summaryrefslogtreecommitdiffhomepage
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/event/ngx_event_openssl.c19
-rw-r--r--src/event/ngx_event_quic.c34
-rw-r--r--src/event/ngx_event_quic.h3
-rw-r--r--src/http/ngx_http_request.c42
4 files changed, 42 insertions, 56 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 561819e0b..7d12b9625 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -593,29 +593,12 @@ quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
return 0;
}
- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
u_char *sample = &out.data[3]; // pnl=0
uint8_t mask[16];
- int outlen;
-
- if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, secret->hp.data, NULL)
- != 1)
- {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
- "EVP_EncryptInit_ex() failed");
- return 0;
- }
-
- if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
- "EVP_EncryptUpdate() failed");
+ if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), secret, mask, sample) != NGX_OK) {
return 0;
}
- EVP_CIPHER_CTX_free(ctx);
-
m = ngx_hex_dump(buf, (u_char *) sample, 16) - buf;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic_add_handshake_data sample: %*s, len: %uz",
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index 106ca0d34..b453d95f8 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -371,3 +371,37 @@ ngx_quic_tls_seal(ngx_connection_t *c, const ngx_aead_cipher_t *cipher,
return NGX_OK;
}
+
+
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+ ngx_quic_secret_t *s, u_char *out, u_char *in)
+{
+ int outlen;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ return NGX_ERROR;
+ }
+
+ if (EVP_EncryptInit_ex(ctx, cipher, NULL, s->hp.data, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptInit_ex() failed");
+ goto failed;
+ }
+
+ if (!EVP_EncryptUpdate(ctx, out, &outlen, in, 16)) {
+ ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "EVP_EncryptUpdate() failed");
+ goto failed;
+ }
+
+ EVP_CIPHER_CTX_free(ctx);
+
+ return NGX_OK;
+
+failed:
+
+ EVP_CIPHER_CTX_free(ctx);
+
+ return NGX_ERROR;
+}
diff --git a/src/event/ngx_event_quic.h b/src/event/ngx_event_quic.h
index c1b20f65b..1b900208b 100644
--- a/src/event/ngx_event_quic.h
+++ b/src/event/ngx_event_quic.h
@@ -60,5 +60,8 @@ ngx_int_t ngx_quic_tls_seal(ngx_connection_t *c,
const ngx_aead_cipher_t *cipher, ngx_quic_secret_t *s, ngx_str_t *out,
u_char *nonce, ngx_str_t *in, ngx_str_t *ad);
+ngx_int_t
+ngx_quic_tls_hp(ngx_connection_t *c, const EVP_CIPHER *cipher,
+ ngx_quic_secret_t *s, u_char *out, u_char *in);
#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index c9bddc6dd..8fbc20424 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1124,31 +1124,14 @@ ngx_http_quic_handshake(ngx_event_t *rev)
// header protection
- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
uint8_t mask[16];
- int outlen;
-
- if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
- qc->client_in.hp.data, NULL)
- != 1)
+ if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_in, mask, sample)
+ != NGX_OK)
{
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
- "EVP_EncryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
- if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
- "EVP_EncryptUpdate() failed");
- ngx_http_close_connection(c);
- return;
- }
-
- EVP_CIPHER_CTX_free(ctx);
-
u_char clearflags = flags ^ (mask[0] & 0x0f);
ngx_int_t pnl = (clearflags & 0x03) + 1;
uint64_t pn = ngx_quic_parse_pn(&b->pos, pnl, &mask[1]);
@@ -1422,31 +1405,14 @@ ngx_http_quic_handshake_handler(ngx_event_t *rev)
// header protection
- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
uint8_t mask[16];
- int outlen;
-
- if (EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL,
- qc->client_hs.hp.data, NULL)
- != 1)
+ if (ngx_quic_tls_hp(c, EVP_aes_128_ecb(), &qc->client_hs, mask, sample)
+ != NGX_OK)
{
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
- "EVP_EncryptInit_ex() failed");
ngx_http_close_connection(c);
return;
}
- if (!EVP_EncryptUpdate(ctx, mask, &outlen, sample, 16)) {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, rev->log, 0,
- "EVP_EncryptUpdate() failed");
- ngx_http_close_connection(c);
- return;
- }
-
- EVP_CIPHER_CTX_free(ctx);
-
u_char clearflags = flags ^ (mask[0] & 0x0f);
ngx_int_t pnl = (clearflags & 0x03) + 1;
uint64_t pn = ngx_quic_parse_pn(&p, pnl, &mask[1]);
generated by cgit (git 2.34.1) at 2025-12-28 21:57:53 +0000