647 lines
16 KiB
C
647 lines
16 KiB
C
|
|
/*
|
|
* Copyright (C) Nginx, Inc.
|
|
*/
|
|
|
|
|
|
#include <ngx_config.h>
|
|
#include <ngx_core.h>
|
|
#include <ngx_event.h>
|
|
#include <ngx_event_quic_connection.h>
|
|
|
|
|
|
#if (NGX_QUIC_OPENSSL_COMPAT)
|
|
|
|
#define NGX_QUIC_COMPAT_RECORD_SIZE 1024
|
|
|
|
#define NGX_QUIC_COMPAT_SSL_TP_EXT 0x39
|
|
|
|
#define NGX_QUIC_COMPAT_CLIENT_HANDSHAKE "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
|
|
#define NGX_QUIC_COMPAT_SERVER_HANDSHAKE "SERVER_HANDSHAKE_TRAFFIC_SECRET"
|
|
#define NGX_QUIC_COMPAT_CLIENT_APPLICATION "CLIENT_TRAFFIC_SECRET_0"
|
|
#define NGX_QUIC_COMPAT_SERVER_APPLICATION "SERVER_TRAFFIC_SECRET_0"
|
|
|
|
|
|
typedef struct {
|
|
ngx_quic_secret_t secret;
|
|
ngx_uint_t cipher;
|
|
} ngx_quic_compat_keys_t;
|
|
|
|
|
|
typedef struct {
|
|
ngx_log_t *log;
|
|
|
|
u_char type;
|
|
ngx_str_t payload;
|
|
uint64_t number;
|
|
ngx_quic_compat_keys_t *keys;
|
|
|
|
enum ssl_encryption_level_t level;
|
|
} ngx_quic_compat_record_t;
|
|
|
|
|
|
struct ngx_quic_compat_s {
|
|
const SSL_QUIC_METHOD *method;
|
|
|
|
enum ssl_encryption_level_t write_level;
|
|
enum ssl_encryption_level_t read_level;
|
|
|
|
uint64_t read_record;
|
|
ngx_quic_compat_keys_t keys;
|
|
|
|
ngx_str_t tp;
|
|
ngx_str_t ctp;
|
|
};
|
|
|
|
|
|
static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line);
|
|
static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
|
|
ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
|
|
const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
|
|
static int ngx_quic_compat_add_transport_params_callback(SSL *ssl,
|
|
unsigned int ext_type, unsigned int context, const unsigned char **out,
|
|
size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg);
|
|
static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl,
|
|
unsigned int ext_type, unsigned int context, const unsigned char *in,
|
|
size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg);
|
|
static void ngx_quic_compat_message_callback(int write_p, int version,
|
|
int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
|
|
static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec,
|
|
u_char *out, ngx_uint_t plain);
|
|
static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec,
|
|
ngx_str_t *res);
|
|
|
|
|
|
ngx_int_t
|
|
ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx)
|
|
{
|
|
SSL_CTX_set_keylog_callback(ctx, ngx_quic_compat_keylog_callback);
|
|
|
|
if (SSL_CTX_has_client_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT)) {
|
|
return NGX_OK;
|
|
}
|
|
|
|
if (SSL_CTX_add_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT,
|
|
SSL_EXT_CLIENT_HELLO
|
|
|SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
|
|
ngx_quic_compat_add_transport_params_callback,
|
|
NULL,
|
|
NULL,
|
|
ngx_quic_compat_parse_transport_params_callback,
|
|
NULL)
|
|
== 0)
|
|
{
|
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
|
"SSL_CTX_add_custom_ext() failed");
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static void
|
|
ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line)
|
|
{
|
|
u_char ch, *p, *start, value;
|
|
size_t n;
|
|
ngx_uint_t write;
|
|
const SSL_CIPHER *cipher;
|
|
ngx_quic_compat_t *com;
|
|
ngx_connection_t *c;
|
|
ngx_quic_connection_t *qc;
|
|
enum ssl_encryption_level_t level;
|
|
u_char secret[EVP_MAX_MD_SIZE];
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
if (c->type != SOCK_DGRAM) {
|
|
return;
|
|
}
|
|
|
|
p = (u_char *) line;
|
|
|
|
for (start = p; *p && *p != ' '; p++);
|
|
|
|
n = p - start;
|
|
|
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat secret %*s", n, start);
|
|
|
|
if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_HANDSHAKE) - 1
|
|
&& ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_HANDSHAKE, n) == 0)
|
|
{
|
|
level = ssl_encryption_handshake;
|
|
write = 0;
|
|
|
|
} else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_HANDSHAKE) - 1
|
|
&& ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_HANDSHAKE, n) == 0)
|
|
{
|
|
level = ssl_encryption_handshake;
|
|
write = 1;
|
|
|
|
} else if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_APPLICATION) - 1
|
|
&& ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_APPLICATION, n)
|
|
== 0)
|
|
{
|
|
level = ssl_encryption_application;
|
|
write = 0;
|
|
|
|
} else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_APPLICATION) - 1
|
|
&& ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_APPLICATION, n)
|
|
== 0)
|
|
{
|
|
level = ssl_encryption_application;
|
|
write = 1;
|
|
|
|
} else {
|
|
return;
|
|
}
|
|
|
|
if (*p++ == '\0') {
|
|
return;
|
|
}
|
|
|
|
for ( /* void */ ; *p && *p != ' '; p++);
|
|
|
|
if (*p++ == '\0') {
|
|
return;
|
|
}
|
|
|
|
for (n = 0, start = p; *p; p++) {
|
|
ch = *p;
|
|
|
|
if (ch >= '0' && ch <= '9') {
|
|
value = ch - '0';
|
|
goto next;
|
|
}
|
|
|
|
ch = (u_char) (ch | 0x20);
|
|
|
|
if (ch >= 'a' && ch <= 'f') {
|
|
value = ch - 'a' + 10;
|
|
goto next;
|
|
}
|
|
|
|
ngx_log_error(NGX_LOG_EMERG, c->log, 0,
|
|
"invalid OpenSSL QUIC secret format");
|
|
|
|
return;
|
|
|
|
next:
|
|
|
|
if ((p - start) % 2) {
|
|
secret[n++] += value;
|
|
|
|
} else {
|
|
if (n >= EVP_MAX_MD_SIZE) {
|
|
ngx_log_error(NGX_LOG_EMERG, c->log, 0,
|
|
"too big OpenSSL QUIC secret");
|
|
return;
|
|
}
|
|
|
|
secret[n] = (value << 4);
|
|
}
|
|
}
|
|
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
cipher = SSL_get_current_cipher(ssl);
|
|
|
|
if (write) {
|
|
com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n);
|
|
com->write_level = level;
|
|
|
|
} else {
|
|
com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
|
|
com->read_level = level;
|
|
com->read_record = 0;
|
|
|
|
(void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
|
|
cipher, secret, n);
|
|
}
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
|
|
ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
|
|
const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
|
|
{
|
|
ngx_int_t key_len;
|
|
ngx_str_t secret_str;
|
|
ngx_uint_t i;
|
|
ngx_quic_hkdf_t seq[2];
|
|
ngx_quic_secret_t *peer_secret;
|
|
ngx_quic_ciphers_t ciphers;
|
|
|
|
peer_secret = &keys->secret;
|
|
|
|
keys->cipher = SSL_CIPHER_get_id(cipher);
|
|
|
|
key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
|
|
|
|
if (key_len == NGX_ERROR) {
|
|
ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
if (sizeof(peer_secret->secret.data) < secret_len) {
|
|
ngx_log_error(NGX_LOG_ALERT, log, 0,
|
|
"unexpected secret len: %uz", secret_len);
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
peer_secret->secret.len = secret_len;
|
|
ngx_memcpy(peer_secret->secret.data, secret, secret_len);
|
|
|
|
peer_secret->key.len = key_len;
|
|
peer_secret->iv.len = NGX_QUIC_IV_LEN;
|
|
|
|
secret_str.len = secret_len;
|
|
secret_str.data = (u_char *) secret;
|
|
|
|
ngx_quic_hkdf_set(&seq[0], "tls13 key", &peer_secret->key, &secret_str);
|
|
ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str);
|
|
|
|
for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
|
|
if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
|
|
return NGX_ERROR;
|
|
}
|
|
}
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
static int
|
|
ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type,
|
|
unsigned int context, const unsigned char **out, size_t *outlen, X509 *x,
|
|
size_t chainidx, int *al, void *add_arg)
|
|
{
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
if (c->type != SOCK_DGRAM) {
|
|
return 0;
|
|
}
|
|
|
|
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat add transport params");
|
|
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
|
|
*out = com->tp.data;
|
|
*outlen = com->tp.len;
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
static int
|
|
ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type,
|
|
unsigned int context, const unsigned char *in, size_t inlen, X509 *x,
|
|
size_t chainidx, int *al, void *parse_arg)
|
|
{
|
|
u_char *p;
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
if (c->type != SOCK_DGRAM) {
|
|
return 0;
|
|
}
|
|
|
|
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat parse transport params");
|
|
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
|
|
p = ngx_pnalloc(c->pool, inlen);
|
|
if (p == NULL) {
|
|
return 0;
|
|
}
|
|
|
|
ngx_memcpy(p, in, inlen);
|
|
|
|
com->ctp.data = p;
|
|
com->ctp.len = inlen;
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
int
|
|
SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
|
|
{
|
|
BIO *rbio, *wbio;
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
|
|
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat set method");
|
|
|
|
qc = ngx_quic_get_connection(c);
|
|
|
|
qc->compat = ngx_pcalloc(c->pool, sizeof(ngx_quic_compat_t));
|
|
if (qc->compat == NULL) {
|
|
return 0;
|
|
}
|
|
|
|
com = qc->compat;
|
|
com->method = quic_method;
|
|
|
|
rbio = BIO_new(BIO_s_mem());
|
|
if (rbio == NULL) {
|
|
return 0;
|
|
}
|
|
|
|
wbio = BIO_new(BIO_s_null());
|
|
if (wbio == NULL) {
|
|
return 0;
|
|
}
|
|
|
|
SSL_set_bio(ssl, rbio, wbio);
|
|
|
|
SSL_set_msg_callback(ssl, ngx_quic_compat_message_callback);
|
|
|
|
/* early data is not supported */
|
|
SSL_set_max_early_data(ssl, 0);
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
static void
|
|
ngx_quic_compat_message_callback(int write_p, int version, int content_type,
|
|
const void *buf, size_t len, SSL *ssl, void *arg)
|
|
{
|
|
ngx_uint_t alert;
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
enum ssl_encryption_level_t level;
|
|
|
|
if (!write_p) {
|
|
return;
|
|
}
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
qc = ngx_quic_get_connection(c);
|
|
|
|
if (qc == NULL) {
|
|
/* closing */
|
|
return;
|
|
}
|
|
|
|
com = qc->compat;
|
|
level = com->write_level;
|
|
|
|
switch (content_type) {
|
|
|
|
case SSL3_RT_HANDSHAKE:
|
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat tx %s len:%uz ",
|
|
ngx_quic_level_name(level), len);
|
|
|
|
(void) com->method->add_handshake_data(ssl, level, buf, len);
|
|
|
|
break;
|
|
|
|
case SSL3_RT_ALERT:
|
|
if (len >= 2) {
|
|
alert = ((u_char *) buf)[1];
|
|
|
|
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat %s alert:%ui len:%uz ",
|
|
ngx_quic_level_name(level), alert, len);
|
|
|
|
(void) com->method->send_alert(ssl, level, alert);
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
int
|
|
SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
|
|
const uint8_t *data, size_t len)
|
|
{
|
|
BIO *rbio;
|
|
size_t n;
|
|
u_char *p;
|
|
ngx_str_t res;
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
ngx_quic_compat_record_t rec;
|
|
u_char in[NGX_QUIC_COMPAT_RECORD_SIZE + 1];
|
|
u_char out[NGX_QUIC_COMPAT_RECORD_SIZE + 1
|
|
+ SSL3_RT_HEADER_LENGTH
|
|
+ EVP_GCM_TLS_TAG_LEN];
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
|
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz",
|
|
ngx_quic_level_name(level), len);
|
|
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
rbio = SSL_get_rbio(ssl);
|
|
|
|
while (len) {
|
|
ngx_memzero(&rec, sizeof(ngx_quic_compat_record_t));
|
|
|
|
rec.type = SSL3_RT_HANDSHAKE;
|
|
rec.log = c->log;
|
|
rec.number = com->read_record++;
|
|
rec.keys = &com->keys;
|
|
|
|
if (level == ssl_encryption_initial) {
|
|
n = ngx_min(len, 65535);
|
|
|
|
rec.payload.len = n;
|
|
rec.payload.data = (u_char *) data;
|
|
|
|
ngx_quic_compat_create_header(&rec, out, 1);
|
|
|
|
BIO_write(rbio, out, SSL3_RT_HEADER_LENGTH);
|
|
BIO_write(rbio, data, n);
|
|
|
|
#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
|
|
ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat record len:%uz %*xs%*xs",
|
|
n + SSL3_RT_HEADER_LENGTH,
|
|
(size_t) SSL3_RT_HEADER_LENGTH, out, n, data);
|
|
#endif
|
|
|
|
} else {
|
|
n = ngx_min(len, NGX_QUIC_COMPAT_RECORD_SIZE);
|
|
|
|
p = ngx_cpymem(in, data, n);
|
|
*p++ = SSL3_RT_HANDSHAKE;
|
|
|
|
rec.payload.len = p - in;
|
|
rec.payload.data = in;
|
|
|
|
res.data = out;
|
|
|
|
if (ngx_quic_compat_create_record(&rec, &res) != NGX_OK) {
|
|
return 0;
|
|
}
|
|
|
|
#if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS)
|
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
|
"quic compat record len:%uz %xV", res.len, &res);
|
|
#endif
|
|
|
|
BIO_write(rbio, res.data, res.len);
|
|
}
|
|
|
|
data += n;
|
|
len -= n;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
static size_t
|
|
ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out,
|
|
ngx_uint_t plain)
|
|
{
|
|
u_char type;
|
|
size_t len;
|
|
|
|
len = rec->payload.len;
|
|
|
|
if (plain) {
|
|
type = rec->type;
|
|
|
|
} else {
|
|
type = SSL3_RT_APPLICATION_DATA;
|
|
len += EVP_GCM_TLS_TAG_LEN;
|
|
}
|
|
|
|
out[0] = type;
|
|
out[1] = 0x03;
|
|
out[2] = 0x03;
|
|
out[3] = (len >> 8);
|
|
out[4] = len;
|
|
|
|
return 5;
|
|
}
|
|
|
|
|
|
static ngx_int_t
|
|
ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
|
|
{
|
|
ngx_str_t ad, out;
|
|
ngx_quic_secret_t *secret;
|
|
ngx_quic_ciphers_t ciphers;
|
|
u_char nonce[NGX_QUIC_IV_LEN];
|
|
|
|
ad.data = res->data;
|
|
ad.len = ngx_quic_compat_create_header(rec, ad.data, 0);
|
|
|
|
out.len = rec->payload.len + EVP_GCM_TLS_TAG_LEN;
|
|
out.data = res->data + ad.len;
|
|
|
|
#ifdef NGX_QUIC_DEBUG_CRYPTO
|
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, rec->log, 0,
|
|
"quic compat ad len:%uz %xV", ad.len, &ad);
|
|
#endif
|
|
|
|
if (ngx_quic_ciphers(rec->keys->cipher, &ciphers, rec->level) == NGX_ERROR)
|
|
{
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
secret = &rec->keys->secret;
|
|
|
|
ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
|
|
ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number);
|
|
|
|
if (ngx_quic_tls_seal(ciphers.c, secret, &out,
|
|
nonce, &rec->payload, &ad, rec->log)
|
|
!= NGX_OK)
|
|
{
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
res->len = ad.len + out.len;
|
|
|
|
return NGX_OK;
|
|
}
|
|
|
|
|
|
enum ssl_encryption_level_t
|
|
SSL_quic_read_level(const SSL *ssl)
|
|
{
|
|
ngx_connection_t *c;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
qc = ngx_quic_get_connection(c);
|
|
|
|
return qc->compat->read_level;
|
|
}
|
|
|
|
|
|
enum ssl_encryption_level_t
|
|
SSL_quic_write_level(const SSL *ssl)
|
|
{
|
|
ngx_connection_t *c;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
qc = ngx_quic_get_connection(c);
|
|
|
|
return qc->compat->write_level;
|
|
}
|
|
|
|
|
|
int
|
|
SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
|
|
size_t params_len)
|
|
{
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
|
|
com->tp.len = params_len;
|
|
com->tp.data = (u_char *) params;
|
|
|
|
return 1;
|
|
}
|
|
|
|
|
|
void
|
|
SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
|
|
size_t *out_params_len)
|
|
{
|
|
ngx_connection_t *c;
|
|
ngx_quic_compat_t *com;
|
|
ngx_quic_connection_t *qc;
|
|
|
|
c = ngx_ssl_get_connection(ssl);
|
|
qc = ngx_quic_get_connection(c);
|
|
com = qc->compat;
|
|
|
|
*out_params = com->ctp.data;
|
|
*out_params_len = com->ctp.len;
|
|
}
|
|
|
|
#endif /* NGX_QUIC_OPENSSL_COMPAT */
|