HANDSHAKE; | 453 pkt.flags = NGX_QUIC_PKT_HANDSHAKE; |
| 622 pkt.secret = &qc->server_hs; | 454 pkt.secret = &qc->secrets.server.hs; |
| 623 | |
| 624 if (ngx_quic_create_long_packet(c, c->ssl->connection, | |
| 625 &pkt, payload, &res) | |
| 626 != NGX_OK) | |
| 627 { | |
| 628 return NGX_ERROR; | |
| 629 } | |
| 630 | 455 |
| 631 } else { | 456 } else { |
| 632 pkt.number = &qc->appdata_pn; | 457 pkt.number = &qc->appdata_pn; |
| 633 pkt.secret = &qc->server_ad; | 458 pkt.secret = &qc->secrets.server.ad; |
| 634 | 459 } |
| 635 if (ngx_quic_create_short_packet(c, c->ssl->connection, | 460 |
| 636 &pkt, payload, &res) | 461 if (ngx_quic_encrypt(c->pool, c->ssl->connection, &pkt, payload, &res) |
| 637 != NGX_OK) | 462 != NGX_OK) |
| 638 { | 463 { |
| 639 return NGX_ERROR; | 464 return NGX_ERROR; |
| 640 } | |
| 641 } | 465 } |
| 642 | 466 |
| 643 ngx_quic_hexdump0(c->log, "packet to send", res.data, res.len); | 467 ngx_quic_hexdump0(c->log, "packet to send", res.data, res.len); |
| 644 | 468 |
| 645 c->send(c, res.data, res.len); // TODO: err handling | 469 c->send(c, res.data, res.len); // TODO: err handling |
| 470 | |
| 471 (*pkt.number)++; | |
| 646 | 472 |
| 647 return NGX_OK; | 473 return NGX_OK; |
| 648 } | 474 } |
| 649 | 475 |
| 650 | 476 |
| 838 | 664 |
| 839 return NGX_OK; | 665 return NGX_OK; |
| 840 } | 666 } |
| 841 | 667 |
| 842 | 668 |
| 843 ngx_int_t | 669 static ngx_int_t |
| 844 ngx_quic_output(ngx_connection_t *c) | 670 ngx_quic_output(ngx_connection_t *c) |
| 845 { | 671 { |
| 846 size_t len; | 672 size_t len; |
| 847 ngx_uint_t lvl; | 673 ngx_uint_t lvl; |
| 848 ngx_quic_frame_t *f, *start; | 674 ngx_quic_frame_t *f, *start; |
| 892 #if BORINGSSL_API_VERSION >= 10 | 718 #if BORINGSSL_API_VERSION >= 10 |
| 893 | 719 |
| 894 static int | 720 static int |
| 895 ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn, | 721 ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn, |
| 896 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | 722 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, |
| 897 const uint8_t *secret, size_t secret_len) | 723 const uint8_t *rsecret, size_t secret_len) |
| 898 { | 724 { |
| 899 ngx_int_t key_len; | 725 ngx_connection_t *c; |
| 900 ngx_uint_t i; | |
| 901 ngx_connection_t *c; | |
| 902 ngx_quic_secret_t *client; | |
| 903 ngx_quic_ciphers_t ciphers; | |
| 904 | 726 |
| 905 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 727 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
| 906 | 728 |
| 907 ngx_quic_hexdump(c->log, "level:%d read", secret, secret_len, level); | 729 ngx_quic_hexdump(c->log, "level:%d read secret", |
| 908 | 730 rsecret, secret_len, level); |
| 909 key_len = ngx_quic_ciphers(c, &ciphers, level); | 731 |
| 910 | 732 return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level, |
| 911 if (key_len == NGX_ERROR) { | 733 rsecret, secret_len, |
| 912 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | 734 &c->quic->secrets.client); |
| 913 return 0; | |
| 914 } | |
| 915 | |
| 916 switch (level) { | |
| 917 | |
| 918 case ssl_encryption_handshake: | |
| 919 client = &c->quic->client_hs; | |
| 920 break; | |
| 921 | |
| 922 case ssl_encryption_application: | |
| 923 client = &c->quic->client_ad; | |
| 924 break; | |
| 925 | |
| 926 default: | |
| 927 return 0; | |
| 928 } | |
| 929 | |
| 930 client->key.len = key_len; | |
| 931 client->iv.len = NGX_QUIC_IV_LEN; | |
| 932 client->hp.len = key_len; | |
| 933 | |
| 934 struct { | |
| 935 ngx_str_t label; | |
| 936 ngx_str_t *key; | |
| 937 const uint8_t *secret; | |
| 938 } seq[] = { | |
| 939 { ngx_string("tls13 quic key"), &client->key, secret }, | |
| 940 { ngx_string("tls13 quic iv"), &client->iv, secret }, | |
| 941 { ngx_string("tls13 quic hp"), &client->hp, secret }, | |
| 942 }; | |
| 943 | |
| 944 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
| 945 | |
| 946 if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label, | |
| 947 seq[i].secret, secret_len) | |
| 948 != NGX_OK) | |
| 949 { | |
| 950 return 0; | |
| 951 } | |
| 952 } | |
| 953 | |
| 954 return 1; | |
| 955 } | 735 } |
| 956 | 736 |
| 957 | 737 |
| 958 static int | 738 static int |
| 959 ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn, | 739 ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn, |
| 960 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, | 740 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, |
| 961 const uint8_t *secret, size_t secret_len) | 741 const uint8_t *wsecret, size_t secret_len) |
| 962 { | 742 { |
| 963 ngx_int_t key_len; | 743 ngx_connection_t *c; |
| 964 ngx_uint_t i; | |
| 965 ngx_connection_t *c; | |
| 966 ngx_quic_secret_t *server; | |
| 967 ngx_quic_ciphers_t ciphers; | |
| 968 | 744 |
| 969 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 745 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
| 970 | 746 |
| 971 ngx_quic_hexdump(c->log, "level:%d write", secret, secret_len, level); | 747 ngx_quic_hexdump(c->log, "level:%d write secret", |
| 972 | 748 wsecret, secret_len, level); |
