Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Split transport and crypto parts into separate files.

Browse source 
New files:
    src/event/ngx_event_quic_protection.h
    src/event/ngx_event_quic_protection.c

The protection.h header provides interface to the crypto part of the QUIC:

2 functions to initialize corresponding secrets:

ngx_quic_set_initial_secret()
ngx_quic_set_encryption_secret()

and 2 functions to deal with packet processing:

ngx_quic_encrypt()
ngx_quic_decrypt()

Also, structures representing secrets are defined there.

All functions require SSL connection and a pool, only crypto operations
inside, no access to nginx connections or events.

Currently pool->log is used for the logging (instead of original c->log).
This commit is contained in:
Vladimir Homutov 2020-03-16 19:00:47 +03:00
parent 4c90b01897
commit aaa0d454bf
6 changed files with 1207 additions and 1220 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
auto/modules
View file

@ -1264,10 +1264,12 @@ if [ $USE_OPENSSL = YES ]; then
ngx_module_name=ngx_openssl_module
ngx_module_incs=
ngx_module_deps="src/event/ngx_event_openssl.h \
src/event/ngx_event_quic.h"
src/event/ngx_event_quic.h \
src/event/ngx_event_quic_protection.h"
ngx_module_srcs="src/event/ngx_event_openssl.c
src/event/ngx_event_openssl_stapling.c
src/event/ngx_event_quic.c"
src/event/ngx_event_quic.c
src/event/ngx_event_quic_protection.c"
ngx_module_libs=
ngx_module_link=YES
ngx_module_order=

1
src/core/ngx_core.h
View file

@ -85,6 +85,7 @@ typedef void (*ngx_connection_handler_pt)(ngx_connection_t *c);
#if (NGX_OPENSSL)
#include <ngx_event_openssl.h>
#include <ngx_event_quic.h>
#include <ngx_event_quic_protection.h>
#endif
#include <ngx_process_cycle.h>
#include <ngx_conf_file.h>

1273
src/event/ngx_event_quic.c
View file

File diff suppressed because it is too large Load diff

114
src/event/ngx_event_quic.h
View file

@ -10,6 +10,59 @@
#include <ngx_event_openssl.h>
#define quic_version 0xff000018 /* draft-24 */
/* 17.2. Long Header Packets */
#define NGX_QUIC_PKT_LONG 0x80
#define NGX_QUIC_PKT_INITIAL 0xc0
#define NGX_QUIC_PKT_HANDSHAKE 0xe0
#if (NGX_HAVE_NONALIGNED)
#define ngx_quic_parse_uint16(p) ntohs(*(uint16_t *) (p))
#define ngx_quic_parse_uint32(p) ntohl(*(uint32_t *) (p))
#define ngx_quic_write_uint16 ngx_quic_write_uint16_aligned
#define ngx_quic_write_uint32 ngx_quic_write_uint32_aligned
#else
#define ngx_quic_parse_uint16(p) ((p)[0] << 8 | (p)[1])
#define ngx_quic_parse_uint32(p) \
((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3])
#define ngx_quic_write_uint16(p, s) \
((p)[0] = (u_char) ((s) >> 8), \
(p)[1] = (u_char) (s), \
(p) + sizeof(uint16_t))
#define ngx_quic_write_uint32(p, s) \
((p)[0] = (u_char) ((s) >> 24), \
(p)[1] = (u_char) ((s) >> 16), \
(p)[2] = (u_char) ((s) >> 8), \
(p)[3] = (u_char) (s), \
(p) + sizeof(uint32_t))
#endif
#define ngx_quic_write_uint16_aligned(p, s) \
(*(uint16_t *) (p) = htons((uint16_t) (s)), (p) + sizeof(uint16_t))
#define ngx_quic_write_uint32_aligned(p, s) \
(*(uint32_t *) (p) = htonl((uint32_t) (s)), (p) + sizeof(uint32_t))
#define ngx_quic_varint_len(value) \
((value) <= 63 ? 1 \
: ((uint32_t) value) <= 16383 ? 2 \
: ((uint64_t) value) <= 1073741823 ? 4 \
: 8)
struct ngx_quic_stream_s {
uint64_t id;
ngx_uint_t unidirectional:1;
@ -17,9 +70,35 @@ struct ngx_quic_stream_s {
void *data;
};
/* TODO: get rid somehow of ssl argument? */
ngx_int_t ngx_quic_input(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_buf_t *b);
ngx_int_t ngx_quic_output(ngx_connection_t *c);
typedef struct ngx_quic_secret_s ngx_quic_secret_t;
typedef enum ssl_encryption_level_t ngx_quic_level_t;
typedef struct {
ngx_quic_secret_t *secret;
ngx_uint_t type;
ngx_uint_t *number;
ngx_uint_t flags;
uint32_t version;
ngx_str_t token;
ngx_quic_level_t level;
/* filled in by parser */
ngx_buf_t *raw; /* udp datagram from wire */
u_char *data; /* quic packet */
size_t len;
/* cleartext fields */
ngx_str_t dcid;
ngx_str_t scid;
uint64_t pn;
ngx_str_t payload; /* decrypted payload */
} ngx_quic_header_t;
void ngx_quic_build_int(u_char **pos, uint64_t value);
void ngx_quic_init_ssl_methods(SSL_CTX* ctx);
@ -27,4 +106,33 @@ void ngx_quic_run(ngx_connection_t *c, ngx_ssl_t *ssl, ngx_msec_t timeout,
ngx_connection_handler_pt handler);
ngx_connection_t *ngx_quic_create_uni_stream(ngx_connection_t *c);
/********************************* DEBUG *************************************/
#if (NGX_DEBUG)
#define ngx_quic_hexdump(log, fmt, data, len, ...) \
do { \
ngx_int_t m; \
u_char buf[2048]; \
\
if (log->log_level & NGX_LOG_DEBUG_EVENT) { \
m = ngx_hex_dump(buf, (u_char *) data, ngx_min(len, 1024)) - buf; \
ngx_log_debug(NGX_LOG_DEBUG_EVENT, log, 0, \
"%s: " fmt " %*s%s, len: %uz", \
__FUNCTION__, __VA_ARGS__, m, buf, \
len < 2048 ? "" : "...", len); \
} \
} while (0)
#else
#define ngx_quic_hexdump(log, fmt, data, len, ...)
#endif
#define ngx_quic_hexdump0(log, fmt, data, len) \
ngx_quic_hexdump(log, fmt "%s", data, len, "") \
#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */

987
src/event/ngx_event_quic_protection.c Normal file
View file

@ -0,0 +1,987 @@
/*
* Copyright (C) Nginx, Inc.
*/
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
#define NGX_QUIC_IV_LEN 12
#define NGX_AES_128_GCM_SHA256 0x1301
#define NGX_AES_256_GCM_SHA384 0x1302
#define NGX_CHACHA20_POLY1305_SHA256 0x1303
#ifdef OPENSSL_IS_BORINGSSL
#define ngx_quic_cipher_t EVP_AEAD
#else
#define ngx_quic_cipher_t EVP_CIPHER
#endif
typedef struct {
const ngx_quic_cipher_t *c;
const EVP_CIPHER *hp;
const EVP_MD *d;
} ngx_quic_ciphers_t;
static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
const EVP_MD *digest, const u_char *prk, size_t prk_len,
const u_char *info, size_t info_len);
static ngx_int_t ngx_hkdf_extract(u_char *out_key, size_t *out_len,
const EVP_MD *digest, const u_char *secret, size_t secret_len,
const u_char *salt, size_t salt_len);
static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask);
static ngx_int_t ngx_quic_ciphers(ngx_ssl_conn_t *ssl_conn,
ngx_quic_ciphers_t *ciphers, enum ssl_encryption_level_t level);
static ngx_int_t ngx_quic_tls_open(ngx_pool_t *pool, const ngx_quic_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
ngx_str_t *ad);
static ngx_int_t ngx_quic_tls_seal(ngx_pool_t *pool,
const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
ngx_quic_secret_t *s, u_char *out, u_char *in);
static ngx_int_t ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest,
ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len);
static ngx_int_t ngx_quic_create_long_packet(ngx_pool_t *pool,
ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in,
ngx_str_t *res);
static ngx_int_t ngx_quic_create_short_packet(ngx_pool_t *pool,
ngx_ssl_conn_t *ssl_conn, ngx_quic_header_t *pkt, ngx_str_t *in,
ngx_str_t *res);
static ngx_int_t
ngx_quic_ciphers(ngx_ssl_conn_t *ssl_conn, ngx_quic_ciphers_t *ciphers,
enum ssl_encryption_level_t level)
{
ngx_int_t id, len;
if (level == ssl_encryption_initial) {
id = NGX_AES_128_GCM_SHA256;
} else {
id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff;
}
switch (id) {
case NGX_AES_128_GCM_SHA256:
#ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_aes_128_gcm();
#else
ciphers->c = EVP_aes_128_gcm();
#endif
ciphers->hp = EVP_aes_128_ctr();
ciphers->d = EVP_sha256();
len = 16;
break;
case NGX_AES_256_GCM_SHA384:
#ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_aes_256_gcm();
#else
ciphers->c = EVP_aes_256_gcm();
#endif
ciphers->hp = EVP_aes_256_ctr();
ciphers->d = EVP_sha384();
len = 32;
break;
case NGX_CHACHA20_POLY1305_SHA256:
#ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_chacha20_poly1305();
#else
ciphers->c = EVP_chacha20_poly1305();
#endif
#ifdef OPENSSL_IS_BORINGSSL
ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
#else
ciphers->hp = EVP_chacha20();
#endif
ciphers->d = EVP_sha256();
len = 32;
break;
default:
return NGX_ERROR;
}
return len;
}
ngx_int_t
ngx_quic_set_initial_secret(ngx_pool_t *pool, ngx_quic_secrets_t *qsec,
ngx_str_t *secret)
{
size_t is_len;
uint8_t is[SHA256_DIGEST_LENGTH];
ngx_uint_t i;
const EVP_MD *digest;
const EVP_CIPHER *cipher;
static const uint8_t salt[20] =
"\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7"
"\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02";
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
cipher = EVP_aes_128_gcm();
digest = EVP_sha256();
if (ngx_hkdf_extract(is, &is_len, digest, secret->data, secret->len,
salt, sizeof(salt))
!= NGX_OK)
{
return NGX_ERROR;
}
ngx_str_t iss = {
.data = is,
.len = is_len
};
ngx_quic_hexdump0(pool->log, "salt", salt, sizeof(salt));
ngx_quic_hexdump0(pool->log, "initial secret", is, is_len);
/* draft-ietf-quic-tls-23#section-5.2 */
qsec->client.in.secret.len = SHA256_DIGEST_LENGTH;
qsec->server.in.secret.len = SHA256_DIGEST_LENGTH;
qsec->client.in.key.len = EVP_CIPHER_key_length(cipher);
qsec->server.in.key.len = EVP_CIPHER_key_length(cipher);
qsec->client.in.hp.len = EVP_CIPHER_key_length(cipher);
qsec->server.in.hp.len = EVP_CIPHER_key_length(cipher);
qsec->client.in.iv.len = EVP_CIPHER_iv_length(cipher);
qsec->server.in.iv.len = EVP_CIPHER_iv_length(cipher);
struct {
ngx_str_t label;
ngx_str_t *key;
ngx_str_t *prk;
} seq[] = {
/* draft-ietf-quic-tls-23#section-5.2 */
{ ngx_string("tls13 client in"), &qsec->client.in.secret, &iss },
{
ngx_string("tls13 quic key"),
&qsec->client.in.key,
&qsec->client.in.secret,
},
{
ngx_string("tls13 quic iv"),
&qsec->client.in.iv,
&qsec->client.in.secret,
},
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
ngx_string("tls13 quic hp"),
&qsec->client.in.hp,
&qsec->client.in.secret,
},
{ ngx_string("tls13 server in"), &qsec->server.in.secret, &iss },
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
ngx_string("tls13 quic key"),
&qsec->server.in.key,
&qsec->server.in.secret,
},
{
ngx_string("tls13 quic iv"),
&qsec->server.in.iv,
&qsec->server.in.secret,
},
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
ngx_string("tls13 quic hp"),
&qsec->server.in.hp,
&qsec->server.in.secret,
},
};
for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
if (ngx_quic_hkdf_expand(pool, digest, seq[i].key, &seq[i].label,
seq[i].prk->data, seq[i].prk->len)
!= NGX_OK)
{
return NGX_ERROR;
}
}
return NGX_OK;
}
static ngx_int_t
ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, ngx_str_t *out,
ngx_str_t *label, const uint8_t *prk, size_t prk_len)
{
size_t info_len;
uint8_t *p;
uint8_t info[20];
out->data = ngx_pnalloc(pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
info_len = 2 + 1 + label->len + 1;
info[0] = 0;
info[1] = out->len;
info[2] = label->len;
p = ngx_cpymem(&info[3], label->data, label->len);
*p = '\0';
if (ngx_hkdf_expand(out->data, out->len, digest,
prk, prk_len, info, info_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, pool->log, 0,
"ngx_hkdf_expand(%V) failed", label);
return NGX_ERROR;
}
ngx_quic_hexdump(pool->log, "%V info", info, info_len, label);
ngx_quic_hexdump(pool->log, "%V key", out->data, out->len, label);
return NGX_OK;
}
static ngx_int_t
ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
{
#ifdef OPENSSL_IS_BORINGSSL
if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
== 0)
{
return NGX_ERROR;
}
#else
EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (EVP_PKEY_derive_init(pctx) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
return NGX_ERROR;
}
#endif
return NGX_OK;
}
static ngx_int_t
ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
const u_char *secret, size_t secret_len, const u_char *salt,
size_t salt_len)
{
#ifdef OPENSSL_IS_BORINGSSL
if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
salt_len)
== 0)
{
return NGX_ERROR;
}
#else
EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (EVP_PKEY_derive_init(pctx) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) {
return NGX_ERROR;
}
if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) {
return NGX_ERROR;
}
#endif
return NGX_OK;
}
static ngx_int_t
ngx_quic_tls_open(ngx_pool_t *pool, const ngx_quic_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
ngx_str_t *ad)
{
ngx_log_t *log;
log = pool->log; // TODO: pass log ?
out->len = in->len - EVP_GCM_TLS_TAG_LEN;
out->data = ngx_pnalloc(pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *ctx;
ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_AEAD_CTX_open(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
in->data, in->len, ad->data, ad->len)
!= 1)
{
EVP_AEAD_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_open() failed");
return NGX_ERROR;
}
EVP_AEAD_CTX_free(ctx);
#else
int len;
u_char *tag;
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
return NGX_ERROR;
}
if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}
if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
in->len - EVP_GCM_TLS_TAG_LEN)
!= 1)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}
out->len = len;
tag = in->data + in->len - EVP_GCM_TLS_TAG_LEN;
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, EVP_GCM_TLS_TAG_LEN, tag)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_TAG) failed");
return NGX_ERROR;
}
if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptFinal_ex failed");
return NGX_ERROR;
}
out->len += len;
EVP_CIPHER_CTX_free(ctx);
#endif
return NGX_OK;
}
static ngx_int_t
ngx_quic_tls_seal(ngx_pool_t *pool, const ngx_quic_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, ngx_str_t *in,
ngx_str_t *ad)
{
ngx_log_t *log;
log = pool->log; // TODO: pass log ?
out->len = in->len + EVP_GCM_TLS_TAG_LEN;
out->data = ngx_pnalloc(pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
#ifdef OPENSSL_IS_BORINGSSL
EVP_AEAD_CTX *ctx;
ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
EVP_AEAD_DEFAULT_TAG_LENGTH);
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_AEAD_CTX_seal(ctx, out->data, &out->len, out->len, nonce, s->iv.len,
in->data, in->len, ad->data, ad->len)
!= 1)
{
EVP_AEAD_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_AEAD_CTX_seal() failed");
return NGX_ERROR;
}
EVP_AEAD_CTX_free(ctx);
#else
int len;
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CIPHER_CTX_new() failed");
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, s->iv.len, NULL)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_SET_IVLEN) failed");
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
return NGX_ERROR;
}
if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
return NGX_ERROR;
}
if (EVP_EncryptUpdate(ctx, out->data, &len, in->data, in->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
return NGX_ERROR;
}
out->len = len;
if (EVP_EncryptFinal_ex(ctx, out->data + out->len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_ex failed");
return NGX_ERROR;
}
out->len += len;
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, EVP_GCM_TLS_TAG_LEN,
out->data + in->len)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_GCM_GET_TAG) failed");
return NGX_ERROR;
}
EVP_CIPHER_CTX_free(ctx);
out->len += EVP_GCM_TLS_TAG_LEN;
#endif
return NGX_OK;
}
static ngx_int_t
ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
ngx_quic_secret_t *s, u_char *out, u_char *in)
{
int outlen;
EVP_CIPHER_CTX *ctx;
u_char zero[5] = {0};
#ifdef OPENSSL_IS_BORINGSSL
uint32_t counter;
ngx_memcpy(&counter, in, sizeof(uint32_t));
if (cipher == (const EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
CRYPTO_chacha_20(out, zero, 5, s->hp.data, &in[4], counter);
return NGX_OK;
}
#endif
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
return NGX_ERROR;
}
if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, in) != 1) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
goto failed;
}
if (!EVP_EncryptUpdate(ctx, out, &outlen, zero, 5)) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
goto failed;
}
if (!EVP_EncryptFinal_ex(ctx, out + 5, &outlen)) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptFinal_Ex() failed");
goto failed;
}
EVP_CIPHER_CTX_free(ctx);
return NGX_OK;
failed:
EVP_CIPHER_CTX_free(ctx);
return NGX_ERROR;
}
int
ngx_quic_set_encryption_secret(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, const uint8_t *secret,
size_t secret_len, ngx_quic_peer_secrets_t *qsec)
{
ngx_int_t key_len;
ngx_uint_t i;
ngx_quic_secret_t *peer_secret;
ngx_quic_ciphers_t ciphers;
key_len = ngx_quic_ciphers(ssl_conn, &ciphers, level);
if (key_len == NGX_ERROR) {
ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher");
return 0;
}
switch (level) {
case ssl_encryption_handshake:
peer_secret= &qsec->hs;
break;
case ssl_encryption_application:
peer_secret = &qsec->ad;
break;
default:
return 0;
}
peer_secret->key.len = key_len;
peer_secret->iv.len = NGX_QUIC_IV_LEN;
peer_secret->hp.len = key_len;
struct {
ngx_str_t label;
ngx_str_t *key;
const uint8_t *secret;
} seq[] = {
{ ngx_string("tls13 quic key"), &peer_secret->key, secret },
{ ngx_string("tls13 quic iv"), &peer_secret->iv, secret },
{ ngx_string("tls13 quic hp"), &peer_secret->hp, secret },
};
for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
if (ngx_quic_hkdf_expand(pool, ciphers.d, seq[i].key, &seq[i].label,
seq[i].secret, secret_len)
!= NGX_OK)
{
return 0;
}
}
return 1;
}
static ngx_int_t
ngx_quic_create_long_packet(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
{
u_char *p, *pnp, *nonce, *sample, *packet;
uint64_t pn;
ngx_log_t *log;
ngx_str_t ad, out;
ngx_quic_ciphers_t ciphers;
u_char mask[16];
log = pool->log;
out.len = payload->len + EVP_GCM_TLS_TAG_LEN;
ad.data = ngx_alloc(346 /*max header*/, log);
if (ad.data == 0) {
return NGX_ERROR;
}
p = ad.data;
*p++ = pkt->flags;
p = ngx_quic_write_uint32(p, quic_version);
*p++ = pkt->scid.len;
p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
*p++ = pkt->dcid.len;
p = ngx_cpymem(p, pkt->dcid.data, pkt->dcid.len);
if (pkt->level == ssl_encryption_initial) {
ngx_quic_build_int(&p, pkt->token.len);
}
ngx_quic_build_int(&p, out.len + 1); // length (inc. pnl)
pnp = p;
pn = *pkt->number;
*p++ = pn;
ad.len = p - ad.data;
ngx_quic_hexdump0(log, "ad", ad.data, ad.len);
if (ngx_quic_ciphers(ssl_conn, &ciphers, pkt->level) == NGX_ERROR) {
return NGX_ERROR;
}
nonce = ngx_pstrdup(pool, &pkt->secret->iv);
if (pkt->level == ssl_encryption_handshake) {
nonce[11] ^= pn;
}
ngx_quic_hexdump0(log, "server_iv", pkt->secret->iv.data, 12);
ngx_quic_hexdump0(log, "nonce", nonce, 12);
if (ngx_quic_tls_seal(pool, ciphers.c, pkt->secret, &out,
nonce, payload, &ad)
!= NGX_OK)
{
return NGX_ERROR;
}
sample = &out.data[3]; // pnl=0
if (ngx_quic_tls_hp(log, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) {
return NGX_ERROR;
}
ngx_quic_hexdump0(log, "sample", sample, 16);
ngx_quic_hexdump0(log, "mask", mask, 16);
ngx_quic_hexdump0(log, "hp_key", pkt->secret->hp.data, 16);
// header protection, pnl = 0
ad.data[0] ^= mask[0] & 0x0f;
*pnp ^= mask[1];
packet = ngx_alloc(ad.len + out.len, log);
if (packet == 0) {
return NGX_ERROR;
}
p = ngx_cpymem(packet, ad.data, ad.len);
p = ngx_cpymem(p, out.data, out.len);
res->data = packet;
res->len = p - packet;
return NGX_OK;
}
static ngx_int_t
ngx_quic_create_short_packet(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
{
u_char *p, *pnp, *nonce, *sample, *packet;
ngx_log_t *log;
ngx_str_t ad, out;
ngx_quic_ciphers_t ciphers;
u_char mask[16];
log = pool->log;
out.len = payload->len + EVP_GCM_TLS_TAG_LEN;
ad.data = ngx_alloc(25 /*max header*/, log);
if (ad.data == 0) {
return NGX_ERROR;
}
p = ad.data;
*p++ = 0x40;
p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
pnp = p;
*p++ = (*pkt->number);
ad.len = p - ad.data;
ngx_quic_hexdump0(log, "ad", ad.data, ad.len);
if (ngx_quic_ciphers(ssl_conn, &ciphers, pkt->level) == NGX_ERROR) {
return NGX_ERROR;
}
nonce = ngx_pstrdup(pool, &pkt->secret->iv);
if (pkt->level == ssl_encryption_handshake
|| pkt->level == ssl_encryption_application)
{
nonce[11] ^= *pkt->number;
}
ngx_quic_hexdump0(log, "server_iv", pkt->secret->iv.data, 12);
ngx_quic_hexdump0(log, "nonce", nonce, 12);
if (ngx_quic_tls_seal(pool, ciphers.c, pkt->secret, &out,
nonce, payload, &ad)
!= NGX_OK)
{
return NGX_ERROR;
}
ngx_quic_hexdump0(log, "out", out.data, out.len);
sample = &out.data[3]; // pnl=0
if (ngx_quic_tls_hp(log, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) {
return NGX_ERROR;
}
ngx_quic_hexdump0(log, "sample", sample, 16);
ngx_quic_hexdump0(log, "mask", mask, 16);
ngx_quic_hexdump0(log, "hp_key", pkt->secret->hp.data, 16);
// header protection, pnl = 0
ad.data[0] ^= mask[0] & 0x1f;
*pnp ^= mask[1];
packet = ngx_alloc(ad.len + out.len, log);
if (packet == 0) {
return NGX_ERROR;
}
p = ngx_cpymem(packet, ad.data, ad.len);
p = ngx_cpymem(p, out.data, out.len);
ngx_quic_hexdump0(log, "packet", packet, p - packet);
res->data = packet;
res->len = p - packet;
return NGX_OK;
}
static uint64_t
ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask)
{
u_char *p;
uint64_t value;
p = *pos;
value = *p++ ^ *mask++;
while (--len) {
value = (value << 8) + (*p++ ^ *mask++);
}
*pos = p;
return value;
}
ngx_int_t
ngx_quic_encrypt(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res)
{
if (pkt->level == ssl_encryption_application) {
return ngx_quic_create_short_packet(pool, ssl_conn, pkt, payload, res);
}
return ngx_quic_create_long_packet(pool, ssl_conn, pkt, payload, res);
}
ngx_int_t
ngx_quic_decrypt(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt)
{
u_char clearflags, *p, *sample;
uint8_t *nonce;
uint64_t pn;
ngx_log_t *log;
ngx_int_t pnl, rc;
ngx_str_t in, ad;
ngx_quic_ciphers_t ciphers;
uint8_t mask[16];
log = pool->log;
if (ngx_quic_ciphers(ssl_conn, &ciphers, pkt->level) == NGX_ERROR) {
return NGX_ERROR;
}
p = pkt->raw->pos;
/* draft-ietf-quic-tls-23#section-5.4.2:
* the Packet Number field is assumed to be 4 bytes long
* draft-ietf-quic-tls-23#section-5.4.[34]:
* AES-Based and ChaCha20-Based header protections sample 16 bytes
*/
sample = p + 4;
ngx_quic_hexdump0(log, "sample", sample, 16);
/* header protection */
if (ngx_quic_tls_hp(log, ciphers.hp, pkt->secret, mask, sample) != NGX_OK) {
return NGX_ERROR;
}
if (pkt->flags & NGX_QUIC_PKT_LONG) {
clearflags = pkt->flags ^ (mask[0] & 0x0f);
} else {
clearflags = pkt->flags ^ (mask[0] & 0x1f);
}
pnl = (clearflags & 0x03) + 1;
pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);
pkt->pn = pn;
ngx_quic_hexdump0(log, "mask", mask, 5);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, log, 0,
"quic clear flags: %xi", clearflags);
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
"quic packet number: %uL, len: %xi", pn, pnl);
/* packet protection */
in.data = p;
if (pkt->flags & NGX_QUIC_PKT_LONG) {
in.len = pkt->len - pnl;
} else {
in.len = pkt->data + pkt->len - p;
}
ad.len = p - pkt->data;
ad.data = ngx_pnalloc(pool, ad.len);
if (ad.data == NULL) {
return NGX_ERROR;
}
ngx_memcpy(ad.data, pkt->data, ad.len);
ad.data[0] = clearflags;
do {
ad.data[ad.len - pnl] = pn >> (8 * (pnl - 1)) % 256;
} while (--pnl);
nonce = ngx_pstrdup(pool, &pkt->secret->iv);
nonce[11] ^= pn;
ngx_quic_hexdump0(log, "nonce", nonce, 12);
ngx_quic_hexdump0(log, "ad", ad.data, ad.len);
rc = ngx_quic_tls_open(pool, ciphers.c, pkt->secret, &pkt->payload,
nonce, &in, &ad);
ngx_quic_hexdump0(log, "packet payload",
pkt->payload.data, pkt->payload.len);
return rc;
}

46
src/event/ngx_event_quic_protection.h Normal file
View file

@ -0,0 +1,46 @@
/*
* Copyright (C) Nginx, Inc.
*/
#ifndef _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
#define _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_
struct ngx_quic_secret_s {
ngx_str_t secret;
ngx_str_t key;
ngx_str_t iv;
ngx_str_t hp;
};
typedef struct {
ngx_quic_secret_t in;
ngx_quic_secret_t hs;
ngx_quic_secret_t ad;
} ngx_quic_peer_secrets_t;
typedef struct {
ngx_quic_peer_secrets_t client;
ngx_quic_peer_secrets_t server;
} ngx_quic_secrets_t;
ngx_int_t ngx_quic_set_initial_secret(ngx_pool_t *pool,
ngx_quic_secrets_t *secrets, ngx_str_t *secret);
int ngx_quic_set_encryption_secret(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, const uint8_t *secret, size_t secret_len,
ngx_quic_peer_secrets_t *qsec);
ngx_int_t ngx_quic_encrypt(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt, ngx_str_t *payload, ngx_str_t *res);
ngx_int_t ngx_quic_decrypt(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
ngx_quic_header_t *pkt);
#endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */