tls: add feature to build against OpenSSL

This adds a new feature "openssl" to build against OpenSSL instead of BoringSSL. We need this because the OpenSSL and BoringSSL APIs are not fully compatible (e.g. some "functions" are actually macros wrapping SSL_ctrl()). To build OpenSSL do: ``` % git clone --branch=master-quic-support https://github.com/akamai/openssl/ % cd openssl % export OPENSSL_INSTALL_PATH=$PWD/build % ./config enable-tls1_3 --prefix=$OPENSSL_INSTALL_PATH % make -j$(nproc) % make install_sw ``` To build quiche using the above OpenSSL build do: ``` % export PKG_CONFIG_PATH=$OPENSSL_INSTALL_PATH/lib/pkgconfig % export LD_LIBRARY_PATH=$OPENSSL_INSTALL_PATH/lib % cargo test --features openssl ```
cloudflare · Sep 28, 2019 · 70ad17d · 70ad17d
1 parent d646a60
commit 70ad17d
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 1 deletion.
diff --git a/Cargo.toml b/Cargo.toml
@@ -25,6 +25,9 @@ default = ["boringssl-vendored"]
 # Build vendored BoringSSL library.
 boringssl-vendored = []
 
+# Build quiche against OpenSSL instead of BoringSSL.
+openssl = ["pkg-config"]
+
 # Generate pkg-config metadata file for libquiche.
 pkg-config-meta = []
 
@@ -33,6 +36,7 @@ default-features = false
 
 [build-dependencies]
 cmake = "0.1"
+pkg-config = { version = "0.3", optional = true }
 
 [dependencies]
 log = "0.4"

diff --git a/src/build.rs b/src/build.rs
@@ -153,7 +153,7 @@ Cflags: -I${{includedir}}
 }
 
 fn main() {
-    if cfg!(feature = "boringssl-vendored") {
+    if cfg!(feature = "boringssl-vendored") && !cfg!(feature = "openssl") {
         let bssl_dir = std::env::var("QUICHE_BSSL_PATH").unwrap_or_else(|_| {
             get_boringssl_cmake_config()
                 .build_target("bssl")
@@ -173,6 +173,14 @@ fn main() {
         println!("cargo:rustc-link-lib=static=ssl");
     }
 
+    if cfg!(feature = "openssl") {
+        #[cfg(feature = "openssl")]
+        pkg_config::probe_library("libcrypto").unwrap();
+
+        #[cfg(feature = "openssl")]
+        pkg_config::probe_library("libssl").unwrap();
+    }
+
     if cfg!(feature = "pkg-config-meta") {
         write_pkg_config();
     }

diff --git a/src/tls.rs b/src/tls.rs
@@ -780,6 +780,7 @@ extern {
     );
 
     // SSL
+    #[cfg(not(feature = "openssl"))]
     fn SSL_get_ex_new_index(
         argl: c_long, argp: *const c_void, unused: *const c_void,
         dup_unused: *const c_void, free_func: *const c_void,
@@ -799,11 +800,14 @@ extern {
 
     fn SSL_get_current_cipher(ssl: *mut SSL) -> *const SSL_CIPHER;
 
+    #[cfg(not(feature = "openssl"))]
     fn SSL_set_min_proto_version(ssl: *mut SSL, version: u16);
+    #[cfg(not(feature = "openssl"))]
     fn SSL_set_max_proto_version(ssl: *mut SSL, version: u16);
 
     fn SSL_set_quiet_shutdown(ssl: *mut SSL, mode: c_int);
 
+    #[cfg(not(feature = "openssl"))]
     fn SSL_set_tlsext_host_name(ssl: *mut SSL, name: *const c_char) -> c_int;
 
     fn SSL_set_quic_transport_params(
@@ -834,6 +838,11 @@ extern {
 
     fn SSL_clear(ssl: *mut SSL) -> c_int;
 
+    #[cfg(feature = "openssl")]
+    fn SSL_ctrl(
+        ssl: *mut SSL, cmd: c_int, larg: c_long, parg: *mut c_void,
+    ) -> c_int;
+
     fn SSL_free(ssl: *mut SSL);
 
     // SSL_CIPHER
@@ -858,4 +867,70 @@ extern {
     fn ERR_peek_error() -> c_uint;
 
     fn ERR_error_string_n(err: c_uint, buf: *const u8, len: usize);
+
+    // CRYPTO
+    #[cfg(feature = "openssl")]
+    fn CRYPTO_get_ex_new_index(
+        class_index: c_int, argl: c_long, argp: *const c_void,
+        new_func: *const c_void, dup_func: *const c_void,
+        free_func: *const c_void,
+    ) -> c_int;
+}
+
+// OpenSSL compatibility functions.
+//
+// These don't 100% follow the OpenSSL API (e.g. some arguments have slightly
+// different types) in order to make them compatible with the BoringSSL API.
+
+#[cfg(feature = "openssl")]
+#[allow(non_snake_case)]
+unsafe fn SSL_set_min_proto_version(s: *mut SSL, version: u16) {
+    const SSL_CTRL_SET_MIN_PROTO_VERSION: c_int = 123;
+
+    SSL_ctrl(
+        s,
+        SSL_CTRL_SET_MIN_PROTO_VERSION,
+        version as c_long,
+        ptr::null_mut(),
+    );
+}
+
+#[cfg(feature = "openssl")]
+#[allow(non_snake_case)]
+unsafe fn SSL_set_max_proto_version(s: *mut SSL, version: u16) {
+    const SSL_CTRL_SET_MAX_PROTO_VERSION: c_int = 124;
+
+    SSL_ctrl(
+        s,
+        SSL_CTRL_SET_MAX_PROTO_VERSION,
+        version as c_long,
+        ptr::null_mut(),
+    );
+}
+
+#[cfg(feature = "openssl")]
+#[allow(non_snake_case)]
+unsafe fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_int {
+    const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55;
+
+    #[allow(non_upper_case_globals)]
+    const TLSEXT_NAMETYPE_host_name: c_long = 0;
+
+    SSL_ctrl(
+        s,
+        SSL_CTRL_SET_TLSEXT_HOSTNAME,
+        TLSEXT_NAMETYPE_host_name,
+        name as *mut c_void,
+    )
+}
+
+#[cfg(feature = "openssl")]
+#[allow(non_snake_case)]
+unsafe fn SSL_get_ex_new_index(
+    argl: c_long, argp: *const c_void, newf: *const c_void, dupf: *const c_void,
+    freef: *const c_void,
+) -> c_int {
+    const CRYPTO_EX_INDEX_SSL: c_int = 0;
+
+    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, newf, dupf, freef)
 }