| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Encryption level values are decoupled from ssl_encryption_level_t,
which is now limited to BoringSSL QUIC callbacks, with mappings
provided. Although the values match, this provides a technically
safe approach, in particular, to access protection level sized arrays.
In preparation for using OpenSSL 3.5 TLS callbacks.
|
|
|
|
|
|
This follows OpenSSL and BoringSSL API, and gives a hint to compiler
that this parameter may not be modified.
|
|
Previously, this used to have extra ngx_explicit_memzero() calls
from within ngx_quic_keys_cleanup(), which might be suboptimal.
|
|
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).
|
|
|
|
It is made local as it is only needed now when creating crypto context.
BoringSSL lacks EVP interface for ChaCha20, providing instead
a function for one-shot encryption, thus hp is still preserved.
Based on a patch by Roman Arutyunyan.
|
|
After conversion to reusable crypto ctx, now there's enough caller
context to remove the "level" argument from ngx_quic_ciphers().
|
|
|
|
|
|
|
|
|
|
Now these functions have names ngx_quic_crypto_XXX():
- ngx_quic_tls_open() -> ngx_quic_crypto_open()
- ngx_quic_tls_seal() -> ngx_quic_crypto_seal()
- ngx_quic_tls_hp() -> ngx_quic_crypto_hp()
|
|
Keys may be released by TLS stack in different times, so it makes sense
to check this independently as well. This allows to fine-tune what key
direction is used when checking keys availability.
When discarding, server keys are now marked in addition to client keys.
|
|
Since at least f9fbeb4ee0de and certainly after 924882f42dea, which
TLS Key Update support predates, queued data output is deferred to a
posted push handler. To address timing signals after these changes,
generating next keys is now posted to run after the push handler.
|
|
They were preserved in 172705615d04 to ease transition from older BoringSSL.
|
|
|
|
|
|
|
|
The constants are used for both GCM and CHACHAPOLY.
|
|
Previously used constant EVP_GCM_TLS_TAG_LEN had misleading name since it was
used not only with GCM, but also with CHACHAPOLY. Now a new constant
NGX_QUIC_TAG_LEN introduced. Luckily all AEAD algorithms used by QUIC have
the same tag length of 16.
|
|
The change allows to compile QUIC with OpenSSL which lacks BoringSSL QUIC API.
This implementation does not support 0-RTT.
|
|
Prodded by Yu Zhu.
|
|
|
|
They are not supported by MSVC till 2012.
SSL_QUIC_METHOD initialization is moved to run-time to preserve portability
among SSL library implementations, which allows to reduce its visibility.
Note using of a static storage to keep SSL_set_quic_method() reference valid.
|
|
Previously, ngx_quic_hkdf_t variables used declaration with assignment
in the middle of a function, which is not supported by MSVC 2010.
Fixing this also required to rewrite the ngx_quic_hkdf_set macro
and to switch to an explicit array size.
|
|
After BoringSSL aligned[1] with OpenSSL on TLS1_3_CK_* macros, and
LibreSSL uses OpenSSL naming, our own variants can be dropped now.
Compatibility is preserved with libraries that lack these macros.
Additionally, transition to SSL_CIPHER_get_id() fixes build error
with LibreSSL that doesn't implement SSL_CIPHER_get_protocol_id().
[1] https://boringssl.googlesource.com/boringssl/+/dfddbc4ded
|
|
The ngx_quic_keys_t structure is now exposed.
|
|
|
|
|
|
|
|
While here, removed check for encryption level zero, redundant by its nature.
|
|
The "min" and "max" arguments refer to UDP datagram size. Generating payload
requires to account properly for header size, which is variable and depends on
payload size and packet number.
|
|
|
|
|
|
AES-128 key length is known in compile time.
|
|
All supported cipher suites produce 96-bit IV (RFC 5116, 5.1, RFC 8439, 2.3).
This eliminates a few magic numbers and run-time overhead.
|
|
The output buffer is now also of 5 bytes. Header protection uses
stream ciphers, which don't produce extra output nor PKCS padding.
|
|
This includes updating citations and further clarification.
|
|
Stop including QUIC headers with no user-serviceable parts inside.
This allows to provide a much cleaner QUIC interface. To cope with that,
ngx_quic_derive_key() is now explicitly exported for v3 and quic modules.
Additionally, this completely hides the ngx_quic_keys_t internal type.
|
|
This fixes leak on successful path when built with OpenSSL.
|
|
OpenSSL 3.0 started to require HKDF-Extract output PRK length pointer
used to represent the amount of data written to contain the length of
the key buffer before the call. EVP_PKEY_derive() documents this.
See HKDF_Extract() internal implementation update in this change:
https://github.com/openssl/openssl/commit/5a285ad
|
|
The OpenSSL variant of functions lacked proper error processing.
|
|
Draft-29 and beyond are now supported simultaneously, no need to recompile.
|
|
|
|
|
|
The token generation in QUIC is reworked. Single host key is used to generate
all required keys of needed sizes using HKDF.
The "quic_stateless_reset_token_key" directive is removed. Instead, the
"quic_host_key" directive is used, which reads key from file, or sets it
to random bytes if not specified.
|
|
Notably, the version negotiation table is updated to reject draft-33/QUICv1
(which requires a new TLS codepoint) unless explicitly asked to built with.
|
|
|
