Mercurial > hg > nginx

comparison src/event/quic/ngx_event_quic_protection.c @ 8673:046c951e393a quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: moved all quic sources into src/event/quic.
author Vladimir Homutov <vl@nginx.com>
date Fri, 25 Dec 2020 14:01:28 +0300
parents src/event/ngx_event_quic_protection.c@a4c05aff8ec0
children 3443ee341cc1
comparison
equal deleted inserted replaced
8672:13c537def699 8673:046c951e393a
1
2 /*
3 * Copyright (C) Nginx, Inc.
4 */
5
6
7 #include <ngx_config.h>
8 #include <ngx_core.h>
9 #include <ngx_event.h>
10 #include <ngx_event_quic_transport.h>
11 #include <ngx_event_quic_protection.h>
12
13
14 #define NGX_QUIC_IV_LEN 12
15
16 #define NGX_AES_128_GCM_SHA256 0x1301
17 #define NGX_AES_256_GCM_SHA384 0x1302
18 #define NGX_CHACHA20_POLY1305_SHA256 0x1303
19
20
21 #ifdef OPENSSL_IS_BORINGSSL
22 #define ngx_quic_cipher_t EVP_AEAD
23 #else
24 #define ngx_quic_cipher_t EVP_CIPHER
25 #endif
26
27
28 typedef struct {
29 const ngx_quic_cipher_t *c;
30 const EVP_CIPHER *hp;
31 const EVP_MD *d;
32 } ngx_quic_ciphers_t;
33
34
35 typedef struct ngx_quic_secret_s {
36 ngx_str_t secret;
37 ngx_str_t key;
38 ngx_str_t iv;
39 ngx_str_t hp;
40 } ngx_quic_secret_t;
41
42
43 typedef struct {
44 ngx_quic_secret_t client;
45 ngx_quic_secret_t server;
46 } ngx_quic_secrets_t;
47
48
49 struct ngx_quic_keys_s {
50 ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST];
51 ngx_quic_secrets_t next_key;
52 ngx_uint_t cipher;
53 };
54
55
56 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
57 const EVP_MD *digest, const u_char *prk, size_t prk_len,
58 const u_char *info, size_t info_len);
59 static ngx_int_t ngx_hkdf_extract(u_char *out_key, size_t *out_len,
60 const EVP_MD *digest, const u_char *secret, size_t secret_len,
61 const u_char *salt, size_t salt_len);
62
63 static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
64 uint64_t *largest_pn);
65 static void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
66 static ngx_int_t ngx_quic_ciphers(ngx_uint_t id,
67 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level);
68
69 static ngx_int_t ngx_quic_tls_open(const ngx_quic_cipher_t *cipher,
70 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
71 ngx_str_t *ad, ngx_log_t *log);
72 static ngx_int_t ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher,
73 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
74 ngx_str_t *ad, ngx_log_t *log);
75 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
76 ngx_quic_secret_t *s, u_char *out, u_char *in);
77 static ngx_int_t ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest,
78 ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len);
79
80 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
81 ngx_str_t *res);
82 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
83 ngx_str_t *res);
84
85
86 static ngx_int_t
87 ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
88 enum ssl_encryption_level_t level)
89 {
90 ngx_int_t len;
91
92 if (level == ssl_encryption_initial) {
93 id = NGX_AES_128_GCM_SHA256;
94 }
95
96 switch (id) {
97
98 case NGX_AES_128_GCM_SHA256:
99 #ifdef OPENSSL_IS_BORINGSSL
100 ciphers->c = EVP_aead_aes_128_gcm();
101 #else
102 ciphers->c = EVP_aes_128_gcm();
103 #endif
104 ciphers->hp = EVP_aes_128_ctr();
105 ciphers->d = EVP_sha256();
106 len = 16;
107 break;
108
109 case NGX_AES_256_GCM_SHA384:
110 #ifdef OPENSSL_IS_BORINGSSL
111 ciphers->c = EVP_aead_aes_256_gcm();
112 #else
113 ciphers->c = EVP_aes_256_gcm();
114 #endif
115 ciphers->hp = EVP_aes_256_ctr();
116 ciphers->d = EVP_sha384();
117 len = 32;
118 break;
119
120 case NGX_CHACHA20_POLY1305_SHA256:
121 #ifdef OPENSSL_IS_BORINGSSL
122 ciphers->c = EVP_aead_chacha20_poly1305();
123 #else
124 ciphers->c = EVP_chacha20_poly1305();
125 #endif
126 #ifdef OPENSSL_IS_BORINGSSL
127 ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
128 #else
129 ciphers->hp = EVP_chacha20();
130 #endif
131 ciphers->d = EVP_sha256();
132 len = 32;
133 break;
134
135 default:
136 return NGX_ERROR;
137 }
138
139 return len;
140 }
141
142
143 ngx_int_t
144 ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
145 ngx_str_t *secret)
146 {
147 size_t is_len;
148 uint8_t is[SHA256_DIGEST_LENGTH];
149 ngx_uint_t i;
150 const EVP_MD *digest;
151 const EVP_CIPHER *cipher;
152 ngx_quic_secret_t *client, *server;
153
154 static const uint8_t salt[20] =
155 #if (NGX_QUIC_DRAFT_VERSION >= 29)
156 "\xaf\xbf\xec\x28\x99\x93\xd2\x4c\x9e\x97"
157 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99";
158 #else
159 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7"
160 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02";
161 #endif
162
163 client = &keys->secrets[ssl_encryption_initial].client;
164 server = &keys->secrets[ssl_encryption_initial].server;
165
166 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
167
168 cipher = EVP_aes_128_gcm();
169 digest = EVP_sha256();
170
171 if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
172 salt, sizeof(salt))
173 != NGX_OK)
174 {
175 return NGX_ERROR;
176 }
177
178 ngx_str_t iss = {
179 .data = is,
180 .len = is_len
181 };
182
183 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0,
184 "quic ngx_quic_set_initial_secret");
185 #ifdef NGX_QUIC_DEBUG_CRYPTO
186 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
187 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt);
188 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
189 "quic initial secret len:%uz %*xs", is_len, is_len, is);
190 #endif
191
192 /* draft-ietf-quic-tls-23#section-5.2 */
193 client->secret.len = SHA256_DIGEST_LENGTH;
194 server->secret.len = SHA256_DIGEST_LENGTH;
195
196 client->key.len = EVP_CIPHER_key_length(cipher);
197 server->key.len = EVP_CIPHER_key_length(cipher);
198
199 client->hp.len = EVP_CIPHER_key_length(cipher);
200 server->hp.len = EVP_CIPHER_key_length(cipher);
201
202 client->iv.len = EVP_CIPHER_iv_length(cipher);
203 server->iv.len = EVP_CIPHER_iv_length(cipher);
204
205 struct {
206 ngx_str_t label;
207 ngx_str_t *key;
208 ngx_str_t *prk;
209 } seq[] = {
210
211 /* draft-ietf-quic-tls-23#section-5.2 */
212 { ngx_string("tls13 client in"), &client->secret, &iss },
213 {
214 ngx_string("tls13 quic key"),
215 &client->key,
216 &client->secret,
217 },
218 {
219 ngx_string("tls13 quic iv"),
220 &client->iv,
221 &client->secret,
222 },
223 {
224 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
225 ngx_string("tls13 quic hp"),
226 &client->hp,
227 &client->secret,
228 },
229 { ngx_string("tls13 server in"), &server->secret, &iss },
230 {
231 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
232 ngx_string("tls13 quic key"),
233 &server->key,
234 &server->secret,
235 },
236 {
237 ngx_string("tls13 quic iv"),
238 &server->iv,
239 &server->secret,
240 },
241 {
242 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
243 ngx_string("tls13 quic hp"),
244 &server->hp,
245 &server->secret,
246 },
247
248 };
249
250 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
251
252 if (ngx_quic_hkdf_expand(pool, digest, seq[i].key, &seq[i].label,
253 seq[i].prk->data, seq[i].prk->len)
254 != NGX_OK)
255 {
256 return NGX_ERROR;
257 }
258 }
259
260 return NGX_OK;
261 }
262
263
264 static ngx_int_t
265 ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, ngx_str_t *out,
266 ngx_str_t *label, const uint8_t *prk, size_t prk_len)
267 {
268 size_t info_len;
269 uint8_t *p;
270 uint8_t info[20];
271
272 if (out->data == NULL) {
273 out->data = ngx_pnalloc(pool, out->len);
274 if (out->data == NULL) {
275 return NGX_ERROR;
