comparison src/event/quic/ngx_event_quic_protection.c @ 9024:f2925c80401c quic

QUIC: avoided pool usage in ngx_quic_protection.c.
author Vladimir Homutov <vl@nginx.com>
date Wed, 27 Jul 2022 17:16:40 +0400
parents d8b3851f172c
children e50f77a2d0b0
9023:d8b3851f172c 9024:f2925c80401c
111 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, 111 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
112 ngx_str_t *ad, ngx_log_t *log); 112 ngx_str_t *ad, ngx_log_t *log);
113 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, 113 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
114 ngx_quic_secret_t *s, u_char *out, u_char *in); 114 ngx_quic_secret_t *s, u_char *out, u_char *in);
115 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, 115 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf,
116 const EVP_MD *digest, ngx_pool_t *pool); 116 const EVP_MD *digest, ngx_log_t *log);
117 117
118 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, 118 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
119 ngx_str_t *res); 119 ngx_str_t *res);
120 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, 120 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt,
121 ngx_str_t *res); 121 ngx_str_t *res);
177 return len; 177 return len;
178 } 178 }
179 179
180 180
181 ngx_int_t 181 ngx_int_t
182 ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys, 182 ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret,
183 ngx_str_t *secret) 183 ngx_log_t *log)
184 { 184 {
185 size_t is_len; 185 size_t is_len;
186 uint8_t is[SHA256_DIGEST_LENGTH]; 186 uint8_t is[SHA256_DIGEST_LENGTH];
187 ngx_uint_t i; 187 ngx_uint_t i;
188 const EVP_MD *digest; 188 const EVP_MD *digest;
215 ngx_str_t iss = { 215 ngx_str_t iss = {
216 .data = is, 216 .data = is,
217 .len = is_len 217 .len = is_len
218 }; 218 };
219 219
220 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0, 220 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0,
221 "quic ngx_quic_set_initial_secret"); 221 "quic ngx_quic_set_initial_secret");
222 #ifdef NGX_QUIC_DEBUG_CRYPTO 222 #ifdef NGX_QUIC_DEBUG_CRYPTO
223 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, 223 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
224 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); 224 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt);
225 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, 225 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
226 "quic initial secret len:%uz %*xs", is_len, is_len, is); 226 "quic initial secret len:%uz %*xs", is_len, is_len, is);
227 #endif 227 #endif
228 228
229 client->secret.len = SHA256_DIGEST_LENGTH; 229 client->secret.len = SHA256_DIGEST_LENGTH;
230 server->secret.len = SHA256_DIGEST_LENGTH; 230 server->secret.len = SHA256_DIGEST_LENGTH;
249 ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret), 249 ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret),
250 ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret), 250 ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret),
251 }; 251 };
252 252
253 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { 253 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
254 if (ngx_quic_hkdf_expand(&seq[i], digest, pool) != NGX_OK) { 254 if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) {
255 return NGX_ERROR; 255 return NGX_ERROR;
256 } 256 }
257 } 257 }
258 258
259 return NGX_OK; 259 return NGX_OK;
260 } 260 }
261 261
262 262
263 static ngx_int_t 263 static ngx_int_t
264 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_pool_t *pool) 264 ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)
265 { 265 {
266 size_t info_len; 266 size_t info_len;
267 uint8_t *p; 267 uint8_t *p;
268 uint8_t info[20]; 268 uint8_t info[20];
269 269
278 278
279 if (ngx_hkdf_expand(h->out, h->out_len, digest, 279 if (ngx_hkdf_expand(h->out, h->out_len, digest,
280 h->prk, h->prk_len, info, info_len) 280 h->prk, h->prk_len, info, info_len)
281 != NGX_OK) 281 != NGX_OK)
282 { 282 {
283 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, 283 ngx_ssl_error(NGX_LOG_INFO, log, 0,
284 "ngx_hkdf_expand(%*s) failed", h->label_len, h->label); 284 "ngx_hkdf_expand(%*s) failed", h->label_len, h->label);
285 return NGX_ERROR; 285 return NGX_ERROR;
286 } 286 }
287 287
288 #ifdef NGX_QUIC_DEBUG_CRYPTO 288 #ifdef NGX_QUIC_DEBUG_CRYPTO
289 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, pool->log, 0, 289 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0,
290 "quic expand \"%*s\" len:%uz %*xs", 290 "quic expand \"%*s\" len:%uz %*xs",
291 h->label_len, h->label, h->out_len, h->out_len, h->out); 291 h->label_len, h->label, h->out_len, h->out_len, h->out);
292 #endif 292 #endif
293 293
294 return NGX_OK; 294 return NGX_OK;
665 return NGX_ERROR; 665 return NGX_ERROR;
666 } 666 }
667 667
668 668
669 ngx_int_t 669 ngx_int_t
670 ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write, 670 ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
671 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level, 671 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
672 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) 672 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
673 { 673 {
674 ngx_int_t key_len; 674 ngx_int_t key_len;
675 ngx_str_t secret_str; 675 ngx_str_t secret_str;
683 keys->cipher = SSL_CIPHER_get_protocol_id(cipher); 683 keys->cipher = SSL_CIPHER_get_protocol_id(cipher);
684 684
685 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); 685 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
686 686
687 if (key_len == NGX_ERROR) { 687 if (key_len == NGX_ERROR) {
688 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher"); 688 ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
689 return NGX_ERROR; 689 return NGX_ERROR;
690 } 690 }
691 691
692 if (sizeof(peer_secret->secret.data) < secret_len) { 692 if (sizeof(peer_secret->secret.data) < secret_len) {
693 ngx_log_error(NGX_LOG_ALERT, pool->log, 0, 693 ngx_log_error(NGX_LOG_ALERT, log, 0,
694 "unexpected secret len: %uz", secret_len); 694 "unexpected secret len: %uz", secret_len);
695 return NGX_ERROR; 695 return NGX_ERROR;
696 } 696 }
697 697
698 peer_secret->secret.len = secret_len; 698 peer_secret->secret.len = secret_len;
710 ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str), 710 ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str),
711 ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str), 711 ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str),
712 }; 712 };
713 713
714 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { 714 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
715 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, pool) != NGX_OK) { 715 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
716 return NGX_ERROR; 716 return NGX_ERROR;
717 } 717 }
718 } 718 }
719 719
720 return NGX_OK; 720 return NGX_OK;
800 ngx_quic_hkdf_set("tls13 quic iv", 800 ngx_quic_hkdf_set("tls13 quic iv",
801 &next->server.iv, &next->server.secret), 801 &next->server.iv, &next->server.secret),
802 }; 802 };
803 803
804 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { 804 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
805 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->pool) != NGX_OK) { 805 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
806 return NGX_ERROR; 806 return NGX_ERROR;
807 } 807 }
808 } 808 }
809 809
810 return NGX_OK; 810 return NGX_OK;
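Review bot: The new `log` parameter lands in different positions across the touched signatures: `ngx_quic_keys_set_encryption_secret` now takes it first (new line 670, where the pool used to be), while `ngx_quic_keys_set_initial_secret` (new lines 182-183) and the static `ngx_quic_hkdf_expand` (new line 264) take it last; the untouched `ngx_quic_tls_hp` prototype at line 113 also puts the log first. Since both public functions change signature in this commit anyway, this is the moment to settle on one convention, e.g. `ngx_quic_keys_set_initial_secret(ngx_log_t *log, ngx_quic_keys_t *keys, ngx_str_t *secret)` to match the other two, or the reverse. Separately, now that the log is supplied explicitly by the caller rather than taken from the pool, it is worth a one-line comment above each of the two public functions that, when `NGX_QUIC_DEBUG_CRYPTO` is defined, the initial secret (lines 225-226) and every expanded key/iv/hp value (lines 289-291) are hex-dumped to that log, so callers do not route it to a shared or less-protected log. Note the bodies of both public functions and the function around lines 800-810 are only partly visible in these hunks, so I cannot tell whether any remaining `pool` use survives there.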