QUIC for 3.3.0 #159
Conversation
Looks like some more work needed for CI to work, will update in a bit.
d84337d to 9f3c339
This adds a compatible API for BoringSSL's QUIC support, based on the current draft-ietf-quic-tls.
Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe
Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a
Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8
Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81
Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b
Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d
Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03
Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942
Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
Looks like all checks pass modulo the fuzzer, but that seems to have run fine other times?
I do not understand what the difference is between the two fuzzer builds. @tmshort any ideas? Going to fiddle with the docs some more, and then a review would be very appreciated.
I wouldn't worry about it. The one tagged
The
Any updates here @wbl ?
Sorry, I think balls ended up on floors as I've forgotten to poke. I've made the comparison branch and gotten this one to what I think is a reviewable state, but another set of eyes would be helpful. So take a look or re-remind me what I need to do first.
some nits, some politics. didn't look closely at the bulk of the QUIC changes since they look like they always do.
The OpenSSL project does not distribute the toolkit in binary form. | ||
The APIs here are used by Microsoft's | ||
[MsQuic](https://github.com/microsoft/msquic) and Google's | ||
[Chromium QUIC](https://chromium.googlesource.com/chromium/src/+/master/net/quic/) |
add ", among others."
README.md (outdated)
--------------------------- | ||
This fork can be considered a supported version of | ||
[OpenSSL PR 8797](https://github.com/openssl/openssl/pull/8797). | ||
We will endeavor to track OpenSSL releases within a day or so, and there is an |
s/within a day or so/within days/ ?
int SSL_clear_quic(SSL *s) | ||
{ | ||
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); |
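Review bot: `sc` is assigned from `SSL_CONNECTION_FROM_SSL(s)` here and then dereferenced (`sc->quic_write_level = ...` further down in this file) with no NULL check in between. In upstream 3.x that macro returns NULL when `s` is not an SSL_CONNECTION object, and the neighbouring public entry points in ssl_lib.c guard it with `if (sc == NULL) return 0;` right after the call; if this tree keeps that behaviour, the same guard belongs here before the first use of `sc`.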
blank line after decl?
ssl/ssl_lib.c (outdated)
sc->quic_write_level = ssl_encryption_initial; | ||
sc->quic_latest_level_received = ssl_encryption_initial; | ||
while (sc->quic_input_data_head != NULL) { | ||
QUIC_DATA *qd; |
could merge with the assignment on 584
ssl/ssl_lib.c (outdated)
OPENSSL_free(s->ext.peer_quic_transport_params); | ||
BUF_MEM_free(s->quic_buf); | ||
while (s->quic_input_data_head != NULL) { | ||
QUIC_DATA *qd; |
could also merge here.
ssl/statem/statem_lib.c (outdated)
s->init_num); | ||
if (!ret) { | ||
ret = -1; | ||
/* QUIC can't sent anything out sice the above failed */ |
s/sent/send/ s/sice/since/
Thanks @richsalz for looking it over. I'll fix up the comments if no one else chimes in with more soon in a separate commit.
Sorry, I haven't followed up here in a while. I just updated microsoft/msquic#4274 to use the latest commit here with the latest version of MsQuic and I am seeing build failures on Ubuntu 24.04. Note, the last time I tried this, we didn't build for 24.04 yet, so this isn't necessarily a recent break, but it is a regression from previous v3 openssl. https://github.com/microsoft/msquic/actions/runs/9974479617/job/27562154754#step:8:2184
@nibanks I'll look into that failure: if those things got redefined to be macros or functions across versions, maybe it's a build picking up wrong things sort of issue, but we should know that for sure and I'll go attack it. What's the easiest way for me to locally reproduce where I can poke around the image/reproduce in CI: open a junk PR to MsQuic?
Do you want to try to repro locally or just let MsQuic CI/CD do the heavy lifting? If you want to use MsQuic, yeah, just make a draft PR and I will approve the automation to run.
I think I've got to play with it locally just to understand. But wait, is it just me or is it linking the new libssl.a to the system libcrypto.so? Then I'm not surprised it doesn't work, as those got introduced in patch openssl@5c42ced.
Ah, you're right! It's all our builds with the
My first reaction is why on earth would you expect this to work out nicely, and why do you need it: is there some other way to get what you want here? Note that the FIPS module is entirely unaffected by this issue as that dynamically loads with a much more restricted interface.
Alternatively try 3.3 as the system version, but that might have other issues |
We need to dynamically link to the system libcrypto for FIPS compliance (because we can't bring our own binary). But we cannot link to the system libssl because it's not the quictls fork. This has worked out so far for previous v1 and v3 versions of openssl.
I don't think we had to specify anything version specific in the past. Any suggestions on how we'd test this out?
That's odd: they were supposed to have limited fips issues to fips.so, but maybe you're doing something different.
Ideally just an apt-get update and install the new version ahead of running the existing script. Not really sure about where it is in Ubuntu.
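The failure discussed above (a freshly built static libssl.a linked against the distribution's older libcrypto.so, which lacks symbols the fork's libssl now expects) can be caught before the link step by comparing the archive's unresolved references with what the shared library actually exports. The script below is an added example, my code rather than anything from the PR, quictls or MsQuic; it parses plain `nm` output so it can be run offline on captured listings, and the embedded listings are constructed samples whose names such as `ossl_newer_crypto_helper` are hypothetical and say nothing about what any real libcrypto exports.

```python
"""Report symbols a static libssl.a needs that a shared libcrypto.so does not export.

Added example (not code from the PR, quictls or MsQuic). It works on the text
output of `nm`, so it can be run offline on captured listings. The embedded
listings are constructed samples; names such as ossl_newer_crypto_helper are
hypothetical and say nothing about what any real libcrypto exports.
"""
import re
import subprocess
import sys
from typing import Iterable, Set

# A symbol line from nm looks like "0000000000045a10 T name@@VER" (defined) or
# "                 U name" (undefined, no address column).
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")

# nm type letters meaning "this object defines the symbol": text, weak text,
# data, bss, read-only, weak object, ifunc, unique global.
DEFINED_KINDS = "TWDBRViu"


def parse_nm(lines: Iterable[str], kinds: str) -> Set[str]:
    """Names of symbols whose nm type letter is in `kinds`.

    Version suffixes (name@VER, name@@VER) are stripped so that a symbol
    exported as e.g. OPENSSL_3.0.0 matches the plain undefined reference
    recorded in the static library.
    """
    names = set()
    for raw in lines:
        m = _NM_LINE.match(raw.strip())
        if m is None:
            continue  # member headers like "ssl_lib.o:", blank lines
        kind, name = m.groups()
        if kind in kinds:
            names.add(name.split("@", 1)[0])
    return names


def missing_from_shared(static_nm: Iterable[str], *shared_nms: Iterable[str]) -> Set[str]:
    """Undefined references of the archive that none of the shared libraries export.

    `static_nm` is the output of `nm libssl.a`; each entry of `shared_nms` is
    the output of `nm -D` for a shared library the final link will pull in
    (libcrypto.so, plus libc if its symbols should be accounted for too).
    References resolved by another member of the same archive are dropped first.
    """
    static_lines = list(static_nm)
    needed = parse_nm(static_lines, "U") - parse_nm(static_lines, DEFINED_KINDS)
    provided: Set[str] = set()
    for nm_out in shared_nms:
        provided |= parse_nm(nm_out, DEFINED_KINDS)
    return needed - provided


def check_libraries(static_path: str, *shared_paths: str) -> Set[str]:
    """Run nm on real files and compare them (needs binutils on PATH)."""
    static_out = subprocess.run(["nm", static_path], capture_output=True,
                                text=True, check=True).stdout.splitlines()
    shared_outs = [subprocess.run(["nm", "-D", p], capture_output=True,
                                  text=True, check=True).stdout.splitlines()
                   for p in shared_paths]
    return missing_from_shared(static_out, *shared_outs)


# Constructed sample listings (not real nm output from any build).
STATIC_LIBSSL_NM = """
ssl_lib.o:
0000000000000000 T SSL_clear_quic
                 U OPENSSL_free
                 U BUF_MEM_free
                 U ossl_newer_crypto_helper
                 U ossl_quic_reset_levels
                 U memcpy

quic_impl.o:
0000000000000000 T ossl_quic_reset_levels
                 U SSL_clear_quic
"""

SYSTEM_LIBCRYPTO_NM_D = """
0000000000045a10 T OPENSSL_free@@OPENSSL_3.0.0
0000000000051b20 T BUF_MEM_free@@OPENSSL_3.0.0
                 w __cxa_finalize
0000000000000000 A OPENSSL_3.0.0
"""

LIBC_NM_D = """
00000000000a1b00 i memcpy@@GLIBC_2.14
"""

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        missing = check_libraries(sys.argv[1], *sys.argv[2:])
    else:
        missing = missing_from_shared(STATIC_LIBSSL_NM.splitlines(),
                                      SYSTEM_LIBCRYPTO_NM_D.splitlines(),
                                      LIBC_NM_D.splitlines())
    for name in sorted(missing):
        print("unresolved:", name)
    sys.exit(1 if missing else 0)
```

Run it as `python3 check_link.py libssl.a /usr/lib/x86_64-linux-gnu/libcrypto.so.3 /lib/x86_64-linux-gnu/libc.so.6` (paths are whatever your distribution uses). Any name it prints is a reference the link will leave unresolved; an OpenSSL-prefixed name in that list is exactly the situation in this thread, where the system libcrypto predates the commit that introduced the symbol, and the only fixes are a libcrypto that matches the fork's libssl or not splitting the two libraries across versions.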
What's the status of this PR?
I'd like more than just Rich's approval on it, given the size and scope and the number of decisions I had to make that people could possibly have issues with. Please take a look and either approve or say what you want to change.
Built fine with the latest ngtcp2 and all tests passed. Thank you for great work.
I just pushed the latest to microsoft/msquic#4274 to run it all again. If only our 'use system libcrypto' tests fail, I'm fine for merging this. I still need to figure out a solution for that though...
@nibanks I agree, let's merge this once your results are known.
@nibanks it looks like it's just the usesystem openssl tests failing, but I'm not that familiar with your tests. @tatsuhiro-t pkgconfig is a bit of a black box to me I'm afraid. If you would be so kind, open another issue after we merge this where we can solve that problem.
I'm sorry. I just haven't had the time to follow up on this. I will see if I can make progress tomorrow morning, otherwise, don't wait on me.
@wbl All right. Let's move on. Will check after the merge to check that it is still an issue.
I have two questions related to this merge, not sure it's the best place to ask, sorry in advance. Would it be possible to get a release with the QUIC patchset on top of openssl-3.3.2? It has two CVEs fixed in it. Do we need to build this quictls with enable-quic & no-boring-ssl-api? I tried applying the openssl 3.3.0->3.3.2 patchset on top of quictls-3.3.0, but when enabling QUIC with the BoringSSL API disabled, I get these errors:
It has been merged, but we're no longer actively working on 3.3+quic. We are instead focused on the quictls/quictls fork. If the community wants to take over maintenance of this branch, feel free. We can add committers as needed. |
Review carefully: we've tested the code decently well (thanks @nibanks). The branch wladd/quic-comparison-branch has everything squashed down to ease review. I renamed our feature to boring-quic-api in this branch as the first big change, hopefully everywhere it needed to happen in the build system.