QUIC: removed use of SSL_quic_read_level and SSL_quic_write_level.

As explained in BoringSSL change[1], levels were introduced in the original
QUIC API to draw a line between when keys are released and when are active.
In the new QUIC API they are released in separate calls when it's needed.
BoringSSL has then a consideration to remove levels API, hence the change.

If not available e.g. from a QUIC packet header, levels can be taken based on
keys availability.  The only real use of levels is to prevent using app keys
before they are active in QuicTLS that provides the old BoringSSL QUIC API,
it is replaced with an equivalent check of c->ssl->handshaked.

This change also removes OpenSSL compat shims since they are no longer used.
The only exception left is caching write level from the keylog callback in
the internal field which is a handy equivalent of checking keys availability.

[1] https://boringssl.googlesource.com/boringssl/+/1e859054

diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index cd8beb3528352d80c0f00e41aad3c7e43aa41144..6852bb070aa38522985e5479d6218e956822e99e 100644 (file)
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -963,10 +963,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
 #if !defined (OPENSSL_IS_BORINGSSL)
     /* OpenSSL provides read keys for an application level before it's ready */
 
-    if (pkt->level == ssl_encryption_application
-        && SSL_quic_read_level(c->ssl->connection)
-           < ssl_encryption_application)
-    {
+    if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic no %s keys ready, ignoring packet",
                       ngx_quic_level_name(pkt->level));

diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c b/src/event/quic/ngx_event_quic_openssl_compat.c
index 318feda10f3c954e5f46f4d75f0bb6cbdc559978..e970cfb9be7362933c0c61ff4eba7b54ed321a3e 100644 (file)
--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -44,7 +44,6 @@ struct ngx_quic_compat_s {
     const SSL_QUIC_METHOD        *method;
 
     enum ssl_encryption_level_t   write_level;
-    enum ssl_encryption_level_t   read_level;
 
     uint64_t                      read_record;
     ngx_quic_compat_keys_t        keys;
@@ -213,7 +212,6 @@ ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line)
 
     } else {
         com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n);
-        com->read_level = level;
         com->read_record = 0;
 
         (void) ngx_quic_compat_set_encryption_secret(c->log, &com->keys, level,
@@ -583,32 +581,6 @@ ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res)
 }
 
 
-enum ssl_encryption_level_t
-SSL_quic_read_level(const SSL *ssl)
-{
-    ngx_connection_t       *c;
-    ngx_quic_connection_t  *qc;
-
-    c = ngx_ssl_get_connection(ssl);
-    qc = ngx_quic_get_connection(c);
-
-    return qc->compat->read_level;
-}
-
-
-enum ssl_encryption_level_t
-SSL_quic_write_level(const SSL *ssl)
-{
-    ngx_connection_t       *c;
-    ngx_quic_connection_t  *qc;
-
-    c = ngx_ssl_get_connection(ssl);
-    qc = ngx_quic_get_connection(c);
-
-    return qc->compat->write_level;
-}
-
-
 int
 SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
     size_t params_len)

diff --git a/src/event/quic/ngx_event_quic_openssl_compat.h b/src/event/quic/ngx_event_quic_openssl_compat.h
index b04f6e0b5c744d991b579381144feea3bf3e2114..77cc3cb0d835f8856d49a3ac98763b2ff01dae39 100644 (file)
--- a/src/event/quic/ngx_event_quic_openssl_compat.h
+++ b/src/event/quic/ngx_event_quic_openssl_compat.h
@@ -48,8 +48,6 @@ ngx_int_t ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx);
 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
     const uint8_t *data, size_t len);
-enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
-enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
     size_t params_len);
 void SSL_get_peer_quic_transport_params(const SSL *ssl,

diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index 316d6b5eb73171d44bce4f387dd94825fb383b3a..c719a1dd4aeb9009b3ce630e48628fc4a4e3c84f 100644 (file)
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -43,7 +43,8 @@ static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
 static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn);
 static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
     enum ssl_encryption_level_t level, uint8_t alert);
-static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data);
+static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+    enum ssl_encryption_level_t level);
 
 
 #if (NGX_QUIC_BORINGSSL_API)
@@ -354,7 +355,7 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
     }
 
     if (f->offset == ctx->crypto.offset) {
-        if (ngx_quic_crypto_input(c, frame->data) != NGX_OK) {
+        if (ngx_quic_crypto_input(c, frame->data, pkt->level) != NGX_OK) {
             return NGX_ERROR;
         }
 
@@ -372,7 +373,7 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
     cl = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);
 
     if (cl) {
-        if (ngx_quic_crypto_input(c, cl) != NGX_OK) {
+        if (ngx_quic_crypto_input(c, cl, pkt->level) != NGX_OK) {
             return NGX_ERROR;
         }
 
@@ -384,7 +385,8 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
 
 
 static ngx_int_t
-ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
+ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
+    enum ssl_encryption_level_t level)
 {
     int                     n, sslerr;
     ngx_buf_t              *b;
@@ -397,17 +399,10 @@ ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
 
     ssl_conn = c->ssl->connection;
 
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
-                   (int) SSL_quic_read_level(ssl_conn),
-                   (int) SSL_quic_write_level(ssl_conn));
-
     for (cl = data; cl; cl = cl->next) {
         b = cl->buf;
 
-        if (!SSL_provide_quic_data(ssl_conn, SSL_quic_read_level(ssl_conn),
-                                   b->pos, b->last - b->pos))
-        {
+        if (!SSL_provide_quic_data(ssl_conn, level, b->pos, b->last - b->pos)) {
             ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
                           "SSL_provide_quic_data() failed");
             return NGX_ERROR;
@@ -416,11 +411,6 @@ ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data)
 
     n = SSL_do_handshake(ssl_conn);
 
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                   "quic SSL_quic_read_level:%d SSL_quic_write_level:%d",
-                   (int) SSL_quic_read_level(ssl_conn),
-                   (int) SSL_quic_write_level(ssl_conn));
-
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 
     if (n <= 0) {