annotate src/event/quic/ngx_event_quic_openssl_compat.c @ 9178:b74f891053c7

QUIC: explicitly zero out unused keying material.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 20 Oct 2023 18:05:07 +0400
parents 22d110af473c
children
2 /*
3 * Copyright (C) Nginx, Inc.
4 */
7 #include <ngx_config.h>
8 #include <ngx_core.h>
9 #include <ngx_event.h>
10 #include <ngx_event_quic_connection.h>
13 #if (NGX_QUIC_OPENSSL_COMPAT)
/* record size constant; its consumers are outside this excerpt */
#define NGX_QUIC_COMPAT_RECORD_SIZE         1024

/*
 * TLS extension type registered by ngx_quic_compat_init() for the
 * ClientHello and EncryptedExtensions messages; 0x39 is the
 * quic_transport_parameters codepoint (RFC 9001)
 */
#define NGX_QUIC_COMPAT_SSL_TP_EXT          0x39

/*
 * key log labels matched against the first token of each line passed to
 * ngx_quic_compat_keylog_callback(); any other label is ignored there
 */
#define NGX_QUIC_COMPAT_CLIENT_HANDSHAKE    "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
#define NGX_QUIC_COMPAT_SERVER_HANDSHAKE    "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define NGX_QUIC_COMPAT_CLIENT_APPLICATION  "CLIENT_TRAFFIC_SECRET_0"
#define NGX_QUIC_COMPAT_SERVER_APPLICATION  "SERVER_TRAFFIC_SECRET_0"
/*
 * Key state filled in by ngx_quic_compat_set_encryption_secret().
 * In the visible code it is only populated for the read direction
 * (see the non-write branch of ngx_quic_compat_keylog_callback()).
 */
typedef struct {
    ngx_quic_secret_t             secret;  /* referred to as peer_secret */
    ngx_uint_t                    cipher;  /* SSL_CIPHER_get_id() value */
} ngx_quic_compat_keys_t;
/*
 * Description of one record, passed to ngx_quic_compat_create_header()
 * and ngx_quic_compat_create_record().  Those bodies are outside this
 * excerpt, so the per-field notes below are limited to what the
 * declarations show.
 */
typedef struct {
    ngx_log_t                    *log;

    u_char                        type;
    ngx_str_t                     payload;
    uint64_t                      number;
    ngx_quic_compat_keys_t       *keys;     /* borrowed pointer, not a copy */

    enum ssl_encryption_level_t   level;
} ngx_quic_compat_record_t;
/*
 * Per-connection state of the compat layer, reached through qc->compat.
 */
struct ngx_quic_compat_s {
    /* set_read_secret()/set_write_secret() are invoked through this table */
    const SSL_QUIC_METHOD        *method;

    /* level of the most recently installed write secret */
    enum ssl_encryption_level_t   write_level;

    /* reset to 0 each time a new read secret is installed */
    uint64_t                      read_record;
    /* read-direction keys derived by ngx_quic_compat_set_encryption_secret() */
    ngx_quic_compat_keys_t        keys;

    /* NOTE(review): presumably local and client transport parameters;
     * both are used outside this excerpt - confirm */
    ngx_str_t                     tp;
    ngx_str_t                     ctp;
};
/*
 * Forward declarations of the file-local helpers and OpenSSL callbacks.
 * The keylog callback is what hands raw traffic secrets to this layer,
 * so every function below that takes a "secret" argument handles
 * keying material.
 */
static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line);
static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
static void ngx_quic_compat_cleanup_encryption_secret(void *data);
static int ngx_quic_compat_add_transport_params_callback(SSL *ssl,
    unsigned int ext_type, unsigned int context, const unsigned char **out,
    size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg);
static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl,
    unsigned int ext_type, unsigned int context, const unsigned char *in,
    size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg);
static void ngx_quic_compat_message_callback(int write_p, int version,
    int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec,
    u_char *out, ngx_uint_t plain);
static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec,
    ngx_str_t *res);
/*
 * Prepares an SSL_CTX for the compat layer.
 *
 * The keylog callback is installed unconditionally, so OpenSSL reports
 * the secrets of every connection created from this context to
 * ngx_quic_compat_keylog_callback(); that callback ignores connections
 * that are not SOCK_DGRAM.  The transport parameters extension is
 * registered once per context.
 *
 * Returns NGX_OK on success or when the extension is already present,
 * NGX_ERROR if SSL_CTX_add_custom_ext() fails.
 */
ngx_int_t
ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx)
{
    int  rc;

    SSL_CTX_set_keylog_callback(ctx, ngx_quic_compat_keylog_callback);

    /* register the extension only if this context does not have it yet */

    if (!SSL_CTX_has_client_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT)) {

        rc = SSL_CTX_add_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT,
                              SSL_EXT_CLIENT_HELLO
                              |SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
                              ngx_quic_compat_add_transport_params_callback,
                              NULL,
                              NULL,
                              ngx_quic_compat_parse_transport_params_callback,
                              NULL);

        if (rc == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "SSL_CTX_add_custom_ext() failed");
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}
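/*
 * OpenSSL keylog callback: turns a key log line into a QUIC traffic secret.
 *
 * The line is parsed as three space-separated tokens: a label, a token
 * that is skipped, and the hex-encoded secret.  Only the four handshake
 * and application traffic secret labels are acted on; the label selects
 * the encryption level and the direction (client labels are read secrets,
 * server labels are write secrets).
 *
 * The decoded secret lives in a stack buffer and is wiped on every path
 * that has written to it, including the malformed-input paths.
 */
static void
ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line)
{
    u_char                        ch, *p, *start, value;
    size_t                        n;
    ngx_uint_t                    write;
    const SSL_CIPHER             *cipher;
    ngx_quic_compat_t            *com;
    ngx_connection_t             *c;
    ngx_quic_connection_t        *qc;
    enum ssl_encryption_level_t   level;
    u_char                        secret[EVP_MAX_MD_SIZE];

    /* the callback is set per SSL_CTX; skip non-datagram connections */

    c = ngx_ssl_get_connection(ssl);
    if (c->type != SOCK_DGRAM) {
        return;
    }

    p = (u_char *) line;

    /* first token: the label */

    for (start = p; *p && *p != ' '; p++);

    n = p - start;

    /* only the label is logged, never the secret itself */

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic compat secret %*s", n, start);

    if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_HANDSHAKE) - 1
        && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_HANDSHAKE, n) == 0)
    {
        level = ssl_encryption_handshake;
        write = 0;

    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_HANDSHAKE) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_HANDSHAKE, n) == 0)
    {
        level = ssl_encryption_handshake;
        write = 1;

    } else if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_APPLICATION) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_APPLICATION, n)
                  == 0)
    {
        level = ssl_encryption_application;
        write = 0;

    } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_APPLICATION) - 1
               && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_APPLICATION, n)
                  == 0)
    {
        level = ssl_encryption_application;
        write = 1;

    } else {
        return;
    }

    /* nothing has been decoded yet, so the early returns need no wipe */

    if (*p++ == '\0') {
        return;
    }

    /* second token is skipped */

    for ( /* void */ ; *p && *p != ' '; p++);

    if (*p++ == '\0') {
        return;
    }

    /* third token: hex digits, two per secret byte, high nibble first */

    for (n = 0, start = p; *p; p++) {
        ch = *p;

        if (ch >= '0' && ch <= '9') {
            value = ch - '0';
            goto next;
        }

        ch = (u_char) (ch | 0x20);

        if (ch >= 'a' && ch <= 'f') {
            value = ch - 'a' + 10;
            goto next;
        }

        ngx_log_error(NGX_LOG_EMERG, c->log, 0,
                      "invalid OpenSSL QUIC secret format");

        /* bytes decoded so far are keying material: wipe before leaving */

        goto done;

    next:

        if ((p - start) % 2) {
            secret[n++] += value;

        } else {
            if (n >= EVP_MAX_MD_SIZE) {
                ngx_log_error(NGX_LOG_EMERG, c->log, 0,
                              "too big OpenSSL QUIC secret");
                goto done;
            }

            secret[n] = (value << 4);
        }
    }

    qc = ngx_quic_get_connection(c);
    com = qc->compat;
    cipher = SSL_get_current_cipher(ssl);

    if (write) {
        com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n);
        com->write_level = level;

    } else {
        com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
        com->read_record = 0;

        /*
         * NOTE(review): the result is discarded because this callback
         * returns void; the callee logs "unexpected cipher" on failure.
         * Confirm that a later step notices missing read keys.
         */

        (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level,
                                                     cipher, secret, n);
    }

done:

    /*
     * Wipe the whole buffer rather than n bytes: a trailing unpaired
     * hex digit is stored in secret[n] without being counted in n.
     */

    ngx_explicit_memzero(secret, sizeof(secret));
}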
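/*
 * Derives the packet protection key and IV from a TLS traffic secret and
 * initialises the crypto context stored in keys->secret.
 *
 * The key is expanded into a stack-local buffer ("tls13 key" label), the IV
 * directly into keys->secret.iv ("tls13 iv" label).  The stack copy of the
 * key is only an input to ngx_quic_crypto_init(), so it is wiped with
 * ngx_explicit_memzero() on every exit path taken after derivation has
 * started, including the error returns.
 *
 * Returns NGX_OK on success and NGX_ERROR when the cipher is not recognised,
 * a HKDF expansion fails, the pool cleanup cannot be registered, or the
 * crypto context cannot be initialised.  The level argument is not used here.
 */
static ngx_int_t
ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
    ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
{
    ngx_int_t            key_len, rc;
    ngx_str_t            secret_str;
    ngx_uint_t           i;
    ngx_quic_md_t        key;
    ngx_quic_hkdf_t      seq[2];
    ngx_quic_secret_t   *peer_secret;
    ngx_quic_ciphers_t   ciphers;
    ngx_pool_cleanup_t  *cln;

    peer_secret = &keys->secret;

    keys->cipher = SSL_CIPHER_get_id(cipher);

    key_len = ngx_quic_ciphers(keys->cipher, &ciphers);

    if (key_len == NGX_ERROR) {
        /* nothing has been derived yet, so there is nothing to wipe */
        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
        return NGX_ERROR;
    }

    key.len = key_len;

    peer_secret->iv.len = NGX_QUIC_IV_LEN;

    secret_str.len = secret_len;
    secret_str.data = (u_char *) secret;

    ngx_quic_hkdf_set(&seq[0], "tls13 key", &key, &secret_str);
    ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str);

    /* from here on every exit goes through "done" so the key is wiped */

    rc = NGX_ERROR;

    for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
            goto done;
        }
    }

    /* register cleanup handler once */

    if (peer_secret->ctx) {
        ngx_quic_crypto_cleanup(peer_secret);

    } else {
        cln = ngx_pool_cleanup_add(c->pool, 0);
        if (cln == NULL) {
            goto done;
        }

        cln->handler = ngx_quic_compat_cleanup_encryption_secret;
        cln->data = peer_secret;
    }

    if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log)
        == NGX_ERROR)
    {
        goto done;
    }

    rc = NGX_OK;

done:

    /* the raw key is not needed once the context is set up (or has failed) */
    ngx_explicit_memzero(key.data, key.len);

    return rc;
}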
/*
 * Pool cleanup handler: data is the ngx_quic_secret_t registered by
 * ngx_quic_compat_set_encryption_secret(); its crypto state is released
 * through ngx_quic_crypto_cleanup().
 */
static void
ngx_quic_compat_cleanup_encryption_secret(void *data)
{
    ngx_quic_secret_t  *peer_secret;

    peer_secret = data;

    ngx_quic_crypto_cleanup(peer_secret);
}
/*
 * Callback that supplies the transport parameters kept in the compat state
 * (the signature matches OpenSSL's custom extension "add" callback; the
 * registration is outside this excerpt).
 *
 * Returns 0 for connections that are not SOCK_DGRAM.  Otherwise *out and
 * *outlen are pointed at com->tp (no copy is made) and 1 is returned.
 *
 * NOTE(review): qc is dereferenced without a NULL check, whereas
 * ngx_quic_compat_message_callback() treats qc == NULL as "closing" --
 * confirm this callback cannot be invoked in that state.
 */
static int
ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type,
    unsigned int context, const unsigned char **out, size_t *outlen, X509 *x,
    size_t chainidx, int *al, void *add_arg)
{
    ngx_connection_t       *conn;
    ngx_quic_compat_t      *compat;
    ngx_quic_connection_t  *quic;

    conn = ngx_ssl_get_connection(ssl);

    if (conn->type == SOCK_DGRAM) {

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                       "quic compat add transport params");

        quic = ngx_quic_get_connection(conn);
        compat = quic->compat;

        *out = compat->tp.data;
        *outlen = compat->tp.len;

        return 1;
    }

    return 0;
}
/*
 * Callback that receives the peer's transport parameters (the signature
 * matches OpenSSL's custom extension "parse" callback; the registration is
 * outside this excerpt).
 *
 * Returns 0 for connections that are not SOCK_DGRAM or when the pool
 * allocation fails.  Otherwise the inlen bytes at in are copied into
 * c->pool, recorded in com->ctp, and 1 is returned.
 *
 * The bytes come from the peer and are stored verbatim; nothing is parsed
 * or validated here, so whatever consumes com->ctp presumably does that --
 * confirm.
 */
static int
ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type,
    unsigned int context, const unsigned char *in, size_t inlen, X509 *x,
    size_t chainidx, int *al, void *parse_arg)
{
    u_char                 *copy;
    ngx_connection_t       *conn;
    ngx_quic_compat_t      *compat;
    ngx_quic_connection_t  *quic;

    conn = ngx_ssl_get_connection(ssl);

    if (conn->type != SOCK_DGRAM) {
        return 0;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                   "quic compat parse transport params");

    quic = ngx_quic_get_connection(conn);
    compat = quic->compat;

    /* keep a private copy: the input buffer belongs to the caller */

    copy = ngx_pnalloc(conn->pool, inlen);

    if (copy != NULL) {
        ngx_memcpy(copy, in, inlen);

        compat->ctp.data = copy;
        compat->ctp.len = inlen;

        return 1;
    }

    return 0;
}
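/*
 * Compat implementation of SSL_set_quic_method().
 *
 * Allocates a zeroed ngx_quic_compat_t from c->pool, stores quic_method in
 * it, attaches a memory read BIO and a null write BIO to ssl, installs
 * ngx_quic_compat_message_callback() as the message callback and sets the
 * early data limit to 0.
 *
 * Returns 1 on success and 0 when the compat state or either BIO cannot be
 * allocated.
 */
int
SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
{
    BIO                    *rbio, *wbio;
    ngx_connection_t       *c;
    ngx_quic_compat_t      *com;
    ngx_quic_connection_t  *qc;

    c = ngx_ssl_get_connection(ssl);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat set method");

    qc = ngx_quic_get_connection(c);

    qc->compat = ngx_pcalloc(c->pool, sizeof(ngx_quic_compat_t));
    if (qc->compat == NULL) {
        return 0;
    }

    com = qc->compat;
    com->method = quic_method;

    rbio = BIO_new(BIO_s_mem());
    if (rbio == NULL) {
        return 0;
    }

    wbio = BIO_new(BIO_s_null());
    if (wbio == NULL) {
        /* rbio has not been handed to ssl yet, so it must be freed here */
        BIO_free(rbio);
        return 0;
    }

    /* from this point both BIOs are owned by ssl */
    SSL_set_bio(ssl, rbio, wbio);

    SSL_set_msg_callback(ssl, ngx_quic_compat_message_callback);

    /* early data is not supported */
    SSL_set_max_early_data(ssl, 0);

    return 1;
}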
/*
 * Message callback installed by SSL_set_quic_method().
 *
 * Only outgoing messages (write_p != 0) are handled, and nothing is done
 * when the QUIC connection is already gone.  Handshake records are passed
 * to method->add_handshake_data() and alerts of at least two bytes to
 * method->send_alert(), both at com->write_level.  If either method
 * callback returns anything other than 1, the connection's close event is
 * posted.  Other content types are ignored.
 */
static void
ngx_quic_compat_message_callback(int write_p, int version, int content_type,
    const void *buf, size_t len, SSL *ssl, void *arg)
{
    ngx_int_t                    ok;
    ngx_uint_t                   alert;
    ngx_connection_t            *conn;
    ngx_quic_compat_t           *compat;
    ngx_quic_connection_t       *quic;
    enum ssl_encryption_level_t  level;

    if (!write_p) {
        return;
    }

    conn = ngx_ssl_get_connection(ssl);
    quic = ngx_quic_get_connection(conn);

    if (quic == NULL) {
        /* closing */
        return;
    }

    compat = quic->compat;
    level = compat->write_level;

    ok = 1;

    if (content_type == SSL3_RT_HANDSHAKE) {

        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                       "quic compat tx %s len:%uz ",
                       ngx_quic_level_name(level), len);

        ok = (compat->method->add_handshake_data(ssl, level, buf, len) == 1);

    } else if (content_type == SSL3_RT_ALERT && len >= 2) {

        /* the second byte of the alert record is the alert description */
        alert = ((u_char *) buf)[1];

        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                       "quic compat %s alert:%ui len:%uz ",
                       ngx_quic_level_name(level), alert, len);

        ok = (compat->method->send_alert(ssl, level, alert) == 1);
    }

    if (!ok) {
        /* a method callback failed: schedule the connection close event */
        ngx_post_event(&quic->close, &ngx_posted_events);
    }
}
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff changeset
468
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff changeset
469
7da4791e0264 QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff changeset
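/*
 * Feeds handshake bytes received at the given QUIC encryption level to the
 * TLS stack by wrapping them into TLS records and writing those records to
 * the read BIO of "ssl".
 *
 * Initial-level data is framed as plaintext SSL3_RT_HANDSHAKE records.
 * Data at any other level is copied in chunks of at most
 * NGX_QUIC_COMPAT_RECORD_SIZE bytes, followed by one SSL3_RT_HANDSHAKE
 * content-type byte, and sealed by ngx_quic_compat_create_record() with the
 * compat keys before it is written.
 *
 * Returns 1 on success (including len == 0) and 0 if a record cannot be
 * created or is not written to the BIO in full.
 */
int
SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
    const uint8_t *data, size_t len)
{
    BIO                       *rbio;
    size_t                     n;
    u_char                    *p;
    ngx_str_t                  res;
    ngx_connection_t          *c;
    ngx_quic_compat_t         *com;
    ngx_quic_connection_t     *qc;
    ngx_quic_compat_record_t   rec;
    u_char                     in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];
    u_char                     out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
                                   + SSL3_RT_HEADER_LENGTH
                                   + NGX_QUIC_TAG_LEN];

    c = ngx_ssl_get_connection(ssl);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz",
                   ngx_quic_level_name(level), len);

    qc = ngx_quic_get_connection(c);
    com = qc->compat;
    rbio = SSL_get_rbio(ssl);

    while (len) {
        ngx_memzero(&rec, sizeof(ngx_quic_compat_record_t));

        rec.type = SSL3_RT_HANDSHAKE;
        rec.log = c->log;
        rec.number = com->read_record++;
        rec.keys = &com->keys;
        rec.level = level;

        if (level == ssl_encryption_initial) {

            /* 65535 is the most the 16-bit record length field can carry */
            n = ngx_min(len, 65535);

            rec.payload.len = n;
            rec.payload.data = (u_char *) data;

            ngx_quic_compat_create_header(&rec, out, 1);

            /*
             * a failed or short write would leave a truncated record in
             * the BIO while the caller is told the data was accepted,
             * so it is reported as a failure instead
             */

            if (BIO_write(rbio, out, SSL3_RT_HEADER_LENGTH)
                != SSL3_RT_HEADER_LENGTH
                || BIO_write(rbio, data, (int) n) != (int) n)
            {
                return 0;
            }

#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
            ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "quic compat record len:%uz %*xs%*xs",
                           n + SSL3_RT_HEADER_LENGTH,
                           (size_t) SSL3_RT_HEADER_LENGTH, out, n, data);
#endif

        } else {
            n = ngx_min(len, NGX_QUIC_COMPAT_RECORD_SIZE);

            /* the inner plaintext is the chunk plus a content-type byte */
            p = ngx_cpymem(in, data, n);
            *p++ = SSL3_RT_HANDSHAKE;

            rec.payload.len = p - in;
            rec.payload.data = in;

            /* out[] is sized for header + chunk + type byte + AEAD tag */
            res.data = out;

            if (ngx_quic_compat_create_record(&rec, &res) != NGX_OK) {
                return 0;
            }

#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "quic compat record len:%uz %xV", res.len, &res);
#endif

            /* same reasoning as above: never report a dropped record as ok */
            if (BIO_write(rbio, res.data, (int) res.len) != (int) res.len) {
                return 0;
            }
        }

        data += n;
        len -= n;
    }

    return 1;
}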
/*
 * Writes the 5-byte TLS record header for "rec" to "out" and returns the
 * number of bytes written.
 *
 * With "plain" set the header carries rec->type and the payload length as
 * is.  Otherwise it carries SSL3_RT_APPLICATION_DATA and the payload length
 * increased by NGX_QUIC_TAG_LEN.  The two version bytes are always 0x03.
 * Only the low 16 bits of the length are encoded; "out" is not bounds
 * checked here and must have room for 5 bytes.
 */
static size_t
ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out,
    ngx_uint_t plain)
{
    size_t   length;
    u_char  *p;

    p = out;
    length = rec->payload.len;

    if (!plain) {
        /* protected record: outer type is fixed, length covers the tag */
        length += NGX_QUIC_TAG_LEN;
        *p++ = SSL3_RT_APPLICATION_DATA;

    } else {
        *p++ = rec->type;
    }

    /* record version bytes */
    *p++ = 0x03;
    *p++ = 0x03;

    /* big-endian 16-bit length */
    *p++ = (u_char) (length >> 8);
    *p++ = (u_char) length;

    return p - out;
}
/*
 * Builds one protected TLS record for "rec" in the buffer at res->data:
 * the header from ngx_quic_compat_create_header() in non-plain mode,
 * followed by the output of ngx_quic_crypto_seal() over rec->payload with
 * that header passed as the associated data.
 *
 * The nonce starts as a copy of the IV in rec->keys->secret and is then
 * passed through ngx_quic_compute_nonce() together with rec->number.
 *
 * On success res->len is set to the header length plus the sealed length
 * and NGX_OK is returned; NGX_ERROR is returned if sealing fails.  The
 * size of the buffer behind res->data is not checked here.
 */
static ngx_int_t
ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
{
    u_char              nonce[NGX_QUIC_IV_LEN];
    ngx_str_t           aad, sealed;
    ngx_quic_secret_t  *sec;

    sec = &rec->keys->secret;

    /* the header is written first and doubles as the associated data */
    aad.data = res->data;
    aad.len = ngx_quic_compat_create_header(rec, aad.data, 0);

    sealed.data = res->data + aad.len;
    sealed.len = rec->payload.len + NGX_QUIC_TAG_LEN;

#ifdef NGX_QUIC_DEBUG_CRYPTO
    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, rec->log, 0,
                   "quic compat ad len:%uz %xV", aad.len, &aad);
#endif

    /*
     * NOTE(review): the copy is sized by sec->iv.len with no check against
     * sizeof(nonce); presumably the IV type bounds it to NGX_QUIC_IV_LEN -
     * confirm against the ngx_quic_secret_t definition
     */
    ngx_memcpy(nonce, sec->iv.data, sec->iv.len);
    ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number);

    if (ngx_quic_crypto_seal(sec, &sealed, nonce, &rec->payload, &aad,
                             rec->log)
        == NGX_OK)
    {
        res->len = aad.len + sealed.len;
        return NGX_OK;
    }

    return NGX_ERROR;
}
/*
 * Records the local QUIC transport parameters in the compat state of the
 * connection that owns "ssl".  Always returns 1.
 *
 * Only the pointer and the length are stored; the bytes are not copied.
 * NOTE(review): the buffer presumably has to stay valid for as long as the
 * compat layer may read it - confirm against the callers.
 */
int
SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
    size_t params_len)
{
    ngx_connection_t       *conn;
    ngx_quic_compat_t      *compat;
    ngx_quic_connection_t  *quic;

    conn = ngx_ssl_get_connection(ssl);
    quic = ngx_quic_get_connection(conn);
    compat = quic->compat;

    /* const is dropped only because the destination field is u_char * */
    compat->tp.data = (u_char *) params;
    compat->tp.len = params_len;

    return 1;
}
/*
 * Returns the peer's QUIC transport parameters kept in the compat state of
 * the connection that owns "ssl".
 *
 * *out_params receives the stored pointer and *out_params_len the stored
 * length; nothing is copied, so the result refers to memory held by the
 * compat state.  Both output pointers are written unconditionally.
 */
void
SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
    size_t *out_params_len)
{
    ngx_connection_t       *conn;
    ngx_quic_compat_t      *compat;
    ngx_quic_connection_t  *quic;

    conn = ngx_ssl_get_connection(ssl);
    quic = ngx_quic_get_connection(conn);
    compat = quic->compat;

    *out_params_len = compat->ctp.len;
    *out_params = compat->ctp.data;
}
651 #endif /* NGX_QUIC_OPENSSL_COMPAT */