nginx-quic: src/event/ngx_event

comparison src/event/ngx_event_quic.c @ 8191:9c3be23ddbe7 quic

QUIC: refactored key handling. All key handling functionality is moved into ngx_quic_protection.c. Public structures from ngx_quic_protection.h are now private and new methods are available to manipulate keys. A negotiated cipher is cached in QUIC connection from the set secret callback to avoid calling SSL_get_current_cipher() on each encrypt/decrypt operation. This also reduces the number of unwanted c->ssl->connection occurrences.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Mon, 02 Nov 2020 18:21:34 +0300
parents	d10118e38943
children	183275308d9a

comparison

equal deleted inserted replaced

-:d10118e38943
+:9c3be23ddbe7
 *  can be processed and acknowledged.  Initial packets can only be sent
 *  with Initial packet protection keys and acknowledged in packets which
 *  are also Initial packets.
 */
 typedef struct {
-ngx_quic_secret_t                 client_secret;
-ngx_quic_secret_t                 server_secret;
 enum ssl_encryption_level_t       level;
 uint64_t                          pnum;        /* to be sent */
 uint64_t                          largest_ack; /* received from peer */
 uint64_t                          largest_pn;  /* received from peer */
 ngx_uint_t                        client_tp_done;
 ngx_quic_tp_t                     tp;
 ngx_quic_tp_t                     ctp;
 ngx_quic_send_ctx_t               send_ctx[NGX_QUIC_SEND_CTX_LAST];
-ngx_quic_secrets_t                keys[NGX_QUIC_ENCRYPTION_LAST];
-ngx_quic_secrets_t                next_key;
 ngx_quic_frames_stream_t          crypto[NGX_QUIC_ENCRYPTION_LAST];
+ngx_quic_keys_t                  *keys;
 ngx_quic_conf_t                  *conf;
 ngx_event_t                       push;
 ngx_event_t                       pto;
 static int
 ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
 const uint8_t *rsecret, size_t secret_len)
 {
-ngx_connection_t    *c;
+ngx_connection_t  *c;
-ngx_quic_secrets_t  *keys;
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic ngx_quic_set_read_secret() level:%d", level);
 #ifdef NGX_QUIC_DEBUG_CRYPTO
 ngx_quic_hexdump(c->log, "quic read secret", rsecret, secret_len);
 #endif
-keys = &c->quic->keys[level];
+return ngx_quic_keys_set_encryption_secret(c->pool, 0, c->quic->keys, level,
+cipher, rsecret, secret_len);
-return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level,
-rsecret, secret_len,
-&keys->client);
 }
 static int
 ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
 const uint8_t *wsecret, size_t secret_len)
 {
-ngx_connection_t    *c;
+ngx_connection_t  *c;
-ngx_quic_secrets_t  *keys;
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic ngx_quic_set_write_secret() level:%d", level);
 #ifdef NGX_QUIC_DEBUG_CRYPTO
 ngx_quic_hexdump(c->log, "quic write secret", wsecret, secret_len);
 #endif
-keys = &c->quic->keys[level];
+return ngx_quic_keys_set_encryption_secret(c->pool, 1, c->quic->keys, level,
+cipher, wsecret, secret_len);
-return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level,
-wsecret, secret_len,
-&keys->server);
 }
 #else
 static int
 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
 enum ssl_encryption_level_t level, const uint8_t *rsecret,
 const uint8_t *wsecret, size_t secret_len)
 {
-ngx_int_t            rc;
+ngx_connection_t  *c;
-ngx_connection_t    *c;
+const SSL_CIPHER  *cipher;
-ngx_quic_secrets_t  *keys;
 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic ngx_quic_set_encryption_secrets() level:%d", level);
 #ifdef NGX_QUIC_DEBUG_CRYPTO
-ngx_quic_hexdump(c->log, "quic read", rsecret, secret_len);
+ngx_quic_hexdump(c->log, "quic read secret", rsecret, secret_len);
 #endif
-keys = &c->quic->keys[level];
+cipher = SSL_get_current_cipher(ssl_conn);
-rc = ngx_quic_set_encryption_secret(c->pool, ssl_conn, level,
+if (ngx_quic_keys_set_encryption_secret(c->pool, 0, c->quic->keys, level,
-rsecret, secret_len,
+cipher, rsecret, secret_len)
-&keys->client);
+!= 1)
-if (rc != 1) {
+{
-return rc;
+return 0;
 }
 if (level == ssl_encryption_early_data) {
 return 1;
 }
 #ifdef NGX_QUIC_DEBUG_CRYPTO
-ngx_quic_hexdump(c->log, "quic write", wsecret, secret_len);
+ngx_quic_hexdump(c->log, "quic write secret", wsecret, secret_len);
 #endif
-return ngx_quic_set_encryption_secret(c->pool, ssl_conn, level,
+return ngx_quic_keys_set_encryption_secret(c->pool, 1, c->quic->keys, level,
-wsecret, secret_len,
+cipher, wsecret, secret_len);
-&keys->server);
 }
 #endif
 qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t));
 if (qc == NULL) {
 return NULL;
 }
+qc->keys = ngx_quic_keys_new(c->pool);
+if (qc->keys == NULL) {
+return NULL;
+}
 ngx_rbtree_init(&qc->streams.tree, &qc->streams.sentinel,
 ngx_quic_rbtree_insert_stream);
