[PATCH 2 of 2] SSL: add $ssl_curve when using AWS-LC
Piotr Sikora
piotr at aviatrix.com
Wed Feb 28 01:22:15 UTC 2024
# HG changeset patch
# User Piotr Sikora <piotr at aviatrix.com>
# Date 1708977632 0
# Mon Feb 26 20:00:32 2024 +0000
# Branch patch009
# Node ID dfffc67d286b788204f60701ef4179566d933a1b
# Parent 5e923992006199748e79b08b1e65c4ef41f07495
SSL: add $ssl_curve when using AWS-LC.
Signed-off-by: Piotr Sikora <piotr at aviatrix.com>
diff -r 5e9239920061 -r dfffc67d286b src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000
+++ b/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000
@@ -5163,6 +5163,72 @@
return NGX_OK;
}
+#elif defined(OPENSSL_IS_AWSLC)
+
+ uint16_t curve_id;
+
+ curve_id = SSL_get_curve_id(c->ssl->connection);
+
+ /*
+ * Hardcoded table with ANSI / SECG curve names (e.g. "prime256v1"),
+ * which is the same format that OpenSSL returns for $ssl_curve.
+ *
+ * Without this table, we'd need to make 3 additional library calls
+ * to convert from curve_id to ANSI / SECG curve name:
+ *
+ * nist_name = SSL_get_curve_name(curve_id);
+ * nid = EC_curve_nist2nid(nist_name);
+ * ansi_name = OBJ_nid2sn(nid);
+ */
+
+ switch (curve_id) {
+
+#ifdef SSL_CURVE_SECP224R1
+ case SSL_CURVE_SECP224R1:
+ ngx_str_set(s, "secp224r1");
+ return NGX_OK;
+#endif
+
+#ifdef SSL_CURVE_SECP256R1
+ case SSL_CURVE_SECP256R1:
+ ngx_str_set(s, "prime256v1");
+ return NGX_OK;
+#endif
+
+#ifdef SSL_CURVE_SECP384R1
+ case SSL_CURVE_SECP384R1:
+ ngx_str_set(s, "secp384r1");
+ return NGX_OK;
+#endif
+
+#ifdef SSL_CURVE_SECP521R1
+ case SSL_CURVE_SECP521R1:
+ ngx_str_set(s, "secp521r1");
+ return NGX_OK;
+#endif
+
+#ifdef SSL_CURVE_X25519
+ case SSL_CURVE_X25519:
+ ngx_str_set(s, "x25519");
+ return NGX_OK;
+#endif
+
+ case 0:
+ break;
+
+ default:
+ s->len = sizeof("0x0000") - 1;
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_sprintf(s->data, "0x%04xd", curve_id);
+
+ return NGX_OK;
+ }
+
#endif
ngx_str_null(s);
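Review bot: The `case 0: break;` and `default:` arms of the new switch are the two paths whose output an operator is least likely to expect, and neither is commented. `case 0` leaves the switch and relies on the `ngx_str_null(s)` after `#endif`, so it deserves a comment such as `/* no curve negotiated: fall through to the empty value */` (assuming 0 is what SSL_get_curve_id() reports in that case, which the hunk does not show). `default` renders every group outside the five-entry table as `0x%04xd` text, and because each case sits behind `#ifdef SSL_CURVE_...`, a header lacking one of those macros would silently demote a named curve to its hex id instead of failing the build; log parsers and `map` rules keyed on names like `prime256v1` would then stop matching without notice. I would state this in the table comment, e.g. `Groups missing from this table are reported as "0x" followed by 4 hex digits of the curve id.` The enclosing function begins before this hunk and continues past its last line.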