Hi,

On Thu, Sep 07, 2023 at 07:13:53PM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1693497250 -14400
> # Thu Aug 31 19:54:10 2023 +0400
> # Node ID be1862a28fd8575a88475215ccfce995e392dfab
> # Parent daf8f5ba23d8e9955b22782d945f9c065f4b6baa
> QUIC: split keys availability checks to read and write sides.
>
> Keys may be released by TLS stack in different time, so it makes sense
> to check this independently as well. This allows to fine-tune what key
> direction is used when checking keys availability.
>
> When discarding, server keys are now marked in addition to client keys.
>
> diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c
> +++ b/src/event/quic/ngx_event_quic.c
> @@ -524,7 +524,7 @@ ngx_quic_close_connection(ngx_connection
> for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
> ctx = &qc->send_ctx[i];
>
> - if (!ngx_quic_keys_available(qc->keys, ctx->level)) {
> + if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
> continue;
> }
>
> @@ -953,7 +953,7 @@ ngx_quic_handle_payload(ngx_connection_t
>
> c->log->action = "decrypting packet";
>
> - if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
> + if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
> ngx_log_error(NGX_LOG_INFO, c->log, 0,
> "quic no %s keys, ignoring packet",
> ngx_quic_level_name(pkt->level));
> @@ -1076,7 +1076,9 @@ ngx_quic_discard_ctx(ngx_connection_t *c
>
> qc = ngx_quic_get_connection(c);
>
> - if (!ngx_quic_keys_available(qc->keys, level)) {
> + if (!ngx_quic_keys_available(qc->keys, level, 0)
> + && !ngx_quic_keys_available(qc->keys, level, 1))
> + {
> return;
> }
>
> diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
> --- a/src/event/quic/ngx_event_quic_protection.c
> +++ b/src/event/quic/ngx_event_quic_protection.c
> @@ -672,9 +672,13 @@ ngx_quic_keys_set_encryption_secret(ngx_
>
> ngx_uint_t
> ngx_quic_keys_available(ngx_quic_keys_t *keys,
> - enum ssl_encryption_level_t level)
> + enum ssl_encryption_level_t level, ngx_uint_t is_write)
> {
> - return keys->secrets[level].client.key.len != 0;
> + if (is_write == 0) {
> + return keys->secrets[level].client.key.len != 0;
> + }
> +
> + return keys->secrets[level].server.key.len != 0;
> }
>
>
> @@ -683,6 +687,7 @@ ngx_quic_keys_discard(ngx_quic_keys_t *k
> enum ssl_encryption_level_t level)
> {
> keys->secrets[level].client.key.len = 0;
> + keys->secrets[level].server.key.len = 0;
> }
>
>
> diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
> --- a/src/event/quic/ngx_event_quic_protection.h
> +++ b/src/event/quic/ngx_event_quic_protection.h
> @@ -95,7 +95,7 @@ ngx_int_t ngx_quic_keys_set_encryption_s
> enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
> const uint8_t *secret, size_t secret_len);
> ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
> - enum ssl_encryption_level_t level);
> + enum ssl_encryption_level_t level, ngx_uint_t is_write);
> void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
> enum ssl_encryption_level_t level);
> void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -434,7 +434,7 @@ ngx_quic_crypto_input(ngx_connection_t *
> }
>
> if (n <= 0 || SSL_in_init(ssl_conn)) {
> - if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data)
> + if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
> && qc->client_tp_done)
> {
> if (ngx_quic_init_streams(c) != NGX_OK) {
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel

Looks ok
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel