nghttp2/nghttp2
1
0
Fork 0
mirror of https://github.com/nghttp2/nghttp2.git synced 2025-12-07 02:28:53 +08:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2333 from nghttp2/quic-ossl

Browse Source 
h2load, nghttpx: Add libngtcp2_crypto_ossl support
This commit is contained in:
Tatsuhiro Tsujikawa
2025-04-22 20:35:51 +09:00
committed by GitHub
parent aa96bfcb27 32eeffcd11
commit 5265110509
17 changed files with 233 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
.github/workflows/build.yml vendored
View File

@@ -7,7 +7,7 @@ permissions: read-all
env: env:
LIBBPF_VERSION: v1.5.0 LIBBPF_VERSION: v1.5.0
OPENSSL1_VERSION: 1_1_1w+quic OPENSSL1_VERSION: 1_1_1w+quic
OPENSSL3_VERSION: 3.1.7+quic OPENSSL3_VERSION: 3.5.0
BORINGSSL_VERSION: 23018360710de333b3343e63cbb3bd2dceb3287d BORINGSSL_VERSION: 23018360710de333b3343e63cbb3bd2dceb3287d
AWSLC_VERSION: v1.49.1 AWSLC_VERSION: v1.49.1
NGHTTP3_VERSION: v1.9.0 NGHTTP3_VERSION: v1.9.0
@@ -133,12 +133,12 @@ jobs:
./config --prefix=$PWD/build ./config --prefix=$PWD/build
make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
make install_sw make install_sw
- name: Build quictls/openssl v3.x - name: Build openssl/openssl v3.x
if: steps.cache-openssl3.outputs.cache-hit != 'true' if: steps.cache-openssl3.outputs.cache-hit != 'true'
run: | run: |
git clone --recursive --shallow-submodules --depth 1 -b openssl-${{ env.OPENSSL3_VERSION }} https://github.com/quictls/openssl openssl3 git clone --recursive --shallow-submodules --depth 1 -b openssl-${{ env.OPENSSL3_VERSION }} https://github.com/openssl/openssl openssl3
cd openssl3 cd openssl3
./config enable-ktls --prefix=$PWD/build --libdir=$PWD/build/lib ./config enable-ktls --prefix=$PWD/build
make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
make install_sw make install_sw
- name: Build BoringSSL - name: Build BoringSSL
@@ -203,7 +203,7 @@ jobs:
cd ngtcp2-openssl3 cd ngtcp2-openssl3
autoreconf -i autoreconf -i
./configure --prefix=$PWD/build --enable-lib-only \ ./configure --prefix=$PWD/build --enable-lib-only \
PKG_CONFIG_PATH="../openssl3/build/lib/pkgconfig" \ PKG_CONFIG_PATH="../openssl3/build/lib64/pkgconfig:../openssl3/build/lib/pkgconfig" \
BORINGSSL_CFLAGS="-I$PWD/../aws-lc/include/" \ BORINGSSL_CFLAGS="-I$PWD/../aws-lc/include/" \
BORINGSSL_LIBS="-L$PWD/../aws-lc/build/ssl -lssl -L$PWD/../aws-lc/build/crypto -lcrypto" \ BORINGSSL_LIBS="-L$PWD/../aws-lc/build/ssl -lssl -L$PWD/../aws-lc/build/crypto -lcrypto" \
--disable-dependency-tracking \ --disable-dependency-tracking \
@@ -223,10 +223,6 @@ jobs:
http3: [http3, no-http3] http3: [http3, no-http3]
openssl: [openssl1, openssl3, boringssl, awslc, wolfssl] openssl: [openssl1, openssl3, boringssl, awslc, wolfssl]
exclude: exclude:
- os: macos-14
openssl: openssl3
- os: macos-15
openssl: openssl3
- http3: no-http3 - http3: no-http3
openssl: openssl3 openssl: openssl3
- os: macos-14 - os: macos-14
@@ -365,7 +361,7 @@ jobs:
path: openssl1/build path: openssl1/build
key: ${{ matrix.os }}-openssl-${{ env.OPENSSL1_VERSION }} key: ${{ matrix.os }}-openssl-${{ env.OPENSSL1_VERSION }}
fail-on-cache-miss: true fail-on-cache-miss: true
- name: Restore quictls/openssl v3.x cache - name: Restore openssl/openssl v3.x cache
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
if: matrix.openssl == 'openssl3' if: matrix.openssl == 'openssl3'
with: with:
@@ -459,16 +455,16 @@ jobs:
- name: Setup extra environment variables - name: Setup extra environment variables
if: matrix.http3 == 'no-http3' if: matrix.http3 == 'no-http3'
run: | run: |
PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PKG_CONFIG_PATH" PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib64/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PKG_CONFIG_PATH"
LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib" LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib64 -Wl,-rpath,$PWD/openssl3/build/lib"
echo 'PKG_CONFIG_PATH='"$PKG_CONFIG_PATH" >> $GITHUB_ENV echo 'PKG_CONFIG_PATH='"$PKG_CONFIG_PATH" >> $GITHUB_ENV
echo 'LDFLAGS='"$LDFLAGS" >> $GITHUB_ENV echo 'LDFLAGS='"$LDFLAGS" >> $GITHUB_ENV
- name: Setup extra environment variables for HTTP/3 - name: Setup extra environment variables for HTTP/3
if: matrix.http3 == 'http3' if: matrix.http3 == 'http3'
run: | run: |
PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PWD/nghttp3/build/lib/pkgconfig:$PWD/ngtcp2-openssl1/build/lib/pkgconfig:$PWD/ngtcp2-openssl3/build/lib/pkgconfig:$PWD/libbpf/build/lib64/pkgconfig:$PKG_CONFIG_PATH" PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib64/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PWD/nghttp3/build/lib/pkgconfig:$PWD/ngtcp2-openssl1/build/lib/pkgconfig:$PWD/ngtcp2-openssl3/build/lib/pkgconfig:$PWD/libbpf/build/lib64/pkgconfig:$PKG_CONFIG_PATH"
LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib -Wl,-rpath,$PWD/libbpf/build/lib64" LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib64 -Wl,-rpath,$PWD/openssl3/build/lib -Wl,-rpath,$PWD/libbpf/build/lib64"
EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --enable-http3" EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --enable-http3"
EXTRA_CMAKE_OPTS="$EXTRA_CMAKE_OPTS -DENABLE_HTTP3=1" EXTRA_CMAKE_OPTS="$EXTRA_CMAKE_OPTS -DENABLE_HTTP3=1"

22
CMakeLists.txt
View File

@@ -71,15 +71,19 @@ if(WITH_WOLFSSL)
else() else()
find_package(OpenSSL 1.1.1) find_package(OpenSSL 1.1.1)
endif() endif()
find_package(Libngtcp2 1.0.0) find_package(Libngtcp2 1.12.0)
if(OPENSSL_FOUND) if(OPENSSL_FOUND)
find_package(Libngtcp2_crypto_quictls 1.0.0) find_package(Libngtcp2_crypto_quictls 1.12.0)
if(LIBNGTCP2_CRYPTO_QUICTLS_FOUND) if(LIBNGTCP2_CRYPTO_QUICTLS_FOUND)
set(HAVE_LIBNGTCP2_CRYPTO_QUICTLS 1) set(HAVE_LIBNGTCP2_CRYPTO_QUICTLS 1)
endif() endif()
find_package(Libngtcp2_crypto_ossl 1.12.0)
if(LIBNGTCP2_CRYPTO_OSSL_FOUND)
set(HAVE_LIBNGTCP2_CRYPTO_OSSL 1)
endif()
endif() endif()
if(WOLFSSL_FOUND) if(WOLFSSL_FOUND)
find_package(Libngtcp2_crypto_wolfssl 1.0.0) find_package(Libngtcp2_crypto_wolfssl 1.12.0)
if(LIBNGTCP2_CRYPTO_WOLFSSL_FOUND) if(LIBNGTCP2_CRYPTO_WOLFSSL_FOUND)
set(HAVE_LIBNGTCP2_CRYPTO_WOLFSSL 1) set(HAVE_LIBNGTCP2_CRYPTO_WOLFSSL 1)
endif() endif()
@@ -199,7 +203,10 @@ if(NOT ENABLE_LIB_ONLY AND OPENSSL_FOUND)
if(ENABLE_HTTP3) if(ENABLE_HTTP3)
check_symbol_exists(SSL_provide_quic_data "openssl/ssl.h" HAVE_SSL_PROVIDE_QUIC_DATA) check_symbol_exists(SSL_provide_quic_data "openssl/ssl.h" HAVE_SSL_PROVIDE_QUIC_DATA)
if(NOT HAVE_SSL_PROVIDE_QUIC_DATA) if(NOT HAVE_SSL_PROVIDE_QUIC_DATA)
message(WARNING "OpenSSL in ${OPENSSL_LIBRARIES} does not have SSL_provide_quic_data. HTTP/3 support cannot be enabled") check_symbol_exists(SSL_set_quic_tls_cbs "openssl/ssl.h" HAVE_SSL_SET_QUIC_TLS_CBS)
if(NOT HAVE_SSL_SET_QUIC_TLS_CBS)
message(WARNING "OpenSSL in ${OPENSSL_LIBRARIES} has neither SSL_provide_quic_data nor SSL_set_quic_tls_cbs. HTTP/3 support cannot be enabled")
endif()
endif() endif()
endif() endif()
cmake_pop_check_state() cmake_pop_check_state()
@@ -280,11 +287,12 @@ if(ENABLE_APP AND NOT (ZLIB_FOUND AND (OPENSSL_FOUND OR WOLFSSL_FOUND) AND LIBEV
endif() endif()
# HTTP/3 requires libngtcp2 + (quictls/openssl + # HTTP/3 requires libngtcp2 + (quictls/openssl +
# libngtcp2_crypto_quictls or wolfSSL + libngtcp2_crypto_wolfssl) and # libngtcp2_crypto_quictls, wolfSSL + libngtcp2_crypto_wolfssl, or
# libnghttp3. # openssl/openssl + libngtcp2_crypto_ossl) and libnghttp3.
if(ENABLE_HTTP3 AND NOT (LIBNGTCP2_FOUND AND LIBNGHTTP3_FOUND AND if(ENABLE_HTTP3 AND NOT (LIBNGTCP2_FOUND AND LIBNGHTTP3_FOUND AND
((HAVE_SSL_PROVIDE_QUIC_DATA AND LIBNGTCP2_CRYPTO_QUICTLS_FOUND) OR ((HAVE_SSL_PROVIDE_QUIC_DATA AND LIBNGTCP2_CRYPTO_QUICTLS_FOUND) OR
(HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA AND LIBNGTCP2_CRYPTO_WOLFSSL_FOUND)))) (HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA AND LIBNGTCP2_CRYPTO_WOLFSSL_FOUND) OR
(HAVE_SSL_SET_QUIC_TLS_CBS AND LIBNGTCP2_CRYPTO_OSSL_FOUND))))
message(FATAL_ERROR "HTTP/3 was requested (ENABLE_HTTP3=1) but dependencies are not met.") message(FATAL_ERROR "HTTP/3 was requested (ENABLE_HTTP3=1) but dependencies are not met.")
endif() endif()

