feature: support AWS-LC SSL Library.

.travis.yml

@@ -29,6 +29,7 @@ addons:
  - libunwind-dev
  - wget
  - libbrotli1
+ - ninja-build # for aws-lc
 
 cache:
  directories:
@@ -67,6 +68,7 @@ env:
  - NGINX_VERSION=1.27.1 OPENSSL_VER=3.0.15 OPENSSL_PATCH_VER=3.0.15 TEST_NGINX_TIMEOUT=5 PCRE2_VER=10.42 TEST_NGINX_USE_HTTP2=1
  - NGINX_VERSION=1.27.1 OPENSSL_VER=3.0.15 OPENSSL_PATCH_VER=3.0.15 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
  - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
+ - NGINX_VERSION=1.27.1 AWSLC=1 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
 
 services:
  - memcached
@@ -87,6 +89,7 @@ install:
  - if [ -n "$PCRE_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre-${PCRE_VER}-x64-focal.tar.gz; fi
  - if [ -n "$PCRE2_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre2-${PCRE2_VER}-x64-focal.tar.gz; fi
  - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
+ - wget -O aws-lc.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.49.1.tar.gz
  - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
  - git clone https://github.com/openresty/test-nginx.git
  - git clone https://github.com/openresty/openresty.git ../openresty
@@ -141,6 +144,7 @@ script:
  #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
  #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
  - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+ - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL " fi
  - if [ -n "$OPENSSL_VER" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf openssl-$OPENSSL_VER-x64-focal.tar.gz --strip-components=2; fi
  - if [ -n "$PCRE_VER" ]; then sudo mkdir -p $PCRE_PREFIX && sudo tar -C $PCRE_PREFIX -xf pcre-$PCRE_VER-x64-focal.tar.gz --strip-components=2; fi
  - if [ -n "$PCRE2_VER" ]; then sudo mkdir -p $PCRE2_PREFIX && sudo tar -C $PCRE2_PREFIX -xf pcre2-$PCRE2_VER-x64-focal.tar.gz --strip-components=2; fi

src/ngx_http_lua_ssl_client_helloby.c

@@ -544,6 +544,9 @@ ngx_http_lua_ffi_ssl_get_client_hello_server_name(ngx_http_request_t *r,
 #ifdef LIBRESSL_VERSION_NUMBER
  *err = "LibreSSL does not support by ssl_client_hello_by_lua*"
  return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+ *err = "AWS-LC does not support by ssl_client_hello_by_lua*"
+ return NGX_ERROR;
 #else
  ngx_ssl_conn_t *ssl_conn;
 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
@@ -634,6 +637,9 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext(ngx_http_request_t *r,
 #ifdef LIBRESSL_VERSION_NUMBER
  *err = "LibreSSL does not support by ssl_client_hello_by_lua*"
  return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+ *err = "AWSLC does not support by ssl_client_hello_by_lua*"
+ return NGX_ERROR;
 #else
  ngx_ssl_conn_t *ssl_conn;
 

src/ngx_http_lua_ssl_export_keying_material.c

@@ -31,7 +31,7 @@ ngx_http_lua_ffi_ssl_export_keying_material(ngx_http_request_t *r,
  u_char *out, size_t out_size, const char *label, size_t llen,
  const u_char *context, size_t ctxlen, int use_ctx, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
+#if defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
  *err = "BoringSSL does not support SSL_export_keying_material"
  return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
@@ -79,11 +79,11 @@ ngx_http_lua_ffi_ssl_export_keying_material_early(ngx_http_request_t *r,
  u_char *out, size_t out_size, const char *label, size_t llen,
  const u_char *context, size_t ctxlen, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
- *err = "BoringSSL does not support SSL_export_keying_material"
+#if defined(OPENSSL_IS_BORINGSSL)
+ *err = "BoringSSL does not support SSL_export_keying_material_early"
  return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
- *err = "LibreSSL does not support SSL_export_keying_material"
+ *err = "LibreSSL does not support SSL_export_keying_material_early"
  return NGX_ERROR;
 #elif OPENSSL_VERSION_NUMBER < 0x10101000L
  *err = "OpenSSL too old"

src/ngx_http_lua_ssl_ocsp.c

@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
  return NGX_ERROR;
  }
 
-#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)
  if (SSL_get_tlsext_status_type(ssl_conn) == -1){
 #else
  if (ssl_conn->tlsext_status_type == -1){

t/166-ssl-client-hello.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/){
  plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/){
  plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/){
+ plan(skip_all => "does not support AWS-LC");
 } else{
  plan tests => repeat_each() * (blocks() * 6 + 8);
 }

t/187-ssl-two-verification.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/){
  plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/){
  plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/){
+ plan(skip_all => "does not support AWS-LC");
 } else{
  plan tests => repeat_each() * (blocks() * 7);
 }

util/build-aws-lc.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# this script is for developers only.
+
+root=`pwd`
+
+tar -xzf aws-lc.tar.gz
+mv aws-lc-* aws-lc
+cmake $root/aws-lc -GNinja -B$root/aws-lc-build -DCMAKE_INSTALL_PREFIX=/opt/ssl -DBUILD_TESTING=OFF -DDISABLE_GO=ON -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0
+ninja -C $root/aws-lc-build install

util/build-with-dd.sh

@@ -33,7 +33,7 @@ time ngx-build $force $version \
  --with-pcre-jit \
  $disable_pcre2 \
  --with-ipv6 \
- --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
+ --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
  --with-http_v2_module \
  $add_http3_module \
  --with-http_realip_module \

util/build.sh

@@ -45,7 +45,7 @@ time ngx-build $force $version \
  --with-pcre-jit \
  $disable_pcre2 \
  --with-ipv6 \
- --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
+ --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
  --with-http_v2_module \
  $add_http3_module \
  --with-http_realip_module \