mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-12 18:29:00 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Generic function for HKDF expansion.

Browse Source
This commit is contained in:
Vladimir Homutov 2020-02-26 16:56:47 +03:00
parent a3620d469f
commit eb464a7feb
4 changed files with 176 additions and 510 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

264
src/event/ngx_event_openssl.c
View File

@ -153,15 +153,6 @@ quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
return 0;
}
size_t hkdfl_len, llen;
uint8_t hkdfl[20];
uint8_t *p;
const char *label;
#if (NGX_DEBUG)
u_char buf[512];
size_t m;
#endif
ngx_str_t *client_key, *client_iv, *client_hp;
ngx_str_t *server_key, *server_iv, *server_hp;
@ -219,231 +210,60 @@ quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
ngx_memcpy(*wsec, write_secret, secret_len);
// client keys
#ifdef OPENSSL_IS_BORINGSSL
client_key->len = EVP_AEAD_key_length(evp);
#else
client_key->len = EVP_CIPHER_key_length(evp);
#endif
client_key->data = ngx_pnalloc(c->pool, client_key->len);
if (client_key->data == NULL) {
return 0;
}
label = "tls13 quic key";
llen = sizeof("tls13 quic key") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = client_key->len / 256;
hkdfl[1] = client_key->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(client_key->data, client_key->len,
digest, *rsec, *rlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(client_key) failed");
return 0;
}
m = ngx_hex_dump(buf, client_key->data, client_key->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic client key: %*s, len: %uz, level: %d",
m, buf, client_key->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
#ifdef OPENSSL_IS_BORINGSSL
client_iv->len = EVP_AEAD_nonce_length(evp);
#else
client_iv->len = EVP_CIPHER_iv_length(evp);
#endif
client_iv->data = ngx_pnalloc(c->pool, client_iv->len);
if (client_iv->data == NULL) {
return 0;
}
label = "tls13 quic iv";
llen = sizeof("tls13 quic iv") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = client_iv->len / 256;
hkdfl[1] = client_iv->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(client_iv->data, client_iv->len,
digest, *rsec, *rlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(client_iv) failed");
return 0;
}
m = ngx_hex_dump(buf, client_iv->data, client_iv->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic client iv: %*s, len: %uz, level: %d",
m, buf, client_iv->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
#ifdef OPENSSL_IS_BORINGSSL
client_hp->len = EVP_AEAD_key_length(evp);
#else
client_hp->len = EVP_CIPHER_key_length(evp);
#endif
client_hp->data = ngx_pnalloc(c->pool, client_hp->len);
if (client_hp->data == NULL) {
return 0;
}
label = "tls13 quic hp";
llen = sizeof("tls13 quic hp") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = client_hp->len / 256;
hkdfl[1] = client_hp->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(client_hp->data, client_hp->len,
digest, *rsec, *rlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(client_hp) failed");
return 0;
}
m = ngx_hex_dump(buf, client_hp->data, client_hp->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic client hp: %*s, len: %uz, level: %d",
m, buf, client_hp->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
// server keys
#ifdef OPENSSL_IS_BORINGSSL
server_key->len = EVP_AEAD_key_length(evp);
#else
server_key->len = EVP_CIPHER_key_length(evp);
#endif
server_key->data = ngx_pnalloc(c->pool, server_key->len);
if (server_key->data == NULL) {
return 0;
}
label = "tls13 quic key";
llen = sizeof("tls13 quic key") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = server_key->len / 256;
hkdfl[1] = server_key->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(server_key->data, server_key->len,
digest, *wsec, *wlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(server_key) failed");
return 0;
}
m = ngx_hex_dump(buf, server_key->data, server_key->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic server key: %*s, len: %uz, level: %d",
m, buf, server_key->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
#ifdef OPENSSL_IS_BORINGSSL
client_iv->len = EVP_AEAD_nonce_length(evp);
server_iv->len = EVP_AEAD_nonce_length(evp);
#else
server_iv->len = EVP_CIPHER_iv_length(evp);
#endif
server_iv->data = ngx_pnalloc(c->pool, server_iv->len);
if (server_iv->data == NULL) {
return 0;
}
label = "tls13 quic iv";
llen = sizeof("tls13 quic iv") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = server_iv->len / 256;
hkdfl[1] = server_iv->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(server_iv->data, server_iv->len,
digest, *wsec, *wlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(server_iv) failed");
return 0;
}
m = ngx_hex_dump(buf, server_iv->data, server_iv->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic server iv: %*s, len: %uz, level: %d",
m, buf, server_iv->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
#ifdef OPENSSL_IS_BORINGSSL
client_hp->len = EVP_AEAD_key_length(evp);
server_hp->len = EVP_AEAD_key_length(evp);
#else
client_key->len = EVP_CIPHER_key_length(evp);
server_key->len = EVP_CIPHER_key_length(evp);
client_iv->len = EVP_CIPHER_iv_length(evp);
server_iv->len = EVP_CIPHER_iv_length(evp);
client_hp->len = EVP_CIPHER_key_length(evp);
server_hp->len = EVP_CIPHER_key_length(evp);
#endif
server_hp->data = ngx_pnalloc(c->pool, server_hp->len);
if (server_hp->data == NULL) {
return 0;
ngx_str_t rss = {
.data = *rsec,
.len = *rlen
};
ngx_str_t wss = {
.data = *wsec,
.len = *wlen
};
struct {
ngx_str_t id;
ngx_str_t *in;
ngx_str_t *prk;
} seq[] = {
{ ngx_string("tls13 quic key"), client_key, &rss },
{ ngx_string("tls13 quic iv"), client_iv, &rss },
{ ngx_string("tls13 quic hp"), client_hp, &rss },
{ ngx_string("tls13 quic key"), server_key, &wss },
{ ngx_string("tls13 quic iv"), server_iv, &wss },
{ ngx_string("tls13 quic hp"), server_hp, &wss },
};
ngx_uint_t i;
for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 1)
!= NGX_OK)
{
return 0;
}
}
label = "tls13 quic hp";
llen = sizeof("tls13 quic hp") - 1;
hkdfl_len = 2 + 1 + llen + 1;
hkdfl[0] = server_hp->len / 256;
hkdfl[1] = server_hp->len % 256;
hkdfl[2] = llen;
p = ngx_cpymem(&hkdfl[3], label, llen);
*p = '\0';
if (ngx_hkdf_expand(server_hp->data, server_hp->len,
digest, *wsec, *wlen, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(server_hp) failed");
return 0;
}
m = ngx_hex_dump(buf, server_hp->data, server_hp->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, c->log, 0,
"quic server hp: %*s, len: %uz, level: %d",
m, buf, server_hp->len, level);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"hkdf: %*s, len: %uz", m, buf, hkdfl_len);
return 1;
}

56
src/event/ngx_event_quic.c
View File

@ -119,6 +119,62 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
}
ngx_int_t
ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest, ngx_str_t *out,
ngx_str_t *prk, ngx_str_t *name, ngx_uint_t sender)
{
uint8_t *p;
size_t hkdfl_len;
uint8_t hkdfl[20];
#if (NGX_DEBUG)
u_char buf[512];
size_t m;
#endif
out->data = ngx_pnalloc(c->pool, out->len);
if (out->data == NULL) {
return NGX_ERROR;
}
hkdfl_len = 2 + 1 + name->len + 1;
if (sender) {
hkdfl[0] = out->len / 256;
hkdfl[1] = out->len % 256;
} else {
hkdfl[0] = 0;
hkdfl[1] = out->len;
}
hkdfl[2] = name->len;
p = ngx_cpymem(&hkdfl[3], name->data, name->len);
*p = '\0';
if (ngx_hkdf_expand(out->data, out->len, digest,
prk->data, prk->len, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
"ngx_hkdf_expand(%V) failed", name);
return NGX_ERROR;
}
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, out->data, out->len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
"%V: %*s, len: %uz", name, m, buf, out->len);
m = ngx_hex_dump(buf, hkdfl, hkdfl_len) - buf;
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
"%V hkdf: %*s, len: %uz", name, m, buf, hkdfl_len);
}
return NGX_OK;
}
ngx_int_t
ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
const u_char *prk, size_t prk_len, const u_char *info, size_t info_len)

3
src/event/ngx_event_quic.h
View File

@ -53,6 +53,9 @@ ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
const EVP_MD *digest, const u_char *prk, size_t prk_len,
const u_char *info, size_t info_len);
ngx_int_t ngx_quic_hkdf_expand(ngx_connection_t *c, const EVP_MD *digest,
ngx_str_t *out, ngx_str_t *prk, ngx_str_t *name, ngx_uint_t sender);
ngx_int_t ngx_quic_tls_open(ngx_connection_t *c,
const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);

363
src/http/ngx_http_request.c
View File

@ -785,6 +785,7 @@ ngx_http_quic_handshake(ngx_event_t *rev)
size_t is_len;
uint8_t is[SHA256_DIGEST_LENGTH];
ngx_uint_t i;
const EVP_MD *digest;
const ngx_aead_cipher_t *cipher;
static const uint8_t salt[20] =
@ -804,6 +805,11 @@ ngx_http_quic_handshake(ngx_event_t *rev)
return;
}
ngx_str_t iss = {
.data = is,
.len = is_len
};
#if (NGX_DEBUG)
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, (uint8_t *) salt, sizeof(salt)) - buf;
@ -816,47 +822,30 @@ ngx_http_quic_handshake(ngx_event_t *rev)
}
#endif
size_t hkdfl_len;
uint8_t hkdfl[20];
uint8_t *p;
/* draft-ietf-quic-tls-23#section-5.2 */
qc->client_in.secret.len = SHA256_DIGEST_LENGTH;
qc->client_in.secret.data = ngx_pnalloc(c->pool, qc->client_in.secret.len);
if (qc->client_in.secret.data == NULL) {
ngx_http_close_connection(c);
return;
}
qc->server_in.secret.len = SHA256_DIGEST_LENGTH;
hkdfl_len = 2 + 1 + sizeof("tls13 client in") - 1 + 1;
bzero(hkdfl, sizeof(hkdfl));
hkdfl[0] = 0;
hkdfl[1] = qc->client_in.secret.len;
hkdfl[2] = sizeof("tls13 client in") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 client in", sizeof("tls13 client in") - 1);
*p = '\0';
#ifdef OPENSSL_IS_BORINGSSL
qc->client_in.key.len = EVP_AEAD_key_length(cipher);
qc->server_in.key.len = EVP_AEAD_key_length(cipher);
#if 0
ngx_memcpy(hkdfl, "\x00\x20\x0f\x74\x6c\x73\x31\x33\x20\x63"
"\x6c\x69\x65\x6e\x74\x20\x69\x6e\x00\x00", 20);
qc->client_in.hp.len = EVP_AEAD_key_length(cipher);
qc->server_in.hp.len = EVP_AEAD_key_length(cipher);
m = ngx_hex_dump(buf, hkdfl, sizeof(hkdfl)) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic initial secret hkdf: %*s, len: %uz",
m, buf, sizeof(hkdfl));
qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher);
qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher);
#else
qc->client_in.key.len = EVP_CIPHER_key_length(cipher);
qc->server_in.key.len = EVP_CIPHER_key_length(cipher);
qc->client_in.hp.len = EVP_CIPHER_key_length(cipher);
qc->server_in.hp.len = EVP_CIPHER_key_length(cipher);
qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher);
qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher);
#endif
if (ngx_hkdf_expand(qc->client_in.secret.data, qc->client_in.secret.len,
digest, is, is_len, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(client_in) failed");
ngx_http_close_connection(c);
return;
}
#ifdef OPENSSL_IS_BORINGSSL
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic EVP key:%d tag:%d nonce:%d",
@ -865,263 +854,61 @@ ngx_http_quic_handshake(ngx_event_t *rev)
EVP_AEAD_nonce_length(cipher));
#endif
struct {
ngx_str_t id;
ngx_str_t *in;
ngx_str_t *prk;
} seq[] = {
#ifdef OPENSSL_IS_BORINGSSL
qc->client_in.key.len = EVP_AEAD_key_length(cipher);
#else
qc->client_in.key.len = EVP_CIPHER_key_length(cipher);
#endif
qc->client_in.key.data = ngx_pnalloc(c->pool, qc->client_in.key.len);
if (qc->client_in.key.data == NULL) {
ngx_http_close_connection(c);
return;
/* draft-ietf-quic-tls-23#section-5.2 */
{ ngx_string("tls13 client in"), &qc->client_in.secret, &iss },
{
ngx_string("tls13 quic key"),
&qc->client_in.key,
&qc->client_in.secret,
},
{
ngx_string("tls13 quic iv"),
&qc->client_in.iv,
&qc->client_in.secret,
},
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
ngx_string("tls13 quic hp"),
&qc->client_in.hp,
&qc->client_in.secret,
},
{ ngx_string("tls13 server in"), &qc->server_in.secret, &iss },
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
ngx_string("tls13 quic key"),
&qc->server_in.key,
&qc->server_in.secret,
},
{
ngx_string("tls13 quic iv"),
&qc->server_in.iv,
&qc->server_in.secret,
},
{
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
ngx_string("tls13 quic hp"),
&qc->server_in.hp,
&qc->server_in.secret
},
};
for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 0)
!= NGX_OK)
{
ngx_http_close_connection(c);
return;
}
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic key") - 1 + 1;
hkdfl[1] = qc->client_in.key.len;
hkdfl[2] = sizeof("tls13 quic key") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic key", sizeof("tls13 quic key") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->client_in.key.data, qc->client_in.key.len,
digest, qc->client_in.secret.data, qc->client_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(client_in.key) failed");
ngx_http_close_connection(c);
return;
}
#ifdef OPENSSL_IS_BORINGSSL
qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher);
#else
qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher);
#endif
qc->client_in.iv.data = ngx_pnalloc(c->pool, qc->client_in.iv.len);
if (qc->client_in.iv.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic iv") - 1 + 1;
hkdfl[1] = qc->client_in.iv.len;
hkdfl[2] = sizeof("tls13 quic iv") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic iv", sizeof("tls13 quic iv") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->client_in.iv.data, qc->client_in.iv.len,
digest, qc->client_in.secret.data, qc->client_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(client_in.iv) failed");
ngx_http_close_connection(c);
return;
}
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
#ifdef OPENSSL_IS_BORINGSSL
qc->client_in.hp.len = EVP_AEAD_key_length(cipher);
#else
qc->client_in.hp.len = EVP_CIPHER_key_length(cipher);
#endif
qc->client_in.hp.data = ngx_pnalloc(c->pool, qc->client_in.hp.len);
if (qc->client_in.hp.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic hp") - 1 + 1;
hkdfl[1] = qc->client_in.hp.len;
hkdfl[2] = sizeof("tls13 quic hp") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic hp", sizeof("tls13 quic hp") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->client_in.hp.data, qc->client_in.hp.len,
digest, qc->client_in.secret.data, qc->client_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(client_in.hp) failed");
ngx_http_close_connection(c);
return;
}
#if (NGX_DEBUG)
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, qc->client_in.secret.data, qc->client_in.secret.len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic client initial secret: %*s, len: %uz",
m, buf, qc->client_in.secret.len);
m = ngx_hex_dump(buf, qc->client_in.key.data, qc->client_in.key.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic client key: %*s, len: %uz",
m, buf, qc->client_in.key.len);
m = ngx_hex_dump(buf, qc->client_in.iv.data, qc->client_in.iv.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic client iv: %*s, len: %uz",
m, buf, qc->client_in.iv.len);
m = ngx_hex_dump(buf, qc->client_in.hp.data, qc->client_in.hp.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic client hp: %*s, len: %uz",
m, buf, qc->client_in.hp.len);
}
#endif
// server initial
/* draft-ietf-quic-tls-23#section-5.2 */
qc->server_in.secret.len = SHA256_DIGEST_LENGTH;
qc->server_in.secret.data = ngx_pnalloc(c->pool, qc->server_in.secret.len);
if (qc->server_in.secret.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 server in") - 1 + 1;
hkdfl[0] = 0;
hkdfl[1] = qc->server_in.secret.len;
hkdfl[2] = sizeof("tls13 server in") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 server in", sizeof("tls13 server in") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->server_in.secret.data, qc->server_in.secret.len,
digest, is, is_len, hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(server_in) failed");
ngx_http_close_connection(c);
return;
}
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
#ifdef OPENSSL_IS_BORINGSSL
qc->server_in.key.len = EVP_AEAD_key_length(cipher);
#else
qc->server_in.key.len = EVP_CIPHER_key_length(cipher);
#endif
qc->server_in.key.data = ngx_pnalloc(c->pool, qc->server_in.key.len);
if (qc->server_in.key.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic key") - 1 + 1;
hkdfl[1] = qc->server_in.key.len;
hkdfl[2] = sizeof("tls13 quic key") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic key", sizeof("tls13 quic key") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->server_in.key.data, qc->server_in.key.len,
digest, qc->server_in.secret.data, qc->server_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(server_in.key) failed");
ngx_http_close_connection(c);
return;
}
#ifdef OPENSSL_IS_BORINGSSL
qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher);
#else
qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher);
#endif
qc->server_in.iv.data = ngx_pnalloc(c->pool, qc->server_in.iv.len);
if (qc->server_in.iv.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic iv") - 1 + 1;
hkdfl[1] = qc->server_in.iv.len;
hkdfl[2] = sizeof("tls13 quic iv") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic iv", sizeof("tls13 quic iv") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->server_in.iv.data, qc->server_in.iv.len,
digest, qc->server_in.secret.data, qc->server_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(server_in.iv) failed");
ngx_http_close_connection(c);
return;
}
/* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
#ifdef OPENSSL_IS_BORINGSSL
qc->server_in.hp.len = EVP_AEAD_key_length(cipher);
#else
qc->server_in.hp.len = EVP_CIPHER_key_length(cipher);
#endif
qc->server_in.hp.data = ngx_pnalloc(c->pool, qc->server_in.hp.len);
if (qc->server_in.hp.data == NULL) {
ngx_http_close_connection(c);
return;
}
hkdfl_len = 2 + 1 + sizeof("tls13 quic hp") - 1 + 1;
hkdfl[1] = qc->server_in.hp.len;
hkdfl[2] = sizeof("tls13 quic hp") - 1;
p = ngx_cpymem(&hkdfl[3], "tls13 quic hp", sizeof("tls13 quic hp") - 1);
*p = '\0';
if (ngx_hkdf_expand(qc->server_in.hp.data, qc->server_in.hp.len,
digest, qc->server_in.secret.data, qc->server_in.secret.len,
hkdfl, hkdfl_len)
!= NGX_OK)
{
ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
"ngx_hkdf_expand(server_in.hp) failed");
ngx_http_close_connection(c);
return;
}
#if (NGX_DEBUG)
if (c->log->log_level & NGX_LOG_DEBUG_EVENT) {
m = ngx_hex_dump(buf, qc->server_in.secret.data, qc->server_in.secret.len) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic server initial secret: %*s, len: %uz",
m, buf, qc->server_in.secret.len);
m = ngx_hex_dump(buf, qc->server_in.key.data, qc->server_in.key.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic server key: %*s, len: %uz",
m, buf, qc->server_in.key.len);
m = ngx_hex_dump(buf, qc->server_in.iv.data, qc->server_in.iv.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic server iv: %*s, len: %uz",
m, buf, qc->server_in.iv.len);
m = ngx_hex_dump(buf, qc->server_in.hp.data, qc->server_in.hp.len)
- buf;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"quic server hp: %*s, len: %uz",
m, buf, qc->server_in.hp.len);
}
#endif
// header protection
uint8_t mask[16];