Welcome! Log In Create A New Profile

Advanced

[nginx] QUIC: split keys availability checks to read and write sides.

Sergey Kandaurov
October 20, 2023 10:44AM
details: https://hg.nginx.org/nginx/rev/ff98ae7d261e
branches:
changeset: 9168:ff98ae7d261e
user: Sergey Kandaurov <pluknet@nginx.com>
date: Thu Aug 31 19:54:10 2023 +0400
description:
QUIC: split keys availability checks to read and write sides.

Keys may be released by TLS stack in different times, so it makes sense
to check this independently as well. This allows to fine-tune what key
direction is used when checking keys availability.

When discarding, server keys are now marked in addition to client keys.

diffstat:

src/event/quic/ngx_event_quic.c | 8 +++++---
src/event/quic/ngx_event_quic_protection.c | 9 +++++++--
src/event/quic/ngx_event_quic_protection.h | 2 +-
src/event/quic/ngx_event_quic_ssl.c | 2 +-
4 files changed, 14 insertions(+), 7 deletions(-)

diffs (83 lines):

diff -r 3038bd4d7816 -r ff98ae7d261e src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c Wed Oct 18 04:30:11 2023 +0300
+++ b/src/event/quic/ngx_event_quic.c Thu Aug 31 19:54:10 2023 +0400
@@ -530,7 +530,7 @@ ngx_quic_close_connection(ngx_connection
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
ctx = &qc->send_ctx[i];

- if (!ngx_quic_keys_available(qc->keys, ctx->level)) {
+ if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
continue;
}

@@ -959,7 +959,7 @@ ngx_quic_handle_payload(ngx_connection_t

c->log->action = "decrypting packet";

- if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
+ if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic no %s keys, ignoring packet",
ngx_quic_level_name(pkt->level));
@@ -1082,7 +1082,9 @@ ngx_quic_discard_ctx(ngx_connection_t *c

qc = ngx_quic_get_connection(c);

- if (!ngx_quic_keys_available(qc->keys, level)) {
+ if (!ngx_quic_keys_available(qc->keys, level, 0)
+ && !ngx_quic_keys_available(qc->keys, level, 1))
+ {
return;
}

diff -r 3038bd4d7816 -r ff98ae7d261e src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c Wed Oct 18 04:30:11 2023 +0300
+++ b/src/event/quic/ngx_event_quic_protection.c Thu Aug 31 19:54:10 2023 +0400
@@ -672,9 +672,13 @@ ngx_quic_keys_set_encryption_secret(ngx_

ngx_uint_t
ngx_quic_keys_available(ngx_quic_keys_t *keys,
- enum ssl_encryption_level_t level)
+ enum ssl_encryption_level_t level, ngx_uint_t is_write)
{
- return keys->secrets[level].client.key.len != 0;
+ if (is_write == 0) {
+ return keys->secrets[level].client.key.len != 0;
+ }
+
+ return keys->secrets[level].server.key.len != 0;
}


@@ -683,6 +687,7 @@ ngx_quic_keys_discard(ngx_quic_keys_t *k
enum ssl_encryption_level_t level)
{
keys->secrets[level].client.key.len = 0;
+ keys->secrets[level].server.key.len = 0;
}


diff -r 3038bd4d7816 -r ff98ae7d261e src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h Wed Oct 18 04:30:11 2023 +0300
+++ b/src/event/quic/ngx_event_quic_protection.h Thu Aug 31 19:54:10 2023 +0400
@@ -95,7 +95,7 @@ ngx_int_t ngx_quic_keys_set_encryption_s
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
const uint8_t *secret, size_t secret_len);
ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
- enum ssl_encryption_level_t level);
+ enum ssl_encryption_level_t level, ngx_uint_t is_write);
void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
enum ssl_encryption_level_t level);
void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
diff -r 3038bd4d7816 -r ff98ae7d261e src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c Wed Oct 18 04:30:11 2023 +0300
+++ b/src/event/quic/ngx_event_quic_ssl.c Thu Aug 31 19:54:10 2023 +0400
@@ -434,7 +434,7 @@ ngx_quic_crypto_input(ngx_connection_t *
}

if (n <= 0 || SSL_in_init(ssl_conn)) {
- if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data)
+ if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
&& qc->client_tp_done)
{
if (ngx_quic_init_streams(c) != NGX_OK) {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] QUIC: split keys availability checks to read and write sides.

Sergey Kandaurov 224 October 20, 2023 10:44AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 84
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready