IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Chacha20 header protection support with BoringSSL.

Browse Source 
BoringSSL lacks EVP for Chacha20.  Here we use CRYPTO_chacha_20() instead.
This commit is contained in:
Sergey Kandaurov 2020-03-10 19:15:12 +03:00
parent 7e417544bb
commit df544ee47d
2 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/event/ngx_event_openssl.h
View File

@ -25,6 +25,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
#include <openssl/hkdf.h> #include <openssl/hkdf.h>
#include <openssl/chacha.h>
#else #else
#include <openssl/kdf.h> #include <openssl/kdf.h>
#endif #endif

15
src/event/ngx_event_quic.c
View File

@ -2053,6 +2053,17 @@ ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
EVP_CIPHER_CTX *ctx; EVP_CIPHER_CTX *ctx;
u_char zero[5] = {0}; u_char zero[5] = {0};
#ifdef OPENSSL_IS_BORINGSSL
uint32_t counter;
ngx_memcpy(&counter, in, sizeof(uint32_t));
if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
CRYPTO_chacha_20(out, zero, 5, s->hp.data, &in[4], counter);
return NGX_OK;
}
#endif
ctx = EVP_CIPHER_CTX_new(); ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) { if (ctx == NULL) {
return NGX_ERROR; return NGX_ERROR;
@ -2129,7 +2140,9 @@ ngx_quic_ciphers(ngx_connection_t *c, ngx_quic_ciphers_t *ciphers,
#else #else
ciphers->c = EVP_chacha20_poly1305(); ciphers->c = EVP_chacha20_poly1305();
#endif #endif
#ifndef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
#else
ciphers->hp = EVP_chacha20(); ciphers->hp = EVP_chacha20();
#endif #endif
ciphers->d = EVP_sha256(); ciphers->d = EVP_sha256();