Hi Piotr, On Wed, Feb 28, 2024 at 01:22:14AM +0000, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora <pi...@aviatrix.com> > # Date 1708977630 0 > # Mon Feb 26 20:00:30 2024 +0000 > # Branch patch009 > # Node ID 5e923992006199748e79b08b1e65c4ef41f07495 > # Parent 3cde11b747c08c69889edc014a700317fe4d1d88 > SSL: add support for AWS-LC. > > AWS-LC is a fork of BoringSSL with some performance improvements, > useful features (OCSP and multiple certificates), and support for > more platforms. > > Signed-off-by: Piotr Sikora <pi...@aviatrix.com> > > diff -r 3cde11b747c0 -r 5e9239920061 src/event/ngx_event_openssl.h > --- a/src/event/ngx_event_openssl.h Mon Feb 26 20:00:28 2024 +0000 > +++ b/src/event/ngx_event_openssl.h Mon Feb 26 20:00:30 2024 +0000 > @@ -25,7 +25,7 @@ > #endif > #include <openssl/evp.h> > #if (NGX_QUIC) > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > #include <openssl/hkdf.h> > #include <openssl/chacha.h> > #else > diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic.c > --- a/src/event/quic/ngx_event_quic.c Mon Feb 26 20:00:28 2024 +0000 > +++ b/src/event/quic/ngx_event_quic.c Mon Feb 26 20:00:30 2024 +0000 > @@ -962,7 +962,7 @@ > return NGX_DECLINED; > } > > -#if !defined (OPENSSL_IS_BORINGSSL) > +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) > /* OpenSSL provides read keys for an application level before it's ready > */ > > if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { > diff -r 3cde11b747c0 -r 5e9239920061 > src/event/quic/ngx_event_quic_protection.c > --- a/src/event/quic/ngx_event_quic_protection.c Mon Feb 26 20:00:28 > 2024 +0000 > +++ b/src/event/quic/ngx_event_quic_protection.c Mon Feb 26 20:00:30 > 2024 +0000 
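Review bot: The compound condition `#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)` (and its negation `#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)`) is now repeated at roughly twenty sites across ngx_event_openssl.h, ngx_event_quic.c, ngx_event_quic_protection.c, ngx_event_quic_protection.h and ngx_event_quic_ssl.c, so the next BoringSSL-derived library will need the same sweep and any site that is missed silently falls back to the OpenSSL EVP path. Since the first hunk already touches ngx_event_openssl.h, the predicate could be evaluated once there — `#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)` followed by `#define NGX_SSL_AEAD_API 1` (placeholder name, to be chosen) — with `#if (NGX_SSL_AEAD_API)` / `#if !(NGX_SSL_AEAD_API)` at the other sites, so the positive and negated forms cannot drift apart. The existing `NGX_QUIC_BORINGSSL_API` in ngx_event_quic_ssl.c shows the pattern but also covers LIBRESSL_VERSION_NUMBER and NGX_QUIC_OPENSSL_COMPAT, so it is not a drop-in replacement for the AEAD and HKDF sites in ngx_event_quic_protection.c.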
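Review bot: The `!defined(OPENSSL_IS_AWSLC)` added to the guard in ngx_event_quic.c disables the "OpenSSL provides read keys for an application level before it's ready" workaround for AWS-LC, which assumes AWS-LC installs application-level read keys with BoringSSL's callback timing rather than OpenSSL's. Neither the hunk nor the commit message says this was checked against AWS-LC; the guarded branch (its body is outside the hunk) appears to be what handles a packet at ssl_encryption_application arriving while `!c->ssl->handshaked`, so if the assumption is wrong that case would go unhandled for AWS-LC builds. A sentence in the commit message, or extending the comment to `/* OpenSSL provides read keys for an application level before it's ready; BoringSSL and AWS-LC do not */`, would make the assumption explicit for the next reader. The enclosing function starts and ends outside the hunk.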
> @@ -30,7 +30,7 @@ > > static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, > u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); > -#ifndef OPENSSL_IS_BORINGSSL > +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) > static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, > u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); > #endif > @@ -55,7 +55,7 @@ > switch (id) { > > case TLS1_3_CK_AES_128_GCM_SHA256: > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > ciphers->c = EVP_aead_aes_128_gcm(); > #else > ciphers->c = EVP_aes_128_gcm(); > @@ -66,7 +66,7 @@ > break; > > case TLS1_3_CK_AES_256_GCM_SHA384: > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > ciphers->c = EVP_aead_aes_256_gcm(); > #else > ciphers->c = EVP_aes_256_gcm(); > @@ -77,12 +77,12 @@ > break; > > case TLS1_3_CK_CHACHA20_POLY1305_SHA256: > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > ciphers->c = EVP_aead_chacha20_poly1305(); > #else > ciphers->c = EVP_chacha20_poly1305(); > #endif > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305(); > #else > ciphers->hp = EVP_chacha20(); > @@ -91,7 +91,7 @@ > len = 32; > break; > > -#ifndef OPENSSL_IS_BORINGSSL > +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) > case TLS1_3_CK_AES_128_CCM_SHA256: > ciphers->c = EVP_aes_128_ccm(); > ciphers->hp = EVP_aes_128_ctr(); > @@ -259,7 +259,7 @@ > ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, > const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) > { > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > > if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) > == 0) 
> @@ -321,7 +321,7 @@ > const u_char *secret, size_t secret_len, const u_char *salt, > size_t salt_len) > { > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > > if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, > salt_len) > @@ -384,7 +384,7 @@ > ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log) > { > > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > EVP_AEAD_CTX *ctx; > > ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len, > @@ -444,7 +444,7 @@ > ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, > ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) > { > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce, > s->iv.len, in->data, in->len, ad->data, ad->len) > != 1) > @@ -464,7 +464,7 @@ > ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, > ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) > { > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce, > s->iv.len, in->data, in->len, ad->data, ad->len) > != 1) > @@ -480,7 +480,7 @@ > } > > > -#ifndef OPENSSL_IS_BORINGSSL > +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) > > static ngx_int_t > ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, > @@ -559,7 +559,7 @@ > ngx_quic_crypto_cleanup(ngx_quic_secret_t *s) > { > if (s->ctx) { > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > EVP_AEAD_CTX_free(s->ctx); > #else > EVP_CIPHER_CTX_free(s->ctx); 
> @@ -575,7 +575,7 @@ > { > EVP_CIPHER_CTX *ctx; > > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) { > /* no EVP interface */ > s->hp_ctx = NULL; > @@ -610,7 +610,7 @@ > > ctx = s->hp_ctx; > > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > uint32_t cnt; > > if (ctx == NULL) { > diff -r 3cde11b747c0 -r 5e9239920061 > src/event/quic/ngx_event_quic_protection.h > --- a/src/event/quic/ngx_event_quic_protection.h Mon Feb 26 20:00:28 > 2024 +0000 > +++ b/src/event/quic/ngx_event_quic_protection.h Mon Feb 26 20:00:30 > 2024 +0000 > @@ -24,7 +24,7 @@ > #define NGX_QUIC_MAX_MD_SIZE 48 > > > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > #define ngx_quic_cipher_t EVP_AEAD > #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX > #else > diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_ssl.c > --- a/src/event/quic/ngx_event_quic_ssl.c Mon Feb 26 20:00:28 2024 +0000 > +++ b/src/event/quic/ngx_event_quic_ssl.c Mon Feb 26 20:00:30 2024 +0000 > @@ -11,6 +11,7 @@ > > > #if defined OPENSSL_IS_BORINGSSL > \ > + || defined OPENSSL_IS_AWSLC > \ > || defined LIBRESSL_VERSION_NUMBER > \ > || NGX_QUIC_OPENSSL_COMPAT > #define NGX_QUIC_BORINGSSL_API 1 > @@ -578,7 +579,7 @@ > return NGX_ERROR; > } > > -#ifdef OPENSSL_IS_BORINGSSL > +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) > if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) { > ngx_log_error(NGX_LOG_INFO, c->log, 0, > "quic SSL_set_quic_early_data_context() failed");
It looks like this library is not super popular, but the patch is relatively large. Also, compiling nginx with -DOPENSSL_IS_BORINGSSL should probably solve the issue. -- Roman Arutyunyan _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel