SSL: handled quic SSL_CTX_set_cert_cb() and SSL_CTX_set_client_hello_cb() and SSL_CTX_sess_set_new_cb session callback yielding.
parent
ef87444a0c
commit
b6ce10f9e0
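--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -13,8 +13,7 @@
 static ngx_quic_connection_t *ngx_quic_new_connection(ngx_connection_t *c,
 ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
 static ngx_int_t ngx_quic_handle_stateless_reset(ngx_connection_t *c,
- ngx_quic_header_t *pkt);
-static void ngx_quic_input_handler(ngx_event_t *rev);
+ ngx_quic_header_t *pkt);
 static void ngx_quic_close_handler(ngx_event_t *ev);
 
 static ngx_int_t ngx_quic_handle_datagram(ngx_connection_t *c, ngx_buf_t *b,
@@ -392,7 +391,7 @@ ngx_quic_handle_stateless_reset(ngx_connection_t *c, ngx_quic_header_t *pkt)
 }
 
 
-static void
+void
 ngx_quic_input_handler(ngx_event_t *rev)
 {
 ngx_int_t rc;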
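--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -125,5 +125,5 @@ ngx_int_t ngx_quic_get_packet_dcid(ngx_log_t *log, u_char *data, size_t len,
 ngx_str_t *dcid);
 ngx_int_t ngx_quic_derive_key(ngx_log_t *log, const char *label,
 ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len);
-
+void ngx_quic_input_handler(ngx_event_t *rev);
 #endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */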
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
|
||||
index ba0b592..b53b3bc 100644
|
||||
--- a/src/event/quic/ngx_event_quic_ssl.c
|
||||
+++ b/src/event/quic/ngx_event_quic_ssl.c
|
||||
@@ -8,6 +8,7 @@
|
||||
#include <ngx_core.h>
|
||||
#include <ngx_event.h>
|
||||
#include <ngx_event_quic_connection.h>
|
||||
+#include <ngx_event_quic_ssl.h>
|
||||
|
||||
|
||||
#if defined OPENSSL_IS_BORINGSSL \
|
||||
@@ -45,7 +46,8 @@ static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t level, uint8_t alert);
|
||||
static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
|
||||
enum ssl_encryption_level_t level);
|
||||
-
|
||||
+static ngx_int_t
|
||||
+ngx_quic_handshake(ngx_connection_t *c);
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_API)
|
||||
|
||||
@@ -314,6 +316,147 @@ ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static void
|
||||
+ngx_quic_ssl_handshake_handler(ngx_event_t *ev)
|
||||
+{
|
||||
+ ngx_connection_t *c;
|
||||
+
|
||||
+ c = ev->data;
|
||||
+
|
||||
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
+ "quic SSL handshake handler: %d", ev->write);
|
||||
+
|
||||
+ if (ngx_quic_handshake(c) == NGX_AGAIN) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ c->read->handler = ngx_quic_input_handler;
|
||||
+ ngx_handle_read_event(c->read, 0);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+static ngx_int_t
|
||||
+ngx_quic_handshake(ngx_connection_t *c)
|
||||
+{
|
||||
+ int n, sslerr;
|
||||
+ ngx_ssl_conn_t *ssl_conn;
|
||||
+ ngx_quic_frame_t *frame;
|
||||
+ ngx_quic_connection_t *qc;
|
||||
+
|
||||
+ qc = ngx_quic_get_connection(c);
|
||||
+
|
||||
+ ssl_conn = c->ssl->connection;
|
||||
+
|
||||
+ n = SSL_do_handshake(ssl_conn);
|
||||
+
|
||||
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
|
||||
+
|
||||
+ if (n <= 0) {
|
||||
+ sslerr = SSL_get_error(ssl_conn, n);
|
||||
+
|
||||
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
|
||||
+ sslerr);
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
+ c->read->handler = ngx_quic_ssl_handshake_handler;
|
||||
+
|
||||
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return NGX_AGAIN;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
|
||||
+ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
|
||||
+ c->read->handler = ngx_quic_ssl_handshake_handler;
|
||||
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return NGX_AGAIN;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (sslerr != SSL_ERROR_WANT_READ) {
|
||||
+ if (c->ssl->handshake_rejected) {
|
||||
+ ngx_connection_error(c, 0, "handshake rejected");
|
||||
+ ERR_clear_error();
|
||||
+
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (n <= 0 || SSL_in_init(ssl_conn)) {
|
||||
+ if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
|
||||
+ && qc->client_tp_done)
|
||||
+ {
|
||||
+ if (ngx_quic_init_streams(c) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return NGX_OK;
|
||||
+ }
|
||||
+
|
||||
+#if (NGX_DEBUG)
|
||||
+ ngx_ssl_handshake_log(c);
|
||||
+#endif
|
||||
+
|
||||
+ c->ssl->handshaked = 1;
|
||||
+
|
||||
+ frame = ngx_quic_alloc_frame(c);
|
||||
+ if (frame == NULL) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ frame->level = ssl_encryption_application;
|
||||
+ frame->type = NGX_QUIC_FT_HANDSHAKE_DONE;
|
||||
+ ngx_quic_queue_frame(qc, frame);
|
||||
+
|
||||
+ if (qc->conf->retry) {
|
||||
+ if (ngx_quic_send_new_token(c, qc->path) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * RFC 9001, 9.5. Header Protection Timing Side Channels
|
||||
+ *
|
||||
+ * Generating next keys before a key update is received.
|
||||
+ */
|
||||
+
|
||||
+ ngx_post_event(&qc->key_update, &ngx_posted_events);
|
||||
+
|
||||
+ /*
|
||||
+ * RFC 9001, 4.9.2. Discarding Handshake Keys
|
||||
+ *
|
||||
+ * An endpoint MUST discard its Handshake keys
|
||||
+ * when the TLS handshake is confirmed.
|
||||
+ */
|
||||
+ ngx_quic_discard_ctx(c, ssl_encryption_handshake);
|
||||
+
|
||||
+ ngx_quic_discover_path_mtu(c, qc->path);
|
||||
+
|
||||
+ /* start accepting clients on negotiated number of server ids */
|
||||
+ if (ngx_quic_create_sockets(c) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (ngx_quic_init_streams(c) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return NGX_OK;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
|
||||
ngx_int_t
|
||||
ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
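Review bot: ngx_quic_ssl_handshake_handler discards NGX_ERROR from ngx_quic_handshake — it tests only for NGX_AGAIN, so a rejected or failed handshake (the handshake_rejected and "SSL_do_handshake() failed" paths both return NGX_ERROR) silently reinstalls ngx_quic_input_handler and keeps the connection alive with the TLS state already failed and c->ssl->handshaked never set. The handler should check the result and close the connection through the module's normal close path (presumably ngx_quic_close_connection(c, NGX_ERROR), as the rest of the QUIC code does — confirm), and the ngx_handle_read_event() return value there is ignored although the same call is checked inside ngx_quic_handshake; the trailing `return;` before the closing brace is redundant. The SSL_ERROR_WANT_X509_LOOKUP / SSL_ERROR_WANT_CLIENT_HELLO_CB yielding branches are repeated verbatim in the ngx_quic_crypto_input hunk below (whose enclosing function runs past the end of the page), so a small static helper such as `ngx_quic_ssl_yield(c)` would keep the two in step.
```c
static void
ngx_quic_ssl_handshake_handler(ngx_event_t *ev)
{
    ngx_int_t          rc;
    ngx_connection_t  *c;

    c = ev->data;

    /* … unchanged: debug log … */

    rc = ngx_quic_handshake(c);

    if (rc == NGX_AGAIN) {
        return;
    }

    if (rc == NGX_ERROR) {
        /* failed or rejected handshake: tear the connection down */
        ngx_quic_close_connection(c, NGX_ERROR);
        return;
    }

    c->read->handler = ngx_quic_input_handler;

    if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
        ngx_quic_close_connection(c, NGX_ERROR);
    }
}
```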
|
||||
@@ -423,6 +566,28 @@ ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
|
||||
sslerr);
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
+ c->read->handler = ngx_quic_ssl_handshake_handler;
|
||||
+
|
||||
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return NGX_OK;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
|
||||
+ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
|
||||
+ c->read->handler = ngx_quic_ssl_handshake_handler;
|
||||
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ return NGX_OK;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
if (sslerr != SSL_ERROR_WANT_READ) {
|
||||
|