[PATCH 1 of 2] SSL: add support for AWS-LC

Piotr Sikora piotr at aviatrix.com
Wed Feb 28 01:22:14 UTC 2024


# HG changeset patch
# User Piotr Sikora <piotr at aviatrix.com>
# Date 1708977630 0
#      Mon Feb 26 20:00:30 2024 +0000
# Branch patch009
# Node ID 5e923992006199748e79b08b1e65c4ef41f07495
# Parent  3cde11b747c08c69889edc014a700317fe4d1d88
SSL: add support for AWS-LC.

AWS-LC is a fork of BoringSSL with some performance improvements,
useful features (OCSP and multiple certificates), and support for
more platforms.

Signed-off-by: Piotr Sikora <piotr at aviatrix.com>

diff -r 3cde11b747c0 -r 5e9239920061 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Feb 26 20:00:28 2024 +0000
+++ b/src/event/ngx_event_openssl.h	Mon Feb 26 20:00:30 2024 +0000
@@ -25,7 +25,7 @@
 #endif
 #include <openssl/evp.h>
 #if (NGX_QUIC)
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #include <openssl/hkdf.h>
 #include <openssl/chacha.h>
 #else
diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic.c
--- a/src/event/quic/ngx_event_quic.c	Mon Feb 26 20:00:28 2024 +0000
+++ b/src/event/quic/ngx_event_quic.c	Mon Feb 26 20:00:30 2024 +0000
@@ -962,7 +962,7 @@
         return NGX_DECLINED;
     }
 
-#if !defined (OPENSSL_IS_BORINGSSL)
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
     /* OpenSSL provides read keys for an application level before it's ready */
 
     if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c	Mon Feb 26 20:00:28 2024 +0000
+++ b/src/event/quic/ngx_event_quic_protection.c	Mon Feb 26 20:00:30 2024 +0000
@@ -30,7 +30,7 @@
 
 static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
     u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
     u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #endif
@@ -55,7 +55,7 @@
     switch (id) {
 
     case TLS1_3_CK_AES_128_GCM_SHA256:
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
         ciphers->c = EVP_aead_aes_128_gcm();
 #else
         ciphers->c = EVP_aes_128_gcm();
@@ -66,7 +66,7 @@
         break;
 
     case TLS1_3_CK_AES_256_GCM_SHA384:
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
         ciphers->c = EVP_aead_aes_256_gcm();
 #else
         ciphers->c = EVP_aes_256_gcm();
@@ -77,12 +77,12 @@
         break;
 
     case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
         ciphers->c = EVP_aead_chacha20_poly1305();
 #else
         ciphers->c = EVP_chacha20_poly1305();
 #endif
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
         ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
 #else
         ciphers->hp = EVP_chacha20();
@@ -91,7 +91,7 @@
         len = 32;
         break;
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
     case TLS1_3_CK_AES_128_CCM_SHA256:
         ciphers->c = EVP_aes_128_ccm();
         ciphers->hp = EVP_aes_128_ctr();
@@ -259,7 +259,7 @@
 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
     const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 
     if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
         == 0)
@@ -321,7 +321,7 @@
     const u_char *secret, size_t secret_len, const u_char *salt,
     size_t salt_len)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 
     if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
                      salt_len)
@@ -384,7 +384,7 @@
     ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
 {
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     EVP_AEAD_CTX  *ctx;
 
     ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
@@ -444,7 +444,7 @@
 ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
                           s->iv.len, in->data, in->len, ad->data, ad->len)
         != 1)
@@ -464,7 +464,7 @@
 ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
                           s->iv.len, in->data, in->len, ad->data, ad->len)
         != 1)
@@ -480,7 +480,7 @@
 }
 
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 
 static ngx_int_t
 ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
@@ -559,7 +559,7 @@
 ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
 {
     if (s->ctx) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
         EVP_AEAD_CTX_free(s->ctx);
 #else
         EVP_CIPHER_CTX_free(s->ctx);
@@ -575,7 +575,7 @@
 {
     EVP_CIPHER_CTX  *ctx;
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
         /* no EVP interface */
         s->hp_ctx = NULL;
@@ -610,7 +610,7 @@
 
     ctx = s->hp_ctx;
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     uint32_t         cnt;
 
     if (ctx == NULL) {
diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h	Mon Feb 26 20:00:28 2024 +0000
+++ b/src/event/quic/ngx_event_quic_protection.h	Mon Feb 26 20:00:30 2024 +0000
@@ -24,7 +24,7 @@
 #define NGX_QUIC_MAX_MD_SIZE          48
 
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #define ngx_quic_cipher_t             EVP_AEAD
 #define ngx_quic_crypto_ctx_t         EVP_AEAD_CTX
 #else
diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c	Mon Feb 26 20:00:28 2024 +0000
+++ b/src/event/quic/ngx_event_quic_ssl.c	Mon Feb 26 20:00:30 2024 +0000
@@ -11,6 +11,7 @@
 
 
 #if defined OPENSSL_IS_BORINGSSL                                              \
+    || defined OPENSSL_IS_AWSLC                                               \
     || defined LIBRESSL_VERSION_NUMBER                                        \
     || NGX_QUIC_OPENSSL_COMPAT
 #define NGX_QUIC_BORINGSSL_API   1
@@ -578,7 +579,7 @@
         return NGX_ERROR;
     }
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic SSL_set_quic_early_data_context() failed");


More information about the nginx-devel mailing list