Add and test AWS-LC support.

Author: bavshin-f5

.github/workflows/ci.yaml

@@ -9,6 +9,7 @@ on:
 env:
   CARGO_TERM_COLOR: 'always'
   RUST_BACKTRACE: '1'
+  AWSLC_SOURCE_DIR: ${{ github.workspace }}/aws-lc
   NGINX_SOURCE_DIR: nginx
 
 jobs:
@@ -55,6 +56,11 @@ jobs:
             nginx-ref: stable-1.28
             build: debug
 
+          - runner: ubuntu
+            rust-version: stable
+            nginx-ref: master # AWS-LC is not supported in stable-1.28
+            build: aws-lc
+
           - runner: macos
             rust-version: stable
             nginx-ref: stable-1.28
@@ -81,6 +87,12 @@ jobs:
           repository: 'nginx/nginx-tests'
           path: 'nginx/tests'
 
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        if: startsWith(matrix.build, 'aws-lc')
+        with:
+          repository: 'aws/aws-lc'
+          path: ${{ env.AWSLC_SOURCE_DIR }}
+
       - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
         with:
           toolchain: ${{ matrix.rust-version }}

build/build-aws-lc-static.mk

@@ -0,0 +1,35 @@
+#
+# Build static module with AWS-LC
+#
+
+LIBSSL_SRCDIR		= $(AWSLC_SOURCE_DIR)
+LIBSSL_BUILDDIR		= $(NGINX_BUILD_DIR)/lib/aws-lc/build
+LIBSSL_DESTDIR		= $(NGINX_BUILD_DIR)/lib/aws-lc/install
+
+# pass SSL library location to openssl-sys
+
+BUILD_ENV		+= OPENSSL_INCLUDE_DIR="$(LIBSSL_DESTDIR)/include"
+BUILD_ENV		+= OPENSSL_LIB_DIR="$(LIBSSL_DESTDIR)/lib"
+BUILD_ENV		+= OPENSSL_STATIC=1
+
+NGINX_CONFIGURE		= \
+	$(NGINX_CONFIGURE_BASE) \
+		--with-cc-opt="-I$(LIBSSL_DESTDIR)/include" \
+		--with-ld-opt="-L$(LIBSSL_DESTDIR)/lib -lstdc++" \
+		--with-debug \
+		--add-module="$(CURDIR)"
+
+
+$(LIBSSL_BUILDDIR)/CMakeCache.txt: $(LIBSSL_SRCDIR)/CMakeLists.txt
+	cmake -S $(LIBSSL_SRCDIR) \
+		-B $(LIBSSL_BUILDDIR) \
+		-DBUILD_TESTING:BOOL=OFF \
+		-DCMAKE_BUILD_TYPE=RelWithDebInfo \
+		-DCMAKE_INSTALL_LIBDIR:STRING=lib \
+		-DCMAKE_INSTALL_PREFIX:STRING=$(LIBSSL_DESTDIR)
+
+$(LIBSSL_DESTDIR)/lib/libssl.a: $(LIBSSL_BUILDDIR)/CMakeCache.txt
+	cmake --build $(LIBSSL_BUILDDIR)
+	cmake --install $(LIBSSL_BUILDDIR)
+
+$(NGINX_BUILD_DIR)/Makefile: $(LIBSSL_DESTDIR)/lib/libssl.a

build/build-aws-lc.mk

@@ -0,0 +1,57 @@
+#
+# Build dynamic module with AWS-LC
+#
+# This build flavor requires shared AWS-LC, because:
+#
+# * we use libssl objects created by nginx, and thus have to link to the same
+#   library
+# 
+# * linking static libssl.a to the nginx binary alone results in missing
+#   symbols during module load
+#
+# * linking static libssl.a to both the binary and the module results in two
+#   different sets of static globals
+#
+
+LIBSSL_SRCDIR		= $(AWSLC_SOURCE_DIR)
+LIBSSL_BUILDDIR		= $(NGINX_BUILD_DIR)/lib/aws-lc/build
+LIBSSL_DESTDIR		= $(NGINX_BUILD_DIR)/lib/aws-lc/install
+
+# pass SSL library location to openssl-sys
+
+BUILD_ENV		+= OPENSSL_INCLUDE_DIR="$(LIBSSL_DESTDIR)/include"
+BUILD_ENV		+= OPENSSL_LIB_DIR="$(LIBSSL_DESTDIR)/lib"
+BUILD_ENV		+= OPENSSL_STATIC=0
+
+TEST_ENV		+= LD_LIBRARY_PATH="$(LIBSSL_DESTDIR)/lib"
+
+NGINX_CONFIGURE		= \
+	$(NGINX_CONFIGURE_BASE) \
+		--with-cc-opt="-I$(LIBSSL_DESTDIR)/include" \
+		--with-ld-opt="-L$(LIBSSL_DESTDIR)/lib -lstdc++" \
+		--with-debug \
+		--add-dynamic-module="$(CURDIR)"
+
+
+NGX_MODULE		= $(NGINX_BUILD_DIR)/ngx_http_acme_module.so
+TEST_NGINX_GLOBALS	+= load_module $(NGX_MODULE);
+
+.PHONY: $(NGX_MODULE)
+
+build: $(NGX_MODULE)
+
+
+$(LIBSSL_BUILDDIR)/CMakeCache.txt: $(LIBSSL_SRCDIR)/CMakeLists.txt
+	cmake -S $(LIBSSL_SRCDIR) \
+		-B $(LIBSSL_BUILDDIR) \
+		-DBUILD_SHARED_LIBS:BOOL=ON \
+		-DBUILD_TESTING:BOOL=OFF \
+		-DCMAKE_BUILD_TYPE=RelWithDebInfo \
+		-DCMAKE_INSTALL_LIBDIR:STRING=lib \
+		-DCMAKE_INSTALL_PREFIX:STRING=$(LIBSSL_DESTDIR)
+
+$(LIBSSL_DESTDIR)/lib/libssl.so: $(LIBSSL_BUILDDIR)/CMakeCache.txt
+	cmake --build $(LIBSSL_BUILDDIR)
+	cmake --install $(LIBSSL_BUILDDIR)
+
+$(NGINX_BUILD_DIR)/Makefile: $(LIBSSL_DESTDIR)/lib/libssl.so

src/jws.rs

@@ -253,8 +253,8 @@ impl Serialize for ShaWithRsaKey {
         let num_bytes = rsa.e().num_bytes().max(rsa.n().num_bytes()) as usize;
         let mut buf = vec![0u8; num_bytes];
 
-        let e = base64url(bn2bin(rsa.e(), &mut buf).map_err(Error::custom)?);
-        let n = base64url(bn2bin(rsa.n(), &mut buf).map_err(Error::custom)?);
+        let e = base64url(bn2bin(rsa.e(), &mut buf));
+        let n = base64url(bn2bin(rsa.n(), &mut buf));
 
         let mut map = serializer.serialize_map(Some(3))?;
         // order is important for thumbprint generation (RFC7638)
@@ -344,14 +344,13 @@ where
 }
 
 /// [openssl] offers [BigNumRef::to_vec()], but we want to avoid an extra allocation.
-fn bn2bin<'a>(bn: &BigNumRef, out: &'a mut [u8]) -> Result<&'a [u8], ErrorStack> {
+fn bn2bin<'a>(bn: &BigNumRef, out: &'a mut [u8]) -> &'a [u8] {
     debug_assert!(bn.num_bytes() as usize <= out.len());
+    // BN_bn2bin cannot fail.
     let n = unsafe { openssl_sys::BN_bn2bin(bn.as_ptr(), out.as_mut_ptr()) };
-    if n >= 0 {
-        Ok(&out[..n as usize])
-    } else {
-        Err(ErrorStack::get())
-    }
+    #[cfg(not(any(openssl = "awslc", openssl = "boringssl")))]
+    debug_assert!(n >= 0);
+    &out[..n as usize]
 }
 
 /// [openssl] offers [BigNumRef::to_vec_padded()], but we want to avoid an extra allocation.