diff options
| author | Vladimir Homutov <vl@nginx.com> | 2021-03-11 14:43:01 +0300 |
|---|---|---|
| committer | Vladimir Homutov <vl@nginx.com> | 2021-03-11 14:43:01 +0300 |
| commit | b8fd5dc640d809e87314fca2afbb43f6da28ea92 (patch) | |
| tree | 28d95c4ae3571e5091508d0c47c907eb6701f254 /src | |
| parent | 7f348b2d1f3bca54227c3d24fb017ec8787cd8a2 (diff) | |
| download | nginx-b8fd5dc640d809e87314fca2afbb43f6da28ea92.tar.gz nginx-b8fd5dc640d809e87314fca2afbb43f6da28ea92.zip | |
QUIC: added error handling to ngx_hkdf_extract()/ngx_hkdf_expand().
The OpenSSL variant of functions lacked proper error processing.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/quic/ngx_event_quic_protection.c | 58 |
1 files changed, 42 insertions, 16 deletions
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c index 1e2818388..4b29869ce 100644 --- a/src/event/quic/ngx_event_quic_protection.c +++ b/src/event/quic/ngx_event_quic_protection.c @@ -305,44 +305,57 @@ ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) { #ifdef OPENSSL_IS_BORINGSSL + if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) == 0) { return NGX_ERROR; } + + return NGX_OK; + #else EVP_PKEY_CTX *pctx; pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + if (pctx == NULL) { + return NGX_ERROR; + } if (EVP_PKEY_derive_init(pctx) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) { - return NGX_ERROR; + goto failed; } -#endif - return NGX_OK; + +failed: + + EVP_PKEY_CTX_free(pctx); + + return NGX_ERROR; + +#endif } @@ -352,45 +365,58 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, size_t salt_len) { #ifdef OPENSSL_IS_BORINGSSL + if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, salt_len) == 0) { return NGX_ERROR; } + + return NGX_OK; + #else EVP_PKEY_CTX *pctx; pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + if (pctx == NULL) { + return NGX_ERROR; + } if (EVP_PKEY_derive_init(pctx) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) { - return NGX_ERROR; + goto failed; } if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) { - return NGX_ERROR; + goto failed; } -#endif - return NGX_OK; + +failed: + + EVP_PKEY_CTX_free(pctx); + + return NGX_ERROR; + +#endif } |