deps: update ngtcp2 to 0.14.1

nodejs · Apr 16, 2023 · 061f635 · 061f635
1 parent a777bbd
commit 061f635
Show file tree

Hide file tree

Showing 45 changed files with 2,519 additions and 1,666 deletions.
diff --git a/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c b/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c
@@ -423,7 +423,10 @@ int ngtcp2_crypto_read_write_crypto_data(ngtcp2_conn *conn,
 
         SSL_reset_early_data_reject(ssl);
 
-        ngtcp2_conn_early_data_rejected(conn);
+        rv = ngtcp2_conn_early_data_rejected(conn);
+        if (rv != 0) {
+          return -1;
+        }
 
         goto retry;
       default:

diff --git a/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c b/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c
@@ -82,9 +82,11 @@ static uint64_t crypto_ptls_get_aead_max_encryption(ptls_t *ptls) {
     return NGTCP2_CRYPTO_MAX_ENCRYPTION_AES_GCM;
   }
 
+#ifdef PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
   if (cs->aead == &ptls_openssl_chacha20poly1305) {
     return NGTCP2_CRYPTO_MAX_ENCRYPTION_CHACHA20_POLY1305;
   }
+#endif /* PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 */
 
   return 0;
 }
@@ -97,9 +99,11 @@ static uint64_t crypto_ptls_get_aead_max_decryption_failure(ptls_t *ptls) {
     return NGTCP2_CRYPTO_MAX_DECRYPTION_FAILURE_AES_GCM;
   }
 
+#ifdef PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
   if (cs->aead == &ptls_openssl_chacha20poly1305) {
     return NGTCP2_CRYPTO_MAX_DECRYPTION_FAILURE_CHACHA20_POLY1305;
   }
+#endif /* PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 */
 
   return 0;
 }
@@ -115,9 +119,11 @@ static const ptls_cipher_algorithm_t *crypto_ptls_get_hp(ptls_t *ptls) {
     return &ptls_openssl_aes256ctr;
   }
 
+#ifdef PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
   if (cs->aead == &ptls_openssl_chacha20poly1305) {
     return &ptls_openssl_chacha20;
   }
+#endif /* PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 */
 
   return NULL;
 }
@@ -379,7 +385,11 @@ int ngtcp2_crypto_read_write_crypto_data(ngtcp2_conn *conn,
   if (!ngtcp2_conn_is_server(conn) &&
       cptls->handshake_properties.client.early_data_acceptance ==
           PTLS_EARLY_DATA_REJECTED) {
-    ngtcp2_conn_early_data_rejected(conn);
+    rv = ngtcp2_conn_early_data_rejected(conn);
+    if (rv != 0) {
+      rv = -1;
+      goto fin;
+    }
   }
 
   for (i = 0; i < 4; ++i) {

diff --git a/deps/ngtcp2/ngtcp2/crypto/shared.c b/deps/ngtcp2/ngtcp2/crypto/shared.c
@@ -66,9 +66,9 @@ int ngtcp2_crypto_hkdf_expand_label(uint8_t *dest, size_t destlen,
 
 #define NGTCP2_CRYPTO_INITIAL_SECRETLEN 32
 
-int ngtcp2_crypto_derive_initial_secrets(uint32_t version, uint8_t *rx_secret,
-                                         uint8_t *tx_secret,
+int ngtcp2_crypto_derive_initial_secrets(uint8_t *rx_secret, uint8_t *tx_secret,
                                          uint8_t *initial_secret,
+                                         uint32_t version,
                                          const ngtcp2_cid *client_dcid,
                                          ngtcp2_crypto_side side) {
   static const uint8_t CLABEL[] = "client in";
@@ -91,9 +91,9 @@ int ngtcp2_crypto_derive_initial_secrets(uint32_t version, uint8_t *rx_secret,
     salt = (const uint8_t *)NGTCP2_INITIAL_SALT_V1;
     saltlen = sizeof(NGTCP2_INITIAL_SALT_V1) - 1;
     break;
-  case NGTCP2_PROTO_VER_V2_DRAFT:
-    salt = (const uint8_t *)NGTCP2_INITIAL_SALT_V2_DRAFT;
-    saltlen = sizeof(NGTCP2_INITIAL_SALT_V2_DRAFT) - 1;
+  case NGTCP2_PROTO_VER_V2:
+    salt = (const uint8_t *)NGTCP2_INITIAL_SALT_V2;
+    saltlen = sizeof(NGTCP2_INITIAL_SALT_V2) - 1;
     break;
   default:
     salt = (const uint8_t *)NGTCP2_INITIAL_SALT_DRAFT;
@@ -139,9 +139,9 @@ int ngtcp2_crypto_derive_packet_protection_key(
   static const uint8_t KEY_LABEL_V1[] = "quic key";
   static const uint8_t IV_LABEL_V1[] = "quic iv";
   static const uint8_t HP_KEY_LABEL_V1[] = "quic hp";
-  static const uint8_t KEY_LABEL_V2_DRAFT[] = "quicv2 key";
-  static const uint8_t IV_LABEL_V2_DRAFT[] = "quicv2 iv";
-  static const uint8_t HP_KEY_LABEL_V2_DRAFT[] = "quicv2 hp";
+  static const uint8_t KEY_LABEL_V2[] = "quicv2 key";
+  static const uint8_t IV_LABEL_V2[] = "quicv2 iv";
+  static const uint8_t HP_KEY_LABEL_V2[] = "quicv2 hp";
   size_t keylen = ngtcp2_crypto_aead_keylen(aead);
   size_t ivlen = ngtcp2_crypto_packet_protection_ivlen(aead);
   const uint8_t *key_label;
@@ -152,13 +152,13 @@ int ngtcp2_crypto_derive_packet_protection_key(
   size_t hp_key_labellen;
 
