[PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL

Sergey Kandaurov pluknet at nginx.com
Mon Oct 17 14:26:41 UTC 2022


> On 17 Oct 2022, at 17:31, Roman Arutyunyan <arut at nginx.com> wrote:
> 
> Hi,
> 
> On Tue, Oct 11, 2022 at 02:35:52PM +0400, Sergey Kandaurov wrote:
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet at nginx.com>
>> # Date 1665484414 -14400
>> #      Tue Oct 11 14:33:34 2022 +0400
>> # Branch quic
>> # Node ID c0165ddcb1c6981f8e5230081f03a277f62d20c3
>> # Parent  caced81ce0a9cb218ae8cdd6176c12e0614acee9
>> QUIC: support for setting QUIC methods with LibreSSL.
>> 
>> Setting QUIC methods is converted to use C99 designated initializers
>> for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.
>> 
>> Additionally, it sticks with set_read_secret/set_write_secret callbacks.
>> LibreSSL prefers set_encryption_secrets over them but has unexpectedly
>> incompatible behaviour expressed in passing read and write secrets split
>> in separate calls, unlike this is documented in old BoringSSL sources.
> 
> Why do you think it prefers set_encryption_secrets()?  The source code
> references it as "old", see this comment from tls13_quic_set_read_traffic_key():
> 
> /* Handle both the new (BoringSSL) and old (quictls) APIs. */
> 

Tnx, looks like a false memory from before applying the patch.
Anyway, it's still worth leaving only the new API.

This updates the last paragraph of the change description:

: Additionally, only set_read_secret/set_write_secret callbacks are set.
: Although they are preferred in LibreSSL over set_encryption_secrets,
: better be on a safe side as LibreSSL has unexpectedly incompatible
: set_encryption_secrets calling convention expressed in passing read
: and write secrets split in separate calls, unlike this is documented
: in old BoringSSL sources.  To avoid introducing further changes for
: the old API, it is simply disabled.

>> 
>> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
>> --- a/src/event/quic/ngx_event_quic_ssl.c
>> +++ b/src/event/quic/ngx_event_quic_ssl.c
>> @@ -18,7 +18,7 @@
>> #define NGX_QUIC_MAX_BUFFERED    65535
>> 
>> 
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>>     enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
>>     const uint8_t *secret, size_t secret_len);
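Review bot: The "defined LIBRESSL_VERSION_NUMBER" test on the changed #if line is true for every LibreSSL release, while the change description ties the different SSL_QUIC_METHOD layout to LibreSSL 3.6.0. If this file can be compiled against an older LibreSSL, compare LIBRESSL_VERSION_NUMBER against the 3.6.0 value rather than only testing that it is defined. The same condition is repeated at three places in this patch (prototypes, initializer, function bodies); defining one local macro near the top of the file and testing that would keep the three sites from drifting apart.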
>> @@ -40,19 +40,19 @@ static ngx_int_t ngx_quic_crypto_input(n
>> 
>> 
>> static SSL_QUIC_METHOD quic_method = {
>> -#if BORINGSSL_API_VERSION >= 10
>> -    ngx_quic_set_read_secret,
>> -    ngx_quic_set_write_secret,
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> +    .set_read_secret = ngx_quic_set_read_secret,
>> +    .set_write_secret = ngx_quic_set_write_secret,
>> #else
>> -    ngx_quic_set_encryption_secrets,
>> +    .set_encryption_secrets = ngx_quic_set_encryption_secrets,
>> #endif
>> -    ngx_quic_add_handshake_data,
>> -    ngx_quic_flush_flight,
>> -    ngx_quic_send_alert,
>> +    .add_handshake_data = ngx_quic_add_handshake_data,
>> +    .flush_flight = ngx_quic_flush_flight,
>> +    .send_alert = ngx_quic_send_alert,
>> };
>> 
>> 
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> 
>> static int
>> ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>> 
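Review bot: In the quic_method initializer, the first #if branch now leaves .set_encryption_secrets implicitly zero when building with LibreSSL, and nothing in the code says that this is deliberate. The change description explains that the old callback is left out on purpose because LibreSSL passes read and write secrets in separate calls; a short comment inside the initializer saying so would stop a later change from adding the callback back. With designated initializers, member order no longer guards against a layout mismatch, so it is also worth stating in the description that any member not named here is expected to be NULL.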

-- 
Sergey Kandaurov


