feature: support AWS-LC SSL Library. #2357
Conversation
|
@devhaozi We need to add test cases to cover this new feature |
Add it to .travis.yml like BoringSSL? |
|
We don't need to run the tests in t/ directory. |
|
@zhuizhuhaomeng tests added. |
This comment was marked as resolved.
This comment was marked as resolved.
|
This pull request is now in conflict :( |
| @@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, | |||
| return NGX_ERROR; | |||
| } | |||
|
|
|||
| #ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE | |||
| #if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC) | |||
There was a problem hiding this comment.
AWS-LC supports SSL_get_tlsext_status_type, but does not define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE.
| #if defined(OPENSSL_IS_BORINGSSL) | ||
| *err = "BoringSSL does not support SSL_export_keying_material_early"; | ||
| return NGX_ERROR; | ||
| #elif defined(LIBRESSL_VERSION_NUMBER) | ||
| *err = "LibreSSL does not support SSL_export_keying_material"; | ||
| *err = "LibreSSL does not support SSL_export_keying_material_early"; |
| @@ -31,7 +31,7 @@ ngx_http_lua_ffi_ssl_export_keying_material(ngx_http_request_t *r, | |||
| u_char *out, size_t out_size, const char *label, size_t llen, | |||
| const u_char *context, size_t ctxlen, int use_ctx, char **err) | |||
| { | |||
| #if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L | |||
| #if defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) | |||
There was a problem hiding this comment.
AWS-LC supports SSL_export_keying_material but does not support SSL_export_keying_material_early due to performance reasons, see aws/aws-lc@94b2871
| #elif defined(OPENSSL_IS_AWSLC) | ||
| *err = "AWS-LC does not support by ssl_client_hello_by_lua*"; | ||
| return NGX_ERROR; |
There was a problem hiding this comment.
AWS-LC does not support SSL_client_hello_get0_ext, and therefore does not support ssl_client_hello_by_lua*.
From the test cases I think BoringSSL also does not support SSL_client_hello_get0_ext, but it is not shown here?
| @@ -141,6 +144,7 @@ script: | |||
| #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi | |||
| #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi | |||
| - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi | |||
| - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL "; fi | |||
There was a problem hiding this comment.
AWS-LC is close to BoringSSL, so can use -DOPENSSL_IS_BORINGSSL directly.
| #elif defined(OPENSSL_IS_AWSLC) | ||
| *err = "AWSLC does not support by ssl_client_hello_by_lua*"; | ||
| return NGX_ERROR; |
|
@zhuizhuhaomeng Ready for review, can you take a moment to look at this? |
This PR enables lua-nginx-module to be compiled with AWS-LC, tested on OpenResty 1.27.1.1.
I hereby granted the copyright of the changes in this pull request
to the authors of this lua-nginx-module project.