[PATCH 1 of 4] QUIC: using native TLSv1.3 cipher suite constants

Sergey Kandaurov pluknet at nginx.com
Tue Oct 11 10:35:50 UTC 2022


# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1665442920 -14400
#      Tue Oct 11 03:02:00 2022 +0400
# Branch quic
# Node ID 82b03006a7bd93c3b5c962a3afac89e0639b0c12
# Parent  28fc35b71d7566d5a7e04968c70291a239f05b6f
QUIC: using native TLSv1.3 cipher suite constants.

After BoringSSL aligned[1] with OpenSSL on TLS1_3_CK_* macros, and
LibreSSL uses OpenSSL naming, our own variants can be dropped now.
Compatibility is preserved with libraries that lack these macros.

Additionally, transition to SSL_CIPHER_get_id() fixes build error
with LibreSSL that doesn't implement SSL_CIPHER_get_protocol_id().

[1] https://boringssl.googlesource.com/boringssl/+/dfddbc4ded

diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -15,9 +15,12 @@
 
 #define NGX_QUIC_AES_128_KEY_LEN      16
 
-#define NGX_AES_128_GCM_SHA256        0x1301
-#define NGX_AES_256_GCM_SHA384        0x1302
-#define NGX_CHACHA20_POLY1305_SHA256  0x1303
+#ifndef TLS1_3_CK_AES_128_GCM_SHA256
+#define TLS1_3_CK_AES_128_GCM_SHA256  0x03001301
+#define TLS1_3_CK_AES_256_GCM_SHA384  0x03001302
+#define TLS1_3_CK_CHACHA20_POLY1305_SHA256                                   \
+                                      0x03001303
+#endif
 
 
 #ifdef OPENSSL_IS_BORINGSSL
@@ -90,12 +93,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
     ngx_int_t  len;
 
     if (level == ssl_encryption_initial) {
-        id = NGX_AES_128_GCM_SHA256;
+        id = TLS1_3_CK_AES_128_GCM_SHA256;
     }
 
     switch (id) {
 
-    case NGX_AES_128_GCM_SHA256:
+    case TLS1_3_CK_AES_128_GCM_SHA256:
 #ifdef OPENSSL_IS_BORINGSSL
         ciphers->c = EVP_aead_aes_128_gcm();
 #else
@@ -106,7 +109,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
         len = 16;
         break;
 
-    case NGX_AES_256_GCM_SHA384:
+    case TLS1_3_CK_AES_256_GCM_SHA384:
 #ifdef OPENSSL_IS_BORINGSSL
         ciphers->c = EVP_aead_aes_256_gcm();
 #else
@@ -117,7 +120,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
         len = 32;
         break;
 
-    case NGX_CHACHA20_POLY1305_SHA256:
+    case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
 #ifdef OPENSSL_IS_BORINGSSL
         ciphers->c = EVP_aead_chacha20_poly1305();
 #else
@@ -642,7 +645,7 @@ ngx_quic_keys_set_encryption_secret(ngx_
     peer_secret = is_write ? &keys->secrets[level].server
                            : &keys->secrets[level].client;
 
-    keys->cipher = SSL_CIPHER_get_protocol_id(cipher);
+    keys->cipher = SSL_CIPHER_get_id(cipher);
 
     key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
 



More information about the nginx-devel mailing list