Welcome! Log In Create A New Profile

Advanced

Re: [PATCH 1 of 8] QUIC: split keys availability checks to read and write sides

Roman Arutyunyan
September 21, 2023 09:30AM
Hi,

On Thu, Sep 07, 2023 at 07:13:53PM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1693497250 -14400
> # Thu Aug 31 19:54:10 2023 +0400
> # Node ID be1862a28fd8575a88475215ccfce995e392dfab
> # Parent daf8f5ba23d8e9955b22782d945f9c065f4b6baa
> QUIC: split keys availability checks to read and write sides.
>
> Keys may be released by TLS stack in different time, so it makes sense
> to check this independently as well. This allows to fine-tune what key
> direction is used when checking keys availability.
>
> When discarding, server keys are now marked in addition to client keys.
>
> diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c
> +++ b/src/event/quic/ngx_event_quic.c
> @@ -524,7 +524,7 @@ ngx_quic_close_connection(ngx_connection
> for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
> ctx = &qc->send_ctx[i];
>
> - if (!ngx_quic_keys_available(qc->keys, ctx->level)) {
> + if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
> continue;
> }
>
> @@ -953,7 +953,7 @@ ngx_quic_handle_payload(ngx_connection_t
>
> c->log->action = "decrypting packet";
>
> - if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
> + if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
> ngx_log_error(NGX_LOG_INFO, c->log, 0,
> "quic no %s keys, ignoring packet",
> ngx_quic_level_name(pkt->level));
> @@ -1076,7 +1076,9 @@ ngx_quic_discard_ctx(ngx_connection_t *c
>
> qc = ngx_quic_get_connection(c);
>
> - if (!ngx_quic_keys_available(qc->keys, level)) {
> + if (!ngx_quic_keys_available(qc->keys, level, 0)
> + && !ngx_quic_keys_available(qc->keys, level, 1))
> + {
> return;
> }
>
> diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
> --- a/src/event/quic/ngx_event_quic_protection.c
> +++ b/src/event/quic/ngx_event_quic_protection.c
> @@ -672,9 +672,13 @@ ngx_quic_keys_set_encryption_secret(ngx_
>
> ngx_uint_t
> ngx_quic_keys_available(ngx_quic_keys_t *keys,
> - enum ssl_encryption_level_t level)
> + enum ssl_encryption_level_t level, ngx_uint_t is_write)
> {
> - return keys->secrets[level].client.key.len != 0;
> + if (is_write == 0) {
> + return keys->secrets[level].client.key.len != 0;
> + }
> +
> + return keys->secrets[level].server.key.len != 0;
> }
>
>
> @@ -683,6 +687,7 @@ ngx_quic_keys_discard(ngx_quic_keys_t *k
> enum ssl_encryption_level_t level)
> {
> keys->secrets[level].client.key.len = 0;
> + keys->secrets[level].server.key.len = 0;
> }
>
>
> diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
> --- a/src/event/quic/ngx_event_quic_protection.h
> +++ b/src/event/quic/ngx_event_quic_protection.h
> @@ -95,7 +95,7 @@ ngx_int_t ngx_quic_keys_set_encryption_s
> enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
> const uint8_t *secret, size_t secret_len);
> ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
> - enum ssl_encryption_level_t level);
> + enum ssl_encryption_level_t level, ngx_uint_t is_write);
> void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
> enum ssl_encryption_level_t level);
> void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -434,7 +434,7 @@ ngx_quic_crypto_input(ngx_connection_t *
> }
>
> if (n <= 0 || SSL_in_init(ssl_conn)) {
> - if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data)
> + if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
> && qc->client_tp_done)
> {
> if (ngx_quic_init_streams(c) != NGX_OK) {
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel

Looks ok
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 0 of 8] [quic] reusing crypto contexts, and more

Sergey Kandaurov 580 September 07, 2023 11:18AM

[PATCH 1 of 8] QUIC: split keys availability checks to read and write sides

Sergey Kandaurov 128 September 07, 2023 11:18AM

Re: [PATCH 1 of 8] QUIC: split keys availability checks to read and write sides

Roman Arutyunyan 123 September 21, 2023 09:30AM

[PATCH 2 of 8] QUIC: added check to prevent packet output with discarded keys

Sergey Kandaurov 128 September 07, 2023 11:18AM

Re: [PATCH 2 of 8] QUIC: added check to prevent packet output with discarded keys

Roman Arutyunyan 130 September 18, 2023 03:10AM

Re: [PATCH 2 of 8] QUIC: added check to prevent packet output with discarded keys

Sergey Kandaurov 153 October 13, 2023 11:10AM

[PATCH 3 of 8] QUIC: prevented output of ACK frame when discarding handshake keys

Sergey Kandaurov 123 September 07, 2023 11:18AM

[PATCH 4 of 8] QUIC: renamed protection functions

Sergey Kandaurov 126 September 07, 2023 11:18AM

Re: [PATCH 4 of 8] QUIC: renamed protection functions

Roman Arutyunyan 140 September 21, 2023 09:32AM

[PATCH 5 of 8] QUIC: reusing crypto contexts for packet protection

Sergey Kandaurov 127 September 07, 2023 11:18AM

Re: [PATCH 5 of 8] QUIC: reusing crypto contexts for packet protection

Roman Arutyunyan 169 September 19, 2023 09:54AM

Re: [PATCH 5 of 8] QUIC: reusing crypto contexts for packet protection

Sergey Kandaurov 140 October 13, 2023 11:14AM

Re: [PATCH 5 of 8] QUIC: reusing crypto contexts for packet protection

Sergey Kandaurov 130 October 17, 2023 06:40AM

Re: [PATCH 5 of 8] QUIC: reusing crypto contexts for packet protection

Sergey Kandaurov 164 October 23, 2023 06:38PM

[PATCH 6 of 8] QUIC: reusing crypto contexts for header protection

Sergey Kandaurov 114 September 07, 2023 11:18AM

Re: [PATCH 6 of 8] QUIC: reusing crypto contexts for header protection

Roman Arutyunyan 136 September 20, 2023 08:14AM

Re: [PATCH 6 of 8] QUIC: reusing crypto contexts for header protection

Sergey Kandaurov 121 October 13, 2023 11:14AM

[PATCH 7 of 8] QUIC: cleaned up now unused ngx_quic_ciphers() calls

Sergey Kandaurov 123 September 07, 2023 11:18AM

Re: [PATCH 7 of 8] QUIC: cleaned up now unused ngx_quic_ciphers() calls

Roman Arutyunyan 138 September 20, 2023 08:28AM

Re: [PATCH 7 of 8] QUIC: cleaned up now unused ngx_quic_ciphers() calls

Sergey Kandaurov 132 October 13, 2023 11:16AM

[PATCH 8 of 8] QUIC: explicitly zero out unused keying material

Sergey Kandaurov 121 September 07, 2023 11:18AM

Re: [PATCH 8 of 8] QUIC: explicitly zero out unused keying material

Roman Arutyunyan 120 September 21, 2023 09:30AM

Re: [PATCH 8 of 8] QUIC: explicitly zero out unused keying material

Sergey Kandaurov 123 October 13, 2023 11:16AM

[PATCH 00 of 11] [quic] reusing crypto contexts, and more #2

Sergey Kandaurov 122 October 18, 2023 11:28AM

[PATCH 01 of 11] QUIC: split keys availability checks to read and write sides

Sergey Kandaurov 121 October 18, 2023 11:28AM

[PATCH 02 of 11] QUIC: added safety belt to prevent using discarded keys

Sergey Kandaurov 136 October 18, 2023 11:28AM

[PATCH 03 of 11] QUIC: prevented generating ACK frames with discarded keys

Sergey Kandaurov 130 October 18, 2023 11:28AM

[PATCH 04 of 11] QUIC: renamed protection functions

Sergey Kandaurov 137 October 18, 2023 11:28AM

[PATCH 05 of 11] QUIC: reusing crypto contexts for packet protection

Sergey Kandaurov 125 October 18, 2023 11:28AM

[PATCH 06 of 11] QUIC: common code for crypto open and seal operations

Sergey Kandaurov 123 October 18, 2023 11:28AM

[PATCH 07 of 11] QUIC: reusing crypto contexts for header protection

Sergey Kandaurov 127 October 18, 2023 11:30AM

[PATCH 08 of 11] QUIC: cleaned up now unused ngx_quic_ciphers() calls

Sergey Kandaurov 123 October 18, 2023 11:30AM

[PATCH 09 of 11] QUIC: simplified ngx_quic_ciphers() API

Sergey Kandaurov 112 October 18, 2023 11:30AM

[PATCH 10 of 11] QUIC: removed key field from ngx_quic_secret_t

Sergey Kandaurov 121 October 18, 2023 11:30AM

[PATCH 11 of 11] QUIC: explicitly zero out unused keying material

Sergey Kandaurov 126 October 18, 2023 11:38AM

Re: [PATCH 00 of 11] [quic] reusing crypto contexts, and more #2

Roman Arutyunyan 134 October 20, 2023 03:28AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 73
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready