nginx: src/event/quic/ngx_event_quic_openssl

comparison src/event/quic/ngx_event_quic_openssl_compat.c @ 9172:4ccb0d973206

QUIC: reusing crypto contexts for packet protection.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Fri, 20 Oct 2023 18:05:07 +0400
parents	f98636db77ef
children	f7c9cd726298

comparison

equal deleted inserted replaced

-:f98636db77ef
+:4ccb0d973206
 ngx_str_t                     ctp;
 };
 static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line);
-static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
+static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
 ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
+static void ngx_quic_compat_cleanup_encryption_secret(void *data);
 static int ngx_quic_compat_add_transport_params_callback(SSL *ssl,
 unsigned int ext_type, unsigned int context, const unsigned char **out,
 size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg);
 static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl,
 unsigned int ext_type, unsigned int context, const unsigned char *in,
 } else {
 com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
 com->read_record = 0;
-(void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
+(void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level,
 cipher, secret, n);
 }
 }
 static ngx_int_t
-ngx_quic_compat_set_encryption_secret(ngx_log_t *log,
+ngx_quic_compat_set_encryption_secret(ngx_connection_t *c,
 ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level,
 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
 {
 ngx_int_t            key_len;
 ngx_str_t            secret_str;
 ngx_uint_t           i;
 ngx_quic_hkdf_t      seq[2];
 ngx_quic_secret_t   *peer_secret;
 ngx_quic_ciphers_t   ciphers;
+ngx_pool_cleanup_t  *cln;
 peer_secret = &keys->secret;
 keys->cipher = SSL_CIPHER_get_id(cipher);
 key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
 if (key_len == NGX_ERROR) {
-ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
+ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
 return NGX_ERROR;
 }
 if (sizeof(peer_secret->secret.data) < secret_len) {
-ngx_log_error(NGX_LOG_ALERT, log, 0,
+ngx_log_error(NGX_LOG_ALERT, c->log, 0,
 "unexpected secret len: %uz", secret_len);
 return NGX_ERROR;
 }
 peer_secret->secret.len = secret_len;
 ngx_quic_hkdf_set(&seq[0], "tls13 key", &peer_secret->key, &secret_str);
 ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str);
 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
+if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
 return NGX_ERROR;
 }
 }
+/* register cleanup handler once */
+if (peer_secret->ctx) {
+ngx_quic_crypto_cleanup(peer_secret);
+} else {
+cln = ngx_pool_cleanup_add(c->pool, 0);
+if (cln == NULL) {
+return NGX_ERROR;
+}
+cln->handler = ngx_quic_compat_cleanup_encryption_secret;
+cln->data = peer_secret;
+}
+if (ngx_quic_crypto_init(ciphers.c, peer_secret, 1, c->log) == NGX_ERROR) {
+return NGX_ERROR;
+}
 return NGX_OK;
+}
+static void
+ngx_quic_compat_cleanup_encryption_secret(void *data)
+{
+ngx_quic_secret_t *secret = data;
+ngx_quic_crypto_cleanup(secret);
 }
 static int
 ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type,
 secret = &rec->keys->secret;
 ngx_memcpy(nonce, secret->iv.data, secret->iv.len);
 ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number);
-if (ngx_quic_crypto_seal(ciphers.c, secret, &out,
+if (ngx_quic_crypto_seal(secret, &out, nonce, &rec->payload, &ad, rec->log)
-nonce, &rec->payload, &ad, rec->log)
 != NGX_OK)
 {
 return NGX_ERROR;
 }

Mercurial > hg > nginx

comparison src/event/quic/ngx_event_quic_openssl_compat.c @ 9172:4ccb0d973206