From adde9f0e8c18b606e920ae399996ae480e757f39 Mon Sep 17 00:00:00 2001 From: vvb2060 on github Date: Wed, 4 May 2022 05:14:38 +0800 Subject: [PATCH] ngtcp2: support boringssl crypto backend Closes #8789 --- lib/vquic/ngtcp2.c | 75 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 73 insertions(+), 2 deletions(-) diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c index a6d577a7b..e8d919b4d 100644 --- a/lib/vquic/ngtcp2.c +++ b/lib/vquic/ngtcp2.c @@ -28,7 +28,11 @@ #include #ifdef USE_OPENSSL #include +#ifdef OPENSSL_IS_BORINGSSL +#include +#else #include +#endif #include "vtls/openssl.h" #elif defined(USE_GNUTLS) #include @@ -207,6 +211,58 @@ static int write_client_handshake(struct quicsocket *qs, } #ifdef USE_OPENSSL +#ifdef OPENSSL_IS_BORINGSSL +static int quic_set_read_secret(SSL *ssl, + enum ssl_encryption_level_t ssl_level, + const SSL_CIPHER *cipher UNUSED_PARAM, + const uint8_t *secret, + size_t secretlen) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + ngtcp2_crypto_level level = + ngtcp2_crypto_boringssl_from_ssl_encryption_level(ssl_level); + + if(ngtcp2_crypto_derive_and_install_rx_key( + qs->qconn, NULL, NULL, NULL, level, secret, secretlen) != 0) + return 0; + + if(level == NGTCP2_CRYPTO_LEVEL_APPLICATION) { + if(init_ngh3_conn(qs) != CURLE_OK) + return 0; + } + + return 1; +} + +static int quic_set_write_secret(SSL *ssl, + enum ssl_encryption_level_t ssl_level, + const SSL_CIPHER *cipher UNUSED_PARAM, + const uint8_t *secret, + size_t secretlen) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + ngtcp2_crypto_level level = + ngtcp2_crypto_boringssl_from_ssl_encryption_level(ssl_level); + + if(ngtcp2_crypto_derive_and_install_tx_key( + qs->qconn, NULL, NULL, NULL, level, secret, secretlen) != 0) + return 0; + + return 1; +} + +static int quic_add_handshake_data(SSL *ssl, + enum ssl_encryption_level_t ssl_level, + const uint8_t *data, + size_t len) +{ + struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); + ngtcp2_crypto_level level = + ngtcp2_crypto_boringssl_from_ssl_encryption_level(ssl_level); + + return write_client_handshake(qs, level, data, len); +} +#else static int quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level, const uint8_t *rx_secret, @@ -214,7 +270,8 @@ static int quic_set_encryption_secrets(SSL *ssl, size_t secretlen) { struct quicsocket *qs = (struct quicsocket *)SSL_get_app_data(ssl); - int level = ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level); + ngtcp2_crypto_level level = + ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level); if(ngtcp2_crypto_derive_and_install_rx_key( qs->qconn, NULL, NULL, NULL, level, rx_secret, secretlen) != 0) @@ -241,6 +298,7 @@ static int quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level, return write_client_handshake(qs, level, data, len); } +#endif static int quic_flush_flight(SSL *ssl) { @@ -258,7 +316,13 @@ static int quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, return 1; } -static SSL_QUIC_METHOD quic_method = {quic_set_encryption_secrets, +static SSL_QUIC_METHOD quic_method = { +#ifdef OPENSSL_IS_BORINGSSL + quic_set_read_secret, + quic_set_write_secret, +#else + quic_set_encryption_secrets, +#endif quic_add_handshake_data, quic_flush_flight, quic_send_alert}; @@ -272,6 +336,12 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) SSL_CTX_set_default_verify_paths(ssl_ctx); +#ifdef OPENSSL_IS_BORINGSSL + if(SSL_CTX_set1_curves_list(ssl_ctx, QUIC_GROUPS) != 1) { + failf(data, "SSL_CTX_set1_curves_list failed"); + return NULL; + } +#else if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) { char error_buffer[256]; ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer)); @@ -283,6 +353,7 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) failf(data, "SSL_CTX_set1_groups_list failed"); return NULL; } +#endif SSL_CTX_set_quic_method(ssl_ctx, &quic_method);