# HG changeset patch # User Sergey Kandaurov # Date 1582884592 -10800 # Node ID a9ff4392ecde0b88476e84333d8ca6711aae7055 # Parent 76e29ff31cd3621915e4689e2f2c520bd851f687 QUIC header protection routines, introduced ngx_quic_tls_hp(). diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -593,29 +593,12 @@ quic_add_handshake_data(ngx_ssl_conn_t * return 0; } - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); u_char *sample = &out.data[3]; // pnl=0 uint8_t mask[16]; - int outlen; - - if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL) - != 1) - { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "EVP_EncryptInit_ex() failed"); + if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), secret, mask, sample) != NGX_OK) { return 0; } - if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, c->log, 0, - "EVP_EncryptUpdate() failed"); - return 0; - } - - EVP_CIPHER_CTX_free(ctx); - m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf; ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data sample: %*s, len: %uz", diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -371,3 +371,37 @@ ngx_quic_tls_seal(ngx_connection_t *c, c return NGX_OK; } + + +ngx_int_t +ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher, + ngx_quic_secret_t *s, u_char *out, u_char *in) +{ + int outlen; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + return NGX_ERROR; + } + + if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); + goto failed; + } + + if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) { + ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); + goto failed; + } + + EVP_CIPHER_CTX_free(ctx); + + return NGX_OK; + +failed: + + EVP_CIPHER_CTX_free(ctx); + + return NGX_ERROR; +} diff --git a/src/event/ngx_event_quic.h b/src/event/ngx_event_quic.h --- a/src/event/ngx_event_quic.h +++ b/src/event/ngx_event_quic.h @@ -60,5 +60,8 @@ ngx_int_t ngx_quic_tls_seal(ngx_connecti const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad); +ngx_int_t +ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher, + ngx_quic_secret_t *s, u_char *out, u_char *in); #endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */ diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1124,31 +1124,14 @@ ngx_http_quic_handshake(ngx_event_t *rev // header protection - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); uint8_t mask[16]; - int outlen; - - if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, - qc->client_in.hp.data, NULL) - != 1) + if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_in, mask, sample) + != NGX_OK) { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_EncryptInit_ex() failed"); ngx_http_close_connection(c); return; } - if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_EncryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - EVP_CIPHER_CTX_free(ctx); - u_char clearflags = flags ^ (mask[0] & 0x0f); ngx_int_t pnl = (clearflags & 0x03) + 1; uint64_t pn = ngx_quic_parse_pn(&b->pos, pnl, &mask[1]); @@ -1422,31 +1405,14 @@ ngx_http_quic_handshake_handler(ngx_even // header protection - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); uint8_t mask[16]; - int outlen; - - if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, - qc->client_hs.hp.data, NULL) - != 1) + if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_hs, mask, sample) + != NGX_OK) { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_EncryptInit_ex() failed"); ngx_http_close_connection(c); return; } - if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) { - EVP_CIPHER_CTX_free(ctx); - ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, - "EVP_EncryptUpdate() failed"); - ngx_http_close_connection(c); - return; - } - - EVP_CIPHER_CTX_free(ctx); - u_char clearflags = flags ^ (mask[0] & 0x0f); ngx_int_t pnl = (clearflags & 0x03) + 1; uint64_t pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);