| 973 key_len = ngx_quic_ciphers(c, &ciphers, level); | 749 |
| 974 | 750 return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level, |
| 975 if (key_len == NGX_ERROR) { | 751 wsecret, secret_len, |
| 976 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | 752 &c->quic->secrets.server); |
| 977 return 0; | |
| 978 } | |
| 979 | |
| 980 switch (level) { | |
| 981 | |
| 982 case ssl_encryption_handshake: | |
| 983 server = &c->quic->server_hs; | |
| 984 break; | |
| 985 | |
| 986 case ssl_encryption_application: | |
| 987 server = &c->quic->server_ad; | |
| 988 break; | |
| 989 | |
| 990 default: | |
| 991 return 0; | |
| 992 } | |
| 993 | |
| 994 server->key.len = key_len; | |
| 995 server->iv.len = NGX_QUIC_IV_LEN; | |
| 996 server->hp.len = key_len; | |
| 997 | |
| 998 struct { | |
| 999 ngx_str_t label; | |
| 1000 ngx_str_t *key; | |
| 1001 const uint8_t *secret; | |
| 1002 } seq[] = { | |
| 1003 { ngx_string("tls13 quic key"), &server->key, secret }, | |
| 1004 { ngx_string("tls13 quic iv"), &server->iv, secret }, | |
| 1005 { ngx_string("tls13 quic hp"), &server->hp, secret }, | |
| 1006 }; | |
| 1007 | |
| 1008 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
| 1009 | |
| 1010 if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label, | |
| 1011 seq[i].secret, secret_len) | |
| 1012 != NGX_OK) | |
| 1013 { | |
| 1014 return 0; | |
| 1015 } | |
| 1016 } | |
| 1017 | |
| 1018 return 1; | |
| 1019 } | 753 } |
| 1020 | 754 |
| 1021 #else | 755 #else |
| 1022 | 756 |
| 1023 static int | 757 static int |
| 1024 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, | 758 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn, |
| 1025 enum ssl_encryption_level_t level, const uint8_t *read_secret, | 759 enum ssl_encryption_level_t level, const uint8_t *rsecret, |
| 1026 const uint8_t *write_secret, size_t secret_len) | 760 const uint8_t *wsecret, size_t secret_len) |
| 1027 { | 761 { |
| 1028 ngx_int_t key_len; | 762 ngx_int_t rc; |
| 1029 ngx_uint_t i; | 763 ngx_connection_t *c; |
| 1030 ngx_connection_t *c; | |
| 1031 ngx_quic_secret_t *client, *server; | |
| 1032 ngx_quic_ciphers_t ciphers; | |
| 1033 | 764 |
| 1034 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 765 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
| 1035 | 766 |
| 1036 ngx_quic_hexdump(c->log, "level:%d read", read_secret, secret_len, level); | 767 ngx_quic_hexdump(c->log, "level:%d read", recret, secret_len, level); |
| 1037 ngx_quic_hexdump(c->log, "level:%d write", write_secret, secret_len, level); | 768 ngx_quic_hexdump(c->log, "level:%d write", wsecret, secret_len, level); |
| 1038 | 769 |
| 1039 key_len = ngx_quic_ciphers(c, &ciphers, level); | 770 rc = ngx_quic_set_encryption_secret(c->pool, ssl_conn, level, |
| 1040 | 771 rsecret, secret_len, |
| 1041 if (key_len == NGX_ERROR) { | 772 &c->quic->secrets.client); |
| 1042 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); | 773 if (rc != 1) { |
| 1043 return 0; | 774 return rc; |
| 1044 } | 775 } |
| 1045 | 776 |
| 1046 switch (level) { | 777 return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level, |
| 1047 | 778 wsecret, secret_len, |
| 1048 case ssl_encryption_handshake: | 779 &c->quic->secrets.server); |
| 1049 client = &c->quic->client_hs; | |
| 1050 server = &c->quic->server_hs; | |
| 1051 | |
| 1052 break; | |
| 1053 | |
| 1054 case ssl_encryption_application: | |
| 1055 client = &c->quic->client_ad; | |
| 1056 server = &c->quic->server_ad; | |
| 1057 | |
| 1058 break; | |
| 1059 | |
| 1060 default: | |
| 1061 return 0; | |
| 1062 } | |
| 1063 | |
| 1064 client->key.len = key_len; | |
| 1065 server->key.len = key_len; | |
| 1066 | |
| 1067 client->iv.len = NGX_QUIC_IV_LEN; | |
| 1068 server->iv.len = NGX_QUIC_IV_LEN; | |
| 1069 | |
| 1070 client->hp.len = key_len; | |
| 1071 server->hp.len = key_len; | |
| 1072 | |
| 1073 struct { | |
| 1074 ngx_str_t label; | |
| 1075 ngx_str_t *key; | |
| 1076 const uint8_t *secret; | |
| 1077 } seq[] = { | |
| 1078 { ngx_string("tls13 quic key"), &client->key, read_secret }, | |
| 1079 { ngx_string("tls13 quic iv"), &client->iv, read_secret }, | |
| 1080 { ngx_string("tls13 quic hp"), &client->hp, read_secret }, | |
| 1081 { ngx_string("tls13 quic key"), &server->key, write_secret }, | |
| 1082 { ngx_string("tls13 quic iv"), &server->iv, write_secret }, | |
| 1083 { ngx_string("tls13 quic hp"), &server->hp, write_secret }, | |
| 1084 }; | |
| 1085 | |
| 1086 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
| 1087 | |
| 1088 if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label, | |
| 1089 seq[i].secret, secret_len) | |
| 1090 != NGX_OK) | |
| 1091 { | |
| 1092 return 0; | |
| 1093 } | |
| 1094 } | |
| 1095 | |
| 1096 return 1; | |
| 1097 } | 780 } |
| 1098 | 781 |
| 1099 #endif | 782 #endif |
| 1100 | |
| 1101 | |
| 1102 static ngx_int_t | |
| 1103 ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, | |
| 1104 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) | |
| 1105 { | |
| 1106 u_char *p, *pnp, *nonce, *sample, *packet; | |
| 1107 ngx_str_t ad, out; | |
| 1108 ngx_quic_ciphers_t ciphers; | |
| 1109 ngx_quic_connection_t *qc; | |
| 1110 u_char mask[16]; | |
| 1111 | |
| 1112 qc = c->quic; | |
| 1113 | |
| 1114 out.len = payload->len + EVP_GCM_TLS_TAG_LEN; | |
| 1115 | |
| 1116 ad.data = ngx_alloc(346 /*max header*/, c->log); | |
| 1117 if (ad.data == 0) { | |
| 1118 return NGX_ERROR; | |
| 1119 } | |
| 1120 | |
| 1121 p = ad.data; | |
| 1122 | |
| 1123 *p++ = pkt->flags; | |
| 1124 | |
| 1125 p = ngx_quic_write_uint32(p, quic_version); | |
| 1126 | |
| 1127 *p++ = qc->scid.len; | |
| 1128 p = ngx_cpymem(p, qc->scid.data, qc->scid.len); | |
| 1129 | |
| 1130 *p++ = qc->dcid.len; | |
| 1131 p = ngx_cpymem(p, qc->dcid.data, qc->dcid.len); | |
| 1132 | |
| 1133 if (pkt->level == ssl_encryption_initial) { | |
| 1134 ngx_quic_build_int(&p, pkt->token.len); | |
| 1135 } | |
| 1136 | |
| 1137 ngx_quic_build_int(&p, out.len + 1); // length (inc. pnl) | |
| 1138 pnp = p; | |
| 1139 | |
| 1140 *p++ = (*pkt->number)++; | |
| 1141 | |
| 1142 ad.len = p - ad.data; | |
| 1143 | |
| 1144 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); | |
| 1145 | |
| 1146 if (ngx_quic_ciphers(c, &ciphers, pkt->level) == NGX_ERROR) { | |
| 1147 return NGX_ERROR; | |
| 1148 } | |
| 1149 | |
| 1150 nonce = ngx_pstrdup(c->pool, &pkt->secret->iv); | |
| 1151 if (pkt->level == ssl_encryption_handshake) { | |
| 1152 nonce[11] ^= (*pkt->number - 1); | |
| 1153 } | |
| 1154 | |
| 1155 ngx_quic_hexdump0(c->log, "server_iv", pkt->secret->iv.data, 12); | |
| 1156 ngx_quic_hexdump0(c->log, "nonce", nonce, 12); | |
| 1157 | |
| 1158 if (ngx_quic_tls_seal(c, ciphers.c, pkt->secret, &out, nonce, payload, &ad) | |
| 1159 != NGX_OK) | |
| 1160 { | |
| 1161 return NGX_ERROR; | |
| 1162 } | |
| 1163 | |
| 1164 sample = &out.data[3]; // pnl=0 | |
| 1165 if (ngx_quic_tls_hp(c, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) { | |
| 1166 return NGX_ERROR; | |
| 1167 } | |
| 1168 | |
| 1169 ngx_quic_hexdump0(c->log, "sample", sample, 16); | |
| 1170 ngx_quic_hexdump0(c->log, "mask", mask, 16); | |
| 1171 ngx_quic_hexdump0(c->log, "hp_key", pkt->secret->hp.data, 16); | |
| 1172 | |
| 1173 // header protection, pnl = 0 | |
| 1174 ad.data[0] ^= mask[0] & 0x0f; | |
| 1175 *pnp ^= mask[1]; | |
| 1176 | |
| 1177 packet = ngx_alloc(ad.len + out.len, c->log); | |
| 1178 if (packet == 0) { | |
| 1179 return NGX_ERROR; | |
| 1180 } | |
| 1181 | |
| 1182 p = ngx_cpymem(packet, ad.data, ad.len); | |
| 1183 p = ngx_cpymem(p, out.data, out.len); | |
| 1184 | |
| 1185 res->data = packet; | |
| 1186 res->len = p - packet; | |
| 1187 | |
| 1188 return NGX_OK; | |
| 1189 } | |
| 1190 | |
| 1191 | |
| 1192 static ngx_int_t | |
| 1193 ngx_quic_create_short_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, | |
| 1194 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) | |
| 1195 { | |
| 1196 u_char *p, *pnp, *nonce, *sample, *packet; | |
| 1197 ngx_str_t ad, out; | |
| 1198 ngx_quic_ciphers_t ciphers; | |
| 1199 ngx_quic_connection_t *qc; | |
| 1200 u_char mask[16]; | |
| 1201 | |
| 1202 qc = c->quic; | |
| 1203 | |
| 1204 out.len = payload->len + EVP_GCM_TLS_TAG_LEN; | |
| 1205 | |
| 1206 ad.data = ngx_alloc(25 /*max header*/, c->log); | |
| 1207 if (ad.data == 0) { | |
| 1208 return NGX_ERROR; | |
| 1209 } | |
| 1210 | |
| 1211 p = ad.data; | |
| 1212 | |
| 1213 *p++ = 0x40; | |
| 1214 | |
| 1215 p = ngx_cpymem(p, qc->scid.data, qc->scid.len); | |
| 1216 | |
| 1217 pnp = p; | |
| 1218 | |
| 1219 *p++ = (*pkt->number)++; | |
| 1220 | |
| 1221 ad.len = p - ad.data; | |
| 1222 | |
| 1223 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); | |
| 1224 | |
| 1225 if (ngx_quic_ciphers(c, &ciphers, pkt->level) == NGX_ERROR) { | |
| 1226 return NGX_ERROR; | |
| 1227 } | |
| 1228 | |
| 1229 nonce = ngx_pstrdup(c->pool, &pkt->secret->iv); | |
| 1230 if (pkt->level == ssl_encryption_handshake | |
| 1231 || pkt->level == ssl_encryption_application) | |
| 1232 { | |
| 1233 nonce[11] ^= (*pkt->number - 1); | |
| 1234 } | |
| 1235 | |
| 1236 ngx_quic_hexdump0(c->log, "server_iv", pkt->secret->iv.data, 12); | |
| 1237 ngx_quic_hexdump0(c->log, "nonce", nonce, 12); | |
| 1238 | |
| 1239 if (ngx_quic_tls_seal(c, ciphers.c, pkt->secret, &out, nonce, payload, &ad) | |
| 1240 != NGX_OK) | |
| 1241 { | |
| 1242 return NGX_ERROR; | |
| 1243 } | |
| 1244 | |
| 1245 ngx_quic_hexdump0(c->log, "out", out.data, out.len); | |
| 1246 | |
| 1247 sample = &out.data[3]; // pnl=0 | |
| 1248 if (ngx_quic_tls_hp(c, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) { | |
| 1249 return NGX_ERROR; | |
| 1250 } | |
| 1251 | |
| 1252 ngx_quic_hexdump0(c->log, "sample", sample, 16); | |
| 1253 ngx_quic_hexdump0(c->log, "mask", mask, 16); | |
| 1254 ngx_quic_hexdump0(c->log, "hp_key", pkt->secret->hp.data, 16); | |
| 1255 | |
| 1256 // header protection, pnl = 0 | |
| 1257 ad.data[0] ^= mask[0] & 0x1f; | |
| 1258 *pnp ^= mask[1]; | |
| 1259 | |
| 1260 packet = ngx_alloc(ad.len + out.len, c->log); | |
| 1261 if (packet == 0) { | |
| 1262 return NGX_ERROR; | |
| 1263 } | |
