[PATCH 3 of 4] QUIC: support for setting QUIC methods with LibreSSL
Sergey Kandaurov
pluknet at nginx.com
Mon Oct 17 14:26:41 UTC 2022
> On 17 Oct 2022, at 17:31, Roman Arutyunyan <arut at nginx.com> wrote:
>
> Hi,
>
> On Tue, Oct 11, 2022 at 02:35:52PM +0400, Sergey Kandaurov wrote:
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet at nginx.com>
>> # Date 1665484414 -14400
>> # Tue Oct 11 14:33:34 2022 +0400
>> # Branch quic
>> # Node ID c0165ddcb1c6981f8e5230081f03a277f62d20c3
>> # Parent caced81ce0a9cb218ae8cdd6176c12e0614acee9
>> QUIC: support for setting QUIC methods with LibreSSL.
>>
>> Setting QUIC methods is converted to use C99 designated initializers
>> for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.
>>
>> Additionally, it's stick with set_read_secret/set_write_secret callbacks.
>> LibreSSL prefers set_encryption_secrets over them but has unexpectedly
>> incompatible behaviour expressed in passing read and write secrets split
>> in separate calls, unlike this is documented in old BoringSSL sources.
>
> Why do you think it prefres set_encryption_secrets()? The source code
> references it as "old", see this comment from tls13_quic_set_read_traffic_key():
>
> /* Handle both the new (BoringSSL) and old (quictls) APIs. */
>
Tnx, looks like a false memory from before applying the patch.
Anyway, it's still worth to leave only the new API.
This updates the last paragraph of the change description:
: Additionally, only set_read_secret/set_write_secret callbacks are set.
: Although they are preferred in LibreSSL over set_encryption_secrets,
: better be on a safe side as LibreSSL has unexpectedly incompatible
: set_encryption_secrets calling convention expressed in passing read
: and write secrets split in separate calls, unlike this is documented
: in old BoringSSL sources. To avoid introducing further changes for
: the old API, it is simply disabled.
>>
>> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
>> --- a/src/event/quic/ngx_event_quic_ssl.c
>> +++ b/src/event/quic/ngx_event_quic_ssl.c
>> @@ -18,7 +18,7 @@
>> #define NGX_QUIC_MAX_BUFFERED 65535
>>
>>
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>> enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
>> const uint8_t *secret, size_t secret_len);
>> @@ -40,19 +40,19 @@ static ngx_int_t ngx_quic_crypto_input(n
>>
>>
>> static SSL_QUIC_METHOD quic_method = {
>> -#if BORINGSSL_API_VERSION >= 10
>> - ngx_quic_set_read_secret,
>> - ngx_quic_set_write_secret,
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>> + .set_read_secret = ngx_quic_set_read_secret,
>> + .set_write_secret = ngx_quic_set_write_secret,
>> #else
>> - ngx_quic_set_encryption_secrets,
>> + .set_encryption_secrets = ngx_quic_set_encryption_secrets,
>> #endif
>> - ngx_quic_add_handshake_data,
>> - ngx_quic_flush_flight,
>> - ngx_quic_send_alert,
>> + .add_handshake_data = ngx_quic_add_handshake_data,
>> + .flush_flight = ngx_quic_flush_flight,
>> + .send_alert = ngx_quic_send_alert,
>> };
>>
>>
>> -#if BORINGSSL_API_VERSION >= 10
>> +#if BORINGSSL_API_VERSION >= 10 || defined LIBRESSL_VERSION_NUMBER
>>
>> static int
>> ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
>>
--
Sergey Kandaurov
More information about the nginx-devel
mailing list