IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

PN-aware AEAD nonce, feeding proper CRYPTO length.

Browse Source
This commit is contained in:
Sergey Kandaurov 2020-02-28 13:09:52 +03:00
parent ac640641a6
commit 0ddf4a2e67
2 changed files with 62 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/event/ngx_event_openssl.c
View File

@ -452,7 +452,7 @@ static int
quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, const uint8_t *data, size_t len)
{
u_char buf[512], *p, *ciphertext, *clear, *ad, *name;
u_char buf[2048], *p, *ciphertext, *clear, *ad, *name;
size_t ad_len, clear_len;
ngx_int_t m;
ngx_str_t *server_key, *server_iv, *server_hp;
@ -463,6 +463,7 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
#endif
ngx_connection_t *c;
ngx_quic_connection_t *qc;
static int pn = 0;
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
@ -488,10 +489,10 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 256)) - buf;
m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 1024)) - buf;
ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data: %*s%s, len: %uz, level:%d",
m, buf, len < 512 ? "" : "...", len, (int) level);
m, buf, len < 2048 ? "" : "...", len, (int) level);
clear = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log);
if (clear == 0) {
@ -504,15 +505,21 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
ngx_quic_build_int(&p, len);
p = ngx_cpymem(p, data, len);
if (level == ssl_encryption_initial) {
ngx_quic_build_int(&p, 2); // ack frame
ngx_quic_build_int(&p, 0);
ngx_quic_build_int(&p, 0);
ngx_quic_build_int(&p, 0);
ngx_quic_build_int(&p, 0);
}
clear_len = p - clear;
size_t ciphertext_len = clear_len + 16 /*expansion*/;
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data: clear_len:%uz, ciphertext_len:%uz",
clear_len, ciphertext_len);
ad = ngx_alloc(346 /*max header*/, c->log);
if (ad == 0) {
return 0;
@ -537,8 +544,14 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
}
ngx_quic_build_int(&p, ciphertext_len + 1); // length (inc. pnl)
u_char *pnp = p;
if (level == ssl_encryption_initial) {
*p++ = 0; // packet number 0
} else if (level == ssl_encryption_handshake) {
*p++ = pn++;
}
ad_len = p - ad;
m = ngx_hex_dump(buf, (u_char *) ad, ad_len) - buf;
@ -575,6 +588,21 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
uint8_t *nonce = ngx_pstrdup(c->pool, server_iv);
if (level == ssl_encryption_handshake) {
nonce[11] ^= (pn - 1);
}
m = ngx_hex_dump(buf, (u_char *) server_iv->data, 12) - buf;
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data sample: server_iv %*s",
m, buf);
m = ngx_hex_dump(buf, (u_char *) nonce, 12) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data sample: n=%d nonce %*s",
pn - 1, m, buf);
#ifdef OPENSSL_IS_BORINGSSL
size_t out_len;
EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher,
@ -583,7 +611,7 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (EVP_AEAD_CTX_seal(aead, ciphertext, &out_len, ciphertext_len,
server_iv->data, server_iv->len,
nonce, server_iv->len,
clear, clear_len, ad, ad_len)
!= 1)
{
@ -619,7 +647,7 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, server_iv->data)
if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, nonce)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
@ -717,10 +745,10 @@ clear_len, ciphertext_len, (size_t) out_len, ad_len);
p = ngx_cpymem(packet, ad, ad_len);
p = ngx_cpymem(p, ciphertext, out_len);
m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(256, p - packet)) - buf;
m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(1024, p - packet)) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data packet: %*s%s, len: %uz",
m, buf, len < 512 ? "" : "...", p - packet);
m, buf, len < 2048 ? "" : "...", p - packet);
c->send(c, packet, p - packet);

22
src/http/ngx_http_request.c
View File

@ -1324,6 +1324,26 @@ ngx_http_quic_handshake(ngx_event_t *rev)
}
#endif
if (cleartext[0] != 0x06) {
ngx_log_error(NGX_LOG_INFO, rev->log, 0,
"unexpected frame in initial packet");
ngx_http_close_connection(c);
return;
}
if (cleartext[1] != 0x00) {
ngx_log_error(NGX_LOG_INFO, rev->log, 0,
"unexpected CRYPTO offset in initial packet");
ngx_http_close_connection(c);
return;
}
uint8_t *crypto = &cleartext[2];
uint64_t crypto_len = ngx_quic_parse_int(&crypto);
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic initial packet CRYPTO length: %uL pp:%p:%p", crypto_len, cleartext, crypto);
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
@ -1351,7 +1371,7 @@ ngx_http_quic_handshake(ngx_event_t *rev)
if (!SSL_provide_quic_data(c->ssl->connection,
SSL_quic_read_level(c->ssl->connection),
&cleartext[4], cleartext_len - 4))
crypto, crypto_len))
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"SSL_provide_quic_data() failed");