BUILD: ssl: Build with new cryptographic library AWS-LC

This adds a new option for the Makefile USE_OPENSSL_AWSLC, and
update the documentation with instructions to use HAProxy with
AWS-LC.

Update the type of the OCSP callback retrieved with
SSL_CTX_get_tlsext_status_cb with the actual type for
libcrypto versions greater than 1.0.2. This doesn't affect
OpenSSL which casts the callback to void* in SSL_CTX_ctrl.

INSTALL

@@ -244,16 +244,16 @@ https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is
 mandated by support reasons, at least 3.1 recovers a small fraction of this
 important loss.
 
-Three OpenSSL derivatives called LibreSSL, BoringSSL and QUICTLS are reported
+Four OpenSSL derivatives called LibreSSL, BoringSSL, QUICTLS, and AWS-LC are
-to work as well. While there are some efforts from the community to ensure they
+reported to work as well. While there are some efforts from the community to
-work well, OpenSSL remains the primary target and this means that in case of
+ensure they work well, OpenSSL remains the primary target and this means that
-conflicting choices, OpenSSL support will be favored over other options. Note
+in case of conflicting choices, OpenSSL support will be favored over other
-that QUIC is not fully supported when haproxy is built with OpenSSL. In this
+options.  Note that QUIC is not fully supported when haproxy is built with
-case, QUICTLS is the preferred alternative.  As of writing this, the QuicTLS
+OpenSSL. In this case, QUICTLS is the preferred alternative.  As of writing
-project follows OpenSSL very closely and provides update simultaneously, but
+this, the QuicTLS project follows OpenSSL very closely and provides update
-being a volunteer-driven project, its long-term future does not look certain
+simultaneously, but being a volunteer-driven project, its long-term future does
-enough to convince operating systems to package it, so it needs to be build
+not look certain enough to convince operating systems to package it, so it
-locally. See the section about QUIC in this document.
+needs to be build locally. See the section about QUIC in this document.
 
 A fifth option is wolfSSL (https://github.com/wolfSSL/wolfssl). It is the only
 supported alternative stack not based on OpenSSL, yet which implements almost
@@ -281,7 +281,7 @@ SSL library files using SSL_LIB. Example :
     USE_OPENSSL=1 SSL_INC=/opt/ssl-1.1.1/include SSL_LIB=/opt/ssl-1.1.1/lib
 
 To use HAProxy with WolfSSL, WolfSSL must be built with haproxy support, at
-least WolfSSL 5.6.0 is needed, but a development version migh be needed for
+least WolfSSL 5.6.0 is needed, but a development version might be needed for
 some of the features:
 
   $ cd ~/build/wolfssl
@@ -300,6 +300,20 @@ command line, for example:
   $ make -j $(nproc) TARGET=generic USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 \
     SSL_INC=/opt/wolfssl-5.6.0/include SSL_LIB=/opt/wolfssl-5.6.0/lib
 
+To use HAProxy with AWS-LC you must have version v1.13.0 or newer of AWS-LC
+built and installed locally.
+ $ cd ~/build/aws-lc
+ $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/opt/aws-lc
+ $ make -j $(nproc)
+ $ make install
+
+Building HAProxy with AWS-LC requires you to enable AWS-LC support, and specify
+the path it was installed to when running make for HAPRoxy.
+
+ $ cd ~/build/haproxy
+ $ make -j $(nproc) TARGET=generic USE_OPENSSL_AWSLC=1 \
+   SSL_INC=/opt/aws-lc/include SSL_LIB=/opt/aws-lc/lib
+
 In order to link OpenSSL statically against HAProxy, first download OpenSSL
 from https://www.openssl.org/ then build it with the "no-shared" keyword and
 install it to a local directory, so your system is not affected :

Makefile

@@ -33,6 +33,7 @@
 #   USE_CRYPT_H             : set it if your system requires including crypt.h
 #   USE_GETADDRINFO         : use getaddrinfo() to resolve IPv6 host names.
 #   USE_OPENSSL             : enable use of OpenSSL. Recommended, but see below.
+#   USE_OPENSSL_AWSLC       : enable use of AWS-LC
 #   USE_OPENSSL_WOLFSSL     : enable use of wolfSSL with the OpenSSL API
 #   USE_QUIC                : enable use of QUIC with the quictls API (quictls, libressl, boringssl)
 #   USE_QUIC_OPENSSL_COMPAT : enable use of QUIC with the standard openssl API (limited features)
@@ -308,10 +309,10 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER USE_POLL                        \
            USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE                     \
            USE_TPROXY USE_LINUX_TPROXY USE_LINUX_CAP                          \
            USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE               \
-           USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_SSL USE_LUA    \
+           USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_OPENSSL_AWSLC  \
-           USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY        \
+           USE_SSL USE_LUA USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ         \
-           USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC USE_MATH                \
+           USE_CPU_AFFINITY USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC        \
-           USE_DEVICEATLAS USE_51DEGREES                                      \
+           USE_MATH USE_DEVICEATLAS USE_51DEGREES                             \
            USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL    \
            USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX             \
            USE_MEMORY_PROFILING USE_SHM_OPEN                                  \
@@ -583,6 +584,13 @@ ifneq ($(USE_OPENSSL_WOLFSSL),)
   USE_OPENSSL     := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit)
 endif
 
+# This is for the AWS-LC variant of the OpenSSL API. Setting it implies
+# OPENSSL so it's not necessary to set the latter.
+ifneq ($(USE_OPENSSL_AWSLC),)
+  # always automatically set USE_OPENSSL
+  USE_OPENSSL     := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit)
+endif
+
 # This is for any variant of the OpenSSL API. By default it uses OpenSSL.
 ifneq ($(USE_OPENSSL),)
   # only preset these for the regular openssl

include/haproxy/openssl-compat.h

@@ -7,6 +7,13 @@
 #include <wolfssl/options.h>
 #endif
 
+#ifdef USE_OPENSSL_AWSLC
+#include <openssl/base.h>
+#if !defined(OPENSSL_IS_AWSLC)
+#error "USE_OPENSSL_AWSLC is set but OPENSSL_IS_AWSLC is not defined, wrong header files detected"
+#endif
+#endif
+
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ssl.h>

src/haproxy.c

@@ -1957,6 +1957,15 @@ static void init(int argc, char **argv)
         wolfSSL_Init();
         wolfSSL_Debugging_ON();
 #endif
+
+#ifdef USE_OPENSSL_AWSLC
+        const char *version_str = OpenSSL_version(OPENSSL_VERSION);
+        if (strncmp(version_str, "AWS-LC", 6) != 0) {
+            ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);
+		    exit(1);
+        }
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 	/* Initialize the error strings of OpenSSL
 	 * It only needs to be done explicitly with older versions of the SSL

src/ssl_sock.c

@@ -1112,7 +1112,11 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 	char *warn = NULL;
 	unsigned char *p;
 #ifndef USE_OPENSSL_WOLFSSL
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+    int (*callback) (SSL *, void *);
+#else
 	void (*callback) (void);
+#endif
 #else
 	tlsextStatusCb callback;
 #endif