feature: add AWS-LC patches and tests

.travis.yml

@@ -29,6 +29,7 @@ addons:
       - libunwind-dev
       - wget
       - libbrotli1
+      - ninja-build # for aws-lc
 
 cache:
   directories:
@@ -66,6 +67,7 @@ env:
     - NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
     - NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
     - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
+    - NGINX_VERSION=1.27.1 AWSLC=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
     #- NGINX_VERSION=1.25.1 OPENSSL_VER=1.1.1w TEST_NGINX_USE_HTTP2=1
 
 services:
@@ -85,6 +87,7 @@ install:
   - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
+  - wget -O aws-lc-1.34.2.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
   - git clone https://github.com/openresty/openresty.git ../openresty
@@ -139,6 +142,7 @@ script:
   - if [ "$USE_PCRE2" = "Y" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+  - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; cd test-nginx; patch -p1 < ../util/aws-lc-nginx-tests.patch; cd ..; fi
   - export NGX_BUILD_CC=$CC
   - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
   - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)

util/aws-lc-nginx-tests.patch

@@ -0,0 +1,120 @@
+diff --git a/h3_ssl_early_data.t b/h3_ssl_early_data.t
+index 064ffad..b06acd1 100644
+--- a/h3_ssl_early_data.t
++++ b/h3_ssl_early_data.t
+@@ -89,6 +89,7 @@ $s = Test::Nginx::HTTP3->new(8980, psk_list => $psk_list, early_data => {});
+ TODO: {
+ local $TODO = 'no 0-RTT in OpenSSL compat layer'
+ 	unless $t->has_module('OpenSSL [.0-9]+\+quic')
++	or $t->has_module('AWS-LC')
+ 	or $t->has_module('BoringSSL')
+ 	or $t->has_module('LibreSSL');
+
+diff --git a/h3_ssl_session_reuse.t b/h3_ssl_session_reuse.t
+index e9ef846..eaac4de 100644
+--- a/h3_ssl_session_reuse.t
++++ b/h3_ssl_session_reuse.t
+@@ -139,6 +139,8 @@ is(test_reuse(8944), 1, 'tickets and cache reused');
+
+ local $TODO = 'no TLSv1.3 session cache in BoringSSL'
+ 	if $t->has_module('BoringSSL');
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++    if $t->has_module('AWS-LC');
+
+ is(test_reuse(8945), 1, 'cache shared reused');
+ is(test_reuse(8946), 1, 'cache builtin reused');
+diff --git a/mail_ssl_session_reuse.t b/mail_ssl_session_reuse.t
+index 96330cc..30ed758 100644
+--- a/mail_ssl_session_reuse.t
++++ b/mail_ssl_session_reuse.t
+@@ -147,6 +147,8 @@ is(test_reuse(8994), 1, 'tickets and cache reused');
+ TODO: {
+ local $TODO = 'no TLSv1.3 session cache in BoringSSL'
+ 	if $t->has_module('BoringSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++    if $t->has_module('AWS-LC') && test_tls13();
+
+ is(test_reuse(8995), 1, 'cache shared reused');
+ is(test_reuse(8996), 1, 'cache builtin reused');
+diff --git a/ssl.t b/ssl.t
+index 6055e08..bbbe4dd 100644
+--- a/ssl.t
++++ b/ssl.t
+@@ -218,6 +218,8 @@ local $TODO = 'no TLSv1.3 sessions in LibreSSL'
+ 	if $t->has_module('LibreSSL') && test_tls13();
+ local $TODO = 'no TLSv1.3 sessions ids in BoringSSL'
+ 	if $t->has_module('BoringSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 sessions ids in AWS-LC'
++	if $t->has_module('AWS-LC') && test_tls13();
+
+ like(get('/id', 8085, $ctx), qr/^body \w{64}$/m, 'session id reused');
+
+@@ -229,6 +231,7 @@ like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher');
+
+ SKIP: {
+ skip 'BoringSSL', 1 if $t->has_module('BoringSSL');
++skip 'AWS-LC', 1 if $t->has_module('AWS-LC');
+
+ like(get('/ciphers', 8085), qr/^body [:\w-]+$/m, 'ciphers');
+
+diff --git a/ssl_ocsp.t b/ssl_ocsp.t
+index 8f6b26d..ee9a82d 100644
+--- a/ssl_ocsp.t
++++ b/ssl_ocsp.t
+@@ -363,6 +363,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
+ 	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
+ local $TODO = 'no TLSv1.3 sessions in LibreSSL'
+ 	if $t->has_module('LibreSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++	if $t->has_module('AWS-LC') && test_tls13();
+
+ like(get('ec-end', ses => $s),
+ 	qr/200 OK.*SUCCESS:r/s, 'session reused');
+@@ -395,6 +397,8 @@ local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
+ 	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
+ local $TODO = 'no TLSv1.3 sessions in LibreSSL'
+ 	if $t->has_module('LibreSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++	if $t->has_module('AWS-LC') && test_tls13();
+
+ like(get('ec-end', ses => $s),
+ 	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
+diff --git a/ssl_session_reuse.t b/ssl_session_reuse.t
+index 163de3d..d22282b 100644
+--- a/ssl_session_reuse.t
++++ b/ssl_session_reuse.t
+@@ -174,6 +174,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused');
+ TODO: {
+ local $TODO = 'no TLSv1.3 session cache in BoringSSL'
+ 	if $t->has_module('BoringSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++    if $t->has_module('AWS-LC') && test_tls13();
+
+ is(test_reuse(8445), 1, 'cache shared reused');
+ is(test_reuse(8446), 1, 'cache builtin reused');
+diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t
+index 7ff5fa0..958bfaa 100644
+--- a/ssl_sni_sessions.t
++++ b/ssl_sni_sessions.t
+@@ -118,6 +118,8 @@ plan(skip_all => 'no TLSv1.3 sessions in LibreSSL')
+         if $t->has_module('LibreSSL') && test_tls13();
+ plan(skip_all => 'no TLS 1.3 session cache in BoringSSL')
+ 	if $t->has_module('BoringSSL') && test_tls13();
++plan(skip_all => 'no TLS 1.3 session cache in AWS-LC')
++    if $t->has_module('AWS-LC') && test_tls13();
+
+ $t->plan(6);
+
+diff --git a/stream_ssl_session_reuse.t b/stream_ssl_session_reuse.t
+index 53f24d2..39b7d62 100644
+--- a/stream_ssl_session_reuse.t
++++ b/stream_ssl_session_reuse.t
+@@ -151,6 +151,8 @@ is(test_reuse(8444), 1, 'tickets and cache reused');
+ TODO: {
+ local $TODO = 'no TLSv1.3 session cache in BoringSSL'
+ 	if $t->has_module('BoringSSL') && test_tls13();
++local $TODO = 'no TLSv1.3 session cache in AWS-LC'
++    if $t->has_module('AWS-LC') && test_tls13();
+
+ is(test_reuse(8445), 1, 'cache shared reused');
+ is(test_reuse(8446), 1, 'cache builtin reused');