feat: support openssl3 (#357)

AlinsRan · web-flow · commit 055f1e66e181 · 2023-12-27T17:41:56.000+08:00
diff --git a/.github/workflows/package-apisix-runtime-deb-ubuntu20.04.yml b/.github/workflows/package-apisix-runtime-deb-ubuntu20.04.yml
@@ -43,7 +43,7 @@ jobs:
           docker exec ubuntu20.04Instance bash -c "wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -"
           docker exec ubuntu20.04Instance bash -c 'echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/openresty.list'
           docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get update"
-          docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get -y install openresty-openssl111 openresty-pcre openresty-zlib"
+          docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get -y install openresty-pcre openresty-zlib"
 
       - name: install deb in container
         run: |
diff --git a/.github/workflows/package-apisix-runtime-rpm-el7.yml b/.github/workflows/package-apisix-runtime-rpm-el7.yml
@@ -38,7 +38,7 @@ jobs:
       - name: install dependencies in container
         run: |
           docker exec centos7Instance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
-          docker exec centos7Instance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
+          docker exec centos7Instance bash -c "yum -y install openresty-pcre openresty-zlib"
 
       - name: install rpm in container
         run: |
diff --git a/.github/workflows/package-apisix-runtime-rpm-el8.yml b/.github/workflows/package-apisix-runtime-rpm-el8.yml
@@ -45,7 +45,7 @@ jobs:
 
           docker exec centos8Instance bash -c "dnf install -y yum-utils"
           docker exec centos8Instance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
-          docker exec centos8Instance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
+          docker exec centos8Instance bash -c "yum -y install openresty-pcre openresty-zlib"
 
       - name: install rpm in container
         run: |
diff --git a/.github/workflows/package-apisix-runtime-rpm-ubi.yml b/.github/workflows/package-apisix-runtime-rpm-ubi.yml
@@ -37,7 +37,7 @@ jobs:
         run: |
           docker exec ubiInstance bash -c "dnf install -y yum-utils"
           docker exec ubiInstance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
-          docker exec ubiInstance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
+          docker exec ubiInstance bash -c "yum -y install openresty-pcre openresty-zlib"
 
       - name: install rpm in container
         run: |
diff --git a/build-apisix-runtime-debug-centos7.sh b/build-apisix-runtime-debug-centos7.sh
@@ -4,9 +4,9 @@ set -x
 
 yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
 yum -y install gcc gcc-c++ patch wget git make sudo
-yum -y install openresty-openssl111-devel openresty-pcre-devel openresty-zlib-devel
+yum -y install openresty-pcre-devel openresty-zlib-devel
 
-export openssl_prefix=/usr/local/openresty/openssl111
+export openssl_prefix=/usr/local/openresty/openssl3
 export zlib_prefix=/usr/local/openresty/zlib
 export pcre_prefix=/usr/local/openresty/pcre
 
diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh
@@ -4,6 +4,23 @@ set -x
 
 runtime_version=${runtime_version:-0.0.0}
 
+
+debug_args=${debug_args:-}
+ENABLE_FIPS=${ENABLE_FIPS:-"false"}
+OPENSSL_CONF_PATH=${OPENSSL_CONF_PATH:-$PWD/conf/openssl3/openssl.cnf}
+
+
+OR_PREFIX=${OR_PREFIX:="/usr/local/openresty"}
+OPENSSL_PREFIX=${OPENSSL_PREFIX:=$OR_PREFIX/openssl3}
+zlib_prefix=${OR_PREFIX}/zlib
+pcre_prefix=${OR_PREFIX}/pcre
+
+cc_opt=${cc_opt:-"-DNGX_LUA_ABORT_AT_PANIC -I$zlib_prefix/include -I$pcre_prefix/include -I$OPENSSL_PREFIX/include"}
+ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -Wl,-rpath,$zlib_prefix/lib:$pcre_prefix/lib:$OPENSSL_PREFIX/lib"}
+
+
+# dependencies for building openresty
+OPENSSL_VERSION=${OPENSSL_VERSION:-"3.2.0"}
 OPENRESTY_VERSION="1.21.4.2"
 ngx_multi_upstream_module_ver="1.1.1"
 mod_dubbo_ver="1.0.2"
@@ -12,8 +29,41 @@ wasm_nginx_module_ver="0.6.5"
 lua_var_nginx_module_ver="v0.5.3"
 grpc_client_nginx_module_ver="v0.4.4"
 lua_resty_events_ver="0.2.0"
-OR_PREFIX=${OR_PREFIX:="/usr/local/openresty"}
-debug_args=${debug_args:-}
+
+
+install_openssl_3(){
+    local fips=""
+    if [ "$ENABLE_FIPS" == "true" ]; then
+        fips="enable-fips"
+    fi
+    # required for openssl 3.x config
+    cpanm IPC/Cmd.pm
+    wget --no-check-certificate  https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
+    tar xvf openssl-${OPENSSL_VERSION}.tar.gz
+    cd openssl-${OPENSSL_VERSION}/
+    export LDFLAGS="-Wl,-rpath,$zlib_prefix/lib:$OPENSSL_PREFIX/lib"
+    ./config $fips \
+      shared \
+      zlib \
+	  enable-camellia enable-seed enable-rfc3779 \
+	  enable-cms enable-md2 enable-rc5 \
+	  enable-weak-ssl-ciphers \
+      --prefix=$OPENSSL_PREFIX \
+      --libdir=lib               \
+      --with-zlib-lib=$zlib_prefix/lib \
+      --with-zlib-include=$zlib_prefix/include
+    make -j $(nproc) LD_LIBRARY_PATH= CC="gcc"
+    make install
+    if [ -f "$OPENSSL_CONF_PATH" ]; then
+        cp "$OPENSSL_CONF_PATH" "$OPENSSL_PREFIX"/ssl/openssl.cnf
+    fi
+    if [ "$ENABLE_FIPS" == "true" ]; then
+        $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/ssl/fipsmodule.cnf -module $OPENSSL_PREFIX/lib/ossl-modules/fips.so
+        sed -i 's@# .include fipsmodule.cnf@.include '"$OPENSSL_PREFIX"'/ssl/fipsmodule.cnf@g; s/# \(fips = fips_sect\)/\1\nbase = base_sect\n\n[base_sect]\nactivate=1\n/g' $OPENSSL_PREFIX/ssl/openssl.cnf
+    fi
+    cd ..
+}
+
 
 if ([ $# -gt 0 ] && [ "$1" == "latest" ]) || [ "$version" == "latest" ]; then
     debug_args="--with-debug"
@@ -24,6 +74,9 @@ repo=$(basename "$prev_workdir")
 workdir=$(mktemp -d)
 cd "$workdir" || exit 1
 
+
+install_openssl_3
+
 wget --no-check-certificate https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz
 tar -zxvpf openresty-${OPENRESTY_VERSION}.tar.gz > /dev/null
 
@@ -95,8 +148,7 @@ cd wasm-nginx-module-${wasm_nginx_module_ver} || exit 1
 ./install-wasmtime.sh
 cd ..
 
-cc_opt=${cc_opt:-}
-ld_opt=${ld_opt:-}
+
 luajit_xcflags=${luajit_xcflags:="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT"}
 no_pool_patch=${no_pool_patch:-}
 # TODO: remove old NGX_HTTP_GRPC_CLI_ENGINE_PATH once we have released a new
@@ -126,6 +178,7 @@ else
     mv lua-resty-limit-traffic-$limit_ver bundle/lua-resty-limit-traffic-$or_limit_ver
 fi
 
+
 ./configure --prefix="$OR_PREFIX" \
     --with-cc-opt="-DAPISIX_RUNTIME_VER=$runtime_version $grpc_engine_path $cc_opt" \
     --with-ld-opt="-Wl,-rpath,$OR_PREFIX/wasmtime-c-api/lib $ld_opt" \
diff --git a/conf/openssl3/openssl.cnf b/conf/openssl3/openssl.cnf
diff --git a/package-apisix-runtime.sh b/package-apisix-runtime.sh
diff --git a/utils/build-common.sh b/utils/build-common.sh
