comparison src/event/ngx_event_quic.c @ 7655:80a07843c711 quic

Using the SSL cipher suite id to obtain the cipher/digest, part 1. While here, log the negotiated cipher just once, after the handshake.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 05 Mar 2020 13:00:59 +0300
parents bf555b94e387
children 2bc1f97c1c2d
7654:bf555b94e387 7655:80a07843c711
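--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -7,10 +7,13 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 
 
 #define quic_version 0xff000018
+
+#define NGX_AES_128_GCM_SHA256 0x1301
+#define NGX_AES_256_GCM_SHA384 0x1302
 
 
 #if (NGX_HAVE_NONALIGNED)
 
 #define ngx_quic_parse_uint16(p) ntohs(*(uint16_t *) (p))
@@ -483,37 +486,34 @@
 static int
 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const uint8_t *read_secret,
 const uint8_t *write_secret, size_t secret_len)
 {
-u_char *name;
 ngx_uint_t i;
 const EVP_MD *digest;
 const EVP_CIPHER *cipher;
 ngx_connection_t *c;
 ngx_quic_secret_t *client, *server;
 
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 
-//ngx_ssl_handshake_log(c); // TODO: enable again
-
 ngx_quic_hexdump(c->log, "level:%d read", read_secret, secret_len, level);
 ngx_quic_hexdump(c->log, "level:%d read", write_secret, secret_len, level);
 
-name = (u_char *) SSL_get_cipher(ssl_conn);
+switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
 
-if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0
-|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
-{
+case NGX_AES_128_GCM_SHA256:
 cipher = EVP_aes_128_gcm();
 digest = EVP_sha256();
-
-} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) {
+break;
+
+case NGX_AES_256_GCM_SHA384:
 cipher = EVP_aes_256_gcm();
 digest = EVP_sha384();
-
-} else {
+break;
+
+default:
 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
 return 0;
 }
 
 switch (level) {
@@ -572,11 +572,11 @@
 
 static ngx_int_t
 ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
 {
-u_char *p, *pnp, *name, *nonce, *sample, *packet;
+u_char *p, *pnp, *nonce, *sample, *packet;
 ngx_str_t ad, out;
 const EVP_CIPHER *cipher;
 ngx_quic_connection_t *qc;
 
 u_char mask[16];
@@ -613,21 +613,21 @@
 
 ad.len = p - ad.data;
 
 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
 
-name = (u_char *) SSL_get_cipher(ssl_conn);
+switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
 
-if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0
-|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
-{
+case NGX_AES_128_GCM_SHA256:
 cipher = EVP_aes_128_gcm();
-
-} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) {
+break;
+
+case NGX_AES_256_GCM_SHA384:
 cipher = EVP_aes_256_gcm();
-
-} else {
+break;
+
+default:
 return NGX_ERROR;
 }
 
 nonce = ngx_pstrdup(c->pool, &pkt->secret->iv);
 if (pkt->level == ssl_encryption_handshake) {
@@ -671,11 +671,11 @@
 
 static ngx_int_t
 ngx_quic_create_short_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
 {
-u_char *p, *pnp, *name, *nonce, *sample, *packet;
+u_char *p, *pnp, *nonce, *sample, *packet;
 ngx_str_t ad, out;
 const EVP_CIPHER *cipher;
 ngx_quic_connection_t *qc;
 
 u_char mask[16];
@@ -701,21 +701,21 @@
 
 ad.len = p - ad.data;
 
 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
 
-name = (u_char *) SSL_get_cipher(ssl_conn);
+switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
 
-if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0
-|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
-{
+case NGX_AES_128_GCM_SHA256:
 cipher = EVP_aes_128_gcm();
-
-} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) {
+break;
+
+case NGX_AES_256_GCM_SHA384:
 cipher = EVP_aes_256_gcm();
-
-} else {
+break;
+
+default:
 return NGX_ERROR;
 }
 
 nonce = ngx_pstrdup(c->pool, &pkt->secret->iv);
 if (pkt->level == ssl_encryption_handshake) {
@@ -790,12 +790,10 @@
 ngx_connection_t *c;
 ngx_quic_connection_t *qc;
 
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 qc = c->quic;
-
-//ngx_ssl_handshake_log(c); // TODO: enable again
 
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "ngx_quic_add_handshake_data");
 
 frame = ngx_pcalloc(c->pool, sizeof(ngx_quic_frame_t));
@@ -1302,23 +1300,21 @@
 nonce[11] ^= pn;
 
 ngx_quic_hexdump0(c->log, "nonce", nonce, 12);
 ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
 
-u_char *name = (u_char *) SSL_get_cipher(ssl_conn);
-ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
-"quic ssl cipher: %s", name);
-
-if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0
-|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
-{
+switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
+
+case NGX_AES_128_GCM_SHA256:
 cipher = EVP_aes_128_gcm();
-
-} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) {
+break;
+
+case NGX_AES_256_GCM_SHA384:
 cipher = EVP_aes_256_gcm();
-
-} else {
+break;
+
+default:
 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
 return NGX_ERROR;
 }
 
 if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad)
@@ -1378,10 +1374,13 @@
 
 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "SSL_quic_read_level: %d, SSL_quic_write_level: %d",
 (int) SSL_quic_read_level(ssl_conn),
 (int) SSL_quic_write_level(ssl_conn));
+
+ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+"quic ssl cipher: %s", SSL_get_cipher(ssl_conn));
 
 // ACK Client Finished
 
 ngx_quic_frame_t *frame;
 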
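Review bot: In ngx_quic_set_encryption_secrets the new `switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff)` feeds the result of SSL_get_current_cipher straight into SSL_CIPHER_get_id, and SSL_get_current_cipher returns NULL while no cipher suite has been negotiated; the removed code's explicit `"(NONE)"` branch suggests that state was reachable at this point, so what used to fall back to AES-128-GCM would now be a NULL dereference. I would fetch the cipher first and fail cleanly, `const SSL_CIPHER *sc = SSL_get_current_cipher(ssl_conn); if (sc == NULL) { ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "no cipher negotiated"); return 0; }`, and then `switch (SSL_CIPHER_get_id(sc) & 0xffff)`. The identical expression is repeated in ngx_quic_create_long_packet, ngx_quic_create_short_packet and the decrypt path at new line 1305, whose enclosing function begins before the hunk, so a small static helper mapping a suite id to its EVP_CIPHER (and EVP_MD) would keep the four copies from drifting; the two create_*_packet copies already differ from the other two in that their default branch returns NGX_ERROR without logging anything. If Initial-level packets can pass through these switches before a suite exists, they must use AES-128-GCM regardless of what is negotiated later, which the dropped "(NONE)" fallback happened to provide, so that is worth confirming against the callers, which are outside the hunks.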