|
| 1 | +diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c |
| 2 | +index fbd38f3d..b4a37d42 100644 |
| 3 | +--- a/src/openvpn/crypto_openssl.c |
| 4 | ++++ b/src/openvpn/crypto_openssl.c |
| 5 | +@@ -1397,7 +1397,7 @@ out: |
| 6 | + |
| 7 | + return ret; |
| 8 | + } |
| 9 | +-#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) |
| 10 | ++#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(OPENSSL_IS_AWSLC) |
| 11 | + bool |
| 12 | + ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, |
| 13 | + int secret_len, uint8_t *output, int output_len) |
| 14 | +@@ -1443,6 +1443,13 @@ out: |
| 15 | + EVP_PKEY_CTX_free(pctx); |
| 16 | + return ret; |
| 17 | + } |
| 18 | ++#elif defined(OPENSSL_IS_AWSLC) |
| 19 | ++bool |
| 20 | ++ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, |
| 21 | ++ int slen, uint8_t *out1, int olen) |
| 22 | ++{ |
| 23 | ++ CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); |
| 24 | ++} |
| 25 | + #else /* if defined(LIBRESSL_VERSION_NUMBER) */ |
| 26 | + /* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as |
| 27 | + * OpenSSL does. As result they will only be able to support |
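Review bot: The AWS-LC `ssl_tls1_PRF` added at lines 19–24 is declared `bool` but never returns a value, and it discards the result of `CRYPTO_tls1_prf`, so a failed PRF would leave `out1` unset while the function's missing return is undefined behavior in C. Callers of `ssl_tls1_PRF` in the OpenSSL path presumably check the bool (the OpenSSL variant in the previous hunk returns `ret` after cleanup), so this branch should propagate the result the same way, e.g. `return CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0) == 1;`. If the AWS-LC prototype takes the label as `const char *`, a cast is also needed to avoid an incompatible-pointer warning; the equivalence of passing the whole seed as the label with empty seed arguments is inferred and should be confirmed against the AWS-LC documentation. A one-line comment above the call, `/* AWS-LC exposes the TLS 1.0/1.1 PRF directly; the caller's seed is passed as the label. */`, would help the next reader.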
| 28 | +diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h |
| 29 | +index 95417b22..61b632dd 100644 |
| 30 | +--- a/src/openvpn/openssl_compat.h |
| 31 | ++++ b/src/openvpn/openssl_compat.h |
| 32 | +@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj) |
| 33 | + #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT |
| 34 | + #endif |
| 35 | + |
| 36 | +-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL |
| 37 | ++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC) |
| 38 | + #define SSL_get_peer_tmp_key SSL_get_server_tmp_key |
| 39 | + #endif |
| 40 | + |
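Review bot: The extended `#if` at line 37 relies on `&&` binding tighter than `||`, which gives the intended result but reads ambiguously next to the version comparison; a reviewer would ask for explicit grouping, `#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) || defined(OPENSSL_IS_AWSLC)`. A short comment stating that AWS-LC only provides `SSL_get_server_tmp_key` would also document why it joins the old-LibreSSL case.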
| 41 | +diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c |
| 42 | +index 0d845f4a..c47a0c5d 100644 |
| 43 | +--- a/src/openvpn/ssl_openssl.c |
| 44 | ++++ b/src/openvpn/ssl_openssl.c |
| 45 | +@@ -1631,7 +1631,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) |
| 46 | + |
| 47 | + /* Among init methods, we only need the finish method */ |
| 48 | + EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); |
| 49 | ++#ifdef OPENSSL_IS_AWSLC |
| 50 | ++ EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig); |
| 51 | ++#else |
| 52 | + EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); |
| 53 | ++#endif |
| 54 | + |
| 55 | + ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); |
| 56 | + if (!ec) |
| 57 | +@@ -1857,9 +1861,11 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, |
| 58 | + } |
| 59 | + sk_X509_INFO_pop_free(info_stack, X509_INFO_free); |
| 60 | + } |
| 61 | +- |
| 62 | ++ |
| 63 | ++ int cnum; |
| 64 | + if (tls_server) |
| 65 | + { |
| 66 | ++ cnum = sk_X509_NAME_num(cert_names); |
| 67 | + SSL_CTX_set_client_CA_list(ctx->ctx, cert_names); |
| 68 | + } |
| 69 | + |
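Review bot: The hoisted `int cnum;` at line 63 is left uninitialized and only assigned under `if (tls_server)`; its later read (line 75 of the next hunk) is under the same condition, so this is not a defect, but the pattern commonly triggers `-Wmaybe-uninitialized` and is fragile if either branch changes. Initializing it, `int cnum = 0;`, removes the warning and the fragility at no cost. `tls_ctx_load_ca` starts and ends outside this hunk.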
| 70 | +@@ -1872,7 +1878,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, |
| 71 | + |
| 72 | + if (tls_server) |
| 73 | + { |
| 74 | +- int cnum = sk_X509_NAME_num(cert_names); |
| 75 | + if (cnum != added) |
| 76 | + { |
| 77 | + crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " |
| 78 | +@@ -2520,7 +2525,7 @@ show_available_tls_ciphers_list(const char *cipher_list, |
| 79 | + crypto_msg(M_FATAL, "Cannot create SSL object"); |
| 80 | + } |
| 81 | + |
| 82 | +-#if OPENSSL_VERSION_NUMBER < 0x1010000fL |
| 83 | ++#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) |
| 84 | + STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); |
| 85 | + #else |
| 86 | + STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); |