Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 8673:046c951e393a quic
QUIC: moved all quic sources into src/event/quic.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Fri, 25 Dec 2020 14:01:28 +0300 |
parents | src/event/ngx_event_quic_protection.c@a4c05aff8ec0 |
children | 3443ee341cc1 |
comparison
equal
deleted
inserted
replaced
8672:13c537def699 | 8673:046c951e393a |
---|---|
1 | |
2 /* | |
3 * Copyright (C) Nginx, Inc. | |
4 */ | |
5 | |
6 | |
7 #include <ngx_config.h> | |
8 #include <ngx_core.h> | |
9 #include <ngx_event.h> | |
10 #include <ngx_event_quic_transport.h> | |
11 #include <ngx_event_quic_protection.h> | |
12 | |
13 | |
14 #define NGX_QUIC_IV_LEN 12 | |
15 | |
16 #define NGX_AES_128_GCM_SHA256 0x1301 | |
17 #define NGX_AES_256_GCM_SHA384 0x1302 | |
18 #define NGX_CHACHA20_POLY1305_SHA256 0x1303 | |
19 | |
20 | |
21 #ifdef OPENSSL_IS_BORINGSSL | |
22 #define ngx_quic_cipher_t EVP_AEAD | |
23 #else | |
24 #define ngx_quic_cipher_t EVP_CIPHER | |
25 #endif | |
26 | |
27 | |
28 typedef struct { | |
29 const ngx_quic_cipher_t *c; | |
30 const EVP_CIPHER *hp; | |
31 const EVP_MD *d; | |
32 } ngx_quic_ciphers_t; | |
33 | |
34 | |
35 typedef struct ngx_quic_secret_s { | |
36 ngx_str_t secret; | |
37 ngx_str_t key; | |
38 ngx_str_t iv; | |
39 ngx_str_t hp; | |
40 } ngx_quic_secret_t; | |
41 | |
42 | |
43 typedef struct { | |
44 ngx_quic_secret_t client; | |
45 ngx_quic_secret_t server; | |
46 } ngx_quic_secrets_t; | |
47 | |
48 | |
49 struct ngx_quic_keys_s { | |
50 ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST]; | |
51 ngx_quic_secrets_t next_key; | |
52 ngx_uint_t cipher; | |
53 }; | |
54 | |
55 | |
56 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len, | |
57 const EVP_MD *digest, const u_char *prk, size_t prk_len, | |
58 const u_char *info, size_t info_len); | |
59 static ngx_int_t ngx_hkdf_extract(u_char *out_key, size_t *out_len, | |
60 const EVP_MD *digest, const u_char *secret, size_t secret_len, | |
61 const u_char *salt, size_t salt_len); | |
62 | |
63 static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, | |
64 uint64_t *largest_pn); | |
65 static void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn); | |
66 static ngx_int_t ngx_quic_ciphers(ngx_uint_t id, | |
67 ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level); | |
68 | |
69 static ngx_int_t ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, | |
70 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, | |
71 ngx_str_t *ad, ngx_log_t *log); | |
72 static ngx_int_t ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, | |
73 ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in, | |
74 ngx_str_t *ad, ngx_log_t *log); | |
75 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, | |
76 ngx_quic_secret_t *s, u_char *out, u_char *in); | |
77 static ngx_int_t ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, | |
78 ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len); | |
79 | |
80 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, | |
81 ngx_str_t *res); | |
82 static ngx_int_t ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, | |
83 ngx_str_t *res); | |
84 | |
85 | |
86 static ngx_int_t | |
87 ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers, | |
88 enum ssl_encryption_level_t level) | |
89 { | |
90 ngx_int_t len; | |
91 | |
92 if (level == ssl_encryption_initial) { | |
93 id = NGX_AES_128_GCM_SHA256; | |
94 } | |
95 | |
96 switch (id) { | |
97 | |
98 case NGX_AES_128_GCM_SHA256: | |
99 #ifdef OPENSSL_IS_BORINGSSL | |
100 ciphers->c = EVP_aead_aes_128_gcm(); | |
101 #else | |
102 ciphers->c = EVP_aes_128_gcm(); | |
103 #endif | |
104 ciphers->hp = EVP_aes_128_ctr(); | |
105 ciphers->d = EVP_sha256(); | |
106 len = 16; | |
107 break; | |
108 | |
109 case NGX_AES_256_GCM_SHA384: | |
110 #ifdef OPENSSL_IS_BORINGSSL | |
111 ciphers->c = EVP_aead_aes_256_gcm(); | |
112 #else | |
113 ciphers->c = EVP_aes_256_gcm(); | |
114 #endif | |
115 ciphers->hp = EVP_aes_256_ctr(); | |
116 ciphers->d = EVP_sha384(); | |
117 len = 32; | |
118 break; | |
119 | |
120 case NGX_CHACHA20_POLY1305_SHA256: | |
121 #ifdef OPENSSL_IS_BORINGSSL | |
122 ciphers->c = EVP_aead_chacha20_poly1305(); | |
123 #else | |
124 ciphers->c = EVP_chacha20_poly1305(); | |
125 #endif | |
126 #ifdef OPENSSL_IS_BORINGSSL | |
127 ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305(); | |