| 1264 | |
| 1265 p = ngx_cpymem(packet, ad.data, ad.len); | |
| 1266 p = ngx_cpymem(p, out.data, out.len); | |
| 1267 | |
| 1268 ngx_quic_hexdump0(c->log, "packet", packet, p - packet); | |
| 1269 | |
| 1270 res->data = packet; | |
| 1271 res->len = p - packet; | |
| 1272 | |
| 1273 return NGX_OK; | |
| 1274 } | |
| 1275 | 783 |
| 1276 | 784 |
| 1277 static void | 785 static void |
| 1278 ngx_quic_queue_frame(ngx_quic_connection_t *qc, ngx_quic_frame_t *frame) | 786 ngx_quic_queue_frame(ngx_quic_connection_t *qc, ngx_quic_frame_t *frame) |
| 1279 { | 787 { |
| 1498 | 1006 |
| 1499 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | 1007 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 1500 "quic packet length: %d", plen); | 1008 "quic packet length: %d", plen); |
| 1501 | 1009 |
| 1502 return NGX_OK; | 1010 return NGX_OK; |
| 1503 } | |
| 1504 | |
| 1505 | |
| 1506 static ngx_int_t | |
| 1507 ngx_quic_initial_secret(ngx_connection_t *c) | |
| 1508 { | |
| 1509 size_t is_len; | |
| 1510 uint8_t is[SHA256_DIGEST_LENGTH]; | |
| 1511 ngx_uint_t i; | |
| 1512 const EVP_MD *digest; | |
| 1513 const EVP_CIPHER *cipher; | |
| 1514 ngx_quic_connection_t *qc; | |
| 1515 | |
| 1516 static const uint8_t salt[20] = | |
| 1517 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7" | |
| 1518 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02"; | |
| 1519 | |
| 1520 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
| 1521 | |
| 1522 cipher = EVP_aes_128_gcm(); | |
| 1523 digest = EVP_sha256(); | |
| 1524 | |
| 1525 qc = c->quic; | |
| 1526 | |
| 1527 if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len, | |
| 1528 salt, sizeof(salt)) | |
| 1529 != NGX_OK) | |
| 1530 { | |
| 1531 return NGX_ERROR; | |
| 1532 } | |
| 1533 | |
| 1534 ngx_str_t iss = { | |
| 1535 .data = is, | |
| 1536 .len = is_len | |
| 1537 }; | |
| 1538 | |
| 1539 ngx_quic_hexdump0(c->log, "salt", salt, sizeof(salt)); | |
| 1540 ngx_quic_hexdump0(c->log, "initial secret", is, is_len); | |
| 1541 | |
| 1542 /* draft-ietf-quic-tls-23#section-5.2 */ | |
| 1543 qc->client_in.secret.len = SHA256_DIGEST_LENGTH; | |
| 1544 qc->server_in.secret.len = SHA256_DIGEST_LENGTH; | |
| 1545 | |
| 1546 qc->client_in.key.len = EVP_CIPHER_key_length(cipher); | |
| 1547 qc->server_in.key.len = EVP_CIPHER_key_length(cipher); | |
| 1548 | |
| 1549 qc->client_in.hp.len = EVP_CIPHER_key_length(cipher); | |
| 1550 qc->server_in.hp.len = EVP_CIPHER_key_length(cipher); | |
| 1551 | |
| 1552 qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher); | |
| 1553 qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher); | |
| 1554 | |
| 1555 struct { | |
| 1556 ngx_str_t label; | |
| 1557 ngx_str_t *key; | |
| 1558 ngx_str_t *prk; | |
| 1559 } seq[] = { | |
| 1560 | |
| 1561 /* draft-ietf-quic-tls-23#section-5.2 */ | |
| 1562 { ngx_string("tls13 client in"), &qc->client_in.secret, &iss }, | |
| 1563 { | |
| 1564 ngx_string("tls13 quic key"), | |
| 1565 &qc->client_in.key, | |
| 1566 &qc->client_in.secret, | |
| 1567 }, | |
| 1568 { | |
| 1569 ngx_string("tls13 quic iv"), | |
| 1570 &qc->client_in.iv, | |
| 1571 &qc->client_in.secret, | |
| 1572 }, | |
| 1573 { | |
| 1574 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
| 1575 ngx_string("tls13 quic hp"), | |
| 1576 &qc->client_in.hp, | |
| 1577 &qc->client_in.secret, | |
| 1578 }, | |
| 1579 { ngx_string("tls13 server in"), &qc->server_in.secret, &iss }, | |
| 1580 { | |
| 1581 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
| 1582 ngx_string("tls13 quic key"), | |
| 1583 &qc->server_in.key, | |
| 1584 &qc->server_in.secret, | |
| 1585 }, | |
| 1586 { | |
| 1587 ngx_string("tls13 quic iv"), | |
| 1588 &qc->server_in.iv, | |
| 1589 &qc->server_in.secret, | |
| 1590 }, | |
| 1591 { | |
| 1592 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
| 1593 ngx_string("tls13 quic hp"), | |
| 1594 &qc->server_in.hp, | |
| 1595 &qc->server_in.secret, | |
| 1596 }, | |
| 1597 | |
| 1598 }; | |
| 1599 | |
| 1600 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
| 1601 | |
| 1602 if (ngx_quic_hkdf_expand(c, digest, seq[i].key, &seq[i].label, | |
| 1603 seq[i].prk->data, seq[i].prk->len) | |
| 1604 != NGX_OK) | |
| 1605 { | |
| 1606 return NGX_ERROR; | |
| 1607 } | |
| 1608 } | |
| 1609 | |
| 1610 return NGX_OK; | |
| 1611 } | |
| 1612 | |
| 1613 | |
| 1614 static ngx_int_t | |
| 1615 ngx_quic_decrypt(ngx_connection_t *c, ngx_quic_header_t *pkt) | |
| 1616 { | |
| 1617 u_char clearflags, *p, *sample; | |
| 1618 uint8_t *nonce; | |
| 1619 uint64_t pn; | |
| 1620 ngx_int_t pnl, rc; | |
| 1621 ngx_str_t in, ad; | |
| 1622 ngx_quic_ciphers_t ciphers; | |
| 1623 uint8_t mask[16]; | |
| 1624 | |
| 1625 if (ngx_quic_ciphers(c, &ciphers, pkt->level) == NGX_ERROR) { | |
| 1626 return NGX_ERROR; | |
| 1627 } | |
| 1628 | |
| 1629 p = pkt->raw->pos; | |
| 1630 | |
| 1631 /* draft-ietf-quic-tls-23#section-5.4.2: | |
| 1632 * the Packet Number field is assumed to be 4 bytes long | |
| 1633 * draft-ietf-quic-tls-23#section-5.4.[34]: | |
