]> git.kaiwu.me - nginx.git/commitdiff
QUIC header protection routines, introduced ngx_quic_tls_hp().
authorSergey Kandaurov <pluknet@nginx.com>
Fri, 28 Feb 2020 10:09:52 +0000 (13:09 +0300)
committerSergey Kandaurov <pluknet@nginx.com>
Fri, 28 Feb 2020 10:09:52 +0000 (13:09 +0300)
src/event/ngx_event_openssl.c
src/event/ngx_event_quic.c
src/event/ngx_event_quic.h
src/http/ngx_http_request.c

index 561819e0b693af35e902d846601ded39417f3f35..7d12b962586626d3ff2c9d5bdac4986750f8bde2 100644 (file)
@@ -593,29 +593,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
         return 0;
     }
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     u_char *sample = &out.data[3]; // pnl=0
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL)
-        != 1)
-    {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "EVP_EncryptInit_ex() failed");
-        return 0;
-    }
-
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
-                      "EVP_EncryptUpdate() failed");
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), secret, mask, sample) != NGX_OK) {
         return 0;
     }
 
-    EVP_CIPHER_CTX_free(ctx);
-
     m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf;
     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic_add_handshake_data sample: %*s, len: %uz",
index 106ca0d344fbf9d0c5d07c2b6d1751c9c17c0482..b453d95f89d3886ac78be4467baee0b7beb151c0 100644 (file)
@@ -371,3 +371,37 @@ ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
 
     return NGX_OK;
 }
+
+
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in)
+{
+    int              outlen;
+    EVP_CIPHER_CTX  *ctx;
+
+    ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) {
+        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
+        goto failed;
+    }
+
+    if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) {
+        ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
+        goto failed;
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_OK;
+
+failed:
+
+    EVP_CIPHER_CTX_free(ctx);
+
+    return NGX_ERROR;
+}
index c1b20f65b2f73658b153d044e74cc75aa39ad362..1b900208b4e84e338abf97bdf63d2b8ca375d351 100644 (file)
@@ -60,5 +60,8 @@ ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c,
     const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
     u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
 
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+    ngx_quic_secret_t *s, u_char *out, u_char *in);
 
 #endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
index c9bddc6dd80aba817394a1f0b6d7501821c5b2d1..8fbc20424a3d022f78ed72f5fbdbe38f6c71f8bc 100644 (file)
@@ -1124,31 +1124,14 @@ ngx_http_quic_handshake(ngx_event_t *rev)
 
 // header protection
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
-                           qc->client_in.hp.data, NULL)
-        != 1)
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_in, mask, sample)
+        != NGX_OK)
     {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptInit_ex() failed");
         ngx_http_close_connection(c);
         return;
     }
 
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptUpdate() failed");
-        ngx_http_close_connection(c);
-        return;
-    }
-
-    EVP_CIPHER_CTX_free(ctx);
-
     u_char  clearflags = flags ^ (mask[0] & 0x0f);
     ngx_int_t  pnl = (clearflags & 0x03) + 1;
     uint64_t  pn = ngx_quic_parse_pn(&b->pos, pnl, &mask[1]);
@@ -1422,31 +1405,14 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
 
 // header protection
 
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     uint8_t mask[16];
-    int outlen;
-
-    if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
-                           qc->client_hs.hp.data, NULL)
-        != 1)
+    if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_hs, mask, sample)
+        != NGX_OK)
     {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptInit_ex() failed");
         ngx_http_close_connection(c);
         return;
     }
 
-    if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
-        EVP_CIPHER_CTX_free(ctx);
-        ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
-                      "EVP_EncryptUpdate() failed");
-        ngx_http_close_connection(c);
-        return;
-    }
-
-    EVP_CIPHER_CTX_free(ctx);
-
     u_char  clearflags = flags ^ (mask[0] & 0x0f);
     ngx_int_t  pnl = (clearflags & 0x03) + 1;
     uint64_t  pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);