comparison src/event/quic/ngx_event_quic_protection.c @ 9046:7da4791e0264 quic

QUIC: OpenSSL compatibility layer. The change allows compiling QUIC with OpenSSL, which lacks the BoringSSL QUIC API. This implementation does not support 0-RTT.
author Roman Arutyunyan <arut@nginx.com>
date Wed, 22 Feb 2023 19:16:53 +0400
parents 70ce1e927715
children
9029:639fa6723700 9046:7da4791e0264
19 #define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301 19 #define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301
20 #define TLS1_3_CK_AES_256_GCM_SHA384 0x03001302 20 #define TLS1_3_CK_AES_256_GCM_SHA384 0x03001302
21 #define TLS1_3_CK_CHACHA20_POLY1305_SHA256 \ 21 #define TLS1_3_CK_CHACHA20_POLY1305_SHA256 \
22 0x03001303 22 0x03001303
23 #endif 23 #endif
24
25
26 #ifdef OPENSSL_IS_BORINGSSL
27 #define ngx_quic_cipher_t EVP_AEAD
28 #else
29 #define ngx_quic_cipher_t EVP_CIPHER
30 #endif
31
32
33 typedef struct {
34 const ngx_quic_cipher_t *c;
35 const EVP_CIPHER *hp;
36 const EVP_MD *d;
37 } ngx_quic_ciphers_t;
38
39
40 typedef struct {
41 size_t out_len;
42 u_char *out;
43
44 size_t prk_len;
45 const uint8_t *prk;
46
47 size_t label_len;
48 const u_char *label;
49 } ngx_quic_hkdf_t;
50
51 #define ngx_quic_hkdf_set(seq, _label, _out, _prk) \
52 (seq)->out_len = (_out)->len; (seq)->out = (_out)->data; \
53 (seq)->prk_len = (_prk)->len, (seq)->prk = (_prk)->data, \
54 (seq)->label_len = (sizeof(_label) - 1); (seq)->label = (u_char *)(_label);
55 24
56 25
57 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len, 26 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
58 const EVP_MD *digest, const u_char *prk, size_t prk_len, 27 const EVP_MD *digest, const u_char *prk, size_t prk_len,
59 const u_char *info, size_t info_len); 28 const u_char *info, size_t info_len);
61 const EVP_MD *digest, const u_char *secret, size_t secret_len, 30 const EVP_MD *digest, const u_char *secret, size_t secret_len,
62 const u_char *salt, size_t salt_len); 31 const u_char *salt, size_t salt_len);
63 32
64 static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, 33 static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
65 uint64_t *largest_pn); 34 uint64_t *largest_pn);
66 static void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
67 static ngx_int_t ngx_quic_ciphers(ngx_uint_t id,
68 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level);
69 35
70 static ngx_int_t ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, 36 static ngx_int_t ngx_quic_tls_open(const ngx_quic_cipher_t *cipher,
71 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
72 ngx_str_t *ad, ngx_log_t *log);
73 static ngx_int_t ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher,
74 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, 37 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
75 ngx_str_t *ad, ngx_log_t *log); 38 ngx_str_t *ad, ngx_log_t *log);
76 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, 39 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
77 ngx_quic_secret_t *s, u_char *out, u_char *in); 40 ngx_quic_secret_t *s, u_char *out, u_char *in);
78 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf,
79 const EVP_MD *digest, ngx_log_t *log);
80 41
81 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, 42 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
82 ngx_str_t *res); 43 ngx_str_t *res);
83 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, 44 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
84 ngx_str_t *res); 45 ngx_str_t *res);
85 46
86 47
87 static ngx_int_t 48 ngx_int_t
88 ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers, 49 ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
89 enum ssl_encryption_level_t level) 50 enum ssl_encryption_level_t level)
90 { 51 {
91 ngx_int_t len; 52 ngx_int_t len;
92 53
219 180
220 return NGX_OK; 181 return NGX_OK;
221 } 182 }
222 183
223 184
224 static ngx_int_t 185 ngx_int_t
225 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log) 186 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)
226 { 187 {
227 size_t info_len; 188 size_t info_len;
228 uint8_t *p; 189 uint8_t *p;
229 uint8_t info[20]; 190 uint8_t info[20];
478 439
479 return NGX_OK; 440 return NGX_OK;
480 } 441 }
481 442
482 443
483 static ngx_int_t 444 ngx_int_t
484 ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, 445 ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
485 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) 446 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
486 { 447 {
487 448
488 #ifdef OPENSSL_IS_BORINGSSL 449 #ifdef OPENSSL_IS_BORINGSSL
959 920
960 return candidate_pn; 921 return candidate_pn;
961 } 922 }
962 923
963 924
964 static void 925 void
965 ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn) 926 ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn)
966 { 927 {
967 nonce[len - 8] ^= (pn >> 56) & 0x3f; 928 nonce[len - 8] ^= (pn >> 56) & 0x3f;
968 nonce[len - 7] ^= (pn >> 48) & 0xff; 929 nonce[len - 7] ^= (pn >> 48) & 0xff;
969 nonce[len - 6] ^= (pn >> 40) & 0xff; 930 nonce[len - 6] ^= (pn >> 40) & 0xff;