| 1634 * AES-Based and ChaCha20-Based header protections sample 16 bytes | |
| 1635 */ | |
| 1636 | |
| 1637 sample = p + 4; | |
| 1638 | |
| 1639 ngx_quic_hexdump0(c->log, "sample", sample, 16); | |
| 1640 | |
| 1641 /* header protection */ | |
| 1642 | |
| 1643 if (ngx_quic_tls_hp(c, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) { | |
| 1644 return NGX_ERROR; | |
| 1645 } | |
| 1646 | |
| 1647 if (pkt->flags & NGX_QUIC_PKT_LONG) { | |
| 1648 clearflags = pkt->flags ^ (mask[0] & 0x0f); | |
| 1649 | |
| 1650 } else { | |
| 1651 clearflags = pkt->flags ^ (mask[0] & 0x1f); | |
| 1652 } | |
| 1653 | |
| 1654 pnl = (clearflags & 0x03) + 1; | |
| 1655 pn = ngx_quic_parse_pn(&p, pnl, &mask[1]); | |
| 1656 | |
| 1657 pkt->pn = pn; | |
| 1658 | |
| 1659 ngx_quic_hexdump0(c->log, "mask", mask, 5); | |
| 1660 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
| 1661 "quic clear flags: %xi", clearflags); | |
| 1662 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
| 1663 "quic packet number: %uL, len: %xi", pn, pnl); | |
| 1664 | |
| 1665 /* packet protection */ | |
| 1666 | |
| 1667 in.data = p; | |
| 1668 | |
| 1669 if (pkt->flags & NGX_QUIC_PKT_LONG) { | |
| 1670 in.len = pkt->len - pnl; | |
| 1671 | |
| 1672 } else { | |
| 1673 in.len = pkt->data + pkt->len - p; | |
| 1674 } | |
| 1675 | |
| 1676 ad.len = p - pkt->data; | |
| 1677 ad.data = ngx_pnalloc(c->pool, ad.len); | |
| 1678 if (ad.data == NULL) { | |
| 1679 return NGX_ERROR; | |
| 1680 } | |
| 1681 | |
| 1682 ngx_memcpy(ad.data, pkt->data, ad.len); | |
| 1683 ad.data[0] = clearflags; | |
| 1684 | |
| 1685 do { | |
| 1686 ad.data[ad.len - pnl] = pn >> (8 * (pnl - 1)) % 256; | |
| 1687 } while (--pnl); | |
| 1688 | |
| 1689 nonce = ngx_pstrdup(c->pool, &pkt->secret->iv); | |
| 1690 nonce[11] ^= pn; | |
| 1691 | |
| 1692 ngx_quic_hexdump0(c->log, "nonce", nonce, 12); | |
| 1693 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); | |
| 1694 | |
| 1695 rc = ngx_quic_tls_open(c, ciphers.c, pkt->secret, &pkt->payload, | |
| 1696 nonce, &in, &ad); | |
| 1697 | |
| 1698 ngx_quic_hexdump0(c->log, "packet payload", | |
| 1699 pkt->payload.data, pkt->payload.len); | |
| 1700 | |
| 1701 return rc; | |
| 1702 } | 1011 } |
| 1703 | 1012 |
| 1704 | 1013 |
| 1705 ssize_t | 1014 ssize_t |
| 1706 ngx_quic_read_frame(ngx_connection_t *c, u_char *start, u_char *end, | 1015 ngx_quic_read_frame(ngx_connection_t *c, u_char *start, u_char *end, |
| 1889 } | 1198 } |
| 1890 | 1199 |
| 1891 | 1200 |
| 1892 | 1201 |
| 1893 static ngx_int_t | 1202 static ngx_int_t |
| 1894 ngx_quic_init_connection(ngx_connection_t *c, ngx_quic_header_t *pkt) | 1203 ngx_quic_init_connection(ngx_connection_t *c) |
| 1895 { | 1204 { |
| 1896 int n, sslerr; | 1205 int n, sslerr; |
| 1897 ngx_ssl_conn_t *ssl_conn; | 1206 ngx_ssl_conn_t *ssl_conn; |
| 1898 ngx_quic_connection_t *qc; | 1207 ngx_quic_connection_t *qc; |
| 1899 | 1208 |
| 2442 return NGX_ERROR; | 1751 return NGX_ERROR; |
| 2443 } | 1752 } |
| 2444 ngx_memcpy(qc->token.data, pkt->token.data, qc->token.len); | 1753 ngx_memcpy(qc->token.data, pkt->token.data, qc->token.len); |
| 2445 | 1754 |
| 2446 | 1755 |
| 2447 if (ngx_quic_initial_secret(c) != NGX_OK) { | 1756 if (ngx_quic_set_initial_secret(c->pool, &qc->secrets, &qc->dcid) |
| 2448 return NGX_ERROR; | 1757 != NGX_OK) |
| 2449 } | 1758 { |
| 2450 | 1759 return NGX_ERROR; |
| 2451 pkt->secret = &qc->client_in; | 1760 } |
| 1761 | |
| 1762 pkt->secret = &qc->secrets.client.in; | |
| 2452 pkt->level = ssl_encryption_initial; | 1763 pkt->level = ssl_encryption_initial; |
| 2453 | 1764 |
| 2454 if (ngx_quic_decrypt(c, pkt) != NGX_OK) { | 1765 if (ngx_quic_decrypt(c->pool, NULL, pkt) != NGX_OK) { |
| 2455 return NGX_ERROR; | 1766 return NGX_ERROR; |
| 2456 } | 1767 } |
| 2457 | 1768 |
| 2458 if (ngx_quic_init_connection(c, pkt) != NGX_OK) { | 1769 if (ngx_quic_init_connection(c) != NGX_OK) { |
| 2459 return NGX_ERROR; | 1770 return NGX_ERROR; |
| 2460 } | 1771 } |
| 2461 | 1772 |
| 2462 return ngx_quic_payload_handler(c, pkt); | 1773 return ngx_quic_payload_handler(c, pkt); |
| 2463 } | 1774 } |
| 2505 | 1816 |
| 2506 if (ngx_quic_process_handshake_header(c, pkt) != NGX_OK) { | 1817 if (ngx_quic_process_handshake_header(c, pkt) != NGX_OK) { |
| 2507 return NGX_ERROR; | 1818 return NGX_ERROR; |
| 2508 } | 1819 } |
| 2509 | 1820 |
| 2510 pkt->secret = &qc->client_hs; | 1821 pkt->secret = &qc->secrets.client.hs; |
| 2511 pkt->level = ssl_encryption_handshake; | 1822 pkt->level = ssl_encryption_handshake; |
| 2512 | 1823 |
| 2513 if (ngx_quic_decrypt(c, pkt) != NGX_OK) { | 1824 if (ngx_quic_decrypt(c->pool, c->ssl->connection, pkt) != NGX_OK) { |
| 2514 return NGX_ERROR; | 1825 return NGX_ERROR; |
| 2515 } | 1826 } |
| 2516 | 1827 |
| 2517 return ngx_quic_payload_handler(c, pkt); | 1828 return ngx_quic_payload_handler(c, pkt); |
| 2518 } | 1829 } |
| 2529 | 1840 |
| 2530 if (ngx_quic_process_short_header(c, pkt) != NGX_OK) { | 1841 if (ngx_quic_process_short_header(c, pkt) != NGX_OK) { |
| 2531 return NGX_ERROR; | 1842 return NGX_ERROR; |
| 2532 } | 1843 } |
| 2533 | 1844 |