276 }
277 }
278
279 info_len = 2 + 1 + label->len + 1;
280
281 info[0] = 0;
282 info[1] = out->len;
283 info[2] = label->len;
284 p = ngx_cpymem(&info[3], label->data, label->len);
285 *p = '\0';
286
287 if (ngx_hkdf_expand(out->data, out->len, digest,
288 prk, prk_len, info, info_len)
289 != NGX_OK)
290 {
291 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0,
292 "ngx_hkdf_expand(%V) failed", label);
293 return NGX_ERROR;
294 }
295
296 #ifdef NGX_QUIC_DEBUG_CRYPTO
297 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
298 "quic expand %V key len:%uz %xV", label, out->len, out);
299 #endif
300
301 return NGX_OK;
302 }
303
304
305 static ngx_int_t
306 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
307 const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
308 {
309 #ifdef OPENSSL_IS_BORINGSSL
310 if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
311 == 0)
312 {
313 return NGX_ERROR;
314 }
315 #else
316
317 EVP_PKEY_CTX *pctx;
318
319 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
320
321 if (EVP_PKEY_derive_init(pctx) <= 0) {
322 return NGX_ERROR;
323 }
324
325 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
326 return NGX_ERROR;
327 }
328
329 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
330 return NGX_ERROR;
331 }
332
333 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
334 return NGX_ERROR;
335 }
336
337 if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
338 return NGX_ERROR;
339 }
340
341 if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
342 return NGX_ERROR;
343 }
344
345 #endif
346
347 return NGX_OK;
348 }
349
350
351 static ngx_int_t
352 ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
353 const u_char *secret, size_t secret_len, const u_char *salt,
354 size_t salt_len)
355 {
356 #ifdef OPENSSL_IS_BORINGSSL
357 if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
358 salt_len)
359 == 0)
360 {
361 return NGX_ERROR;
362 }
363 #else
364
365 EVP_PKEY_CTX *pctx;
366
367 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
368
369 if (EVP_PKEY_derive_init(pctx) <= 0) {
370 return NGX_ERROR;
371 }
372
373 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) {
374 return NGX_ERROR;
375 }
376
377 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
378 return NGX_ERROR;
379 }
380
381 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) {
382 return NGX_ERROR;
383 }
384
385 if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) {
386 return NGX_ERROR;
387 }
388
389 if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) {
390 return NGX_ERROR;
391 }
392
393 #endif
394
395 return NGX_OK;
396 }
397
398
399 static ngx_int_t
400 ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
401 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad,
402 ngx_log_t *log)
403 {
404
405 #ifdef OPENSSL_IS_BORINGSSL
406 EVP_AEAD_CTX *ctx;
407
408 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
409 EVP_AEAD_DEFAULT_TAG_LENGTH);
410 if (ctx == NULL) {
411 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
412 return NGX_ERROR;
413 }
414
415 if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
416 in->data, in->len, ad->data, ad->len)
417 != 1)
418 {
419 EVP_AEAD_CTX_free(ctx);
420 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_open() failed");
421 return NGX_ERROR;
422 }
423
424 EVP_AEAD_CTX_free(ctx);
425 #else
426 int len;
427 u_char *tag;
428 EVP_CIPHER_CTX *ctx;
429
430 ctx = EVP_CIPHER_CTX_new();
431 if (ctx == NULL) {
432 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
433 return NGX_ERROR;
434 }
435
436 if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
437 EVP_CIPHER_CTX_free(ctx);
438 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
439 return NGX_ERROR;
440 }
441
442 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
443 == 0)
444 {
445 EVP_CIPHER_CTX_free(ctx);
446 ngx_ssl_error(NGX_LOG_INFO, log, 0,
447 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
448 return NGX_ERROR;
449 }
450
451 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
452 EVP_CIPHER_CTX_free(ctx);
453 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
454 return NGX_ERROR;
455 }
456
457 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
458 EVP_CIPHER_CTX_free(ctx);
459 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
460 return NGX_ERROR;
461 }
462
463 if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
464 in->len - EVP_GCM_TLS_TAG_LEN)
465 != 1)
466 {
467 EVP_CIPHER_CTX_free(ctx);
468 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
469 return NGX_ERROR;
470 }
471
472 out->len = len;
473 tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
474
475 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
476 == 0)
477 {
478 EVP_CIPHER_CTX_free(ctx);
479 ngx_ssl_error(NGX_LOG_INFO, log, 0,
480 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
481 return NGX_ERROR;
482 }
483
484 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
485 EVP_CIPHER_CTX_free(ctx);
486 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed");
487 return NGX_ERROR;
488 }
489
490 out->len += len;
491
492 EVP_CIPHER_CTX_free(ctx);
493 #endif
494
495 return NGX_OK;
496 }
497
498
499 static ngx_int_t
500 ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
501 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
502 {
503
504 #ifdef OPENSSL_IS_BORINGSSL
505 EVP_AEAD_CTX *ctx;
506
507 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
508 EVP_AEAD_DEFAULT_TAG_LENGTH);
509 if (ctx == NULL) {
510 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
511 return NGX_ERROR;
512 }
513
514 if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
515 in->data, in->len, ad->data, ad->len)
516 != 1)
517 {
518 EVP_AEAD_CTX_free(ctx);
519 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_seal() failed");
520 return NGX_ERROR;
521 }
522
523 EVP_AEAD_CTX_free(ctx);
524 #else
525 int len;
526 EVP_CIPHER_CTX *ctx;
527
528 ctx = EVP_CIPHER_CTX_new();
529 if (ctx == NULL) {
530 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
531 return NGX_ERROR;
532 }
533
534 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
535 EVP_CIPHER_CTX_free(ctx);
536 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
537 return NGX_ERROR;
538 }
539
540 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
541 == 0)
542 {
543 EVP_CIPHER_CTX_free(ctx);
544 ngx_ssl_error(NGX_LOG_INFO, log, 0,
545 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
546 return NGX_ERROR;
547 }
548
549 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
550 EVP_CIPHER_CTX_free(ctx);
551 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
552 return NGX_ERROR;
553 }
554
555 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
556 EVP_CIPHER_CTX_free(ctx);
557 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
558 return NGX_ERROR;
559 }
560
561 if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) {
562 EVP_CIPHER_CTX_free(ctx);
563 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
564 return NGX_ERROR;
565 }
566
567 out->len = len;
568
569 if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) {
570 EVP_CIPHER_CTX_free(ctx);
571 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_ex failed");
572 return NGX_ERROR;
573 }
574
575 out->len += len;
576
577 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
578 out->data + in->len)
579 == 0)
580 {
581 EVP_CIPHER_CTX_free(ctx);
582 ngx_ssl_error(NGX_LOG_INFO, log, 0,
583 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
584 return NGX_ERROR;
585 }
586
587 EVP_CIPHER_CTX_free(ctx);
588
589 out->len += EVP_GCM_TLS_TAG_LEN;
590 #endif
591 return NGX_OK;
592 }
593
594
595 static ngx_int_t
596 ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
597 ngx_quic_secret_t *s, u_char *out, u_char *in)
598 {
599 int outlen;
600 EVP_CIPHER_CTX *ctx;
601 u_char zero[5] = {0};
602
603 #ifdef OPENSSL_IS_BORINGSSL
604 uint32_t counter;
605
606 ngx_memcpy(&counter, in, sizeof(uint32_t));
607
608 if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
609 CRYPTO_chacha_20(out, zero, 5, s->hp.data, &in[4], counter);
610 return NGX_OK;
611 }
612 #endif
613
614 ctx = EVP_CIPHER_CTX_new();
615 if (ctx == NULL) {
616 return NGX_ERROR;
617 }
618
619 if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, in) != 1) {
620 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
621 goto failed;
622 }
623
624 if (!EVP_EncryptUpdate(ctx, out, &outlen, zero, 5)) {
625 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
626 goto failed;
627 }
628
629 if (!EVP_EncryptFinal_ex(ctx, out + 5, &outlen)) {
630 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_Ex() failed");
631 goto failed;
632 }
633
634 EVP_CIPHER_CTX_free(ctx);
635
636 return NGX_OK;
637
638 failed:
639
640 EVP_CIPHER_CTX_free(ctx);
641
642 return NGX_ERROR;
643 }
644
645
646 int ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write,
647 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
648 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
649 {
650 ngx_int_t key_len;
651 ngx_uint_t i;
652 ngx_quic_secret_t *peer_secret;
653 ngx_quic_ciphers_t ciphers;
654
655 peer_secret = is_write ? &keys->secrets[level].server
656 : &keys->secrets[level].client;
657
658 keys->cipher = SSL_CIPHER_get_protocol_id(cipher);
659
660 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
661
662 if (key_len == NGX_ERROR) {
663 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher");
664 return 0;
665 }
666
667 if (level == ssl_encryption_initial) {
668 return 0;
669 }
670
671 peer_secret->secret.data = ngx_pnalloc(pool, secret_len);
672 if (peer_secret->secret.data == NULL) {
673 return NGX_ERROR;
674 }
675
676 peer_secret->secret.len = secret_len;
677 ngx_memcpy(peer_secret->secret.data, secret, secret_len);
678
679 peer_secret->key.len = key_len;
680 peer_secret->iv.len = NGX_QUIC_IV_LEN;
681 peer_secret->hp.len = key_len;
682
683 struct {
684 ngx_str_t label;
685 ngx_str_t *key;
686 const uint8_t *secret;
687 } seq[] = {
688 { ngx_string("tls13 quic key"), &peer_secret->key, secret },
689 { ngx_string("tls13 quic iv"), &peer_secret->iv, secret },
690 { ngx_string("tls13 quic hp"), &peer_secret->hp, secret },
691 };
692
693 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
694
695 if (ngx_quic_hkdf_expand(pool, ciphers.d, seq[i].key, &seq[i].label,
696 seq[i].secret, secret_len)
697 != NGX_OK)
698 {
699 return 0;
700 }
701 }
702
703 return 1;
704 }
705
706
707 ngx_quic_keys_t *
708 ngx_quic_keys_new(ngx_pool_t *pool)
709 {
710 return ngx_pcalloc(pool, sizeof(ngx_quic_keys_t));
711 }
712
713
714 ngx_uint_t
715 ngx_quic_keys_available(ngx_quic_keys_t *keys,
716 enum ssl_encryption_level_t level)
717 {
718 return keys->secrets[level].client.key.len != 0;
719 }
720
721
722 void
723 ngx_quic_keys_discard(ngx_quic_keys_t *keys,
724 enum ssl_encryption_level_t level)
725 {
726 keys->secrets[level].client.key.len = 0;
727 }
728
729
730 void
731 ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys)
732 {
733 ngx_quic_secrets_t *current, *next, tmp;
734
735 current = &keys->secrets[ssl_encryption_application];
736 next = &keys->next_key;
737
738 tmp = *current;
739 *current = *next;
740 *next = tmp;
741 }
742
743
744 ngx_int_t
745 ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys)
746 {
747 ngx_uint_t i;
748 ngx_quic_ciphers_t ciphers;
749 ngx_quic_secrets_t *current, *next;
750
751 current = &keys->secrets[ssl_encryption_application];
752 next = &keys->next_key;
753
754 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update");
755
756 if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application)
757 == NGX_ERROR)
758 {
759 return NGX_ERROR;
760 }
761
762 next->client.secret.len = current->client.secret.len;
763 next->client.key.len = current->client.key.len;
764 next->client.iv.len = current->client.iv.len;
765 next->client.hp = current->client.hp;
766
767 next->server.secret.len = current->server.secret.len;
768 next->server.key.len = current->server.key.len;
769 next->server.iv.len = current->server.iv.len;
770 next->server.hp = current->server.hp;
771
772 struct {
773 ngx_str_t label;
774 ngx_str_t *key;
775 ngx_str_t *secret;
776 } seq[] = {
777 {
778 ngx_string("tls13 quic ku"),
779 &next->client.secret,
780 &current->client.secret,
781 },
782 {
783 ngx_string("tls13 quic key"),
784 &next->client.key,
785 &next->client.secret,
786 },
787 {
788 ngx_string("tls13 quic iv"),
789 &next->client.iv,
790 &next->client.secret,
791 },
792 {
793 ngx_string("tls13 quic ku"),
794 &next->server.secret,
795 &current->server.secret,
796 },
797 {
798 ngx_string("tls13 quic key"),
799 &next->server.key,
800 &next->server.secret,
801 },
802 {
803 ngx_string("tls13 quic iv"),
804 &next->server.iv,
805 &next->server.secret,
806 },
807 };
808
809 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
810
811 if (ngx_quic_hkdf_expand(c->pool, ciphers.d, seq[i].key, &seq[i].label,
812 seq[i].secret->data, seq[i].secret->len)
813 != NGX_OK)
814 {
815 return NGX_ERROR;
816 }
817 }
818
819 return NGX_OK;
820 }
821
822
823 static ngx_int_t
824 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
825 {
826 u_char *pnp, *sample;
827 ngx_str_t ad, out;
828 ngx_uint_t i;
829 ngx_quic_secret_t *secret;
830 ngx_quic_ciphers_t ciphers;
831 u_char nonce[12], mask[16];
832
833 out.len = pkt->payload.len + EVP_GCM_TLS_TAG_LEN;
834
835 ad.data = res->data;
836 ad.len = ngx_quic_create_header(pkt, ad.data, out.len, &pnp);
837
838 out.data = res->data + ad.len;
839
840 #ifdef NGX_QUIC_DEBUG_CRYPTO
841 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
842 "quic ad len:%uz %xV", ad.len, &ad);
843 #endif
844
845 if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR)
846 {
847 return NGX_ERROR;
848 }
849
850 secret = &pkt->keys->secrets[pkt->level].server;
851
852 ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
853 ngx_quic_compute_nonce(nonce, sizeof(nonce), pkt->number);
854
855 if (ngx_quic_tls_seal(ciphers.c, secret, &out,
856 nonce, &pkt->payload, &ad, pkt->log)
857 != NGX_OK)
858 {
859 return NGX_ERROR;
860 }
861
862 sample = &out.data[4 - pkt->num_len];
863 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample)
864 != NGX_OK)
865 {
866 return NGX_ERROR;
867 }
868
869 /* quic-tls: 5.4.1. Header Protection Application */
870 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags);
871
872 for (i = 0; i < pkt->num_len; i++) {
873 pnp[i] ^= mask[i + 1];
874 }
875
876 res->len = ad.len + out.len;
877
878 return NGX_OK;
879 }
880
881
882 static ngx_int_t
883 ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
884 {
885 u_char *start;
886 ngx_str_t ad, itag;
887 ngx_quic_secret_t secret;
888 ngx_quic_ciphers_t ciphers;
889
890 /* 5.8. Retry Packet Integrity */
891 static u_char key[16] =
892 #if (NGX_QUIC_DRAFT_VERSION >= 29)
893 "\xcc\xce\x18\x7e\xd0\x9a\x09\xd0\x57\x28\x15\x5a\x6c\xb9\x6b\xe1";
894 #else
895 "\x4d\x32\xec\xdb\x2a\x21\x33\xc8\x41\xe4\x04\x3d\xf2\x7d\x44\x30";
896 #endif
897 static u_char nonce[12] =
898 #if (NGX_QUIC_DRAFT_VERSION >= 29)
899 "\xe5\x49\x30\xf9\x7f\x21\x36\xf0\x53\x0a\x8c\x1c";
900 #else
