IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().

Browse Source
This commit is contained in:
Sergey Kandaurov 2020-02-28 13:09:52 +03:00
parent 8c90e6f440
commit 56eead6176
4 changed files with 284 additions and 376 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
src/event/ngx_event_openssl.c
View File

@ -452,17 +452,13 @@ static int
quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, const uint8_t *data, size_t len)
{
u_char buf[2048], *p, *ciphertext, *clear, *ad, *name;
size_t ad_len, clear_len;
u_char buf[2048], *p, *name;
ngx_int_t m;
ngx_str_t *server_key, *server_iv, *server_hp;
#ifdef OPENSSL_IS_BORINGSSL
const EVP_AEAD *cipher;
#else
const EVP_CIPHER *cipher;
#endif
ngx_str_t in, out, ad;
ngx_quic_secret_t *secret;
ngx_connection_t *c;
ngx_quic_connection_t *qc;
const ngx_aead_cipher_t *cipher;
static int pn = 0;
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
@ -474,15 +470,11 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
switch (level) {
case ssl_encryption_initial:
server_key = &qc->server_in.key;
server_iv = &qc->server_in.iv;
server_hp = &qc->server_in.hp;
secret = &qc->server_in;
break;
case ssl_encryption_handshake:
server_key = &qc->server_hs.key;
server_iv = &qc->server_hs.iv;
server_hp = &qc->server_hs.hp;
secret = &qc->server_hs;
break;
default:
@ -494,12 +486,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
"quic_add_handshake_data: %*s%s, len: %uz, level:%d",
m, buf, len < 2048 ? "" : "...", len, (int) level);
clear = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log);
if (clear == 0) {
in.data = ngx_alloc(4 + len + 5 /*minimal ACK*/, c->log);
if (in.data == 0) {
return 0;
}
p = clear;
p = in.data;
ngx_quic_build_int(&p, 6); // crypto frame
ngx_quic_build_int(&p, 0);
ngx_quic_build_int(&p, len);
@ -513,19 +505,19 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
ngx_quic_build_int(&p, 0);
}
clear_len = p - clear;
size_t ciphertext_len = clear_len + 16 /*expansion*/;
in.len = p - in.data;
out.len = in.len + EVP_GCM_TLS_TAG_LEN;
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data: clear_len:%uz, ciphertext_len:%uz",
clear_len, ciphertext_len);
in.len, out.len);
ad = ngx_alloc(346 /*max header*/, c->log);
if (ad == 0) {
ad.data = ngx_alloc(346 /*max header*/, c->log);
if (ad.data == 0) {
return 0;
}
p = ad;
p = ad.data;
if (level == ssl_encryption_initial) {
*p++ = 0xc0; // initial, packet number len
} else if (level == ssl_encryption_handshake) {
@ -542,7 +534,7 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
if (level == ssl_encryption_initial) {
ngx_quic_build_int(&p, 0); // token length
}
ngx_quic_build_int(&p, ciphertext_len + 1); // length (inc. pnl)
ngx_quic_build_int(&p, out.len + 1); // length (inc. pnl)
u_char *pnp = p;
if (level == ssl_encryption_initial) {
@ -552,12 +544,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
*p++ = pn++;
}
ad_len = p - ad;
ad.len = p - ad.data;
m = ngx_hex_dump(buf, (u_char *) ad, ad_len) - buf;
m = ngx_hex_dump(buf, ad.data, ad.len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data ad: %*s, len: %uz",
m, buf, ad_len);
m, buf, ad.len);
name = (u_char *) SSL_get_cipher(ssl_conn);
@ -582,18 +574,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
ciphertext = ngx_alloc(ciphertext_len, c->log);
if (ciphertext == 0) {
return 0;
}
uint8_t *nonce = ngx_pstrdup(c->pool, server_iv);
uint8_t *nonce = ngx_pstrdup(c->pool, &secret->iv);
if (level == ssl_encryption_handshake) {
nonce[11] ^= (pn - 1);
}
m = ngx_hex_dump(buf, (u_char *) server_iv->data, 12) - buf;
m = ngx_hex_dump(buf, (u_char *) secret->iv.data, 12) - buf;
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data sample: server_iv %*s",
m, buf);
@ -602,102 +588,17 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
"quic_add_handshake_data sample: n=%d nonce %*s",
pn - 1, m, buf);
#ifdef OPENSSL_IS_BORINGSSL
size_t out_len;
EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher,
server_key->data,
server_key->len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (EVP_AEAD_CTX_seal(aead, ciphertext, &out_len, ciphertext_len,
nonce, server_iv->len,
clear, clear_len, ad, ad_len)
!= 1)
if (ngx_quic_tls_seal(c, cipher, secret, &out, nonce, &in, &ad) != NGX_OK)
{
EVP_AEAD_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_AEAD_CTX_seal() failed");
return 0;
}
EVP_AEAD_CTX_free(aead);
#else
int out_len;
EVP_CIPHER_CTX *aead;
aead = EVP_CIPHER_CTX_new();
if (aead == NULL) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed");
return 0;
}
if (EVP_EncryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
return 0;
}
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, server_iv->len, NULL)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
return 0;
}
if (EVP_EncryptInit_ex(aead, NULL, NULL, server_key->data, nonce)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
return 0;
}
if (EVP_EncryptUpdate(aead, NULL, &out_len, ad, ad_len) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
return 0;
}
if (EVP_EncryptUpdate(aead, ciphertext, &out_len, clear, clear_len) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
return 0;
}
ciphertext_len = out_len;
if (EVP_EncryptFinal_ex(aead, ciphertext + out_len, &out_len) <= 0) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed");
return 0;
}
ciphertext_len += out_len;
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
ciphertext + clear_len)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
return 0;
}
EVP_CIPHER_CTX_free(aead);
out_len = ciphertext_len + EVP_GCM_TLS_TAG_LEN;
#endif
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
u_char *sample = ciphertext + 3; // pnl=0
u_char *sample = &out.data[3]; // pnl=0
uint8_t mask[16];
int outlen;
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, server_hp->data, NULL)
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL)
!= 1)
{
EVP_CIPHER_CTX_free(ctx);
@ -725,25 +626,24 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
"quic_add_handshake_data mask: %*s, len: %uz",
m, buf, 16);
m = ngx_hex_dump(buf, (u_char *) server_hp->data, 16) - buf;
m = ngx_hex_dump(buf, (u_char *) secret->hp.data, 16) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data hp_key: %*s, len: %uz",
m, buf, 16);
// header protection, pnl = 0
ad[0] ^= mask[0] & 0x0f;
ad.data[0] ^= mask[0] & 0x0f;
*pnp ^= mask[1];
printf("clear_len %ld ciphertext_len %ld out_len %ld ad_len %ld\n",
clear_len, ciphertext_len, (size_t) out_len, ad_len);
printf("clear_len %ld ciphertext_len %ld ad_len %ld\n", in.len, out.len, ad.len);
u_char *packet = ngx_alloc(ad_len + out_len, c->log);
u_char *packet = ngx_alloc(ad.len + out.len, c->log);
if (packet == 0) {
return 0;
}
p = ngx_cpymem(packet, ad, ad_len);
p = ngx_cpymem(p, ciphertext, out_len);
p = ngx_cpymem(packet, ad.data, ad.len);
p = ngx_cpymem(p, out.data, out.len);
m = ngx_hex_dump(buf, (u_char *) packet, ngx_min(1024, p - packet)) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,

