luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

quic: require at least OpenSSL 3.3 for QUIC

Browse Source 
- when checking for QUIC support in OpenSSL, also check
  for it being at least 3.3.0
- remove workarounds for features buggy or missing in 3.2

Closes #14026
This commit is contained in:
Stefan Eissing 2024-06-26 11:19:26 +02:00 committed by Daniel Stenberg
parent 4d58ed2d2c
commit 411af83010
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
configure.ac
View File

@ -3189,7 +3189,7 @@ if test "x$want_openssl_quic" = "xyes"; then
AC_MSG_ERROR([--with-openssl-quic and --with-ngtcp2 are mutually exclusive]) AC_MSG_ERROR([--with-openssl-quic and --with-ngtcp2 are mutually exclusive])
fi fi
if test "$HAVE_OPENSSL_QUIC" != 1; then if test "$HAVE_OPENSSL_QUIC" != 1; then
AC_MSG_ERROR([--with-openssl-quic requires quic support in OpenSSL]) AC_MSG_ERROR([--with-openssl-quic requires quic support and OpenSSL >= 3.3.0])
fi fi
AC_DEFINE(USE_OPENSSL_QUIC, 1, [if openssl QUIC is in use]) AC_DEFINE(USE_OPENSSL_QUIC, 1, [if openssl QUIC is in use])
AC_SUBST(USE_OPENSSL_QUIC, [1]) AC_SUBST(USE_OPENSSL_QUIC, [1])

6
lib/cf-socket.c
View File

@ -1856,18 +1856,12 @@ static CURLcode cf_udp_setup_quic(struct Curl_cfilter *cf,
/* QUIC needs a connected socket, nonblocking */ /* QUIC needs a connected socket, nonblocking */
DEBUGASSERT(ctx->sock != CURL_SOCKET_BAD); DEBUGASSERT(ctx->sock != CURL_SOCKET_BAD);
#if defined(__APPLE__) && defined(USE_OPENSSL_QUIC)
(void)rc;
/* On macOS OpenSSL QUIC fails on connected sockets.
* see: <https://github.com/openssl/openssl/issues/23251> */
#else
rc = connect(ctx->sock, &ctx->addr.sa_addr, rc = connect(ctx->sock, &ctx->addr.sa_addr,
(curl_socklen_t)ctx->addr.addrlen); (curl_socklen_t)ctx->addr.addrlen);
if(-1 == rc) { if(-1 == rc) {
return socket_connect_result(data, ctx->ip.remote_ip, SOCKERRNO); return socket_connect_result(data, ctx->ip.remote_ip, SOCKERRNO);
} }
ctx->sock_connected = TRUE; ctx->sock_connected = TRUE;
#endif
set_local_ip(cf, data); set_local_ip(cf, data);
CURL_TRC_CF(data, cf, "%s socket %" CURL_FORMAT_SOCKET_T CURL_TRC_CF(data, cf, "%s socket %" CURL_FORMAT_SOCKET_T
" connected: [%s:%d] -> [%s:%d]", " connected: [%s:%d] -> [%s:%d]",

7
lib/vquic/curl_osslq.c
View File

@ -1442,19 +1442,12 @@ static CURLcode h3_send_streams(struct Curl_cfilter *cf,
for(i = 0; (i < n) && !blocked; ++i) { for(i = 0; (i < n) && !blocked; ++i) {
/* Without stream->s.ssl, we closed that already, so /* Without stream->s.ssl, we closed that already, so
* pretend the write did succeed. */ * pretend the write did succeed. */
#ifdef SSL_WRITE_FLAG_CONCLUDE
/* Since OpenSSL v3.3.x, on last chunk set EOS if needed */
uint64_t flags = (eos && ((i + 1) == n))? SSL_WRITE_FLAG_CONCLUDE : 0; uint64_t flags = (eos && ((i + 1) == n))? SSL_WRITE_FLAG_CONCLUDE : 0;
written = vec[i].len; written = vec[i].len;
ok = !s->ssl || SSL_write_ex2(s->ssl, vec[i].base, vec[i].len, flags, ok = !s->ssl || SSL_write_ex2(s->ssl, vec[i].base, vec[i].len, flags,
&written); &written);
if(ok && flags & SSL_WRITE_FLAG_CONCLUDE) if(ok && flags & SSL_WRITE_FLAG_CONCLUDE)
eos_written = TRUE; eos_written = TRUE;
#else
written = vec[i].len;
ok = !s->ssl || SSL_write_ex(s->ssl, vec[i].base, vec[i].len,
&written);
#endif
if(ok) { if(ok) {
/* As OpenSSL buffers the data, we count this as acknowledged /* As OpenSSL buffers the data, we count this as acknowledged
* from nghttp3's point of view */ * from nghttp3's point of view */

5
m4/curl-openssl.m4
View File

@ -429,11 +429,14 @@ dnl ---
dnl We may use OpenSSL QUIC. dnl We may use OpenSSL QUIC.
dnl --- dnl ---
if test "$OPENSSL_ENABLED" = "1"; then if test "$OPENSSL_ENABLED" = "1"; then
AC_MSG_CHECKING([for QUIC support in OpenSSL]) AC_MSG_CHECKING([for QUIC support and OpenSSL >= 3.3])
AC_LINK_IFELSE([ AC_LINK_IFELSE([
AC_LANG_PROGRAM([[ AC_LANG_PROGRAM([[
#include <openssl/ssl.h> #include <openssl/ssl.h>
]],[[ ]],[[
#if (OPENSSL_VERSION_NUMBER < 0x30300000L)
#error need at least version 3.3.0
#endif
OSSL_QUIC_client_method(); OSSL_QUIC_client_method();
]]) ]])
],[ ],[