flyskype
/
openresty
mirror of https://github.com/openresty/openresty
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

SSL: handled quic SSL_CTX_set_cert_cb() and SSL_CTX_set_client_hello_cb() and SSL_CTX_sess_set_new_cb session callback yielding.

Browse Source
pull/1058/head
Jun Ouyang 3 months ago
parent a17c6cb88b
commit ef87444a0c
2 changed files with 0 additions and 233 deletions
Show Stats Download Patch File Download Diff File

0
patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_client_hello_and_ssl_cert_and_ssl_session_cb_yield.patch
Unescape Escape View File

233
patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_client_hello_and_ssl_cert_cb_yield.patch
Unescape Escape View File

@ -1,233 +0,0 @@
diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index c03b1d0..9be67df 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -13,8 +13,7 @@
static ngx_quic_connection_t *ngx_quic_new_connection(ngx_connection_t *c,
ngx_quic_conf_t *conf, ngx_quic_header_t *pkt);
static ngx_int_t ngx_quic_handle_stateless_reset(ngx_connection_t *c,
- ngx_quic_header_t *pkt);
-static void ngx_quic_input_handler(ngx_event_t *rev);
+ ngx_quic_header_t *pkt);
static void ngx_quic_close_handler(ngx_event_t *ev);
static ngx_int_t ngx_quic_handle_datagram(ngx_connection_t *c, ngx_buf_t *b,
@@ -392,7 +391,7 @@ ngx_quic_handle_stateless_reset(ngx_connection_t *c, ngx_quic_header_t *pkt)
}
-static void
+void
ngx_quic_input_handler(ngx_event_t *rev)
{
ngx_int_t rc;
diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
index 1520167..344b867 100644
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -125,5 +125,5 @@ ngx_int_t ngx_quic_get_packet_dcid(ngx_log_t *log, u_char *data, size_t len,
ngx_str_t *dcid);
ngx_int_t ngx_quic_derive_key(ngx_log_t *log, const char *label,
ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len);
-
+void ngx_quic_input_handler(ngx_event_t *rev);
#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index ba0b592..b53b3bc 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -8,6 +8,7 @@
#include <ngx_core.h>
#include <ngx_event.h>
#include <ngx_event_quic_connection.h>
+#include <ngx_event_quic_ssl.h>
#if defined OPENSSL_IS_BORINGSSL \
@@ -45,7 +46,8 @@ static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, uint8_t alert);
static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
enum ssl_encryption_level_t level);
-
+static ngx_int_t
+ngx_quic_handshake(ngx_connection_t *c);
#if (NGX_QUIC_BORINGSSL_API)
@@ -314,6 +316,147 @@ ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
return 1;
}
+static void
+ngx_quic_ssl_handshake_handler(ngx_event_t *ev)
+{
+ ngx_connection_t *c;
+
+ c = ev->data;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "quic SSL handshake handler: %d", ev->write);
+
+ if (ngx_quic_handshake(c) == NGX_AGAIN) {
+ return;
+ }
+
+ c->read->handler = ngx_quic_input_handler;
+ ngx_handle_read_event(c->read, 0);
+ return;
+}
+
+static ngx_int_t
+ngx_quic_handshake(ngx_connection_t *c)
+{
+ int n, sslerr;
+ ngx_ssl_conn_t *ssl_conn;
+ ngx_quic_frame_t *frame;
+ ngx_quic_connection_t *qc;
+
+ qc = ngx_quic_get_connection(c);
+
+ ssl_conn = c->ssl->connection;
+
+ n = SSL_do_handshake(ssl_conn);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
+
+ if (n <= 0) {
+ sslerr = SSL_get_error(ssl_conn, n);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
+ sslerr);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_quic_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
+ c->read->handler = ngx_quic_ssl_handshake_handler;
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
+ if (sslerr != SSL_ERROR_WANT_READ) {
+ if (c->ssl->handshake_rejected) {
+ ngx_connection_error(c, 0, "handshake rejected");
+ ERR_clear_error();
+
+ return NGX_ERROR;
+ }
+
+ ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
+ return NGX_ERROR;
+ }
+ }
+
+ if (n <= 0 || SSL_in_init(ssl_conn)) {
+ if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
+ && qc->client_tp_done)
+ {
+ if (ngx_quic_init_streams(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ return NGX_OK;
+ }
+
+#if (NGX_DEBUG)
+ ngx_ssl_handshake_log(c);
+#endif
+
+ c->ssl->handshaked = 1;
+
+ frame = ngx_quic_alloc_frame(c);
+ if (frame == NULL) {
+ return NGX_ERROR;
+ }
+
+ frame->level = ssl_encryption_application;
+ frame->type = NGX_QUIC_FT_HANDSHAKE_DONE;
+ ngx_quic_queue_frame(qc, frame);
+
+ if (qc->conf->retry) {
+ if (ngx_quic_send_new_token(c, qc->path) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ /*
+ * RFC 9001, 9.5. Header Protection Timing Side Channels
+ *
+ * Generating next keys before a key update is received.
+ */
+
+ ngx_post_event(&qc->key_update, &ngx_posted_events);
+
+ /*
+ * RFC 9001, 4.9.2. Discarding Handshake Keys
+ *
+ * An endpoint MUST discard its Handshake keys
+ * when the TLS handshake is confirmed.
+ */
+ ngx_quic_discard_ctx(c, ssl_encryption_handshake);
+
+ ngx_quic_discover_path_mtu(c, qc->path);
+
+ /* start accepting clients on negotiated number of server ids */
+ if (ngx_quic_create_sockets(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_quic_init_streams(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
+
ngx_int_t
ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
@@ -423,6 +566,28 @@ ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
sslerr);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_quic_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+ }
+#endif
+
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
+ c->read->handler = ngx_quic_ssl_handshake_handler;
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+ }
+#endif
if (sslerr != SSL_ERROR_WANT_READ) {
Write Preview
Loading…
Cancel
Save