128 #else | |
129 ciphers->hp = EVP_chacha20(); | |
130 #endif | |
131 ciphers->d = EVP_sha256(); | |
132 len = 32; | |
133 break; | |
134 | |
135 default: | |
136 return NGX_ERROR; | |
137 } | |
138 | |
139 return len; | |
140 } | |
141 | |
142 | |
143 ngx_int_t | |
144 ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys, | |
145 ngx_str_t *secret) | |
146 { | |
147 size_t is_len; | |
148 uint8_t is[SHA256_DIGEST_LENGTH]; | |
149 ngx_uint_t i; | |
150 const EVP_MD *digest; | |
151 const EVP_CIPHER *cipher; | |
152 ngx_quic_secret_t *client, *server; | |
153 | |
154 static const uint8_t salt[20] = | |
155 #if (NGX_QUIC_DRAFT_VERSION >= 29) | |
156 "\xaf\xbf\xec\x28\x99\x93\xd2\x4c\x9e\x97" | |
157 "\x86\xf1\x9c\x61\x11\xe0\x43\x90\xa8\x99"; | |
158 #else | |
159 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7" | |
160 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02"; | |
161 #endif | |
162 | |
163 client = &keys->secrets[ssl_encryption_initial].client; | |
164 server = &keys->secrets[ssl_encryption_initial].server; | |
165 | |
166 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
167 | |
168 cipher = EVP_aes_128_gcm(); | |
169 digest = EVP_sha256(); | |
170 | |
171 if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len, | |
172 salt, sizeof(salt)) | |
173 != NGX_OK) | |
174 { | |
175 return NGX_ERROR; | |
176 } | |
177 | |
178 ngx_str_t iss = { | |
179 .data = is, | |
180 .len = is_len | |
181 }; | |
182 | |
183 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0, | |
184 "quic ngx_quic_set_initial_secret"); | |
185 #ifdef NGX_QUIC_DEBUG_CRYPTO | |
186 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | |
187 "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); | |
188 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | |
189 "quic initial secret len:%uz %*xs", is_len, is_len, is); | |
190 #endif | |
191 | |
192 /* draft-ietf-quic-tls-23#section-5.2 */ | |
193 client->secret.len = SHA256_DIGEST_LENGTH; | |
194 server->secret.len = SHA256_DIGEST_LENGTH; | |
195 | |
196 client->key.len = EVP_CIPHER_key_length(cipher); | |
197 server->key.len = EVP_CIPHER_key_length(cipher); | |
198 | |
199 client->hp.len = EVP_CIPHER_key_length(cipher); | |
200 server->hp.len = EVP_CIPHER_key_length(cipher); | |
201 | |
202 client->iv.len = EVP_CIPHER_iv_length(cipher); | |
203 server->iv.len = EVP_CIPHER_iv_length(cipher); | |
204 | |
205 struct { | |
206 ngx_str_t label; | |
207 ngx_str_t *key; | |
208 ngx_str_t *prk; | |
209 } seq[] = { | |
210 | |
211 /* draft-ietf-quic-tls-23#section-5.2 */ | |
212 { ngx_string("tls13 client in"), &client->secret, &iss }, | |
213 { | |
214 ngx_string("tls13 quic key"), | |
215 &client->key, | |
216 &client->secret, | |
217 }, | |
218 { | |
219 ngx_string("tls13 quic iv"), | |
220 &client->iv, | |
221 &client->secret, | |
222 }, | |
223 { | |
224 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
225 ngx_string("tls13 quic hp"), | |
226 &client->hp, | |
227 &client->secret, | |
228 }, | |
229 { ngx_string("tls13 server in"), &server->secret, &iss }, | |
230 { | |
231 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */ | |
232 ngx_string("tls13 quic key"), | |
233 &server->key, | |
234 &server->secret, | |
235 }, | |
236 { | |
237 ngx_string("tls13 quic iv"), | |
238 &server->iv, | |
239 &server->secret, | |
240 }, | |
241 { | |
242 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */ | |
243 ngx_string("tls13 quic hp"), | |
244 &server->hp, | |
245 &server->secret, | |
246 }, | |
247 | |
248 }; | |
249 | |
250 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
251 | |
252 if (ngx_quic_hkdf_expand(pool, digest, seq[i].key, &seq[i].label, | |
253 seq[i].prk->data, seq[i].prk->len) | |
254 != NGX_OK) | |
255 { | |
256 return NGX_ERROR; | |
257 } | |
258 } | |
259 | |
260 return NGX_OK; | |
261 } | |
262 | |
263 | |
264 static ngx_int_t | |
265 ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, ngx_str_t *out, | |
266 ngx_str_t *label, const uint8_t *prk, size_t prk_len) | |
267 { | |
268 size_t info_len; | |
269 uint8_t *p; | |
270 uint8_t info[20]; | |
271 | |
272 if (out->data == NULL) { | |
273 out->data = ngx_pnalloc(pool, out->len); | |
274 if (out->data == NULL) { | |
275 return NGX_ERROR; | |
276 } | |
277 } | |
278 | |
279 info_len = 2 + 1 + label->len + 1; | |
280 | |
281 info[0] = 0; | |
282 info[1] = out->len; | |
