feature: support AWS-LC SSL Library.

.travis.yml

@@ -29,6 +29,7 @@ addons:
       - libunwind-dev
       - wget
       - libbrotli1
+      - ninja-build # for aws-lc
 
 cache:
   directories:
@@ -67,6 +68,7 @@ env:
     - NGINX_VERSION=1.27.1 OPENSSL_VER=3.0.15 OPENSSL_PATCH_VER=3.0.15 TEST_NGINX_TIMEOUT=5 PCRE2_VER=10.42 TEST_NGINX_USE_HTTP2=1
     - NGINX_VERSION=1.27.1 OPENSSL_VER=3.0.15 OPENSSL_PATCH_VER=3.0.15 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
     - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
+    - NGINX_VERSION=1.27.1 AWSLC=1 TEST_NGINX_USE_HTTP3=1 TEST_NGINX_QUIC_IDLE_TIMEOUT=3 PCRE2_VER=10.42
 
 services:
   - memcached
@@ -87,6 +89,7 @@ install:
   - if [ -n "$PCRE_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre-${PCRE_VER}-x64-focal.tar.gz; fi
   - if [ -n "$PCRE2_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre2-${PCRE2_VER}-x64-focal.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
+  - wget -O aws-lc.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.49.1.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
   - git clone https://github.com/openresty/openresty.git ../openresty
@@ -141,6 +144,7 @@ script:
   #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+  - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL "; fi
   - if [ -n "$OPENSSL_VER" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf openssl-$OPENSSL_VER-x64-focal.tar.gz --strip-components=2; fi
   - if [ -n "$PCRE_VER" ]; then sudo mkdir -p $PCRE_PREFIX && sudo tar -C $PCRE_PREFIX -xf pcre-$PCRE_VER-x64-focal.tar.gz --strip-components=2; fi
   - if [ -n "$PCRE2_VER" ]; then sudo mkdir -p $PCRE2_PREFIX && sudo tar -C $PCRE2_PREFIX -xf pcre2-$PCRE2_VER-x64-focal.tar.gz --strip-components=2; fi

src/ngx_http_lua_ssl_client_helloby.c

@@ -544,6 +544,9 @@ ngx_http_lua_ffi_ssl_get_client_hello_server_name(ngx_http_request_t *r,
 #ifdef LIBRESSL_VERSION_NUMBER
     *err = "LibreSSL does not support by ssl_client_hello_by_lua*";
     return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+    *err = "AWS-LC does not support by ssl_client_hello_by_lua*";
+    return NGX_ERROR;
 #else
     ngx_ssl_conn_t          *ssl_conn;
 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
@@ -634,6 +637,9 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext(ngx_http_request_t *r,
 #ifdef LIBRESSL_VERSION_NUMBER
     *err = "LibreSSL does not support by ssl_client_hello_by_lua*";
     return NGX_ERROR;
+#elif defined(OPENSSL_IS_AWSLC)
+    *err = "AWSLC does not support by ssl_client_hello_by_lua*";
+    return NGX_ERROR;
 #else
     ngx_ssl_conn_t          *ssl_conn;
 

src/ngx_http_lua_ssl_export_keying_material.c

@@ -31,7 +31,7 @@ ngx_http_lua_ffi_ssl_export_keying_material(ngx_http_request_t *r,
     u_char *out, size_t out_size, const char *label, size_t llen,
     const u_char *context, size_t ctxlen, int use_ctx, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
+#if defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
     *err = "BoringSSL does not support SSL_export_keying_material";
     return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
@@ -79,11 +79,11 @@ ngx_http_lua_ffi_ssl_export_keying_material_early(ngx_http_request_t *r,
     u_char *out, size_t out_size, const char *label, size_t llen,
     const u_char *context, size_t ctxlen, char **err)
 {
-#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER < 0x10101000L
-    *err = "BoringSSL does not support SSL_export_keying_material";
+#if defined(OPENSSL_IS_BORINGSSL)
+    *err = "BoringSSL does not support SSL_export_keying_material_early";
     return NGX_ERROR;
 #elif defined(LIBRESSL_VERSION_NUMBER)
-    *err = "LibreSSL does not support SSL_export_keying_material";
+    *err = "LibreSSL does not support SSL_export_keying_material_early";
     return NGX_ERROR;
 #elif OPENSSL_VERSION_NUMBER < 0x10101000L
     *err = "OpenSSL too old";

src/ngx_http_lua_ssl_ocsp.c

@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
-#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)
     if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
 #else
     if (ssl_conn->tlsext_status_type == -1) {

t/166-ssl-client-hello.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
     plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/) {
     plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/) {
+    plan(skip_all => "does not support AWS-LC");
 } else {
     plan tests => repeat_each() * (blocks() * 6 + 8);
 }

t/187-ssl-two-verification.t

@@ -12,6 +12,8 @@ if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
     plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
 } elsif ($openssl_version =~ m/running with BoringSSL/) {
     plan(skip_all => "does not support BoringSSL");
+} elsif ($openssl_version =~ m/AWS-LC/) {
+    plan(skip_all => "does not support AWS-LC");
 } else {
     plan tests => repeat_each() * (blocks() * 7);
 }

util/build-aws-lc.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# this script is for developers only.
+
+root=`pwd`
+
+tar -xzf aws-lc.tar.gz
+mv aws-lc-* aws-lc
+cmake $root/aws-lc -GNinja -B$root/aws-lc-build -DCMAKE_INSTALL_PREFIX=/opt/ssl -DBUILD_TESTING=OFF -DDISABLE_GO=ON -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0
+ninja -C $root/aws-lc-build install

util/build-with-dd.sh

@@ -33,7 +33,7 @@ time ngx-build $force $version \
             --with-pcre-jit \
             $disable_pcre2 \
             --with-ipv6 \
-            --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
+            --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC -DDDEBUG=1" \
             --with-http_v2_module \
             $add_http3_module \
             --with-http_realip_module \

util/build.sh

@@ -45,7 +45,7 @@ time ngx-build $force $version \
             --with-pcre-jit \
             $disable_pcre2 \
             --with-ipv6 \
-            --with-cc-opt="-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
+            --with-cc-opt="$ENABLE_AWS_LC-DNGX_LUA_USE_ASSERT -I$PCRE_INC -I$OPENSSL_INC" \
             --with-http_v2_module \
             $add_http3_module \
             --with-http_realip_module \