Skip to content

Commit

Permalink
QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
Browse files Browse the repository at this point in the history
  • Loading branch information
@arut
arut committed Jun 20, 2023
1 parent 3ee1051 commit 69826dd
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 11 deletions.
58 changes: 48 additions & 10 deletions src/event/quic/ngx_event_quic_protection.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,15 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
len = 32;
break;

#ifndef OPENSSL_IS_BORINGSSL
case TLS1_3_CK_AES_128_CCM_SHA256:
ciphers->c = EVP_aes_128_ccm();
ciphers->hp = EVP_aes_128_ctr();
ciphers->d = EVP_sha256();
len = 16;
break;
#endif

default:
return NGX_ERROR;
}
Expand Down Expand Up @@ -384,6 +393,17 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
return NGX_ERROR;
}

tag = in->data + in->len - NGX_QUIC_TAG_LEN;

if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
return NGX_ERROR;
}

if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL)
== 0)
{
Expand All @@ -399,6 +419,15 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
return NGX_ERROR;
}

if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
&& EVP_DecryptUpdate(ctx, NULL, &len, NULL, in->len - NGX_QUIC_TAG_LEN)
!= 1)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}

if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
Expand All @@ -415,16 +444,6 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
}

out->len = len;
tag = in->data + in->len - NGX_QUIC_TAG_LEN;

if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
return NGX_ERROR;
}

if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
Expand Down Expand Up @@ -482,6 +501,17 @@ ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
return NGX_ERROR;
}

if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
&& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN,
NULL)
== 0)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0,
"EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
return NGX_ERROR;
}

if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, s->iv.len, NULL)
== 0)
{
Expand All @@ -497,6 +527,14 @@ ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
return NGX_ERROR;
}

if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
&& EVP_EncryptUpdate(ctx, NULL, &len, NULL, in->len) != 1)
{
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
return NGX_ERROR;
}

if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
Expand Down
2 changes: 1 addition & 1 deletion src/event/quic/ngx_event_quic_protection.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)

/* RFC 5116, 5.1 and RFC 8439, 2.3/2.5 for all supported ciphers */
/* RFC 5116, 5.1/5.3 and RFC 8439, 2.3/2.5 for all supported ciphers */
#define NGX_QUIC_IV_LEN 12
#define NGX_QUIC_TAG_LEN 16

Expand Down

0 comments on commit 69826dd

Please sign in to comment.