From nobody Fri Sep 16 18:40:55 2022
Date: Fri, 16 Sep 2022 18:40:55 GMT
Message-Id: <202209161840.28GIetVP097778@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Sergey A. Osokin"
Subject: git: f4638b16605d - main - www/nginx-devel: update HTTPv3/QUIC patch
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: osa
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f4638b16605dbdba268739de753a76eeeb9e405d

The branch main has been updated by osa:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f4638b16605dbdba268739de753a76eeeb9e405d
commit f4638b16605dbdba268739de753a76eeeb9e405d Author: Sergey A. Osokin AuthorDate: 2022-09-16 18:39:57 +0000 Commit: Sergey A. Osokin CommitDate: 2022-09-16 18:40:48 +0000 www/nginx-devel: update HTTPv3/QUIC patch Bump PORTREVISION. --- www/nginx-devel/Makefile | 2 +- www/nginx-devel/files/extra-patch-httpv3 | 756 +++++++++++++++---------------- 2 files changed, 377 insertions(+), 381 deletions(-) diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile index f925fecee702..95a7f019f86c 100644 --- a/www/nginx-devel/Makefile +++ b/www/nginx-devel/Makefile @@ -1,6 +1,6 @@ PORTNAME?= nginx PORTVERSION= 1.23.1 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ LOCAL/osa diff --git a/www/nginx-devel/files/extra-patch-httpv3 b/www/nginx-devel/files/extra-patch-httpv3 index 10d7ebf7df4c..d6cada768b21 100644 --- a/www/nginx-devel/files/extra-patch-httpv3 +++ b/www/nginx-devel/files/extra-patch-httpv3 @@ -1,7 +1,7 @@ -diff -r 5da2c0902e8e README +diff -r a63d0a70afea README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/README Tue Jul 19 12:13:58 2022 -0400 -@@ -0,0 +1,232 @@ ++++ b/README Fri Sep 16 14:00:14 2022 -0400 +@@ -0,0 +1,230 @@ +Experimental QUIC support for nginx +----------------------------------- + 
@@ -24,15 +24,13 @@ diff -r 5da2c0902e8e README + + The project code base is under the same BSD license as nginx. + -+ The code is currently at a beta level of quality and should not -+ be used in production. ++ The code is currently at a beta level of quality, however ++ there are several production deployments with it. + -+ We are working on improving HTTP/3 support with the goal of -+ integrating it to the main NGINX codebase. Expect frequent -+ updates of this code and don't rely on it for whatever purpose. -+ -+ We'll be grateful for any feedback and code submissions however -+ we don't bear any responsibilities for any issues with this code. ++ We are working on improving HTTP/3 support to integrate it into ++ the main NGINX codebase. Thus, expect further updates of this code, ++ including features, changes in behaviour, bug fixes, and refactoring. ++ We'll be grateful for any feedback and code submissions. + + You can always contact us via nginx-devel mailing list [3]. + @@ -234,9 +232,9 @@ diff -r 5da2c0902e8e README + [6] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen + [7] https://nginx.org/en/docs/debugging_log.html + [8] http://vger.kernel.org/lpc_net2018_talks/willemdebruijn-lpc2018-udpgso-paper-DRAFT-1.pdf -diff -r 5da2c0902e8e auto/lib/openssl/conf ---- a/auto/lib/openssl/conf Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/lib/openssl/conf Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/lib/openssl/conf +--- a/auto/lib/openssl/conf Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/lib/openssl/conf Fri Sep 16 14:00:14 2022 -0400 @@ -5,12 +5,16 @@ if [ $OPENSSL != NONE ]; then @@ -296,9 +294,9 @@ diff -r 5da2c0902e8e auto/lib/openssl/conf + fi + fi fi -diff -r 5da2c0902e8e auto/make ---- a/auto/make Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/make Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/make +--- a/auto/make Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/make Fri Sep 16 14:00:14 2022 -0400 
@@ -6,9 +6,10 @@ echo "creating $NGX_MAKEFILE" @@ -312,9 +310,9 @@ diff -r 5da2c0902e8e auto/make $NGX_OBJS/src/mail \ $NGX_OBJS/src/stream \ $NGX_OBJS/src/misc -diff -r 5da2c0902e8e auto/modules ---- a/auto/modules Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/modules Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/modules +--- a/auto/modules Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/modules Fri Sep 16 14:00:14 2022 -0400 @@ -102,7 +102,7 @@ if [ $HTTP = YES ]; then fi @@ -475,9 +473,9 @@ diff -r 5da2c0902e8e auto/modules if [ $USE_PCRE = YES ]; then ngx_module_type=CORE ngx_module_name=ngx_regex_module -diff -r 5da2c0902e8e auto/options ---- a/auto/options Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/options Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/options +--- a/auto/options Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/options Fri Sep 16 14:00:14 2022 -0400 @@ -45,6 +45,8 @@ USE_THREADS=NO NGX_FILE_AIO=NO @@ -565,9 +563,9 @@ diff -r 5da2c0902e8e auto/options --with-stream_realip_module enable ngx_stream_realip_module --with-stream_geoip_module enable ngx_stream_geoip_module --with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module -diff -r 5da2c0902e8e auto/os/linux ---- a/auto/os/linux Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/os/linux Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/os/linux +--- a/auto/os/linux Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/os/linux Fri Sep 16 14:00:14 2022 -0400 @@ -232,6 +232,50 @@ ngx_feature_test="struct crypt_data cd; ngx_include="sys/vfs.h"; . auto/include @@ -619,9 +617,9 @@ diff -r 5da2c0902e8e auto/os/linux # UDP segmentation offloading ngx_feature="UDP_SEGMENT" -diff -r 5da2c0902e8e auto/sources ---- a/auto/sources Tue Jun 21 17:25:36 2022 +0300 -+++ b/auto/sources Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea auto/sources +--- a/auto/sources Tue Jul 19 17:05:27 2022 +0300 ++++ b/auto/sources Fri Sep 16 14:00:14 2022 -0400 
@@ -83,7 +83,7 @@ CORE_SRCS="src/core/nginx.c \ EVENT_MODULES="ngx_events_module ngx_event_core_module" @@ -631,9 +629,9 @@ diff -r 5da2c0902e8e auto/sources EVENT_DEPS="src/event/ngx_event.h \ src/event/ngx_event_timer.h \ -diff -r 5da2c0902e8e src/core/nginx.c ---- a/src/core/nginx.c Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/core/nginx.c Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/core/nginx.c +--- a/src/core/nginx.c Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/core/nginx.c Fri Sep 16 14:00:14 2022 -0400 @@ -680,6 +680,9 @@ ngx_exec_new_binary(ngx_cycle_t *cycle, ls = cycle->listening.elts; @@ -644,9 +642,9 @@ diff -r 5da2c0902e8e src/core/nginx.c p = ngx_sprintf(p, "%ud;", ls[i].fd); } -diff -r 5da2c0902e8e src/core/ngx_bpf.c +diff -r a63d0a70afea src/core/ngx_bpf.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/core/ngx_bpf.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/core/ngx_bpf.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,143 @@ + +/* @@ -791,9 +789,9 @@ diff -r 5da2c0902e8e src/core/ngx_bpf.c + + return ngx_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr)); +} -diff -r 5da2c0902e8e src/core/ngx_bpf.h +diff -r a63d0a70afea src/core/ngx_bpf.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/core/ngx_bpf.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/core/ngx_bpf.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,43 @@ + +/* @@ -838,9 +836,9 @@ diff -r 5da2c0902e8e src/core/ngx_bpf.h +int ngx_bpf_map_lookup(int fd, const void *key, void *value); + +#endif /* _NGX_BPF_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/core/ngx_connection.c ---- a/src/core/ngx_connection.c Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/core/ngx_connection.c Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/core/ngx_connection.c +--- a/src/core/ngx_connection.c Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/core/ngx_connection.c Fri Sep 16 14:00:14 2022 -0400 @@ -72,10 +72,6 @@ ngx_create_listening(ngx_conf_t *cf, str ngx_memcpy(ls->addr_text.data, text, len); 
@@ -865,9 +863,9 @@ diff -r 5da2c0902e8e src/core/ngx_connection.c c = ls[i].connection; if (c) { -diff -r 5da2c0902e8e src/core/ngx_connection.h ---- a/src/core/ngx_connection.h Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/core/ngx_connection.h Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/core/ngx_connection.h +--- a/src/core/ngx_connection.h Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/core/ngx_connection.h Fri Sep 16 14:00:14 2022 -0400 @@ -73,6 +73,7 @@ struct ngx_listening_s { unsigned reuseport:1; unsigned add_reuseport:1; @@ -887,9 +885,9 @@ diff -r 5da2c0902e8e src/core/ngx_connection.h #if (NGX_SSL || NGX_COMPAT) ngx_ssl_connection_t *ssl; #endif -diff -r 5da2c0902e8e src/core/ngx_core.h ---- a/src/core/ngx_core.h Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/core/ngx_core.h Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/core/ngx_core.h +--- a/src/core/ngx_core.h Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/core/ngx_core.h Fri Sep 16 14:00:14 2022 -0400 @@ -27,6 +27,7 @@ typedef struct ngx_connection_s ngx typedef struct ngx_thread_task_s ngx_thread_task_t; typedef struct ngx_ssl_s ngx_ssl_t; @@ -918,9 +916,9 @@ diff -r 5da2c0902e8e src/core/ngx_core.h #define LF (u_char) '\n' -diff -r 5da2c0902e8e src/event/ngx_event.c ---- a/src/event/ngx_event.c Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/event/ngx_event.c Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/event/ngx_event.c +--- a/src/event/ngx_event.c Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/event/ngx_event.c Fri Sep 16 14:00:14 2022 -0400 @@ -267,6 +267,18 @@ ngx_process_events_and_timers(ngx_cycle_ ngx_int_t ngx_handle_read_event(ngx_event_t *rev, ngx_uint_t flags) 
@@ -977,9 +975,9 @@ diff -r 5da2c0902e8e src/event/ngx_event.c #if (NGX_HAVE_REUSEPORT) -diff -r 5da2c0902e8e src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/event/ngx_event_openssl.c Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/event/ngx_event_openssl.c Fri Sep 16 14:00:14 2022 -0400 @@ -3149,6 +3149,13 @@ ngx_ssl_shutdown(ngx_connection_t *c) ngx_err_t err; ngx_uint_t tries; @@ -994,9 +992,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_openssl.c rc = NGX_OK; ngx_ssl_ocsp_cleanup(c); -diff -r 5da2c0902e8e src/event/ngx_event_openssl.h ---- a/src/event/ngx_event_openssl.h Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/event/ngx_event_openssl.h Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/event/ngx_event_openssl.h +--- a/src/event/ngx_event_openssl.h Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/event/ngx_event_openssl.h Fri Sep 16 14:00:14 2022 -0400 @@ -24,6 +24,14 @@ #include #endif @@ -1012,9 +1010,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_openssl.h #include #ifndef OPENSSL_NO_OCSP #include -diff -r 5da2c0902e8e src/event/ngx_event_udp.c ---- a/src/event/ngx_event_udp.c Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/event/ngx_event_udp.c Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/event/ngx_event_udp.c +--- a/src/event/ngx_event_udp.c Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/event/ngx_event_udp.c Fri Sep 16 14:00:14 2022 -0400 @@ -12,13 +12,6 @@ #if !(NGX_WIN32) 
@@ -1029,9 +1027,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_udp.c static void ngx_close_accepted_udp_connection(ngx_connection_t *c); static ssize_t ngx_udp_shared_recv(ngx_connection_t *c, u_char *buf, size_t size); -diff -r 5da2c0902e8e src/event/ngx_event_udp.h ---- a/src/event/ngx_event_udp.h Tue Jun 21 17:25:36 2022 +0300 -+++ b/src/event/ngx_event_udp.h Tue Jul 19 12:13:58 2022 -0400 +diff -r a63d0a70afea src/event/ngx_event_udp.h +--- a/src/event/ngx_event_udp.h Tue Jul 19 17:05:27 2022 +0300 ++++ b/src/event/ngx_event_udp.h Fri Sep 16 14:00:14 2022 -0400 @@ -23,6 +23,13 @@ #endif @@ -1046,9 +1044,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_udp.h #if (NGX_HAVE_ADDRINFO_CMSG) typedef union { -diff -r 5da2c0902e8e src/event/quic/bpf/bpfgen.sh +diff -r a63d0a70afea src/event/quic/bpf/bpfgen.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/bpf/bpfgen.sh Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/bpf/bpfgen.sh Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,113 @@ +#!/bin/bash + @@ -1163,9 +1161,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/bpfgen.sh +process_section +generate_tail + -diff -r 5da2c0902e8e src/event/quic/bpf/makefile +diff -r a63d0a70afea src/event/quic/bpf/makefile --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/bpf/makefile Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/bpf/makefile Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,30 @@ +CFLAGS=-O2 -Wall + @@ -1197,9 +1195,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/makefile + llvm-objdump -S -no-show-raw-insn $< + +.DELETE_ON_ERROR: -diff -r 5da2c0902e8e src/event/quic/bpf/ngx_quic_reuseport_helper.c +diff -r a63d0a70afea src/event/quic/bpf/ngx_quic_reuseport_helper.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/bpf/ngx_quic_reuseport_helper.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/bpf/ngx_quic_reuseport_helper.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,140 @@ +#include +#include 
@@ -1341,9 +1339,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/ngx_quic_reuseport_helper.c + */ + return SK_PASS; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,1459 @@ + +/* @@ -1585,7 +1583,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c + return NULL; + } + -+ qc->keys = ngx_quic_keys_new(c->pool); ++ qc->keys = ngx_pcalloc(c->pool, sizeof(ngx_quic_keys_t)); + if (qc->keys == NULL) { + return NULL; + } @@ -1672,7 +1670,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c + } + } + -+ if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid) ++ if (ngx_quic_keys_set_initial_secret(qc->keys, &pkt->dcid, c->log) + != NGX_OK) + { + return NULL; @@ -2804,9 +2802,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c + + ngx_quic_finalize_connection(c, qc->shutdown_code, qc->shutdown_reason); +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,123 @@ + +/* @@ -2931,9 +2929,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.h + ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len); + +#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_ack.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_ack.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_ack.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,1193 @@ + +/* 
@@ -4128,9 +4126,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.c + + return NGX_OK; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_ack.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_ack.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_ack.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,30 @@ + +/* @@ -4162,9 +4160,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.h + ngx_quic_send_ctx_t *ctx); + +#endif /* _NGX_EVENT_QUIC_ACK_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_bpf.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_bpf.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_bpf.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,657 @@ + +/* @@ -4823,9 +4821,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf.c + + return NGX_OK; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf_code.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_bpf_code.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_bpf_code.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_bpf_code.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,88 @@ +/* AUTO-GENERATED, DO NOT EDIT. */ + @@ -4915,9 +4913,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf_code.c + .license = "BSD", + .type = BPF_PROG_TYPE_SK_REUSEPORT, +}; -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connection.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_connection.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_connection.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_connection.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,276 @@ +/* + * Copyright (C) Nginx, Inc. 
@@ -5195,9 +5193,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connection.h +#endif + +#endif /* _NGX_EVENT_QUIC_CONNECTION_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_connid.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_connid.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_connid.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,502 @@ + +/* @@ -5701,9 +5699,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.c + + return NGX_OK; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_connid.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_connid.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_connid.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,29 @@ + +/* @@ -5734,9 +5732,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.h + ngx_quic_client_id_t *cid); + +#endif /* _NGX_EVENT_QUIC_CONNID_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_frames.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_frames.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_frames.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,844 @@ + +/* @@ -6582,9 +6580,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.c +} + +#endif -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_frames.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_frames.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_frames.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,43 @@ + +/* 
@@ -6629,9 +6627,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.h +#endif + +#endif /* _NGX_EVENT_QUIC_FRAMES_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_migration.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_migration.c Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_migration.c Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,671 @@ + +/* @@ -7304,9 +7302,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.c + ngx_add_timer(&qc->path_validation, next); + } +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_migration.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_migration.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_migration.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,42 @@ + +/* @@ -7350,10 +7348,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.h +void ngx_quic_path_validation_handler(ngx_event_t *ev); + +#endif /* _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_output.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_output.c Tue Jul 19 12:13:58 2022 -0400 -@@ -0,0 +1,1283 @@ ++++ b/src/event/quic/ngx_event_quic_output.c Fri Sep 16 14:00:14 2022 -0400 +@@ -0,0 +1,1292 @@ + +/* + * Copyright (C) Nginx, Inc. @@ -8284,6 +8282,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c +{ + ssize_t len; + ngx_str_t res; ++ ngx_quic_keys_t keys; + ngx_quic_frame_t frame; + ngx_quic_header_t pkt; + 
@@ -8312,12 +8311,11 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c + return NGX_ERROR; + } + -+ pkt.keys = ngx_quic_keys_new(c->pool); -+ if (pkt.keys == NULL) { -+ return NGX_ERROR; -+ } ++ ngx_memzero(&keys, sizeof(ngx_quic_keys_t)); ++ ++ pkt.keys = &keys; + -+ if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid) ++ if (ngx_quic_keys_set_initial_secret(pkt.keys, &inpkt->dcid, c->log) + != NGX_OK) + { + return NGX_ERROR; @@ -8365,10 +8363,14 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c + + u_char buf[NGX_QUIC_RETRY_BUFFER_SIZE]; + u_char dcid[NGX_QUIC_SERVER_CID_LEN]; ++ u_char tbuf[NGX_QUIC_TOKEN_BUF_SIZE]; + + expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME; + -+ if (ngx_quic_new_token(c, c->sockaddr, c->socklen, conf->av_token_key, ++ token.data = tbuf; ++ token.len = NGX_QUIC_TOKEN_BUF_SIZE; ++ ++ if (ngx_quic_new_token(c->log, c->sockaddr, c->socklen, conf->av_token_key, + &token, &inpkt->dcid, expires, 1) + != NGX_OK) + { @@ -8431,11 +8433,16 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c + ngx_quic_frame_t *frame; + ngx_quic_connection_t *qc; + ++ u_char tbuf[NGX_QUIC_TOKEN_BUF_SIZE]; ++ + qc = ngx_quic_get_connection(c); + + expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME; + -+ if (ngx_quic_new_token(c, path->sockaddr, path->socklen, ++ token.data = tbuf; ++ token.len = NGX_QUIC_TOKEN_BUF_SIZE; ++ ++ if (ngx_quic_new_token(c->log, path->sockaddr, path->socklen, + qc->conf->av_token_key, &token, NULL, expires, 0) + != NGX_OK) + { @@ -8637,9 +8644,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c + + return size; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_output.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_output.h Tue Jul 19 12:13:58 2022 -0400 ++++ b/src/event/quic/ngx_event_quic_output.h Fri Sep 16 14:00:14 2022 -0400 @@ -0,0 +1,40 @@ + +/* 
@@ -8681,10 +8688,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.h + size_t min, ngx_quic_path_t *path); + +#endif /* _NGX_EVENT_QUIC_OUTPUT_H_INCLUDED_ */ -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c +diff -r a63d0a70afea src/event/quic/ngx_event_quic_protection.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_protection.c Tue Jul 19 12:13:58 2022 -0400 -@@ -0,0 +1,1177 @@ ++++ b/src/event/quic/ngx_event_quic_protection.c Fri Sep 16 14:00:14 2022 -0400 +@@ -0,0 +1,1123 @@ + +/* + * Copyright (C) Nginx, Inc. @@ -8697,8 +8704,6 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c +#include + + -+/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */ -+#define NGX_QUIC_IV_LEN 12 +/* RFC 9001, 5.4.1. Header Protection Application: 5-byte mask */ +#define NGX_QUIC_HP_LEN 5 + @@ -8723,25 +8728,23 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c +} ngx_quic_ciphers_t; + + -+typedef struct ngx_quic_secret_s { -+ ngx_str_t secret; -+ ngx_str_t key; -+ ngx_str_t iv; -+ ngx_str_t hp; -+} ngx_quic_secret_t; -+ -+ +typedef struct { -+ ngx_quic_secret_t client; -+ ngx_quic_secret_t server; -+} ngx_quic_secrets_t; ++ size_t out_len; ++ u_char *out; + ++ size_t prk_len; ++ const uint8_t *prk; + -+struct ngx_quic_keys_s { -+ ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST]; -+ ngx_quic_secrets_t next_key; -+ ngx_uint_t cipher; -+}; ++ size_t label_len; ++ const u_char *label; ++} ngx_quic_hkdf_t; ++ ++#define ngx_quic_hkdf_set(label, out, prk) \ ++ { \ ++ (out)->len, (out)->data, \ ++ (prk)->len, (prk)->data, \ ++ (sizeof(label) - 1), (u_char *)(label), \ ++ } + + +static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len, 
@@ -8765,8 +8768,8 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + ngx_str_t *ad, ngx_log_t *log); +static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher, + ngx_quic_secret_t *s, u_char *out, u_char *in); -+static ngx_int_t ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, -+ ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len); ++static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, ++ const EVP_MD *digest, ngx_log_t *log); + +static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt, + ngx_str_t *res); @@ -8832,8 +8835,8 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + + +ngx_int_t -+ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys, -+ ngx_str_t *secret) ++ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret, ++ ngx_log_t *log) +{ + size_t is_len; + uint8_t is[SHA256_DIGEST_LENGTH]; @@ -8870,12 +8873,12 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + .len = is_len + }; + -+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0, ++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0, + "quic ngx_quic_set_initial_secret"); +#ifdef NGX_QUIC_DEBUG_CRYPTO -+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, ++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0, + "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt); -+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, ++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0, + "quic initial secret len:%uz %*xs", is_len, is_len, is); +#endif + 
@@ -8891,28 +8894,20 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + client->iv.len = NGX_QUIC_IV_LEN; + server->iv.len = NGX_QUIC_IV_LEN; + -+ struct { -+ ngx_str_t label; -+ ngx_str_t *key; -+ ngx_str_t *prk; -+ } seq[] = { ++ ngx_quic_hkdf_t seq[] = { + /* labels per RFC 9001, 5.1. Packet Protection Keys */ -+ { ngx_string("tls13 client in"), &client->secret, &iss }, -+ { ngx_string("tls13 quic key"), &client->key, &client->secret }, -+ { ngx_string("tls13 quic iv"), &client->iv, &client->secret }, -+ { ngx_string("tls13 quic hp"), &client->hp, &client->secret }, -+ { ngx_string("tls13 server in"), &server->secret, &iss }, -+ { ngx_string("tls13 quic key"), &server->key, &server->secret }, -+ { ngx_string("tls13 quic iv"), &server->iv, &server->secret }, -+ { ngx_string("tls13 quic hp"), &server->hp, &server->secret }, ++ ngx_quic_hkdf_set("tls13 client in", &client->secret, &iss), ++ ngx_quic_hkdf_set("tls13 quic key", &client->key, &client->secret), ++ ngx_quic_hkdf_set("tls13 quic iv", &client->iv, &client->secret), ++ ngx_quic_hkdf_set("tls13 quic hp", &client->hp, &client->secret), ++ ngx_quic_hkdf_set("tls13 server in", &server->secret, &iss), ++ ngx_quic_hkdf_set("tls13 quic key", &server->key, &server->secret), ++ ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret), ++ ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret), + }; + + for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { -+ -+ if (ngx_quic_hkdf_expand(pool, digest, seq[i].key, &seq[i].label, -+ seq[i].prk->data, seq[i].prk->len) -+ != NGX_OK) -+ { ++ if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) { + return NGX_ERROR; + } + } 
@@ -8922,40 +8917,34 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + + +static ngx_int_t -+ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, ngx_str_t *out, -+ ngx_str_t *label, const uint8_t *prk, size_t prk_len) ++ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log) +{ + size_t info_len; + uint8_t *p; + uint8_t info[20]; + -+ if (out->data == NULL) { -+ out->data = ngx_pnalloc(pool, out->len); -+ if (out->data == NULL) { -+ return NGX_ERROR; -+ } -+ } -+ -+ info_len = 2 + 1 + label->len + 1; ++ info_len = 2 + 1 + h->label_len + 1; + + info[0] = 0; -+ info[1] = out->len; -+ info[2] = label->len; -+ p = ngx_cpymem(&info[3], label->data, label->len); ++ info[1] = h->out_len; ++ info[2] = h->label_len; ++ ++ p = ngx_cpymem(&info[3], h->label, h->label_len); + *p = '\0'; + -+ if (ngx_hkdf_expand(out->data, out->len, digest, -+ prk, prk_len, info, info_len) ++ if (ngx_hkdf_expand(h->out, h->out_len, digest, ++ h->prk, h->prk_len, info, info_len) + != NGX_OK) + { -+ ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, -+ "ngx_hkdf_expand(%V) failed", label); ++ ngx_ssl_error(NGX_LOG_INFO, log, 0, ++ "ngx_hkdf_expand(%*s) failed", h->label_len, h->label); + return NGX_ERROR; + } + +#ifdef NGX_QUIC_DEBUG_CRYPTO -+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0, -+ "quic expand %V key len:%uz %xV", label, out->len, out); ++ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0, ++ "quic expand \"%*s\" len:%uz %*xs", ++ h->label_len, h->label, h->out_len, h->out_len, h->out); +#endif + + return NGX_OK; 
@@ -9334,11 +9323,12 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + + +ngx_int_t -+ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write, ++ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write, + ngx_quic_keys_t *keys, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) +{ + ngx_int_t key_len; ++ ngx_str_t secret_str; + ngx_uint_t i; + ngx_quic_secret_t *peer_secret; + ngx_quic_ciphers_t ciphers; @@ -9351,12 +9341,13 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level); + + if (key_len == NGX_ERROR) { -+ ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher"); ++ ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher"); + return NGX_ERROR; + } + -+ peer_secret->secret.data = ngx_pnalloc(pool, secret_len); -+ if (peer_secret->secret.data == NULL) { ++ if (sizeof(peer_secret->secret.data) < secret_len) { ++ ngx_log_error(NGX_LOG_ALERT, log, 0, ++ "unexpected secret len: %uz", secret_len); + return NGX_ERROR; + } + 
@@ -9367,22 +9358,17 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + peer_secret->iv.len = NGX_QUIC_IV_LEN; + peer_secret->hp.len = key_len; + -+ struct { -+ ngx_str_t label; -+ ngx_str_t *key; -+ const uint8_t *secret; -+ } seq[] = { -+ { ngx_string("tls13 quic key"), &peer_secret->key, secret }, -+ { ngx_string("tls13 quic iv"), &peer_secret->iv, secret }, -+ { ngx_string("tls13 quic hp"), &peer_secret->hp, secret }, ++ secret_str.len = secret_len; ++ secret_str.data = (u_char *) secret; ++ ++ ngx_quic_hkdf_t seq[] = { ++ ngx_quic_hkdf_set("tls13 quic key", &peer_secret->key, &secret_str), ++ ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str), ++ ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str), + }; + + for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { -+ -+ if (ngx_quic_hkdf_expand(pool, ciphers.d, seq[i].key, &seq[i].label, -+ seq[i].secret, secret_len) -+ != NGX_OK) -+ { ++ if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) { + return NGX_ERROR; + } + } @@ -9391,13 +9377,6 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c +} + + -+ngx_quic_keys_t * -+ngx_quic_keys_new(ngx_pool_t *pool) -+{ -+ return ngx_pcalloc(pool, sizeof(ngx_quic_keys_t)); -+} -+ -+ +ngx_uint_t +ngx_quic_keys_available(ngx_quic_keys_t *keys, + enum ssl_encryption_level_t level) 
@@ -9456,49 +9435,23 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + next->server.iv.len = NGX_QUIC_IV_LEN; + next->server.hp = current->server.hp; + -+ struct { -+ ngx_str_t label; -+ ngx_str_t *key; -+ ngx_str_t *secret; -+ } seq[] = { -+ { -+ ngx_string("tls13 quic ku"), -+ &next->client.secret, -+ ¤t->client.secret, -+ }, -+ { -+ ngx_string("tls13 quic key"), -+ &next->client.key, -+ &next->client.secret, -+ }, -+ { -+ ngx_string("tls13 quic iv"), -+ &next->client.iv, -+ &next->client.secret, -+ }, -+ { -+ ngx_string("tls13 quic ku"), -+ &next->server.secret, -+ ¤t->server.secret, -+ }, -+ { -+ ngx_string("tls13 quic key"), -+ &next->server.key, -+ &next->server.secret, -+ }, -+ { -+ ngx_string("tls13 quic iv"), -+ &next->server.iv, -+ &next->server.secret, -+ }, ++ ngx_quic_hkdf_t seq[] = { ++ ngx_quic_hkdf_set("tls13 quic ku", ++ &next->client.secret, ¤t->client.secret), ++ ngx_quic_hkdf_set("tls13 quic key", ++ &next->client.key, &next->client.secret), ++ ngx_quic_hkdf_set("tls13 quic iv", ++ &next->client.iv, &next->client.secret), ++ ngx_quic_hkdf_set("tls13 quic ku", ++ &next->server.secret, ¤t->server.secret), ++ ngx_quic_hkdf_set("tls13 quic key", ++ &next->server.key, &next->server.secret), ++ ngx_quic_hkdf_set("tls13 quic iv", ++ &next->server.iv, &next->server.secret), + }; + + for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { -+ -+ if (ngx_quic_hkdf_expand(c->pool, ciphers.d, seq[i].key, &seq[i].label, -+ seq[i].secret->data, seq[i].secret->len) -+ != NGX_OK) -+ { ++ if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) { + return NGX_ERROR; + } + } @@ -9596,7 +9549,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + } + + secret.key.len = sizeof(key); -+ secret.key.data = key; ++ ngx_memcpy(secret.key.data, key, sizeof(key)); + secret.iv.len = NGX_QUIC_IV_LEN; + + if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log) 
@@ -9862,10 +9815,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c + + return NGX_OK; +} -diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.h +diff -r a63d0a70afea src/event/quic/ngx_event_quic_protection.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/src/event/quic/ngx_event_quic_protection.h Tue Jul 19 12:13:58 2022 -0400 -@@ -0,0 +1,37 @@ ++++ b/src/event/quic/ngx_event_quic_protection.h Fri Sep 16 14:00:14 2022 -0400 +@@ -0,0 +1,75 @@ + +/* + * Copyright (C) Nginx, Inc. @@ -9884,11 +9837,49 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.h + +#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1) + ++/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */ ++#define NGX_QUIC_IV_LEN 12 ++ ++/* largest hash used in TLS is SHA-384 */ ++#define NGX_QUIC_MAX_MD_SIZE 48 ++ ++ ++typedef struct { ++ size_t len; ++ u_char data[NGX_QUIC_MAX_MD_SIZE]; ++} ngx_quic_md_t; ++ ++ ++typedef struct { ++ size_t len; ++ u_char data[NGX_QUIC_IV_LEN]; ++} ngx_quic_iv_t; ++ ++ ++typedef struct { ++ ngx_quic_md_t secret; ++ ngx_quic_md_t key; ++ ngx_quic_iv_t iv; ++ ngx_quic_md_t hp; ++} ngx_quic_secret_t; ++ ++ ++typedef struct { ++ ngx_quic_secret_t client; ++ ngx_quic_secret_t server; ++} ngx_quic_secrets_t; + -+ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool); -+ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, -+ ngx_quic_keys_t *keys, ngx_str_t *secret); -+ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ++ ++struct ngx_quic_keys_s { ++ ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST]; ++ ngx_quic_secrets_t next_key; ++ ngx_uint_t cipher; ++}; ++ ++ ++ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, *** 698 LINES SKIPPED ***
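Review bot: in the initial-secrets hunk (`ngx_quic_hkdf_t seq[] = { ngx_quic_hkdf_set("tls13 client in", &client->secret, &iss), ... }`), the loop now depends on `ngx_quic_hkdf_t` and the `ngx_quic_hkdf_set()` helper, neither of which is defined in the hunks shown; for `ngx_quic_hkdf_expand(&seq[i], digest, log)` to work the type must carry `label`/`label_len`, `out`/`out_len` and `prk`/`prk_len`, so please confirm the patch also includes the hunk that defines them. The label set itself is unchanged from the removed `struct { ngx_str_t label; ... }` table and still matches the RFC 9001 5.1 derivation order (secret, then key, iv and hp for each side), so no functional change is expected there.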
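Review bot: the rewritten `ngx_quic_hkdf_expand()` still builds the HkdfLabel in a fixed `uint8_t info[20]` with `info_len = 2 + 1 + h->label_len + 1` and no check that `info_len <= sizeof(info)`. It is safe only because the longest label in this patch, "tls13 client in" / "tls13 server in" (15 bytes), gives `info_len` of 19; now that the label is a plain pointer/length pair instead of an `ngx_str_t` built with `ngx_string()`, a future caller with a longer label would overrun the stack buffer. Suggest adding `if (info_len > sizeof(info)) { return NGX_ERROR; }` before the `ngx_cpymem()`. Likewise `info[0] = 0; info[1] = h->out_len;` writes the 16-bit HkdfLabel length assuming `out_len < 256`, which holds for the `NGX_QUIC_MAX_MD_SIZE` and `NGX_QUIC_IV_LEN` buffers but deserves a comment since `out_len` is a `size_t` truncated to one byte.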
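Review bot: in `ngx_quic_keys_set_encryption_secret()`, the new `if (sizeof(peer_secret->secret.data) < secret_len)` guard is the right replacement for the dropped `ngx_pnalloc()`, since the peer secret now lives in the inline `ngx_quic_md_t` array; logging it with `ngx_log_error(NGX_LOG_ALERT, ...)` rather than the `ngx_ssl_error(NGX_LOG_INFO, ...)` used for "unexpected cipher" a few lines above is appropriate, because a TLS secret longer than 48 bytes indicates an internal mismatch with the supported digests, not peer-controlled input. The `secret_str.data = (u_char *) secret;` cast drops `const` on the caller's buffer; it is only read by the HKDF sequence, so this is fine, but a short comment would prevent a later writer from treating it as mutable.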
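Review bot: removing `ngx_quic_keys_new()` here (and its prototype in the header hunk) changes the ownership model: `ngx_quic_keys_t` is no longer `ngx_pcalloc()`'d but embedded by the caller via the now-public `struct ngx_quic_keys_s`, so every former call site must be updated in the same patch and the embedding object must still be zero-initialised. Also note that the old `ngx_quic_hkdf_expand()` used `out->data == NULL` to decide whether to allocate; with fixed arrays there is no NULL pointer to test any more, so any remaining code that distinguishes "no secret yet" from "secret present" has to key on `len` instead.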
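Review bot: in the key-update hunk, the `¤t->client.secret` / `¤t->server.secret` tokens are an archive artifact, not a source error: the mail rendering decoded `&curren` inside `&current->...` as the `¤` entity, so the real lines read `&current->client.secret` and `&current->server.secret`. Separately, `ngx_memcpy(secret.key.data, key, sizeof(key));` replacing `secret.key.data = key;` copies into the inline `data[NGX_QUIC_MAX_MD_SIZE]` array and is only safe if `key` is declared with at most 48 bytes; since `secret.key.len = sizeof(key);` is set right beside it, an explicit `sizeof(key) <= sizeof(secret.key.data)` check or comment would make that size dependency visible to the next reader.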
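Review bot: the header hunk's new `ngx_quic_md_t` (48 bytes, `NGX_QUIC_MAX_MD_SIZE`) and `ngx_quic_iv_t` (12 bytes, `NGX_QUIC_IV_LEN`, per the RFC 5116 5.1 / RFC 8439 2.3 comment) are what let the `.c` hunks drop pool allocation and bound `secret_len` against `sizeof(peer_secret->secret.data)`; the comment "largest hash used in TLS is SHA-384" would be more precise as "largest hash used by TLS 1.3 cipher suites", since that is what bounds the QUIC secrets. One consequence worth a follow-up: key material now sits inline in `struct ngx_quic_keys_s` (secrets for every encryption level plus `next_key`) instead of in pool memory, and none of the visible hunks clears it when a level's keys are discarded or the connection is torn down; an explicit wipe with `ngx_explicit_memzero()` at those points would keep old secrets from lingering in the connection object.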