[nginx] QUIC: simplified ngx_quic_ciphers() API.

Sergey Kandaurov pluknet at nginx.com
Fri Oct 20 14:42:37 UTC 2023


details:   https://hg.nginx.org/nginx/rev/8dacf87e4007
branches:  
changeset: 9176:8dacf87e4007
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Fri Oct 20 18:05:07 2023 +0400
description:
QUIC: simplified ngx_quic_ciphers() API.

After conversion to reusable crypto ctx, now there's enough caller
context to remove the "level" argument from ngx_quic_ciphers().

diffstat:

 src/event/quic/ngx_event_quic_openssl_compat.c |   2 +-
 src/event/quic/ngx_event_quic_protection.c     |  19 +++++++------------
 src/event/quic/ngx_event_quic_protection.h     |   3 +--
 3 files changed, 9 insertions(+), 15 deletions(-)

diffs (92 lines):

diff -r f7c9cd726298 -r 8dacf87e4007 src/event/quic/ngx_event_quic_openssl_compat.c
--- a/src/event/quic/ngx_event_quic_openssl_compat.c	Fri Oct 20 18:05:07 2023 +0400
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c	Fri Oct 20 18:05:07 2023 +0400
@@ -238,7 +238,7 @@ ngx_quic_compat_set_encryption_secret(ng
 
     keys->cipher = SSL_CIPHER_get_id(cipher);
 
-    key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+    key_len = ngx_quic_ciphers(keys->cipher, &ciphers);
 
     if (key_len == NGX_ERROR) {
         ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher");
diff -r f7c9cd726298 -r 8dacf87e4007 src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c	Fri Oct 20 18:05:07 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.c	Fri Oct 20 18:05:07 2023 +0400
@@ -15,6 +15,8 @@
 
 #define NGX_QUIC_AES_128_KEY_LEN      16
 
+#define NGX_QUIC_INITIAL_CIPHER       TLS1_3_CK_AES_128_GCM_SHA256
+
 
 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
     const EVP_MD *digest, const u_char *prk, size_t prk_len,
@@ -46,15 +48,10 @@ static ngx_int_t ngx_quic_create_retry_p
 
 
 ngx_int_t
-ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
-    enum ssl_encryption_level_t level)
+ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
 {
     ngx_int_t  len;
 
-    if (level == ssl_encryption_initial) {
-        id = TLS1_3_CK_AES_128_GCM_SHA256;
-    }
-
     switch (id) {
 
     case TLS1_3_CK_AES_128_GCM_SHA256:
@@ -188,7 +185,7 @@ ngx_quic_keys_set_initial_secret(ngx_qui
         }
     }
 
-    if (ngx_quic_ciphers(0, &ciphers, ssl_encryption_initial) == NGX_ERROR) {
+    if (ngx_quic_ciphers(NGX_QUIC_INITIAL_CIPHER, &ciphers) == NGX_ERROR) {
         return NGX_ERROR;
     }
 
@@ -664,7 +661,7 @@ ngx_quic_keys_set_encryption_secret(ngx_
 
     keys->cipher = SSL_CIPHER_get_id(cipher);
 
-    key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+    key_len = ngx_quic_ciphers(keys->cipher, &ciphers);
 
     if (key_len == NGX_ERROR) {
         ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
@@ -780,9 +777,7 @@ ngx_quic_keys_update(ngx_event_t *ev)
 
     c->log->action = "updating keys";
 
-    if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application)
-        == NGX_ERROR)
-    {
+    if (ngx_quic_ciphers(keys->cipher, &ciphers) == NGX_ERROR) {
         goto failed;
     }
 
@@ -927,7 +922,7 @@ ngx_quic_create_retry_packet(ngx_quic_he
                    "quic retry itag len:%uz %xV", ad.len, &ad);
 #endif
 
-    if (ngx_quic_ciphers(0, &ciphers, pkt->level) == NGX_ERROR) {
+    if (ngx_quic_ciphers(NGX_QUIC_INITIAL_CIPHER, &ciphers) == NGX_ERROR) {
         return NGX_ERROR;
     }
 
diff -r f7c9cd726298 -r 8dacf87e4007 src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h	Fri Oct 20 18:05:07 2023 +0400
+++ b/src/event/quic/ngx_event_quic_protection.h	Fri Oct 20 18:05:07 2023 +0400
@@ -108,8 +108,7 @@ void ngx_quic_keys_cleanup(ngx_quic_keys
 ngx_int_t ngx_quic_encrypt(ngx_quic_header_t *pkt, ngx_str_t *res);
 ngx_int_t ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn);
 void ngx_quic_compute_nonce(u_char *nonce, size_t len, uint64_t pn);
-ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
-    enum ssl_encryption_level_t level);
+ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers);
 ngx_int_t ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher,
     ngx_quic_secret_t *s, ngx_int_t enc, ngx_log_t *log);
 ngx_int_t ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out,


More information about the nginx-devel mailing list