details:   
https://github.com/nginx/nginx/commit/e561f7dbcfc27f5f648e5151de0796e691cbc1b0
branches:  master
commit:    e561f7dbcfc27f5f648e5151de0796e691cbc1b0
user:      Sergey Kandaurov <pluk...@nginx.com>
date:      Wed, 21 May 2025 03:54:45 +0400
description:
QUIC: defined SSL API macros in a single place.

All definitions are now set in ngx_event_quic.h; this includes moving
NGX_QUIC_OPENSSL_COMPAT from autotests to compile time.  Further,
to improve code readability, a new NGX_QUIC_QUICTLS_API macro is
used for QuicTLS that provides old BoringSSL QUIC API.

---
 auto/lib/openssl/conf                          |  3 ---
 src/event/quic/ngx_event_quic.c                |  4 ++--
 src/event/quic/ngx_event_quic.h                | 12 ++++++++++++
 src/event/quic/ngx_event_quic_openssl_compat.h |  8 --------
 src/event/quic/ngx_event_quic_ssl.c            | 13 +++----------
 5 files changed, 17 insertions(+), 23 deletions(-)

diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
index fdf430dff..f4b00ebd6 100644
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -12,7 +12,6 @@ if [ $OPENSSL != NONE ]; then
 
     if [ $USE_OPENSSL_QUIC = YES ]; then
         have=NGX_QUIC . auto/have
-        have=NGX_QUIC_OPENSSL_COMPAT . auto/have
     fi
 
     case "$CC" in
@@ -154,8 +153,6 @@ else
                 . auto/feature
 
                 if [ $ngx_found = no ]; then
-                    have=NGX_QUIC_OPENSSL_COMPAT . auto/have
-
                     ngx_feature="OpenSSL QUIC compatibility"
                     ngx_feature_test="SSL_CTX_add_custom_ext(NULL, 0, 0,
                                                  NULL, NULL, NULL, NULL, NULL)"
diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index 9f968d5fb..4f2e50240 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -973,8 +973,8 @@ ngx_quic_handle_payload(ngx_connection_t *c, 
ngx_quic_header_t *pkt)
         return NGX_DECLINED;
     }
 
-#if !defined (OPENSSL_IS_BORINGSSL)
-    /* OpenSSL provides read keys for an application level before it's ready */
+#if (NGX_QUIC_QUICTLS_API)
+    /* QuicTLS provides app read keys before completing handshake */
 
     if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
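Review bot: The switch from `#if !defined (OPENSSL_IS_BORINGSSL)` to `#if (NGX_QUIC_QUICTLS_API)` in ngx_quic_handle_payload() narrows which builds compile the check that rejects application-level packets while `c->ssl->handshaked` is unset: LibreSSL and the OpenSSL compat layer used to include it and, per the new block in ngx_event_quic.h, no longer do. The commit message describes only a consolidation of macros, so it should say whether this is intended, and the comment could state why the other APIs do not need the check, e.g. `/* only QuicTLS provides app read keys before completing handshake */` if that is the case. The last hunk of ngx_event_quic_ssl.c makes a similar substitution for `OPENSSL_INFO_QUIC`, which is equivalent only if both macros are always defined by the same libraries; that cannot be confirmed from the diff. The function body continues outside this hunk.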
diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h
index 15201671d..50a5c214e 100644
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -12,6 +12,18 @@
 #include <ngx_core.h>
 
 
+#ifdef SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION
+#define NGX_QUIC_QUICTLS_API                 1
+
+#elif (defined OPENSSL_IS_BORINGSSL || defined LIBRESSL_VERSION_NUMBER)
+#define NGX_QUIC_BORINGSSL_API               1
+
+#else
+#define NGX_QUIC_BORINGSSL_API               1
+#define NGX_QUIC_OPENSSL_COMPAT              1
+#endif
+
+
 #define NGX_QUIC_MAX_UDP_PAYLOAD_SIZE        65527
 
 #define NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT  3
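Review bot: The new `#ifdef SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION` chain gives the right answer only if the SSL library headers have already been included when ngx_event_quic.h is processed; otherwise it falls through to the `#else` branch and silently selects `NGX_QUIC_OPENSSL_COMPAT`, which also compiles out the handshake-state check in ngx_quic_handle_payload(). Only `#include <ngx_core.h>` is visible above the block, so presumably that pulls in the OpenSSL headers, but nothing here documents it. I would add a comment above the block such as `/* SSL library QUIC API detection; relies on the SSL headers included via ngx_core.h */`, and note that the final `#else` is a catch-all for any library that defines none of the three macros.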
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.h 
b/src/event/quic/ngx_event_quic_openssl_compat.h
index 77cc3cb0d..89ee41e89 100644
--- a/src/event/quic/ngx_event_quic_openssl_compat.h
+++ b/src/event/quic/ngx_event_quic_openssl_compat.h
@@ -7,11 +7,6 @@
 #ifndef _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
 #define _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
 
-#if defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION                 \
-    || defined LIBRESSL_VERSION_NUMBER
-#undef NGX_QUIC_OPENSSL_COMPAT
-#else
-
 
 #include <ngx_config.h>
 #include <ngx_core.h>
@@ -53,7 +48,4 @@ int SSL_set_quic_transport_params(SSL *ssl, const uint8_t 
*params,
 void SSL_get_peer_quic_transport_params(const SSL *ssl,
     const uint8_t **out_params, size_t *out_params_len);
 
-
-#endif /* TLSEXT_TYPE_quic_transport_parameters */
-
 #endif /* _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ */
diff --git a/src/event/quic/ngx_event_quic_ssl.c 
b/src/event/quic/ngx_event_quic_ssl.c
index e5d481d1c..1bb34831c 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -10,13 +10,6 @@
 #include <ngx_event_quic_connection.h>
 
 
-#if defined OPENSSL_IS_BORINGSSL                                              \
-    || defined LIBRESSL_VERSION_NUMBER                                        \
-    || NGX_QUIC_OPENSSL_COMPAT
-#define NGX_QUIC_BORINGSSL_API   1
-#endif
-
-
 /*
  * RFC 9000, 7.5.  Cryptographic Message Buffering
  *
@@ -32,7 +25,7 @@ static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
 static int ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
     enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
     const uint8_t *secret, size_t secret_len);
-#else
+#else /* NGX_QUIC_QUICTLS_API */
 static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
     enum ssl_encryption_level_t level, const uint8_t *read_secret,
     const uint8_t *write_secret, size_t secret_len);
@@ -108,7 +101,7 @@ ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
     return 1;
 }
 
-#else
+#else /* NGX_QUIC_QUICTLS_API */
 
 static int
 ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
@@ -550,7 +543,7 @@ ngx_quic_init_connection(ngx_connection_t *c)
         return NGX_ERROR;
     }
 
-#ifdef OPENSSL_INFO_QUIC
+#if (NGX_QUIC_QUICTLS_API)
     if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
         SSL_set_quic_early_data_enabled(ssl_conn, 1);
     }