Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 8180:01dc595de244 quic
Cleanup.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 28 Feb 2020 13:09:52 +0300 |
| parents | 7ee1ada04c8a |
| children | 3cb4f16426a5 |
comparison
equal
deleted
inserted
replaced
| 8179:7ee1ada04c8a | 8180:01dc595de244 |
|---|---|
| 676 | 676 |
| 677 c = rev->data; | 677 c = rev->data; |
| 678 hc = c->data; | 678 hc = c->data; |
| 679 b = c->buffer; | 679 b = c->buffer; |
| 680 | 680 |
| 681 qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t)); | |
| 682 if (qc == NULL) { | |
| 683 ngx_http_close_connection(c); | |
| 684 return; | |
| 685 } | |
| 686 | |
| 687 c->quic = qc; | |
| 688 | |
| 689 printf("buffer %p %p:%p:%p:%p \n", b, b->start, b->pos, b->last, b->end); | |
| 690 | |
| 691 if ((b->pos[0] & 0xf0) != 0xc0) { | 681 if ((b->pos[0] & 0xf0) != 0xc0) { |
| 692 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "invalid initial packet"); | 682 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "invalid initial packet"); |
| 693 ngx_http_close_connection(c); | 683 ngx_http_close_connection(c); |
| 694 return; | 684 return; |
| 695 } | 685 } |
| 710 if (version != 0xff000018) { | 700 if (version != 0xff000018) { |
| 711 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "unsupported quic version"); | 701 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "unsupported quic version"); |
| 712 ngx_http_close_connection(c); | 702 ngx_http_close_connection(c); |
| 713 return; | 703 return; |
| 714 } | 704 } |
| 705 | |
| 706 qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t)); | |
| 707 if (qc == NULL) { | |
| 708 ngx_http_close_connection(c); | |
| 709 return; | |
| 710 } | |
| 711 | |
| 712 c->quic = qc; | |
| 715 | 713 |
| 716 qc->dcid.len = *b->pos++; | 714 qc->dcid.len = *b->pos++; |
| 717 qc->dcid.data = ngx_pnalloc(c->pool, qc->dcid.len); | 715 qc->dcid.data = ngx_pnalloc(c->pool, qc->dcid.len); |
| 718 if (qc->dcid.data == NULL) { | 716 if (qc->dcid.data == NULL) { |
| 719 ngx_http_close_connection(c); | 717 ngx_http_close_connection(c); |
| 785 | 783 |
| 786 size_t is_len; | 784 size_t is_len; |
| 787 uint8_t is[SHA256_DIGEST_LENGTH]; | 785 uint8_t is[SHA256_DIGEST_LENGTH]; |
| 788 ngx_uint_t i; | 786 ngx_uint_t i; |
| 789 const EVP_MD *digest; | 787 const EVP_MD *digest; |
| 790 const ngx_aead_cipher_t *cipher; | 788 const EVP_CIPHER *cipher; |
| 791 static const uint8_t salt[20] = | 789 static const uint8_t salt[20] = |
| 792 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7" | 790 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7" |
| 793 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02"; | 791 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02"; |
| 794 | 792 |
| 795 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | 793 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ |
| 796 | 794 |
| 797 cipher = NGX_QUIC_INITIAL_CIPHER; | 795 cipher = EVP_aes_128_gcm(); |
| 798 digest = EVP_sha256(); | 796 digest = EVP_sha256(); |
| 799 | 797 |
| 800 if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len, | 798 if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len, |
| 801 salt, sizeof(salt)) | 799 salt, sizeof(salt)) |
| 802 != NGX_OK) | 800 != NGX_OK) |
| 824 | 822 |
| 825 /* draft-ietf-quic-tls-23#section-5.2 */ | 823 /* draft-ietf-quic-tls-23#section-5.2 */ |
| 826 qc->client_in.secret.len = SHA256_DIGEST_LENGTH; | 824 qc->client_in.secret.len = SHA256_DIGEST_LENGTH; |
| 827 qc->server_in.secret.len = SHA256_DIGEST_LENGTH; | 825 qc->server_in.secret.len = SHA256_DIGEST_LENGTH; |
| 828 | 826 |
| 829 #ifdef OPENSSL_IS_BORINGSSL | |
| 830 qc->client_in.key.len = EVP_AEAD_key_length(cipher); | |
| 831 qc->server_in.key.len = EVP_AEAD_key_length(cipher); | |
| 832 | |
| 833 qc->client_in.hp.len = EVP_AEAD_key_length(cipher); | |
| 834 qc->server_in.hp.len = EVP_AEAD_key_length(cipher); | |
| 835 | |
| 836 qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher); | |
| 837 qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher); | |
| 838 #else | |
| 839 qc->client_in.key.len = EVP_CIPHER_key_length(cipher); | 827 qc->client_in.key.len = EVP_CIPHER_key_length(cipher); |
| 840 qc->server_in.key.len = EVP_CIPHER_key_length(cipher); | 828 qc->server_in.key.len = EVP_CIPHER_key_length(cipher); |
| 841 | 829 |
| 842 qc->client_in.hp.len = EVP_CIPHER_key_length(cipher); | 830 qc->client_in.hp.len = EVP_CIPHER_key_length(cipher); |
| 843 qc->server_in.hp.len = EVP_CIPHER_key_length(cipher); | 831 qc->server_in.hp.len = EVP_CIPHER_key_length(cipher); |
| 844 | 832 |
| 845 qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher); | 833 qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher); |
| 846 qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher); | 834 qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher); |
| 847 #endif | |
| 848 | |
| 849 #ifdef OPENSSL_IS_BORINGSSL | |
| 850 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, | |
| 851 "quic EVP key:%d tag:%d nonce:%d", | |
| 852 EVP_AEAD_key_length(cipher), | |
| 853 EVP_AEAD_max_tag_len(cipher), | |
| 854 EVP_AEAD_nonce_length(cipher)); | |
| 855 #endif | |
| 856 | 835 |
| 857 struct { | 836 struct { |
| 858 ngx_str_t id; | 837 ngx_str_t label; |
| 859 ngx_str_t *in; | 838 ngx_str_t *key; |
| 860 ngx_str_t *prk; | 839 ngx_str_t *prk; |
| 861 } seq[] = { | 840 } seq[] = { |
| 862 | 841 |
| 863 /* draft-ietf-quic-tls-23#section-5.2 */ | 842 /* draft-ietf-quic-tls-23#section-5.2 */ |
| 864 { ngx_string("tls13 client in"), &qc->client_in.secret, &iss }, | 843 { ngx_string("tls13 client in"), &qc->client_in.secret, &iss }, |
| 892 }, | 871 }, |
| 893 { | 872 { |
| 894 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | 873 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ |
| 895 ngx_string("tls13 quic hp"), | 874 ngx_string("tls13 quic hp"), |
| 896 &qc->server_in.hp, | 875 &qc->server_in.hp, |
| 897 &qc->server_in.secret | 876 &qc->server_in.secret, |
| 898 }, | 877 }, |
| 899 | 878 |
| 900 }; | 879 }; |
| 901 | 880 |
| 902 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | 881 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { |
| 903 | 882 |
| 904 if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 0) | 883 if (ngx_quic_hkdf_expand(c, digest, seq[i].key, &seq[i].label, |
| 884 seq[i].prk->data, seq[i].prk->len) | |
| 905 != NGX_OK) | 885 != NGX_OK) |
| 906 { | 886 { |
| 907 ngx_http_close_connection(c); | 887 ngx_http_close_connection(c); |
| 908 return; | 888 return; |
| 909 } | 889 } |
| 971 } | 951 } |
| 972 #endif | 952 #endif |
| 973 | 953 |
| 974 ngx_str_t out; | 954 ngx_str_t out; |
| 975 | 955 |
| 976 if (ngx_quic_tls_open(c, cipher, &qc->client_in, &out, nonce, &in, &ad) | 956 if (ngx_quic_tls_open(c, EVP_aes_128_gcm(), &qc->client_in, &out, nonce, |
| 957 &in, &ad) | |
| 977 != NGX_OK) | 958 != NGX_OK) |
| 978 { | 959 { |
| 979 ngx_http_close_connection(c); | 960 ngx_http_close_connection(c); |
| 980 return; | 961 return; |
| 981 } | 962 } |
| 1088 static void | 1069 static void |
| 1089 ngx_http_quic_handshake_handler(ngx_event_t *rev) | 1070 ngx_http_quic_handshake_handler(ngx_event_t *rev) |
| 1090 { | 1071 { |
| 1091 size_t m; | 1072 size_t m; |
| 1092 ssize_t n; | 1073 ssize_t n; |
| 1074 ngx_str_t out; | |
| 1093 ngx_connection_t *c; | 1075 ngx_connection_t *c; |
| 1076 const EVP_CIPHER *cipher; | |
| 1094 ngx_quic_connection_t *qc; | 1077 ngx_quic_connection_t *qc; |
| 1095 u_char buf[4096], b[512], *p; | 1078 u_char buf[4096], b[512], *p; |
| 1096 | 1079 |
| 1097 c = rev->data; | 1080 c = rev->data; |
| 1098 qc = c->quic; | 1081 qc = c->quic; |
| 1247 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, | 1230 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, |
| 1248 "quic ad: %*s, len: %uz", m, buf, ad.len); | 1231 "quic ad: %*s, len: %uz", m, buf, ad.len); |
| 1249 } | 1232 } |
| 1250 #endif | 1233 #endif |
| 1251 | 1234 |
| 1252 const ngx_aead_cipher_t *cipher; | |
| 1253 | |
| 1254 u_char *name = (u_char *) SSL_get_cipher(c->ssl->connection); | 1235 u_char *name = (u_char *) SSL_get_cipher(c->ssl->connection); |
| 1255 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0, | 1236 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0, |
| 1256 "quic ssl cipher: %s", name); | 1237 "quic ssl cipher: %s", name); |
| 1257 | 1238 |
| 1258 if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 | 1239 if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 |
| 1259 || ngx_strcasecmp(name, (u_char *) "(NONE)") == 0) | 1240 || ngx_strcasecmp(name, (u_char *) "(NONE)") == 0) |
| 1260 { | 1241 { |
| 1261 #ifdef OPENSSL_IS_BORINGSSL | |
| 1262 cipher = EVP_aead_aes_128_gcm(); | |
| 1263 #else | |
| 1264 cipher = EVP_aes_128_gcm(); | 1242 cipher = EVP_aes_128_gcm(); |
| 1265 #endif | |
| 1266 | 1243 |
| 1267 } else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { | 1244 } else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { |
| 1268 #ifdef OPENSSL_IS_BORINGSSL | |
| 1269 cipher = EVP_aead_aes_256_gcm(); | |
| 1270 #else | |
| 1271 cipher = EVP_aes_256_gcm(); | 1245 cipher = EVP_aes_256_gcm(); |
| 1272 #endif | |
| 1273 | 1246 |
| 1274 } else { | 1247 } else { |
| 1275 ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "unexpected cipher"); | 1248 ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "unexpected cipher"); |
| 1276 ngx_http_close_connection(c); | 1249 ngx_http_close_connection(c); |
| 1277 return; | 1250 return; |
| 1278 } | 1251 } |
| 1279 | |
| 1280 ngx_str_t out; | |
| 1281 | 1252 |
| 1282 if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad) | 1253 if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad) |
| 1283 != NGX_OK) | 1254 != NGX_OK) |
| 1284 { | 1255 { |
| 1285 ngx_http_close_connection(c); | 1256 ngx_http_close_connection(c); |