From b3f94f8b3b6747eac1c22318d03bdb80e008d5c1 Mon Sep 17 00:00:00 2001 From: Andrew Hopkins Date: Thu, 6 Jul 2023 15:41:46 -0700 Subject: [PATCH] BUILD: ssl: Build with new cryptographic library AWS-LC This adds a new option for the Makefile USE_OPENSSL_AWSLC, and update the documentation with instructions to use HAProxy with AWS-LC. Update the type of the OCSP callback retrieved with SSL_CTX_get_tlsext_status_cb with the actual type for libcrypto versions greater than 1.0.2. This doesn't affect OpenSSL which casts the callback to void* in SSL_CTX_ctrl. --- INSTALL | 36 ++++++++++++++++++++++---------- Makefile | 16 ++++++++++---- include/haproxy/openssl-compat.h | 7 +++++++ src/haproxy.c | 9 ++++++++ src/ssl_sock.c | 4 ++++ 5 files changed, 57 insertions(+), 15 deletions(-) diff --git a/INSTALL b/INSTALL index 8492a4f37..d80431ac5 100644 --- a/INSTALL +++ b/INSTALL 
@@ -244,16 +244,16 @@ https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is mandated by support reasons, at least 3.1 recovers a small fraction of this important loss. -Three OpenSSL derivatives called LibreSSL, BoringSSL and QUICTLS are reported -to work as well. While there are some efforts from the community to ensure they -work well, OpenSSL remains the primary target and this means that in case of -conflicting choices, OpenSSL support will be favored over other options. Note -that QUIC is not fully supported when haproxy is built with OpenSSL. In this -case, QUICTLS is the preferred alternative. As of writing this, the QuicTLS -project follows OpenSSL very closely and provides update simultaneously, but -being a volunteer-driven project, its long-term future does not look certain -enough to convince operating systems to package it, so it needs to be build -locally. See the section about QUIC in this document. +Four OpenSSL derivatives called LibreSSL, BoringSSL, QUICTLS, and AWS-LC are +reported to work as well. While there are some efforts from the community to +ensure they work well, OpenSSL remains the primary target and this means that +in case of conflicting choices, OpenSSL support will be favored over other +options. Note that QUIC is not fully supported when haproxy is built with +OpenSSL. In this case, QUICTLS is the preferred alternative. As of writing +this, the QuicTLS project follows OpenSSL very closely and provides update +simultaneously, but being a volunteer-driven project, its long-term future does +not look certain enough to convince operating systems to package it, so it +needs to be build locally. See the section about QUIC in this document. A fifth option is wolfSSL (https://github.com/wolfSSL/wolfssl). It is the only supported alternative stack not based on OpenSSL, yet which implements almost 
@@ -281,7 +281,7 @@ SSL library files using SSL_LIB. Example : USE_OPENSSL=1 SSL_INC=/opt/ssl-1.1.1/include SSL_LIB=/opt/ssl-1.1.1/lib To use HAProxy with WolfSSL, WolfSSL must be built with haproxy support, at -least WolfSSL 5.6.0 is needed, but a development version migh be needed for +least WolfSSL 5.6.0 is needed, but a development version might be needed for some of the features: $ cd ~/build/wolfssl @@ -300,6 +300,20 @@ command line, for example: $ make -j $(nproc) TARGET=generic USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 \ SSL_INC=/opt/wolfssl-5.6.0/include SSL_LIB=/opt/wolfssl-5.6.0/lib +To use HAProxy with AWS-LC you must have version v1.13.0 or newer of AWS-LC +built and installed locally. + $ cd ~/build/aws-lc + $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/opt/aws-lc + $ make -j $(nproc) + $ make install + +Building HAProxy with AWS-LC requires you to enable AWS-LC support, and specify +the path it was installed to when running make for HAPRoxy. + + $ cd ~/build/haproxy + $ make -j $(nproc) TARGET=generic USE_OPENSSL_AWSLC=1 \ + SSL_INC=/opt/aws-lc/include SSL_LIB=/opt/aws-lc/lib + In order to link OpenSSL statically against HAProxy, first download OpenSSL from https://www.openssl.org/ then build it with the "no-shared" keyword and install it to a local directory, so your system is not affected : diff --git a/Makefile b/Makefile index 74c6d7d4b..efdd10297 100644 --- a/Makefile +++ b/Makefile @@ -33,6 +33,7 @@ # USE_CRYPT_H : set it if your system requires including crypt.h # USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names. # USE_OPENSSL : enable use of OpenSSL. Recommended, but see below. +# USE_OPENSSL_AWSLC : enable use of AWS-LC # USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API # USE_QUIC : enable use of QUIC with the quictls API (quictls, libressl, boringssl) # USE_QUIC_OPENSSL_COMPAT : enable use of QUIC with the standard openssl API (limited features) 
@@ -308,10 +309,10 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER USE_POLL \ USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \ USE_TPROXY USE_LINUX_TPROXY USE_LINUX_CAP \ USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \ - USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_SSL USE_LUA \ - USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \ - USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC USE_MATH \ - USE_DEVICEATLAS USE_51DEGREES \ + USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_OPENSSL_AWSLC \ + USE_SSL USE_LUA USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ \ + USE_CPU_AFFINITY USE_TFO USE_NS USE_DL USE_RT USE_LIBATOMIC \ + USE_MATH USE_DEVICEATLAS USE_51DEGREES \ USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL \ USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX \ USE_MEMORY_PROFILING USE_SHM_OPEN \ @@ -583,6 +584,13 @@ ifneq ($(USE_OPENSSL_WOLFSSL),) USE_OPENSSL := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit) endif +# This is for the AWS-LC variant of the OpenSSL API. Setting it implies +# OPENSSL so it's not necessary to set the latter. +ifneq ($(USE_OPENSSL_AWSLC),) + # always automatically set USE_OPENSSL + USE_OPENSSL := $(if $(USE_OPENSSL),$(USE_OPENSSL),implicit) +endif + # This is for any variant of the OpenSSL API. By default it uses OpenSSL. ifneq ($(USE_OPENSSL),) # only preset these for the regular openssl diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index 248ae284e..066db0cac 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -7,6 +7,13 @@ #include #endif +#ifdef USE_OPENSSL_AWSLC +#include +#if !defined(OPENSSL_IS_AWSLC) +#error "USE_OPENSSL_AWSLC is set but OPENSSL_IS_AWSLC is not defined, wrong header files detected" +#endif +#endif + #include #include #include diff --git a/src/haproxy.c b/src/haproxy.c index f2bb31e01..fd32c0c14 100644 --- a/src/haproxy.c +++ b/src/haproxy.c 
@@ -1957,6 +1957,15 @@ static void init(int argc, char **argv)
 wolfSSL_Init();
 wolfSSL_Debugging_ON();
 #endif
+
+#ifdef USE_OPENSSL_AWSLC
+ const char *version_str = OpenSSL_version(OPENSSL_VERSION);
+ if (strncmp(version_str, "AWS-LC", 6) != 0) {
+ ha_alert("HAPRoxy built with AWS-LC but running with %s.\n", version_str);
+ exit(1);
+ }
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /* Initialize the error strings of OpenSSL
 * It only needs to be done explicitly with older versions of the SSL
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f68d0e318..aaa25008a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1112,7 +1112,11 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 char *warn = NULL;
 unsigned char *p;
 #ifndef USE_OPENSSL_WOLFSSL
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ int (*callback) (SSL *, void *);
+#else
 void (*callback) (void);
+#endif
 #else
 tlsextStatusCb callback;
 #endif
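Review bot: The user-facing message on the new `ha_alert(...)` line misspells the program name: `"HAPRoxy built with AWS-LC but running with %s.\n"` should read `"HAProxy built with AWS-LC but running with %s.\n"` (the same typo is in the INSTALL hunk at line 300 of that file). The prefix length `6` in `strncmp(version_str, "AWS-LC", 6)` is a magic number that only works while the literal next to it stays six characters long; `strncmp(version_str, "AWS-LC", strlen("AWS-LC"))` keeps the two in sync. Since this block is a runtime guard rather than initialization, a one-line comment stating its purpose would help, e.g. `/* Refuse to start when the libcrypto actually loaded at runtime is not AWS-LC: the build was compiled against AWS-LC headers and presumably depends on its ABI. */`. init() begins and ends outside the hunk.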
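Review bot: The new `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)` branch has no comment explaining why the declared type of `callback` depends on the library version, and its threshold (1.1.1) does not match the commit message, which says the real type applies to libcrypto versions greater than 1.0.2; one of the two should be corrected or the choice explained. A comment above the `#if` along the lines of `/* OpenSSL's SSL_CTX_get_tlsext_status_cb() goes through SSL_CTX_ctrl() and casts the callback to void *, so the generic pointer type is fine there; libraries that presumably declare it as a real function (AWS-LC) need the actual status-callback signature. */` would make the intent clear to the next reader. The place where `callback` is handed to SSL_CTX_get_tlsext_status_cb() and the rest of ssl_sock_load_ocsp() lie outside the hunk, so whether every use of `callback` agrees with the new type cannot be confirmed from here.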