From f07d7d24d3bc1950adf3ef5d9af51504d48b5234 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Thu, 5 Sep 2024 23:48:25 +0800
Subject: [PATCH 01/17] feature: support AWS-LC SSL Library.
---
 src/ngx_http_lua_ssl_certby.c | 4 ++--
 src/ngx_http_lua_ssl_export_keying_material.c | 11 +++++++----
 src/ngx_http_lua_ssl_ocsp.c | 2 +-
 3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
index 0901f06eab..eaf55062b3 100644
--- a/src/ngx_http_lua_ssl_certby.c
+++ b/src/ngx_http_lua_ssl_certby.c
@@ -1345,7 +1345,7 @@ ngx_http_lua_ffi_set_cert(ngx_http_request_t *r,
 # else
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 size_t i;
 #else
 int i;
@@ -1487,7 +1487,7 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *client_certs,
 X509 *x509 = NULL;
 X509_NAME *subject = NULL;
 X509_STORE *ca_store = NULL;
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 size_t i;
 #else
 int i;
diff --git a/src/ngx_http_lua_ssl_export_keying_material.c b/src/ngx_http_lua_ssl_export_keying_material.c
index ec64c049a9..27e1189357 100644
--- a/src/ngx_http_lua_ssl_export_keying_material.c
+++ b/src/ngx_http_lua_ssl_export_keying_material.c
@@ -31,7 +31,7 @@ ngx_http_lua_ffi_ssl_export_keying_material(ngx_http_request_t *r, u_char *out,
 size_t out_size, const char *label, size_t llen,
 const u_char *context, size_t ctxlen, int use_ctx, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
+#if defined(OPENSSL_IS_BORINGSSL)
 *err = "BoringSSL does not support SSL_export_keying_material";
 return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
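Review bot: The new `#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)` guards in ngx_http_lua_ffi_set_cert (the @@ -1345 hunk) and ngx_http_lua_ffi_ssl_verify_client (the @@ -1487 hunk) switch the index between `size_t i` and `int i` without saying why, and the loop that consumes `i` lies outside both hunks. Presumably the type follows the return type of the `sk_*_num()` family, which differs between the BoringSSL-derived libraries and OpenSSL, so a one-line comment above the `#if`, e.g. `/* sk_*_num() returns size_t on BoringSSL/AWS-LC, int on OpenSSL */`, would make the pairing self-explanatory the next time a fork is added. Since this exact macro pair now recurs across the module, folding it into one project-level feature macro (name to be chosen) would keep the forks' API classification in a single place.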
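Review bot: The rewritten guard in ngx_http_lua_ffi_ssl_export_keying_material drops `|| OPENSSL_VERSION_NUMBER < 0x10101000L` from the first branch and adds no AWS-LC branch, so an AWS-LC build now falls through into the LibreSSL/OpenSSL chain that continues past the hunk; that is only correct if a later `#elif OPENSSL_VERSION_NUMBER < 0x10101000L` branch still exists in this function (the `_early` variant in the next hunk has one) and if AWS-LC really provides SSL_export_keying_material, which the hunk does not state. Record the decision on the `#if` line, e.g. `/* AWS-LC provides SSL_export_keying_material; it takes the OpenSSL path below */`, so it is visibly different from the `_early` function, which rejects AWS-LC explicitly. The function body ends outside the hunk.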
@@ -79,11 +79,14 @@ ngx_http_lua_ffi_ssl_export_keying_material_early(ngx_http_request_t *r,
 u_char *out, size_t out_size, const char *label, size_t llen,
 const u_char *context, size_t ctxlen, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
- *err = "BoringSSL does not support SSL_export_keying_material";
+#if defined(OPENSSL_IS_BORINGSSL)
+ *err = "BoringSSL does not support SSL_export_keying_material_early";
 return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
- *err = "LibreSSL does not support SSL_export_keying_material";
+ *err = "LibreSSL does not support SSL_export_keying_material_early";
+ return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+ *err = "AWS-LC does not support SSL_export_keying_material_early";
 return NGX_ERROR;
 #elif OPENSSL_VERSION_NUMBER < 0x10101000L
 *err = "OpenSSL too old";
diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
index 73e1b9c7f5..bdbccc8f62 100644
--- a/src/ngx_http_lua_ssl_ocsp.c
+++ b/src/ngx_http_lua_ssl_ocsp.c
@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
 return NGX_ERROR;
 }
-#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)
 if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
 #else
 if (ssl_conn->tlsext_status_type == -1) {
From 340b496609dc869fc262fffcf19ba76dd5969c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 14:13:43 +0800
Subject: [PATCH 02/17] feature: add AWS-LC patches and tests
---
 .travis.yml | 4 +
 util/aws-lc-nginx-tests.patch | 120 +++++++++++++++
 util/aws-lc-nginx.patch | 272 ++++++++++++++++++++++++++++++++++
 util/build-aws-lc.sh | 10 ++
 util/build-with-dd.sh | 7 +-
 util/build.sh | 7 +-
 6 files changed, 418 insertions(+), 2 deletions(-)
 create mode 100644 util/aws-lc-nginx-tests.patch
 create mode 100644 util/aws-lc-nginx.patch
 create mode 100644 util/build-aws-lc.sh
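Review bot: The guard `#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)` in ngx_http_lua_ffi_ssl_set_ocsp_status_resp mixes a feature-test macro with a library-identity macro, and the `#else` branch it protects reads `ssl_conn->tlsext_status_type` directly, which only compiles where the SSL struct is not opaque. The reason AWS-LC needs its own term — presumably it exposes SSL_get_tlsext_status_type() as a real function rather than through an SSL_ctrl macro — is not visible here; record it next to the guard, e.g. `/* AWS-LC has SSL_get_tlsext_status_type() but no SSL_CTRL_* macro */`. It is worth confirming whether BoringSSL is in the same position, since this would then be the one place in the series where the two forks are treated differently. The function starts outside the hunk.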
diff --git a/.travis.yml b/.travis.yml
index 177d6488ca..1ee525fa00 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -29,6 +29,7 @@ addons:
 - libunwind-dev
 - wget
 - libbrotli1
+ - ninja-build # for aws-lc
 cache:
 directories:
@@ -66,6 +67,7 @@ env:
 - NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
 - NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
 - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
+ - NGINX_VERSION=1.27.1 AWSLC=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
 #- NGINX_VERSION=1.25.1 OPENSSL_VER=1.1.1w TEST_NGINX_USE_HTTP2=1
 services:
@@ -85,6 +87,7 @@ install:
 - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
 - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
+ - wget -O aws-lc-1.34.2.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
 - git clone https://github.com/openresty/test-nginx.git
 - git clone https://github.com/openresty/openresty.git ../openresty
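Review bot: The added `wget -O aws-lc-1.34.2.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz` in the @@ -85 hunk fetches a source archive that util/build-aws-lc.sh later unpacks and installs under /opt/ssl with sudo, but nothing checks what was downloaded; the boringssl and curl archives on the neighbouring lines come from the project's own prebuild releases, whereas this is a tag archive generated on request. Pin the expected digest and verify it before the build step, e.g. `- echo "<sha256-of-aws-lc-1.34.2.tar.gz>  aws-lc-1.34.2.tar.gz" | sha256sum -c -` as the next install line, so a changed or tampered archive fails the job instead of being compiled into the TLS library the tests run against.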
@@ -139,6 +142,7 @@ script:
 - if [ "$USE_PCRE2" = "Y" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+ - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; cd test-nginx; patch -p1 < ../util/aws-lc-nginx-tests.patch; cd ..; fi
 - export NGX_BUILD_CC=$CC
 - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
 - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
diff --git a/util/aws-lc-nginx-tests.patch b/util/aws-lc-nginx-tests.patch
new file mode 100644
index 0000000000..81660945bb
--- /dev/null
+++ b/util/aws-lc-nginx-tests.patch
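Review bot: The added AWSLC line chains its steps with `;`, so if `sudo sh util/build-aws-lc.sh` or the `patch -p1` fails the job continues into the nginx build with an empty or partial /opt/ssl, unlike the BORINGSSL line just above it, which uses `&&`. It also runs a script whose shebang is `#!/usr/bin/env bash` through `sh`, which behaves differently where /bin/sh is dash. Suggested form: `- if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl && sudo bash util/build-aws-lc.sh && (cd test-nginx && patch -p1 < ../util/aws-lc-nginx-tests.patch); fi`. The version of this line in PATCH 03 drops the test-nginx patch but keeps both issues.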
@@ -0,0 +1,120 @@ +diff --git a/h3_ssl_early_data.t b/h3_ssl_early_data.t +index 064ffad..b06acd1 100644 +--- a/h3_ssl_early_data.t ++++ b/h3_ssl_early_data.t +@@ -89,6 +89,7 @@ $s = Test::Nginx::HTTP3->new(8980, psk_list => $psk_list, early_data => {}); + TODO: { + local $TODO = 'no 0-RTT in OpenSSL compat layer' + unless $t->has_module('OpenSSL [.0-9]+\+quic') ++ or $t->has_module('AWS-LC') + or $t->has_module('BoringSSL') + or $t->has_module('LibreSSL'); + +diff --git a/h3_ssl_session_reuse.t b/h3_ssl_session_reuse.t +index e9ef846..eaac4de 100644 +--- a/h3_ssl_session_reuse.t ++++ b/h3_ssl_session_reuse.t +@@ -139,6 +139,8 @@ is(test_reuse(8944), 1, 'tickets and cache reused'); + + local $TODO = 'no TLSv1.3 session cache in BoringSSL' + if $t->has_module('BoringSSL'); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC'); + + is(test_reuse(8945), 1, 'cache shared reused'); + is(test_reuse(8946), 1, 'cache builtin reused'); +diff --git a/mail_ssl_session_reuse.t b/mail_ssl_session_reuse.t +index 96330cc..30ed758 100644 +--- a/mail_ssl_session_reuse.t ++++ b/mail_ssl_session_reuse.t +@@ -147,6 +147,8 @@ is(test_reuse(8994), 1, 'tickets and cache reused'); + TODO: { + local $TODO = 'no TLSv1.3 session cache in BoringSSL' + if $t->has_module('BoringSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + is(test_reuse(8995), 1, 'cache shared reused'); + is(test_reuse(8996), 1, 'cache builtin reused'); +diff --git a/ssl.t b/ssl.t +index 6055e08..bbbe4dd 100644 +--- a/ssl.t ++++ b/ssl.t +@@ -218,6 +218,8 @@ local $TODO = 'no TLSv1.3 sessions in LibreSSL' + if $t->has_module('LibreSSL') && test_tls13(); + local $TODO = 'no TLSv1.3 sessions ids in BoringSSL' + if $t->has_module('BoringSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 sessions ids in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + like(get('/id', 8085, $ctx), qr/^body \w{64}$/m, 'session id 
reused'); + +@@ -229,6 +231,7 @@ like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); + + SKIP: { + skip 'BoringSSL', 1 if $t->has_module('BoringSSL'); ++skip 'AWS-LC', 1 if $t->has_module('AWS-LC'); + + like(get('/ciphers', 8085), qr/^body [:\w-]+$/m, 'ciphers'); + +diff --git a/ssl_ocsp.t b/ssl_ocsp.t +index 8f6b26d..ee9a82d 100644 +--- a/ssl_ocsp.t ++++ b/ssl_ocsp.t +@@ -363,6 +363,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' + if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); + local $TODO = 'no TLSv1.3 sessions in LibreSSL' + if $t->has_module('LibreSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + like(get('ec-end', ses => $s), + qr/200 OK.*SUCCESS:r/s, 'session reused'); +@@ -395,6 +397,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' + if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); + local $TODO = 'no TLSv1.3 sessions in LibreSSL' + if $t->has_module('LibreSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + like(get('ec-end', ses => $s), + qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); +diff --git a/ssl_session_reuse.t b/ssl_session_reuse.t +index 163de3d..d22282b 100644 +--- a/ssl_session_reuse.t ++++ b/ssl_session_reuse.t +@@ -174,6 +174,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused'); + TODO: { + local $TODO = 'no TLSv1.3 session cache in BoringSSL' + if $t->has_module('BoringSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + is(test_reuse(8445), 1, 'cache shared reused'); + is(test_reuse(8446), 1, 'cache builtin reused'); +diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t +index 7ff5fa0..958bfaa 100644 +--- a/ssl_sni_sessions.t ++++ b/ssl_sni_sessions.t +@@ -118,6 +118,8 @@ plan(skip_all => 'no TLSv1.3 sessions in LibreSSL') + if 
$t->has_module('LibreSSL') && test_tls13(); + plan(skip_all => 'no TLS 1.3 session cache in BoringSSL') + if $t->has_module('BoringSSL') && test_tls13(); ++plan(skip_all => 'no TLS 1.3 session cache in AWS-LC') ++ if $t->has_module('AWS-LC') && test_tls13(); + + $t->plan(6); + +diff --git a/stream_ssl_session_reuse.t b/stream_ssl_session_reuse.t +index 53f24d2..39b7d62 100644 +--- a/stream_ssl_session_reuse.t ++++ b/stream_ssl_session_reuse.t +@@ -151,6 +151,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused'); + TODO: { + local $TODO = 'no TLSv1.3 session cache in BoringSSL' + if $t->has_module('BoringSSL') && test_tls13(); ++local $TODO = 'no TLSv1.3 session cache in AWS-LC' ++ if $t->has_module('AWS-LC') && test_tls13(); + + is(test_reuse(8445), 1, 'cache shared reused'); + is(test_reuse(8446), 1, 'cache builtin reused'); \ No newline at end of file diff --git a/util/aws-lc-nginx.patch b/util/aws-lc-nginx.patch new file mode 100644 index 0000000000..5fd510460d --- /dev/null +++ b/util/aws-lc-nginx.patch 
@@ -0,0 +1,272 @@ +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index c062f91..447f003 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -25,7 +25,7 @@ + #endif + #include + #if (NGX_QUIC) +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + #include + #include + #else +diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c +index b0cf056..c1ba43f 100644 +--- a/src/event/quic/ngx_event_quic.c ++++ b/src/event/quic/ngx_event_quic.c +@@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt) + return NGX_DECLINED; + } + +-#if !defined (OPENSSL_IS_BORINGSSL) ++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) + /* OpenSSL provides read keys for an application level before it's ready */ + + if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { +diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c +index 88e6954..cd67eac 100644 +--- a/src/event/quic/ngx_event_quic_protection.c ++++ b/src/event/quic/ngx_event_quic_protection.c +@@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, + + static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, + u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); +-#ifndef OPENSSL_IS_BORINGSSL ++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) + static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, + u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); + #endif +@@ -55,7 +55,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) + switch (id) { + + case TLS1_3_CK_AES_128_GCM_SHA256: +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + ciphers->c = EVP_aead_aes_128_gcm(); + #else + ciphers->c = EVP_aes_128_gcm(); +@@ -66,7 
+66,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) + break; + + case TLS1_3_CK_AES_256_GCM_SHA384: +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + ciphers->c = EVP_aead_aes_256_gcm(); + #else + ciphers->c = EVP_aes_256_gcm(); +@@ -77,12 +77,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) + break; + + case TLS1_3_CK_CHACHA20_POLY1305_SHA256: +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + ciphers->c = EVP_aead_chacha20_poly1305(); + #else + ciphers->c = EVP_chacha20_poly1305(); + #endif +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305(); + #else + ciphers->hp = EVP_chacha20(); +@@ -91,7 +91,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) + len = 32; + break; + +-#ifndef OPENSSL_IS_BORINGSSL ++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) + case TLS1_3_CK_AES_128_CCM_SHA256: + ciphers->c = EVP_aes_128_ccm(); + ciphers->hp = EVP_aes_128_ctr(); +@@ -259,7 +259,7 @@ static ngx_int_t + ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, + const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) + { +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + + if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) + == 0) +@@ -321,7 +321,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, + const u_char *secret, size_t secret_len, const u_char *salt, + size_t salt_len) + { +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + + if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, + salt_len) +@@ -384,7 +384,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, + ngx_quic_md_t *key, ngx_int_t 
enc, ngx_log_t *log) + { + +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + EVP_AEAD_CTX *ctx; + + ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len, +@@ -444,7 +444,7 @@ static ngx_int_t + ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, + ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) + { +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce, + s->iv.len, in->data, in->len, ad->data, ad->len) + != 1) +@@ -464,7 +464,7 @@ ngx_int_t + ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, + ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) + { +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce, + s->iv.len, in->data, in->len, ad->data, ad->len) + != 1) +@@ -480,7 +480,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, + } + + +-#ifndef OPENSSL_IS_BORINGSSL ++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) + + static ngx_int_t + ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, +@@ -559,7 +559,7 @@ void + ngx_quic_crypto_cleanup(ngx_quic_secret_t *s) + { + if (s->ctx) { +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + EVP_AEAD_CTX_free(s->ctx); + #else + EVP_CIPHER_CTX_free(s->ctx); +@@ -575,7 +575,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s, + { + EVP_CIPHER_CTX *ctx; + +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) { + /* no EVP interface */ + s->hp_ctx = NULL; +@@ -610,7 +610,7 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in, + + ctx = s->hp_ctx; + +-#ifdef OPENSSL_IS_BORINGSSL 
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + uint32_t cnt; + + if (ctx == NULL) { +diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h +index 34cfee6..20cd910 100644 +--- a/src/event/quic/ngx_event_quic_protection.h ++++ b/src/event/quic/ngx_event_quic_protection.h +@@ -24,7 +24,7 @@ + #define NGX_QUIC_MAX_MD_SIZE 48 + + +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + #define ngx_quic_cipher_t EVP_AEAD + #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX + #else +diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c +index 7872783..163e0c5 100644 +--- a/src/event/quic/ngx_event_quic_ssl.c ++++ b/src/event/quic/ngx_event_quic_ssl.c +@@ -11,6 +11,7 @@ + + + #if defined OPENSSL_IS_BORINGSSL \ ++ || defined OPENSSL_IS_AWSLC \ + || defined LIBRESSL_VERSION_NUMBER \ + || NGX_QUIC_OPENSSL_COMPAT + #define NGX_QUIC_BORINGSSL_API 1 +@@ -578,7 +579,7 @@ ngx_quic_init_connection(ngx_connection_t *c) + return NGX_ERROR; + } + +-#ifdef OPENSSL_IS_BORINGSSL ++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "quic SSL_set_quic_early_data_context() failed"); +diff -r 5e9239920061 -r dfffc67d286b src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 ++++ b/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 +@@ -5163,6 +5163,72 @@ + return NGX_OK; + } + ++#elif defined(OPENSSL_IS_AWSLC) ++ ++ uint16_t curve_id; ++ ++ curve_id = SSL_get_curve_id(c->ssl->connection); ++ ++ /* ++ * Hardcoded table with ANSI / SECG curve names (e.g. "prime256v1"), ++ * which is the same format that OpenSSL returns for $ssl_curve. 
++ * ++ * Without this table, we'd need to make 3 additional library calls ++ * to convert from curve_id to ANSI / SECG curve name: ++ * ++ * nist_name = SSL_get_curve_name(curve_id); ++ * nid = EC_curve_nist2nid(nist_name); ++ * ansi_name = OBJ_nid2sn(nid); ++ */ ++ ++ switch (curve_id) { ++ ++#ifdef SSL_CURVE_SECP224R1 ++ case SSL_CURVE_SECP224R1: ++ ngx_str_set(s, "secp224r1"); ++ return NGX_OK; ++#endif ++ ++#ifdef SSL_CURVE_SECP256R1 ++ case SSL_CURVE_SECP256R1: ++ ngx_str_set(s, "prime256v1"); ++ return NGX_OK; ++#endif ++ ++#ifdef SSL_CURVE_SECP384R1 ++ case SSL_CURVE_SECP384R1: ++ ngx_str_set(s, "secp384r1"); ++ return NGX_OK; ++#endif ++ ++#ifdef SSL_CURVE_SECP521R1 ++ case SSL_CURVE_SECP521R1: ++ ngx_str_set(s, "secp521r1"); ++ return NGX_OK; ++#endif ++ ++#ifdef SSL_CURVE_X25519 ++ case SSL_CURVE_X25519: ++ ngx_str_set(s, "x25519"); ++ return NGX_OK; ++#endif ++ ++ case 0: ++ break; ++ ++ default: ++ s->len = sizeof("0x0000") - 1; ++ ++ s->data = ngx_pnalloc(pool, s->len); ++ if (s->data == NULL) { ++ return NGX_ERROR; ++ } ++ ++ ngx_sprintf(s->data, "0x%04xd", curve_id); ++ ++ return NGX_OK; ++ } ++ + #endif + + ngx_str_null(s); diff --git a/util/build-aws-lc.sh b/util/build-aws-lc.sh new file mode 100644 index 0000000000..ad0541d8d9 --- /dev/null +++ b/util/build-aws-lc.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +# this script is for developers only. + +root=`pwd` + +tar -xzf aws-lc-1.34.2.tar.gz +mv aws-lc-1.34.2 aws-lc +cmake $root/aws-lc -GNinja -B$root/aws-lc-build -DCMAKE_INSTALL_PREFIX=/opt/ssl -DBUILD_TESTING=OFF -DDISABLE_GO=ON -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0 +ninja -C $root/aws-lc-build install diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh index a56a89119b..93a7c7ba31 100755 --- a/util/build-with-dd.sh +++ b/util/build-with-dd.sh 
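Review bot: util/build-aws-lc.sh is run under sudo from CI but has no `set -e`, so a failed `tar -xzf` or `mv` does not stop the script and `ninja -C $root/aws-lc-build install` proceeds against whatever is in $root/aws-lc; `mv aws-lc-1.34.2 aws-lc` also fails on any second run because the target directory already exists, and `root=` uses backtick substitution where `$(pwd)` is the current idiom. Adding a strict mode and making the unpack step idempotent keeps a partial failure from being installed into /opt/ssl as the TLS library under test; the cmake and ninja lines can stay as they are.
```shell
#!/usr/bin/env bash

# this script is for developers only.

set -euo pipefail

root=$(pwd)

# start from a clean tree so a re-run does not build on stale sources
rm -rf "$root/aws-lc" "$root/aws-lc-build"
tar -xzf aws-lc-1.34.2.tar.gz
mv aws-lc-1.34.2 aws-lc
# … unchanged: cmake and ninja invocations …
```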
@@ -28,7 +28,12 @@ if [ "$USE_PCRE2" = "Y" ]; then
 PCRE_LIB=$PCRE2_LIB
 fi
-time ngx-build $force $version \
+patch=""
+if [ -n "$AWSLC" ]; then
+ patch="-p util/aws-lc-nginx.patch"
+fi
+
+time ngx-build $force $version $patch \
 --with-threads \
 --with-pcre-jit \
 $disable_pcre2 \
diff --git a/util/build.sh b/util/build.sh
index fdf5c4d53d..d6b1e218d7 100755
--- a/util/build.sh
+++ b/util/build.sh
@@ -40,7 +40,12 @@ if [ "$USE_PCRE2" = "Y" ]; then
 PCRE_LIB=$PCRE2_LIB
 fi
-time ngx-build $force $version \
+patch=""
+if [ -n "$AWSLC" ]; then
+ patch="-p util/aws-lc-nginx.patch"
+fi
+
+time ngx-build $force $version $patch \
 --with-threads \
 --with-pcre-jit \
 $disable_pcre2 \
From 32b392da1c67b2b6ca87a4ae5f5bbe5519212563 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 14:22:29 +0800
Subject: [PATCH 03/17] fix: remove test patch
---
 .travis.yml | 2 +-
 util/build-aws-lc.sh | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 1ee525fa00..b2f4243805 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -142,7 +142,7 @@ script:
 - if [ "$USE_PCRE2" = "Y" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
- - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; cd test-nginx; patch -p1 < ../util/aws-lc-nginx-tests.patch; cd ..; fi
+ - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; fi
 - export NGX_BUILD_CC=$CC
 - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
 - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
diff --git a/util/build-aws-lc.sh b/util/build-aws-lc.sh
index ad0541d8d9..dfb7c9b167 100644
--- a/util/build-aws-lc.sh
+++ b/util/build-aws-lc.sh
@@ -1,6 +1,12 @@
 #!/usr/bin/env bash
 # this script is for developers only.
+# to build nginx with aws-lc, need two patches:
+# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/3J4C2B5L67YSKARKNVLLQHHR7QXXMMRI.html
+# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/R2AD2Q4XEVNAYEZY6WEVQBAKTM45OMTG.html
+# those patches are merged into one patch aws-lc-nginx.patch
+# to test nginx with aws-lc, need one patch:
+# https://github.com/aws/aws-lc/blob/main/tests/ci/integration/nginx_tests_patch/aws-lc-nginx-tests.patch
 root=`pwd`
From 3095503e5ee48d5dcd2c171c3376cc78c066fe7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 14:35:23 +0800
Subject: [PATCH 04/17] fix: patch
---
 util/build-with-dd.sh | 4 ++--
 util/build.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh
index 93a7c7ba31..54aadb05f3 100755
--- a/util/build-with-dd.sh
+++ b/util/build-with-dd.sh
@@ -30,10 +30,10 @@ fi
 patch=""
 if [ -n "$AWSLC" ]; then
- patch="-p util/aws-lc-nginx.patch"
+ patch="-p ../util/aws-lc-nginx.patch"
 fi
-time ngx-build $force $version $patch \
+time ngx-build $force $patch $version \
 --with-threads \
 --with-pcre-jit \
 $disable_pcre2 \
diff --git a/util/build.sh b/util/build.sh
index d6b1e218d7..b1f92fd440 100755
--- a/util/build.sh
+++ b/util/build.sh
@@ -42,10 +42,10 @@ fi
 patch=""
 if [ -n "$AWSLC" ]; then
- patch="-p util/aws-lc-nginx.patch"
+ patch="-p ../util/aws-lc-nginx.patch"
 fi
-time ngx-build $force $version $patch \
+time ngx-build $force $patch $version \
 --with-threads \
 --with-pcre-jit \
 $disable_pcre2 \
From 44fe44295781b38149697ec88cea27fc8656dc65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 14:41:55 +0800
Subject: [PATCH 05/17] fix: patch
---
 util/build-with-dd.sh | 2 +-
 util/build.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh
index 54aadb05f3..fb55950e86 100755
--- a/util/build-with-dd.sh
+++ b/util/build-with-dd.sh
@@ -30,7 +30,7 @@ fi
 patch=""
 if [ -n "$AWSLC" ]; then
- patch="-p ../util/aws-lc-nginx.patch"
+ patch="-p $root/util/aws-lc-nginx.patch"
 fi
 time ngx-build $force $patch $version \
diff --git a/util/build.sh b/util/build.sh
index b1f92fd440..7b255ac2be 100755
--- a/util/build.sh
+++ b/util/build.sh
@@ -42,7 +42,7 @@ fi
 patch=""
 if [ -n "$AWSLC" ]; then
- patch="-p ../util/aws-lc-nginx.patch"
+ patch="-p $root/util/aws-lc-nginx.patch"
 fi
 time ngx-build $force $patch $version \
From 870f0629283d7723f685fb65d8b240b363e70cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 14:48:23 +0800
Subject: [PATCH 06/17] feature: update ci to jammy
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index b2f4243805..846172e641 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-dist: focal
+dist: jammy
 branches:
 only:
From b42b0495840437fab0daf9b32a0d7023d9ba2b00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 6 Sep 2024 15:03:22 +0800
Subject: [PATCH 07/17] fix: patch
---
 util/aws-lc-nginx-tests.patch | 120 ------------------
 ...-nginx.patch => nginx-1.27.1-aws-lc.patch} | 36 +++---
 2 files changed, 18 insertions(+), 138 deletions(-)
 delete mode 100644 util/aws-lc-nginx-tests.patch
 rename util/{aws-lc-nginx.patch => nginx-1.27.1-aws-lc.patch} (85%)
diff --git a/util/aws-lc-nginx-tests.patch b/util/aws-lc-nginx-tests.patch
deleted file mode 100644
index 81660945bb..0000000000
--- a/util/aws-lc-nginx-tests.patch
+++ /dev/null
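Review bot: `patch="-p $root/util/aws-lc-nginx.patch"` in both util/build-with-dd.sh and util/build.sh relies on `root` being set earlier in each script, which is outside the hunk; if it is unset, the unquoted `$patch` expands to `-p /util/aws-lc-nginx.patch` and ngx-build is handed a path that does not exist, with the failure surfacing only from ngx-build rather than at the assignment. If the scripts do define `root` near the top a short comment pointing at it is enough; otherwise guard the assignment, e.g. `: "${root:?root must be set before building the AWS-LC patch path}"`. Because `$patch` is expanded unquoted on the `time ngx-build` line, a checkout path containing whitespace would also split the argument, which is worth a note even if it is not a concern on CI.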
@@ -1,120 +0,0 @@ -diff --git a/h3_ssl_early_data.t b/h3_ssl_early_data.t -index 064ffad..b06acd1 100644 ---- a/h3_ssl_early_data.t -+++ b/h3_ssl_early_data.t -@@ -89,6 +89,7 @@ $s = Test::Nginx::HTTP3->new(8980, psk_list => $psk_list, early_data => {}); - TODO: { - local $TODO = 'no 0-RTT in OpenSSL compat layer' - unless $t->has_module('OpenSSL [.0-9]+\+quic') -+ or $t->has_module('AWS-LC') - or $t->has_module('BoringSSL') - or $t->has_module('LibreSSL'); - -diff --git a/h3_ssl_session_reuse.t b/h3_ssl_session_reuse.t -index e9ef846..eaac4de 100644 ---- a/h3_ssl_session_reuse.t -+++ b/h3_ssl_session_reuse.t -@@ -139,6 +139,8 @@ is(test_reuse(8944), 1, 'tickets and cache reused'); - - local $TODO = 'no TLSv1.3 session cache in BoringSSL' - if $t->has_module('BoringSSL'); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC'); - - is(test_reuse(8945), 1, 'cache shared reused'); - is(test_reuse(8946), 1, 'cache builtin reused'); -diff --git a/mail_ssl_session_reuse.t b/mail_ssl_session_reuse.t -index 96330cc..30ed758 100644 ---- a/mail_ssl_session_reuse.t -+++ b/mail_ssl_session_reuse.t -@@ -147,6 +147,8 @@ is(test_reuse(8994), 1, 'tickets and cache reused'); - TODO: { - local $TODO = 'no TLSv1.3 session cache in BoringSSL' - if $t->has_module('BoringSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - is(test_reuse(8995), 1, 'cache shared reused'); - is(test_reuse(8996), 1, 'cache builtin reused'); -diff --git a/ssl.t b/ssl.t -index 6055e08..bbbe4dd 100644 ---- a/ssl.t -+++ b/ssl.t -@@ -218,6 +218,8 @@ local $TODO = 'no TLSv1.3 sessions in LibreSSL' - if $t->has_module('LibreSSL') && test_tls13(); - local $TODO = 'no TLSv1.3 sessions ids in BoringSSL' - if $t->has_module('BoringSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 sessions ids in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - like(get('/id', 8085, $ctx), qr/^body \w{64}$/m, 'session id 
reused'); - -@@ -229,6 +231,7 @@ like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); - - SKIP: { - skip 'BoringSSL', 1 if $t->has_module('BoringSSL'); -+skip 'AWS-LC', 1 if $t->has_module('AWS-LC'); - - like(get('/ciphers', 8085), qr/^body [:\w-]+$/m, 'ciphers'); - -diff --git a/ssl_ocsp.t b/ssl_ocsp.t -index 8f6b26d..ee9a82d 100644 ---- a/ssl_ocsp.t -+++ b/ssl_ocsp.t -@@ -363,6 +363,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' - if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); - local $TODO = 'no TLSv1.3 sessions in LibreSSL' - if $t->has_module('LibreSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - like(get('ec-end', ses => $s), - qr/200 OK.*SUCCESS:r/s, 'session reused'); -@@ -395,6 +397,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' - if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); - local $TODO = 'no TLSv1.3 sessions in LibreSSL' - if $t->has_module('LibreSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - like(get('ec-end', ses => $s), - qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); -diff --git a/ssl_session_reuse.t b/ssl_session_reuse.t -index 163de3d..d22282b 100644 ---- a/ssl_session_reuse.t -+++ b/ssl_session_reuse.t -@@ -174,6 +174,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused'); - TODO: { - local $TODO = 'no TLSv1.3 session cache in BoringSSL' - if $t->has_module('BoringSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - is(test_reuse(8445), 1, 'cache shared reused'); - is(test_reuse(8446), 1, 'cache builtin reused'); -diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t -index 7ff5fa0..958bfaa 100644 ---- a/ssl_sni_sessions.t -+++ b/ssl_sni_sessions.t -@@ -118,6 +118,8 @@ plan(skip_all => 'no TLSv1.3 sessions in LibreSSL') - if 
$t->has_module('LibreSSL') && test_tls13(); - plan(skip_all => 'no TLS 1.3 session cache in BoringSSL') - if $t->has_module('BoringSSL') && test_tls13(); -+plan(skip_all => 'no TLS 1.3 session cache in AWS-LC') -+ if $t->has_module('AWS-LC') && test_tls13(); - - $t->plan(6); - -diff --git a/stream_ssl_session_reuse.t b/stream_ssl_session_reuse.t -index 53f24d2..39b7d62 100644 ---- a/stream_ssl_session_reuse.t -+++ b/stream_ssl_session_reuse.t -@@ -151,6 +151,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused'); - TODO: { - local $TODO = 'no TLSv1.3 session cache in BoringSSL' - if $t->has_module('BoringSSL') && test_tls13(); -+local $TODO = 'no TLSv1.3 session cache in AWS-LC' -+ if $t->has_module('AWS-LC') && test_tls13(); - - is(test_reuse(8445), 1, 'cache shared reused'); - is(test_reuse(8446), 1, 'cache builtin reused'); \ No newline at end of file diff --git a/util/aws-lc-nginx.patch b/util/nginx-1.27.1-aws-lc.patch similarity index 85% rename from util/aws-lc-nginx.patch rename to util/nginx-1.27.1-aws-lc.patch index 5fd510460d..235786208f 100644 --- a/util/aws-lc-nginx.patch +++ b/util/nginx-1.27.1-aws-lc.patch @@ -1,7 +1,7 @@ -diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +diff --git a/nginx-1.27.1/src/event/ngx_event_openssl.h b/nginx-1.27.1/src/event/ngx_event_openssl.h index c062f91..447f003 100644 ---- a/src/event/ngx_event_openssl.h -+++ b/src/event/ngx_event_openssl.h +--- a/nginx-1.27.1/src/event/ngx_event_openssl.h ++++ b/nginx-1.27.1/src/event/ngx_event_openssl.h @@ -25,7 +25,7 @@ #endif #include 
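Review bot: This rename moves util/aws-lc-nginx.patch to util/nginx-1.27.1-aws-lc.patch, but the diffstat of PATCH 07 touches only the two patch files, so util/build.sh and util/build-with-dd.sh, left at `patch="-p $root/util/aws-lc-nginx.patch"` by PATCH 05, now reference a file that no longer exists unless a later patch in the series updates them. Prefixing every path inside the patch with `nginx-1.27.1/` also ties it to one nginx release while .travis.yml selects the release through NGINX_VERSION, and the strip level ngx-build applies must now match the extra directory component. Using the version the scripts already carry, e.g. `patch="-p $root/util/nginx-$version-aws-lc.patch"` in both build scripts, would keep the file name and the build in step, with the enclosing scripts outside this hunk.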
@@ -11,10 +11,10 @@ index c062f91..447f003 100644 #include #include #else -diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c +diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic.c b/nginx-1.27.1/src/event/quic/ngx_event_quic.c index b0cf056..c1ba43f 100644 ---- a/src/event/quic/ngx_event_quic.c -+++ b/src/event/quic/ngx_event_quic.c +--- a/nginx-1.27.1/src/event/quic/ngx_event_quic.c ++++ b/nginx-1.27.1/src/event/quic/ngx_event_quic.c @@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt) return NGX_DECLINED; } @@ -24,10 +24,10 @@ index b0cf056..c1ba43f 100644 /* OpenSSL provides read keys for an application level before it's ready */ if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { -diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c +diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c index 88e6954..cd67eac 100644 ---- a/src/event/quic/ngx_event_quic_protection.c -+++ b/src/event/quic/ngx_event_quic_protection.c +--- a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c ++++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c @@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, 
@@ -160,10 +160,10 @@ index 88e6954..cd67eac 100644 uint32_t cnt; if (ctx == NULL) { -diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h +diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h index 34cfee6..20cd910 100644 ---- a/src/event/quic/ngx_event_quic_protection.h -+++ b/src/event/quic/ngx_event_quic_protection.h +--- a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h ++++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h @@ -24,7 +24,7 @@ #define NGX_QUIC_MAX_MD_SIZE 48 @@ -173,10 +173,10 @@ index 34cfee6..20cd910 100644 #define ngx_quic_cipher_t EVP_AEAD #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX #else -diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c +diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c b/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c index 7872783..163e0c5 100644 ---- a/src/event/quic/ngx_event_quic_ssl.c -+++ b/src/event/quic/ngx_event_quic_ssl.c +--- a/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c ++++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c @@ -11,6 +11,7 @@ @@ -194,9 +194,9 @@ index 7872783..163e0c5 100644 if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic SSL_set_quic_early_data_context() failed"); -diff -r 5e9239920061 -r dfffc67d286b src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 -+++ b/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 +diff --git a/nginx-1.27.1/src/event/ngx_event_openssl.h b/nginx-1.27.1/src/event/ngx_event_openssl.h +--- a/nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 ++++ b/nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 @@ -5163,6 +5163,72 @@ return NGX_OK; } From a01e9f78005a0745b572a289167d156c690f5a87 Mon Sep 17 00:00:00 2001 
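Review bot: The rewritten last file header in the `@@ -194,9 +194,9 @@` hunk names `ngx_event_openssl.h` while the `---`/`+++` lines directly under it name `ngx_event_openssl.c`; the removed `diff -r` line correctly said `.c`, so the mismatch is introduced here. GNU patch locates the target by the `---`/`+++` paths, so the curve-name block still lands in the `.c` file, but anyone reading the patch (or a tool that trusts the `diff --git` line) is told the wrong file. The same wrong header survives the `diff -upr` rewrite in PATCH 09's `@@ -194,9 +194,9 @@` hunk. The line should read `diff --git a/nginx-1.27.1/src/event/ngx_event_openssl.c b/nginx-1.27.1/src/event/ngx_event_openssl.c`.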
From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 15:03:43 +0800 Subject: [PATCH 08/17] fix: patch --- util/build-with-dd.sh | 2 +- util/build.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh index fb55950e86..74eeda2a45 100755 --- a/util/build-with-dd.sh +++ b/util/build-with-dd.sh @@ -30,7 +30,7 @@ fi patch="" if [ -n "$AWSLC" ]; then - patch="-p $root/util/aws-lc-nginx.patch" + patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch" fi time ngx-build $force $patch $version \ diff --git a/util/build.sh b/util/build.sh index 7b255ac2be..0d2bfbb67f 100755 --- a/util/build.sh +++ b/util/build.sh @@ -42,7 +42,7 @@ fi patch="" if [ -n "$AWSLC" ]; then - patch="-p $root/util/aws-lc-nginx.patch" + patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch" fi time ngx-build $force $patch $version \ From e7c8e2a4a3721d56b1b5d92e74b02230429dff4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 15:15:47 +0800 Subject: [PATCH 09/17] fix: patch --- util/nginx-1.27.1-aws-lc.patch | 36 +++++++++++++++++----------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/util/nginx-1.27.1-aws-lc.patch b/util/nginx-1.27.1-aws-lc.patch index 235786208f..6f6ef31ee1 100644 --- a/util/nginx-1.27.1-aws-lc.patch +++ b/util/nginx-1.27.1-aws-lc.patch @@ -1,7 +1,7 @@ -diff --git a/nginx-1.27.1/src/event/ngx_event_openssl.h b/nginx-1.27.1/src/event/ngx_event_openssl.h +diff -upr nginx-1.27.1/src/event/ngx_event_openssl.h nginx-1.27.1-patched/src/event/ngx_event_openssl.h index c062f91..447f003 100644 ---- a/nginx-1.27.1/src/event/ngx_event_openssl.h -+++ b/nginx-1.27.1/src/event/ngx_event_openssl.h +--- nginx-1.27.1/src/event/ngx_event_openssl.h ++++ nginx-1.27.1-patched/src/event/ngx_event_openssl.h @@ -25,7 +25,7 @@ #endif #include 
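Review bot: The new path `patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch"` in both the build-with-dd.sh and build.sh hunks relies on `NGINX_VERSION` being set, which neither hunk establishes; if it is empty the script hands `nginx--aws-lc.patch` to ngx-build and the failure surfaces there rather than at the point of the mistake. A guard just before the assignment, `: "${NGINX_VERSION:?NGINX_VERSION must be set when AWSLC is enabled}"`, keeps the error local and explicit. The `$version` argument passed on the `time ngx-build` line suggests the version may already be known to the script, in which case deriving the patch name from it would avoid the second variable; the surrounding script is outside these hunks, so that is a guess.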
@@ -11,10 +11,10 @@ index c062f91..447f003 100644 #include #include #else -diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic.c b/nginx-1.27.1/src/event/quic/ngx_event_quic.c +diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c index b0cf056..c1ba43f 100644 ---- a/nginx-1.27.1/src/event/quic/ngx_event_quic.c -+++ b/nginx-1.27.1/src/event/quic/ngx_event_quic.c +--- nginx-1.27.1/src/event/quic/ngx_event_quic.c ++++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c @@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt) return NGX_DECLINED; } @@ -24,10 +24,10 @@ index b0cf056..c1ba43f 100644 /* OpenSSL provides read keys for an application level before it's ready */ if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { -diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c +diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c index 88e6954..cd67eac 100644 ---- a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c -+++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c +--- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c ++++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c @@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, 
@@ -160,10 +160,10 @@ index 88e6954..cd67eac 100644 uint32_t cnt; if (ctx == NULL) { -diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h +diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h index 34cfee6..20cd910 100644 ---- a/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h -+++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h +--- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h ++++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h @@ -24,7 +24,7 @@ #define NGX_QUIC_MAX_MD_SIZE 48 @@ -173,10 +173,10 @@ index 34cfee6..20cd910 100644 #define ngx_quic_cipher_t EVP_AEAD #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX #else -diff --git a/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c b/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c +diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c index 7872783..163e0c5 100644 ---- a/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c -+++ b/nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c +--- nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c ++++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c @@ -11,6 +11,7 @@ 
@@ -194,9 +194,9 @@ index 7872783..163e0c5 100644 if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic SSL_set_quic_early_data_context() failed"); -diff --git a/nginx-1.27.1/src/event/ngx_event_openssl.h b/nginx-1.27.1/src/event/ngx_event_openssl.h ---- a/nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 -+++ b/nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 +diff -upr nginx-1.27.1/src/event/ngx_event_openssl.h nginx-1.27.1-patched/src/event/ngx_event_openssl.h +--- nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 ++++ nginx-1.27.1-patched/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 @@ -5163,6 +5163,72 @@ return NGX_OK; } From 6a6e085204e2badf5f48ccefd43826f7bcdfc0c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 15:18:18 +0800 Subject: [PATCH 10/17] fix: patch --- util/nginx-1.27.1-aws-lc.patch | 5 ----- 1 file changed, 5 deletions(-) diff --git a/util/nginx-1.27.1-aws-lc.patch b/util/nginx-1.27.1-aws-lc.patch index 6f6ef31ee1..1275e6dbf8 100644 --- a/util/nginx-1.27.1-aws-lc.patch +++ b/util/nginx-1.27.1-aws-lc.patch @@ -1,5 +1,4 @@ diff -upr nginx-1.27.1/src/event/ngx_event_openssl.h nginx-1.27.1-patched/src/event/ngx_event_openssl.h -index c062f91..447f003 100644 --- nginx-1.27.1/src/event/ngx_event_openssl.h +++ nginx-1.27.1-patched/src/event/ngx_event_openssl.h @@ -25,7 +25,7 @@ @@ -12,7 +11,6 @@ index c062f91..447f003 100644 #include #else diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c -index b0cf056..c1ba43f 100644 --- nginx-1.27.1/src/event/quic/ngx_event_quic.c +++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c @@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt) 
@@ -25,7 +23,6 @@ index b0cf056..c1ba43f 100644 if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c -index 88e6954..cd67eac 100644 --- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c +++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c @@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, @@ -161,7 +158,6 @@ index 88e6954..cd67eac 100644 if (ctx == NULL) { diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h -index 34cfee6..20cd910 100644 --- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h +++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h @@ -24,7 +24,7 @@ @@ -174,7 +170,6 @@ index 34cfee6..20cd910 100644 #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX #else diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c -index 7872783..163e0c5 100644 --- nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c +++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c @@ -11,6 +11,7 @@ From 696d948958107ba4d3aeb02f21d61d4c02a22739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 15:40:14 +0800 Subject: [PATCH 11/17] chore: test stream-lua-nginx-module --- .travis.yml | 2 +- util/build-aws-lc.sh | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 846172e641..e97d236e0f 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -112,7 +112,7 @@ install: - git clone https://github.com/openresty/lua-resty-mysql.git ../lua-resty-mysql - git clone https://github.com/spacewander/lua-resty-rsa.git ../lua-resty-rsa - git clone https://github.com/openresty/lua-resty-string.git ../lua-resty-string - - git clone https://github.com/openresty/stream-lua-nginx-module.git ../stream-lua-nginx-module + - git clone https://github.com/devhaozi/stream-lua-nginx-module.git ../stream-lua-nginx-module - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git luajit2 before_script: diff --git a/util/build-aws-lc.sh b/util/build-aws-lc.sh index dfb7c9b167..f77418bd8d 100644 --- a/util/build-aws-lc.sh +++ b/util/build-aws-lc.sh @@ -4,9 +4,7 @@ # to build nginx with aws-lc, need two patches: # https://mailman.nginx.org/pipermail/nginx-devel/2024-February/3J4C2B5L67YSKARKNVLLQHHR7QXXMMRI.html # https://mailman.nginx.org/pipermail/nginx-devel/2024-February/R2AD2Q4XEVNAYEZY6WEVQBAKTM45OMTG.html -# those patches are merged into one patch aws-lc-nginx.patch -# to test nginx with aws-lc, need one patch: -# https://github.com/aws/aws-lc/blob/main/tests/ci/integration/nginx_tests_patch/aws-lc-nginx-tests.patch +# those patches are merged into nginx-*-aws-lc.patch root=`pwd` From a8e5bfc74107d7e47c4767eff3aa19749949c28b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 16:26:02 +0800 Subject: [PATCH 12/17] fix: skip some tests --- t/140-ssl-c-api.t | 12 ++++++++++++ t/166-ssl-client-hello.t | 2 ++ t/187-ssl-two-verification.t | 2 ++ 3 files changed, 16 insertions(+) diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t index 4c81b4f05a..d04ef44ab5 100644 --- a/t/140-ssl-c-api.t +++ b/t/140-ssl-c-api.t 
@@ -17,6 +17,12 @@ if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) { $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); +my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; +my $openssl_version = eval { `$NginxBinary -V 2>&1` }; +if ($openssl_version =~ m/AWS-LC/) { + $ENV{TEST_NGINX_USE_AWSLC} = 1; +} + #log_level 'warn'; log_level 'debug'; @@ -93,6 +99,7 @@ run_tests(); __DATA__ === TEST 1: simple cert + private key +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -247,6 +254,7 @@ lua ssl server name: "test.com" === TEST 2: ECDSA cert + private key +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -530,6 +538,7 @@ failed to parse PEM priv key: PEM_read_bio_PrivateKey() failed === TEST 4: simple cert + private key cdata +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -680,6 +689,7 @@ lua ssl server name: "test.com" === TEST 5: ECDSA cert + private key cdata +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -1040,6 +1050,7 @@ client certificate subject: nil === TEST 9: simple cert + private key with passphrase +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -1336,6 +1347,7 @@ SNI is test.com === TEST 11: DER cert + private key cdata +--- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; diff --git a/t/166-ssl-client-hello.t b/t/166-ssl-client-hello.t index a356b6eeaa..dd53c3cce0 100644 --- a/t/166-ssl-client-hello.t +++ b/t/166-ssl-client-hello.t 
@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); } elsif ($openssl_version =~ m/running with BoringSSL/) { plan(skip_all => "does not support BoringSSL"); +} elsif ($openssl_version =~ m/AWS-LC/) { + plan(skip_all => "does not support AWS-LC"); } else { plan tests => repeat_each() * (blocks() * 6 + 8); } diff --git a/t/187-ssl-two-verification.t b/t/187-ssl-two-verification.t index 312847252c..3b70d0a685 100644 --- a/t/187-ssl-two-verification.t +++ b/t/187-ssl-two-verification.t @@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); } elsif ($openssl_version =~ m/running with BoringSSL/) { plan(skip_all => "does not support BoringSSL"); +} elsif ($openssl_version =~ m/AWS-LC/) { + plan(skip_all => "does not support AWS-LC"); } else { plan tests => repeat_each() * (blocks() * 7); } From 8a41b5cc40495fd7b37c8a52057f3dcd6f09a4df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 16:57:23 +0800 Subject: [PATCH 13/17] fix: skip 140 test --- t/140-ssl-c-api.t | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t index d04ef44ab5..2ec94b8ebf 100644 --- a/t/140-ssl-c-api.t +++ b/t/140-ssl-c-api.t 
@@ -11,18 +11,14 @@ my $openssl_version = eval { `$NginxBinary -V 2>&1` }; if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) { plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1"); +} elsif ($openssl_version =~ m/AWS-LC/) { + plan(skip_all => "does not support AWS-LC"); } else { plan tests => repeat_each() * (blocks() * 5 - 1); } $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); -my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; -my $openssl_version = eval { `$NginxBinary -V 2>&1` }; -if ($openssl_version =~ m/AWS-LC/) { - $ENV{TEST_NGINX_USE_AWSLC} = 1; -} - #log_level 'warn'; log_level 'debug'; @@ -99,7 +95,6 @@ run_tests(); __DATA__ === TEST 1: simple cert + private key ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -254,7 +249,6 @@ lua ssl server name: "test.com" === TEST 2: ECDSA cert + private key ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -538,7 +532,6 @@ failed to parse PEM priv key: PEM_read_bio_PrivateKey() failed === TEST 4: simple cert + private key cdata ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -689,7 +682,6 @@ lua ssl server name: "test.com" === TEST 5: ECDSA cert + private key cdata ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -1050,7 +1042,6 @@ client certificate subject: nil === TEST 9: simple cert + private key with passphrase ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; @@ -1347,7 +1338,6 @@ SNI is test.com === TEST 11: DER cert + private key cdata ---- skip_eval: 8:$ENV{TEST_NGINX_USE_AWSLC} --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; From 09ed48f3b89a1ee48ecfb36197c6b3c13c88bcdc Mon Sep 17 00:00:00 2001 
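Review bot: The new `plan(skip_all => "does not support AWS-LC")` branch disables every test in t/140-ssl-c-api.t under AWS-LC, whereas the `skip_eval` lines removed further down in the same section only covered tests 1, 2, 4, 5, 9 and 11; the tests that were not marked now lose their AWS-LC coverage too. If only those six fail, a per-test skip preserves more coverage; if the whole file genuinely cannot run, the skip message should record why so the exclusion can be revisited, e.g. `plan(skip_all => "does not support AWS-LC: <reason or tracking reference>")`. Either way the plan-level skip now fires before `$ENV{TEST_NGINX_HTML_DIR}` is set, which is harmless but worth a one-line comment so the ordering is not "fixed" later.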
From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 17:57:19 +0800 Subject: [PATCH 14/17] chore: finish test --- .travis.yml | 4 ++-- t/140-ssl-c-api.t | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index e97d236e0f..b2f4243805 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,4 @@ -dist: jammy +dist: focal branches: only: @@ -112,7 +112,7 @@ install: - git clone https://github.com/openresty/lua-resty-mysql.git ../lua-resty-mysql - git clone https://github.com/spacewander/lua-resty-rsa.git ../lua-resty-rsa - git clone https://github.com/openresty/lua-resty-string.git ../lua-resty-string - - git clone https://github.com/devhaozi/stream-lua-nginx-module.git ../stream-lua-nginx-module + - git clone https://github.com/openresty/stream-lua-nginx-module.git ../stream-lua-nginx-module - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git luajit2 before_script: diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t index 2ec94b8ebf..8263e87158 100644 --- a/t/140-ssl-c-api.t +++ b/t/140-ssl-c-api.t @@ -307,7 +307,7 @@ lua ssl server name: "test.com" local pkey_der = ffi.string(out, rc) - local rc = ffi.C.ngx_http_lua_ffi_ssl_set_der_private_key(r, pkey_der, #pkey_der, errmsg) + local rc = ffi.C. 3(r, pkey_der, #pkey_der, errmsg) if rc ~= 0 then ngx.log(ngx.ERR, "failed to set DER priv key: ", ffi.string(errmsg[0])) From 0f479789a62c349e23541f2baff560a6566af326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Fri, 6 Sep 2024 17:58:43 +0800 Subject: [PATCH 15/17] fix: error --- t/140-ssl-c-api.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t index 8263e87158..2ec94b8ebf 100644 --- a/t/140-ssl-c-api.t +++ b/t/140-ssl-c-api.t 
@@ -307,7 +307,7 @@ lua ssl server name: "test.com" local pkey_der = ffi.string(out, rc) - local rc = ffi.C. 3(r, pkey_der, #pkey_der, errmsg) + local rc = ffi.C.ngx_http_lua_ffi_ssl_set_der_private_key(r, pkey_der, #pkey_der, errmsg) if rc ~= 0 then ngx.log(ngx.ERR, "failed to set DER priv key: ", ffi.string(errmsg[0])) From 2a4a6b864f5f150d5c7213e34c173de630b20766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Wed, 9 Oct 2024 15:40:12 +0800 Subject: [PATCH 16/17] feat: optimize --- .travis.yml | 2 +- util/build-with-dd.sh | 7 +- util/build.sh | 7 +- util/nginx-1.27.1-aws-lc.patch | 267 --------------------------------- 4 files changed, 3 insertions(+), 280 deletions(-) delete mode 100644 util/nginx-1.27.1-aws-lc.patch diff --git a/.travis.yml b/.travis.yml index 8a321aad45..71250e6c8b 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -142,7 +142,7 @@ script: #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi - - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; fi + - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export CFLAGS="-DOPENSSL_IS_BORINGSSL"; fi - if [ -n "$OPENSSL_VER" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf openssl-$OPENSSL_VER-x64-focal.tar.gz --strip-components=2; fi - if [ -n "$PCRE_VER" ]; then sudo mkdir -p $PCRE_PREFIX && sudo tar -C $PCRE_PREFIX -xf pcre-$PCRE_VER-x64-focal.tar.gz --strip-components=2; fi - if [ -n "$PCRE2_VER" ]; then sudo mkdir -p $PCRE2_PREFIX && sudo tar -C $PCRE2_PREFIX -xf pcre2-$PCRE2_VER-x64-focal.tar.gz --strip-components=2; fi diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh index 74eeda2a45..a56a89119b 100755 --- a/util/build-with-dd.sh +++ b/util/build-with-dd.sh 
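Review bot: `export CFLAGS="-DOPENSSL_IS_BORINGSSL"` makes every translation unit claim to be built against BoringSSL while it is actually linked against AWS-LC, which has two consequences this commit does not address. All `OPENSSL_IS_AWSLC` branches added in PATCH 01 become dead in CI, so the code written for AWS-LC is never compiled there, and guards that test only `OPENSSL_IS_BORINGSSL`, such as the one in ngx_http_lua_ffi_ssl_export_keying_material() that PATCH 01 deliberately narrowed to BoringSSL, now take the "not supported" path under AWS-LC, silently removing that API from AWS-LC builds. The assignment also replaces any CFLAGS already in the environment rather than appending to them. PATCH 17's `@@ -142,7 +142,7 @@` hunk renames the variable to `ENABLE_AWS_LC` but keeps the same define, so the point applies there as well; if the nginx side needs the BoringSSL paths, the deleted nginx-1.27.1-aws-lc.patch expressed that per-site with `defined(OPENSSL_IS_AWSLC)` and is the more honest mechanism.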
@@ -28,12 +28,7 @@ if [ "$USE_PCRE2" = "Y" ]; then PCRE_LIB=$PCRE2_LIB fi -patch="" -if [ -n "$AWSLC" ]; then - patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch" -fi - -time ngx-build $force $patch $version \ +time ngx-build $force $version \ --with-threads \ --with-pcre-jit \ $disable_pcre2 \ diff --git a/util/build.sh b/util/build.sh index 0d2bfbb67f..fdf5c4d53d 100755 --- a/util/build.sh +++ b/util/build.sh @@ -40,12 +40,7 @@ if [ "$USE_PCRE2" = "Y" ]; then PCRE_LIB=$PCRE2_LIB fi -patch="" -if [ -n "$AWSLC" ]; then - patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch" -fi - -time ngx-build $force $patch $version \ +time ngx-build $force $version \ --with-threads \ --with-pcre-jit \ $disable_pcre2 \ diff --git a/util/nginx-1.27.1-aws-lc.patch b/util/nginx-1.27.1-aws-lc.patch deleted file mode 100644 index 1275e6dbf8..0000000000 --- a/util/nginx-1.27.1-aws-lc.patch +++ /dev/null 
@@ -1,267 +0,0 @@ -diff -upr nginx-1.27.1/src/event/ngx_event_openssl.h nginx-1.27.1-patched/src/event/ngx_event_openssl.h ---- nginx-1.27.1/src/event/ngx_event_openssl.h -+++ nginx-1.27.1-patched/src/event/ngx_event_openssl.h -@@ -25,7 +25,7 @@ - #endif - #include - #if (NGX_QUIC) --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - #include - #include - #else -diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c ---- nginx-1.27.1/src/event/quic/ngx_event_quic.c -+++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic.c -@@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt) - return NGX_DECLINED; - } - --#if !defined (OPENSSL_IS_BORINGSSL) -+#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) - /* OpenSSL provides read keys for an application level before it's ready */ - - if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) { -diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c ---- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.c -+++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.c -@@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask, - - static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, - u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); --#ifndef OPENSSL_IS_BORINGSSL -+#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) - static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, - u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log); - #endif -@@ -55,7 +55,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) - switch (id) { - - case TLS1_3_CK_AES_128_GCM_SHA256: --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - 
ciphers->c = EVP_aead_aes_128_gcm(); - #else - ciphers->c = EVP_aes_128_gcm(); -@@ -66,7 +66,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) - break; - - case TLS1_3_CK_AES_256_GCM_SHA384: --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - ciphers->c = EVP_aead_aes_256_gcm(); - #else - ciphers->c = EVP_aes_256_gcm(); -@@ -77,12 +77,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) - break; - - case TLS1_3_CK_CHACHA20_POLY1305_SHA256: --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - ciphers->c = EVP_aead_chacha20_poly1305(); - #else - ciphers->c = EVP_chacha20_poly1305(); - #endif --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305(); - #else - ciphers->hp = EVP_chacha20(); -@@ -91,7 +91,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers) - len = 32; - break; - --#ifndef OPENSSL_IS_BORINGSSL -+#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) - case TLS1_3_CK_AES_128_CCM_SHA256: - ciphers->c = EVP_aes_128_ccm(); - ciphers->hp = EVP_aes_128_ctr(); -@@ -259,7 +259,7 @@ static ngx_int_t - ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest, - const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len) - { --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - - if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len) - == 0) -@@ -321,7 +321,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest, - const u_char *secret, size_t secret_len, const u_char *salt, - size_t salt_len) - { --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - - if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt, - salt_len) -@@ -384,7 +384,7 @@ 
ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s, - ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log) - { - --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - EVP_AEAD_CTX *ctx; - - ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len, -@@ -444,7 +444,7 @@ static ngx_int_t - ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, - ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) - { --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce, - s->iv.len, in->data, in->len, ad->data, ad->len) - != 1) -@@ -464,7 +464,7 @@ ngx_int_t - ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, - ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log) - { --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce, - s->iv.len, in->data, in->len, ad->data, ad->len) - != 1) -@@ -480,7 +480,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, - } - - --#ifndef OPENSSL_IS_BORINGSSL -+#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC) - - static ngx_int_t - ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce, -@@ -559,7 +559,7 @@ void - ngx_quic_crypto_cleanup(ngx_quic_secret_t *s) - { - if (s->ctx) { --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - EVP_AEAD_CTX_free(s->ctx); - #else - EVP_CIPHER_CTX_free(s->ctx); -@@ -575,7 +575,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s, - { - EVP_CIPHER_CTX *ctx; - --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) { - /* no EVP interface */ - s->hp_ctx = NULL; -@@ -610,7 +610,7 @@ 
ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in, - - ctx = s->hp_ctx; - --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - uint32_t cnt; - - if (ctx == NULL) { -diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h ---- nginx-1.27.1/src/event/quic/ngx_event_quic_protection.h -+++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_protection.h -@@ -24,7 +24,7 @@ - #define NGX_QUIC_MAX_MD_SIZE 48 - - --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - #define ngx_quic_cipher_t EVP_AEAD - #define ngx_quic_crypto_ctx_t EVP_AEAD_CTX - #else -diff -upr nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c ---- nginx-1.27.1/src/event/quic/ngx_event_quic_ssl.c -+++ nginx-1.27.1-patched/src/event/quic/ngx_event_quic_ssl.c -@@ -11,6 +11,7 @@ - - - #if defined OPENSSL_IS_BORINGSSL \ -+ || defined OPENSSL_IS_AWSLC \ - || defined LIBRESSL_VERSION_NUMBER \ - || NGX_QUIC_OPENSSL_COMPAT - #define NGX_QUIC_BORINGSSL_API 1 -@@ -578,7 +579,7 @@ ngx_quic_init_connection(ngx_connection_t *c) - return NGX_ERROR; - } - --#ifdef OPENSSL_IS_BORINGSSL -+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) { - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "quic SSL_set_quic_early_data_context() failed"); -diff -upr nginx-1.27.1/src/event/ngx_event_openssl.h nginx-1.27.1-patched/src/event/ngx_event_openssl.h ---- nginx-1.27.1/src/event/ngx_event_openssl.c Mon Feb 26 20:00:30 2024 +0000 -+++ nginx-1.27.1-patched/src/event/ngx_event_openssl.c Mon Feb 26 20:00:32 2024 +0000 -@@ -5163,6 +5163,72 @@ - return NGX_OK; - } - -+#elif defined(OPENSSL_IS_AWSLC) -+ -+ uint16_t curve_id; -+ -+ curve_id = SSL_get_curve_id(c->ssl->connection); -+ -+ /* -+ * Hardcoded table with ANSI / SECG curve names (e.g. 
"prime256v1"), -+ * which is the same format that OpenSSL returns for $ssl_curve. -+ * -+ * Without this table, we'd need to make 3 additional library calls -+ * to convert from curve_id to ANSI / SECG curve name: -+ * -+ * nist_name = SSL_get_curve_name(curve_id); -+ * nid = EC_curve_nist2nid(nist_name); -+ * ansi_name = OBJ_nid2sn(nid); -+ */ -+ -+ switch (curve_id) { -+ -+#ifdef SSL_CURVE_SECP224R1 -+ case SSL_CURVE_SECP224R1: -+ ngx_str_set(s, "secp224r1"); -+ return NGX_OK; -+#endif -+ -+#ifdef SSL_CURVE_SECP256R1 -+ case SSL_CURVE_SECP256R1: -+ ngx_str_set(s, "prime256v1"); -+ return NGX_OK; -+#endif -+ -+#ifdef SSL_CURVE_SECP384R1 -+ case SSL_CURVE_SECP384R1: -+ ngx_str_set(s, "secp384r1"); -+ return NGX_OK; -+#endif -+ -+#ifdef SSL_CURVE_SECP521R1 -+ case SSL_CURVE_SECP521R1: -+ ngx_str_set(s, "secp521r1"); -+ return NGX_OK; -+#endif -+ -+#ifdef SSL_CURVE_X25519 -+ case SSL_CURVE_X25519: -+ ngx_str_set(s, "x25519"); -+ return NGX_OK; -+#endif -+ -+ case 0: -+ break; -+ -+ default: -+ s->len = sizeof("0x0000") - 1; -+ -+ s->data = ngx_pnalloc(pool, s->len); -+ if (s->data == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ngx_sprintf(s->data, "0x%04xd", curve_id); -+ -+ return NGX_OK; -+ } -+ - #endif - - ngx_str_null(s); From a0e14c38bd2cc69c095adf67d7ae956486965e39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=97=E5=AD=90?= Date: Wed, 9 Oct 2024 15:50:14 +0800 Subject: [PATCH 17/17] feat: optimize --- .travis.yml | 4 ++-- util/build-aws-lc.sh | 4 ++-- util/build-with-dd.sh | 2 +- util/build.sh | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index 71250e6c8b..f68c3554d4 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -87,7 +87,7 @@ install:
 - if [ -n "$PCRE_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre-${PCRE_VER}-x64-focal.tar.gz; fi
 - if [ -n "$PCRE2_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre2-${PCRE2_VER}-x64-focal.tar.gz; fi
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
- - wget -O aws-lc-1.34.2.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
+ - wget -O aws-lc.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
 - git clone https://github.com/openresty/test-nginx.git
 - git clone https://github.com/openresty/openresty.git ../openresty
@@ -142,7 +142,7 @@ script:
 #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
- - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export CFLAGS="-DOPENSSL_IS_BORINGSSL"; fi
+ - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL "; fi
 - if [ -n "$OPENSSL_VER" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf openssl-$OPENSSL_VER-x64-focal.tar.gz --strip-components=2; fi
 - if [ -n "$PCRE_VER" ]; then sudo mkdir -p $PCRE_PREFIX && sudo tar -C $PCRE_PREFIX -xf pcre-$PCRE_VER-x64-focal.tar.gz --strip-components=2; fi
 - if [ -n "$PCRE2_VER" ]; then sudo mkdir -p $PCRE2_PREFIX && sudo tar -C $PCRE2_PREFIX -xf pcre2-$PCRE2_VER-x64-focal.tar.gz --strip-components=2; fi
diff --git a/util/build-aws-lc.sh b/util/build-aws-lc.sh
index f77418bd8d..1da1c3e1dc 100644
--- a/util/build-aws-lc.sh
+++ b/util/build-aws-lc.sh
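Review bot: The renamed variable still injects `-DOPENSSL_IS_BORINGSSL` into an AWS-LC build, so the compiled sources believe they are on BoringSSL; wherever a `#if defined(OPENSSL_IS_BORINGSSL)` test precedes a `defined(OPENSSL_IS_AWSLC)` one (the export-keying-material branches added earlier in this series appear to be such a case), the BoringSSL branch and its error text are selected and the AWS-LC-specific branches this series introduces are never exercised by CI. If the define is genuinely required for AWS-LC's headers, that reasoning belongs next to the line, e.g. `# AWS-LC: compiled with -DOPENSSL_IS_BORINGSSL, so ngx_lua takes the BoringSSL code paths; OPENSSL_IS_AWSLC-only branches are not covered by this job`; otherwise the job should drop the define so the AWS-LC paths are what gets tested. The trailing space inside the quoted value is not cosmetic — the consumers in util/build.sh and util/build-with-dd.sh glue it directly to the next flag — which is worth a comment here as well if that coupling is kept.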
@@ -8,7 +8,7 @@ root=`pwd`
-tar -xzf aws-lc-1.34.2.tar.gz
-mv aws-lc-1.34.2 aws-lc
+tar -xzf aws-lc.tar.gz
+mv aws-lc-* aws-lc
 cmake $root/aws-lc -GNinja -B$root/aws-lc-build -DCMAKE_INSTALL_PREFIX=/opt/ssl -DBUILD_TESTING=OFF -DDISABLE_GO=ON -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0
 ninja -C $root/aws-lc-build install
diff --git a/util/build-with-dd.sh b/util/build-with-dd.sh
index a56a89119b..a48eb54827 100755
--- a/util/build-with-dd.sh
+++ b/util/build-with-dd.sh
@@ -33,7 +33,7 @@ time ngx-build $force $version \
 --with-pcre-jit \
 $disable_pcre2 \
 --with-ipv6 \
- --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
+ --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
 --with-http_v2_module \
 $add_http3_module \
 --with-http_realip_module \
diff --git a/util/build.sh b/util/build.sh
index fdf5c4d53d..35da68b702 100755
--- a/util/build.sh
+++ b/util/build.sh
@@ -45,7 +45,7 @@ time ngx-build $force $version \
 --with-pcre-jit \
 $disable_pcre2 \
 --with-ipv6 \
- --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
+ --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
 --with-http_v2_module \
 $add_http3_module \
 --with-http_realip_module \
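Review bot: `mv aws-lc-* aws-lc` is a glob that also matches `aws-lc-build`, the directory the cmake line immediately below creates, so a second run in the same checkout expands to two sources and either moves both into `aws-lc` or fails; it also fails with an unhelpful message when the archive's top-level directory is not named `aws-lc-*`. Extracting into a fixed directory removes the glob entirely: `mkdir -p aws-lc` followed by `tar -xzf aws-lc.tar.gz --strip-components=1 -C aws-lc`. Separately, the archive is fetched in .travis.yml and unpacked here with no digest or signature check, so the TLS library linked into the test build is whatever the download resolved to; a `sha256sum -c <expected-digest-file>` (constructed placeholder) before the `tar` line, or `--strip-components` plus a pinned digest at the wget, would make that supply-chain input explicit and detectable when it changes.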
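Review bot: `--with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT ..."` only works because the caller embeds a trailing space inside the variable's value; any value without that space becomes a single fused token `-DOPENSSL_IS_BORINGSSL-DNGX_LUA_USE_ASSERT`, which the preprocessor does not treat as two defines. The same construction appears in the util/build.sh hunk below. Putting the separator in the script instead of the value is robust in both cases — an empty variable just yields a harmless leading space: `--with-cc-opt="$ENABLE_AWS_LC -DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \`. The `ngx-build` invocation that holds this argument starts above the hunk.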