Mercurial > hg > nginx
changeset 8172:640a13fc0f83 quic
PN-aware AEAD nonce, feeding proper CRYPTO length.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 28 Feb 2020 13:09:52 +0300 |
| parents | 4daf03d2bd0a |
| children | 02f331613232 |
| files | src/event/ngx_event_openssl.c src/http/ngx_http_request.c |
| diffstat | 2 files changed, 62 insertions(+), 14 deletions(-) [+] |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -452,7 +452,7 @@ static int quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level, const uint8_t *data, size_t len) { - u_char buf[512], *p, *ciphertext, *clear, *ad, *name; + u_char buf[2048], *p, *ciphertext, *clear, *ad, *name; size_t ad_len, clear_len; ngx_int_t m; ngx_str_t *server_key, *server_iv, *server_hp; @@ -463,6 +463,7 @@ quic_add_handshake_data(ngx_ssl_conn_t * #endif ngx_connection_t *c; ngx_quic_connection_t *qc; + static int pn = 0; c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); @@ -488,10 +489,10 @@ quic_add_handshake_data(ngx_ssl_conn_t * return 0; } - m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 256)) - buf; + m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 1024)) - buf; ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data: %*s%s, len: %uz, level:%d", - m, buf, len < 512 ? "" : "...", len, (int) level); + m, buf, len < 2048 ? "" : "...", len, (int) level); clear = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log); if (clear == 0) { @@ -504,15 +505,21 @@ quic_add_handshake_data(ngx_ssl_conn_t * ngx_quic_build_int(&p, len); p = ngx_cpymem(p, data, len); - ngx_quic_build_int(&p, 2); // ack frame - ngx_quic_build_int(&p, 0); - ngx_quic_build_int(&p, 0); - ngx_quic_build_int(&p, 0); - ngx_quic_build_int(&p, 0); + if (level == ssl_encryption_initial) { + ngx_quic_build_int(&p, 2); // ack frame + ngx_quic_build_int(&p, 0); + ngx_quic_build_int(&p, 0); + ngx_quic_build_int(&p, 0); + ngx_quic_build_int(&p, 0); + } clear_len = p - clear; size_t ciphertext_len = clear_len + 16 /*expansion*/; + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic_add_handshake_data: clear_len:%uz, ciphertext_len:%uz", + clear_len, ciphertext_len); + ad = ngx_alloc(346 /*max header*/, c->log); if (ad == 0) { return 0; @@ -537,7 +544,13 @@ quic_add_handshake_data(ngx_ssl_conn_t * } ngx_quic_build_int(&p, ciphertext_len + 1); // length (inc. pnl) u_char *pnp = p; - *p++ = 0; // packet number 0 + + if (level == ssl_encryption_initial) { + *p++ = 0; // packet number 0 + + } else if (level == ssl_encryption_handshake) { + *p++ = pn++; + } ad_len = p - ad; @@ -575,6 +588,21 @@ quic_add_handshake_data(ngx_ssl_conn_t * return 0; } + uint8_t *nonce = ngx_pstrdup(c->pool, server_iv); + if (level == ssl_encryption_handshake) { + nonce[11] ^= (pn - 1); + } + + m = ngx_hex_dump(buf, (u_char *) server_iv->data, 12) - buf; + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic_add_handshake_data sample: server_iv %*s", + m, buf); + m = ngx_hex_dump(buf, (u_char *) nonce, 12) - buf; + ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic_add_handshake_data sample: n=%d nonce %*s", + pn - 1, m, buf); + + #ifdef OPENSSL_IS_BORINGSSL size_t out_len; EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher, @@ -583,7 +611,7 @@ quic_add_handshake_data(ngx_ssl_conn_t * EVP_AEAD_DEFAULT_TAG_LENGTH); if (EVP_AEAD_CTX_seal(aead, ciphertext, &out_len, ciphertext_len, - server_iv->data, server_iv->len, + nonce, server_iv->len, clear, clear_len, ad, ad_len) != 1) { @@ -619,7 +647,7 @@ quic_add_handshake_data(ngx_ssl_conn_t * return 0; } - if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, server_iv->data) + if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, nonce) != 1) { EVP_CIPHER_CTX_free(aead); @@ -717,10 +745,10 @@ clear_len, ciphertext_len, (size_t) out_ p = ngx_cpymem(packet, ad, ad_len); p = ngx_cpymem(p, ciphertext, out_len); - m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(256, p - packet)) - buf; + m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(1024, p - packet)) - buf; ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic_add_handshake_data packet: %*s%s, len: %uz", - m, buf, len < 512 ? "" : "...", p - packet); + m, buf, len < 2048 ? "" : "...", p - packet); c->send(c, packet, p - packet);
--- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1324,6 +1324,26 @@ ngx_http_quic_handshake(ngx_event_t *rev } #endif + if (cleartext[0] != 0x06) { + ngx_log_error(NGX_LOG_INFO, rev->log, 0, + "unexpected frame in initial packet"); + ngx_http_close_connection(c); + return; + } + + if (cleartext[1] != 0x00) { + ngx_log_error(NGX_LOG_INFO, rev->log, 0, + "unexpected CRYPTO offset in initial packet"); + ngx_http_close_connection(c); + return; + } + + uint8_t *crypto = &cleartext[2]; + uint64_t crypto_len = ngx_quic_parse_int(&crypto); + + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0, + "quic initial packet CRYPTO length: %uL pp:%p:%p", crypto_len, cleartext, crypto); + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) @@ -1351,7 +1371,7 @@ ngx_http_quic_handshake(ngx_event_t *rev if (!SSL_provide_quic_data(c->ssl->connection, SSL_quic_read_level(c->ssl->connection), - &cleartext[4], cleartext_len - 4)) + crypto, crypto_len)) { ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "SSL_provide_quic_data() failed");