diff --git a/src/h2load.cc b/src/h2load.cc index e7f368c8..6a58d1ae 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -2845,19 +2845,26 @@ int main(int argc, char **argv) { exit(EXIT_FAILURE); } -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (SSL_CTX_set_ciphersuites(ssl_ctx, config.tls13_ciphers.c_str()) == 0) { std::cerr << "SSL_CTX_set_ciphersuites with " << config.tls13_ciphers << " failed: " << ERR_error_string(ERR_get_error(), nullptr) << std::endl; exit(EXIT_FAILURE); } -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) { std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl; exit(EXIT_FAILURE); } +#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) + if (SSL_CTX_set1_curves_list(ssl_ctx, config.groups.c_str()) != 1) { + std::cerr << "SSL_CTX_set1_curves_list failed" << std::endl; + exit(EXIT_FAILURE); + } +#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) #ifndef OPENSSL_NO_NEXTPROTONEG SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb, diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc index d07314b6..fc108bbd 100644 --- a/src/shrpx_connection.cc +++ b/src/shrpx_connection.cc @@ -397,7 +397,7 @@ int Connection::tls_handshake() { ERR_clear_error(); -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (!tls.server_handshake || tls.early_data_finish) { rv = SSL_do_handshake(tls.ssl); } else { @@ -449,9 +449,9 @@ int Connection::tls_handshake() { } } } -#else // !OPENSSL_1_1_1_API +#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) rv = SSL_do_handshake(tls.ssl); -#endif // !OPENSSL_1_1_1_API +#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) if (rv <= 0) { auto err = SSL_get_error(tls.ssl, rv); @@ -698,7 +698,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) { ERR_clear_error(); -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) int rv; if (SSL_is_init_finished(tls.ssl)) { rv = SSL_write(tls.ssl, data, len); @@ -710,9 +710,9 @@ ssize_t Connection::write_tls(const void *data, size_t len) { rv = nwrite; } } -#else // !OPENSSL_1_1_1_API +#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) auto rv = SSL_write(tls.ssl, data, len); -#endif // !OPENSSL_1_1_1_API +#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) if (rv <= 0) { auto err = SSL_get_error(tls.ssl, rv); @@ -772,7 +772,7 @@ ssize_t Connection::read_tls(void *data, size_t len) { tls.last_readlen = 0; } -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (!tls.early_data_finish) { // TLSv1.3 handshake is still going on. size_t nread; @@ -811,7 +811,7 @@ ssize_t Connection::read_tls(void *data, size_t len) { } return nread; } -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) auto rv = SSL_read(tls.ssl, data, len); diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc index a933b660..12539ad5 100644 --- a/src/shrpx_tls.cc +++ b/src/shrpx_tls.cc @@ -731,7 +731,8 @@ int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, # endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // ENABLE_HTTP3 -#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \ + !defined(OPENSSL_IS_BORINGSSL) # ifndef TLSEXT_TYPE_signed_certificate_timestamp # define TLSEXT_TYPE_signed_certificate_timestamp 18 @@ -821,7 +822,8 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type, } // namespace # endif // !OPENSSL_1_1_1_API -#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && + // !defined(OPENSSL_IS_BORINGSSL) #ifndef OPENSSL_NO_PSK namespace { @@ -931,14 +933,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE | SSL_OP_CIPHER_SERVER_PREFERENCE -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) // The reason for disabling built-in anti-replay in OpenSSL is // that it only works if client gets back to the same server. // The freshness check described in // https://tools.ietf.org/html/rfc8446#section-8.3 is still // performed. | SSL_OP_NO_ANTI_REPLAY -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) ; auto config = mod_config(); @@ -969,13 +971,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, DIE(); } -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) { LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers << " failed: " << ERR_error_string(ERR_get_error(), nullptr); DIE(); } -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) #ifndef OPENSSL_NO_EC # if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L @@ -1172,13 +1174,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && // !defined(OPENSSL_IS_BORINGSSL) -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) { LOG(FATAL) << "SSL_CTX_set_max_early_data failed: " << ERR_error_string(ERR_get_error(), nullptr); DIE(); } -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) #ifndef OPENSSL_NO_PSK SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); @@ -1616,14 +1618,14 @@ SSL_CTX *create_ssl_client_context( DIE(); } -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) == 0) { LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers << " failed: " << ERR_error_string(ERR_get_error(), nullptr); DIE(); } -#endif // OPENSSL_1_1_1_API +#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); @@ -2625,7 +2627,7 @@ namespace { int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) { int rv; -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) struct tm tm; rv = ASN1_TIME_to_tm(at, &tm); if (rv != 1) { @@ -2633,7 +2635,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) { } t = nghttp2_timegm(&tm); -#else // !OPENSSL_1_1_1_API +#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) auto b = BIO_new(BIO_s_mem()); if (!b) { return -1; @@ -2659,7 +2661,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) { } t = tt; -#endif // !OPENSSL_1_1_1_API +#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) return 0; } diff --git a/src/tls.h b/src/tls.h index ee8a5d7f..8b785ffc 100644 --- a/src/tls.h +++ b/src/tls.h @@ -57,11 +57,11 @@ constexpr char DEFAULT_CIPHER_LIST[] = "AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; constexpr char DEFAULT_TLS13_CIPHER_LIST[] = -#if OPENSSL_1_1_1_API +#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) TLS_DEFAULT_CIPHERSUITES -#else // !OPENSSL_1_1_1_API +#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) "" -#endif // !OPENSSL_1_1_1_API +#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)) ; constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;