#include <haproxy/quic_openssl_compat.h>
#endif
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
#define OPENSSL_NO_DH
#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
#endif
#define HAVE_SSL_EXTRACT_RANDOM
#endif
-#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
#define HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN
#endif
#define HAVE_ASN1_TIME_TO_TM
#endif
-#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC))
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))
#define HAVE_SSL_CLIENT_HELLO_CB
#endif
#define HAVE_SSL_CTX_get0_privatekey
#endif
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(USE_OPENSSL_AWSLC)
+#if HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL || defined(USE_OPENSSL_WOLFSSL) || defined(OPENSSL_IS_AWSLC)
/* CRYPTO_memcmp() is present since openssl 1.0.1d */
#define HAVE_CRYPTO_memcmp
#endif
#define HAVE_SSL_SCTL
#endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(USE_OPENSSL_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_AWSLC) || (defined(USE_OPENSSL_WOLFSSL) && defined(HAVE_SECRET_CALLBACK))
#define HAVE_SSL_KEYLOG
#endif
#define HAVE_SSL_get0_verified_chain
#endif
-#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(SSL_OP_NO_ANTI_REPLAY) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
#define HAVE_SSL_0RTT
#endif
#endif
-#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(USE_OPENSSL_AWSLC)
+#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(OPENSSL_IS_AWSLC)
#define HAVE_SSL_SET_SECURITY_LEVEL
#endif
#error "Must define USE_OPENSSL"
#endif
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
#include <openssl/chacha.h>
#endif
#include <openssl/evp.h>
#include <haproxy/openssl-compat.h>
/* Use EVP_CIPHER or EVP_AEAD API depending on the library */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
# define QUIC_AEAD_API
#ifdef HAVE_SSL_CLIENT_HELLO_CB
int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
# else /* ! OPENSSL_IS_BORINGSSL */
int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg);
wolfSSL_Debugging_ON();
#endif
-#ifdef USE_OPENSSL_AWSLC
+#ifdef OPENSSL_IS_AWSLC
const char *version_str = OpenSSL_version(OPENSSL_VERSION);
if (strncmp(version_str, "AWS-LC", 6) != 0) {
ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);
#if !defined(HAVE_SSL_0RTT_QUIC)
ha_warning("Binding [%s:%d] for %s %s: 0-RTT with QUIC is not supported by this SSL library, ignored.\n",
bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
-#elif defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
SSL_CTX_set_early_data_enabled(ctx, 1);
#else
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
# elif defined(HAVE_SSL_CLIENT_HELLO_CB)
return SSL_TLSEXT_ERR_NOACK;
}
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
{
SSL *ssl = ctx->ssl;
#ifdef USE_QUIC
if (qc) {
/* Look for the QUIC transport parameters. */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
if (!SSL_early_callback_ctx_extension_get(ctx, qc->tps_tls_ext,
&extension_data, &extension_len))
#else
* <*al>, this has as side effect to generate another TLS alert
* which would be set after calling quic_set_tls_alert().
*/
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC)
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
*al = SSL_AD_MISSING_EXTENSION;
#endif
quic_set_tls_alert(qc, SSL_AD_MISSING_EXTENSION);
if (s->ssl_conf.early_data)
allow_early = 1;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
&extension_data, &extension_len)) {
#else
}
/* extract/check clientHello information */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
#else
if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
ha_ciphers = SSL_get_ciphers(ssl);
has_ecdsa_sig = 0;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
len = ctx->cipher_suites_len;
cipher_suites = ctx->cipher_suites;
#else
if (len % 2 != 0)
goto abort;
for (; len != 0; len -= 2, cipher_suites += 2) {
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
uint16_t cipher_suite = (cipher_suites[0] << 8) | cipher_suites[1];
cipher = SSL_get_cipher_by_value(cipher_suite);
#else
continue;
/* check if this cipher is available in haproxy configuration */
-#if defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_AWSLC)
/* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers,
* does not check if it's available when it's an NID_auth_any
*/
/* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */
if (conn)
conn->err_code = CO_ER_SSL_HANDSHAKE;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
return ssl_select_cert_error;
#else
*al = SSL_AD_UNRECOGNIZED_NAME;
#endif
allow_early:
-#if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
if (allow_early)
SSL_set_early_data_enabled(ssl, 1);
#else
SSL_CTX_set_timeout(ctx, global_ssl.life_time);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-# if defined(OPENSSL_IS_BORINGSSL) || defined(USE_OPENSSL_AWSLC)
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
if (bind_conf->ssl_conf.early_data)
#ifdef HAVE_SSL_PROVIDERS
hap_register_post_deinit(ssl_unload_providers);
#endif
-#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(USE_OPENSSL_AWSLC)
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(OPENSSL_IS_AWSLC)
/* Load SSL string for the verbose & debug mode. */
ERR_load_SSL_strings();
#endif
projects / thirdparty / haproxy.git / commitdiff
