Welcome! Log In Create A New Profile

Advanced

[PATCH] QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level

Sergey Kandaurov
August 31, 2023 05:52AM
# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1693475261 -14400
# Thu Aug 31 13:47:41 2023 +0400
# Node ID 015353ca1be7acc176f6369ed92ec6c49975ee6a
# Parent 8f7e6d8c061e1f4b7656141d2fac85ce6846ac23
QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level.

As explained in BoringSSL change[1], levels were introduced in the original
QUIC API to draw a line between when keys are released and when are active.
In the new QUIC API they are released in separate calls when it's needed.
BoringSSL has then a consideration to remove levels API, hence the change.

In most places such as feeding SSL handshake with CRYPTO payload, we already
have such information from a QUIC packet header. If not, it is taken based
on keys availability. The only real use of levels is to prevent using app
keys before they are active in QuicTLS that provides old BoringSSL QUIC API,
it is replaced with an equivalent check of c->ssl->handshaked.

This change also removes OpenSSL compat shims since they are no longer used.
The only exception left is keeping write level in the internal field which
is a handy equivalent of checking keys availability.

[1] https://boringssl.googlesource.com/boringssl/+/1e859054

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -509,8 +509,17 @@ ngx_quic_close_connection(ngx_connection
* to terminate the connection immediately.
*/

- qc->error_level = c->ssl ? SSL_quic_read_level(c->ssl->connection)
- : ssl_encryption_initial;
+ if (ngx_quic_keys_available(qc->keys, ssl_encryption_application)) {
+ qc->error_level = ssl_encryption_application;
+
+ } else if (ngx_quic_keys_available(qc->keys,
+ ssl_encryption_handshake))
+ {
+ qc->error_level = ssl_encryption_handshake;
+
+ } else {
+ qc->error_level = ssl_encryption_initial;
+ }

if (qc->error == (ngx_uint_t) -1) {
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
@@ -964,10 +973,7 @@ ngx_quic_handle_payload(ngx_connection_t
#if !defined (OPENSSL_IS_BORINGSSL)
/* OpenSSL provides read keys for an application level before it's ready */

- if (pkt->level == ssl_encryption_application
- && SSL_quic_read_level(c->ssl->connection)
- < ssl_encryption_application)
- {
+ if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic no %s keys ready, ignoring packet",
ngx_quic_level_name(pkt->level));
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c b/src/event/quic/ngx_event_quic_openssl_compat.c
--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -44,7 +44,6 @@ struct ngx_quic_compat_s {
const SSL_QUIC_METHOD *method;

enum ssl_encryption_level_t write_level;
- enum ssl_encryption_level_t read_level;

uint64_t read_record;
ngx_quic_compat_keys_t keys;
@@ -213,7 +212,6 @@ ngx_quic_compat_keylog_callback(const SS

} else {
com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
- com->read_level = level;
com->read_record = 0;

(void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
@@ -583,32 +581,6 @@ ngx_quic_compat_create_record(ngx_quic_c
}


-enum ssl_encryption_level_t
-SSL_quic_read_level(const SSL *ssl)
-{
- ngx_connection_t *c;
- ngx_quic_connection_t *qc;
-
- c = ngx_ssl_get_connection(ssl);
- qc = ngx_quic_get_connection(c);
-
- return qc->compat->read_level;
-}
-
-
-enum ssl_encryption_level_t
-SSL_quic_write_level(const SSL *ssl)
-{
- ngx_connection_t *c;
- ngx_quic_connection_t *qc;
-
- c = ngx_ssl_get_connection(ssl);
- qc = ngx_quic_get_connection(c);
-
- return qc->compat->write_level;
-}
-
-
int
SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
size_t params_len)
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.h b/src/event/quic/ngx_event_quic_openssl_compat.h
--- a/src/event/quic/ngx_event_quic_openssl_compat.h
+++ b/src/event/quic/ngx_event_quic_openssl_compat.h
@@ -48,8 +48,6 @@ ngx_int_t ngx_quic_compat_init(ngx_conf_
int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
const uint8_t *data, size_t len);
-enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
-enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
size_t params_len);
void SSL_get_peer_quic_transport_params(const SSL *ssl,
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -43,7 +43,8 @@ static int ngx_quic_add_handshake_data(n
static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn);
static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
enum ssl_encryption_level_t level, uint8_t alert);
-static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data);
+static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+ enum ssl_encryption_level_t level);


#if (NGX_QUIC_BORINGSSL_API)
@@ -354,7 +355,7 @@ ngx_quic_handle_crypto_frame(ngx_connect
}

if (f->offset == ctx->crypto.offset) {
- if (ngx_quic_crypto_input(c, frame->data) != NGX_OK) {
+ if (ngx_quic_crypto_input(c, frame->data, pkt->level) != NGX_OK) {
return NGX_ERROR;
}

@@ -372,7 +373,7 @@ ngx_quic_handle_crypto_frame(ngx_connect
cl = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);

if (cl) {
- if (ngx_quic_crypto_input(c, cl) != NGX_OK) {
+ if (ngx_quic_crypto_input(c, cl, pkt->level) != NGX_OK) {
return NGX_ERROR;
}

@@ -384,7 +385,8 @@ ngx_quic_handle_crypto_frame(ngx_connect


static ngx_int_t
-ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
+ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+ enum ssl_encryption_level_t level)
{
int n, sslerr;
ngx_buf_t *b;
@@ -397,15 +399,10 @@ ngx_quic_crypto_input(ngx_connection_t *

ssl_conn = c->ssl->connection;

- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
- (int) SSL_quic_read_level(ssl_conn),
- (int) SSL_quic_write_level(ssl_conn));
-
for (cl = data; cl; cl = cl->next) {
b = cl->buf;

- if (!SSL_provide_quic_data(ssl_conn, SSL_quic_read_level(ssl_conn),
+ if (!SSL_provide_quic_data(ssl_conn, level,
b->pos, b->last - b->pos))
{
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
@@ -416,11 +413,6 @@ ngx_quic_crypto_input(ngx_connection_t *

n = SSL_do_handshake(ssl_conn);

- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
- (int) SSL_quic_read_level(ssl_conn),
- (int) SSL_quic_write_level(ssl_conn));
-
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);

if (n <= 0) {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level

Sergey Kandaurov 208 August 31, 2023 05:52AM

Re: [PATCH] QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level

Roman Arutyunyan 47 September 01, 2023 05:54AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 162
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready