Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Using SSL cipher suite id to obtain cipher/digest, part 1.

Browse source 
While here, log the negotiated cipher just once, - after handshake.
This commit is contained in:
Sergey Kandaurov 2020-03-05 13:00:59 +03:00
parent 36412471e2
commit 73fc9eba33
1 changed files with 32 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

65
src/event/ngx_event_quic.c
View file

@ -10,6 +10,9 @@
#define quic_version 0xff000018 #define quic_version 0xff000018
#define NGX_AES_128_GCM_SHA256 0x1301
#define NGX_AES_256_GCM_SHA384 0x1302
#if (NGX_HAVE_NONALIGNED) #if (NGX_HAVE_NONALIGNED)
@ -485,7 +488,6 @@ ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, const uint8_t *read_secret, enum ssl_encryption_level_t level, const uint8_t *read_secret,
const uint8_t *write_secret, size_t secret_len) const uint8_t *write_secret, size_t secret_len)
{ {
u_char *name;
ngx_uint_t i; ngx_uint_t i;
const EVP_MD *digest; const EVP_MD *digest;
const EVP_CIPHER *cipher; const EVP_CIPHER *cipher;
@ -494,24 +496,22 @@ ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
//ngx_ssl_handshake_log(c); // TODO: enable again
ngx_quic_hexdump(c->log, "level:%d read", read_secret, secret_len, level); ngx_quic_hexdump(c->log, "level:%d read", read_secret, secret_len, level);
ngx_quic_hexdump(c->log, "level:%d read", write_secret, secret_len, level); ngx_quic_hexdump(c->log, "level:%d read", write_secret, secret_len, level);
name = (u_char *) SSL_get_cipher(ssl_conn); switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 case NGX_AES_128_GCM_SHA256:
|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
{
cipher = EVP_aes_128_gcm(); cipher = EVP_aes_128_gcm();
digest = EVP_sha256(); digest = EVP_sha256();
break;
} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { case NGX_AES_256_GCM_SHA384:
cipher = EVP_aes_256_gcm(); cipher = EVP_aes_256_gcm();
digest = EVP_sha384(); digest = EVP_sha384();
break;
} else { default:
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
return 0; return 0;
} }
@ -574,7 +574,7 @@ static ngx_int_t
ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
{ {
u_char *p, *pnp, *name, *nonce, *sample, *packet; u_char *p, *pnp, *nonce, *sample, *packet;
ngx_str_t ad, out; ngx_str_t ad, out;
const EVP_CIPHER *cipher; const EVP_CIPHER *cipher;
ngx_quic_connection_t *qc; ngx_quic_connection_t *qc;
@ -615,17 +615,17 @@ ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
name = (u_char *) SSL_get_cipher(ssl_conn); switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 case NGX_AES_128_GCM_SHA256:
|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
{
cipher = EVP_aes_128_gcm(); cipher = EVP_aes_128_gcm();
break;
} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { case NGX_AES_256_GCM_SHA384:
cipher = EVP_aes_256_gcm(); cipher = EVP_aes_256_gcm();
break;
} else { default:
return NGX_ERROR; return NGX_ERROR;
} }
@ -673,7 +673,7 @@ static ngx_int_t
ngx_quic_create_short_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn, ngx_quic_create_short_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res) ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
{ {
u_char *p, *pnp, *name, *nonce, *sample, *packet; u_char *p, *pnp, *nonce, *sample, *packet;
ngx_str_t ad, out; ngx_str_t ad, out;
const EVP_CIPHER *cipher; const EVP_CIPHER *cipher;
ngx_quic_connection_t *qc; ngx_quic_connection_t *qc;
@ -703,17 +703,17 @@ ngx_quic_create_short_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
name = (u_char *) SSL_get_cipher(ssl_conn); switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 case NGX_AES_128_GCM_SHA256:
|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
{
cipher = EVP_aes_128_gcm(); cipher = EVP_aes_128_gcm();
break;
} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { case NGX_AES_256_GCM_SHA384:
cipher = EVP_aes_256_gcm(); cipher = EVP_aes_256_gcm();
break;
} else { default:
return NGX_ERROR; return NGX_ERROR;
} }
@ -793,8 +793,6 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
qc = c->quic; qc = c->quic;
//ngx_ssl_handshake_log(c); // TODO: enable again
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"ngx_quic_add_handshake_data"); "ngx_quic_add_handshake_data");
@ -1304,19 +1302,17 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_buf_t *bb)
ngx_quic_hexdump0(c->log, "nonce", nonce, 12); ngx_quic_hexdump0(c->log, "nonce", nonce, 12);
ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len); ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
u_char *name = (u_char *) SSL_get_cipher(ssl_conn); switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic ssl cipher: %s", name);
if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0 case NGX_AES_128_GCM_SHA256:
|| ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
{
cipher = EVP_aes_128_gcm(); cipher = EVP_aes_128_gcm();
break;
} else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) { case NGX_AES_256_GCM_SHA384:
cipher = EVP_aes_256_gcm(); cipher = EVP_aes_256_gcm();
break;
} else { default:
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
return NGX_ERROR; return NGX_ERROR;
} }
@ -1381,6 +1377,9 @@ ngx_quic_handshake_input(ngx_connection_t *c, ngx_buf_t *bb)
(int) SSL_quic_read_level(ssl_conn), (int) SSL_quic_read_level(ssl_conn),
(int) SSL_quic_write_level(ssl_conn)); (int) SSL_quic_write_level(ssl_conn));
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic ssl cipher: %s", SSL_get_cipher(ssl_conn));
// ACK Client Finished // ACK Client Finished
ngx_quic_frame_t *frame; ngx_quic_frame_t *frame;