comparison src/event/quic/ngx_event_quic_openssl_compat.c @ 9157:daf8f5ba23d8
QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level.
As explained in BoringSSL change[1], levels were introduced in the original
QUIC API to draw a line between when keys are released and when they become active.
In the new QUIC API they are released in separate calls, when it's needed.
BoringSSL is therefore considering removing the levels API, hence this change.
If not available e.g. from a QUIC packet header, levels can be taken based on
keys availability. The only real use of levels is to prevent using app keys
before they are active in QuicTLS that provides the old BoringSSL QUIC API,
it is replaced with an equivalent check of c->ssl->handshaked.
This change also removes OpenSSL compat shims since they are no longer used.
The only exception left is caching write level from the keylog callback in
the internal field which is a handy equivalent of checking keys availability.
[1] https://boringssl.googlesource.com/boringssl/+/1e859054
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 01 Sep 2023 20:31:46 +0400 |
parents | 29a6c0e11f75 |
children | 3db945fda515 |
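--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -42,11 +42,10 @@
 
 struct ngx_quic_compat_s {
     const SSL_QUIC_METHOD        *method;
 
     enum ssl_encryption_level_t   write_level;
-    enum ssl_encryption_level_t   read_level;
 
     uint64_t                      read_record;
     ngx_quic_compat_keys_t        keys;
 
     ngx_str_t                     tp;
@@ -211,11 +210,10 @@
         com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n);
         com->write_level = level;
 
     } else {
         com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
-        com->read_level = level;
         com->read_record = 0;
 
         (void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
                                                      cipher, secret, n);
     }
@@ -581,36 +579,10 @@
 
     return NGX_OK;
 }
 
 
-enum ssl_encryption_level_t
-SSL_quic_read_level(const SSL *ssl)
-{
-    ngx_connection_t       *c;
-    ngx_quic_connection_t  *qc;
-
-    c = ngx_ssl_get_connection(ssl);
-    qc = ngx_quic_get_connection(c);
-
-    return qc->compat->read_level;
-}
-
-
-enum ssl_encryption_level_t
-SSL_quic_write_level(const SSL *ssl)
-{
-    ngx_connection_t       *c;
-    ngx_quic_connection_t  *qc;
-
-    c = ngx_ssl_get_connection(ssl);
-    qc = ngx_quic_get_connection(c);
-
-    return qc->compat->write_level;
-}
-
-
 int
 SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
     size_t params_len)
 {
     ngx_connection_t       *c;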
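Review bot: The surviving `write_level` member of ngx_quic_compat_s (new line 46) is now the only level cache left, and its purpose — per the commit message, a stand-in for "a write secret has been installed at this level", populated only from the keylog callback — is not visible from the struct itself, so a reader may still take it for a mirror of the removed SSL_quic_write_level() shim. I would document it in place with `/* last level for which a write secret was installed; set only from the keylog callback, used as a key-availability check */` above the field. In the keylog callback's read branch (new lines 214-215) the `com->read_record = 0;` reset now stands without the accompanying read-level store; it is unchanged in meaning, but it is worth confirming that no remaining caller still expects a read level to be tracked alongside that counter, since with the old API gone that guard rests entirely on c->ssl->handshaked as the message states. The callback whose branch is shown starts and ends outside the hunk.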