Welcome! Log In Create A New Profile

Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL

Forum List Message List New Topic Print View

Sergey Kandaurov

October 17, 2022 10:28AM

> On 17 Oct 2022, at 17:31, Roman Arutyunyan <arut@nginx.com> wrote:
>
> Hi,
>
> On Tue, Oct 11, 2022 at 02:35:52PM +0400, Sergey Kandaurov wrote:
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet@nginx.com>
>> # Date 1665484414 -14400
>> # Tue Oct 11 14:33:34 2022 +0400
>> # Branch quic
>> # Node ID c0165ddcb1c6981f8e5230081f03a277f62d20c3
>> # Parent caced81ce0a9cb218ae8cdd6176c12e0614acee9
>> QUIC: support for setting QUIC methods with LibreSSL.
>>
>> Setting QUIC methods is converted to use C99 designated initializers
>> for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.
>>
>> Additionally, it's stick with set_read_secret/set_write_secret callbacks.
>> LibreSSL prefers set_encryption_secrets over them but has unexpectedly
>> incompatible behaviour expressed in passing read and write secrets split
>> in separate calls, unlike this is documented in old BoringSSL sources.
>
> Why do you think it prefres set_encryption_secrets()? The source code
> references it as "old", see this comment from tls13_quic_set_read_traffic_key():
>
> /* Handle both the new (BoringSSL) and old (quictls) APIs. */
>

Tnx, looks like a false memory from before applying the patch.
Anyway, it's still worth to leave only the new API.

This updates the last paragraph of the change description:

: Additionally, only set_read_secret/set_write_secret callbacks are set.
: Although they are preferred in LibreSSL over set_encryption_secrets,
: better be on a safe side as LibreSSL has unexpectedly incompatible
: set_encryption_secrets calling convention expressed in passing read
: and write secrets split in separate calls, unlike this is documented
: in old BoringSSL sources. To avoid introducing further changes for
: the old API, it is simply disabled.

>>
>> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
>> --- a/src/event/quic/ngx_event_quic_ssl.c
>> +++ b/src/event/quic/ngx_event_quic_ssl.c
>> @@ -18,7 +18,7 @@
>> #define NGX_QUIC_MAX_BUFFERED 65535
>>
>>
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>> enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
>> const uint8_t *secret, size_t secret_len);
>> @@ -40,19 +40,19 @@ static ngx_int_t ngx_quic_crypto_input(n
>>
>>
>> static SSL_QUIC_METHOD quic_method = {
>> -#if BORINGSSL_API_VERSION >= 10
>> - ngx_quic_set_read_secret,
>> - ngx_quic_set_write_secret,
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> + .set_read_secret = ngx_quic_set_read_secret,
>> + .set_write_secret = ngx_quic_set_write_secret,
>> #else
>> - ngx_quic_set_encryption_secrets,
>> + .set_encryption_secrets = ngx_quic_set_encryption_secrets,
>> #endif
>> - ngx_quic_add_handshake_data,
>> - ngx_quic_flush_flight,
>> - ngx_quic_send_alert,
>> + .add_handshake_data = ngx_quic_add_handshake_data,
>> + .flush_flight = ngx_quic_flush_flight,
>> + .send_alert = ngx_quic_send_alert,
>> };
>>
>>
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>>
>> static int
>> ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>>

--
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 0 of 4] quic libressl support	Sergey Kandaurov	737	October 06, 2022 06:54PM
[PATCH 4 of 4] QUIC: removed compatibility with older BoringSSL API	Sergey Kandaurov	159	October 06, 2022 06:54PM
[PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Sergey Kandaurov	134	October 06, 2022 06:54PM
[PATCH 1 of 4] QUIC: using native TLSv1.3 cipher suite constants	Sergey Kandaurov	163	October 06, 2022 06:54PM
[PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL	Sergey Kandaurov	175	October 06, 2022 06:54PM
[PATCH 0 of 4] quic libressl support #2	Sergey Kandaurov	147	October 11, 2022 06:44AM
[PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL	Sergey Kandaurov	122	October 11, 2022 06:44AM
Re: [PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL	Roman Arutyunyan	107	October 17, 2022 07:10AM
Re: [PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL	Sergey Kandaurov	107	October 17, 2022 10:06AM
Re: [PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL	Roman Arutyunyan	137	October 18, 2022 07:48AM
[PATCH 1 of 4] QUIC: using native TLSv1.3 cipher suite constants	Sergey Kandaurov	125	October 11, 2022 06:44AM
[PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Sergey Kandaurov	134	October 11, 2022 06:44AM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Roman Arutyunyan	143	October 17, 2022 09:32AM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Sergey Kandaurov	145	October 17, 2022 10:28AM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Maxim Dounin	120	October 20, 2022 08:12PM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Sergey Kandaurov	111	November 15, 2022 07:30AM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Maxim Dounin	104	November 17, 2022 11:00PM
Re: [PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL	Sergey Kandaurov	117	November 21, 2022 06:28AM
[PATCH 4 of 4] QUIC: removed compatibility with older BoringSSL API	Sergey Kandaurov	202	October 11, 2022 06:44AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

itpp2012

Guests: 320

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018