feature: support AWS-LC SSL Library.

.travis.yml

@@ -29,6 +29,7 @@ addons:
       - libunwind-dev
       - wget
       - libbrotli1
+      - ninja-build # for aws-lc
 
 cache:
   directories:
@@ -66,6 +67,7 @@ env:
     - NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
     - NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
     - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
+    - NGINX_VERSION=1.27.1 AWSLC=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
     #- NGINX_VERSION=1.25.1 OPENSSL_VER=1.1.1w TEST_NGINX_USE_HTTP2=1
 
 services:
@@ -85,6 +87,7 @@ install:
   - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
+  - wget -O aws-lc-1.34.2.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
   - git clone https://github.com/openresty/openresty.git ../openresty
@@ -139,6 +142,7 @@ script:
   - if [ "$USE_PCRE2" = "Y" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+  - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; fi
   - export NGX_BUILD_CC=$CC
   - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
   - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)

src/ngx_http_lua_ssl_certby.c

@@ -1345,7 +1345,7 @@ ngx_http_lua_ffi_set_cert(ngx_http_request_t *r,
 
 #   else
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     size_t             i;
 #else
     int                i;
@@ -1487,7 +1487,7 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *client_certs,
     X509                        *x509 = NULL;
     X509_NAME                   *subject = NULL;
     X509_STORE                  *ca_store = NULL;
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     size_t                      i;
 #else
     int                         i;

src/ngx_http_lua_ssl_export_keying_material.c

@@ -31,7 +31,7 @@ ngx_http_lua_ffi_ssl_export_keying_material(ngx_http_request_t *r,
     u_char *out, size_t out_size, const char *label, size_t llen,
     const u_char *context, size_t ctxlen, int use_ctx, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
+#if defined(OPENSSL_IS_BORINGSSL)
     *err = "BoringSSL does not support SSL_export_keying_material";
     return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
@@ -79,11 +79,14 @@ ngx_http_lua_ffi_ssl_export_keying_material_early(ngx_http_request_t *r,
     u_char *out, size_t out_size, const char *label, size_t llen,
     const u_char *context, size_t ctxlen, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
-    *err = "BoringSSL does not support SSL_export_keying_material";
+#if defined(OPENSSL_IS_BORINGSSL)
+    *err = "BoringSSL does not support SSL_export_keying_material_early";
     return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
-    *err = "LibreSSL does not support SSL_export_keying_material";
+    *err = "LibreSSL does not support SSL_export_keying_material_early";
+    return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+    *err = "AWS-LC does not support SSL_export_keying_material_early";
     return NGX_ERROR;
 #elif OPENSSL_VERSION_NUMBER < 0x10101000L
     *err = "OpenSSL too old";

src/ngx_http_lua_ssl_ocsp.c

@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
-#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)
     if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
 #else
     if (ssl_conn->tlsext_status_type == -1) {

t/140-ssl-c-api.t

@@ -11,6 +11,8 @@ my $openssl_version = eval { `$NginxBinary -V 2>&1` };
 if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) {
     plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1");
 
+} elsif ($openssl_version =~ m/AWS-LC/) {
+    plan(skip_all => "does not support AWS-LC");
 } else {
     plan tests => repeat_each() * (blocks() * 5 - 1);
 }

t/166-ssl-client-hello.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
     plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/) {
     plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/) {
+    plan(skip_all => "does not support AWS-LC");
 } else {
     plan tests => repeat_each() * (blocks() * 6 + 8);
 }

t/187-ssl-two-verification.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
     plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/) {
     plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/) {
+    plan(skip_all => "does not support AWS-LC");
 } else {
     plan tests => repeat_each() * (blocks() * 7);
 }

util/build-aws-lc.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# this script is for developers only.
+# to build nginx with aws-lc, need two patches:
+# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/3J4C2B5L67YSKARKNVLLQHHR7QXXMMRI.html
+# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/R2AD2Q4XEVNAYEZY6WEVQBAKTM45OMTG.html
+# those patches are merged into nginx-*-aws-lc.patch
+
+root=`pwd`
+
+tar -xzf aws-lc-1.34.2.tar.gz
+mv aws-lc-1.34.2 aws-lc
+cmake $root/aws-lc -GNinja -B$root/aws-lc-build -DCMAKE_INSTALL_PREFIX=/opt/ssl -DBUILD_TESTING=OFF -DDISABLE_GO=ON -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0
+ninja -C $root/aws-lc-build install

util/build-with-dd.sh

@@ -28,7 +28,12 @@ if [ "$USE_PCRE2" = "Y" ]; then
     PCRE_LIB=$PCRE2_LIB
 fi
 
-time ngx-build $force $version \
+patch=""
+if [ -n "$AWSLC" ]; then
+    patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch"
+fi
+
+time ngx-build $force $patch $version \
             --with-threads \
             --with-pcre-jit \
             $disable_pcre2 \

util/build.sh

@@ -40,7 +40,12 @@ if [ "$USE_PCRE2" = "Y" ]; then
     PCRE_LIB=$PCRE2_LIB
 fi
 
-time ngx-build $force $version \
+patch=""
+if [ -n "$AWSLC" ]; then
+    patch="-p $root/util/nginx-$NGINX_VERSION-aws-lc.patch"
+fi
+
+time ngx-build $force $patch $version \
             --with-threads \
             --with-pcre-jit \
             $disable_pcre2 \