208
src/event/ngx_event_quic.c
View File

@ -163,3 +163,211 @@ ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
return NGX_OK;
}
ngx_int_t
ngx_quic_tls_open(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
ngx_str_t *ad)
{
out->len = in->len - EVP_GCM_TLS_TAG_LEN;
out->data = ngx_pnalloc(c->pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *ctx;
ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
in->data, in->len, ad->data, ad->len)
!= 1)
{
EVP_AEAD_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_open() failed");
return NGX_ERROR;
}
EVP_AEAD_CTX_free(ctx);
#else
int len;
u_char *tag;
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
return NGX_ERROR;
}
if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}
if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
in->len - EVP_GCM_TLS_TAG_LEN)
!= 1)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}
out->len = len;
tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
return NGX_ERROR;
}
if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptFinal_ex failed");
return NGX_ERROR;
}
out->len += len;
EVP_CIPHER_CTX_free(ctx);
#endif
return NGX_OK;
}
ngx_int_t
ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
ngx_str_t *ad)
{
out->len = in->len + EVP_GCM_TLS_TAG_LEN;
out->data = ngx_pnalloc(c->pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *ctx;
ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
in->data, in->len, ad->data, ad->len)
!= 1)
{
EVP_AEAD_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_seal() failed");
return NGX_ERROR;
}
EVP_AEAD_CTX_free(ctx);
#else
int len;
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
return NGX_ERROR;
}
if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
return NGX_ERROR;
}
out->len = len;
if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed");
return NGX_ERROR;
}
out->len += len;
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
out->data + in->len)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
return NGX_ERROR;
}
EVP_CIPHER_CTX_free(ctx);
out->len += EVP_GCM_TLS_TAG_LEN;
#endif
return NGX_OK;
}

16
src/event/ngx_event_quic.h
View File

@ -11,6 +11,15 @@
#include <ngx_event_openssl.h>
#ifdef OPENSSL_IS_BORINGSSL
#define ngx_aead_cipher_t EVP_AEAD
#define NGX_QUIC_INITIAL_CIPHER EVP_aead_aes_128_gcm()
#else
#define ngx_aead_cipher_t EVP_CIPHER
#define NGX_QUIC_INITIAL_CIPHER EVP_aes_128_gcm()
#endif
typedef struct {
ngx_str_t secret;
ngx_str_t key;
@ -44,5 +53,12 @@ ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
const EVP_MD *digest, const u_char *prk, size_t prk_len,
const u_char *info, size_t info_len);
ngx_int_t ngx_quic_tls_open(ngx_connection_t *c,
const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c,
const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */

264
src/http/ngx_http_request.c
View File

@ -786,24 +786,15 @@ ngx_http_quic_handshake(ngx_event_t *rev)
size_t is_len;
uint8_t is[SHA256_DIGEST_LENGTH];
const EVP_MD *digest;
#ifdef OPENSSL_IS_BORINGSSL
const EVP_AEAD *cipher;
#else
const EVP_CIPHER *cipher;
#endif
const ngx_aead_cipher_t *cipher;
static const uint8_t salt[20] =
"\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7"
"\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02";
digest = EVP_sha256();
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
#ifdef OPENSSL_IS_BORINGSSL
cipher = EVP_aead_aes_128_gcm();
#else
cipher = EVP_aes_128_gcm();
#endif
cipher = NGX_QUIC_INITIAL_CIPHER;
digest = EVP_sha256();
if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len,
salt, sizeof(salt))
@ -1179,9 +1170,9 @@ ngx_http_quic_handshake(ngx_event_t *rev)
// packet protection
ngx_str_t ciphertext;
ciphertext.data = b->pos;
ciphertext.len = plen - pnl;
ngx_str_t in;
in.data = b->pos;
in.len = plen - pnl;
ngx_str_t ad;
ad.len = b->pos - b->start;
@ -1210,144 +1201,44 @@ ngx_http_quic_handshake(ngx_event_t *rev)
}
#endif
uint8_t cleartext[1600];
size_t cleartext_len;
ngx_str_t out;
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher,
qc->client_in.key.data,
qc->client_in.key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (aead == NULL) {
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_AEAD_CTX_new() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_AEAD_CTX_open(aead, cleartext, &cleartext_len, sizeof(cleartext),
nonce, qc->client_in.iv.len, ciphertext.data,
ciphertext.len, ad.data, ad.len)
!= 1)
if (ngx_quic_tls_open(c, cipher, &qc->client_in, &out, nonce, &in, &ad)
!= NGX_OK)
{
EVP_AEAD_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_AEAD_CTX_open() failed");
ngx_http_close_connection(c);
return;
}
EVP_AEAD_CTX_free(aead);
#else
int len;
u_char *tag;
EVP_CIPHER_CTX *aead;
aead = EVP_CIPHER_CTX_new();
if (aead == NULL) {
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_CIPHER_CTX_new() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, qc->client_in.iv.len,
NULL)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptInit_ex(aead, NULL, NULL, qc->client_in.key.data, nonce)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptUpdate(aead, NULL, &len, ad.data, ad.len) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptUpdate(aead, cleartext, &len, ciphertext.data,
ciphertext.len - EVP_GCM_TLS_TAG_LEN)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
cleartext_len = len;
tag = ciphertext.data + ciphertext.len - EVP_GCM_TLS_TAG_LEN;
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN,
tag)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptFinal_ex(aead, cleartext + len, &len) <= 0) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptFinal_ex failed");
ngx_http_close_connection(c);
return;
}
cleartext_len += len;
EVP_CIPHER_CTX_free(aead);
#endif
#if (NGX_DEBUG)
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, cleartext, ngx_min(cleartext_len, 256)) - buf;
m = ngx_hex_dump(buf, out.data, ngx_min(out.len, 256)) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic packet payload: %*s%s, len: %uz",
m, buf, m < 512 ? "" : "...", cleartext_len);
m, buf, m < 512 ? "" : "...", out.len);
}
#endif
if (cleartext[0] != 0x06) {
if (out.data[0] != 0x06) {
ngx_log_error(NGX_LOG_INFO, rev->log, 0,
"unexpected frame in initial packet");
ngx_http_close_connection(c);
return;
}
if (cleartext[1] != 0x00) {
if (out.data[1] != 0x00) {
ngx_log_error(NGX_LOG_INFO, rev->log, 0,
"unexpected CRYPTO offset in initial packet");
ngx_http_close_connection(c);
return;
}
uint8_t *crypto = &cleartext[2];
uint8_t *crypto = &out.data[2];
uint64_t crypto_len = ngx_quic_parse_int(&crypto);
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic initial packet CRYPTO length: %uL pp:%p:%p",
crypto_len, cleartext, crypto);
crypto_len, out.data, crypto);
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
@ -1466,8 +1357,6 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic handshake handler: %*s, len: %uz", m, buf, n);
/* XXX bug-for-bug compat - assuming initial ack in handshake pkt */
if ((p[0] & 0xf0) != 0xe0) {
ngx_log_error(NGX_LOG_INFO, rev->log, 0, "invalid packet type");
ngx_http_close_connection(c);
@ -1576,9 +1465,9 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
// packet protection
ngx_str_t ciphertext;
ciphertext.data = p;
ciphertext.len = plen - pnl;
ngx_str_t in;
in.data = p;
in.len = plen - pnl;
ngx_str_t ad;
ad.len = p - b;
@ -1607,11 +1496,7 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
}
#endif
#ifdef OPENSSL_IS_BORINGSSL
const EVP_AEAD *cipher;
#else
const EVP_CIPHER *cipher;
#endif
const ngx_aead_cipher_t *cipher;
u_char *name = (u_char *) SSL_get_cipher(c->ssl->connection);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
@ -1639,122 +1524,21 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
return;
}
ngx_str_t out;
uint8_t cleartext[1600];
size_t cleartext_len;
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *aead = EVP_AEAD_CTX_new(cipher,
qc->client_hs.key.data,
qc->client_hs.key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (aead == NULL) {
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_AEAD_CTX_new() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_AEAD_CTX_open(aead, cleartext, &cleartext_len, sizeof(cleartext),
nonce, qc->client_hs.iv.len, ciphertext.data,
ciphertext.len, ad.data, ad.len)
!= 1)
if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad)
!= NGX_OK)
{
EVP_AEAD_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_AEAD_CTX_open() failed");
ngx_http_close_connection(c);
return;
}
EVP_AEAD_CTX_free(aead);
#else
int len;
u_char *tag;
EVP_CIPHER_CTX *aead;
aead = EVP_CIPHER_CTX_new();
if (aead == NULL) {
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_CIPHER_CTX_new() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptInit_ex(aead, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_IVLEN, qc->client_hs.iv.len,
NULL)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptInit_ex(aead, NULL, NULL, qc->client_hs.key.data, nonce)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptUpdate(aead, NULL, &len, ad.data, ad.len) != 1) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptUpdate(aead, cleartext, &len, ciphertext.data,
ciphertext.len - EVP_GCM_TLS_TAG_LEN)
!= 1)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
cleartext_len = len;
tag = ciphertext.data + ciphertext.len - EVP_GCM_TLS_TAG_LEN;
if (EVP_CIPHER_CTX_ctrl(aead, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN,
tag)
== 0)
{
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
ngx_http_close_connection(c);
return;
}
if (EVP_DecryptFinal_ex(aead, cleartext + len, &len) <= 0) {
EVP_CIPHER_CTX_free(aead);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "EVP_DecryptFinal_ex failed");
ngx_http_close_connection(c);
return;
}
cleartext_len += len;
EVP_CIPHER_CTX_free(aead);
#endif
#if (NGX_DEBUG)
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, cleartext, ngx_min(cleartext_len, 256)) - buf;
m = ngx_hex_dump(buf, out.data, ngx_min(out.len, 256)) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic packet payload: %*s%s, len: %uz",
m, buf, m < 512 ? "" : "...", cleartext_len);
m, buf, m < 512 ? "" : "...", out.len);
}
#endif