src: Support building with aws-lc

Tatsuhiro Tsujikawa
2023-12-18 19:50:57 +09:00
parent 2bbbbe207e
commit 9354d4a84f
14 changed files with 110 additions and 102 deletions


@@ -721,16 +721,16 @@ int main(int argc, char **argv) {
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
rv = parse_uri(&uri, argv[1]);
if (rv != 0) {


@@ -619,16 +619,16 @@ int main(int argc, char **argv) {
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
run(argv[1]);
return 0;


@@ -819,16 +819,16 @@ int main(int argc, char **argv) {
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) */
run(argv[1], argv[2], argv[3]);
return 0;


@@ -71,6 +71,7 @@
#include "http2.h"
#include "util.h"
#include "template.h"
#include "ssl_compat.h"
#ifndef O_BINARY
# define O_BINARY (0)
@@ -2978,26 +2979,26 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, config.tls13_ciphers.c_str()) == 0) {
std::cerr << "SSL_CTX_set_ciphersuites with " << config.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr)
<< std::endl;
exit(EXIT_FAILURE);
}
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl;
exit(EXIT_FAILURE);
}
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
if (SSL_CTX_set1_curves_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_curves_list failed" << std::endl;
exit(EXIT_FAILURE);
}
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
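Review bot: With the alias, the `SSL_CTX_set_ciphersuites` block guarded by `#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)` is now compiled out for AWS-LC as well, so `config.tls13_ciphers` is silently ignored on that build with no diagnostic to the user. BoringSSL has no TLS 1.3 cipher-suite setter, but AWS-LC has been adding OpenSSL-compatible APIs on top of the BoringSSL fork, so it is worth checking its ssl.h before folding it into the BoringSSL case; if the call is available there, this guard should test the library rather than the alias. At minimum the `#endif` deserves a comment such as `// TLS 1.3 cipher configuration is not exposed by BoringSSL-API libraries (BoringSSL, AWS-LC); the option is a no-op there`. The same guard pattern appears around the `SSL_CTX_set_ciphersuites` calls in `create_ssl_context`, `create_quic_ssl_context` and `create_ssl_client_context` later in this commit. The enclosing `main` starts and ends outside the hunk.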


@@ -699,14 +699,14 @@ int HttpClient::initiate_connection() {
#if LIBRESSL_2_7_API || \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),
host_string.size());
#endif // LIBRESSL_2_7_API || (!LIBRESSL_IN_USE &&
// OPENSSL_VERSION_NUMBER >= 0x10002000L) ||
// defined(OPENSSL_IS_BORINGSSL)
// defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
if (!util::numeric_host(host_string.c_str())) {


@@ -1992,11 +1992,11 @@ void fill_default_config(Config *config) {
tlsconf.max_proto_version =
tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
tlsconf.max_early_data = 16_k;
#if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
tlsconf.ecdh_curves = StringRef::from_lit("P-256:P-384:P-521");
#endif // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto &httpconf = config->http;
httpconf.server_name = StringRef::from_lit("nghttpx");


@@ -407,7 +407,7 @@ int Connection::tls_handshake() {
ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls.server_handshake || tls.early_data_finish) {
rv = SSL_do_handshake(tls.ssl);
} else {
@@ -458,9 +458,9 @@ int Connection::tls_handshake() {
}
}
}
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
rv = SSL_do_handshake(tls.ssl);
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv);
@@ -509,9 +509,9 @@ int Connection::tls_handshake() {
// routine. We have to check HTTP/2 requirement if HTTP/2 was
// negotiated before sending finished message to the peer.
if ((rv != 1
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
|| SSL_in_init(tls.ssl)
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
) &&
tls.wbuf.rleft()) {
// First write indicates that resumption stuff has done.
@@ -549,7 +549,7 @@ int Connection::tls_handshake() {
return SHRPX_ERR_INPROGRESS;
}
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
if (!tlsconf.no_postpone_early_data && SSL_in_early_data(tls.ssl) &&
SSL_in_init(tls.ssl)) {
auto nread = SSL_read(tls.ssl, buf.data(), buf.size());
@@ -581,7 +581,7 @@ int Connection::tls_handshake() {
return SHRPX_ERR_INPROGRESS;
}
}
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
// Handshake was done
@@ -611,14 +611,14 @@ int Connection::tls_handshake_simple() {
}
int rv;
#if OPENSSL_1_1_1_API || defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto &tlsconf = get_config()->tls;
std::array<uint8_t, 16_k> buf;
#endif // OPENSSL_1_1_1_API || defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls.server_handshake || tls.early_data_finish) {
rv = SSL_do_handshake(tls.ssl);
} else {
@@ -663,9 +663,9 @@ int Connection::tls_handshake_simple() {
}
}
}
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
rv = SSL_do_handshake(tls.ssl);
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv);
@@ -704,7 +704,7 @@ int Connection::tls_handshake_simple() {
return SHRPX_ERR_INPROGRESS;
}
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
if (!tlsconf.no_postpone_early_data && SSL_in_early_data(tls.ssl) &&
SSL_in_init(tls.ssl)) {
auto nread = SSL_read(tls.ssl, buf.data(), buf.size());
@@ -736,7 +736,7 @@ int Connection::tls_handshake_simple() {
return SHRPX_ERR_INPROGRESS;
}
}
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
// Handshake was done
@@ -771,7 +771,7 @@ int Connection::write_tls_pending_handshake() {
tls.wbuf.drain(nwrite);
}
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
if (!SSL_in_init(tls.ssl)) {
// This will send a session ticket.
auto nwrite = SSL_write(tls.ssl, "", 0);
@@ -799,7 +799,7 @@ int Connection::write_tls_pending_handshake() {
}
}
}
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
// We have to start read watcher, since later stage of code expects
// this.
@@ -932,7 +932,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
int rv;
if (SSL_is_init_finished(tls.ssl)) {
rv = SSL_write(tls.ssl, data, len);
@@ -944,9 +944,9 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
rv = nwrite;
}
}
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
auto rv = SSL_write(tls.ssl, data, len);
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv);
@@ -1023,7 +1023,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
auto via_bio =
tls.server_handshake && !tlsconf.session_cache.memcached.host.empty();
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls.early_data_finish) {
// TLSv1.3 handshake is still going on.
size_t nread;
@@ -1067,7 +1067,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
return nread;
}
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto rv = SSL_read(tls.ssl, data, len);


@@ -48,6 +48,7 @@
#include "xsi_strerror.h"
#include "util.h"
#include "template.h"
#include "ssl_compat.h"
using namespace nghttp2;
@@ -738,7 +739,7 @@ void ConnectionHandler::handle_ocsp_complete() {
// that case we get nullptr.
auto quic_ssl_ctx = quic_all_ssl_ctx_[ocsp_.next];
if (quic_ssl_ctx) {
# ifndef OPENSSL_IS_BORINGSSL
# ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
auto quic_tls_ctx_data = static_cast<tls::TLSContextData *>(
SSL_CTX_get_app_data(quic_ssl_ctx));
# ifdef HAVE_ATOMIC_STD_SHARED_PTR
@@ -751,14 +752,14 @@ void ConnectionHandler::handle_ocsp_complete() {
quic_tls_ctx_data->ocsp_data =
std::make_shared<std::vector<uint8_t>>(ocsp_.resp);
# endif // !HAVE_ATOMIC_STD_SHARED_PTR
# else // OPENSSL_IS_BORINGSSL
# else // NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_ocsp_response(quic_ssl_ctx, ocsp_.resp.data(),
ocsp_.resp.size());
# endif // OPENSSL_IS_BORINGSSL
# endif // NGHTTP2_OPENSSL_IS_BORINGSSL
}
#endif // ENABLE_HTTP3
#ifndef OPENSSL_IS_BORINGSSL
#ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
# ifdef HAVE_ATOMIC_STD_SHARED_PTR
std::atomic_store_explicit(
&tls_ctx_data->ocsp_data,
@@ -769,9 +770,9 @@ void ConnectionHandler::handle_ocsp_complete() {
tls_ctx_data->ocsp_data =
std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp));
# endif // !HAVE_ATOMIC_STD_SHARED_PTR
#else // OPENSSL_IS_BORINGSSL
#else // NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_ocsp_response(ssl_ctx, ocsp_.resp.data(), ocsp_.resp.size());
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
}
++ocsp_.next;


@@ -46,6 +46,7 @@
#endif // HAVE_MRUBY
#include "http3.h"
#include "util.h"
#include "ssl_compat.h"
namespace shrpx {
@@ -671,7 +672,7 @@ int Http3Upstream::init(const UpstreamAddr *faddr, const Address &remote_addr,
params.max_idle_timeout = static_cast<ngtcp2_tstamp>(
quicconf.upstream.timeout.idle * NGTCP2_SECONDS);
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
if (quicconf.upstream.early_data) {
ngtcp2_transport_params early_data_params;
@@ -707,7 +708,7 @@ int Http3Upstream::init(const UpstreamAddr *faddr, const Address &remote_addr,
return -1;
}
}
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
if (odcid) {
params.original_dcid = *odcid;


@@ -34,6 +34,7 @@
#include "shrpx_log.h"
#include "shrpx_http3_upstream.h"
#include "shrpx_connection_handler.h"
#include "ssl_compat.h"
namespace shrpx {
@@ -390,9 +391,9 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
return nullptr;
}
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
assert(SSL_is_quic(ssl));
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_set_accept_state(ssl);
@@ -400,11 +401,11 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
auto &quicconf = config->quic;
if (quicconf.upstream.early_data) {
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_set_quic_early_data_enabled(ssl, 1);
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
SSL_set_early_data_enabled(ssl, 1);
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
}
// Disable TLS session ticket if we don't have working ticket


@@ -55,9 +55,9 @@
# include <openssl/core_names.h>
# include <openssl/decoder.h>
#endif // OPENSSL_3_0_0_API
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
# include <openssl/hmac.h>
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
#include <nghttp2/nghttp2.h>
@@ -231,7 +231,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
assert(!ssl_ctx_list.empty());
#if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \
#if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \
OPENSSL_VERSION_NUMBER >= 0x10002000L
auto num_sigalgs =
SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
@@ -322,7 +322,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
# endif // !OPENSSL_3_0_0_API
}
}
#endif // !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&
#endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&
// OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
@@ -331,7 +331,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
}
} // namespace
#ifndef OPENSSL_IS_BORINGSSL
#ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
namespace {
std::shared_ptr<std::vector<uint8_t>>
get_ocsp_data(TLSContextData *tls_ctx_data) {
@@ -371,7 +371,7 @@ int ocsp_resp_cb(SSL *ssl, void *arg) {
return SSL_TLSEXT_ERR_OK;
}
} // namespace
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
constexpr auto MEMCACHED_SESSION_CACHE_KEY_PREFIX =
StringRef::from_lit("nghttpx:tls-session-cache:");
@@ -742,7 +742,7 @@ int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
#endif // ENABLE_HTTP3
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
# ifndef TLSEXT_TYPE_signed_certificate_timestamp
# define TLSEXT_TYPE_signed_certificate_timestamp 18
@@ -833,7 +833,7 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
# endif // !OPENSSL_1_1_1_API
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
// !defined(OPENSSL_IS_BORINGSSL)
// !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_PSK
namespace {
@@ -942,7 +942,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// The reason for disabling built-in anti-replay in
// OpenSSL is that it only works if client gets back
// to the same server. The freshness check
@@ -950,7 +950,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
// https://tools.ietf.org/html/rfc8446#section-8.3
// is still performed.
| SSL_OP_NO_ANTI_REPLAY
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
;
auto config = mod_config();
@@ -987,13 +987,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE();
}
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
@@ -1002,11 +1002,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
<< " failed";
DIE();
}
# if !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
// It looks like we need this function call for OpenSSL 1.0.2. This
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
# endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
@@ -1141,14 +1141,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
#else // !OPENSSL_3_0_0_API
SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
#endif // !OPENSSL_3_0_0_API
#ifndef OPENSSL_IS_BORINGSSL
#ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_info_callback(ssl_ctx, info_callback);
#ifdef OPENSSL_IS_BORINGSSL
#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
#endif // OPENSSL_IS_BORINGSSL
#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
// NPN advertisement
#ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1166,7 +1166,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially,
@@ -1197,7 +1197,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
# endif // !OPENSSL_1_1_1_API
}
#elif defined(OPENSSL_IS_BORINGSSL)
#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls_ctx_data->sct_data.empty() &&
SSL_CTX_set_signed_cert_timestamp_list(
ssl_ctx, tls_ctx_data->sct_data.data(),
@@ -1206,15 +1206,15 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // defined(OPENSSL_IS_BORINGSSL)
#endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
@@ -1243,14 +1243,14 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE
# if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// The reason for disabling built-in anti-replay in OpenSSL is
// that it only works if client gets back to the same server.
// The freshness check described in
// https://tools.ietf.org/html/rfc8446#section-8.3 is still
// performed.
| SSL_OP_NO_ANTI_REPLAY
# endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
;
auto config = mod_config();
@@ -1283,13 +1283,13 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
DIE();
}
# if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
# ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
@@ -1298,11 +1298,11 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< " failed";
DIE();
}
# if !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
// It looks like we need this function call for OpenSSL 1.0.2. This
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
# endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
@@ -1437,9 +1437,9 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
# else // !OPENSSL_3_0_0_API
SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
# endif // !OPENSSL_3_0_0_API
# ifndef OPENSSL_IS_BORINGSSL
# ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
# endif // OPENSSL_IS_BORINGSSL
# endif // NGHTTP2_OPENSSL_IS_BORINGSSL
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
// ALPN selection callback
@@ -1453,7 +1453,7 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
# if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially,
@@ -1484,7 +1484,7 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
}
# endif // !OPENSSL_1_1_1_API
}
# elif defined(OPENSSL_IS_BORINGSSL)
# elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls_ctx_data->sct_data.empty() &&
SSL_CTX_set_signed_cert_timestamp_list(
ssl_ctx, tls_ctx_data->sct_data.data(),
@@ -1493,9 +1493,9 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // defined(OPENSSL_IS_BORINGSSL)
# endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto &quicconf = config->quic;
if (quicconf.upstream.early_data &&
@@ -1505,7 +1505,7 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
# ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
@@ -1607,14 +1607,14 @@ SSL_CTX *create_ssl_client_context(
DIE();
}
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -2620,7 +2620,7 @@ namespace {
int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
int rv;
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
struct tm tm;
rv = ASN1_TIME_to_tm(at, &tm);
if (rv != 1) {
@@ -2628,7 +2628,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
}
t = nghttp2_timegm(&tm);
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
auto b = BIO_new(BIO_s_mem());
if (!b) {
return -1;
@@ -2641,7 +2641,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
return -1;
}
# ifdef OPENSSL_IS_BORINGSSL
# ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
char *s;
# else
unsigned char *s;
@@ -2654,7 +2654,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
}
t = tt;
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL))
return 0;
}


@@ -44,4 +44,8 @@
# define LIBRESSL_3_5_API 0
# endif // !LIBRESSL_VERSION_NUMBER
# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
# define NGHTTP2_OPENSSL_IS_BORINGSSL
# endif // OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC
#endif // OPENSSL_COMPAT_H
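Review bot: `NGHTTP2_OPENSSL_IS_BORINGSSL` is now defined for AWS-LC too, so every `#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL` branch in the rest of this commit (early-data handling, OCSP response installation, skipped `SSL_OP_NO_ANTI_REPLAY` and `SSL_CTX_set_max_early_data`) covers both libraries, yet the name says only BoringSSL and nothing at the definition explains it. A comment above the `# if`, for example `// AWS-LC is a BoringSSL fork that exposes the BoringSSL API; src/ treats both as "BoringSSL" and must not rely on behaviour AWS-LC does not share`, would keep a future BoringSSL-only workaround from being applied to AWS-LC by accident. Both `OPENSSL_IS_BORINGSSL` and `OPENSSL_IS_AWSLC` are provided by the library's own headers, so this test only fires if an OpenSSL header such as `<openssl/opensslv.h>` is included earlier in this file; the top of the header, including the `#if` the indented `# if` nests in, is outside the hunk, so that ordering is worth confirming.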


@@ -151,24 +151,24 @@ bool check_http2_requirement(SSL *ssl) {
void libssl_init() {
#if OPENSSL_1_1_API
// No explicit initialization is required.
#elif defined(OPENSSL_IS_BORINGSSL)
#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
CRYPTO_library_init();
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
OPENSSL_config(nullptr);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
}
int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max) {
#if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_min_proto_version(ssl_ctx, min) != 1 ||
SSL_CTX_set_max_proto_version(ssl_ctx, max) != 1) {
return -1;
}
return 0;
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
long int opts = 0;
// TODO We depends on the ordering of protocol version macro in
@@ -193,7 +193,7 @@ int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max) {
SSL_CTX_set_options(ssl_ctx, opts);
return 0;
#endif // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
}
} // namespace tls


@@ -61,7 +61,7 @@ constexpr char DEFAULT_CIPHER_LIST[] =
//
// https://wiki.mozilla.org/Security/Server_Side_TLS
constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
#else
""