 for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
 ngx_queue_init(&qc->send_ctx[i].frames);
 pkt.scid = c->quic->dcid;
 pkt.token = token;
 res.data = buf;
-if (ngx_quic_encrypt(&pkt, NULL, &res) != NGX_OK) {
+if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
 return NGX_ERROR;
 }
 #ifdef NGX_QUIC_DEBUG_PACKETS
 ngx_quic_hexdump(c->log, "quic packet to send", res.data, res.len);
 static ngx_int_t
 ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
 ngx_quic_header_t *pkt)
 {
 ngx_int_t               rc;
-ngx_ssl_conn_t         *ssl_conn;
-ngx_quic_secrets_t     *keys, *next, tmp;
 ngx_quic_send_ctx_t    *ctx;
 ngx_quic_connection_t  *qc;
 static u_char           buf[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
 }
 }
 c->log->action = "decrypting packet";
-keys = &qc->keys[pkt->level];
+if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
-if (keys->client.key.len == 0) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "quic no level %d keys yet, ignoring packet", pkt->level);
 return NGX_DECLINED;
 }
-next = &qc->next_key;
+pkt->keys = qc->keys;
-pkt->secret = &keys->client;
-pkt->next = &next->client;
 pkt->key_phase = qc->key_phase;
 pkt->plaintext = buf;
 ctx = ngx_quic_get_send_ctx(qc, pkt->level);
-ssl_conn = c->ssl ? c->ssl->connection : NULL;
+rc = ngx_quic_decrypt(pkt, &ctx->largest_pn);
-rc = ngx_quic_decrypt(pkt, ssl_conn, &ctx->largest_pn);
 if (rc != NGX_OK) {
 qc->error = pkt->error;
 qc->error_reason = "failed to decrypt packet";
 return rc;
 }
 if (pkt->level != ssl_encryption_application) {
 return ngx_quic_payload_handler(c, pkt);
 }
-/* switch keys on Key Phase change */
+if (!pkt->key_update) {
+return ngx_quic_payload_handler(c, pkt);
-if (pkt->key_update) {
+}
-qc->key_phase ^= 1;
+/* switch keys and generate next on Key Phase change */
-tmp = *keys;
-*keys = *next;
+qc->key_phase ^= 1;
-*next = tmp;
+ngx_quic_keys_switch(c, qc->keys);
-}
 rc = ngx_quic_payload_handler(c, pkt);
 if (rc != NGX_OK) {
 return rc;
 }
-/* generate next keys */
+return ngx_quic_keys_update(c, qc->keys);
-if (pkt->key_update) {
-if (ngx_quic_key_update(c, keys, next) != NGX_OK) {
-return NGX_ERROR;
-}
-}
-return NGX_OK;
 }
 static ngx_int_t
 ngx_quic_init_secrets(ngx_connection_t *c)
 {
-ngx_quic_secrets_t     *keys;
 ngx_quic_connection_t  *qc;
-qc =c->quic;
+qc = c->quic;
-keys = &qc->keys[ssl_encryption_initial];
+if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &qc->odcid)
-if (ngx_quic_set_initial_secret(c->pool, &keys->client, &keys->server,
-&qc->odcid)
 != NGX_OK)
 {
 return NGX_ERROR;
 }
 ngx_quic_send_ctx_t    *ctx;
 ngx_quic_connection_t  *qc;
 qc = c->quic;
-if (qc->keys[level].client.key.len == 0) {
+if (!ngx_quic_keys_available(qc->keys, level)) {
 return;
 }
-qc->keys[level].client.key.len = 0;
+ngx_quic_keys_discard(qc->keys, level);
 qc->pto_count = 0;
 ctx = ngx_quic_get_send_ctx(qc, level);
 while (!ngx_queue_empty(&ctx->sent)) {
 /*
 * Generating next keys before a key update is received.
 * See quic-tls 9.4 Header Protection Timing Side-Channels.
 */
-if (ngx_quic_key_update(c, &c->quic->keys[ssl_encryption_application],
+if (ngx_quic_keys_update(c, c->quic->keys) != NGX_OK) {
-&c->quic->next_key)
-!= NGX_OK)
-{
 return NGX_ERROR;
 }
 /*
 * 4.10.2 An endpoint MUST discard its handshake keys
 size_t                  pad_len;
 ssize_t                 len;
 ngx_str_t               out, res;
 ngx_msec_t              now;
 ngx_queue_t            *q;
-ngx_ssl_conn_t         *ssl_conn;
 ngx_quic_frame_t       *f, *start;
 ngx_quic_header_t       pkt;
-ngx_quic_secrets_t     *keys;
 ngx_quic_connection_t  *qc;
 static u_char           src[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
 static u_char           dst[NGX_QUIC_MAX_UDP_PAYLOAD_SIZE];
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "quic ngx_quic_send_frames");
-ssl_conn = c->ssl ? c->ssl->connection : NULL;
 q = ngx_queue_head(frames);
 start = ngx_queue_data(q, ngx_quic_frame_t, queue);
 ngx_memzero(&pkt, sizeof(ngx_quic_header_t));
 out.len = p - out.data;
 qc = c->quic;
-keys = &c->quic->keys[start->level];
+pkt.keys = qc->keys;
-pkt.secret = &keys->server;
 pkt.flags = NGX_QUIC_PKT_FIXED_BIT;
 if (start->level == ssl_encryption_initial) {
 pkt.flags |= NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_INITIAL;
 "quic packet tx %s bytes:%ui"
 " need_ack:%d number:%L encoded nl:%d trunc:0x%xD",
 ngx_quic_level_name(start->level), out.len, pkt.need_ack,
 pkt.number, pkt.num_len, pkt.trunc);
-if (ngx_quic_encrypt(&pkt, ssl_conn, &res) != NGX_OK) {
+if (ngx_quic_encrypt(&pkt, &res) != NGX_OK) {
 ngx_quic_free_frames(c, frames);
 return NGX_ERROR;
 }
 len = c->send(c, res.data, res.len);

Mercurial > hg > nginx-quic

comparison src/event/ngx_event_quic.c @ 8191:9c3be23ddbe7 quic