Mercurial > hg > nginx
annotate src/event/quic/ngx_event_quic_openssl_compat.h @ 9157:daf8f5ba23d8
QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level.
As explained in BoringSSL change[1], levels were introduced in the original
QUIC API to draw a line between when keys are released and when are active.
In the new QUIC API they are released in separate calls when it's needed.
BoringSSL has then a consideration to remove levels API, hence the change.
If not available e.g. from a QUIC packet header, levels can be taken based on
keys availability. The only real use of levels is to prevent using app keys
before they are active in QuicTLS that provides the old BoringSSL QUIC API,
it is replaced with an equivalent check of c->ssl->handshaked.
This change also removes OpenSSL compat shims since they are no longer used.
The only exception left is caching write level from the keylog callback in
the internal field which is a handy equivalent of checking keys availability.
[1] https://boringssl.googlesource.com/boringssl/+/1e859054
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 01 Sep 2023 20:31:46 +0400 |
| parents | bddd3f76e3e5 |
| children |
| rev | line source |
|---|---|
|
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
1 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
2 /* |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
3 * Copyright (C) Nginx, Inc. |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
4 */ |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
5 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
6 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
7 #ifndef _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
8 #define _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
9 |
|
9113
bddd3f76e3e5
QUIC: fixed OpenSSL compat layer with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9080
diff
changeset
|
10 #if defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION \ |
|
bddd3f76e3e5
QUIC: fixed OpenSSL compat layer with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
9080
diff
changeset
|
11 || defined LIBRESSL_VERSION_NUMBER |
|
9080
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
12 #undef NGX_QUIC_OPENSSL_COMPAT |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
13 #else |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
14 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
15 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
16 #include <ngx_config.h> |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
17 #include <ngx_core.h> |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
18 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
19 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
20 typedef struct ngx_quic_compat_s ngx_quic_compat_t; |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
21 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
22 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
23 enum ssl_encryption_level_t { |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
24 ssl_encryption_initial = 0, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
25 ssl_encryption_early_data, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
26 ssl_encryption_handshake, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
27 ssl_encryption_application |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
28 }; |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
29 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
30 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
31 typedef struct ssl_quic_method_st { |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
32 int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
33 const SSL_CIPHER *cipher, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
34 const uint8_t *rsecret, size_t secret_len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
35 int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
36 const SSL_CIPHER *cipher, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
37 const uint8_t *wsecret, size_t secret_len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
38 int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
39 const uint8_t *data, size_t len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
40 int (*flush_flight)(SSL *ssl); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
41 int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
42 uint8_t alert); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
43 } SSL_QUIC_METHOD; |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
44 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
45 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
46 ngx_int_t ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
47 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
48 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
49 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
50 const uint8_t *data, size_t len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
51 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
52 size_t params_len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
53 void SSL_get_peer_quic_transport_params(const SSL *ssl, |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
54 const uint8_t **out_params, size_t *out_params_len); |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
55 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
56 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
57 #endif /* TLSEXT_TYPE_quic_transport_parameters */ |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
58 |
|
7da4791e0264
QUIC: OpenSSL compatibility layer.
Roman Arutyunyan <arut@nginx.com>
parents:
diff
changeset
|
59 #endif /* _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ */ |