WIP

Author: cjpatton

.github/workflows/nightly.yml

@@ -7,7 +7,10 @@ permissions:
   pull-requests: write
 
 env:
-  FEATURES: "async,ffi,qlog"
+  # `rpk` covers the boring 4 vs 5 RPK arms in
+  # `tokio-quiche/src/settings/config.rs`; see the same comment in
+  # `stable.yml`.
+  FEATURES: "async,ffi,qlog,rpk"
   RUSTFLAGS: "-D warnings"
   RUSTDOCFLAGS: "--cfg docsrs"
   RUSTTOOLCHAIN: "nightly"

.github/workflows/stable.yml

@@ -7,7 +7,11 @@ permissions:
   pull-requests: write
 
 env:
-  DEFAULT_OPTIONS: "--features=async,ffi,qlog --workspace"
+  # `rpk` is included so the boring 4 vs 5 RPK arms in
+  # `tokio-quiche/src/settings/config.rs` are exercised by CI;
+  # without it neither arm is compiled and a regression on either
+  # version would slip through.
+  DEFAULT_OPTIONS: "--features=async,ffi,qlog,rpk --workspace"
   # Used by `quiche_multiarch`, which can't link `boring` for foreign targets.
   NO_BORING_OPTIONS: "--features=ffi,qlog --workspace --exclude h3i --exclude tokio-quiche"
   RUSTFLAGS: "-D warnings"
@@ -20,6 +24,10 @@ concurrency:
 jobs:
   quiche:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        boring_version: ["latest", "4"]
     # Only run on "pull_request" event for external PRs. This is to avoid
     # duplicate builds for PRs created from internal branches.
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
@@ -38,6 +46,17 @@ jobs:
           sudo apt-get update
           sudo apt-get install libexpat1-dev libfreetype6-dev libfontconfig1-dev
 
+      - name: Maybe pin boring to latest 4.x
+        if: matrix.boring_version == '4'
+        run: |
+          # Pin boring 4. cargo's resolver normally picks the highest match
+          # (5). Generate the lockfile first, then downgrade to a known-good
+          # 4.x via `--precise`. `quiche/src/build.rs` and
+          # `tokio-quiche/build.rs` then read the lockfile and flip
+          # `cfg(boring_v4)` on.
+          cargo generate-lockfile
+          cargo update -p boring --precise 4.22.0
+
       - name: Unused dependency check
         uses: bnjbvr/cargo-machete@main
 

Cargo.toml

@@ -27,6 +27,7 @@ categories = ["network-programming"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(capture_keylogs)',
   'cfg(test_invalid_len_compilation_fail)',
+  'cfg(boring_v4)',
 ] }
 
 [workspace.metadata.release]
@@ -40,7 +41,20 @@ publish = false
 [workspace.dependencies]
 anyhow = { version = "1" }
 assert_matches = { version = "1" }
-boring = { version = "5.1.0" }
+# Accept both `boring` 4.x (>= 4.21, where the APIs we use stabilised)
+# and `boring` 5.x. The active version is picked by cargo's resolver
+# based on the lockfile / downstream constraints; quiche's `build.rs`
+# detects which one was selected and emits `cfg(boring_v4)` for the
+# legacy 4.x case so source code can switch on it. The `boring_v4`
+# cfg is meant to be a transitional flag; new code should live in the
+# `not(boring_v4)` arm so the cfg can be retired by simply deleting
+# the legacy arms once internal users have moved off 4.x. See
+# `quiche/src/build.rs` and the `boringssl-boring-crate` feature in
+# `quiche/Cargo.toml`.
+#
+# `boring-sys` uses `links = "boringssl"`, so only one major version
+# can ever be in the dep graph at a time.
+boring = { version = ">=4.21, <6" }
 buffer-pool = { version = "0.2.1", path = "./buffer-pool" }
 bytes = { version = "1.11.1" }
 crossbeam = { version = "0.8.1", default-features = false }

quiche/Cargo.toml

@@ -28,6 +28,22 @@ workspace = true
 default = ["boringssl-boring-crate"]
 
 # Use the BoringSSL library provided by the boring crate.
+#
+# Both `boring` 4.x (>= 4.21) and 5.x are supported. Cargo's resolver
+# picks the version based on the lockfile and downstream constraints;
+# `build.rs` detects which major version was selected at compile time
+# and emits a `cfg(boring_v4)` flag for the legacy 4.x case. The two
+# majors differ in their default TLS curve list (5.x advertises
+# post-quantum key shares) and in their Rust API for raw public
+# keys; see `tokio-quiche/src/settings/config.rs` for the per-version
+# code. `boring_v4` is a transitional cfg meant to be retired once
+# internal users have moved off 4.x.
+#
+# Downstream code that depends on `boring` directly (e.g. to construct
+# an `SslContextBuilder` for `Config::with_boring_ssl_ctx_builder`)
+# will resolve to the same `boring` version as quiche, since
+# `boring-sys` uses `links = "boringssl"` and cargo allows only one
+# copy in the dep graph.
 boringssl-boring-crate = ["boring", "foreign-types-shared"]
 
 # Allow client connections to provide a custom DCID when initiating a

quiche/src/build.rs

@@ -30,6 +30,83 @@ Cflags: -I${{includedir}}
     out_file.write_all(output.as_bytes()).unwrap();
 }
 
+/// Returns true if cargo resolved `boring` to a 4.x version.
+///
+/// Walks up from `OUT_DIR` looking for a `Cargo.lock`, then scans it
+/// for the `boring` package. We use `Cargo.lock` rather than shelling
+/// out to `cargo metadata` because (a) the lockfile is guaranteed to
+/// exist at this point in the build, (b) parsing it is cheap and has
+/// no extra dependencies, and (c) it avoids re-entering cargo from a
+/// build script.
+fn detect_boring_v4() -> bool {
+    let Some(lockfile) = find_cargo_lock() else {
+        // No lockfile (shouldn't happen in normal cargo builds, but
+        // be conservative). Assume 5.x — the default and forward-
+        // looking version. Downstream can fix this by generating a
+        // lockfile (`cargo generate-lockfile`).
+        println!(
+            "cargo:warning=quiche: Cargo.lock not found; assuming boring 5.x"
+        );
+        return false;
+    };
+
+    println!("cargo:rerun-if-changed={}", lockfile.display());
+
+    let contents = match std::fs::read_to_string(&lockfile) {
+        Ok(s) => s,
+        Err(e) => {
+            println!(
+                "cargo:warning=quiche: failed to read {}: {e}; assuming boring 5.x",
+                lockfile.display(),
+            );
+            return false;
+        },
+    };
+
+    // The lockfile is TOML but a regex-light scan is enough: find a
+    // `[[package]]` whose `name = "boring"` (not "boring-sys") and
+    // read its `version`.
+    let mut in_boring = false;
+    for line in contents.lines() {
+        let line = line.trim();
+        if line == "[[package]]" {
+            in_boring = false;
+            continue;
+        }
+        if line == "name = \"boring\"" {
+            in_boring = true;
+            continue;
+        }
+        if in_boring {
+            if let Some(rest) = line.strip_prefix("version = \"") {
+                let version = rest.trim_end_matches('"');
+                let major = version.split('.').next().unwrap_or("");
+                return major == "4";
+            }
+        }
+    }
+
+    // `boring` not present in the lockfile (e.g.
+    // `boringssl-boring-crate` is off). Doesn't matter what we return
+    // since the `cfg` won't be observed.
+    false
+}
+
+fn find_cargo_lock() -> Option<std::path::PathBuf> {
+    // Start from `CARGO_MANIFEST_DIR` and walk up. Cargo guarantees
+    // the lockfile lives at the workspace root, which is an ancestor
+    // of the manifest dir.
+    let manifest_dir =
+        std::path::PathBuf::from(std::env::var_os("CARGO_MANIFEST_DIR")?);
+    for dir in manifest_dir.ancestors() {
+        let candidate = dir.join("Cargo.lock");
+        if candidate.is_file() {
+            return Some(candidate);
+        }
+    }
+    None
+}
+
 fn target_dir_path() -> std::path::PathBuf {
     let out_dir = std::env::var("OUT_DIR").unwrap();
     let out_dir = std::path::Path::new(&out_dir);
@@ -44,7 +121,18 @@ fn target_dir_path() -> std::path::PathBuf {
 }
 
 fn main() {
+    // Emit `cfg(boring_v4)` if boring version 4.x is detected. This is used to
+    // pick which APIs to expect and to guide test expectations. (Larger post
+    // quantum key shares are enabled by default in boring 5.x but not boring
+    // 4.x.)
+    //
+    // The cfg is always registered (even when the backend feature is
+    // off) so rustc doesn't warn about unknown cfg names.
+    println!("cargo::rustc-check-cfg=cfg(boring_v4)");
     if cfg!(feature = "boringssl-boring-crate") {
+        if detect_boring_v4() {
+            println!("cargo:rustc-cfg=boring_v4");
+        }
         println!("cargo:rustc-link-lib=static=ssl");
         println!("cargo:rustc-link-lib=static=crypto");
     }