   switch (version) {
-  case NGTCP2_PROTO_VER_V2_DRAFT:
-    key_label = KEY_LABEL_V2_DRAFT;
-    key_labellen = sizeof(KEY_LABEL_V2_DRAFT) - 1;
-    iv_label = IV_LABEL_V2_DRAFT;
-    iv_labellen = sizeof(IV_LABEL_V2_DRAFT) - 1;
-    hp_key_label = HP_KEY_LABEL_V2_DRAFT;
-    hp_key_labellen = sizeof(HP_KEY_LABEL_V2_DRAFT) - 1;
+  case NGTCP2_PROTO_VER_V2:
+    key_label = KEY_LABEL_V2;
+    key_labellen = sizeof(KEY_LABEL_V2) - 1;
+    iv_label = IV_LABEL_V2;
+    iv_labellen = sizeof(IV_LABEL_V2) - 1;
+    hp_key_label = HP_KEY_LABEL_V2;
+    hp_key_labellen = sizeof(HP_KEY_LABEL_V2) - 1;
     break;
   default:
     key_label = KEY_LABEL_V1;
@@ -188,14 +188,27 @@ int ngtcp2_crypto_derive_packet_protection_key(
   return 0;
 }
 
-int ngtcp2_crypto_update_traffic_secret(uint8_t *dest,
+int ngtcp2_crypto_update_traffic_secret(uint8_t *dest, uint32_t version,
                                         const ngtcp2_crypto_md *md,
                                         const uint8_t *secret,
                                         size_t secretlen) {
   static const uint8_t LABEL[] = "quic ku";
+  static const uint8_t LABEL_V2[] = "quicv2 ku";
+  const uint8_t *label;
+  size_t labellen;
+
+  switch (version) {
+  case NGTCP2_PROTO_VER_V2:
+    label = LABEL_V2;
+    labellen = sizeof(LABEL_V2) - 1;
+    break;
+  default:
+    label = LABEL;
+    labellen = sizeof(LABEL) - 1;
+  }
 
   if (ngtcp2_crypto_hkdf_expand_label(dest, secretlen, md, secret, secretlen,
-                                      LABEL, sizeof(LABEL) - 1) != 0) {
+                                      label, labellen) != 0) {
     return -1;
   }
 
@@ -521,7 +534,7 @@ int ngtcp2_crypto_derive_and_install_initial_key(
   ngtcp2_conn_set_initial_crypto_ctx(conn, &ctx);
 
   if (ngtcp2_crypto_derive_initial_secrets(
-          version, rx_secret, tx_secret, initial_secret, client_dcid,
+          rx_secret, tx_secret, initial_secret, version, client_dcid,
           server ? NGTCP2_CRYPTO_SIDE_SERVER : NGTCP2_CRYPTO_SIDE_CLIENT) !=
       0) {
     return -1;
@@ -567,9 +580,9 @@ int ngtcp2_crypto_derive_and_install_initial_key(
       retry_key = (const uint8_t *)NGTCP2_RETRY_KEY_V1;
       retry_noncelen = sizeof(NGTCP2_RETRY_NONCE_V1) - 1;
       break;
-    case NGTCP2_PROTO_VER_V2_DRAFT:
-      retry_key = (const uint8_t *)NGTCP2_RETRY_KEY_V2_DRAFT;
-      retry_noncelen = sizeof(NGTCP2_RETRY_NONCE_V2_DRAFT) - 1;
+    case NGTCP2_PROTO_VER_V2:
+      retry_key = (const uint8_t *)NGTCP2_RETRY_KEY_V2;
+      retry_noncelen = sizeof(NGTCP2_RETRY_NONCE_V2) - 1;
       break;
     default:
       retry_key = (const uint8_t *)NGTCP2_RETRY_KEY_DRAFT;
@@ -657,7 +670,7 @@ int ngtcp2_crypto_derive_and_install_vneg_initial_key(
   }
 
