nghttpx: Set SCT data when built with boringssl

This commit is contained in:
Tatsuhiro Tsujikawa 2021-10-15 23:03:09 +09:00
parent 7055501efd
commit 1ce9efc644
1 changed files with 32 additions and 16 deletions

View File

@ -1145,6 +1145,12 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr); SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
tls_ctx_data->sct_data = sct_data;
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \ #if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp) // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
@ -1177,8 +1183,16 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
} }
# endif // !OPENSSL_1_1_1_API # endif // !OPENSSL_1_1_1_API
} }
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && #elif defined(OPENSSL_IS_BORINGSSL)
// !defined(OPENSSL_IS_BORINGSSL) if (!tls_ctx_data->sct_data.empty() &&
SSL_CTX_set_signed_cert_timestamp_list(
ssl_ctx, tls_ctx_data->sct_data.data(),
tls_ctx_data->sct_data.size()) != 1) {
LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) { if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
@ -1192,12 +1206,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
#endif // !LIBRESSL_NO_PSK #endif // !LIBRESSL_NO_PSK
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
tls_ctx_data->sct_data = sct_data;
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
return ssl_ctx; return ssl_ctx;
} }
@ -1553,6 +1561,12 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_CTX_set_alpn_select_cb(ssl_ctx, quic_alpn_select_proto_cb, nullptr); SSL_CTX_set_alpn_select_cb(ssl_ctx, quic_alpn_select_proto_cb, nullptr);
# endif // OPENSSL_VERSION_NUMBER >= 0x10002000L # endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
tls_ctx_data->sct_data = sct_data;
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
# if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \ # if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp) // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
@ -1585,8 +1599,16 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
} }
# endif // !OPENSSL_1_1_1_API # endif // !OPENSSL_1_1_1_API
} }
# endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && # elif defined(OPENSSL_IS_BORINGSSL)
// !defined(OPENSSL_IS_BORINGSSL) if (!tls_ctx_data->sct_data.empty() &&
SSL_CTX_set_signed_cert_timestamp_list(
ssl_ctx, tls_ctx_data->sct_data.data(),
tls_ctx_data->sct_data.size()) != 1) {
LOG(FATAL) << "SSL_CTX_set_signed_cert_timestamp_list failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // defined(OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL) # if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
auto &quicconf = config->quic; auto &quicconf = config->quic;
@ -1606,12 +1628,6 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_CTX_set_quic_method(ssl_ctx, &quic_method); SSL_CTX_set_quic_method(ssl_ctx, &quic_method);
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
tls_ctx_data->sct_data = sct_data;
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
return ssl_ctx; return ssl_ctx;
} }
#endif // ENABLE_HTTP3 #endif // ENABLE_HTTP3