mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-20 03:51:09 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

QUIC: using native TLSv1.3 cipher suite constants.

Browse Source 
After BoringSSL aligned[1] with OpenSSL on TLS1_3_CK_* macros, and
LibreSSL uses OpenSSL naming, our own variants can be dropped now.
Compatibility is preserved with libraries that lack these macros.

Additionally, transition to SSL_CIPHER_get_id() fixes build error
with LibreSSL that doesn't implement SSL_CIPHER_get_protocol_id().

[1] https://boringssl.googlesource.com/boringssl/+/dfddbc4ded
This commit is contained in:
Sergey Kandaurov 2022-10-20 16:21:05 +04:00
parent fcba3d1458
commit 00468d71bf
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/event/quic/ngx_event_quic_protection.c
View File

@ -15,9 +15,12 @@
#define NGX_QUIC_AES_128_KEY_LEN 16 #define NGX_QUIC_AES_128_KEY_LEN 16
#define NGX_AES_128_GCM_SHA256 0x1301 #ifndef TLS1_3_CK_AES_128_GCM_SHA256
#define NGX_AES_256_GCM_SHA384 0x1302 #define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301
#define NGX_CHACHA20_POLY1305_SHA256 0x1303 #define TLS1_3_CK_AES_256_GCM_SHA384 0x03001302
#define TLS1_3_CK_CHACHA20_POLY1305_SHA256 \
0x03001303
#endif
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
@ -90,12 +93,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
ngx_int_t len; ngx_int_t len;
if (level == ssl_encryption_initial) { if (level == ssl_encryption_initial) {
id = NGX_AES_128_GCM_SHA256; id = TLS1_3_CK_AES_128_GCM_SHA256;
} }
switch (id) { switch (id) {
case NGX_AES_128_GCM_SHA256: case TLS1_3_CK_AES_128_GCM_SHA256:
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_aes_128_gcm(); ciphers->c = EVP_aead_aes_128_gcm();
#else #else
@ -106,7 +109,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
len = 16; len = 16;
break; break;
case NGX_AES_256_GCM_SHA384: case TLS1_3_CK_AES_256_GCM_SHA384:
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_aes_256_gcm(); ciphers->c = EVP_aead_aes_256_gcm();
#else #else
@ -117,7 +120,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
len = 32; len = 32;
break; break;
case NGX_CHACHA20_POLY1305_SHA256: case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
ciphers->c = EVP_aead_chacha20_poly1305(); ciphers->c = EVP_aead_chacha20_poly1305();
#else #else
@ -642,7 +645,7 @@ ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
peer_secret = is_write ? &keys->secrets[level].server peer_secret = is_write ? &keys->secrets[level].server
: &keys->secrets[level].client; : &keys->secrets[level].client;
keys->cipher = SSL_CIPHER_get_protocol_id(cipher); keys->cipher = SSL_CIPHER_get_id(cipher);
key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);