[PATCH 01 of 11] QUIC: split keys availability checks to read and write sides

Sergey Kandaurov pluknet at nginx.com
Wed Oct 18 15:26:43 UTC 2023


# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1693497250 -14400
#      Thu Aug 31 19:54:10 2023 +0400
# Node ID ff98ae7d261e1a7f58963ac91eac9caecc9d6aee
# Parent  3038bd4d78169a5e8a2624d79cf76f45f0805ddc
QUIC: split keys availability checks to read and write sides.

Keys may be released by TLS stack in different times, so it makes sense
to check this independently as well.  This allows to fine-tune what key
direction is used when checking keys availability.

When discarding, server keys are now marked in addition to client keys.

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -530,7 +530,7 @@ ngx_quic_close_connection(ngx_connection
             for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
                 ctx = &qc->send_ctx[i];
 
-                if (!ngx_quic_keys_available(qc->keys, ctx->level)) {
+                if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
                     continue;
                 }
 
@@ -959,7 +959,7 @@ ngx_quic_handle_payload(ngx_connection_t
 
     c->log->action = "decrypting packet";
 
-    if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
+    if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic no %s keys, ignoring packet",
                       ngx_quic_level_name(pkt->level));
@@ -1082,7 +1082,9 @@ ngx_quic_discard_ctx(ngx_connection_t *c
 
     qc = ngx_quic_get_connection(c);
 
-    if (!ngx_quic_keys_available(qc->keys, level)) {
+    if (!ngx_quic_keys_available(qc->keys, level, 0)
+        && !ngx_quic_keys_available(qc->keys, level, 1))
+    {
         return;
     }
 
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -672,9 +672,13 @@ ngx_quic_keys_set_encryption_secret(ngx_
 
 ngx_uint_t
 ngx_quic_keys_available(ngx_quic_keys_t *keys,
-    enum ssl_encryption_level_t level)
+    enum ssl_encryption_level_t level, ngx_uint_t is_write)
 {
-    return keys->secrets[level].client.key.len != 0;
+    if (is_write == 0) {
+        return keys->secrets[level].client.key.len != 0;
+    }
+
+    return keys->secrets[level].server.key.len != 0;
 }
 
 
@@ -683,6 +687,7 @@ ngx_quic_keys_discard(ngx_quic_keys_t *k
     enum ssl_encryption_level_t level)
 {
     keys->secrets[level].client.key.len = 0;
+    keys->secrets[level].server.key.len = 0;
 }
 
 
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -95,7 +95,7 @@ ngx_int_t ngx_quic_keys_set_encryption_s
     enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
     const uint8_t *secret, size_t secret_len);
 ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
-    enum ssl_encryption_level_t level);
+    enum ssl_encryption_level_t level, ngx_uint_t is_write);
 void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
     enum ssl_encryption_level_t level);
 void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -434,7 +434,7 @@ ngx_quic_crypto_input(ngx_connection_t *
     }
 
     if (n <= 0 || SSL_in_init(ssl_conn)) {
-        if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data)
+        if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
             && qc->client_tp_done)
         {
             if (ngx_quic_init_streams(c) != NGX_OK) {


More information about the nginx-devel mailing list