Duplicate EVP_MD structure when necessary

Many OpenSSL APIs return const EVP_MD pointers (e.g., EVP_sha256), and sometimes you need to resolve errors like the following:

error: cast discards 'const' qualifier from pointer target type [-Werror=cast-qual]

You can either suppress the warning like this or duplicate EVP_MD:

EVP_MD *md = EVP_MD_meth_dup(EVP_sha256());
......
EVP_MD_meth_free(md);

Use openssl APIs to generate initial secrets of QUIC

From QUIC draft 29:

The secrets for the Initial encryption level are computed based on the client’s initial Destination Connection ID, as described in Section 5.2.

The draft also gives an example of the secrets for Initial packets, and I used OpenSSL APIs to demonstrate it:

# ./main
initial_secret(32): 1e7e7764529715b1e0ddc8e9753c61576769605187793ed366f8bbf8c9e986eb
client_in_secret(32): 0088119288f1d866733ceeed15ff9d50902cf82952eee27e9d4d4918ea371d87
quic_key(16): 175257a31eb09dea9366d8bb79ad80ba
quic_iv(12): 6b26114b9cba2b63a9e8dd4f
quic_hp(16): 9ddd12c994c0698b89374a9c077a3077

P.S., the code can be downloaded here.
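
The derivation behind the output above, as an added example (not the downloadable code from this post): it re-implements HKDF-Extract and HKDF-Expand-Label with Python's standard library instead of OpenSSL, so the printed values can be cross-checked independently. The salt and the client Destination Connection ID are assumed to be those of the draft 29 Appendix A example; they are not shown on this page.

```python
import hashlib
import hmac

# Assumed inputs (QUIC draft 29, Appendix A example; not shown on this page).
INITIAL_SALT = bytes.fromhex("afbfec289993d24c9e9786f19c6111e04390a899")
CLIENT_DCID = bytes.fromhex("8394c8f03e515708")
HASH_LEN = hashlib.sha256().digest_size  # 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(n) = HMAC(PRK, T(n-1) | info | n)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid HKDF output length")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: str, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, section 7.1), empty context."""
    full_label = b"tls13 " + label.encode("ascii")
    # HkdfLabel = uint16 length | opaque label<7..255> | opaque context<0..255>
    info = length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label + b"\x00"
    return hkdf_expand(secret, info, length)

def client_initial_keys(dcid: bytes, salt: bytes = INITIAL_SALT) -> dict:
    """Derive the client's Initial secret, AEAD key, IV and header-protection key."""
    initial_secret = hkdf_extract(salt, dcid)
    client_in = hkdf_expand_label(initial_secret, "client in", 32)
    return {
        "initial_secret": initial_secret,
        "client_in_secret": client_in,
        "quic_key": hkdf_expand_label(client_in, "quic key", 16),
        "quic_iv": hkdf_expand_label(client_in, "quic iv", 12),
        "quic_hp": hkdf_expand_label(client_in, "quic hp", 16),
    }

if __name__ == "__main__":
    # Prints in the same "name(len): hex" form as the output above.
    for name, value in client_initial_keys(CLIENT_DCID).items():
        print(f"{name}({len(value)}): {value.hex()}")
```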


Wireshark’s support of google QUIC

I am a newbie to the QUIC protocol. Now that Chrome has enabled gQUIC support by default, I wanted to capture some packets to check. Surprisingly, when I opened Wireshark, set the gquic || quic filter, and tried to access YouTube or Google, nothing was displayed. But in fact, there were some packets that used the gQUIC protocol, i.e., there is “Q050” in the following diagram:

I checked the Wireshark code base; unfortunately, Wireshark only supports gQUIC up to Q043 (please refer to this commit).

Be aware of blocking IO APIs

Yesterday, I did a performance analysis for a project. This is the output of the mpstat command for the old version:

And this is the CPU utilisation for the new version:

For the new version, the iowait ratio is remarkably high. After checking the code, I found that the original serialisation was just an fflush, but for some reason it had been replaced by fdatasync, which is a blocking API that only returns when the data has been transferred to the storage device. Therefore, the thread that invokes fdatasync will be stuck there and can’t process any other messages. So we must be careful when using blocking IO APIs; sometimes they may bring results you don’t want.