From f76e8e50f4604dd86b3edc2a9afdbed825dbe046 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 30 Jul 2024 15:51:59 +0200
Subject: [PATCH] BUILD: ssl: replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC
Replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC in the code source, so we won't need to set USE_OPENSSL_AWSLC in the Makefile on the long term.
---
 include/haproxy/openssl-compat.h | 14 +++++++-------
 include/haproxy/quic_tls-t.h | 4 ++--
 include/haproxy/ssl_sock.h | 2 +-
 src/haproxy.c | 2 +-
 src/quic_ssl.c | 4 ++--
 src/ssl_clienthello.c | 20 ++++++++++----------
 src/ssl_sock.c | 4 ++--
 7 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index dc903063e..acbce0c14 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -48,7 +48,7 @@
 #include
 #endif
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
 #define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
 #endif
@@ -75,7 +75,7 @@
 #define HAVE_SSL_EXTRACT_RANDOM
 #endif
-#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
 #define HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN
 #endif
@@ -84,7 +84,7 @@
 #define HAVE_ASN1_TIME_TO_TM
 #endif
-#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC))
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))
 #define HAVE_SSL_CLIENT_HELLO_CB
 #endif
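Review bot: `OPENSSL_IS_AWSLC` is defined by the library's own headers rather than by the build system, so the `#if defined(OPENSSL_IS_AWSLC)` at line 51 (and the later checks in this file, plus the two hunks in quic_tls-t.h at lines 17 and 30) only take the AWS-LC branch if an OpenSSL header has already been included above it; the `#include` preceding this check has its target stripped in the hunk, so I cannot confirm the ordering from here. A wrong include order or a stale header set would then silently fall through to the generic OpenSSL paths, with `OPENSSL_NO_DH`, the `HAVE_SSL_SET_SECURITY_LEVEL` and the `ERR_load_SSL_strings()` branches taking the wrong side instead of the build failing. While `USE_OPENSSL_AWSLC` still exists as a Makefile option, a transitional cross-check near the top of openssl-compat.h would surface that class of misconfiguration at compile time: `#if defined(USE_OPENSSL_AWSLC) && !defined(OPENSSL_IS_AWSLC)` / `#error "USE_OPENSSL_AWSLC is set but the included headers are not AWS-LC"` / `#endif`.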
@@ -96,7 +96,7 @@
 #define HAVE_SSL_CTX_get0_privatekey
 #endif
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(USE_OPENSSL_AWSLC)
+#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(OPENSSL_IS_AWSLC)
 /* CRYPTO_memcmp() is present since openssl 1.0.1d */
 #define HAVE_CRYPTO_memcmp
 #endif
@@ -105,7 +105,7 @@
 #define HAVE_SSL_SCTL
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(USE_OPENSSL_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
 #define HAVE_SSL_KEYLOG
 #endif
@@ -114,7 +114,7 @@
 #define HAVE_SSL_get0_verified_chain
 #endif
-#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #define HAVE_SSL_0RTT
 #endif
@@ -124,7 +124,7 @@
 #endif
-#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(USE_OPENSSL_AWSLC)
+#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(OPENSSL_IS_AWSLC)
 #define HAVE_SSL_SET_SECURITY_LEVEL
 #endif
diff --git a/include/haproxy/quic_tls-t.h b/include/haproxy/quic_tls-t.h
index 9eb97529e..edeab59eb 100644
--- a/include/haproxy/quic_tls-t.h
+++ b/include/haproxy/quic_tls-t.h
@@ -17,7 +17,7 @@
 #error "Must define USE_OPENSSL"
 #endif
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 #include
 #endif
 #include
@@ -30,7 +30,7 @@
 #include
 /* Use EVP_CIPHER or EVP_AEAD API depending on the library */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 # define QUIC_AEAD_API
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index c846fe034..f02e46490 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -104,7 +104,7 @@ void ssl_unload_providers(void);
 #ifdef HAVE_SSL_CLIENT_HELLO_CB
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
 # else /* ! OPENSSL_IS_BORINGSSL */
 int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg);
diff --git a/src/haproxy.c b/src/haproxy.c
index 629a56fa9..76aa9a5c1 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1991,7 +1991,7 @@ static void init(int argc, char **argv)
 wolfSSL_Debugging_ON();
 #endif
-#ifdef USE_OPENSSL_AWSLC
+#ifdef OPENSSL_IS_AWSLC
 const char *version_str = OpenSSL_version(OPENSSL_VERSION);
 if (strncmp(version_str, "AWS-LC", 6) != 0) {
 ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 73b19bfa1..3d3f8e77b 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -452,7 +452,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 #if !defined(HAVE_SSL_0RTT_QUIC)
 ha_warning("Binding [%s:%d] for %s %s: 0-RTT with QUIC is not supported by this SSL library, ignored.\n", bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
-#elif defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 SSL_CTX_set_early_data_enabled(ctx, 1);
 #else
 SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
@@ -461,7 +461,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 }
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 # elif defined(HAVE_SSL_CLIENT_HELLO_CB)
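Review bot: The `# else /* ! OPENSSL_IS_BORINGSSL */` comment two lines below the changed `# if` in ssl_sock.h now describes only half of the condition, since the `ssl_early_callback_ctx` prototype above it is selected for AWS-LC as well; suggest `# else /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */` so a reader can tell which libraries get the `(SSL *ssl, int *al, void *arg)` signature. The enclosing `#ifdef HAVE_SSL_CLIENT_HELLO_CB` block continues past the hunk.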
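Review bot: The alert text in the haproxy.c hunk, `ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);`, misspells the project name; `HAProxy` is the form used elsewhere in this codebase's messages as far as I can tell. With the guard now keyed on the header-provided `OPENSSL_IS_AWSLC`, this `strncmp(version_str, "AWS-LC", 6)` prefix check is what catches a different libcrypto being loaded underneath headers the binary was compiled against, so it is worth keeping after `USE_OPENSSL_AWSLC` leaves the Makefile. The `init()` body and the `#ifdef` block continue outside the hunk.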
diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index 1d5b8fa1b..43de8aad9 100644
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -131,7 +131,7 @@ int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 return SSL_TLSEXT_ERR_NOACK;
 }
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
 {
 SSL *ssl = ctx->ssl;
@@ -170,7 +170,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #ifdef USE_QUIC
 if (qc) {
 /* Look for the QUIC transport parameters. */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 if (!SSL_early_callback_ctx_extension_get(ctx, qc->tps_tls_ext, &extension_data, &extension_len))
 #else
@@ -182,7 +182,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 * <*al>, this has as side effect to generate another TLS alert
 * which would be set after calling quic_set_tls_alert().
 */
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC)
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 *al = SSL_AD_MISSING_EXTENSION;
 #endif
 quic_set_tls_alert(qc, SSL_AD_MISSING_EXTENSION);
@@ -199,7 +199,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 if (s->ssl_conf.early_data)
 allow_early = 1;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name, &extension_data, &extension_len)) {
 #else
@@ -253,7 +253,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 }
 /* extract/check clientHello information */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
 #else
 if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
@@ -298,7 +298,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 ha_ciphers = SSL_get_ciphers(ssl);
 has_ecdsa_sig = 0;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 len = ctx->cipher_suites_len;
 cipher_suites = ctx->cipher_suites;
 #else
@@ -307,7 +307,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 if (len % 2 != 0)
 goto abort;
 for (; len != 0; len -= 2, cipher_suites += 2) {
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 uint16_t cipher_suite = (cipher_suites[0] << 8) | cipher_suites[1];
 cipher = SSL_get_cipher_by_value(cipher_suite);
 #else
@@ -317,7 +317,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 continue;
 /* check if this cipher is available in haproxy configuration */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
 /* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers,
 * does not check if it's available when it's an NID_auth_any */
@@ -403,7 +403,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 /* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */
 if (conn)
 conn->err_code = CO_ER_SSL_HANDSHAKE;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 return ssl_select_cert_error;
 #else
 *al = SSL_AD_UNRECOGNIZED_NAME;
@@ -411,7 +411,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #endif
 allow_early:
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 if (allow_early)
 SSL_set_early_data_enabled(ssl, 1);
 #else
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 91c0dec6e..7ce9adb8d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3438,7 +3438,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 SSL_CTX_set_timeout(ctx, global_ssl.life_time);
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 if (bind_conf->ssl_conf.early_data)
@@ -6945,7 +6945,7 @@ static void __ssl_sock_init(void)
 #ifdef HAVE_SSL_PROVIDERS
 hap_register_post_deinit(ssl_unload_providers);
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(USE_OPENSSL_AWSLC)
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(OPENSSL_IS_AWSLC)
 /* Load SSL string for the verbose & debug mode. */
 ERR_load_SSL_strings();
 #endif