[PATCH 2 of 4] QUIC: avoided pool usage in ngx_quic_protection.c

Roman Arutyunyan arut at nginx.com
Tue May 31 07:06:32 UTC 2022


# HG changeset patch
# User Vladimir Homutov <vl at nginx.com>
# Date 1653644250 -14400
#      Fri May 27 13:37:30 2022 +0400
# Branch quic
# Node ID 41f47332273e0350157258cc40dd0ede4ee86c69
# Parent  a881ff28070262f3810517d5d3cb4ff67a4b7121
QUIC: avoided pool usage in ngx_quic_protection.c.

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -325,7 +325,7 @@ ngx_quic_new_connection(ngx_connection_t
         }
     }
 
-    if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid)
+    if (ngx_quic_keys_set_initial_secret(qc->keys, &pkt->dcid, c->log)
         != NGX_OK)
     {
         return NULL;
diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c
--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@@ -961,7 +961,7 @@ ngx_quic_send_early_cc(ngx_connection_t 
         return NGX_ERROR;
     }
 
-    if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid)
+    if (ngx_quic_keys_set_initial_secret(pkt.keys, &inpkt->dcid, c->log)
         != NGX_OK)
     {
         return NGX_ERROR;
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -113,7 +113,7 @@ static ngx_int_t ngx_quic_tls_seal(const
 static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
     ngx_quic_secret_t *s, u_char *out, u_char *in);
 static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf,
-    const EVP_MD *digest, ngx_pool_t *pool);
+    const EVP_MD *digest, ngx_log_t *log);
 
 static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
     ngx_str_t *res);
@@ -179,8 +179,8 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
 
 
 ngx_int_t
-ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
-    ngx_str_t *secret)
+ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret,
+    ngx_log_t *log)
 {
     size_t              is_len;
     uint8_t             is[SHA256_DIGEST_LENGTH];
@@ -217,12 +217,12 @@ ngx_quic_keys_set_initial_secret(ngx_poo
         .len = is_len
     };
 
-    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0,
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0,
                    "quic ngx_quic_set_initial_secret");
 #ifdef NGX_QUIC_DEBUG_CRYPTO
-    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
                    "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt);
-    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
+    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
                    "quic initial secret len:%uz %*xs", is_len, is_len, is);
 #endif
 
@@ -251,7 +251,7 @@ ngx_quic_keys_set_initial_secret(ngx_poo
     };
 
     for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-        if (ngx_quic_hkdf_expand(&seq[i], digest, pool) != NGX_OK) {
+        if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) {
             return NGX_ERROR;
         }
     }
@@ -261,19 +261,12 @@ ngx_quic_keys_set_initial_secret(ngx_poo
 
 
 static ngx_int_t
-ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_pool_t *pool)
+ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)
 {
     size_t    info_len;
     uint8_t  *p;
     uint8_t   info[20];
 
-    if (h->out == NULL) {
-        h->out = ngx_pnalloc(pool, h->out_len);
-        if (h->out == NULL) {
-            return NGX_ERROR;
-        }
-    }
-
     info_len = 2 + 1 + h->label_len + 1;
 
     info[0] = 0;
@@ -287,13 +280,13 @@ ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h,
                         h->prk, h->prk_len, info, info_len)
         != NGX_OK)
     {
-        ngx_ssl_error(NGX_LOG_INFO, pool->log, 0,
+        ngx_ssl_error(NGX_LOG_INFO, log, 0,
                       "ngx_hkdf_expand(%*s) failed", h->label_len, h->label);
         return NGX_ERROR;
     }
 
 #ifdef NGX_QUIC_DEBUG_CRYPTO
-    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, pool->log, 0,
+    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0,
                    "quic expand \"%*s\" key len:%uz %*xs",
                    h->label_len, h->label, h->out_len, h->out_len, h->out);
 #endif
@@ -674,7 +667,7 @@ failed:
 
 
 ngx_int_t
-ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write,
+ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
     ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
     const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
 {
@@ -692,12 +685,12 @@ ngx_quic_keys_set_encryption_secret(ngx_
     key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
 
     if (key_len == NGX_ERROR) {
-        ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher");
+        ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
         return NGX_ERROR;
     }
 
     if (sizeof(peer_secret->secret.data) < secret_len) {
-        ngx_log_error(NGX_LOG_ALERT, pool->log, 0,
+        ngx_log_error(NGX_LOG_ALERT, log, 0,
                       "unexpected secret len: %uz", secret_len);
         return NGX_ERROR;
     }
@@ -719,7 +712,7 @@ ngx_quic_keys_set_encryption_secret(ngx_
     };
 
     for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, pool) != NGX_OK) {
+        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
             return NGX_ERROR;
         }
     }
@@ -809,7 +802,7 @@ ngx_quic_keys_update(ngx_connection_t *c
     };
 
     for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->pool) != NGX_OK) {
+        if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
             return NGX_ERROR;
         }
     }
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -18,9 +18,9 @@
 
 
 ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool);
-ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool,
-    ngx_quic_keys_t *keys, ngx_str_t *secret);
-ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool,
+ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys,
+    ngx_str_t *secret, ngx_log_t *log);
+ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_log_t *log,
     ngx_uint_t is_write, ngx_quic_keys_t *keys,
     enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
     const uint8_t *secret, size_t secret_len);
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -73,7 +73,7 @@ ngx_quic_set_read_secret(ngx_ssl_conn_t 
                    secret_len, rsecret);
 #endif
 
-    if (ngx_quic_keys_set_encryption_secret(c->pool, 0, qc->keys, level,
+    if (ngx_quic_keys_set_encryption_secret(c->log, 0, qc->keys, level,
                                             cipher, rsecret, secret_len)
         != NGX_OK)
     {
@@ -109,7 +109,7 @@ ngx_quic_set_write_secret(ngx_ssl_conn_t
                    secret_len, wsecret);
 #endif
 
-    if (ngx_quic_keys_set_encryption_secret(c->pool, 1, qc->keys, level,
+    if (ngx_quic_keys_set_encryption_secret(c->log, 1, qc->keys, level,
                                             cipher, wsecret, secret_len)
         != NGX_OK)
     {
@@ -143,7 +143,7 @@ ngx_quic_set_encryption_secrets(ngx_ssl_
 
     cipher = SSL_get_current_cipher(ssl_conn);
 
-    if (ngx_quic_keys_set_encryption_secret(c->pool, 0, qc->keys, level,
+    if (ngx_quic_keys_set_encryption_secret(c->log, 0, qc->keys, level,
                                             cipher, rsecret, secret_len)
         != NGX_OK)
     {
@@ -164,7 +164,7 @@ ngx_quic_set_encryption_secrets(ngx_ssl_
                    secret_len, wsecret);
 #endif
 
-    if (ngx_quic_keys_set_encryption_secret(c->pool, 1, qc->keys, level,
+    if (ngx_quic_keys_set_encryption_secret(c->log, 1, qc->keys, level,
                                             cipher, wsecret, secret_len)
         != NGX_OK)
     {



More information about the nginx-devel mailing list