comparison src/event/quic/ngx_event_quic_protection.c @ 9152:2880f60a80c3
QUIC: posted generating TLS Key Update next keys.
Since at least f9fbeb4ee0de and certainly after 924882f42dea, which
TLS Key Update support predates, queued data output is deferred to a
posted push handler. To address timing signals after these changes,
generating next keys is now posted to run after the push handler.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 25 Aug 2023 13:51:38 +0400 |
parents | f73dfa6c0696 |
children | ff98ae7d261e |
9151:933f37273282 | 9152:2880f60a80c3 |
---|---|
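--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -698,27 +698,36 @@
 *current = *next;
 *next = tmp;
 }
 
 
-ngx_int_t
-ngx_quic_keys_update(ngx_connection_t *c, ngx_quic_keys_t *keys)
+void
+ngx_quic_keys_update(ngx_event_t *ev)
 {
 ngx_uint_t i;
 ngx_quic_hkdf_t seq[6];
-ngx_quic_ciphers_t ciphers;
-ngx_quic_secrets_t *current, *next;
+ngx_quic_keys_t *keys;
+ngx_connection_t *c;
+ngx_quic_ciphers_t ciphers;
+ngx_quic_secrets_t *current, *next;
+ngx_quic_connection_t *qc;
+
+c = ev->data;
+qc = ngx_quic_get_connection(c);
+keys = qc->keys;
 
 current = &keys->secrets[ssl_encryption_application];
 next = &keys->next_key;
 
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update");
 
+c->log->action = "updating keys";
+
 if (ngx_quic_ciphers(keys->cipher, &ciphers, ssl_encryption_application)
 == NGX_ERROR)
 {
-return NGX_ERROR;
+goto failed;
 }
 
 next->client.secret.len = current->client.secret.len;
 next->client.key.len = current->client.key.len;
 next->client.iv.len = NGX_QUIC_IV_LEN;
@@ -742,15 +751,19 @@
 ngx_quic_hkdf_set(&seq[5], "tls13 quic iv",
 &next->server.iv, &next->server.secret);
 
 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
 if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
-return NGX_ERROR;
+goto failed;
 }
 }
 
-return NGX_OK;
+return;
+
+failed:
+
+ngx_quic_close_connection(c, NGX_ERROR);
 }
 
 
 static ngx_int_t
 ngx_quic_create_packet(ngx_quic_header_t *pkt, ngx_str_t *res)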
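Review bot: The new ngx_quic_keys_update(ngx_event_t *ev) carries no comment saying it is now an event handler, so a reader of the signature cannot tell that it is meant to be posted to run after the push handler (the reason given in the commit message) or that it derives the next-generation application secrets into keys->next_key and closes the connection on any failure. A header comment above the definition such as `/* posted event handler: derives the next application secrets into keys->next_key; any HKDF or cipher failure closes the connection with NGX_ERROR */` would record that contract where the signature no longer does. The `c->log->action = "updating keys";` assignment on the new side is not restored on the normal return, so subsequent log lines for this connection keep that action until another handler overwrites it; presumably this matches how other nginx event handlers use log->action, but it is worth confirming. The stretch of the function between the two hunks (the remaining ngx_quic_hkdf_set calls) is outside this view.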