comparison src/event/ngx_event_quic.c @ 7670:9e0c30e1f7fb quic

Compatibility with BoringSSL's revised QUIC encryption secret APIs. For details, see: https://boringssl.googlesource.com/boringssl/+/1e85905%5E!/
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 11 Mar 2020 21:53:02 +0300
parents ec0c44aa2881
children a5423632d67b
7669:ec0c44aa2881 7670:9e0c30e1f7fb
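--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -232,13 +232,22 @@
 static ngx_int_t ngx_quic_new_connection(ngx_connection_t *c, ngx_ssl_t *ssl,
 ngx_buf_t *b);
 static ngx_int_t ngx_quic_handshake_input(ngx_connection_t *c, ngx_buf_t *b);
 static ngx_int_t ngx_quic_app_input(ngx_connection_t *c, ngx_buf_t *b);
 
+#if BORINGSSL_API_VERSION >= 10
+static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
+enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+const uint8_t *secret, size_t secret_len);
+static int ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
+enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+const uint8_t *secret, size_t secret_len);
+#else
 static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const uint8_t *read_secret,
 const uint8_t *write_secret, size_t secret_len);
+#endif
 static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const uint8_t *data, size_t len);
 static ngx_int_t ngx_quic_create_long_packet(ngx_connection_t *c,
 ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in,
 ngx_str_t *res);
@@ -286,11 +295,15 @@
 
 static ngx_int_t ngx_quic_ciphers(ngx_connection_t *c,
 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level);
 
 static SSL_QUIC_METHOD quic_method = {
+#if BORINGSSL_API_VERSION >= 10
+ngx_quic_set_read_secret,
+ngx_quic_set_write_secret,
+#else
 ngx_quic_set_encryption_secrets,
+#endif
 ngx_quic_add_handshake_data,
 ngx_quic_flush_flight,
 ngx_quic_send_alert,
 };
 
@@ -526,10 +540,141 @@
 qc->frames = NULL;
 
 return NGX_OK;
 }
 
+
+#if BORINGSSL_API_VERSION >= 10
+
+static int
+ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
+enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+const uint8_t *secret, size_t secret_len)
+{
+ngx_int_t key_len;
+ngx_uint_t i;
+ngx_connection_t *c;
+ngx_quic_secret_t *client;
+ngx_quic_ciphers_t ciphers;
+
+c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+ngx_quic_hexdump(c->log, "level:%d read", secret, secret_len, level);
+
+key_len = ngx_quic_ciphers(c, &ciphers, level);
+
+if (key_len == NGX_ERROR) {
+ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
+return 0;
+}
+
+switch (level) {
+
+case ssl_encryption_handshake:
+client = &c->quic->client_hs;
+break;
+
+case ssl_encryption_application:
+client = &c->quic->client_ad;
+break;
+
+default:
+return 0;
+}
+
+client->key.len = key_len;
+client->iv.len = NGX_QUIC_IV_LEN;
+client->hp.len = key_len;
+
+struct {
+ngx_str_t label;
+ngx_str_t *key;
+const uint8_t *secret;
+} seq[] = {
+{ ngx_string("tls13 quic key"), &client->key, secret },
+{ ngx_string("tls13 quic iv"), &client->iv, secret },
+{ ngx_string("tls13 quic hp"), &client->hp, secret },
+};
+
+for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+
+if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label,
+seq[i].secret, secret_len)
+!= NGX_OK)
+{
+return 0;
+}
+}
+
+return 1;
+}
+
+
+static int
+ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
+enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
+const uint8_t *secret, size_t secret_len)
+{
+ngx_int_t key_len;
+ngx_uint_t i;
+ngx_connection_t *c;
+ngx_quic_secret_t *server;
+ngx_quic_ciphers_t ciphers;
+
+c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+ngx_quic_hexdump(c->log, "level:%d write", secret, secret_len, level);
+
+key_len = ngx_quic_ciphers(c, &ciphers, level);
+
+if (key_len == NGX_ERROR) {
+ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
+return 0;
+}
+
+switch (level) {
+
+case ssl_encryption_handshake:
+server = &c->quic->server_hs;
+break;
+
+case ssl_encryption_application:
+server = &c->quic->server_ad;
+break;
+
+default:
+return 0;
+}
+
+server->key.len = key_len;
+server->iv.len = NGX_QUIC_IV_LEN;
+server->hp.len = key_len;
+
+struct {
+ngx_str_t label;
+ngx_str_t *key;
+const uint8_t *secret;
+} seq[] = {
+{ ngx_string("tls13 quic key"), &server->key, secret },
+{ ngx_string("tls13 quic iv"), &server->iv, secret },
+{ ngx_string("tls13 quic hp"), &server->hp, secret },
+};
+
+for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
+
+if (ngx_quic_hkdf_expand(c, ciphers.d, seq[i].key, &seq[i].label,
+seq[i].secret, secret_len)
+!= NGX_OK)
+{
+return 0;
+}
+}
+
+return 1;
+}
+
+#else
 
 static int
 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const uint8_t *read_secret,
 const uint8_t *write_secret, size_t secret_len)
@@ -602,10 +747,12 @@
 }
 }
 
 return 1;
 }
+
+#endif
 
 
 static ngx_int_t
 ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
 ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)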
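Review bot: ngx_quic_set_read_secret and ngx_quic_set_write_secret (new lines 548–673) are identical apart from the target ngx_quic_secret_t pair and the "read"/"write" log tag, and both ignore the `cipher` argument the revised BoringSSL callback now supplies, re-deriving it through `ngx_quic_ciphers(c, &ciphers, level)` instead; a shared static helper taking the handshake/application secret pointers leaves one place to later honour `cipher`, and the per-entry `secret` member of `seq[]` is now always the same pointer and can be dropped. Both callbacks return 0 for any level other than handshake and application, which BoringSSL treats as failure, so the `default:` branch deserves a comment stating where initial keys are derived and that early-data keys are deliberately rejected — both live outside this hunk, so that is an assumption to confirm. The `ngx_quic_hexdump(c->log, "level:%d read", secret, secret_len, level)` calls write the raw traffic secret to the connection log; worth confirming from its definition (not in this hunk) that ngx_quic_hexdump is compiled out of non-debug builds.
```c
/* derives key, iv and hp for one direction from a TLS traffic secret;
 * hs/ad select the target slot by encryption level */
static int
ngx_quic_set_secret(ngx_connection_t *c, enum ssl_encryption_level_t level,
    ngx_quic_secret_t *hs, ngx_quic_secret_t *ad,
    const uint8_t *secret, size_t secret_len)
{
    ngx_int_t            key_len;
    ngx_uint_t           i;
    ngx_quic_secret_t   *s;
    ngx_quic_ciphers_t   ciphers;

    key_len = ngx_quic_ciphers(c, &ciphers, level);

    if (key_len == NGX_ERROR) {
        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
        return 0;
    }

    switch (level) {

    case ssl_encryption_handshake:
        s = hs;
        break;

    case ssl_encryption_application:
        s = ad;
        break;

    default:
        /* TODO(review): confirm initial keys are derived elsewhere and
         * that early-data keys are intentionally rejected here */
        return 0;
    }

    s->key.len = key_len;
    s->iv.len = NGX_QUIC_IV_LEN;
    s->hp.len = key_len;

    /* … unchanged: seq[] label table (without the per-entry secret member)
     * and the ngx_quic_hkdf_expand loop over s->key, s->iv, s->hp … */

    return 1;
}


static int
ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
    enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
    const uint8_t *secret, size_t secret_len)
{
    ngx_connection_t  *c;

    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);

    ngx_quic_hexdump(c->log, "level:%d read", secret, secret_len, level);

    return ngx_quic_set_secret(c, level, &c->quic->client_hs,
                               &c->quic->client_ad, secret, secret_len);
}

/* … ngx_quic_set_write_secret: same shape with the "write" tag,
 * &c->quic->server_hs and &c->quic->server_ad … */
```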