1
Makefile.am
View File

@@ -47,6 +47,7 @@ EXTRA_DIST = nghttpx.conf.sample proxy.pac.sample android-config android-env \
cmake/FindLibbrotlienc.cmake \ cmake/FindLibbrotlienc.cmake \
cmake/FindLibbrotlidec.cmake \ cmake/FindLibbrotlidec.cmake \
cmake/FindLibngtcp2_crypto_wolfssl.cmake \ cmake/FindLibngtcp2_crypto_wolfssl.cmake \
cmake/FindLibngtcp2_crypto_ossl.cmake \
cmake/FindWolfSSL.cmake \ cmake/FindWolfSSL.cmake \
cmake/PickyWarningsC.cmake \ cmake/PickyWarningsC.cmake \
cmake/PickyWarningsCXX.cmake cmake/PickyWarningsCXX.cmake

6
README.rst
View File

@@ -123,12 +123,12 @@ exploited. The neverbleed is disabled by default. To enable it, use
To enable the experimental HTTP/3 support for h2load and nghttpx, the To enable the experimental HTTP/3 support for h2load and nghttpx, the
following libraries are required: following libraries are required:
* `OpenSSL with QUIC support * `quictls
<https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
wolfSSL; or LibreSSL (does not support 0RTT); or aws-lc; or wolfSSL; or LibreSSL (does not support 0RTT); or aws-lc; or
`BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
23018360710de333b3343e63cbb3bd2dceb3287d) 23018360710de333b3343e63cbb3bd2dceb3287d); or OpenSSL >= 3.5.0
* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.4.0 * `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.12.0
* `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.1.0 * `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.1.0
Use ``--enable-http3`` configure option to enable HTTP/3 feature for Use ``--enable-http3`` configure option to enable HTTP/3 feature for

43
cmake/FindLibngtcp2_crypto_ossl.cmake Normal file
View File

@@ -0,0 +1,43 @@
# - Try to find libngtcp2_crypto_ossl
# Once done this will define
# LIBNGTCP2_CRYPTO_OSSL_FOUND - System has libngtcp2_crypto_ossl
# LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS - The libngtcp2_crypto_ossl include directories
# LIBNGTCP2_CRYPTO_OSSL_LIBRARIES - The libraries needed to use libngtcp2_crypto_ossl
find_package(PkgConfig QUIET)
pkg_check_modules(PC_LIBNGTCP2_CRYPTO_OSSL QUIET libngtcp2_crypto_ossl)
find_path(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
NAMES ngtcp2/ngtcp2_crypto_ossl.h
HINTS ${PC_LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS}
)
find_library(LIBNGTCP2_CRYPTO_OSSL_LIBRARY
NAMES ngtcp2_crypto_ossl
HINTS ${PC_LIBNGTCP2_CRYPTO_OSSL_LIBRARY_DIRS}
)
if(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR)
set(_version_regex "^#define[ \t]+NGTCP2_VERSION[ \t]+\"([^\"]+)\".*")
file(STRINGS "${LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR}/ngtcp2/version.h"
LIBNGTCP2_CRYPTO_OSSL_VERSION REGEX "${_version_regex}")
string(REGEX REPLACE "${_version_regex}" "\\1"
LIBNGTCP2_CRYPTO_OSSL_VERSION "${LIBNGTCP2_CRYPTO_OSSL_VERSION}")
unset(_version_regex)
endif()
include(FindPackageHandleStandardArgs)
# handle the QUIETLY and REQUIRED arguments and set
# LIBNGTCP2_CRYPTO_OSSL_FOUND to TRUE if all listed variables are
# TRUE and the requested version matches.
find_package_handle_standard_args(Libngtcp2_crypto_ossl REQUIRED_VARS
LIBNGTCP2_CRYPTO_OSSL_LIBRARY
LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
VERSION_VAR LIBNGTCP2_CRYPTO_OSSL_VERSION)
if(LIBNGTCP2_CRYPTO_OSSL_FOUND)
set(LIBNGTCP2_CRYPTO_OSSL_LIBRARIES ${LIBNGTCP2_CRYPTO_OSSL_LIBRARY})
set(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS ${LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR})
endif()
mark_as_advanced(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
LIBNGTCP2_CRYPTO_OSSL_LIBRARY)

41
configure.ac
View File

@@ -450,6 +450,15 @@ if test "x${request_openssl}" != "xno" &&
[AC_MSG_RESULT([yes]); have_ssl_provide_quic_data=yes], [AC_MSG_RESULT([yes]); have_ssl_provide_quic_data=yes],
[AC_MSG_RESULT([no]); have_ssl_provide_quic_data=no]) [AC_MSG_RESULT([no]); have_ssl_provide_quic_data=no])
AC_MSG_CHECKING([for SSL_set_quic_tls_cbs])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <openssl/ssl.h>
]], [[
SSL_set_quic_tls_cbs(NULL, NULL, NULL);
]])],
[AC_MSG_RESULT([yes]); have_ossl_quic=yes],
[AC_MSG_RESULT([no]); have_ossl_quic=no])
# boringssl has SSL_set_quic_early_data_context. # boringssl has SSL_set_quic_early_data_context.
AC_MSG_CHECKING([for SSL_set_quic_early_data_context]) AC_MSG_CHECKING([for SSL_set_quic_early_data_context])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
@@ -530,7 +539,7 @@ fi
# ngtcp2 (for src) # ngtcp2 (for src)
have_libngtcp2=no have_libngtcp2=no
if test "x${request_libngtcp2}" != "xno"; then if test "x${request_libngtcp2}" != "xno"; then
PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 1.4.0], [have_libngtcp2=yes], PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 1.12.0], [have_libngtcp2=yes],
[have_libngtcp2=no]) [have_libngtcp2=no])
if test "x${have_libngtcp2}" = "xno"; then if test "x${have_libngtcp2}" = "xno"; then
AC_MSG_NOTICE($LIBNGTCP2_PKG_ERRORS) AC_MSG_NOTICE($LIBNGTCP2_PKG_ERRORS)
@@ -547,7 +556,7 @@ have_libngtcp2_crypto_wolfssl=no
if test "x${have_wolfssl_quic}" = "xyes" && if test "x${have_wolfssl_quic}" = "xyes" &&
test "x${request_libngtcp2}" != "xno"; then test "x${request_libngtcp2}" != "xno"; then
PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_WOLFSSL], PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_WOLFSSL],
[libngtcp2_crypto_wolfssl >= 1.0.0], [libngtcp2_crypto_wolfssl >= 1.12.0],
[have_libngtcp2_crypto_wolfssl=yes], [have_libngtcp2_crypto_wolfssl=yes],
[have_libngtcp2_crypto_wolfssl=no]) [have_libngtcp2_crypto_wolfssl=no])
if test "x${have_libngtcp2_crypto_wolfssl}" = "xno"; then if test "x${have_libngtcp2_crypto_wolfssl}" = "xno"; then
@@ -570,7 +579,7 @@ if test "x${have_ssl_provide_quic_data}" = "xyes" &&
test "x${have_boringssl_quic}" != "xyes" && test "x${have_boringssl_quic}" != "xyes" &&
test "x${request_libngtcp2}" != "xno"; then test "x${request_libngtcp2}" != "xno"; then
PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_QUICTLS], PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_QUICTLS],
[libngtcp2_crypto_quictls >= 1.0.0], [libngtcp2_crypto_quictls >= 1.12.0],
[have_libngtcp2_crypto_quictls=yes], [have_libngtcp2_crypto_quictls=yes],
[have_libngtcp2_crypto_quictls=no]) [have_libngtcp2_crypto_quictls=no])
if test "x${have_libngtcp2_crypto_quictls}" = "xno"; then if test "x${have_libngtcp2_crypto_quictls}" = "xno"; then
@@ -610,6 +619,28 @@ if test "x${have_boringssl_quic}" = "xyes" &&
AC_MSG_ERROR([libngtcp2_crypto_boringssl was requested (--with-libngtcp2) but not found]) AC_MSG_ERROR([libngtcp2_crypto_boringssl was requested (--with-libngtcp2) but not found])
fi fi
# ngtcp2_crypto_ossl (for src)
have_libngtcp2_crypto_ossl=no
if test "x${have_ossl_quic}" = "xyes" &&
test "x${request_libngtcp2}" != "xno"; then
PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_OSSL],
[libngtcp2_crypto_ossl >= 1.12.0],
[have_libngtcp2_crypto_ossl=yes],
[have_libngtcp2_crypto_ossl=no])
if test "x${have_libngtcp2_crypto_ossl}" = "xno"; then
AC_MSG_NOTICE($LIBNGTCP2_CRYPTO_OSSL_PKG_ERRORS)
else
AC_DEFINE([HAVE_LIBNGTCP2_CRYPTO_OSSL], [1],
[Define to 1 if you have `libngtcp2_crypto_ossl` library.])
fi
fi
if test "x${have_ossl_quic}" = "xyes" &&
test "x${request_libngtcp2}" = "xyes" &&
test "x${have_libngtcp2_crypto_ossl}" != "xyes"; then
AC_MSG_ERROR([libngtcp2_crypto_ossl was requested (--with-libngtcp2) but not found])
fi
# nghttp3 (for src) # nghttp3 (for src)
have_libnghttp3=no have_libnghttp3=no
if test "x${request_libnghttp3}" != "xno"; then if test "x${request_libnghttp3}" != "xno"; then
@@ -842,7 +873,8 @@ if test "x${request_http3}" != "xno" &&
test "x${have_libngtcp2}" = "xyes" && test "x${have_libngtcp2}" = "xyes" &&
(test "x${have_libngtcp2_crypto_wolfssl}" = "xyes" || (test "x${have_libngtcp2_crypto_wolfssl}" = "xyes" ||
test "x${have_libngtcp2_crypto_quictls}" = "xyes" || test "x${have_libngtcp2_crypto_quictls}" = "xyes" ||
test "x${have_libngtcp2_crypto_boringssl}" = "xyes") && test "x${have_libngtcp2_crypto_boringssl}" = "xyes" ||
test "x${have_libngtcp2_crypto_ossl}" = "xyes") &&
test "x${have_libnghttp3}" = "xyes"; then test "x${have_libnghttp3}" = "xyes"; then
enable_http3=yes enable_http3=yes
AC_DEFINE([ENABLE_HTTP3], [1], [Define to 1 if HTTP/3 is enabled.]) AC_DEFINE([ENABLE_HTTP3], [1], [Define to 1 if HTTP/3 is enabled.])
@@ -1256,6 +1288,7 @@ AC_MSG_NOTICE([summary of build options:
libngtcp2: ${have_libngtcp2} (CFLAGS='${LIBNGTCP2_CFLAGS}' LIBS='${LIBNGTCP2_LIBS}') libngtcp2: ${have_libngtcp2} (CFLAGS='${LIBNGTCP2_CFLAGS}' LIBS='${LIBNGTCP2_LIBS}')
libngtcp2_crypto_quictls: ${have_libngtcp2_crypto_quictls} (CFLAGS='${LIBNGTCP2_CRYPTO_QUICTLS_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_QUICTLS_LIBS}') libngtcp2_crypto_quictls: ${have_libngtcp2_crypto_quictls} (CFLAGS='${LIBNGTCP2_CRYPTO_QUICTLS_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_QUICTLS_LIBS}')
libngtcp2_crypto_boringssl: ${have_libngtcp2_crypto_boringssl} (CFLAGS='${LIBNGTCP2_CRYPTO_BORINGSSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_BORINGSSL_LIBS}') libngtcp2_crypto_boringssl: ${have_libngtcp2_crypto_boringssl} (CFLAGS='${LIBNGTCP2_CRYPTO_BORINGSSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_BORINGSSL_LIBS}')
libngtcp2_crypto_ossl: ${have_libngtcp2_crypto_ossl} (CFLAGS='${LIBNGTCP2_CRYPTO_OSSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_OSSL_LIBS}')
libnghttp3: ${have_libnghttp3} (CFLAGS='${LIBNGHTTP3_CFLAGS}' LIBS='${LIBNGHTTP3_LIBS}') libnghttp3: ${have_libnghttp3} (CFLAGS='${LIBNGHTTP3_CFLAGS}' LIBS='${LIBNGHTTP3_LIBS}')
libbpf: ${have_libbpf} (CFLAGS='${LIBBPF_CFLAGS}' LIBS='${LIBBPF_LIBS}') libbpf: ${have_libbpf} (CFLAGS='${LIBBPF_CFLAGS}' LIBS='${LIBBPF_LIBS}')
Libevent(SSL): ${have_libevent_openssl} (CFLAGS='${LIBEVENT_OPENSSL_CFLAGS}' LIBS='${LIBEVENT_OPENSSL_LIBS}') Libevent(SSL): ${have_libevent_openssl} (CFLAGS='${LIBEVENT_OPENSSL_CFLAGS}' LIBS='${LIBEVENT_OPENSSL_LIBS}')

2
src/CMakeLists.txt
View File

@@ -17,6 +17,7 @@ include_directories(
${LIBNGTCP2_INCLUDE_DIRS} ${LIBNGTCP2_INCLUDE_DIRS}
${LIBNGTCP2_CRYPTO_QUICTLS_INCLUDE_DIRS} ${LIBNGTCP2_CRYPTO_QUICTLS_INCLUDE_DIRS}
${LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIRS} ${LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIRS}
${LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS}
${OPENSSL_INCLUDE_DIRS} ${OPENSSL_INCLUDE_DIRS}
${WOLFSSL_INCLUDE_DIRS} ${WOLFSSL_INCLUDE_DIRS}
${LIBCARES_INCLUDE_DIRS} ${LIBCARES_INCLUDE_DIRS}
@@ -37,6 +38,7 @@ link_libraries(
${LIBNGTCP2_LIBRARIES} ${LIBNGTCP2_LIBRARIES}
${LIBNGTCP2_CRYPTO_QUICTLS_LIBRARIES} ${LIBNGTCP2_CRYPTO_QUICTLS_LIBRARIES}
${LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARIES} ${LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARIES}
${LIBNGTCP2_CRYPTO_OSSL_LIBRARIES}
${OPENSSL_LIBRARIES} ${OPENSSL_LIBRARIES}
${WOLFSSL_LIBRARIES} ${WOLFSSL_LIBRARIES}
${LIBCARES_LIBRARIES} ${LIBCARES_LIBRARIES}

2
src/Makefile.am
View File

@@ -48,6 +48,7 @@ AM_CPPFLAGS = \
@LIBNGTCP2_CRYPTO_WOLFSSL_CFLAGS@ \ @LIBNGTCP2_CRYPTO_WOLFSSL_CFLAGS@ \
@LIBNGTCP2_CRYPTO_QUICTLS_CFLAGS@ \ @LIBNGTCP2_CRYPTO_QUICTLS_CFLAGS@ \
@LIBNGTCP2_CRYPTO_BORINGSSL_CFLAGS@ \ @LIBNGTCP2_CRYPTO_BORINGSSL_CFLAGS@ \
@LIBNGTCP2_CRYPTO_OSSL_CFLAGS@ \
@LIBNGTCP2_CFLAGS@ \ @LIBNGTCP2_CFLAGS@ \
@WOLFSSL_CFLAGS@ \ @WOLFSSL_CFLAGS@ \
@OPENSSL_CFLAGS@ \ @OPENSSL_CFLAGS@ \
@@ -71,6 +72,7 @@ LDADD = $(top_builddir)/lib/libnghttp2.la \
@LIBNGTCP2_CRYPTO_WOLFSSL_LIBS@ \ @LIBNGTCP2_CRYPTO_WOLFSSL_LIBS@ \
@LIBNGTCP2_CRYPTO_QUICTLS_LIBS@ \ @LIBNGTCP2_CRYPTO_QUICTLS_LIBS@ \
@LIBNGTCP2_CRYPTO_BORINGSSL_LIBS@ \ @LIBNGTCP2_CRYPTO_BORINGSSL_LIBS@ \
@LIBNGTCP2_CRYPTO_OSSL_LIBS@ \
@LIBNGTCP2_LIBS@ \ @LIBNGTCP2_LIBS@ \
@WOLFSSL_LIBS@ \ @WOLFSSL_LIBS@ \
@OPENSSL_LIBS@ \ @OPENSSL_LIBS@ \

28
src/h2load.cc
View File

@@ -68,6 +68,9 @@
# ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL # ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
# include <ngtcp2/ngtcp2_crypto_wolfssl.h> # include <ngtcp2/ngtcp2_crypto_wolfssl.h>
# endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL # endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
# ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
# include <ngtcp2/ngtcp2_crypto_ossl.h>
# endif // HAVE_LIBNGTCP2_CRYPTO_OSSL
#endif // ENABLE_HTTP3 #endif // ENABLE_HTTP3
#include "urlparse.h" #include "urlparse.h"
@@ -514,16 +517,18 @@ Client::Client(uint32_t id, Worker *worker, size_t req_todo)
Client::~Client() { Client::~Client() {
disconnect(); disconnect();
// Free ssl before freeing QUIC resources because
// libngtcp2_crypto_ossl requires that ngtcp2_conn is still alive.
if (ssl) {
SSL_free(ssl);
}
#ifdef ENABLE_HTTP3 #ifdef ENABLE_HTTP3
if (config.is_quic()) { if (config.is_quic()) {
quic_free(); quic_free();
} }
#endif // ENABLE_HTTP3 #endif // ENABLE_HTTP3
if (ssl) {
SSL_free(ssl);
}
worker->sample_client_stat(&cstat); worker->sample_client_stat(&cstat);
++worker->client_smp.n; ++worker->client_smp.n;
} }
@@ -2923,6 +2928,21 @@ int main(int argc, char **argv) {
act.sa_handler = SIG_IGN; act.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &act, nullptr); sigaction(SIGPIPE, &act, nullptr);
#ifdef ENABLE_HTTP3
# ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
if (ngtcp2_crypto_quictls_init() != 0) {
std::cerr << "ngtcp2_crypto_quictls_init failed" << std::endl;
exit(EXIT_FAILURE);
}
# endif // defined(HAVE_LIBNGTCP2_CRYPTO_QUICTLS)
# ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
if (ngtcp2_crypto_ossl_init() != 0) {
std::cerr << "ngtcp2_crypto_ossl_init failed" << std::endl;
exit(EXIT_FAILURE);
}
# endif // defined(HAVE_LIBNGTCP2_CRYPTO_OSSL)
#endif // defined(ENABLE_HTTP3)
auto ssl_ctx = SSL_CTX_new(TLS_client_method()); auto ssl_ctx = SSL_CTX_new(TLS_client_method());
if (!ssl_ctx) { if (!ssl_ctx) {
std::cerr << "Failed to create SSL_CTX: " std::cerr << "Failed to create SSL_CTX: "

7
src/h2load.h
View File

@@ -55,6 +55,10 @@
#include "ssl_compat.h" #include "ssl_compat.h"
#if defined(ENABLE_HTTP3) && OPENSSL_3_5_0_API
# include <ngtcp2/ngtcp2_crypto_ossl.h>
#endif // defined(ENABLE_HTTP3) && OPENSSL_3_5_0_API
#ifdef NGHTTP2_OPENSSL_IS_WOLFSSL #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
# include <wolfssl/options.h> # include <wolfssl/options.h>
# include <wolfssl/openssl/ssl.h> # include <wolfssl/openssl/ssl.h>
@@ -354,6 +358,9 @@ struct Client {
ev_timer pkt_timer; ev_timer pkt_timer;
ngtcp2_conn *conn; ngtcp2_conn *conn;
ngtcp2_ccerr last_error; ngtcp2_ccerr last_error;
# if OPENSSL_3_5_0_API
ngtcp2_crypto_ossl_ctx *ossl_ctx;
# endif // OPENSSL_3_5_0_API
bool close_requested; bool close_requested;
FILE *qlog_file; FILE *qlog_file;

23
src/h2load_quic.cc
View File

@@ -345,7 +345,22 @@ int Client::quic_init(const sockaddr *local_addr, socklen_t local_addrlen,
SSL_set_app_data(ssl, &quic.conn_ref); SSL_set_app_data(ssl, &quic.conn_ref);
SSL_set_connect_state(ssl); SSL_set_connect_state(ssl);
#if OPENSSL_3_5_0_API
if (ngtcp2_crypto_ossl_configure_client_session(ssl) != 0) {
std::cerr << "ngtcp2_crypto_ossl_configure_client_session failed"
<< std::endl;
return -1;
}
rv = ngtcp2_crypto_ossl_ctx_new(&quic.ossl_ctx, ssl);
if (rv != 0) {
std::cerr << "ngtcp2_crypto_ossl_ctx_new failed with error code " << rv
<< std::endl;
return -1;
}
#else // !OPENSSL_3_5_0_API
SSL_set_quic_use_legacy_codepoint(ssl, 0); SSL_set_quic_use_legacy_codepoint(ssl, 0);
#endif // !OPENSSL_3_5_0_API
} }
auto callbacks = ngtcp2_callbacks{ auto callbacks = ngtcp2_callbacks{
@@ -465,12 +480,20 @@ int Client::quic_init(const sockaddr *local_addr, socklen_t local_addrlen,
return -1; return -1;
} }
#if OPENSSL_3_5_0_API
ngtcp2_conn_set_tls_native_handle(quic.conn, quic.ossl_ctx);
#else // !OPENSSL_3_5_0_API
ngtcp2_conn_set_tls_native_handle(quic.conn, ssl); ngtcp2_conn_set_tls_native_handle(quic.conn, ssl);
#endif // !OPENSSL_3_5_0_API
return 0; return 0;
} }
void Client::quic_free() { void Client::quic_free() {
#if OPENSSL_3_5_0_API
ngtcp2_crypto_ossl_ctx_del(quic.ossl_ctx);
#endif // OPENSSL_3_5_0_API
ngtcp2_conn_del(quic.conn); ngtcp2_conn_del(quic.conn);
if (quic.qlog_file != nullptr) { if (quic.qlog_file != nullptr) {
fclose(quic.qlog_file); fclose(quic.qlog_file);

23
src/shrpx.cc
View File

@@ -92,7 +92,13 @@
#ifdef ENABLE_HTTP3 #ifdef ENABLE_HTTP3
# include <ngtcp2/ngtcp2.h> # include <ngtcp2/ngtcp2.h>
# include <nghttp3/nghttp3.h> # include <nghttp3/nghttp3.h>
#endif // ENABLE_HTTP3 # ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
# include <ngtcp2/ngtcp2_crypto_quictls.h>
# endif // HAVE_LIBNGTCP2_CRYPTO_QUICTLS
# ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
# include <ngtcp2/ngtcp2_crypto_ossl.h>
# endif // HAVE_LIBNGTCP2_CRYPTO_OSSL
#endif // ENABLE_HTTP3
#include "shrpx_config.h" #include "shrpx_config.h"
#include "shrpx_tls.h" #include "shrpx_tls.h"
@@ -5306,6 +5312,21 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_CERTIFICATE_FILE, StringRef{argv[optind++]}); cmdcfgs.emplace_back(SHRPX_OPT_CERTIFICATE_FILE, StringRef{argv[optind++]});
} }
#ifdef ENABLE_HTTP3
# ifdef HAVE_LIBNGTCP2_CRYPTO_QUICTLS
if (ngtcp2_crypto_quictls_init() != 0) {
LOG(FATAL) << "ngtcp2_crypto_quictls_init failed";
exit(EXIT_FAILURE);
}
# endif // defined(HAVE_LIBNGTCP2_CRYPTO_QUICTLS)
# ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
if (ngtcp2_crypto_ossl_init() != 0) {
LOG(FATAL) << "ngtcp2_crypto_ossl_init failed";
exit(EXIT_FAILURE);
}
# endif // defined(HAVE_LIBNGTCP2_CRYPTO_OSSL)
#endif // defined(ENABLE_HTTP3)
rv = process_options(mod_config(), cmdcfgs); rv = process_options(mod_config(), cmdcfgs);
if (rv != 0) { if (rv != 0) {
return -1; return -1;

3
src/shrpx_connection.cc
View File

@@ -114,6 +114,9 @@ void Connection::disconnect() {
SSL_shutdown(tls.ssl); SSL_shutdown(tls.ssl);
} }
// Unset app data here, so that ngtcp2_conn never be used by
// libngtcp2_crypto_ossl that may be called by SSL_free.
SSL_set_app_data(tls.ssl, NULL);
SSL_free(tls.ssl); SSL_free(tls.ssl);
tls.ssl = nullptr; tls.ssl = nullptr;

