[PATCH] QUIC: OpenSSL compatibility layer

Sergey Kandaurov pluknet at nginx.com
Wed Feb 8 12:28:10 UTC 2023


On Mon, Feb 06, 2023 at 06:27:01PM +0400, Roman Arutyunyan wrote:
> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1675427689 -14400
> #      Fri Feb 03 16:34:49 2023 +0400
> # Branch quic
> # Node ID 9cf1fc42260e7e0e19fe5707f1b054d6499a4157
> # Parent  def8e398d7c50131f8dac844814fff729da5c86c
> QUIC: OpenSSL compatibility layer.
> 
> The change allows compiling QUIC with OpenSSL, which lacks the BoringSSL QUIC API.
> 
> This implementation does not support 0-RTT.
> 
> diff --git a/README b/README
> --- a/README
> +++ b/README
> @@ -53,7 +53,7 @@ 1. Introduction
>  
>  2. Installing
>  
> -    A library that provides QUIC support is required to build nginx, there
> +    A library that provides QUIC support is recommended to build nginx, there
>      are several of those available on the market:
>      + BoringSSL [4]
>      + LibreSSL [5]
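Review bot: the edited line still carries the comma splice in "recommended to build nginx, there are several of those available on the market"; since the line is being touched anyway, end the sentence at "nginx" and start a new one ("There are several of those available:"), which also lets "on the market" go.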
> @@ -85,6 +85,10 @@ 2. Installing
>                         --with-cc-opt="-I../libressl/build/include" \
>                         --with-ld-opt="-L../libressl/build/lib"
>  
> +    Alternatively, nginx can be configured with OpenSSL compatibility
> +    layer, which emulates BoringSSL QUIC API for OpenSSL.  This mode is
> +    enabled by default if native QUIC support is not detected.
> +
>      When configuring nginx, it's possible to enable QUIC and HTTP/3
>      using the following new configuration options:
>  
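Review bot: the new README paragraph omits the limitation stated in the commit message, that the compatibility layer does not support 0-RTT; add a sentence to that effect so readers understand why a native QUIC library is still recommended over the default fallback. Minor: "configured with OpenSSL compatibility layer" should read "with the OpenSSL compatibility layer".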
> diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
> --- a/auto/lib/openssl/conf
> +++ b/auto/lib/openssl/conf
> @@ -10,6 +10,7 @@ if [ $OPENSSL != NONE ]; then
>  
>      if [ $USE_OPENSSL_QUIC = YES ]; then
>          have=NGX_QUIC . auto/have
> +        have=NGX_QUIC_OPENSSL_COMPAT . auto/have
>      fi
>  
>      case "$CC" in
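Review bot: inside `if [ $OPENSSL != NONE ]` (a --with-openssl=<path> source build) the new `have=NGX_QUIC_OPENSSL_COMPAT . auto/have` is unconditional, so the compatibility layer is also compiled in when the bundled source tree is BoringSSL or another library with native QUIC support. That contradicts the README wording in this same patch ("enabled by default if native QUIC support is not detected"); either gate the line on a probe of the bundled source or say in the README that static builds always use the compatibility layer.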
> @@ -124,6 +125,43 @@ else
>              CORE_INCS="$CORE_INCS $ngx_feature_path"
>              CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
>              OPENSSL=YES

Given that you moved these tests under OpenSSL tests, some things
can be simplified, such as ngx_feature_run and ngx_feature_incs.

> +
> +            if [ $USE_OPENSSL_QUIC = YES ]; then
> +
> +                ngx_feature="OpenSSL QUIC support"
> +                ngx_feature_name="NGX_OPENSSL_QUIC"

This seems to revive NGX_OPENSSL_QUIC, unused since 7603284f7af5.
It could be replaced with the NGX_QUIC feature name, but this makes
it hard to co-exist with the NGX_QUIC_OPENSSL_COMPAT feature name below.
So the simplest is just to remove this line.

> +                ngx_feature_run=no
> +                ngx_feature_incs="#include <openssl/ssl.h>"
> +                ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
> +                . auto/feature
> +
> +                if [ $ngx_found = no ]; then
> +
> +                    ngx_feature="OpenSSL QUIC compatibility"
> +                    ngx_feature_name="NGX_QUIC_OPENSSL_COMPAT"
> +                    ngx_feature_run=no
> +                    ngx_feature_incs="#include <openssl/ssl.h>"
> +                    ngx_feature_test="
> +                        (void) TLS1_3_VERSION;

Note that SSL_CTX_add_custom_ext() seems to be enough there, because
this API was added in OpenSSL 1.1.1 only, which has TLSv1.3 support.
This makes testing TLS1_3_VERSION redundant.
Though, I don't insist against such an explicit test.

So this can be simplified to:

diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -129,9 +129,6 @@ else
             if [ $USE_OPENSSL_QUIC = YES ]; then
 
                 ngx_feature="OpenSSL QUIC support"
-                ngx_feature_name="NGX_OPENSSL_QUIC"
-                ngx_feature_run=no
-                ngx_feature_incs="#include <openssl/ssl.h>"
                 ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
                 . auto/feature
 
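Review bot: dropping `ngx_feature_name="NGX_OPENSSL_QUIC"` without assigning anything leaves ngx_feature_name holding whatever the preceding OpenSSL library probe set, so a successful SSL_set_quic_method() test would define that stale name again rather than nothing; set `ngx_feature_name=` explicitly before `. auto/feature` so the probe only influences $ngx_found.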
@@ -139,10 +136,7 @@ else
 
                     ngx_feature="OpenSSL QUIC compatibility"
                     ngx_feature_name="NGX_QUIC_OPENSSL_COMPAT"
-                    ngx_feature_run=no
-                    ngx_feature_incs="#include <openssl/ssl.h>"
                     ngx_feature_test="
-                        (void) TLS1_3_VERSION;
                         SSL_CTX_add_custom_ext(NULL, 0, 0, NULL, NULL,
                                                NULL, NULL, NULL)"
                     . auto/feature
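Review bot: with ngx_feature_run and ngx_feature_incs removed here and in the previous hunk, both QUIC probes depend on the earlier OpenSSL library test having left ngx_feature_run=no and the <openssl/ssl.h> include in place; that holds today but is an implicit ordering dependency, so a one-line comment before the first probe saying that it reuses the library test's settings would make the simplification safer to maintain.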

> +                        SSL_CTX_add_custom_ext(NULL, 0, 0, NULL, NULL,
> +                                               NULL, NULL, NULL)"
> +                    . auto/feature
> +                fi
> +
> +                if [ $ngx_found = no ]; then
> +cat << END
> +
> +$0: error: certain modules require OpenSSL QUIC support.
> +You can either do not enable the modules, or install the OpenSSL library with
> +QUIC support into the system, or build the OpenSSL library with QUIC support
> +statically from the source with nginx by using --with-openssl=<path> option.
> +
> +END
> +                        exit 1
> +                fi
> +
> +                have=NGX_QUIC . auto/have
> +            fi
>          fi
>      fi
>  
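Review bot: the error heredoc is carried over verbatim although it is now reached only when both the native QUIC probe and the compatibility probe fail; since the latter tests only SSL_CTX_add_custom_ext(), the text should also say that OpenSSL 1.1.1 or newer is sufficient through the compatibility layer instead of only pointing at a QUIC-enabled library. Two smaller points while the block is being moved: `exit 1` is indented to 24 columns whereas the enclosing `if`/`fi` sit at 16, so it belongs at 20, and "You can either do not enable the modules" should read "You can either not enable the modules".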
> @@ -139,29 +177,4 @@ with nginx by using --with-openssl=<path
>  END
>          exit 1
>      fi
> -
> -    if [ $USE_OPENSSL_QUIC = YES ]; then
> -
> -        ngx_feature="OpenSSL QUIC support"
> -        ngx_feature_name="NGX_QUIC"
> -        ngx_feature_run=no
> -        ngx_feature_incs="#include <openssl/ssl.h>"
> -        ngx_feature_path=
> -        ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
> -        ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
> -        . auto/feature
> -
> -        if [ $ngx_found = no ]; then
> -
> -cat << END
> -
> -$0: error: certain modules require OpenSSL QUIC support.
> -You can either do not enable the modules, or install the OpenSSL library with
> -QUIC support into the system, or build the OpenSSL library with QUIC support
> -statically from the source with nginx by using --with-openssl=<path> option.
> -
> -END
> -            exit 1
> -        fi
> -    fi

N.B. there is an empty line in the default branch

>  fi
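Review bot: the removed block also reset `ngx_feature_path=` and hard-coded `ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"`, whereas the relocated probes inherit the path and libs left behind by whichever OpenSSL library test succeeded; that is the better behaviour for a library in a non-default prefix, but it is a functional change beyond a plain move, so it deserves a sentence in the commit message.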
> diff --git a/auto/modules b/auto/modules
> --- a/auto/modules
> +++ b/auto/modules
> @@ -1342,7 +1342,8 @@ if [ $USE_OPENSSL_QUIC = YES ]; then
>                       src/event/quic/ngx_event_quic_tokens.h \
>                       src/event/quic/ngx_event_quic_ack.h \
>                       src/event/quic/ngx_event_quic_output.h \
> -                     src/event/quic/ngx_event_quic_socket.h"
> +                     src/event/quic/ngx_event_quic_socket.h \
> +                     src/event/quic/ngx_event_quic_openssl_compat.h"
>      ngx_module_srcs="src/event/quic/ngx_event_quic.c \
>                       src/event/quic/ngx_event_quic_udp.c \
>                       src/event/quic/ngx_event_quic_transport.c \
> @@ -1355,7 +1356,8 @@ if [ $USE_OPENSSL_QUIC = YES ]; then
>                       src/event/quic/ngx_event_quic_tokens.c \
>                       src/event/quic/ngx_event_quic_ack.c \
>                       src/event/quic/ngx_event_quic_output.c \
> -                     src/event/quic/ngx_event_quic_socket.c"
> +                     src/event/quic/ngx_event_quic_socket.c \
> +                     src/event/quic/ngx_event_quic_openssl_compat.c"
>  
>      ngx_module_libs=
>      ngx_module_link=YES
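Review bot: ngx_event_quic_openssl_compat.c is added to ngx_module_srcs for every USE_OPENSSL_QUIC build, including those where native QUIC support was detected and NGX_QUIC_OPENSSL_COMPAT is therefore not defined; the file body needs to be wrapped in #if (NGX_QUIC_OPENSSL_COMPAT) so it compiles to an empty translation unit there, and the same guard applies to the header added in the previous hunk.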
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -9,6 +9,10 @@
>  #include <ngx_core.h>
>  #include <ngx_event.h>
>  
> +#if (NGX_QUIC_OPENSSL_COMPAT)
> +#include <ngx_event_quic_openssl_compat.h>
> +#endif
> +

This is unused now and can be removed.

[..]

The rest of the patch looks good.
