Mercurial > hg > nginx
annotate src/event/ngx_event_quic.c @ 8178:a9ff4392ecde quic
QUIC header protection routines, introduced ngx_quic_tls_hp().
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 28 Feb 2020 13:09:52 +0300 |
parents | 76e29ff31cd3 |
children | 7ee1ada04c8a |
rev | line source |
---|---|
8171 | 1 #include <ngx_config.h> |
2 #include <ngx_core.h> | |
3 #include <ngx_event.h> | |
4 | |
5 | |
6 uint64_t | |
7 ngx_quic_parse_int(u_char **pos) | |
8 { | |
9 u_char *p; | |
10 uint64_t value; | |
11 ngx_uint_t len; | |
12 | |
13 p = *pos; | |
14 len = 1 << ((*p & 0xc0) >> 6); | |
15 value = *p++ & 0x3f; | |
16 | |
17 while (--len) { | |
18 value = (value << 8) + *p++; | |
19 } | |
20 | |
21 *pos = p; | |
22 return value; | |
23 } | |
24 | |
25 | |
26 void | |
27 ngx_quic_build_int(u_char **pos, uint64_t value) | |
28 { | |
29 u_char *p; | |
30 ngx_uint_t len;//, len2; | |
31 | |
32 p = *pos; | |
33 len = 0; | |
34 | |
35 while (value >> ((1 << len) * 8 - 2)) { | |
36 len++; | |
37 } | |
38 | |
39 *p = len << 6; | |
40 | |
41 // len2 = | |
42 len = (1 << len); | |
43 len--; | |
44 *p |= value >> (len * 8); | |
45 p++; | |
46 | |
47 while (len) { | |
48 *p++ = value >> ((len-- - 1) * 8); | |
49 } | |
50 | |
51 *pos = p; | |
52 // return len2; | |
53 } | |
54 | |
55 | |
56 uint64_t | |
57 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask) | |
58 { | |
59 u_char *p; | |
60 uint64_t value; | |
61 | |
62 p = *pos; | |
63 value = *p++ ^ *mask++; | |
64 | |
65 while (--len) { | |
66 value = (value << 8) + (*p++ ^ *mask++); | |
67 } | |
68 | |
69 *pos = p; | |
70 return value; | |
71 } | |
72 | |
73 | |
74 ngx_int_t | |
75 ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, | |
76 const u_char *secret, size_t secret_len, const u_char *salt, | |
77 size_t salt_len) | |
78 { | |
79 #ifdef OPENSSL_IS_BORINGSSL | |
80 if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, | |
81 salt_len) | |
82 == 0) | |
83 { | |
84 return NGX_ERROR; | |
85 } | |
86 #else | |
87 | |
88 EVP_PKEY_CTX *pctx; | |
89 | |
90 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
91 | |
92 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
93 return NGX_ERROR; | |
94 } | |
95 | |
96 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) { | |
97 return NGX_ERROR; | |
98 } | |
99 | |
100 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
101 return NGX_ERROR; | |
102 } | |
103 | |
104 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) { | |
105 return NGX_ERROR; | |
106 } | |
107 | |
108 if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) { | |
109 return NGX_ERROR; | |
110 } | |
111 | |
112 if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) { | |
113 return NGX_ERROR; | |
114 } | |
115 | |
116 #endif | |
117 | |
118 return NGX_OK; | |
119 } | |
120 | |
121 | |
122 ngx_int_t | |
123 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, | |
124 const u_char *prk, size_t prk_len, const u_char *info, size_t info_len) | |
125 { | |
126 #ifdef OPENSSL_IS_BORINGSSL | |
127 if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) | |
128 == 0) | |
129 { | |
130 return NGX_ERROR; | |
131 } | |
132 #else | |
133 | |
134 EVP_PKEY_CTX *pctx; | |
135 | |
136 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
137 | |
138 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
139 return NGX_ERROR; | |
140 } | |
141 | |
142 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) { | |
143 return NGX_ERROR; | |
144 } | |
145 | |
146 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
147 return NGX_ERROR; | |
148 } | |
149 | |
150 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) { | |
151 return NGX_ERROR; | |
152 } | |
153 | |
154 if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) { | |
155 return NGX_ERROR; | |
156 } | |
157 | |
158 if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) { | |
159 return NGX_ERROR; | |
160 } | |
161 | |
162 #endif | |
163 | |
164 return NGX_OK; | |
165 } | |
8177
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
166 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
167 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
168 ngx_int_t |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
169 ngx_quic_tls_open(ngx_connection_t *c, const ngx_aead_cipher_t *cipher, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
170 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
171 ngx_str_t *ad) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
172 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
173 out->len = in->len - EVP_GCM_TLS_TAG_LEN; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
174 out->data = ngx_pnalloc(c->pool, out->len); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
175 if (out->data == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
176 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
177 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
178 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
179 #ifdef OPENSSL_IS_BORINGSSL |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
180 EVP_AEAD_CTX *ctx; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
181 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
182 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
183 EVP_AEAD_DEFAULT_TAG_LENGTH); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
184 if (ctx == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
185 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
186 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
187 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
188 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
189 if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
190 in->data, in->len, ad->data, ad->len) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
191 != 1) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
192 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
193 EVP_AEAD_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
194 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_open() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
195 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
196 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
197 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
198 EVP_AEAD_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
199 #else |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
200 int len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
201 u_char *tag; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
202 EVP_CIPHER_CTX *ctx; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
203 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
204 ctx = EVP_CIPHER_CTX_new(); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
205 if (ctx == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
206 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
207 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
208 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
209 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
210 if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
211 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
212 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
213 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
214 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
215 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
216 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
217 == 0) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
218 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
219 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
220 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
221 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
222 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
223 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
224 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
225 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
226 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
227 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptInit_ex() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
228 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
229 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
230 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
231 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
232 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
233 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
234 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
235 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
236 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
237 if (EVP_DecryptUpdate(ctx, out->data, &len, in->data, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
238 in->len - EVP_GCM_TLS_TAG_LEN) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
239 != 1) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
240 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
241 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
242 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptUpdate() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
243 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
244 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
245 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
246 out->len = len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
247 tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
248 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
249 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
250 == 0) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
251 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
252 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
253 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
254 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
255 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
256 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
257 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
258 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
259 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
260 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_DecryptFinal_ex failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
261 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
262 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
263 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
264 out->len += len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
265 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
266 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
267 #endif |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
268 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
269 return NGX_OK; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
270 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
271 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
272 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
273 ngx_int_t |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
274 ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
275 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
276 ngx_str_t *ad) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
277 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
278 out->len = in->len + EVP_GCM_TLS_TAG_LEN; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
279 out->data = ngx_pnalloc(c->pool, out->len); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
280 if (out->data == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
281 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
282 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
283 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
284 #ifdef OPENSSL_IS_BORINGSSL |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
285 EVP_AEAD_CTX *ctx; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
286 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
287 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
288 EVP_AEAD_DEFAULT_TAG_LENGTH); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
289 if (ctx == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
290 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_new() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
291 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
292 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
293 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
294 if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
295 in->data, in->len, ad->data, ad->len) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
296 != 1) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
297 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
298 EVP_AEAD_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
299 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_AEAD_CTX_seal() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
300 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
301 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
302 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
303 EVP_AEAD_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
304 #else |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
305 int len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
306 EVP_CIPHER_CTX *ctx; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
307 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
308 ctx = EVP_CIPHER_CTX_new(); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
309 if (ctx == NULL) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
310 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_CIPHER_CTX_new() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
311 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
312 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
313 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
314 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
315 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
316 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
317 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
318 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
319 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
320 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
321 == 0) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
322 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
323 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
324 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
325 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
326 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
327 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
328 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
329 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
330 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
331 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
332 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
333 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
334 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
335 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
336 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
337 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
338 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
339 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
340 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
341 if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
342 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
343 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
344 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
345 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
346 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
347 out->len = len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
348 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
349 if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
350 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
351 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptFinal_ex failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
352 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
353 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
354 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
355 out->len += len; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
356 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
357 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
358 out->data + in->len) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
359 == 0) |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
360 { |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
361 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
362 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
363 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
364 return NGX_ERROR; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
365 } |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
366 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
367 EVP_CIPHER_CTX_free(ctx); |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
368 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
369 out->len += EVP_GCM_TLS_TAG_LEN; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
370 #endif |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
371 |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
372 return NGX_OK; |
76e29ff31cd3
AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8171
diff
changeset
|
373 } |
8178
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
374 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
375 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
376 ngx_int_t |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
377 ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher, |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
378 ngx_quic_secret_t *s, u_char *out, u_char *in) |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
379 { |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
380 int outlen; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
381 EVP_CIPHER_CTX *ctx; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
382 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
383 ctx = EVP_CIPHER_CTX_new(); |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
384 if (ctx == NULL) { |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
385 return NGX_ERROR; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
386 } |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
387 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
388 if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) { |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
389 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed"); |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
390 goto failed; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
391 } |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
392 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
393 if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) { |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
394 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed"); |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
395 goto failed; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
396 } |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
397 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
398 EVP_CIPHER_CTX_free(ctx); |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
399 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
400 return NGX_OK; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
401 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
402 failed: |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
403 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
404 EVP_CIPHER_CTX_free(ctx); |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
405 |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
406 return NGX_ERROR; |
a9ff4392ecde
QUIC header protection routines, introduced ngx_quic_tls_hp().
Sergey Kandaurov <pluknet@nginx.com>
parents:
8177
diff
changeset
|
407 } |