diff src/event/ngx_event_quic_protection.h @ 8621:9c3be23ddbe7 quic

QUIC: refactored key handling. All key handling functionality is moved into ngx_quic_protection.c. Public structures from ngx_quic_protection.h are now private, and new methods are available to manipulate keys. The negotiated cipher is cached in the QUIC connection from the set secret callback to avoid calling SSL_get_current_cipher() on each encrypt/decrypt operation. This also reduces the number of unwanted c->ssl->connection occurrences.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 02 Nov 2020 18:21:34 +0300
parents b31c02454539
children
--- a/src/event/ngx_event_quic_protection.h
+++ b/src/event/ngx_event_quic_protection.h
@@ -15,37 +15,24 @@
 #define NGX_QUIC_ENCRYPTION_LAST  ((ssl_encryption_application) + 1)
 
 
-typedef struct ngx_quic_secret_s {
-    ngx_str_t                 secret;
-    ngx_str_t                 key;
-    ngx_str_t                 iv;
-    ngx_str_t                 hp;
-} ngx_quic_secret_t;
-
+ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool);
+ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool,
+    ngx_quic_keys_t *keys, ngx_str_t *secret);
+int ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write,
+    ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
+    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
+ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
+     enum ssl_encryption_level_t level);
+void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
+     enum ssl_encryption_level_t level);
+void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
+ngx_int_t ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys);
 
-typedef struct {
-    ngx_quic_secret_t         client;
-    ngx_quic_secret_t         server;
-} ngx_quic_secrets_t;
-
-
-ngx_int_t ngx_quic_set_initial_secret(ngx_pool_t *pool,
-    ngx_quic_secret_t *client, ngx_quic_secret_t *server,
-    ngx_str_t *secret);
-
-int ngx_quic_set_encryption_secret(ngx_pool_t *pool, ngx_ssl_conn_t *ssl_conn,
-    enum ssl_encryption_level_t level, const uint8_t *secret, size_t secret_len,
-    ngx_quic_secret_t *peer_secret);
-
-ngx_int_t ngx_quic_key_update(ngx_connection_t *c,
-    ngx_quic_secrets_t *current, ngx_quic_secrets_t *next);
 ngx_int_t ngx_quic_new_sr_token(ngx_connection_t *c, ngx_str_t *cid,
     ngx_str_t *key, u_char *token);
 
-ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
-     ngx_str_t *res);
-ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, ngx_ssl_conn_t *ssl_conn,
-     uint64_t *largest_pn);
+ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
+ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);
 
 
 #endif /* _NGX_EVENT_QUIC_PROTECTION_H_INCLUDED_ */
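Review bot: The continuation lines of ngx_quic_keys_available and ngx_quic_keys_discard are indented five spaces, while the neighbouring prototypes (ngx_quic_keys_set_initial_secret, ngx_quic_keys_set_encryption_secret) use the usual four; `    enum ssl_encryption_level_t level);` would make the new group consistent. Since the key structures are now private to ngx_quic_protection.c, this header is the only place a caller sees the contract, and none of the new key functions carries a comment; I would add one above ngx_quic_keys_set_encryption_secret stating that the secret bytes are consumed during the call and not retained by reference, and one above ngx_quic_keys_discard saying whether discarded key material is cleared from memory, if that is what the implementation does (I cannot confirm either from this hunk). The ngx_quic_keys_t typedef is not declared in this file; presumably it comes from a header included earlier, which is outside the hunk.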