BUILD: ssl: replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC

Replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC in the code source, so we
won't need to set USE_OPENSSL_AWSLC in the Makefile on the long term.

include/haproxy/openssl-compat.h

@@ -48,7 +48,7 @@
 #include <haproxy/quic_openssl_compat.h>
 #endif
 
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
 #define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
 #endif
@@ -75,7 +75,7 @@
 #define HAVE_SSL_EXTRACT_RANDOM
 #endif
 
-#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
 #define HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN
 #endif
 
@@ -84,7 +84,7 @@
 #define HAVE_ASN1_TIME_TO_TM
 #endif
 
-#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC))
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))
 #define HAVE_SSL_CLIENT_HELLO_CB
 #endif
 
@@ -96,7 +96,7 @@
 #define HAVE_SSL_CTX_get0_privatekey
 #endif
 
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(USE_OPENSSL_AWSLC)
+#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(OPENSSL_IS_AWSLC)
 /* CRYPTO_memcmp() is present since openssl 1.0.1d */
 #define HAVE_CRYPTO_memcmp
 #endif
@@ -105,7 +105,7 @@
 #define HAVE_SSL_SCTL
 #endif
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(USE_OPENSSL_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
 #define HAVE_SSL_KEYLOG
 #endif
 
@@ -114,7 +114,7 @@
 #define HAVE_SSL_get0_verified_chain
 #endif
 
-#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #define HAVE_SSL_0RTT
 #endif
 
@@ -124,7 +124,7 @@
 #endif
 
 
-#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(USE_OPENSSL_AWSLC)
+#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(OPENSSL_IS_AWSLC)
 #define HAVE_SSL_SET_SECURITY_LEVEL
 #endif
 

include/haproxy/quic_tls-t.h

@@ -17,7 +17,7 @@
 #error "Must define USE_OPENSSL"
 #endif
 
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 #include <openssl/chacha.h>
 #endif
 #include <openssl/evp.h>
@@ -30,7 +30,7 @@
 #include <haproxy/openssl-compat.h>
 
 /* Use EVP_CIPHER or EVP_AEAD API depending on the library */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 
 # define QUIC_AEAD_API
 

include/haproxy/ssl_sock.h

@@ -104,7 +104,7 @@ void ssl_unload_providers(void);
 
 #ifdef HAVE_SSL_CLIENT_HELLO_CB
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
 # else /* ! OPENSSL_IS_BORINGSSL */
 int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg);

src/haproxy.c

@@ -1991,7 +1991,7 @@ static void init(int argc, char **argv)
         wolfSSL_Debugging_ON();
 #endif
 
-#ifdef USE_OPENSSL_AWSLC
+#ifdef OPENSSL_IS_AWSLC
         const char *version_str = OpenSSL_version(OPENSSL_VERSION);
         if (strncmp(version_str, "AWS-LC", 6) != 0) {
             ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);

src/quic_ssl.c

@@ -452,7 +452,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 #if !defined(HAVE_SSL_0RTT_QUIC)
 		ha_warning("Binding [%s:%d] for %s %s: 0-RTT with QUIC is not supported by this SSL library, ignored.\n",
 		           bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
-#elif defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 		SSL_CTX_set_early_data_enabled(ctx, 1);
 #else
 		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
@@ -461,7 +461,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 	}
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 # elif defined(HAVE_SSL_CLIENT_HELLO_CB)

src/ssl_clienthello.c

@@ -131,7 +131,7 @@ int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 	return SSL_TLSEXT_ERR_NOACK;
 }
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
 {
 	SSL *ssl = ctx->ssl;
@@ -170,7 +170,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #ifdef USE_QUIC
 	if (qc) {
 		/* Look for the QUIC transport parameters. */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 		if (!SSL_early_callback_ctx_extension_get(ctx, qc->tps_tls_ext,
 		                                          &extension_data, &extension_len))
 #else
@@ -182,7 +182,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 			 * <*al>, this has as side effect to generate another TLS alert
 			 * which would be set after calling quic_set_tls_alert().
 			 */
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC)
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 			*al = SSL_AD_MISSING_EXTENSION;
 #endif
 			quic_set_tls_alert(qc, SSL_AD_MISSING_EXTENSION);
@@ -199,7 +199,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 
 	if (s->ssl_conf.early_data)
 		allow_early = 1;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
 						 &extension_data, &extension_len)) {
 #else
@@ -253,7 +253,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 	}
 
 	/* extract/check clientHello information */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
 #else
 	if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
@@ -298,7 +298,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 		ha_ciphers = SSL_get_ciphers(ssl);
 		has_ecdsa_sig = 0;
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 		len = ctx->cipher_suites_len;
 		cipher_suites = ctx->cipher_suites;
 #else
@@ -307,7 +307,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 		if (len % 2 != 0)
 			goto abort;
 		for (; len != 0; len -= 2, cipher_suites += 2) {
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 			uint16_t cipher_suite = (cipher_suites[0] << 8) | cipher_suites[1];
 			cipher = SSL_get_cipher_by_value(cipher_suite);
 #else
@@ -317,7 +317,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 				continue;
 
 			/* check if this cipher is available in haproxy configuration */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
                         /* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers,
                          * does not check if it's available when it's an NID_auth_any
                          */
@@ -403,7 +403,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 	/* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */
 	if (conn)
 		conn->err_code = CO_ER_SSL_HANDSHAKE;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	return ssl_select_cert_error;
 #else
 	*al = SSL_AD_UNRECOGNIZED_NAME;
@@ -411,7 +411,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #endif
 
 allow_early:
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	if (allow_early)
 		SSL_set_early_data_enabled(ssl, 1);
 #else

src/ssl_sock.c

@@ -3438,7 +3438,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 		SSL_CTX_set_timeout(ctx, global_ssl.life_time);
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 	if (bind_conf->ssl_conf.early_data)
@@ -6945,7 +6945,7 @@ static void __ssl_sock_init(void)
 #ifdef HAVE_SSL_PROVIDERS
 	hap_register_post_deinit(ssl_unload_providers);
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(USE_OPENSSL_AWSLC)
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(OPENSSL_IS_AWSLC)
 	/* Load SSL string for the verbose & debug mode. */
 	ERR_load_SSL_strings();
 #endif