[PATCH] QUIC: OpenSSL compatibility layer
Sergey Kandaurov
pluknet at nginx.com
Wed Feb 8 12:28:10 UTC 2023
On Mon, Feb 06, 2023 at 06:27:01PM +0400, Roman Arutyunyan wrote:
> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1675427689 -14400
> # Fri Feb 03 16:34:49 2023 +0400
> # Branch quic
> # Node ID 9cf1fc42260e7e0e19fe5707f1b054d6499a4157
> # Parent def8e398d7c50131f8dac844814fff729da5c86c
> QUIC: OpenSSL compatibility layer.
>
> The change allows compiling QUIC with OpenSSL, which lacks the BoringSSL QUIC API.
>
> This implementation does not support 0-RTT.
>
> diff --git a/README b/README
> --- a/README
> +++ b/README
> @@ -53,7 +53,7 @@ 1. Introduction
>
> 2. Installing
>
> - A library that provides QUIC support is required to build nginx, there
> + A library that provides QUIC support is recommended to build nginx, there
> are several of those available on the market:
> + BoringSSL [4]
> + LibreSSL [5]
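Review bot: "recommended" in `+ A library that provides QUIC support is recommended to build nginx, there` gives the reader no reason for the downgrade from "required" until the paragraph added further down this file; since the commit message states the fallback does not support 0-RTT, say so here, e.g. "is recommended to build nginx (without one, QUIC is built through the OpenSSL compatibility layer and 0-RTT is unavailable); there are several ...".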
> @@ -85,6 +85,10 @@ 2. Installing
> --with-cc-opt="-I../libressl/build/include" \
> --with-ld-opt="-L../libressl/build/lib"
>
> + Alternatively, nginx can be configured with OpenSSL compatibility
> + layer, which emulates BoringSSL QUIC API for OpenSSL. This mode is
> + enabled by default if native QUIC support is not detected.
> +
> When configuring nginx, it's possible to enable QUIC and HTTP/3
> using the following new configuration options:
>
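Review bot: the added paragraph omits the one user-visible limitation stated in the commit message ("This implementation does not support 0-RTT"); append it so that people who end up in this mode by default know what they lose. Also "configured with OpenSSL compatibility layer" reads better as "configured with the OpenSSL compatibility layer".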
> diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
> --- a/auto/lib/openssl/conf
> +++ b/auto/lib/openssl/conf
> @@ -10,6 +10,7 @@ if [ $OPENSSL != NONE ]; then
>
> if [ $USE_OPENSSL_QUIC = YES ]; then
> have=NGX_QUIC . auto/have
> + have=NGX_QUIC_OPENSSL_COMPAT . auto/have
> fi
>
> case "$CC" in
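Review bot: `+ have=NGX_QUIC_OPENSSL_COMPAT . auto/have` is unconditional inside the `if [ $OPENSSL != NONE ]` branch, where no feature test runs, so a source tree passed via `--with-openssl=<path>` that already provides the native QUIC API would still be built through the emulation layer (and without 0-RTT), with the compat sources compiled against a library that has the real API. Either document that `--with-openssl` always selects the compatibility layer, or give that branch a way to choose native support.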
> @@ -124,6 +125,43 @@ else
> CORE_INCS="$CORE_INCS $ngx_feature_path"
> CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
> OPENSSL=YES
Given that you moved these tests under OpenSSL tests, some things
can be simplified, such as ngx_feature_run and ngx_feature_incs.
> +
> + if [ $USE_OPENSSL_QUIC = YES ]; then
> +
> + ngx_feature="OpenSSL QUIC support"
> + ngx_feature_name="NGX_OPENSSL_QUIC"
This seems to revive NGX_OPENSSL_QUIC, unused since 7603284f7af5.
It could be replaced with the NGX_QUIC feature name, but this makes
it hard to co-exist with the NGX_QUIC_OPENSSL_COMPAT feature name below.
So the simplest is just to remove this line.
> + ngx_feature_run=no
> + ngx_feature_incs="#include <openssl/ssl.h>"
> + ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
> + . auto/feature
> +
> + if [ $ngx_found = no ]; then
> +
> + ngx_feature="OpenSSL QUIC compatibility"
> + ngx_feature_name="NGX_QUIC_OPENSSL_COMPAT"
> + ngx_feature_run=no
> + ngx_feature_incs="#include <openssl/ssl.h>"
> + ngx_feature_test="
> + (void) TLS1_3_VERSION;
Note that SSL_CTX_add_custom_ext() seems to be enough there, because
this API was added in OpenSSL 1.1.1 only, which has TLSv1.3 support.
This makes testing TLS1_3_VERSION redundant.
Though, I don't insist against such an explicit test.
So this can be simplified to:
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -129,9 +129,6 @@ else
if [ $USE_OPENSSL_QUIC = YES ]; then
ngx_feature="OpenSSL QUIC support"
- ngx_feature_name="NGX_OPENSSL_QUIC"
- ngx_feature_run=no
- ngx_feature_incs="#include <openssl/ssl.h>"
ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
. auto/feature
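Review bot: dropping `- ngx_feature_name="NGX_OPENSSL_QUIC"` without assigning `ngx_feature_name=` leaves the variable holding the name from the preceding feature test, and auto/feature still calls auto/have with a non-empty ngx_feature_name on success; the resulting duplicate define is harmless under the `#ifndef` guard, but clearing it explicitly makes the intent visible and avoids a surprise if the preceding test is ever renamed.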
@@ -139,10 +136,7 @@ else
ngx_feature="OpenSSL QUIC compatibility"
ngx_feature_name="NGX_QUIC_OPENSSL_COMPAT"
- ngx_feature_run=no
- ngx_feature_incs="#include <openssl/ssl.h>"
ngx_feature_test="
- (void) TLS1_3_VERSION;
SSL_CTX_add_custom_ext(NULL, 0, 0, NULL, NULL,
NULL, NULL, NULL)"
. auto/feature
> + SSL_CTX_add_custom_ext(NULL, 0, 0, NULL, NULL,
> + NULL, NULL, NULL)"
> + . auto/feature
> + fi
> +
> + if [ $ngx_found = no ]; then
> +cat << END
> +
> +$0: error: certain modules require OpenSSL QUIC support.
> +You can either do not enable the modules, or install the OpenSSL library with
> +QUIC support into the system, or build the OpenSSL library with QUIC support
> +statically from the source with nginx by using --with-openssl=<path> option.
> +
> +END
> + exit 1
> + fi
> +
> + have=NGX_QUIC . auto/have
> + fi
> fi
> fi
>
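Review bot: the error text `$0: error: certain modules require OpenSSL QUIC support.` is now reached only after both the native test (`SSL_set_quic_method`) and the compatibility test (`SSL_CTX_add_custom_ext`) fail, so "install the OpenSSL library with QUIC support" is no longer the only way out; given the note above that SSL_CTX_add_custom_ext() exists since OpenSSL 1.1.1, say that OpenSSL 1.1.1 or later (or a library with native QUIC support) is required. While touching it, "You can either do not enable the modules" should read "You can either not enable the modules".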
> @@ -139,29 +177,4 @@ with nginx by using --with-openssl=<path
> END
> exit 1
> fi
> -
> - if [ $USE_OPENSSL_QUIC = YES ]; then
> -
> - ngx_feature="OpenSSL QUIC support"
> - ngx_feature_name="NGX_QUIC"
> - ngx_feature_run=no
> - ngx_feature_incs="#include <openssl/ssl.h>"
> - ngx_feature_path=
> - ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
> - ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
> - . auto/feature
> -
> - if [ $ngx_found = no ]; then
> -
> -cat << END
> -
> -$0: error: certain modules require OpenSSL QUIC support.
> -You can either do not enable the modules, or install the OpenSSL library with
> -QUIC support into the system, or build the OpenSSL library with QUIC support
> -statically from the source with nginx by using --with-openssl=<path> option.
> -
> -END
> - exit 1
> - fi
> - fi
N.B. there is an empty line in the default branch
> fi
> diff --git a/auto/modules b/auto/modules
> --- a/auto/modules
> +++ b/auto/modules
> @@ -1342,7 +1342,8 @@ if [ $USE_OPENSSL_QUIC = YES ]; then
> src/event/quic/ngx_event_quic_tokens.h \
> src/event/quic/ngx_event_quic_ack.h \
> src/event/quic/ngx_event_quic_output.h \
> - src/event/quic/ngx_event_quic_socket.h"
> + src/event/quic/ngx_event_quic_socket.h \
> + src/event/quic/ngx_event_quic_openssl_compat.h"
> ngx_module_srcs="src/event/quic/ngx_event_quic.c \
> src/event/quic/ngx_event_quic_udp.c \
> src/event/quic/ngx_event_quic_transport.c \
> @@ -1355,7 +1356,8 @@ if [ $USE_OPENSSL_QUIC = YES ]; then
> src/event/quic/ngx_event_quic_tokens.c \
> src/event/quic/ngx_event_quic_ack.c \
> src/event/quic/ngx_event_quic_output.c \
> - src/event/quic/ngx_event_quic_socket.c"
> + src/event/quic/ngx_event_quic_socket.c \
> + src/event/quic/ngx_event_quic_openssl_compat.c"
>
> ngx_module_libs=
> ngx_module_link=YES
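Review bot: `src/event/quic/ngx_event_quic_openssl_compat.c` is added to ngx_module_srcs for every `USE_OPENSSL_QUIC = YES` build, including those where the native QUIC API was detected and NGX_QUIC_OPENSSL_COMPAT is therefore not defined; that only works if the whole file body is wrapped in `#if (NGX_QUIC_OPENSSL_COMPAT)`, otherwise the emulated BoringSSL QUIC API would collide with the library's own symbols. Worth stating in the commit message, or gating the source list on the same condition as the auto/lib/openssl/conf tests.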
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -9,6 +9,10 @@
> #include <ngx_core.h>
> #include <ngx_event.h>
>
> +#if (NGX_QUIC_OPENSSL_COMPAT)
> +#include <ngx_event_quic_openssl_compat.h>
> +#endif
> +
This is unused now and can be removed.
[..]
The rest of the patch looks good.