   if (ngtcp2_crypto_derive_initial_secrets(
-          version, rx_secret, tx_secret, initial_secret, client_dcid,
+          rx_secret, tx_secret, initial_secret, version, client_dcid,
           server ? NGTCP2_CRYPTO_SIDE_SERVER : NGTCP2_CRYPTO_SIDE_CLIENT) !=
       0) {
     return -1;
@@ -725,8 +738,8 @@ int ngtcp2_crypto_update_key(
   size_t ivlen = ngtcp2_crypto_packet_protection_ivlen(aead);
   uint32_t version = ngtcp2_conn_get_negotiated_version(conn);
 
-  if (ngtcp2_crypto_update_traffic_secret(rx_secret, md, current_rx_secret,
-                                          secretlen) != 0) {
+  if (ngtcp2_crypto_update_traffic_secret(rx_secret, version, md,
+                                          current_rx_secret, secretlen) != 0) {
     return -1;
   }
 
@@ -735,8 +748,8 @@ int ngtcp2_crypto_update_key(
     return -1;
   }
 
-  if (ngtcp2_crypto_update_traffic_secret(tx_secret, md, current_tx_secret,
-                                          secretlen) != 0) {
+  if (ngtcp2_crypto_update_traffic_secret(tx_secret, version, md,
+                                          current_tx_secret, secretlen) != 0) {
     return -1;
   }
 
@@ -1234,8 +1247,8 @@ ngtcp2_ssize ngtcp2_crypto_write_connection_close(
 
   ngtcp2_crypto_ctx_initial(&ctx);
 
-  if (ngtcp2_crypto_derive_initial_secrets(version, rx_secret, tx_secret,
-                                           initial_secret, scid,
+  if (ngtcp2_crypto_derive_initial_secrets(rx_secret, tx_secret, initial_secret,
+                                           version, scid,
                                            NGTCP2_CRYPTO_SIDE_SERVER) != 0) {
     return -1;
   }
@@ -1290,9 +1303,9 @@ ngtcp2_ssize ngtcp2_crypto_write_retry(uint8_t *dest, size_t destlen,
     key = (const uint8_t *)NGTCP2_RETRY_KEY_V1;
     noncelen = sizeof(NGTCP2_RETRY_NONCE_V1) - 1;
     break;
-  case NGTCP2_PROTO_VER_V2_DRAFT:
-    key = (const uint8_t *)NGTCP2_RETRY_KEY_V2_DRAFT;
-    noncelen = sizeof(NGTCP2_RETRY_NONCE_V2_DRAFT) - 1;
+  case NGTCP2_PROTO_VER_V2:
+    key = (const uint8_t *)NGTCP2_RETRY_KEY_V2;
+    noncelen = sizeof(NGTCP2_RETRY_NONCE_V2) - 1;
     break;
   default:
     key = (const uint8_t *)NGTCP2_RETRY_KEY_DRAFT;

diff --git a/deps/ngtcp2/ngtcp2/crypto/shared.h b/deps/ngtcp2/ngtcp2/crypto/shared.h
@@ -54,12 +54,12 @@
 /**
  * @macro
  *
- * :macro:`NGTCP2_INITIAL_SALT_V2_DRAFT` is a salt value which is used to
- * derive initial secret.  It is used for QUIC v2 draft.
+ * :macro:`NGTCP2_INITIAL_SALT_V2` is a salt value which is used to
+ * derive initial secret.  It is used for QUIC v2.
  */
-#define NGTCP2_INITIAL_SALT_V2_DRAFT                                           \
-  "\xa7\x07\xc2\x03\xa5\x9b\x47\x18\x4a\x1d\x62\xca\x57\x04\x06\xea\x7a\xe3"   \
-  "\xe5\xd3"
+#define NGTCP2_INITIAL_SALT_V2                                                 \
+  "\x0d\xed\xe3\xde\xf7\x00\xa6\xdb\x81\x93\x81\xbe\x6e\x26\x9d\xcb\xf9\xbd"   \
+  "\x2e\xd9"
 
