Mercurial > hg > nginx

diff src/event/quic/ngx_event_quic_ssl.c @ 9157:daf8f5ba23d8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level. As explained in BoringSSL change[1], levels were introduced in the original QUIC API to draw a line between when keys are released and when are active. In the new QUIC API they are released in separate calls when it's needed. BoringSSL has then a consideration to remove levels API, hence the change. If not available e.g. from a QUIC packet header, levels can be taken based on keys availability. The only real use of levels is to prevent using app keys before they are active in QuicTLS that provides the old BoringSSL QUIC API, it is replaced with an equivalent check of c->ssl->handshaked. This change also removes OpenSSL compat shims since they are no longer used. The only exception left is caching write level from the keylog callback in the internal field which is a handy equivalent of checking keys availability. [1] https://boringssl.googlesource.com/boringssl/+/1e859054
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 01 Sep 2023 20:31:46 +0400
parents 2880f60a80c3
children ff98ae7d261e
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -43,7 +43,8 @@ static int ngx_quic_add_handshake_data(n
 static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn);
 static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
     enum ssl_encryption_level_t level, uint8_t alert);
-static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data);
+static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+    enum ssl_encryption_level_t level);
 
 
 #if (NGX_QUIC_BORINGSSL_API)
@@ -354,7 +355,7 @@ ngx_quic_handle_crypto_frame(ngx_connect
     }
 
     if (f->offset == ctx->crypto.offset) {
-        if (ngx_quic_crypto_input(c, frame->data) != NGX_OK) {
+        if (ngx_quic_crypto_input(c, frame->data, pkt->level) != NGX_OK) {
             return NGX_ERROR;
         }
 
@@ -372,7 +373,7 @@ ngx_quic_handle_crypto_frame(ngx_connect
     cl = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);
 
     if (cl) {
-        if (ngx_quic_crypto_input(c, cl) != NGX_OK) {
+        if (ngx_quic_crypto_input(c, cl, pkt->level) != NGX_OK) {
             return NGX_ERROR;
         }
 
@@ -384,7 +385,8 @@ ngx_quic_handle_crypto_frame(ngx_connect
 
 
 static ngx_int_t
-ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
+ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+    enum ssl_encryption_level_t level)
 {
     int                     n, sslerr;
     ngx_buf_t              *b;
@@ -397,17 +399,10 @@ ngx_quic_crypto_input(ngx_connection_t *
 
     ssl_conn = c->ssl->connection;
 
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
-                   (int) SSL_quic_read_level(ssl_conn),
-                   (int) SSL_quic_write_level(ssl_conn));
-
     for (cl = data; cl; cl = cl->next) {
         b = cl->buf;
 
-        if (!SSL_provide_quic_data(ssl_conn, SSL_quic_read_level(ssl_conn),
-                                   b->pos, b->last - b->pos))
-        {
+        if (!SSL_provide_quic_data(ssl_conn, level, b->pos, b->last - b->pos)) {
             ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
                           "SSL_provide_quic_data() failed");
             return NGX_ERROR;
@@ -416,11 +411,6 @@ ngx_quic_crypto_input(ngx_connection_t *
 
     n = SSL_do_handshake(ssl_conn);
 
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
-                   (int) SSL_quic_read_level(ssl_conn),
-                   (int) SSL_quic_write_level(ssl_conn));
-
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 
     if (n <= 0) {