| 2534 pkt->secret = &qc->client_ad; | 1845 pkt->secret = &qc->secrets.client.ad; |
| 2535 pkt->level = ssl_encryption_application; | 1846 pkt->level = ssl_encryption_application; |
| 2536 | 1847 |
| 2537 if (ngx_quic_decrypt(c, pkt) != NGX_OK) { | 1848 if (ngx_quic_decrypt(c->pool, c->ssl->connection, pkt) != NGX_OK) { |
| 2538 return NGX_ERROR; | 1849 return NGX_ERROR; |
| 2539 } | 1850 } |
| 2540 | 1851 |
| 2541 return ngx_quic_payload_handler(c, pkt); | 1852 return ngx_quic_payload_handler(c, pkt); |
| 2542 } | 1853 } |
| 2589 | 1900 |
| 2590 *pos = p; | 1901 *pos = p; |
| 2591 // return len2; | 1902 // return len2; |
| 2592 } | 1903 } |
| 2593 | 1904 |
| 2594 | |
| 2595 static uint64_t | |
| 2596 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask) | |
| 2597 { | |
| 2598 u_char *p; | |
| 2599 uint64_t value; | |
| 2600 | |
| 2601 p = *pos; | |
| 2602 value = *p++ ^ *mask++; | |
| 2603 | |
| 2604 while (--len) { | |
| 2605 value = (value << 8) + (*p++ ^ *mask++); | |
| 2606 } | |
| 2607 | |
| 2608 *pos = p; | |
| 2609 return value; | |
| 2610 } | |
| 2611 | |
| 2612 | |
| 2613 static ngx_int_t | |
| 2614 ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, | |
| 2615 const u_char *secret, size_t secret_len, const u_char *salt, | |
| 2616 size_t salt_len) | |
| 2617 { | |
| 2618 #ifdef OPENSSL_IS_BORINGSSL | |
| 2619 if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, | |
| 2620 salt_len) | |
| 2621 == 0) | |
| 2622 { | |
| 2623 return NGX_ERROR; | |
| 2624 } | |
| 2625 #else | |
| 2626 | |
| 2627 EVP_PKEY_CTX *pctx; | |
| 2628 | |
| 2629 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
| 2630 | |
| 2631 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
| 2632 return NGX_ERROR; | |
| 2633 } | |
| 2634 | |
| 2635 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) { | |
| 2636 return NGX_ERROR; | |
| 2637 } | |
| 2638 | |
| 2639 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
| 2640 return NGX_ERROR; | |
| 2641 } | |
| 2642 | |
| 2643 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) { | |
| 2644 return NGX_ERROR; | |
| 2645 } | |
| 2646 | |
| 2647 if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) { | |
| 2648 return NGX_ERROR; | |
| 2649 } | |
| 2650 | |
| 2651 if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) { | |
| 2652 return NGX_ERROR; | |
| 2653 } | |
| 2654 | |
| 2655 #endif | |
| 2656 | |
| 2657 return NGX_OK; | |
| 2658 } | |
| 2659 | |
| 2660 | |
| 2661 static ngx_int_t | |
| 2662 ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, ngx_str_t *out, | |
| 2663 ngx_str_t *label, const uint8_t *prk, size_t prk_len) | |
| 2664 { | |
| 2665 uint8_t *p; | |
| 2666 size_t info_len; | |
| 2667 uint8_t info[20]; | |
| 2668 | |
| 2669 out->data = ngx_pnalloc(c->pool, out->len); | |
| 2670 if (out->data == NULL) { | |
| 2671 return NGX_ERROR; | |
| 2672 } | |
| 2673 | |
| 2674 info_len = 2 + 1 + label->len + 1; | |
| 2675 | |
| 2676 info[0] = 0; | |
| 2677 info[1] = out->len; | |
| 2678 info[2] = label->len; | |
| 2679 p = ngx_cpymem(&info[3], label->data, label->len); | |
| 2680 *p = '\0'; | |
| 2681 | |
| 2682 if (ngx_hkdf_expand(out->data, out->len, digest, | |
| 2683 prk, prk_len, info, info_len) | |
| 2684 != NGX_OK) | |
| 2685 { | |
| 2686 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
| 2687 "ngx_hkdf_expand(%V) failed", label); | |
| 2688 return NGX_ERROR; | |
| 2689 } | |
| 2690 | |
| 2691 ngx_quic_hexdump(c->log, "%V info", info, info_len, label); | |
| 2692 ngx_quic_hexdump(c->log, "%V key", out->data, out->len, label); | |
| 2693 | |
| 2694 return NGX_OK; | |
| 2695 } | |
| 2696 | |
| 2697 | |
| 2698 static ngx_int_t | |
| 2699 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, | |
| 2700 const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) | |
| 2701 { | |
| 2702 #ifdef OPENSSL_IS_BORINGSSL | |
| 2703 if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) | |
| 2704 == 0) | |
| 2705 { | |
| 2706 return NGX_ERROR; | |
| 2707 } | |
| 2708 #else | |
| 2709 | |
| 2710 EVP_PKEY_CTX *pctx; | |
| 2711 | |
| 2712 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
| 2713 | |
| 2714 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
| 2715 return NGX_ERROR; | |
| 2716 } | |
| 2717 | |
| 2718 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) { | |
| 2719 return NGX_ERROR; | |
| 2720 } | |
| 2721 | |
| 2722 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
| 2723 return NGX_ERROR; | |
| 2724 } | |
| 2725 | |
| 2726 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) { | |
| 2727 return NGX_ERROR; | |
| 2728 } | |
| 2729 | |
| 2730 if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) { | |
| 2731 return NGX_ERROR; | |
| 2732 } | |
| 2733 | |
| 2734 if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) { | |
| 2735 return NGX_ERROR; | |
| 2736 } | |
| 2737 | |
| 2738 #endif | |
| 2739 | |
| 2740 return NGX_OK; | |
| 2741 } | |
| 2742 | |
| 2743 | |
| 2744 static ngx_int_t | |
| 2745 ngx_quic_tls_open(ngx_connection_t *c, const ngx_quic_cipher_t *cipher, | |
| 2746 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, | |
| 2747 ngx_str_t *ad) | |
| 2748 { | |
| 2749 out->len = in->len - EVP_GCM_TLS_TAG_LEN; | |
| 2750 out->data = ngx_pnalloc(c->pool, out->len); | |
| 2751 if (out->data == NULL) { | |
| 2752 return NGX_ERROR; | |
| 2753 } | |
| 2754 | |
| 2755 #ifdef OPENSSL_IS_BORINGSSL | |
| 2756 EVP_AEAD_CTX *ctx; | |
| 2757 | |
| 2758 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, | |
| 2759 EVP_AEAD_DEFAULT_TAG_LENGTH); | |
| 2760 if (ctx == NULL) { | |
| 2761 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); | |
| 2762 return NGX_ERROR; | |
| 2763 } | |
| 2764 | |
| 2765 if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len, | |
| 2766 in->data, in->len, ad->data, ad->len) | |
| 2767 != 1) | |
| 2768 { | |
| 2769 EVP_AEAD_CTX_free(ctx); | |
| 2770 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_open() failed"); | |
| 2771 return NGX_ERROR; | |
| 2772 } | |
| 2773 | |
| 2774 EVP_AEAD_CTX_free(ctx); | |
| 2775 #else | |
| 2776 int len; | |
| 2777 u_char *tag; | |
| 2778 EVP_CIPHER_CTX *ctx; | |
| 2779 | |
| 2780 ctx = EVP_CIPHER_CTX_new(); | |
| 2781 if (ctx == NULL) { | |
| 2782 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); | |
| 2783 return NGX_ERROR; | |
| 2784 } | |
| 2785 | |
| 2786 if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { | |
| 2787 EVP_CIPHER_CTX_free(ctx); | |
| 2788 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); | |
| 2789 return NGX_ERROR; | |
| 2790 } | |
| 2791 | |
| 2792 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) | |
| 2793 == 0) | |
| 2794 { | |
| 2795 EVP_CIPHER_CTX_free(ctx); | |
| 2796 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
| 2797 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); | |
| 2798 return NGX_ERROR; | |
| 2799 } | |
| 2800 | |
| 2801 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | |
| 2802 EVP_CIPHER_CTX_free(ctx); | |
| 2803 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); | |
| 2804 return NGX_ERROR; | |
| 2805 } | |
| 2806 | |
| 2807 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | |
| 2808 EVP_CIPHER_CTX_free(ctx); | |
| 2809 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); | |
| 2810 return NGX_ERROR; | |
| 2811 } | |
| 2812 | |
| 2813 if (EVP_DecryptUpdate(ctx, out->data, &len, in->data, | |
| 2814 in->len - EVP_GCM_TLS_TAG_LEN) | |
| 2815 != 1) | |
| 2816 { | |
| 2817 EVP_CIPHER_CTX_free(ctx); | |
| 2818 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); | |
| 2819 return NGX_ERROR; | |
| 2820 } | |
| 2821 | |
| 2822 out->len = len; | |
| 2823 tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN; | |
| 2824 | |
| 2825 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag) | |
| 2826 == 0) | |
| 2827 { | |
| 2828 EVP_CIPHER_CTX_free(ctx); | |
| 2829 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
| 2830 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); | |
| 2831 return NGX_ERROR; | |
| 2832 } | |
| 2833 | |
| 2834 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { | |
| 2835 EVP_CIPHER_CTX_free(ctx); | |
| 2836 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptFinal_ex failed"); | |
| 2837 return NGX_ERROR; | |
| 2838 } | |
| 2839 | |
| 2840 out->len += len; | |
| 2841 | |
| 2842 EVP_CIPHER_CTX_free(ctx); | |
| 2843 #endif | |
| 2844 | |
| 2845 return NGX_OK; | |
| 2846 } | |
| 2847 | |
| 2848 | |
| 2849 static ngx_int_t | |
| 2850 ngx_quic_tls_seal(ngx_connection_t *c, const ngx_quic_cipher_t *cipher, | |
| 2851 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, | |
| 2852 ngx_str_t *ad) | |
| 2853 { | |
| 2854 out->len = in->len + EVP_GCM_TLS_TAG_LEN; | |
| 2855 out->data = ngx_pnalloc(c->pool, out->len); | |
| 2856 if (out->data == NULL) { | |
| 2857 return NGX_ERROR; | |
| 2858 } | |
| 2859 | |
| 2860 #ifdef OPENSSL_IS_BORINGSSL | |
| 2861 EVP_AEAD_CTX *ctx; | |
| 2862 | |
| 2863 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, | |
| 2864 EVP_AEAD_DEFAULT_TAG_LENGTH); | |
| 2865 if (ctx == NULL) { | |
| 2866 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); | |
| 2867 return NGX_ERROR; | |
| 2868 } | |
| 2869 | |
| 2870 if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len, | |
| 2871 in->data, in->len, ad->data, ad->len) | |
| 2872 != 1) | |
| 2873 { | |
| 2874 EVP_AEAD_CTX_free(ctx); | |
| 2875 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_seal() failed"); | |
| 2876 return NGX_ERROR; | |
| 2877 } | |
| 2878 | |
| 2879 EVP_AEAD_CTX_free(ctx); | |
| 2880 #else | |
| 2881 int len; | |
| 2882 EVP_CIPHER_CTX *ctx; | |
| 2883 | |
| 2884 ctx = EVP_CIPHER_CTX_new(); | |
| 2885 if (ctx == NULL) { | |
| 2886 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); | |
| 2887 return NGX_ERROR; | |
| 2888 } | |
| 2889 | |
| 2890 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { | |
| 2891 EVP_CIPHER_CTX_free(ctx); | |
| 2892 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); | |
| 2893 return NGX_ERROR; | |
| 2894 } | |
| 2895 | |
| 2896 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) | |
| 2897 == 0) | |
| 2898 { | |
| 2899 EVP_CIPHER_CTX_free(ctx); | |
| 2900 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
| 2901 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); | |
| 2902 return NGX_ERROR; | |
| 2903 } | |
| 2904 | |
| 2905 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | |
| 2906 EVP_CIPHER_CTX_free(ctx); | |
| 2907 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); | |
| 2908 return NGX_ERROR; | |
| 2909 } | |
| 2910 | |
| 2911 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | |
| 2912 EVP_CIPHER_CTX_free(ctx); | |
| 2913 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); | |
| 2914 return NGX_ERROR; | |
| 2915 } | |
| 2916 | |
| 2917 if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) { | |
| 2918 EVP_CIPHER_CTX_free(ctx); | |
| 2919 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); | |
| 2920 return NGX_ERROR; | |
| 2921 } | |
| 2922 | |
| 2923 out->len = len; | |
| 2924 | |
| 2925 if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) { | |
| 2926 EVP_CIPHER_CTX_free(ctx); | |
| 2927 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed"); | |
| 2928 return NGX_ERROR; | |
| 2929 } | |
| 2930 | |
| 2931 out->len += len; | |
| 2932 | |
| 2933 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, | |
| 2934 out->data + in->len) | |
| 2935 == 0) | |
| 2936 { | |
| 2937 EVP_CIPHER_CTX_free(ctx); | |
| 2938 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
| 2939 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); | |
| 2940 return NGX_ERROR; | |
| 2941 } | |
| 2942 | |
| 2943 EVP_CIPHER_CTX_free(ctx); | |
| 2944 | |
| 2945 out->len += EVP_GCM_TLS_TAG_LEN; | |
| 2946 #endif | |
| 2947 | |
| 2948 return NGX_OK; | |
| 2949 } | |
| 2950 | |
| 2951 | |
| 2952 static ngx_int_t | |
| 2953 ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher, | |
| 2954 ngx_quic_secret_t *s, u_char *out, u_char *in) | |
| 2955 { | |
| 2956 int outlen; | |
| 2957 EVP_CIPHER_CTX *ctx; | |
| 2958 u_char zero[5] = {0}; | |
| 2959 | |
| 2960 #ifdef OPENSSL_IS_BORINGSSL | |
| 2961 uint32_t counter; | |
| 2962 | |
| 2963 ngx_memcpy(&counter, in, sizeof(uint32_t)); | |
| 2964 | |
| 2965 if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) { | |
| 2966 CRYPTO_chacha_20(out, zero, 5, s->hp.data, &in[4], counter); | |
| 2967 return NGX_OK; | |
| 2968 } | |
| 2969 #endif | |
| 2970 | |
| 2971 ctx = EVP_CIPHER_CTX_new(); | |
| 2972 if (ctx == NULL) { | |
| 2973 return NGX_ERROR; | |
| 2974 } | |
| 2975 | |
| 2976 if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, in) != 1) { | |
| 2977 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); | |
| 2978 goto failed; | |
| 2979 } | |
| 2980 | |
| 2981 if (!EVP_EncryptUpdate(ctx, out, &outlen, zero, 5)) { | |
| 2982 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); | |
| 2983 goto failed; | |
| 2984 } | |
| 2985 | |
| 2986 if (!EVP_EncryptFinal_ex(ctx, out + 5, &outlen)) { | |
| 2987 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_Ex() failed"); | |
| 2988 goto failed; | |
| 2989 } | |
| 2990 | |
| 2991 EVP_CIPHER_CTX_free(ctx); | |
| 2992 | |
| 2993 return NGX_OK; | |
| 2994 | |
| 2995 failed: | |
| 2996 | |
| 2997 EVP_CIPHER_CTX_free(ctx); | |
| 2998 | |
| 2999 return NGX_ERROR; | |
| 3000 } | |
| 3001 | |
| 3002 | |
| 3003 static ngx_int_t | |
| 3004 ngx_quic_ciphers(ngx_connection_t *c, ngx_quic_ciphers_t *ciphers, | |
| 3005 enum ssl_encryption_level_t level) | |
| 3006 { | |
| 3007 ngx_int_t id, len; | |
| 3008 | |
| 3009 if (level == ssl_encryption_initial) { | |
| 3010 id = NGX_AES_128_GCM_SHA256; | |
| 3011 | |
| 3012 } else { | |
| 3013 id = SSL_CIPHER_get_id(SSL_get_current_cipher(c->ssl->connection)) | |
| 3014 & 0xffff; | |
| 3015 } | |
| 3016 | |
| 3017 switch (id) { | |
| 3018 | |
| 3019 case NGX_AES_128_GCM_SHA256: | |
| 3020 #ifdef OPENSSL_IS_BORINGSSL | |
| 3021 ciphers->c = EVP_aead_aes_128_gcm(); | |
| 3022 #else | |
| 3023 ciphers->c = EVP_aes_128_gcm(); | |
| 3024 #endif | |
| 3025 ciphers->hp = EVP_aes_128_ctr(); | |
| 3026 ciphers->d = EVP_sha256(); | |
| 3027 len = 16; | |
| 3028 break; | |
| 3029 | |
| 3030 case NGX_AES_256_GCM_SHA384: | |
| 3031 #ifdef OPENSSL_IS_BORINGSSL | |
| 3032 ciphers->c = EVP_aead_aes_256_gcm(); | |
| 3033 #else | |
| 3034 ciphers->c = EVP_aes_256_gcm(); | |
| 3035 #endif | |
| 3036 ciphers->hp = EVP_aes_256_ctr(); | |
| 3037 ciphers->d = EVP_sha384(); | |
| 3038 len = 32; | |
| 3039 break; | |
| 3040 | |
| 3041 case NGX_CHACHA20_POLY1305_SHA256: | |
| 3042 #ifdef OPENSSL_IS_BORINGSSL | |
| 3043 ciphers->c = EVP_aead_chacha20_poly1305(); | |
| 3044 #else | |
| 3045 ciphers->c = EVP_chacha20_poly1305(); | |
| 3046 #endif | |
| 3047 #ifdef OPENSSL_IS_BORINGSSL | |
| 3048 ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305(); | |
| 3049 #else | |
| 3050 ciphers->hp = EVP_chacha20(); | |
| 3051 #endif | |
| 3052 ciphers->d = EVP_sha256(); | |
| 3053 len = 32; | |
| 3054 break; | |
| 3055 | |
| 3056 default: | |
| 3057 return NGX_ERROR; | |
| 3058 } | |
| 3059 | |
| 3060 return len; | |
| 3061 } |