901 "\x4d\x16\x11\xd0\x55\x13\xa5\x52\xc5\x87\xd5\x75";
902 #endif
903 static ngx_str_t in = ngx_string("");
904
905 ad.data = res->data;
906 ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
907
908 itag.data = ad.data + ad.len;
909 itag.len = EVP_GCM_TLS_TAG_LEN;
910
911 #ifdef NGX_QUIC_DEBUG_CRYPTO
912 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
913 "quic retry itag len:%uz %xV", ad.len, &ad);
914 #endif
915
916 if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) {
917 return NGX_ERROR;
918 }
919
920 secret.key.len = sizeof(key);
921 secret.key.data = key;
922 secret.iv.len = sizeof(nonce);
923
924 if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
925 != NGX_OK)
926 {
927 return NGX_ERROR;
928 }
929
930 res->len = itag.data + itag.len - start;
931 res->data = start;
932
933 return NGX_OK;
934 }
935
936
937 ngx_int_t
938 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, ngx_str_t *secret,
939 u_char *token)
940 {
941 uint8_t *p;
942 size_t is_len, key_len, info_len;
943 ngx_str_t label;
944 const EVP_MD *digest;
945 uint8_t info[20];
946 uint8_t is[SHA256_DIGEST_LENGTH];
947 uint8_t key[SHA256_DIGEST_LENGTH];
948
949 /* 10.4.2. Calculating a Stateless Reset Token */
950
951 digest = EVP_sha256();
952 ngx_str_set(&label, "sr_token_key");
953
954 if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
955 cid->data, cid->len)
956 != NGX_OK)
957 {
958 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
959 "ngx_hkdf_extract(%V) failed", &label);
960 return NGX_ERROR;
961 }
962
963 key_len = SHA256_DIGEST_LENGTH;
964
965 info_len = 2 + 1 + label.len + 1;
966
967 info[0] = 0;
968 info[1] = key_len;
969 info[2] = label.len;
970
971 p = ngx_cpymem(&info[3], label.data, label.len);
972 *p = '\0';
973
974 if (ngx_hkdf_expand(key, key_len, digest, is, is_len, info, info_len)
975 != NGX_OK)
976 {
977 ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
978 "ngx_hkdf_expand(%V) failed", &label);
979 return NGX_ERROR;
980 }
981
982 ngx_memcpy(token, key, NGX_QUIC_SR_TOKEN_LEN);
983
984 #if (NGX_DEBUG)
985 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
986 "quic stateless reset token %*xs",
987 (size_t) NGX_QUIC_SR_TOKEN_LEN, token);
988 #endif
989
990 return NGX_OK;
991 }
992
993
994 static uint64_t
995 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
996 uint64_t *largest_pn)
997 {
998 u_char *p;
999 uint64_t truncated_pn, expected_pn, candidate_pn;
1000 uint64_t pn_nbits, pn_win, pn_hwin, pn_mask;
1001
1002 pn_nbits = ngx_min(len * 8, 62);
1003
1004 p = *pos;
1005 truncated_pn = *p++ ^ *mask++;
1006
1007 while (--len) {
1008 truncated_pn = (truncated_pn << 8) + (*p++ ^ *mask++);
1009 }
1010
1011 *pos = p;
1012
1013 expected_pn = *largest_pn + 1;
1014 pn_win = 1ULL << pn_nbits;
1015 pn_hwin = pn_win / 2;
1016 pn_mask = pn_win - 1;
1017
1018 candidate_pn = (expected_pn & ~pn_mask) | truncated_pn;
1019
1020 if ((int64_t) candidate_pn <= (int64_t) (expected_pn - pn_hwin)
1021 && candidate_pn < (1ULL << 62) - pn_win)
1022 {
1023 candidate_pn += pn_win;
1024
1025 } else if (candidate_pn > expected_pn + pn_hwin
1026 && candidate_pn >= pn_win)
1027 {
1028 candidate_pn -= pn_win;
1029 }
1030
1031 *largest_pn = ngx_max((int64_t) *largest_pn, (int64_t) candidate_pn);
1032
1033 return candidate_pn;
1034 }
1035
1036
1037 static void
1038 ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn)
1039 {
1040 nonce[len - 4] ^= (pn & 0xff000000) >> 24;
1041 nonce[len - 3] ^= (pn & 0x00ff0000) >> 16;
1042 nonce[len - 2] ^= (pn & 0x0000ff00) >> 8;
1043 nonce[len - 1] ^= (pn & 0x000000ff);
1044 }
1045
1046
1047 ngx_int_t
1048 ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res)
1049 {
1050 if (ngx_quic_pkt_retry(pkt->flags)) {
1051 return ngx_quic_create_retry_packet(pkt, res);
1052 }
1053
1054 return ngx_quic_create_packet(pkt, res);
1055 }
1056
1057
1058 ngx_int_t
1059 ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
1060 {
1061 u_char *p, *sample;
1062 size_t len;
1063 uint64_t pn, lpn;
1064 ngx_int_t pnl, rc, key_phase;
1065 ngx_str_t in, ad;
1066 ngx_quic_secret_t *secret;
1067 ngx_quic_ciphers_t ciphers;
1068 uint8_t mask[16], nonce[12];
1069
1070 if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR)
1071 {
1072 return NGX_ERROR;
1073 }
1074
1075 secret = &pkt->keys->secrets[pkt->level].client;
1076
1077 p = pkt->raw->pos;
1078 len = pkt->data + pkt->len - p;
1079
1080 /* draft-ietf-quic-tls-23#section-5.4.2:
1081 * the Packet Number field is assumed to be 4 bytes long
1082 * draft-ietf-quic-tls-23#section-5.4.[34]:
1083 * AES-Based and ChaCha20-Based header protections sample 16 bytes
1084 */
1085
1086 if (len < EVP_GCM_TLS_TAG_LEN + 4) {
1087 return NGX_DECLINED;
1088 }
1089
1090 sample = p + 4;
1091
1092 /* header protection */
1093
1094 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample)
1095 != NGX_OK)
1096 {
1097 return NGX_DECLINED;
1098 }
1099
1100 pkt->flags ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags);
1101
1102 if (ngx_quic_short_pkt(pkt->flags)) {
1103 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
1104
1105 if (key_phase != pkt->key_phase) {
1106 secret = &pkt->keys->next_key.client;
1107 pkt->key_update = 1;
1108 }
1109 }
1110
1111 lpn = *largest_pn;
1112
1113 pnl = (pkt->flags & 0x03) + 1;
1114 pn = ngx_quic_parse_pn(&p, pnl, &mask[1], &lpn);
1115
1116 pkt->pn = pn;
1117
1118 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
1119 "quic packet rx clearflags:%xd", pkt->flags);
1120 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
1121 "quic packet rx number:%uL len:%xi", pn, pnl);
1122
1123 /* packet protection */
1124
1125 in.data = p;
1126 in.len = len - pnl;
1127
1128 ad.len = p - pkt->data;
1129 ad.data = pkt->plaintext;
1130
1131 ngx_memcpy(ad.data, pkt->data, ad.len);
1132 ad.data[0] = pkt->flags;
1133
1134 do {
1135 ad.data[ad.len - pnl] = pn >> (8 * (pnl - 1)) % 256;
1136 } while (--pnl);
1137
1138 ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
1139 ngx_quic_compute_nonce(nonce, sizeof(nonce), pn);
1140
1141 #ifdef NGX_QUIC_DEBUG_CRYPTO
1142 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
1143 "quic ad len:%uz %xV", ad.len, &ad);
1144 #endif
1145
1146 pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN;
1147 pkt->payload.data = pkt->plaintext + ad.len;
1148
1149 rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload,
1150 nonce, &in, &ad, pkt->log);
1151 if (rc != NGX_OK) {
1152 return NGX_DECLINED;
1153 }
1154
1155 if (pkt->payload.len == 0) {
1156 /*
1157 * An endpoint MUST treat receipt of a packet containing no
1158 * frames as a connection error of type PROTOCOL_VIOLATION.
1159 */
1160 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet");
1161 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
1162 return NGX_ERROR;
1163 }
1164
1165 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) {
1166 /*
1167 * An endpoint MUST treat receipt of a packet that has
1168 * a non-zero value for these bits, after removing both
1169 * packet and header protection, as a connection error
1170 * of type PROTOCOL_VIOLATION.
1171 */
1172 ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
1173 "quic reserved bit set in packet");
1174 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION;
1175 return NGX_ERROR;
1176 }
1177
1178 #if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
1179 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
1180 "quic packet payload len:%uz %xV",
1181 pkt->payload.len, &pkt->payload);
1182 #endif
1183
1184 *largest_pn = lpn;
1185
1186 return NGX_OK;
1187 }
1188