This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit bc043ea213ce0e0fb8cd4be42b9eacc2dcc06be7 Author: Masakazu Kitajo <[email protected]> AuthorDate: Fri Jun 7 12:15:53 2024 -0600 Make code buildable with AWS-LC (#11219) * Make code buildable with AWS-LC * Add CheckOpenSSLIsAwsLc.cmake * Add cmakedefine for HAVE_SSL_GET_SHARED_CURVE * Revert an unnecessary name change * Fix a build condition for HKDF (cherry picked from commit a966bc4cceeb9ebc88cb8d20b728dd9131f7f655) --- CMakeLists.txt | 29 ++++++++++++++++-------- cmake/CheckOpenSSLIsAwsLc.cmake | 43 ++++++++++++++++++++++++++++++++++++ include/tscore/ink_config.h.cmake.in | 1 + plugins/CMakeLists.txt | 2 +- src/iocore/net/OCSPStapling.cc | 4 ++-- src/iocore/net/P_OCSPStapling.h | 2 +- src/iocore/net/SSLUtils.cc | 6 ++--- src/tscore/CMakeLists.txt | 4 ++-- 8 files changed, 73 insertions(+), 18 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index df518379a5..0916dab4bf 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -251,26 +251,33 @@ pkg_check_modules(PCRE2 REQUIRED IMPORTED_TARGET libpcre2-8)
 include(CheckOpenSSLIsBoringSSL)
 include(CheckOpenSSLIsQuictls)
+include(CheckOpenSSLIsAwsLc)
 find_package(OpenSSL REQUIRED)
-check_openssl_is_boringssl(OPENSSL_IS_BORINGSSL BORINGSSL_VERSION "${OPENSSL_INCLUDE_DIR}")
+check_openssl_is_boringssl(SSLLIB_IS_BORINGSSL BORINGSSL_VERSION "${OPENSSL_INCLUDE_DIR}")
+check_openssl_is_awslc(SSLLIB_IS_AWSLC AWSLC_VERSION "${OPENSSL_INCLUDE_DIR}")
-if(OPENSSL_IS_BORINGSSL)
+if(SSLLIB_IS_BORINGSSL)
   # The consensus is a commit newer than a1843d660b47116207877614af53defa767be46a
   # The commit that changes API_VERSION to 27 is actually a little bit older than the commit but still a reasonable commit
   set(min_bssl "27")
   if(BORINGSSL_VERSION VERSION_LESS "${min_bssl}")
-    message(FATAL_ERROR "BoringSSL API version >= ${min_bssl} or OpenSSL required")
+    message(FATAL_ERROR "BoringSSL API version >= ${min_bssl} or another SSL library required")
+  endif()
+elseif(SSLLIB_IS_AWSLC)
+  set(min_assl "27")
+  if(AWSLC_VERSION VERSION_LESS "${min_assl}")
+    message(FATAL_ERROR "AWS-LC API version >= ${min_assl} or anonther SSL library required")
   endif()
 else()
   set(min_ossl "1.1.1")
   if(OPENSSL_VERSION VERSION_LESS "${min_ossl}")
-    message(FATAL_ERROR "OpenSSL version >= ${min_ossl} or BoringSSL required")
+    message(FATAL_ERROR "OpenSSL version >= ${min_ossl} or another SSL library required")
   endif()
 endif()
-check_openssl_is_quictls(OPENSSL_IS_QUICTLS "${OPENSSL_INCLUDE_DIR}")
+check_openssl_is_quictls(SSLLIB_IS_QUICTLS "${OPENSSL_INCLUDE_DIR}")
 if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3.0.0")
-  set(OPENSSL_IS_OPENSSL3 TRUE)
+  set(SSLLIB_IS_OPENSSL3 TRUE)
   add_compile_definitions(OPENSSL_API_COMPAT=10002 OPENSSL_IS_OPENSSL3)
 endif()
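Review bot: The FATAL_ERROR text in the new `elseif(SSLLIB_IS_AWSLC)` branch misspells "another" (`anonther`), and that line is the only thing a user sees when the AWS-LC version gate fails; use `message(FATAL_ERROR "AWS-LC API version >= ${min_assl} or another SSL library required")`. The branch also hard-codes the same minimum `"27"` as the BoringSSL branch under a second variable name (`min_assl`) without the explanatory comment the BoringSSL branch carries, so a reader cannot tell whether the value was chosen for AWS-LC or merely copied; a one-line comment stating which AWS-LC API version introduced the needed functions would settle that.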
@@ -294,11 +301,11 @@ if(ENABLE_QUICHE)
   set(TS_HAS_QUICHE ${quiche_FOUND})
   set(TS_USE_QUIC ${TS_HAS_QUICHE})
-  if(NOT OPENSSL_IS_BORINGSSL AND NOT OPENSSL_IS_QUICTLS)
+  if(NOT SSLLIB_IS_BORINGSSL AND NOT SSLLIB_IS_QUICTLS)
     message(FATAL_ERROR "Use of BoringSSL or OPENSSL/QUICTLS is required if quiche is used.")
   endif()
-  if(OPENSSL_IS_QUICTLS)
+  if(SSLLIB_IS_QUICTLS)
     # Until we get quictls support integrated with quiche, we just print this message.
     # Once the above that is done, then we can just validate the version.
     message(
@@ -448,6 +455,7 @@ check_symbol_exists(DH_get_2048_256 "openssl/dh.h" TS_USE_GET_DH_2048_256)
 check_symbol_exists(OPENSSL_NO_TLS_3 "openssl/ssl.h" TS_NO_USE_TLS12)
 check_symbol_exists(SSL_CTX_set_client_hello_cb "openssl/ssl.h" TS_USE_HELLO_CB)
 check_symbol_exists(SSL_set1_verify_cert_store "openssl/ssl.h" TS_HAS_VERIFY_CERT_STORE)
+check_symbol_exists(SSL_get_shared_curve "openssl/ssl.h" HAVE_SSL_GET_SHARED_CURVE)
 check_symbol_exists(SSL_set_max_early_data "openssl/ssl.h" HAVE_SSL_SET_MAX_EARLY_DATA)
 check_symbol_exists(SSL_read_early_data "openssl/ssl.h" HAVE_SSL_READ_EARLY_DATA)
 check_symbol_exists(SSL_write_early_data "openssl/ssl.h" HAVE_SSL_WRITE_EARLY_DATA)
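Review bot: The quiche guard `if(NOT SSLLIB_IS_BORINGSSL AND NOT SSLLIB_IS_QUICTLS)` was renamed but not extended for the new `SSLLIB_IS_AWSLC` result, so an AWS-LC build with ENABLE_QUICHE stops at a FATAL_ERROR whose text names only BoringSSL and quictls. Elsewhere in this commit AWS-LC is treated as BoringSSL-equivalent (the HKDF and plugin hunks), so if that is the intent here too the condition should read `if(NOT SSLLIB_IS_BORINGSSL AND NOT SSLLIB_IS_AWSLC AND NOT SSLLIB_IS_QUICTLS)`; if AWS-LC with quiche is deliberately unsupported, the message should say so rather than leave the user to infer it. The enclosing `if(ENABLE_QUICHE)` block begins and ends outside the hunk.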
@@ -458,9 +466,12 @@ check_symbol_exists(SSL_CTX_set_tlsext_ticket_key_cb "openssl/ssl.h" HAVE_SSL_CT
 check_symbol_exists(SSL_get_all_async_fds openssl/ssl.h TS_USE_TLS_ASYNC)
 check_symbol_exists(TLS1_3_VERSION "openssl/ssl.h" TS_USE_TLS13)
 check_symbol_exists(MD5_Init "openssl/md5.h" HAVE_MD5_INIT)
+check_symbol_exists(ENGINE_load_dynamic "include/openssl/engine.h" HAVE_ENGINE_LOAD_DYNAMIC)
+check_symbol_exists(ENGINE_get_default_RSA "include/openssl/engine.h" HAVE_ENGINE_GET_DEFAULT_RSA)
+check_symbol_exists(ENGINE_load_private_key "include/openssl/engine.h" HAVE_ENGINE_LOAD_PRIVATE_KEY)
 check_symbol_exists(sysctlbyname "sys/sysctl.h" HAVE_SYSCTLBYNAME)
-if(OPENSSL_IS_OPENSSL3)
+if(SSLLIB_IS_OPENSSL3)
   check_symbol_exists(SSL_CTX_set_tlsext_ticket_key_evp_cb "openssl/ssl.h" TS_HAS_TLS_SESSION_TICKET)
 else()
   check_symbol_exists(SSL_CTX_set_tlsext_ticket_key_cb "openssl/ssl.h" TS_HAS_TLS_SESSION_TICKET)
diff --git a/cmake/CheckOpenSSLIsAwsLc.cmake b/cmake/CheckOpenSSLIsAwsLc.cmake
new file mode 100644
index 0000000000..66969ee901
--- /dev/null
+++ b/cmake/CheckOpenSSLIsAwsLc.cmake
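Review bot: The three new ENGINE probes pass `"include/openssl/engine.h"` as the header while every neighbouring `check_symbol_exists` uses the `openssl/...` prefix; unless the include search path happens to contain the parent of an `include/` directory, the probe programs fail to compile and all three `HAVE_ENGINE_*` results come back false even on a plain OpenSSL build. That failure mode is silent: the results gate `ENGINE_load_dynamic()` and `ENGINE_load_private_key()` in SSLUtils.cc, so a false negative compiles engine-backed private key loading out of the binary with no configure-time diagnostic, and a deployment relying on an engine-provided key would only notice at runtime. Use `check_symbol_exists(ENGINE_load_dynamic "openssl/engine.h" HAVE_ENGINE_LOAD_DYNAMIC)` and the same path for the other two lines.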
@@ -0,0 +1,43 @@
+#######################
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+# agreements. See the NOTICE file distributed with this work for additional information regarding
+# copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+#######################
+
+function(CHECK_OPENSSL_IS_AWSLC OUT_IS_AWSLC OUT_VERSION OPENSSL_INCLUDE_DIR)
+  set(CHECK_PROGRAM
+      "
+    #include <openssl/base.h>
+
+    #ifndef OPENSSL_IS_AWSLC
+    #error check failed
+    #endif
+
+    int main() {
+      return 0;
+    }
+  "
+  )
+  set(CMAKE_REQUIRED_INCLUDES "${OPENSSL_INCLUDE_DIR}")
+  include(CheckCXXSourceCompiles)
+  check_cxx_source_compiles("${CHECK_PROGRAM}" ${OUT_IS_AWSLC})
+  if(${${OUT_IS_AWSLC}})
+    file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/base.h" version_line REGEX "^#define AWSLC_API_VERSION [0-9]+")
+    string(REGEX MATCH "[0-9]+" version ${version_line})
+    set(${OUT_VERSION}
+        ${version}
+        PARENT_SCOPE
+    )
+  endif()
+endfunction()
diff --git a/include/tscore/ink_config.h.cmake.in b/include/tscore/ink_config.h.cmake.in
index 3f9d848632..554d19d630 100644
--- a/include/tscore/ink_config.h.cmake.in
+++ b/include/tscore/ink_config.h.cmake.in
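Review bot: `string(REGEX MATCH "[0-9]+" version ${version_line})` expands `version_line` unquoted, so when `file(STRINGS ...)` finds no `AWSLC_API_VERSION` line the argument vanishes and CMake aborts with an argument-count error on `string` instead of saying the version could not be read; quote it, `string(REGEX MATCH "[0-9]+" version "${version_line}")`. With the quote in place an unreadable version reaches the caller as an empty `OUT_VERSION`, which the caller's `VERSION_LESS "27"` check does reject, but a `message(FATAL_ERROR ...)` here naming `${OPENSSL_INCLUDE_DIR}/openssl/base.h` would make that failure self-explanatory. A short comment above the `file(STRINGS ...)` call noting that the API version is taken from the `AWSLC_API_VERSION` define in `openssl/base.h` would also help, since nothing else in the file says where the number comes from.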
@@ -162,6 +162,7 @@ const int DEFAULT_STACKSIZE = @DEFAULT_STACK_SIZE@;
 // TODO(cmcfarlen): Verify use of below in iocore/net/SSLNetVConnection (redunant)
 #cmakedefine01 HAVE_SSL_READ_EARLY_DATA
 #cmakedefine HAVE_SSL_SET_MAX_EARLY_DATA
+#cmakedefine01 HAVE_SSL_GET_SHARED_CURVE
 #cmakedefine01 TS_USE_TLS_SET_CIPHERSUITES
 #define TS_BUILD_CANONICAL_HOST "@CMAKE_HOST@"
diff --git a/plugins/CMakeLists.txt b/plugins/CMakeLists.txt
index 499b18fc08..d211528a43 100644
--- a/plugins/CMakeLists.txt
+++ b/plugins/CMakeLists.txt
@@ -47,7 +47,7 @@ add_subdirectory(tcpinfo)
 add_subdirectory(traffic_dump)
 add_subdirectory(xdebug)
-if(NOT OPENSSL_IS_BORINGSSL)
+if(NOT SSLLIB_IS_BORINGSSL AND NOT SSLLIB_IS_AWSLC)
   add_subdirectory(ja3_fingerprint)
 endif()
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 2093676d17..beb67cc5e5 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1303,7 +1303,7 @@ ocsp_update()
 // RFC 6066 Section-8: Certificate Status Request
 int
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 ssl_callback_ocsp_stapling(SSL *ssl)
 #else
 ssl_callback_ocsp_stapling(SSL *ssl, void *)
@@ -1331,7 +1331,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
   }
   certinfo *cinf = nullptr;
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
   certinfo_map::iterator iter = map->find(cert);
   if (iter != map->end()) {
     cinf = iter->second;
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index fd88b860b2..8caf132c97 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
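Review bot: Only `HAVE_SSL_GET_SHARED_CURVE` receives a `#cmakedefine01` here, yet the SSLUtils.cc hunks further down test `HAVE_ENGINE_LOAD_DYNAMIC`, `HAVE_ENGINE_GET_DEFAULT_RSA` and `HAVE_ENGINE_LOAD_PRIVATE_KEY` with `#if`, and the diffstat shows no other change to this template. Unless those three results reach the compiler through some path outside this commit, each is an undefined identifier in `#if`, which the preprocessor evaluates as 0, so the ENGINE setup in SSLPostConfigInitialize() and the engine key lookup in SSLPrivateKeyHandler() are compiled out on every build, OpenSSL included, with no warning. Add `#cmakedefine01 HAVE_ENGINE_LOAD_DYNAMIC`, `#cmakedefine01 HAVE_ENGINE_GET_DEFAULT_RSA` and `#cmakedefine01 HAVE_ENGINE_LOAD_PRIVATE_KEY` beside the new line; building with `-Wundef` would turn any future omission of this kind into a diagnostic instead of a silently dropped feature.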
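Review bot: The condition `#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)` is now spelled out in three places that must agree on the `ssl_callback_ocsp_stapling` signature: the definition in this OCSPStapling.cc hunk, the body guard at line 1331, and the declaration in the P_OCSPStapling.h hunk that follows. If one copy is later updated for another library and the others are not, the declared and defined arities diverge, and which one the SSL library's status callback registration ends up matching is not visible from these hunks. Centralising the choice in the header as one macro, e.g. (constructed name) `#define TS_OCSP_CALLBACK_HAS_ARG` derived from those two library macros, and testing only that macro in the .cc would keep the three sites from drifting. The callback's body continues outside both hunks.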
@@ -29,7 +29,7 @@ void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, const char *rsp_file);
 void ocsp_update();
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
 int ssl_callback_ocsp_stapling(SSL *);
 #else
 int ssl_callback_ocsp_stapling(SSL *, void *);
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index f41e76f3bb..d9bb33b4bf 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -866,7 +866,7 @@ void
 SSLPostConfigInitialize()
 {
   if (SSLConfigParams::engine_conf_file) {
-#ifndef OPENSSL_IS_BORINGSSL
+#if HAVE_ENGINE_LOAD_DYNAMIC
     ENGINE_load_dynamic();
 #endif
@@ -948,7 +948,7 @@ static bool
 SSLPrivateKeyHandler(SSL_CTX *ctx, const SSLConfigParams *params, const char *keyPath, const char *secret_data, int secret_data_len)
 {
   EVP_PKEY *pkey = nullptr;
-#ifndef OPENSSL_IS_BORINGSSL
+#if HAVE_ENGINE_GET_DEFAULT_RSA && HAVE_ENGINE_LOAD_PRIVATE_KEY
   ENGINE *e = ENGINE_get_default_RSA();
   if (e != nullptr) {
     pkey = ENGINE_load_private_key(e, keyPath, nullptr, nullptr);
@@ -2552,7 +2552,7 @@ SSLMultiCertConfigLoader::clear_pw_references(SSL_CTX *ssl_ctx)
 ssl_curve_id
 SSLGetCurveNID(SSL *ssl)
 {
-#ifndef OPENSSL_IS_BORINGSSL
+#if HAVE_SSL_GET_SHARED_CURVE
   return SSL_get_shared_curve(ssl, 0);
 #else
   return SSL_get_curve_id(ssl);
diff --git a/src/tscore/CMakeLists.txt b/src/tscore/CMakeLists.txt
index 278eb76750..fcb80cf53e 100644
--- a/src/tscore/CMakeLists.txt
+++ b/src/tscore/CMakeLists.txt
@@ -101,9 +101,9 @@ add_library(ts::tscore ALIAS tscore)
 # position independent.
 set_target_properties(tscore PROPERTIES POSITION_INDEPENDENT_CODE TRUE)
-if(OPENSSL_IS_BORINGSSL)
+if(SSLLIB_IS_BORINGSSL OR SSLLIB_IS_AWSLC)
   target_sources(tscore PRIVATE HKDF_boringssl.cc)
-elseif(OPENSSL_IS_OPENSSL3)
+elseif(SSLLIB_IS_OPENSSL3)
   target_sources(tscore PRIVATE HKDF_openssl3.cc)
 else()
   target_sources(tscore PRIVATE HKDF_openssl.cc)
