> On 7 Sep 2023, at 19:13, Sergey Kandaurov <pluknet@nginx.com> wrote:
>
> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1694099425 -14400
> # Thu Sep 07 19:10:25 2023 +0400
> # Node ID 8bd0104b7e6b658a1696fe7f3e2f1868ac2ae1f9
> # Parent cdc5b59309dbdc234c71e53fca142502884e6177
> QUIC: cleaned up now unused ngx_quic_ciphers() calls.
> [..]
Additionally, as per the discussion with Roman,
below is the patch to simplify ngx_quic_ciphers() API.
# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1697208935 -14400
# Fri Oct 13 18:55:35 2023 +0400
# Node ID eb5d6ed379d112a7360991be298852f978ebdb01
# Parent 6b078bc722fffcf69437f8716c2cd610706cc776
QUIC: simplified ngx_quic_ciphers() API.
After conversion to reusable crypto ctx, now there's enough caller
context to remove the "level" argument from ngx_quic_ciphers().
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c b/src/event/quic/ngx_event_quic_openssl_compat.c
--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -239,7 +239,7 @@ ngx_quic_compat_set_encryption_secret(ng
keys->cipher = SSL_CIPHER_get_id(cipher);
- key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+ key_len = ngx_quic_ciphers(keys->cipher, &ciphers);
if (key_len == NGX_ERROR) {
ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -15,6 +15,8 @@
#define NGX_QUIC_AES_128_KEY_LEN 16
+#define NGX_QUIC_INITIAL_CIPHER TLS1_3_CK_AES_128_GCM_SHA256
+
static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
const EVP_MD *digest, const u_char *prk, size_t prk_len,
@@ -46,15 +48,10 @@ static ngx_int_t ngx_quic_create_retry_p
ngx_int_t
-ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
- enum ssl_encryption_level_t level)
+ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
{
ngx_int_t len;
- if (level == ssl_encryption_initial) {
- id = TLS1_3_CK_AES_128_GCM_SHA256;
- }
-
switch (id) {
case TLS1_3_CK_AES_128_GCM_SHA256:
@@ -188,7 +185,7 @@ ngx_quic_keys_set_initial_secret(ngx_qui
}
}
- if (ngx_quic_ciphers(0, &ciphers, ssl_encryption_initial) == NGX_ERROR) {
+ if (ngx_quic_ciphers(NGX_QUIC_INITIAL_CIPHER, &ciphers) == NGX_ERROR) {
return NGX_ERROR;
}
@@ -664,7 +661,7 @@ ngx_quic_keys_set_encryption_secret(ngx_
keys->cipher = SSL_CIPHER_get_id(cipher);
- key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+ key_len = ngx_quic_ciphers(keys->cipher, &ciphers);
if (key_len == NGX_ERROR) {
ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
@@ -780,9 +777,7 @@ ngx_quic_keys_update(ngx_event_t *ev)
c->log->action = "updating keys";
- if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application)
- == NGX_ERROR)
- {
+ if (ngx_quic_ciphers(keys->cipher, &ciphers) == NGX_ERROR) {
goto failed;
}
@@ -936,7 +931,7 @@ ngx_quic_create_retry_packet(ngx_quic_he
goto seal;
}
- if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) {
+ if (ngx_quic_ciphers(NGX_QUIC_INITIAL_CIPHER, &ciphers) == NGX_ERROR) {
return NGX_ERROR;
}
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -108,8 +108,7 @@ void ngx_quic_keys_cleanup(ngx_quic_keys
ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);
void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
-ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
- enum ssl_encryption_level_t level);
+ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers);
ngx_int_t ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher,
ngx_quic_secret_t *s, ngx_int_t enc, ngx_log_t *log);
ngx_int_t ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out,
--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel