[PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL

Roman Arutyunyan arut at nginx.com
Mon Oct 17 13:31:30 UTC 2022


Hi,

On Tue, Oct 11, 2022 at 02:35:52PM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1665484414 -14400
> #      Tue Oct 11 14:33:34 2022 +0400
> # Branch quic
> # Node ID c0165ddcb1c6981f8e5230081f03a277f62d20c3
> # Parent  caced81ce0a9cb218ae8cdd6176c12e0614acee9
> QUIC: support for setting QUIC methods with LibreSSL.
> 
> Setting QUIC methods is converted to use C99 designated initializers
> for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.
> 
> Additionally, it sticks with the set_read_secret/set_write_secret callbacks.
> LibreSSL prefers set_encryption_secrets over them but has unexpectedly
> incompatible behaviour, expressed in passing read and write secrets split
> across separate calls, unlike what is documented in old BoringSSL sources.

Why do you think it prefers set_encryption_secrets()?  The source code
references it as "old", see this comment from tls13_quic_set_read_traffic_key():

 /* Handle both the new (BoringSSL) and old (quictls) APIs. */

> 
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -18,7 +18,7 @@
>  #define NGX_QUIC_MAX_BUFFERED    65535
>  
>  
> -#if BORINGSSL_API_VERSION >= 10
> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>  static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>      enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
>      const uint8_t *secret, size_t secret_len);
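Review bot: the compound condition `BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER` is written out in full here and is repeated verbatim at the two later `#if` sites in this patch, so a future API version bump or a third library would have to be fixed in three places; consider evaluating it once, e.g. a single `#define` near the top of ngx_event_quic_ssl.c, and testing that macro at each site. The bare `defined LIBRESSL_VERSION_NUMBER` form is valid C, but `defined(LIBRESSL_VERSION_NUMBER)` is the spelling most readers expect and matches the parenthesised style used elsewhere in the preprocessor conditions.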
> @@ -40,19 +40,19 @@ static ngx_int_t ngx_quic_crypto_input(n
>  
>  
>  static SSL_QUIC_METHOD quic_method = {
> -#if BORINGSSL_API_VERSION >= 10
> -    ngx_quic_set_read_secret,
> -    ngx_quic_set_write_secret,
> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
> +    .set_read_secret = ngx_quic_set_read_secret,
> +    .set_write_secret = ngx_quic_set_write_secret,
>  #else
> -    ngx_quic_set_encryption_secrets,
> +    .set_encryption_secrets = ngx_quic_set_encryption_secrets,
>  #endif
> -    ngx_quic_add_handshake_data,
> -    ngx_quic_flush_flight,
> -    ngx_quic_send_alert,
> +    .add_handshake_data = ngx_quic_add_handshake_data,
> +    .flush_flight = ngx_quic_flush_flight,
> +    .send_alert = ngx_quic_send_alert,
>  };
>  
>  
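Review bot: with designated initializers every SSL_QUIC_METHOD member this struct does not name is zero-initialized, so on LibreSSL the `set_encryption_secrets` slot is left NULL while only `set_read_secret`/`set_write_secret` are set. Since the commit message says LibreSSL prefers `set_encryption_secrets`, please confirm that LibreSSL 3.6.0 tolerates a NULL `set_encryption_secrets` and dispatches to the per-direction callbacks instead, and record that expectation in a short comment next to the `#if` so the next reader does not have to rediscover why the `#else` branch is not taken for LibreSSL.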
> -#if BORINGSSL_API_VERSION >= 10
> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>  
>  static int
>  ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,

--
Roman Arutyunyan