[nginx] QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
Roman Arutyunyan
arut at nginx.com
Tue Jun 20 13:51:30 UTC 2023
details: https://hg.nginx.org/nginx/rev/756ab66de10e
branches:
changeset: 9128:756ab66de10e
user: Roman Arutyunyan <arut at nginx.com>
date: Tue Jun 20 16:10:49 2023 +0400
description:
QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
diffstat:
src/event/quic/ngx_event_quic_protection.c | 58 ++++++++++++++++++++++++-----
src/event/quic/ngx_event_quic_protection.h | 2 +-
2 files changed, 49 insertions(+), 11 deletions(-)
diffs (115 lines):
diff -r a7b850a5d98d -r 756ab66de10e src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c Fri Jun 09 10:23:22 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.c Tue Jun 20 16:10:49 2023 +0400
@@ -94,6 +94,15 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
len = 32;
break;
+#ifndef OPENSSL_IS_BORINGSSL
+ case TLS1_3_CK_AES_128_CCM_SHA256:
+ ciphers->c = EVP_aes_128_ccm();
+ ciphers->hp = EVP_aes_128_ctr();
+ ciphers->d = EVP_sha256();
+ len = 16;
+ break;
+#endif
+
default:
return NGX_ERROR;
}
@@ -384,6 +393,17 @@ ngx_quic_tls_open(const ngx_quic_cipher_
return NGX_ERROR;
}
+ tag = in->data + in->len - NGX_QUIC_TAG_LEN;
+
+ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
+ == 0)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0,
+ "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
+ return NGX_ERROR;
+ }
+
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL)
== 0)
{
@@ -399,6 +419,15 @@ ngx_quic_tls_open(const ngx_quic_cipher_
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_DecryptUpdate(ctx, NULL, &len, NULL, in->len - NGX_QUIC_TAG_LEN)
+ != 1)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
+ return NGX_ERROR;
+ }
+
if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
@@ -415,16 +444,6 @@ ngx_quic_tls_open(const ngx_quic_cipher_
}
out->len = len;
- tag = in->data + in->len - NGX_QUIC_TAG_LEN;
-
- if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
- == 0)
- {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, log, 0,
- "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
- return NGX_ERROR;
- }
if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
@@ -482,6 +501,17 @@ ngx_quic_tls_seal(const ngx_quic_cipher_
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN,
+ NULL)
+ == 0)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0,
+ "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
+ return NGX_ERROR;
+ }
+
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL)
== 0)
{
@@ -497,6 +527,14 @@ ngx_quic_tls_seal(const ngx_quic_cipher_
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_EncryptUpdate(ctx, NULL, &len, NULL, in->len) != 1)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
+ return NGX_ERROR;
+ }
+
if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
diff -r a7b850a5d98d -r 756ab66de10e src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h Fri Jun 09 10:23:22 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.h Tue Jun 20 16:10:49 2023 +0400
@@ -16,7 +16,7 @@
#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)
-/* RFC 5116, 5.1 and RFC 8439, 2.3/2.5 for all supported ciphers */
+/* RFC 5116, 5.1/5.3 and RFC 8439, 2.3/2.5 for all supported ciphers */
#define NGX_QUIC_IV_LEN 12
#define NGX_QUIC_TAG_LEN 16
More information about the nginx-devel
mailing list