27
src/shrpx_http3_upstream.cc
View File

@@ -46,7 +46,6 @@
#endif // HAVE_MRUBY #endif // HAVE_MRUBY
#include "http3.h" #include "http3.h"
#include "util.h" #include "util.h"
#include "ssl_compat.h"
namespace shrpx { namespace shrpx {
@@ -115,6 +114,9 @@ Http3Upstream::Http3Upstream(ClientHandler *handler)
qlog_fd_{-1}, qlog_fd_{-1},
hashed_scid_{}, hashed_scid_{},
conn_{nullptr}, conn_{nullptr},
#if OPENSSL_3_5_0_API
ossl_ctx_{nullptr},
#endif // OPENSSL_3_5_0_API,
httpconn_{nullptr}, httpconn_{nullptr},
downstream_queue_{downstream_queue_size(handler->get_worker()), downstream_queue_{downstream_queue_size(handler->get_worker()),
!get_config()->http2_proxy}, !get_config()->http2_proxy},
@@ -149,6 +151,10 @@ Http3Upstream::~Http3Upstream() {
nghttp3_conn_del(httpconn_); nghttp3_conn_del(httpconn_);
#if OPENSSL_3_5_0_API
ngtcp2_crypto_ossl_ctx_del(ossl_ctx_);
#endif // OPENSSL_3_5_0_API
ngtcp2_conn_del(conn_); ngtcp2_conn_del(conn_);
if (qlog_fd_ != -1) { if (qlog_fd_ != -1) {
@@ -734,7 +740,26 @@ int Http3Upstream::init(const UpstreamAddr *faddr, const Address &remote_addr,
return -1; return -1;
} }
#if OPENSSL_3_5_0_API
auto ssl = handler_->get_ssl();
rv = ngtcp2_crypto_ossl_configure_server_session(ssl);
if (rv != 0) {
ULOG(ERROR, this) << "ngtcp2_crypto_ossl_configure_server_session failed";
return -1;
}
rv = ngtcp2_crypto_ossl_ctx_new(&ossl_ctx_, ssl);
if (rv != 0) {
ULOG(ERROR, this) << "ngtcp2_crypto_ossl_ctx_new failed with error code "
<< rv;
return -1;
}
ngtcp2_conn_set_tls_native_handle(conn_, ossl_ctx_);
#else // !OPENSSL_3_5_0_API
ngtcp2_conn_set_tls_native_handle(conn_, handler_->get_ssl()); ngtcp2_conn_set_tls_native_handle(conn_, handler_->get_ssl());
#endif // !OPENSSL_3_5_0_API
auto quic_connection_handler = worker->get_quic_connection_handler(); auto quic_connection_handler = worker->get_quic_connection_handler();

8
src/shrpx_http3_upstream.h
View File

@@ -34,6 +34,11 @@
#include "shrpx_downstream_queue.h" #include "shrpx_downstream_queue.h"
#include "quic.h" #include "quic.h"
#include "network.h" #include "network.h"
#include "ssl_compat.h"
#if defined(ENABLE_HTTP3) && OPENSSL_3_5_0_API
# include <ngtcp2/ngtcp2_crypto_ossl.h>
#endif // defined(ENABLE_HTTP3) && OPENSSL_3_5_0_API
using namespace nghttp2; using namespace nghttp2;
@@ -165,6 +170,9 @@ private:
ngtcp2_cid hashed_scid_; ngtcp2_cid hashed_scid_;
ngtcp2_conn *conn_; ngtcp2_conn *conn_;
ngtcp2_ccerr last_error_; ngtcp2_ccerr last_error_;
#if OPENSSL_3_5_0_API
ngtcp2_crypto_ossl_ctx *ossl_ctx_;
#endif // OPENSSL_3_5_0_API
nghttp3_conn *httpconn_; nghttp3_conn *httpconn_;
DownstreamQueue downstream_queue_; DownstreamQueue downstream_queue_;
std::vector<uint8_t> conn_close_; std::vector<uint8_t> conn_close_;

7
src/shrpx_quic_connection_handler.cc
View File

@@ -388,7 +388,8 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
return nullptr; return nullptr;
} }
#if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_WOLFSSL) #if !OPENSSL_3_5_0_API && \
(defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_WOLFSSL))
assert(SSL_is_quic(ssl)); assert(SSL_is_quic(ssl));
#endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_WOLFSSL #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_WOLFSSL
@@ -398,7 +399,9 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
auto &quicconf = config->quic; auto &quicconf = config->quic;
if (quicconf.upstream.early_data) { if (quicconf.upstream.early_data) {
#if defined(NGHTTP2_GENUINE_OPENSSL) || \ #if OPENSSL_3_5_0_API
SSL_set_quic_tls_early_data_enabled(ssl, 1);
#elif defined(NGHTTP2_GENUINE_OPENSSL) || \
(defined(NGHTTP2_OPENSSL_IS_WOLFSSL) && defined(WOLFSSL_EARLY_DATA)) (defined(NGHTTP2_OPENSSL_IS_WOLFSSL) && defined(WOLFSSL_EARLY_DATA))
SSL_set_quic_early_data_enabled(ssl, 1); SSL_set_quic_early_data_enabled(ssl, 1);
#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)

2
src/ssl_compat.h
View File

@@ -47,8 +47,10 @@
# ifdef NGHTTP2_GENUINE_OPENSSL # ifdef NGHTTP2_GENUINE_OPENSSL
# define OPENSSL_3_0_0_API (OPENSSL_VERSION_NUMBER >= 0x30000000L) # define OPENSSL_3_0_0_API (OPENSSL_VERSION_NUMBER >= 0x30000000L)
# define OPENSSL_3_5_0_API (OPENSSL_VERSION_NUMBER >= 0x30500000L)
# else // !NGHTTP2_GENUINE_OPENSSL # else // !NGHTTP2_GENUINE_OPENSSL
# define OPENSSL_3_0_0_API 0 # define OPENSSL_3_0_0_API 0
# define OPENSSL_3_5_0_API 0
# endif // !NGHTTP2_GENUINE_OPENSSL # endif // !NGHTTP2_GENUINE_OPENSSL
#endif // !HAVE_WOLFSSL #endif // !HAVE_WOLFSSL