comparison src/event/quic/ngx_event_quic_protection.c @ 9024:f2925c80401c quic
QUIC: avoided pool usage in ngx_quic_protection.c.
author | Vladimir Homutov <vl@nginx.com> |
date | Wed, 27 Jul 2022 17:16:40 +0400 |
parents | d8b3851f172c |
children | e50f77a2d0b0 |
9023:d8b3851f172c | 9024:f2925c80401c |
111 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, | 111 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, |
112 ngx_str_t *ad, ngx_log_t *log); | 112 ngx_str_t *ad, ngx_log_t *log); |
113 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, | 113 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, |
114 ngx_quic_secret_t *s, u_char *out, u_char *in); | 114 ngx_quic_secret_t *s, u_char *out, u_char *in); |
115 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, | 115 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, |
116 const EVP_MD *digest, ngx_pool_t *pool); | 116 const EVP_MD *digest, ngx_log_t *log); |
117 | 117 |
118 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, | 118 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, |
119 ngx_str_t *res); | 119 ngx_str_t *res); |
120 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, | 120 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, |
121 ngx_str_t *res); | 121 ngx_str_t *res); |
177 return len; | 177 return len; |
178 } | 178 } |
179 | 179 |
180 | 180 |
181 ngx_int_t | 181 ngx_int_t |
182 ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys, | 182 ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret, |
183 ngx_str_t *secret) | 183 ngx_log_t *log) |
184 { | 184 { |
185 size_t is_len; | 185 size_t is_len; |
186 uint8_t is[SHA256_DIGEST_LENGTH]; | 186 uint8_t is[SHA256_DIGEST_LENGTH]; |
187 ngx_uint_t i; | 187 ngx_uint_t i; |
188 const EVP_MD *digest; | 188 const EVP_MD *digest; |
215 ngx_str_t iss = { | 215 ngx_str_t iss = { |
216 .data = is, | 216 .data = is, |
217 .len = is_len | 217 .len = is_len |
218 }; | 218 }; |
219 | 219 |
220 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 220 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0, |
221 "quic ngx_quic_set_initial_secret"); | 221 "quic ngx_quic_set_initial_secret"); |
222 #ifdef NGX_QUIC_DEBUG_CRYPTO | 222 #ifdef NGX_QUIC_DEBUG_CRYPTO |
223 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 223 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0, |
224 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); | 224 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); |
225 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 225 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0, |
226 "quic initial secret len:%uz %*xs", is_len, is_len, is); | 226 "quic initial secret len:%uz %*xs", is_len, is_len, is); |
227 #endif | 227 #endif |
228 | 228 |
229 client->secret.len = SHA256_DIGEST_LENGTH; | 229 client->secret.len = SHA256_DIGEST_LENGTH; |
230 server->secret.len = SHA256_DIGEST_LENGTH; | 230 server->secret.len = SHA256_DIGEST_LENGTH; |
249 ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret), | 249 ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret), |
250 ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret), | 250 ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret), |
251 }; | 251 }; |
252 | 252 |
253 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | 253 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { |
254 if (ngx_quic_hkdf_expand(&seq[i], digest, pool) != NGX_OK) { | 254 if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) { |
255 return NGX_ERROR; | 255 return NGX_ERROR; |
256 } | 256 } |
257 } | 257 } |
258 | 258 |
259 return NGX_OK; | 259 return NGX_OK; |
260 } | 260 } |
261 | 261 |
262 | 262 |
263 static ngx_int_t | 263 static ngx_int_t |
264 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_pool_t *pool) | 264 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log) |
265 { | 265 { |
266 size_t info_len; | 266 size_t info_len; |
267 uint8_t *p; | 267 uint8_t *p; |
268 uint8_t info[20]; | 268 uint8_t info[20]; |
269 | 269 |
278 | 278 |
279 if (ngx_hkdf_expand(h->out, h->out_len, digest, | 279 if (ngx_hkdf_expand(h->out, h->out_len, digest, |
280 h->prk, h->prk_len, info, info_len) | 280 h->prk, h->prk_len, info, info_len) |
281 != NGX_OK) | 281 != NGX_OK) |
282 { | 282 { |
283 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, | 283 ngx_ssl_error(NGX_LOG_INFO, log, 0, |
284 "ngx_hkdf_expand(%*s) failed", h->label_len, h->label); | 284 "ngx_hkdf_expand(%*s) failed", h->label_len, h->label); |
285 return NGX_ERROR; | 285 return NGX_ERROR; |
286 } | 286 } |
287 | 287 |
288 #ifdef NGX_QUIC_DEBUG_CRYPTO | 288 #ifdef NGX_QUIC_DEBUG_CRYPTO |
289 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, pool->log, 0, | 289 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0, |
290 "quic expand \"%*s\" len:%uz %*xs", | 290 "quic expand \"%*s\" len:%uz %*xs", |
291 h->label_len, h->label, h->out_len, h->out_len, h->out); | 291 h->label_len, h->label, h->out_len, h->out_len, h->out); |
292 #endif | 292 #endif |
293 | 293 |
294 return NGX_OK; | 294 return NGX_OK; |
665 return NGX_ERROR; | 665 return NGX_ERROR; |
666 } | 666 } |
667 | 667 |
668 | 668 |
669 ngx_int_t | 669 ngx_int_t |
670 ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write, | 670 ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write, |
671 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level, | 671 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level, |
672 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) | 672 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) |
673 { | 673 { |
674 ngx_int_t key_len; | 674 ngx_int_t key_len; |
675 ngx_str_t secret_str; | 675 ngx_str_t secret_str; |
683 keys->cipher = SSL_CIPHER_get_protocol_id(cipher); | 683 keys->cipher = SSL_CIPHER_get_protocol_id(cipher); |
684 | 684 |
685 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); | 685 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); |
686 | 686 |
687 if (key_len == NGX_ERROR) { | 687 if (key_len == NGX_ERROR) { |
688 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher"); | 688 ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher"); |
689 return NGX_ERROR; | 689 return NGX_ERROR; |
690 } | 690 } |
691 | 691 |
692 if (sizeof(peer_secret->secret.data) < secret_len) { | 692 if (sizeof(peer_secret->secret.data) < secret_len) { |
693 ngx_log_error(NGX_LOG_ALERT, pool->log, 0, | 693 ngx_log_error(NGX_LOG_ALERT, log, 0, |
694 "unexpected secret len: %uz", secret_len); | 694 "unexpected secret len: %uz", secret_len); |
695 return NGX_ERROR; | 695 return NGX_ERROR; |
696 } | 696 } |
697 | 697 |
698 peer_secret->secret.len = secret_len; | 698 peer_secret->secret.len = secret_len; |
710 ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str), | 710 ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str), |
711 ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str), | 711 ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str), |
712 }; | 712 }; |
713 | 713 |
714 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | 714 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { |
715 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, pool) != NGX_OK) { | 715 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) { |
716 return NGX_ERROR; | 716 return NGX_ERROR; |
717 } | 717 } |
718 } | 718 } |
719 | 719 |
720 return NGX_OK; | 720 return NGX_OK; |
800 ngx_quic_hkdf_set("tls13 quic iv", | 800 ngx_quic_hkdf_set("tls13 quic iv", |
801 &next->server.iv, &next->server.secret), | 801 &next->server.iv, &next->server.secret), |
802 }; | 802 }; |
803 | 803 |
804 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | 804 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { |
805 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->pool) != NGX_OK) { | 805 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) { |
806 return NGX_ERROR; | 806 return NGX_ERROR; |
807 } | 807 } |
808 } | 808 } |
809 | 809 |
810 return NGX_OK; | 810 return NGX_OK; |
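Review bot: The new `log` parameter sits in a different position in each of the three reworked signatures: last in `ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret, ngx_log_t *log)` (line 182) and in `ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)` (line 264), but first in `ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write, ...)` (line 670), where it simply inherited the slot `pool` used to occupy. The existing static helper `ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, ...)` at line 113 is also log-first, so the two public setters now disagree with each other and with the file's own helpers; settling on one position (log-first would match `ngx_quic_tls_hp`) would make the call sites easier to read. Because both public prototypes changed, every external caller and the declaration in the header must move in step, which is outside this view and presumably part of the same changeset. A short comment on the two public prototypes, e.g. `/* needs only a log for error reporting; does not allocate */`, would record the property the commit title relies on for anyone calling these from a context without a pool.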