mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-21 21:31:05 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

QUIC: added error handling to ngx_hkdf_extract()/ngx_hkdf_expand().

Browse Source 
The OpenSSL variant of functions lacked proper error processing.
This commit is contained in:
Vladimir Homutov 2021-03-11 14:43:01 +03:00
parent 7f348b2d1f
commit b8fd5dc640
1 changed files with 42 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
src/event/quic/ngx_event_quic_protection.c
View File

@ -305,44 +305,57 @@ ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
{ {
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
== 0) == 0)
{ {
return NGX_ERROR; return NGX_ERROR;
} }
return NGX_OK;
#else #else
EVP_PKEY_CTX *pctx; EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (pctx == NULL) {
return NGX_ERROR;
}
if (EVP_PKEY_derive_init(pctx) <= 0) { if (EVP_PKEY_derive_init(pctx) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) { if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) { if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) { if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) { if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
return NGX_ERROR; goto failed;
} }
#endif
return NGX_OK; return NGX_OK;
failed:
EVP_PKEY_CTX_free(pctx);
return NGX_ERROR;
#endif
} }
@ -352,45 +365,58 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
size_t salt_len) size_t salt_len)
{ {
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
salt_len) salt_len)
== 0) == 0)
{ {
return NGX_ERROR; return NGX_ERROR;
} }
return NGX_OK;
#else #else
EVP_PKEY_CTX *pctx; EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (pctx == NULL) {
return NGX_ERROR;
}
if (EVP_PKEY_derive_init(pctx) <= 0) { if (EVP_PKEY_derive_init(pctx) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) { if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) { if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) { if (EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, secret_len) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) { if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len) <= 0) {
return NGX_ERROR; goto failed;
} }
if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) { if (EVP_PKEY_derive(pctx, out_key, out_len) <= 0) {
return NGX_ERROR; goto failed;
} }
#endif
return NGX_OK; return NGX_OK;
failed:
EVP_PKEY_CTX_free(pctx);
return NGX_ERROR;
#endif
} }