283 info[2] = label->len; | |
284 p = ngx_cpymem(&info[3], label->data, label->len); | |
285 *p = '\0'; | |
286 | |
287 if (ngx_hkdf_expand(out->data, out->len, digest, | |
288 prk, prk_len, info, info_len) | |
289 != NGX_OK) | |
290 { | |
291 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, | |
292 "ngx_hkdf_expand(%V) failed", label); | |
293 return NGX_ERROR; | |
294 } | |
295 | |
296 #ifdef NGX_QUIC_DEBUG_CRYPTO | |
297 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, | |
298 "quic expand %V key len:%uz %xV", label, out->len, out); | |
299 #endif | |
300 | |
301 return NGX_OK; | |
302 } | |
303 | |
304 | |
305 static ngx_int_t | |
306 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, | |
307 const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) | |
308 { | |
309 #ifdef OPENSSL_IS_BORINGSSL | |
310 if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) | |
311 == 0) | |
312 { | |
313 return NGX_ERROR; | |
314 } | |
315 #else | |
316 | |
317 EVP_PKEY_CTX *pctx; | |
318 | |
319 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
320 | |
321 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
322 return NGX_ERROR; | |
323 } | |
324 | |
325 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) { | |
326 return NGX_ERROR; | |
327 } | |
328 | |
329 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
330 return NGX_ERROR; | |
331 } | |
332 | |
333 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) { | |
334 return NGX_ERROR; | |
335 } | |
336 | |
337 if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) { | |
338 return NGX_ERROR; | |
339 } | |
340 | |
341 if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) { | |
342 return NGX_ERROR; | |
343 } | |
344 | |
345 #endif | |
346 | |
347 return NGX_OK; | |
348 } | |
349 | |
350 | |
351 static ngx_int_t | |
352 ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, | |
353 const u_char *secret, size_t secret_len, const u_char *salt, | |
354 size_t salt_len) | |
355 { | |
356 #ifdef OPENSSL_IS_BORINGSSL | |
357 if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, | |
358 salt_len) | |
359 == 0) | |
360 { | |
361 return NGX_ERROR; | |
362 } | |
363 #else | |
364 | |
365 EVP_PKEY_CTX *pctx; | |
366 | |
367 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); | |
368 | |
369 if (EVP_PKEY_derive_init(pctx) <= 0) { | |
370 return NGX_ERROR; | |
371 } | |
372 | |
373 if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) { | |
374 return NGX_ERROR; | |
375 } | |
376 | |
377 if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { | |
378 return NGX_ERROR; | |
379 } | |
380 | |
381 if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) { | |
382 return NGX_ERROR; | |
383 } | |
384 | |
385 if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) { | |
386 return NGX_ERROR; | |
387 } | |
388 | |
389 if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) { | |
390 return NGX_ERROR; | |
391 } | |
392 | |
393 #endif | |
394 | |
395 return NGX_OK; | |
396 } | |
397 | |
398 | |
399 static ngx_int_t | |
400 ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, | |
401 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, | |
402 ngx_log_t *log) | |
403 { | |
404 | |
405 #ifdef OPENSSL_IS_BORINGSSL | |
406 EVP_AEAD_CTX *ctx; | |
407 | |
408 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, | |
409 EVP_AEAD_DEFAULT_TAG_LENGTH); | |
410 if (ctx == NULL) { | |
411 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed"); | |
412 return NGX_ERROR; | |
413 } | |
414 | |
415 if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len, | |
416 in->data, in->len, ad->data, ad->len) | |
417 != 1) | |
418 { | |
419 EVP_AEAD_CTX_free(ctx); | |
420 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_open() failed"); | |
421 return NGX_ERROR; | |
422 } | |
423 | |
424 EVP_AEAD_CTX_free(ctx); | |
425 #else | |
426 int len; | |
427 u_char *tag; | |
428 EVP_CIPHER_CTX *ctx; | |
429 | |
430 ctx = EVP_CIPHER_CTX_new(); | |
431 if (ctx == NULL) { | |
432 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed"); | |
433 return NGX_ERROR; | |
434 } | |
435 | |
436 if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { | |
437 EVP_CIPHER_CTX_free(ctx); | |
438 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | |
439 return NGX_ERROR; | |
440 } | |
441 | |
442 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) | |
443 == 0) | |
444 { | |
445 EVP_CIPHER_CTX_free(ctx); | |
446 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
447 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); | |
448 return NGX_ERROR; | |
449 } | |
450 | |
451 if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | |
452 EVP_CIPHER_CTX_free(ctx); | |
453 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed"); | |
454 return NGX_ERROR; | |
455 } | |
456 | |
457 if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | |
458 EVP_CIPHER_CTX_free(ctx); | |
459 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | |
460 return NGX_ERROR; | |
461 } | |
462 | |
463 if (EVP_DecryptUpdate(ctx, out->data, &len, in->data, | |
464 in->len - EVP_GCM_TLS_TAG_LEN) | |
465 != 1) | |
466 { | |
467 EVP_CIPHER_CTX_free(ctx); | |
468 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed"); | |
469 return NGX_ERROR; | |
470 } | |
471 | |
472 out->len = len; | |
473 tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN; | |
474 | |
475 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag) | |
476 == 0) | |
477 { | |
478 EVP_CIPHER_CTX_free(ctx); | |
479 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
480 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed"); | |
481 return NGX_ERROR; | |
482 } | |
483 | |
484 if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) { | |
485 EVP_CIPHER_CTX_free(ctx); | |
486 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed"); | |
487 return NGX_ERROR; | |
488 } | |
489 | |
490 out->len += len; | |
491 | |
492 EVP_CIPHER_CTX_free(ctx); | |
493 #endif | |
494 | |
495 return NGX_OK; | |
496 } | |
497 | |
498 | |
499 static ngx_int_t | |
500 ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, | |
501 ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) | |
502 { | |
503 | |
504 #ifdef OPENSSL_IS_BORINGSSL | |
505 EVP_AEAD_CTX *ctx; | |
506 | |
507 ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len, | |
508 EVP_AEAD_DEFAULT_TAG_LENGTH); | |
509 if (ctx == NULL) { | |
510 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed"); | |
511 return NGX_ERROR; | |
512 } | |
513 | |
514 if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len, | |
515 in->data, in->len, ad->data, ad->len) | |
516 != 1) | |
517 { | |
518 EVP_AEAD_CTX_free(ctx); | |
519 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_seal() failed"); | |
520 return NGX_ERROR; | |
521 } | |
522 | |
523 EVP_AEAD_CTX_free(ctx); | |
524 #else | |
525 int len; | |
526 EVP_CIPHER_CTX *ctx; | |
527 | |
528 ctx = EVP_CIPHER_CTX_new(); | |
529 if (ctx == NULL) { | |
530 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed"); | |
531 return NGX_ERROR; | |
532 } | |
533 | |
534 if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) { | |
535 EVP_CIPHER_CTX_free(ctx); | |
536 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | |
537 return NGX_ERROR; | |
538 } | |
539 | |
540 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL) | |
541 == 0) | |
542 { | |
543 EVP_CIPHER_CTX_free(ctx); | |
544 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
545 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed"); | |
546 return NGX_ERROR; | |
547 } | |
548 | |
549 if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) { | |
550 EVP_CIPHER_CTX_free(ctx); | |
551 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | |
552 return NGX_ERROR; | |
553 } | |
554 | |
555 if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) { | |
556 EVP_CIPHER_CTX_free(ctx); | |
557 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed"); | |
558 return NGX_ERROR; | |
559 } | |
560 | |
561 if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) { | |
562 EVP_CIPHER_CTX_free(ctx); | |
563 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed"); | |
564 return NGX_ERROR; | |
565 } | |
566 | |
567 out->len = len; | |
568 | |
569 if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) { | |
570 EVP_CIPHER_CTX_free(ctx); | |
571 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_ex failed"); | |
572 return NGX_ERROR; | |
573 } | |
574 | |
575 out->len += len; | |
576 | |
577 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN, | |
578 out->data + in->len) | |
579 == 0) | |
580 { | |
581 EVP_CIPHER_CTX_free(ctx); | |
582 ngx_ssl_error(NGX_LOG_INFO, log, 0, | |
583 "EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed"); | |
584 return NGX_ERROR; | |
