diff --git a/include/haproxy/quic_tls-t.h b/include/haproxy/quic_tls-t.h index 3a0c27ac5..ef3232aea 100644 --- a/include/haproxy/quic_tls-t.h +++ b/include/haproxy/quic_tls-t.h @@ -26,7 +26,7 @@ /* It seems TLS 1.3 ciphersuites macros differ between openssl and boringssl */ -#if defined(OPENSSL_IS_BORINGSSL) +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) #if !defined(TLS1_3_CK_AES_128_GCM_SHA256) #define TLS1_3_CK_AES_128_GCM_SHA256 TLS1_CK_AES_128_GCM_SHA256 #endif diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h index f82f3f397..1a316b282 100644 --- a/include/haproxy/quic_tls.h +++ b/include/haproxy/quic_tls.h @@ -141,9 +141,11 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIPHER *cipher) return EVP_aes_128_gcm(); case TLS1_3_CK_AES_256_GCM_SHA384: return EVP_aes_256_gcm(); +#if !defined(OPENSSL_IS_AWSLC) case TLS1_3_CK_CHACHA20_POLY1305_SHA256: return EVP_chacha20_poly1305(); -#ifndef USE_OPENSSL_WOLFSSL +#endif +#if !defined(USE_OPENSSL_WOLFSSL) && !defined(OPENSSL_IS_AWSLC) case TLS1_3_CK_AES_128_CCM_SHA256: return EVP_aes_128_ccm(); #endif @@ -169,8 +171,10 @@ static inline const EVP_MD *tls_md(const SSL_CIPHER *cipher) static inline const EVP_CIPHER *tls_hp(const SSL_CIPHER *cipher) { switch (SSL_CIPHER_get_id(cipher)) { +#if !defined(OPENSSL_IS_AWSLC) case TLS1_3_CK_CHACHA20_POLY1305_SHA256: return EVP_chacha20(); +#endif case TLS1_3_CK_AES_128_CCM_SHA256: case TLS1_3_CK_AES_128_GCM_SHA256: return EVP_aes_128_ctr(); @@ -367,7 +371,7 @@ static inline const char *ssl_error_str(int err) return "WANT_CONNECT"; case SSL_ERROR_WANT_ACCEPT: return "WANT_ACCEPT"; -#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_OPENSSL_WOLFSSL) +#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_OPENSSL_WOLFSSL) && !defined(OPENSSL_IS_AWSLC) case SSL_ERROR_WANT_ASYNC: return "WANT_ASYNC"; case SSL_ERROR_WANT_ASYNC_JOB: diff --git a/src/quic_ssl.c b/src/quic_ssl.c index 7043c8c62..37116ca1a 100644 --- a/src/quic_ssl.c +++ b/src/quic_ssl.c @@ -302,6 +302,27 @@ write: return ret; } +#if defined(OPENSSL_IS_AWSLC) +/* compatibility function for split read/write encryption secrets to be used + * with the API which uses 2 callbacks. */ +static inline int ha_quic_set_read_secret(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, + size_t secret_len) +{ + return ha_quic_set_encryption_secrets(ssl, level, secret, NULL, secret_len); + +} + +static inline int ha_quic_set_write_secret(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, + size_t secret_len) +{ + + return ha_quic_set_encryption_secrets(ssl, level, NULL, secret, secret_len); + +} +#endif + /* ->add_handshake_data QUIC TLS callback used by the QUIC TLS stack when it * wants to provide the QUIC layer with CRYPTO data. * Returns 1 if succeeded, 0 if not. @@ -367,12 +388,25 @@ static int ha_quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8 } /* QUIC TLS methods */ +#if defined(OPENSSL_IS_AWSLC) +/* write/read set secret splitted */ +static SSL_QUIC_METHOD ha_quic_method = { + .set_read_secret = ha_quic_set_read_secret, + .set_write_secret = ha_quic_set_write_secret, + .add_handshake_data = ha_quic_add_handshake_data, + .flush_flight = ha_quic_flush_flight, + .send_alert = ha_quic_send_alert, +}; + +#else + static SSL_QUIC_METHOD ha_quic_method = { .set_encryption_secrets = ha_quic_set_encryption_secrets, .add_handshake_data = ha_quic_add_handshake_data, .flush_flight = ha_quic_flush_flight, .send_alert = ha_quic_send_alert, }; +#endif /* Initialize the TLS context of a listener with as configuration. * Returns an error count. @@ -401,7 +435,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf) # if defined(SSL_OP_NO_ANTI_REPLAY) if (bind_conf->ssl_conf.early_data) { SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); -# ifdef USE_QUIC_OPENSSL_COMPAT +# if defined(USE_QUIC_OPENSSL_COMPAT) || defined(OPENSSL_IS_AWSLC) ha_warning("Binding [%s:%d] for %s %s: 0-RTT is not supported in limited QUIC compatibility mode, ignored.\n", bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id); # else @@ -662,7 +696,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc) if (qc_is_listener(qc)) { if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl) == -1) goto err; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_AWSLC) #ifndef USE_QUIC_OPENSSL_COMPAT /* Enabling 0-RTT */ if (bc->ssl_conf.early_data)