Hi Piotr,

On Wed, Feb 28, 2024 at 01:22:14AM +0000, Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr@aviatrix.com>
> # Date 1708977630 0
> # Mon Feb 26 20:00:30 2024 +0000
> # Branch patch009
> # Node ID 5e923992006199748e79b08b1e65c4ef41f07495
> # Parent 3cde11b747c08c69889edc014a700317fe4d1d88
> SSL: add support for AWS-LC.
>
> AWS-LC is a fork of BoringSSL with some performance improvements,
> useful features (OCSP and multiple certificates), and support for
> more platforms.
>
> Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
>
> diff -r 3cde11b747c0 -r 5e9239920061 src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h Mon Feb 26 20:00:28 2024 +0000
> +++ b/src/event/ngx_event_openssl.h Mon Feb 26 20:00:30 2024 +0000
> @@ -25,7 +25,7 @@
> #endif
> #include <openssl/evp.h>
> #if (NGX_QUIC)
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> #include <openssl/hkdf.h>
> #include <openssl/chacha.h>
> #else
> diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c Mon Feb 26 20:00:28 2024 +0000
> +++ b/src/event/quic/ngx_event_quic.c Mon Feb 26 20:00:30 2024 +0000
> @@ -962,7 +962,7 @@
> return NGX_DECLINED;
> }
>
> -#if !defined (OPENSSL_IS_BORINGSSL)
> +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
> /* OpenSSL provides read keys for an application level before it's ready */
>
> if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
> diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_protection.c
> --- a/src/event/quic/ngx_event_quic_protection.c Mon Feb 26 20:00:28 2024 +0000
> +++ b/src/event/quic/ngx_event_quic_protection.c Mon Feb 26 20:00:30 2024 +0000
> @@ -30,7 +30,7 @@
>
> static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
> u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
> -#ifndef OPENSSL_IS_BORINGSSL
> +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
> static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
> u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
> #endif
> @@ -55,7 +55,7 @@
> switch (id) {
>
> case TLS1_3_CK_AES_128_GCM_SHA256:
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> ciphers->c = EVP_aead_aes_128_gcm();
> #else
> ciphers->c = EVP_aes_128_gcm();
> @@ -66,7 +66,7 @@
> break;
>
> case TLS1_3_CK_AES_256_GCM_SHA384:
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> ciphers->c = EVP_aead_aes_256_gcm();
> #else
> ciphers->c = EVP_aes_256_gcm();
> @@ -77,12 +77,12 @@
> break;
>
> case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> ciphers->c = EVP_aead_chacha20_poly1305();
> #else
> ciphers->c = EVP_chacha20_poly1305();
> #endif
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
> #else
> ciphers->hp = EVP_chacha20();
> @@ -91,7 +91,7 @@
> len = 32;
> break;
>
> -#ifndef OPENSSL_IS_BORINGSSL
> +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
> case TLS1_3_CK_AES_128_CCM_SHA256:
> ciphers->c = EVP_aes_128_ccm();
> ciphers->hp = EVP_aes_128_ctr();
> @@ -259,7 +259,7 @@
> ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
> const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
> {
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
>
> if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
> == 0)
> @@ -321,7 +321,7 @@
> const u_char *secret, size_t secret_len, const u_char *salt,
> size_t salt_len)
> {
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
>
> if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
> salt_len)
> @@ -384,7 +384,7 @@
> ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
> {
>
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> EVP_AEAD_CTX *ctx;
>
> ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
> @@ -444,7 +444,7 @@
> ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
> ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
> {
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
> s->iv.len, in->data, in->len, ad->data, ad->len)
> != 1)
> @@ -464,7 +464,7 @@
> ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
> ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
> {
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
> s->iv.len, in->data, in->len, ad->data, ad->len)
> != 1)
> @@ -480,7 +480,7 @@
> }
>
>
> -#ifndef OPENSSL_IS_BORINGSSL
> +#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
>
> static ngx_int_t
> ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
> @@ -559,7 +559,7 @@
> ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
> {
> if (s->ctx) {
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> EVP_AEAD_CTX_free(s->ctx);
> #else
> EVP_CIPHER_CTX_free(s->ctx);
> @@ -575,7 +575,7 @@
> {
> EVP_CIPHER_CTX *ctx;
>
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
> /* no EVP interface */
> s->hp_ctx = NULL;
> @@ -610,7 +610,7 @@
>
> ctx = s->hp_ctx;
>
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> uint32_t cnt;
>
> if (ctx == NULL) {
> diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_protection.h
> --- a/src/event/quic/ngx_event_quic_protection.h Mon Feb 26 20:00:28 2024 +0000
> +++ b/src/event/quic/ngx_event_quic_protection.h Mon Feb 26 20:00:30 2024 +0000
> @@ -24,7 +24,7 @@
> #define NGX_QUIC_MAX_MD_SIZE 48
>
>
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> #define ngx_quic_cipher_t EVP_AEAD
> #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX
> #else
> diff -r 3cde11b747c0 -r 5e9239920061 src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c Mon Feb 26 20:00:28 2024 +0000
> +++ b/src/event/quic/ngx_event_quic_ssl.c Mon Feb 26 20:00:30 2024 +0000
> @@ -11,6 +11,7 @@
>
>
> #if defined OPENSSL_IS_BORINGSSL \
> + || defined OPENSSL_IS_AWSLC \
> || defined LIBRESSL_VERSION_NUMBER \
> || NGX_QUIC_OPENSSL_COMPAT
> #define NGX_QUIC_BORINGSSL_API 1
> @@ -578,7 +579,7 @@
> return NGX_ERROR;
> }
>
> -#ifdef OPENSSL_IS_BORINGSSL
> +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
> if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
> ngx_log_error(NGX_LOG_INFO, c->log, 0,
> "quic SSL_set_quic_early_data_context() failed");

It looks like this library is not super popular, but the patch is relatively
large. Also, compiling nginx with -DOPENSSL_IS_BORINGSSL should probably solve
the issue.

--
Roman Arutyunyan
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel