IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

QUIC header protection routines, introduced ngx_quic_tls_hp().

Browse Source
This commit is contained in:
Sergey Kandaurov 2020-02-28 13:09:52 +03:00
parent 56eead6176
commit a3620d469f
4 changed files with 42 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/event/ngx_event_openssl.c
View File

@ -593,29 +593,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
u_char *sample = &out.data[3]; // pnl=0
uint8_t mask[16];
int outlen;
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL)
!= 1)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_EncryptInit_ex() failed");
if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), secret, mask, sample) != NGX_OK) {
return 0;
}
if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"EVP_EncryptUpdate() failed");
return 0;
}
EVP_CIPHER_CTX_free(ctx);
m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data sample: %*s, len: %uz",

34
src/event/ngx_event_quic.c
View File

@ -371,3 +371,37 @@ ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
return NGX_OK;
}
ngx_int_t
ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
ngx_quic_secret_t *s, u_char *out, u_char *in)
{
int outlen;
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
goto failed;
}
if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
goto failed;
}
EVP_CIPHER_CTX_free(ctx);
return NGX_OK;
failed:
EVP_CIPHER_CTX_free(ctx);
return NGX_ERROR;
}

3
src/event/ngx_event_quic.h
View File

@ -60,5 +60,8 @@ ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c,
const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
ngx_int_t
ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
ngx_quic_secret_t *s, u_char *out, u_char *in);
#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */

42
src/http/ngx_http_request.c
View File

@ -1124,31 +1124,14 @@ ngx_http_quic_handshake(ngx_event_t *rev)
// header protection
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
uint8_t mask[16];
int outlen;
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
qc->client_in.hp.data, NULL)
!= 1)
if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_in, mask, sample)
!= NGX_OK)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_EncryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_EncryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
EVP_CIPHER_CTX_free(ctx);
u_char clearflags = flags ^ (mask[0] & 0x0f);
ngx_int_t pnl = (clearflags & 0x03) + 1;
uint64_t pn = ngx_quic_parse_pn(&b->pos, pnl, &mask[1]);
@ -1422,31 +1405,14 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
// header protection
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
uint8_t mask[16];
int outlen;
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
qc->client_hs.hp.data, NULL)
!= 1)
if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_hs, mask, sample)
!= NGX_OK)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_EncryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"EVP_EncryptUpdate() failed");
ngx_http_close_connection(c);
return;
}
EVP_CIPHER_CTX_free(ctx);
u_char clearflags = flags ^ (mask[0] & 0x0f);
ngx_int_t pnl = (clearflags & 0x03) + 1;
uint64_t pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);