Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_protection.c @ 9152:2880f60a80c3
QUIC: posted generating TLS Key Update next keys.
Since at least f9fbeb4ee0de and certainly after 924882f42dea, which
TLS Key Update support predates, queued data output is deferred to a
posted push handler. To address timing signals after these changes,
generating next keys is now posted to run after the push handler.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 25 Aug 2023 13:51:38 +0400 |
| parents | f73dfa6c0696 |
| children | ff98ae7d261e |
comparison
equal
deleted
inserted
replaced
| 9151:933f37273282 | 9152:2880f60a80c3 |
|---|---|
| 698 *current = *next; | 698 *current = *next; |
| 699 *next = tmp; | 699 *next = tmp; |
| 700 } | 700 } |
| 701 | 701 |
| 702 | 702 |
| 703 ngx_int_t | 703 void |
| 704 ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys) | 704 ngx_quic_keys_update(ngx_event_t *ev) |
| 705 { | 705 { |
| 706 ngx_uint_t i; | 706 ngx_uint_t i; |
| 707 ngx_quic_hkdf_t seq[6]; | 707 ngx_quic_hkdf_t seq[6]; |
| 708 ngx_quic_ciphers_t ciphers; | 708 ngx_quic_keys_t *keys; |
| 709 ngx_quic_secrets_t *current, *next; | 709 ngx_connection_t *c; |
| 710 ngx_quic_ciphers_t ciphers; | |
| 711 ngx_quic_secrets_t *current, *next; | |
| 712 ngx_quic_connection_t *qc; | |
| 713 | |
| 714 c = ev->data; | |
| 715 qc = ngx_quic_get_connection(c); | |
| 716 keys = qc->keys; | |
| 710 | 717 |
| 711 current = &keys->secrets[ssl_encryption_application]; | 718 current = &keys->secrets[ssl_encryption_application]; |
| 712 next = &keys->next_key; | 719 next = &keys->next_key; |
| 713 | 720 |
| 714 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update"); | 721 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update"); |
| 715 | 722 |
| 723 c->log->action = "updating keys"; | |
| 724 | |
| 716 if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application) | 725 if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application) |
| 717 == NGX_ERROR) | 726 == NGX_ERROR) |
| 718 { | 727 { |
| 719 return NGX_ERROR; | 728 goto failed; |
| 720 } | 729 } |
| 721 | 730 |
| 722 next->client.secret.len = current->client.secret.len; | 731 next->client.secret.len = current->client.secret.len; |
| 723 next->client.key.len = current->client.key.len; | 732 next->client.key.len = current->client.key.len; |
| 724 next->client.iv.len = NGX_QUIC_IV_LEN; | 733 next->client.iv.len = NGX_QUIC_IV_LEN; |
| 742 ngx_quic_hkdf_set(&seq[5], "tls13 quic iv", | 751 ngx_quic_hkdf_set(&seq[5], "tls13 quic iv", |
| 743 &next->server.iv, &next->server.secret); | 752 &next->server.iv, &next->server.secret); |
| 744 | 753 |
| 745 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { | 754 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { |
| 746 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) { | 755 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) { |
| 747 return NGX_ERROR; | 756 goto failed; |
| 748 } | 757 } |
| 749 } | 758 } |
| 750 | 759 |
| 751 return NGX_OK; | 760 return; |
| 761 | |
| 762 failed: | |
| 763 | |
| 764 ngx_quic_close_connection(c, NGX_ERROR); | |
| 752 } | 765 } |
| 753 | 766 |
| 754 | 767 |
| 755 static ngx_int_t | 768 static ngx_int_t |
| 756 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res) | 769 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res) |