585 } | |
586 | |
587 EVP_CIPHER_CTX_free(ctx); | |
588 | |
589 out->len += EVP_GCM_TLS_TAG_LEN; | |
590 #endif | |
591 return NGX_OK; | |
592 } | |
593 | |
594 | |
595 static ngx_int_t | |
596 ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, | |
597 ngx_quic_secret_t *s, u_char *out, u_char *in) | |
598 { | |
599 int outlen; | |
600 EVP_CIPHER_CTX *ctx; | |
601 u_char zero[5] = {0}; | |
602 | |
603 #ifdef OPENSSL_IS_BORINGSSL | |
604 uint32_t counter; | |
605 | |
606 ngx_memcpy(&counter, in, sizeof(uint32_t)); | |
607 | |
608 if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) { | |
609 CRYPTO_chacha_20(out, zero, 5, s->hp.data, &in[4], counter); | |
610 return NGX_OK; | |
611 } | |
612 #endif | |
613 | |
614 ctx = EVP_CIPHER_CTX_new(); | |
615 if (ctx == NULL) { | |
616 return NGX_ERROR; | |
617 } | |
618 | |
619 if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, in) != 1) { | |
620 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed"); | |
621 goto failed; | |
622 } | |
623 | |
624 if (!EVP_EncryptUpdate(ctx, out, &outlen, zero, 5)) { | |
625 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed"); | |
626 goto failed; | |
627 } | |
628 | |
629 if (!EVP_EncryptFinal_ex(ctx, out + 5, &outlen)) { | |
630 ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_Ex() failed"); | |
631 goto failed; | |
632 } | |
633 | |
634 EVP_CIPHER_CTX_free(ctx); | |
635 | |
636 return NGX_OK; | |
637 | |
638 failed: | |
639 | |
640 EVP_CIPHER_CTX_free(ctx); | |
641 | |
642 return NGX_ERROR; | |
643 } | |
644 | |
645 | |
646 int ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write, | |
647 ngx_quic_keys_t *keys, enum ssl_encryption_level_t level, | |
648 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) | |
649 { | |
650 ngx_int_t key_len; | |
651 ngx_uint_t i; | |
652 ngx_quic_secret_t *peer_secret; | |
653 ngx_quic_ciphers_t ciphers; | |
654 | |
655 peer_secret = is_write ? &keys->secrets[level].server | |
656 : &keys->secrets[level].client; | |
657 | |
658 keys->cipher = SSL_CIPHER_get_protocol_id(cipher); | |
659 | |
660 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); | |
661 | |
662 if (key_len == NGX_ERROR) { | |
663 ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher"); | |
664 return 0; | |
665 } | |
666 | |
667 if (level == ssl_encryption_initial) { | |
668 return 0; | |
669 } | |
670 | |
671 peer_secret->secret.data = ngx_pnalloc(pool, secret_len); | |
672 if (peer_secret->secret.data == NULL) { | |
673 return NGX_ERROR; | |
674 } | |
675 | |
676 peer_secret->secret.len = secret_len; | |
677 ngx_memcpy(peer_secret->secret.data, secret, secret_len); | |
678 | |
679 peer_secret->key.len = key_len; | |
680 peer_secret->iv.len = NGX_QUIC_IV_LEN; | |
681 peer_secret->hp.len = key_len; | |
682 | |
683 struct { | |
684 ngx_str_t label; | |
685 ngx_str_t *key; | |
686 const uint8_t *secret; | |
687 } seq[] = { | |
688 { ngx_string("tls13 quic key"), &peer_secret->key, secret }, | |
689 { ngx_string("tls13 quic iv"), &peer_secret->iv, secret }, | |
690 { ngx_string("tls13 quic hp"), &peer_secret->hp, secret }, | |
691 }; | |
692 | |
693 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
694 | |
695 if (ngx_quic_hkdf_expand(pool, ciphers.d, seq[i].key, &seq[i].label, | |
696 seq[i].secret, secret_len) | |
697 != NGX_OK) | |
698 { | |
699 return 0; | |
700 } | |
701 } | |
702 | |
703 return 1; | |
704 } | |
705 | |
706 | |
707 ngx_quic_keys_t * | |
708 ngx_quic_keys_new(ngx_pool_t *pool) | |
709 { | |
710 return ngx_pcalloc(pool, sizeof(ngx_quic_keys_t)); | |
711 } | |
712 | |
713 | |
714 ngx_uint_t | |
715 ngx_quic_keys_available(ngx_quic_keys_t *keys, | |
716 enum ssl_encryption_level_t level) | |
717 { | |
718 return keys->secrets[level].client.key.len != 0; | |
719 } | |
720 | |
721 | |
722 void | |
723 ngx_quic_keys_discard(ngx_quic_keys_t *keys, | |
724 enum ssl_encryption_level_t level) | |
725 { | |
726 keys->secrets[level].client.key.len = 0; | |
727 } | |
728 | |
729 | |
730 void | |
731 ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys) | |
732 { | |
733 ngx_quic_secrets_t *current, *next, tmp; | |
734 | |
735 current = &keys->secrets[ssl_encryption_application]; | |
736 next = &keys->next_key; | |
737 | |
738 tmp = *current; | |
739 *current = *next; | |
740 *next = tmp; | |
741 } | |
742 | |
743 | |
744 ngx_int_t | |
745 ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys) | |
746 { | |
747 ngx_uint_t i; | |
748 ngx_quic_ciphers_t ciphers; | |
749 ngx_quic_secrets_t *current, *next; | |
750 | |
751 current = &keys->secrets[ssl_encryption_application]; | |
752 next = &keys->next_key; | |
753 | |
754 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update"); | |
755 | |
756 if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application) | |
757 == NGX_ERROR) | |
758 { | |
759 return NGX_ERROR; | |
760 } | |
761 | |
762 next->client.secret.len = current->client.secret.len; | |
763 next->client.key.len = current->client.key.len; | |
764 next->client.iv.len = current->client.iv.len; | |
765 next->client.hp = current->client.hp; | |
766 | |
767 next->server.secret.len = current->server.secret.len; | |
768 next->server.key.len = current->server.key.len; | |
769 next->server.iv.len = current->server.iv.len; | |
770 next->server.hp = current->server.hp; | |
771 | |
772 struct { | |
773 ngx_str_t label; | |
774 ngx_str_t *key; | |
775 ngx_str_t *secret; | |
776 } seq[] = { | |
777 { | |
778 ngx_string("tls13 quic ku"), | |
779 &next->client.secret, | |
780 ¤t->client.secret, | |
781 }, | |
782 { | |
783 ngx_string("tls13 quic key"), | |
784 &next->client.key, | |
785 &next->client.secret, | |
786 }, | |
787 { | |
788 ngx_string("tls13 quic iv"), | |
789 &next->client.iv, | |
790 &next->client.secret, | |
791 }, | |
792 { | |
793 ngx_string("tls13 quic ku"), | |
794 &next->server.secret, | |
795 ¤t->server.secret, | |
796 }, | |
797 { | |
798 ngx_string("tls13 quic key"), | |
799 &next->server.key, | |
800 &next->server.secret, | |
801 }, | |
802 { | |
803 ngx_string("tls13 quic iv"), | |
804 &next->server.iv, | |
805 &next->server.secret, | |
806 }, | |
807 }; | |
808 | |
809 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | |
810 | |
811 if (ngx_quic_hkdf_expand(c->pool, ciphers.d, seq[i].key, &seq[i].label, | |
812 seq[i].secret->data, seq[i].secret->len) | |
813 != NGX_OK) | |
814 { | |
815 return NGX_ERROR; | |
816 } | |
817 } | |
818 | |
819 return NGX_OK; | |
820 } | |
821 | |
822 | |
823 static ngx_int_t | |
824 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res) | |
825 { | |
826 u_char *pnp, *sample; | |
827 ngx_str_t ad, out; | |
828 ngx_uint_t i; | |
829 ngx_quic_secret_t *secret; | |
830 ngx_quic_ciphers_t ciphers; | |
831 u_char nonce[12], mask[16]; | |
832 | |
833 out.len = pkt->payload.len + EVP_GCM_TLS_TAG_LEN; | |
834 | |
835 ad.data = res->data; | |
836 ad.len = ngx_quic_create_header(pkt, ad.data, out.len, &pnp); | |
837 | |
838 out.data = res->data + ad.len; | |
839 | |
840 #ifdef NGX_QUIC_DEBUG_CRYPTO | |
841 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
842 "quic ad len:%uz %xV", ad.len, &ad); | |
843 #endif | |
844 | |
845 if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR) | |
846 { | |
847 return NGX_ERROR; | |
848 } | |
849 | |
850 secret = &pkt->keys->secrets[pkt->level].server; | |
851 | |
852 ngx_memcpy(nonce, secret->iv.data, secret->iv.len); | |
853 ngx_quic_compute_nonce(nonce, sizeof(nonce), pkt->number); | |
854 | |
855 if (ngx_quic_tls_seal(ciphers.c, secret, &out, | |
856 nonce, &pkt->payload, &ad, pkt->log) | |
857 != NGX_OK) | |
858 { | |
859 return NGX_ERROR; | |
860 } | |
861 | |
862 sample = &out.data[4 - pkt->num_len]; | |
863 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) | |
864 != NGX_OK) | |
865 { | |
866 return NGX_ERROR; | |
867 } | |
868 | |
869 /* quic-tls: 5.4.1. Header Protection Application */ | |
870 ad.data[0] ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); | |
871 | |
872 for (i = 0; i < pkt->num_len; i++) { | |
873 pnp[i] ^= mask[i + 1]; | |
874 } | |
875 | |
876 res->len = ad.len + out.len; | |
877 | |
878 return NGX_OK; | |
879 } | |
880 | |
881 | |
882 static ngx_int_t | |
883 ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res) | |
884 { | |
885 u_char *start; | |
886 ngx_str_t ad, itag; | |
887 ngx_quic_secret_t secret; | |
888 ngx_quic_ciphers_t ciphers; | |
889 | |
890 /* 5.8. Retry Packet Integrity */ | |
891 static u_char key[16] = | |
892 #if (NGX_QUIC_DRAFT_VERSION >= 29) | |
893 "\xcc\xce\x18\x7e\xd0\x9a\x09\xd0\x57\x28\x15\x5a\x6c\xb9\x6b\xe1"; | |
894 #else | |
895 "\x4d\x32\xec\xdb\x2a\x21\x33\xc8\x41\xe4\x04\x3d\xf2\x7d\x44\x30"; | |
896 #endif | |
897 static u_char nonce[12] = | |
898 #if (NGX_QUIC_DRAFT_VERSION >= 29) | |
899 "\xe5\x49\x30\xf9\x7f\x21\x36\xf0\x53\x0a\x8c\x1c"; | |
900 #else | |
901 "\x4d\x16\x11\xd0\x55\x13\xa5\x52\xc5\x87\xd5\x75"; | |
902 #endif | |
903 static ngx_str_t in = ngx_string(""); | |
904 | |
905 ad.data = res->data; | |
906 ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start); | |
907 | |
908 itag.data = ad.data + ad.len; | |
909 itag.len = EVP_GCM_TLS_TAG_LEN; | |
910 | |
911 #ifdef NGX_QUIC_DEBUG_CRYPTO | |
912 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
913 "quic retry itag len:%uz %xV", ad.len, &ad); | |
914 #endif | |
915 | |
916 if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) { | |
917 return NGX_ERROR; | |
918 } | |
919 | |
920 secret.key.len = sizeof(key); | |
921 secret.key.data = key; | |
922 secret.iv.len = sizeof(nonce); | |
923 | |
924 if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log) | |
925 != NGX_OK) | |
926 { | |
927 return NGX_ERROR; | |
928 } | |
929 | |
930 res->len = itag.data + itag.len - start; | |
931 res->data = start; | |
932 | |
933 return NGX_OK; | |
934 } | |
935 | |
936 | |
937 ngx_int_t | |
938 ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid, ngx_str_t *secret, | |
939 u_char *token) | |
940 { | |
941 uint8_t *p; | |
942 size_t is_len, key_len, info_len; | |
943 ngx_str_t label; | |
944 const EVP_MD *digest; | |
945 uint8_t info[20]; | |
946 uint8_t is[SHA256_DIGEST_LENGTH]; | |
947 uint8_t key[SHA256_DIGEST_LENGTH]; | |
948 | |
949 /* 10.4.2. Calculating a Stateless Reset Token */ | |
950 | |
951 digest = EVP_sha256(); | |
952 ngx_str_set(&label, "sr_token_key"); | |
953 | |
954 if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len, | |
955 cid->data, cid->len) | |
956 != NGX_OK) | |
957 { | |
958 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
959 "ngx_hkdf_extract(%V) failed", &label); | |
960 return NGX_ERROR; | |
961 } | |
962 | |
963 key_len = SHA256_DIGEST_LENGTH; | |
964 | |
965 info_len = 2 + 1 + label.len + 1; | |
966 | |
967 info[0] = 0; | |
968 info[1] = key_len; | |
969 info[2] = label.len; | |
970 | |
971 p = ngx_cpymem(&info[3], label.data, label.len); | |
972 *p = '\0'; | |
973 | |
974 if (ngx_hkdf_expand(key, key_len, digest, is, is_len, info, info_len) | |
975 != NGX_OK) | |
976 { | |
977 ngx_ssl_error(NGX_LOG_INFO, c->log, 0, | |
978 "ngx_hkdf_expand(%V) failed", &label); | |
979 return NGX_ERROR; | |
980 } | |
981 | |
982 ngx_memcpy(token, key, NGX_QUIC_SR_TOKEN_LEN); | |
983 | |
984 #if (NGX_DEBUG) | |
985 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
986 "quic stateless reset token %*xs", | |
987 (size_t) NGX_QUIC_SR_TOKEN_LEN, token); | |
988 #endif | |
989 | |
990 return NGX_OK; | |
991 } | |
992 | |
993 | |
994 static uint64_t | |
995 ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, | |
996 uint64_t *largest_pn) | |
997 { | |
998 u_char *p; | |
999 uint64_t truncated_pn, expected_pn, candidate_pn; | |
1000 uint64_t pn_nbits, pn_win, pn_hwin, pn_mask; | |
1001 | |
1002 pn_nbits = ngx_min(len * 8, 62); | |
1003 | |
1004 p = *pos; | |
1005 truncated_pn = *p++ ^ *mask++; | |
1006 | |
1007 while (--len) { | |
1008 truncated_pn = (truncated_pn << 8) + (*p++ ^ *mask++); | |
1009 } | |
1010 | |
1011 *pos = p; | |
1012 | |
1013 expected_pn = *largest_pn + 1; | |
1014 pn_win = 1ULL << pn_nbits; | |
1015 pn_hwin = pn_win / 2; | |
1016 pn_mask = pn_win - 1; | |
1017 | |
1018 candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; | |
1019 | |
1020 if ((int64_t) candidate_pn <= (int64_t) (expected_pn - pn_hwin) | |
1021 && candidate_pn < (1ULL << 62) - pn_win) | |
1022 { | |
1023 candidate_pn += pn_win; | |
1024 | |
1025 } else if (candidate_pn > expected_pn + pn_hwin | |
1026 && candidate_pn >= pn_win) | |
1027 { | |
1028 candidate_pn -= pn_win; | |
1029 } | |
1030 | |
1031 *largest_pn = ngx_max((int64_t) *largest_pn, (int64_t) candidate_pn); | |
1032 | |
1033 return candidate_pn; | |
1034 } | |
1035 | |
1036 | |
1037 static void | |
1038 ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn) | |
1039 { | |
1040 nonce[len - 4] ^= (pn & 0xff000000) >> 24; | |
1041 nonce[len - 3] ^= (pn & 0x00ff0000) >> 16; | |
1042 nonce[len - 2] ^= (pn & 0x0000ff00) >> 8; | |
1043 nonce[len - 1] ^= (pn & 0x000000ff); | |
1044 } | |
1045 | |
1046 | |
1047 ngx_int_t | |
1048 ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res) | |
1049 { | |
1050 if (ngx_quic_pkt_retry(pkt->flags)) { | |
1051 return ngx_quic_create_retry_packet(pkt, res); | |
1052 } | |
1053 | |
1054 return ngx_quic_create_packet(pkt, res); | |
1055 } | |
1056 | |
1057 | |
1058 ngx_int_t | |
1059 ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn) | |
1060 { | |
1061 u_char *p, *sample; | |
1062 size_t len; | |
1063 uint64_t pn, lpn; | |
1064 ngx_int_t pnl, rc, key_phase; | |
1065 ngx_str_t in, ad; | |
1066 ngx_quic_secret_t *secret; | |
1067 ngx_quic_ciphers_t ciphers; | |
1068 uint8_t mask[16], nonce[12]; | |
1069 | |
1070 if (ngx_quic_ciphers(pkt->keys->cipher, &ciphers, pkt->level) == NGX_ERROR) | |
1071 { | |
1072 return NGX_ERROR; | |
1073 } | |
1074 | |
1075 secret = &pkt->keys->secrets[pkt->level].client; | |
1076 | |
1077 p = pkt->raw->pos; | |
1078 len = pkt->data + pkt->len - p; | |
1079 | |
1080 /* draft-ietf-quic-tls-23#section-5.4.2: | |
1081 * the Packet Number field is assumed to be 4 bytes long | |
1082 * draft-ietf-quic-tls-23#section-5.4.[34]: | |
1083 * AES-Based and ChaCha20-Based header protections sample 16 bytes | |
1084 */ | |
1085 | |
1086 if (len < EVP_GCM_TLS_TAG_LEN + 4) { | |
1087 return NGX_DECLINED; | |
1088 } | |
1089 | |
1090 sample = p + 4; | |
1091 | |
1092 /* header protection */ | |
1093 | |
1094 if (ngx_quic_tls_hp(pkt->log, ciphers.hp, secret, mask, sample) | |
1095 != NGX_OK) | |
1096 { | |
1097 return NGX_DECLINED; | |
1098 } | |
1099 | |
1100 pkt->flags ^= mask[0] & ngx_quic_pkt_hp_mask(pkt->flags); | |
1101 | |
1102 if (ngx_quic_short_pkt(pkt->flags)) { | |
1103 key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0; | |
1104 | |
1105 if (key_phase != pkt->key_phase) { | |
1106 secret = &pkt->keys->next_key.client; | |
1107 pkt->key_update = 1; | |
1108 } | |
1109 } | |
1110 | |
1111 lpn = *largest_pn; | |
1112 | |
1113 pnl = (pkt->flags & 0x03) + 1; | |
1114 pn = ngx_quic_parse_pn(&p, pnl, &mask[1], &lpn); | |
1115 | |
1116 pkt->pn = pn; | |
1117 | |
1118 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
1119 "quic packet rx clearflags:%xd", pkt->flags); | |
1120 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
1121 "quic packet rx number:%uL len:%xi", pn, pnl); | |
1122 | |
1123 /* packet protection */ | |
1124 | |
1125 in.data = p; | |
1126 in.len = len - pnl; | |
1127 | |
1128 ad.len = p - pkt->data; | |
1129 ad.data = pkt->plaintext; | |
1130 | |
1131 ngx_memcpy(ad.data, pkt->data, ad.len); | |
1132 ad.data[0] = pkt->flags; | |
1133 | |
1134 do { | |
1135 ad.data[ad.len - pnl] = pn >> (8 * (pnl - 1)) % 256; | |
1136 } while (--pnl); | |
1137 | |
1138 ngx_memcpy(nonce, secret->iv.data, secret->iv.len); | |
1139 ngx_quic_compute_nonce(nonce, sizeof(nonce), pn); | |
1140 | |
1141 #ifdef NGX_QUIC_DEBUG_CRYPTO | |
1142 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
1143 "quic ad len:%uz %xV", ad.len, &ad); | |
1144 #endif | |
1145 | |
1146 pkt->payload.len = in.len - EVP_GCM_TLS_TAG_LEN; | |
1147 pkt->payload.data = pkt->plaintext + ad.len; | |
1148 | |
1149 rc = ngx_quic_tls_open(ciphers.c, secret, &pkt->payload, | |
1150 nonce, &in, &ad, pkt->log); | |
1151 if (rc != NGX_OK) { | |
1152 return NGX_DECLINED; | |
1153 } | |
1154 | |
1155 if (pkt->payload.len == 0) { | |
1156 /* | |
1157 * An endpoint MUST treat receipt of a packet containing no | |
1158 * frames as a connection error of type PROTOCOL_VIOLATION. | |
1159 */ | |
1160 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, "quic zero-length packet"); | |
1161 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | |
1162 return NGX_ERROR; | |
1163 } | |
1164 | |
1165 if (pkt->flags & ngx_quic_pkt_rb_mask(pkt->flags)) { | |
1166 /* | |
1167 * An endpoint MUST treat receipt of a packet that has | |
1168 * a non-zero value for these bits, after removing both | |
1169 * packet and header protection, as a connection error | |
1170 * of type PROTOCOL_VIOLATION. | |
1171 */ | |
1172 ngx_log_error(NGX_LOG_INFO, pkt->log, 0, | |
1173 "quic reserved bit set in packet"); | |
1174 pkt->error = NGX_QUIC_ERR_PROTOCOL_VIOLATION; | |
1175 return NGX_ERROR; | |
1176 } | |
1177 | |
1178 #if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS) | |
1179 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pkt->log, 0, | |
1180 "quic packet payload len:%uz %xV", | |
1181 pkt->payload.len, &pkt->payload); | |
1182 #endif | |
1183 | |
1184 *largest_pn = lpn; | |
1185 | |
1186 return NGX_OK; | |
1187 } | |
1188 |