Open ssl 1 1 1m+quic #68
Merged: tmshort merged 34 commits into quictls:OpenSSL_1_1_1m+quic from tmshort:OpenSSL_1_1_1m+quic on Dec 14, 2021
Changes from 33 commits (34 commits in the branch)
4d4cd37
QUIC: Add support for BoringSSL QUIC APIs
tmshort 35e49b6
QUIC: Fix resumption secret
tmshort af71ccc
QUIC: Handle EndOfEarlyData and MaxEarlyData
tmshort 48503b1
QUIC: Increase HKDF_MAXBUF to 2048
tmshort 1ffdf71
QUIC: Fall-through for 0RTT
tmshort d4f4c54
QUIC: Some cleanup for the main QUIC changes
kaduk 0f84d89
QUIC: Prevent KeyUpdate for QUIC
kaduk 3669e90
QUIC: Test KeyUpdate rejection
kaduk eda855f
QUIC: Test HKDF with empty IKM
kaduk 24ea1af
QUIC: Allow zero-length HKDF keys
kaduk f4b0194
QUIC: Buffer all provided quic data
kaduk 6a5be53
QUIC: enforce consistent encryption level for handshake messages
kaduk 5233a6d
QUIC: add v1 quic_transport_parameters
tmshort e45b6c6
QUIC: return success when no post-handshake data
tmshort 13a21ad
QUIC: Update shared library version
tmshort 01d5c6b
QUIC: Swap around README files
tmshort 5d62d39
QUIC: Fix 1.1.1 GitHub CI
tmshort 928b58d
QUIC: Add compile/run-time checking for QUIC
tmshort be51461
QUIC: Add early data support (#8)
tatsuhiro-t 257041c
QUIC: Make SSL_provide_quic_data accept 0 length data (#10)
tatsuhiro-t 9b62b2b
QUIC: Process multiple post-handshake messages in a single call (#14)
tatsuhiro-t 0a6abde
QUIC: Tighten up some language in SSL_CTX_set_quic_method.pod (#12)
kaduk 099060d
QUIC: Fix typo in README.md (#21)
NanXiao 17a9991
QUIC: Add SSL_new_session_ticket() API
kaduk adaeddb
QUIC: Add test for SSL_new_session_ticket()
kaduk 49de233
QUIC: make update for SSL_new_session_ticket()
kaduk 77231e8
QUIC: Fix up whitespace nits introduced by PR #11416
kaduk f78d874
QUIC: SSL_new_session_ticket() support (#26)
kaduk 4f527dd
QUIC: Fix no-quic builds
tmshort a7b3570
QUIC: Error when non-empty session_id in CH (fixes #29)
tmshort cbd25f5
QUIC: Update SSL_clear() to clear quic data
tmshort 5ee222c
QUIC: Better SSL_clear()
tmshort 2bca4de
QUIC: Update README
tmshort 3109721
fixup! QUIC: Update README
tmshort
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
What This Is | ||
============ | ||
|
||
This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition | ||
to the website, the official source distribution is at | ||
<https://github.com/openssl/openssl>. The OpenSSL `README` can be found at | ||
[README-OpenSSL.md](https://github.com/quictls/openssl/blob/OpenSSL_1_1_1l%2Bquic/README-OpenSSL.md). | ||
|
||
This fork adds APIs that can be used by QUIC implementations for connection | ||
handshakes. Quoting the IETF Working group | ||
[charter](https://datatracker.ietf.org/wg/quic/about/), QUIC is a "UDP-based, | ||
stream-multiplexing, encrypted transport protocol." If you don't need QUIC, you | ||
should use the official OpenSSL distributions. | ||
|
||
The APIs here are used by Microsoft's | ||
[MsQuic](https://github.com/microsoft/msquic) and Google's | ||
[Chromium QUIC](https://chromium.googlesource.com/chromium/src/+/master/net/quic/) | ||
|
||
We are not in competition with OpenSSL project. We informed them of | ||
our plans to fork the code before we went public. We do not speak for the | ||
OpenSSL project, and can only point to a | ||
[blog post](https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/) and | ||
[openssl-project email](https://github.com/quictls/openssl/discussions/54) | ||
that provides their view of QUIC support. | ||
|
||
As stated in their blog post, the OpenSSL team is focused on their 3.0 release | ||
(released 2021-09-07), and does not intend to add QUIC functionality to 1.1.x. | ||
There is a community need for a QUIC-capable TLS library. This fork is intended | ||
as stopgap solution to enable higher level frameworks and runtimes to use QUIC | ||
with the proven and reliable TLS functionality from OpenSSL. This fork will be | ||
maintained until OpenSSL officially provides reasonable support for QUIC | ||
implementations. | ||
|
||
This fork can be considered a supported version of | ||
[OpenSSL PR 8797](https://github.com/openssl/openssl/pull/8797). | ||
We will endeavor to track OpenSSL releases within a day or so, and there is an | ||
item below about how we'll follow their tagging. | ||
|
||
On to the questions and answers. | ||
|
||
What about branches? | ||
-------------------- | ||
We don't want to conflict with OpenSSL branch names. Our current plan is to append | ||
`+quic`. Release tags are likely to be the QUIC branch with `-releaseX` appended. | ||
For example, the OpenSSL tag `openssl-3.0.0` would have a branch named | ||
`openssl-3.0.0+quic` and a release tag of `openssl-3.0.0+quic-release1`. | ||
|
||
How are you keeping current with OpenSSL? | ||
----------------------------------------- | ||
(In other words, "What about rebasing?") | ||
|
||
Our plan is to always rebase on top of an upstream release tag. In particular: | ||
- The changes for QUIC will always be at the tip of the branch -- you will know what | ||
is from the original OpenSSL and what is for QUIC. | ||
- New versions are quickly created once upstream creates a new tag. | ||
- The use of git commands (such as "cherry") can be used to ensure that all changes | ||
have moved forward with minimal or no changes. You will be able to see "QUIC: Add X" | ||
on all branches and the commit itself will be nearly identical on all branches, and | ||
any changes to that can be easily identified. | ||
|
||
What about library names? | ||
------------------------- | ||
Library names will be the same, but will use a different version number. The version | ||
numbers for the current OpenSSL libraries are `1.1` (for the 1.1.0 and 1.1.1 branches) | ||
and `3` (for the 3.0 branch). We will be prefixing `81` (ASCII for 'Q') to | ||
the version numbers to generate a unique version number. | ||
|
||
- `libcrypto.so.81.3` vs `libcrypto.so.3` | ||
- `libcrypto.so.81.1.1` vs `libcrypto.so.1.1` | ||
- `libssl.so.81.3` vs `libssl.so.3` | ||
- `libssl.so.81.1.1` vs `libssl.so.1.1` | ||
|
||
The SONAME of these libraries are all different, guaranteeing the correct library | ||
will be used. | ||
|
||
...and the executable? | ||
---------------------- | ||
We currently do not have any plans to change the name, mainly because we | ||
haven't made any changes there. If you see a need, please open an issue. | ||
|
||
The `openssl version` command will report that it is `+quic` enabled. | ||
|
||
...and FIPS? | ||
------------ | ||
We are not doing anything with FIPS. This is actually good news: you should | ||
be able to load the OpenSSL 3.0 FIPS module into an application built against | ||
this fork and everything should Just Work™. | ||
|
||
How can I contribute? | ||
--------------------- | ||
We want any code here to be acceptable to OpenSSL. This means that all contributors | ||
must have signed the appropriate | ||
[contributor license agreements](https://www.openssl.org/policies/cla.html). We | ||
will not ask for copies of any paperwork, you just need to tell us that you've | ||
done so (and we might verify with OpenSSL). We are only interested in making it | ||
easier and better for at least the mentioned QUIC implementations to use a variant | ||
of OpenSSL. If you have a pull request that changes the TLS protocol, or adds | ||
assembly support for a new CPU, or otherwise is not specific to enabling QUIC, | ||
please contribute that to OpenSSL. This fork is intended to be a clean extension | ||
to OpenSSL, with the deltas being specific to QUIC. | ||
|
||
Who are you? | ||
------------ | ||
This is a collaborative effort between [Akamai](https://www.akamai.com) and | ||
[Microsoft](https://www.microsoft.com). We welcome anyone to contribute! |
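Review bot: The README-OpenSSL.md link in the "What This Is" paragraph still points at the `OpenSSL_1_1_1l%2Bquic` branch, while this PR targets `OpenSSL_1_1_1m+quic`; since the plan stated under "How are you keeping current with OpenSSL?" is to rebase onto each upstream tag, this link should be updated to the 1.1.1m branch (or made branch-relative) so readers of this branch are not sent to the previous release's tree. Two small wording nits in the same file: "We are not in competition with OpenSSL project" should read "with the OpenSSL project", and "This fork is intended as stopgap solution" should read "as a stopgap solution".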
This should change to reference 1.1.1m.