authorSergey Kandaurov <pluknet@nginx.com>2022-01-26 14:15:40 +0300
committerSergey Kandaurov <pluknet@nginx.com>2022-01-26 14:15:40 +0300
commit846a386c7ebc78424ed14993e28d30d26bd26318 (patch)
tree496f6403a96639f4fc0ad681de89821d54b40013 /src
parent5efdec71581f9402dd7132267d68240ab2f8870b (diff)
QUIC: removed draft versions support.
Diffstat (limited to 'src')
-rw-r--r--src/event/quic/ngx_event_quic.c3
-rw-r--r--src/event/quic/ngx_event_quic_output.c3
-rw-r--r--src/event/quic/ngx_event_quic_protection.c17
-rw-r--r--src/event/quic/ngx_event_quic_protection.h2
-rw-r--r--src/event/quic/ngx_event_quic_transport.c6
5 files changed, 7 insertions, 24 deletions
diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index 544cbd3cb..f1d96a58a 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -329,8 +329,7 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
}
}
- if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid,
- qc->version)
+ if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid)
!= NGX_OK)
{
return NULL;
diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
index da75aa3de..0f7eff26d 100644
--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -950,8 +950,7 @@ ngx_quic_send_early_cc(ngx_connection_t *c, ngx_quic_header_t *inpkt,
return NGX_ERROR;
}
- if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid,
- inpkt->version)
+ if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid)
!= NGX_OK)
{
return NGX_ERROR;
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
index 3db510eef..bbf85af9a 100644
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -146,7 +146,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
ngx_int_t
ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
- ngx_str_t *secret, uint32_t version)
+ ngx_str_t *secret)
{
size_t is_len;
uint8_t is[SHA256_DIGEST_LENGTH];
@@ -157,9 +157,6 @@ ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
static const uint8_t salt[20] =
"\x38\x76\x2c\xf7\xf5\x59\x34\xb3\x4d\x17"
"\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a";
- static const uint8_t salt29[20] =
- "\xaf\xbf\xec\x28\x99\x93\xd2\x4c\x9e\x97"
- "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99";
client = &keys->secrets[ssl_encryption_initial].client;
server = &keys->secrets[ssl_encryption_initial].server;
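Review bot: The remaining `salt` in ngx_quic_keys_set_initial_secret() has no comment saying which protocol version it belongs to, and with the `version` parameter gone the function derives QUIC v1 Initial keys for whatever packet it is handed. I would add a comment above the declaration, e.g. `/* RFC 9001, 5.2. Initial Secrets: salt for QUIC version 1 only */`, and note in the function header that callers must have rejected unsupported versions before calling. The same applies to `key` and `nonce` in ngx_quic_create_retry_packet() (hunks at -892 and -916), where `pkt->version` is no longer consulted. The function body starts and ends outside this hunk, so any version check there is not visible from here.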
@@ -175,7 +172,7 @@ ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
is_len = SHA256_DIGEST_LENGTH;
if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
- (version & 0xff000000) ? salt29 : salt, sizeof(salt))
+ salt, sizeof(salt))
!= NGX_OK)
{
return NGX_ERROR;
@@ -892,12 +889,8 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
/* 5.8. Retry Packet Integrity */
static u_char key[16] =
"\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
- static u_char key29[16] =
- "\xcc\xce\x18\x7e\xd0\x9a\x09\xd0\x57\x28\x15\x5a\x6c\xb9\x6b\xe1";
static u_char nonce[NGX_QUIC_IV_LEN] =
"\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
- static u_char nonce29[NGX_QUIC_IV_LEN] =
- "\xe5\x49\x30\xf9\x7f\x21\x36\xf0\x53\x0a\x8c\x1c";
static ngx_str_t in = ngx_string("");
ad.data = res->data;
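Review bot: `key` and `nonce` are declared `static u_char` without `const`, whereas `salt` in ngx_quic_keys_set_initial_secret() is `static const uint8_t`; both are fixed section 5.8 constants and nothing in the visible lines writes to them. Declaring them `static const u_char key[16]` and `static const u_char nonce[NGX_QUIC_IV_LEN]` would put them in read-only data, so a stray write elsewhere faults instead of silently corrupting every later Retry integrity tag. Whether that compiles without a cast depends on the types of `secret.key.data` and of the nonce parameter of ngx_quic_tls_seal(), which are declared outside this hunk. The body of ngx_quic_create_retry_packet() continues past the hunk.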
@@ -916,12 +909,10 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
}
secret.key.len = sizeof(key);
- secret.key.data = (pkt->version & 0xff000000) ? key29 : key;
+ secret.key.data = key;
secret.iv.len = NGX_QUIC_IV_LEN;
- if (ngx_quic_tls_seal(ciphers.c, &secret, &itag,
- (pkt->version & 0xff000000) ? nonce29 : nonce,
- &in, &ad, pkt->log)
+ if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
!= NGX_OK)
{
return NGX_ERROR;
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
index 92491f02a..ff375b510 100644
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -19,7 +19,7 @@
ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool);
ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool,
- ngx_quic_keys_t *keys, ngx_str_t *secret, uint32_t version);
+ ngx_quic_keys_t *keys, ngx_str_t *secret);
ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool,
ngx_uint_t is_write, ngx_quic_keys_t *keys,
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
diff --git a/src/event/quic/ngx_event_quic_transport.c b/src/event/quic/ngx_event_quic_transport.c
index 949d2691b..5cf6bc207 100644
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@@ -73,8 +73,6 @@
#define ngx_quic_build_int_set(p, value, len, bits) \
(*(p)++ = ((value >> ((len) * 8)) & 0xff) | ((bits) << 6))
-#define NGX_QUIC_VERSION(c) (0xff000000 + (c))
-
static u_char *ngx_quic_parse_int(u_char *pos, u_char *end, uint64_t *out);
static ngx_uint_t ngx_quic_varint_len(uint64_t value);
@@ -137,10 +135,6 @@ static ngx_int_t ngx_quic_parse_transport_param(u_char *p, u_char *end,
uint32_t ngx_quic_versions[] = {
/* QUICv1 */
0x00000001,
- NGX_QUIC_VERSION(29),
- NGX_QUIC_VERSION(30),
- NGX_QUIC_VERSION(31),
- NGX_QUIC_VERSION(32),
};
#define NGX_QUIC_NVERSIONS \