 /* Maximum key usage (encryption) limits */
 #define NGTCP2_CRYPTO_MAX_ENCRYPTION_AES_GCM (1ULL << 23)
@@ -122,9 +122,9 @@ ngtcp2_crypto_aead *ngtcp2_crypto_aead_retry(ngtcp2_crypto_aead *aead);
  *
  * This function returns 0 if it succeeds, or -1.
  */
-int ngtcp2_crypto_derive_initial_secrets(uint32_t version, uint8_t *rx_secret,
-                                         uint8_t *tx_secret,
+int ngtcp2_crypto_derive_initial_secrets(uint8_t *rx_secret, uint8_t *tx_secret,
                                          uint8_t *initial_secret,
+                                         uint32_t version,
                                          const ngtcp2_cid *client_dcid,
                                          ngtcp2_crypto_side side);
 
@@ -168,7 +168,7 @@ int ngtcp2_crypto_derive_packet_protection_key(uint8_t *key, uint8_t *iv,
  *
  * This function returns 0 if it succeeds, or -1.
  */
-int ngtcp2_crypto_update_traffic_secret(uint8_t *dest,
+int ngtcp2_crypto_update_traffic_secret(uint8_t *dest, uint32_t version,
                                         const ngtcp2_crypto_md *md,
                                         const uint8_t *secret,
                                         size_t secretlen);

diff --git a/deps/ngtcp2/ngtcp2/crypto/wolfssl/wolfssl.c b/deps/ngtcp2/ngtcp2/crypto/wolfssl/wolfssl.c
@@ -211,6 +211,7 @@ int ngtcp2_crypto_hkdf_extract(uint8_t *dest, const ngtcp2_crypto_md *md,
                                const uint8_t *salt, size_t saltlen) {
   if (wolfSSL_quic_hkdf_extract(dest, md->native_handle, secret, secretlen,
                                 salt, saltlen) != WOLFSSL_SUCCESS) {
+    DEBUG_MSG("WOLFSSL: wolfSSL_quic_hkdf_extract FAILED\n");
     return -1;
   }
   return 0;
@@ -222,6 +223,7 @@ int ngtcp2_crypto_hkdf_expand(uint8_t *dest, size_t destlen,
                               size_t infolen) {
   if (wolfSSL_quic_hkdf_expand(dest, destlen, md->native_handle, secret,
                                secretlen, info, infolen) != WOLFSSL_SUCCESS) {
+    DEBUG_MSG("WOLFSSL: wolfSSL_quic_hkdf_expand FAILED\n");
     return -1;
   }
   return 0;
@@ -233,6 +235,7 @@ int ngtcp2_crypto_hkdf(uint8_t *dest, size_t destlen,
                        const uint8_t *info, size_t infolen) {
   if (wolfSSL_quic_hkdf(dest, destlen, md->native_handle, secret, secretlen,
                         salt, saltlen, info, infolen) != WOLFSSL_SUCCESS) {
+    DEBUG_MSG("WOLFSSL: wolfSSL_quic_hkdf FAILED\n");
     return -1;
   }
   return 0;
@@ -286,6 +289,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
                                sizeof(PLAINTEXT) - 1) != WOLFSSL_SUCCESS ||
       wolfSSL_EVP_EncryptFinal_ex(actx, dest + sizeof(PLAINTEXT) - 1, &len) !=
           WOLFSSL_SUCCESS) {
+    DEBUG_MSG("WOLFSSL: hp_mask FAILED\n");
     return -1;
   }
 
@@ -313,9 +317,9 @@ int ngtcp2_crypto_read_write_crypto_data(ngtcp2_conn *conn,
 
   if (!ngtcp2_conn_get_handshake_completed(conn)) {
     rv = wolfSSL_quic_do_handshake(ssl);
-    DEBUG_MSG("WOLFSSL: do_handshake, rv=%d\n", rv);
     if (rv <= 0) {
       err = wolfSSL_get_error(ssl, rv);
+      DEBUG_MSG("WOLFSSL: do_handshake, rv=%d, err=%d\n", rv, err);
       switch (err) {
       case SSL_ERROR_WANT_READ:
       case SSL_ERROR_WANT_WRITE:
@@ -514,11 +518,17 @@ static void crypto_wolfssl_configure_context(WOLFSSL_CTX *ssl_ctx) {
 
 int ngtcp2_crypto_wolfssl_configure_server_context(WOLFSSL_CTX *ssl_ctx) {
   crypto_wolfssl_configure_context(ssl_ctx);
+#if PRINTF_DEBUG
+  wolfSSL_Debugging_ON();
+#endif
   return 0;
 }
 
 int ngtcp2_crypto_wolfssl_configure_client_context(WOLFSSL_CTX *ssl_ctx) {
   crypto_wolfssl_configure_context(ssl_ctx);
   wolfSSL_CTX_UseSessionTicket(ssl_ctx);
+#if PRINTF_DEBUG
+  wolfSSL_Debugging_ON();
+#endif
   return 0;
 }