Openssl 3.0.15+quic #171
Merged
Openssl 3.0.15+quic #171
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds a compatible API for BoringSSL's QUIC support, based on the current |draft-ietf-quic-tls|. Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8 Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81 Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03 Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942 Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
Create quic_change_cipher_state() that does the minimal required to generate the QUIC secrets. (e.g. encryption contexts are not initialized).
Try to reduce unneeded whitespace changes and wrap new code to 80 columns. Reword documentation to attempt to improve clarity. Add some more sanity checks and clarifying comments to the code. Update referenced I-D versions.
QUIC does not use the TLS KeyUpdate message/mechanism, and indeed it is an error to generate or receive such a message. Add the necessary checks (noting that the check for receipt should be redundant since SSL_provide_quic_data() is the only way to provide input to the TLS layer for a QUIC connection).
For now, just test that we don't generate any, since we don't really expose the mechanics for encrypting one and the QUIC API is not integrated into the TLSProxy setup.
Make all data supplied via SSL_provide_quic_data() pass through an internal buffer, so that we can handle data supplied with arbitrary framing and only parse complete TLS records onto the list of QUIC_DATA managed by quic_input_data_head/quic_input_data_tail. This lets us remove the concept of "incomplete" QUIC_DATA structures, and the 'offset' field needed to support them. However, we've already moved the provided data onto the buffer by the time we can check for KeyUpdate messages, so defer that check to quic_get_message() (where it is adjacent to the preexisting ChangeCipherSpec check). To avoid extra memory copies, we also make the QUIC_DATA structures just store offsets into the consolidated buffer instead of having copies of the TLS handshake messages themselves.
The QUIC-TLS spec requires that TLS handshake messages do not cross encryption level boundaries, but we were not previously enforcing this.
Prefix the shared library version with 17 (for 'Q'), to allow this version to be used alongside a standard OpenSSL distribution Add +quic to the version (i.e. build metadata)
Undo SSL_clear() changes in test Break apart SSL_clear() into SSL_clear_quic() and SSL_clear_not_quic() In SSL_clear(), call both functions In SSL_accept(), call SSL_clear_not_quic() Don't make the new functions public.
Add link to OMCs plans. OpenSSL 3.0 is released, update tense. Fix some typos. Make relative URLs absolute.
|
Are there any plans to release this soon? |
|
I was waiting for approvals... |
|
Sorry for the delay, looking now |
wbl
approved these changes
Sep 12, 2024
| @@ -73,3 +73,29 @@ jobs: | |||
| with: | |||
| name: fips_checksum | |||
| path: artifact/ | |||
| verify-checksums: | |||
There was a problem hiding this comment.
It's not clear this test is doing much for us anymore, and isn't redundant with above
richsalz
approved these changes
Sep 12, 2024
|
Hi, Thanks for the merge and hard work. When will the official release tarball be available ? Best regards |
|
Could we have the final release for it please ? |
|
I think I just fixed the tag typo. Please confirm |
|
@wbl Thank's, it's released now ;) Hopefully we will get a version 3.3.x too soon ;) |
|
i just released the one we've been working on. This was hard due to some major refactors. Note that we've decided to fork harder, so look at github.com/quictls/quictls. We'd appreciate your input in deciding what to do. |
|
What @wbl means, @rapsys, is that we are unlikely to do anything in the 3.3 line, and will instead be using https://github.com/quictls/quictls moving forward. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist