feat: update AWS-LC

h2zi · h2zi · commit 36af2ea4e65e · 2025-04-18T00:22:35.000+08:00
diff --git a/.travis.yml b/.travis.yml
@@ -89,7 +89,7 @@ install:
   - if [ -n "$PCRE_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre-${PCRE_VER}-x64-focal.tar.gz; fi
   - if [ -n "$PCRE2_VER" ]; then wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v1.0.0/pcre2-${PCRE2_VER}-x64-focal.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
-  - wget -O aws-lc.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.34.2.tar.gz
+  - wget -O aws-lc.tar.gz https://github.com/aws/aws-lc/archive/refs/tags/v1.49.1.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
   - git clone https://github.com/openresty/openresty.git ../openresty
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
@@ -1345,7 +1345,7 @@ ngx_http_lua_ffi_set_cert(ngx_http_request_t *r,
 
 #   else
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#ifdef OPENSSL_IS_BORINGSSL
     size_t             i;
 #else
     int                i;
@@ -1487,7 +1487,7 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *client_certs,
     X509                        *x509 = NULL;
     X509_NAME                   *subject = NULL;
     X509_STORE                  *ca_store = NULL;
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#ifdef OPENSSL_IS_BORINGSSL
     size_t                      i;
 #else
     int                         i;
diff --git a/src/ngx_http_lua_ssl_export_keying_material.c b/src/ngx_http_lua_ssl_export_keying_material.c
@@ -85,9 +85,6 @@ ngx_http_lua_ffi_ssl_export_keying_material_early(ngx_http_request_t *r,
 #elif defined(LIBRESSL_VERSION_NUMBER)
     *err = "LibreSSL does not support SSL_export_keying_material_early";
     return NGX_ERROR;
-#elif defined(OPENSSL_IS_AWSLC)
-    *err = "AWS-LC does not support SSL_export_keying_material_early";
-    return NGX_ERROR;
 #elif OPENSSL_VERSION_NUMBER < 0x10101000L
     *err = "OpenSSL too old";
     return NGX_ERROR;
diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
-#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC)
+#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
     if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
 #else
     if (ssl_conn->tlsext_status_type == -1) {
diff --git a/util/build-aws-lc.sh b/util/build-aws-lc.sh
@@ -1,10 +1,6 @@
 #!/usr/bin/env bash
 
 # this script is for developers only.
-# to build nginx with aws-lc, need two patches:
-# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/3J4C2B5L67YSKARKNVLLQHHR7QXXMMRI.html
-# https://mailman.nginx.org/pipermail/nginx-devel/2024-February/R2AD2Q4XEVNAYEZY6WEVQBAKTM45OMTG.html
-# those patches are merged into nginx-*-aws-lc.patch
 
 root=`pwd`
 

Original file line number	Diff line number	Diff line change
`@@ -511,7 +511,7 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,`
`511`	`511`	`return NGX_ERROR;`
`512`	`512`	`}`
`513`	`513`
`514`		`-#if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) \|\| defined(OPENSSL_IS_AWSLC)`
	`514`	`+#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE`
`515`	`515`	`if (SSL_get_tlsext_status_type(ssl_conn) == -1) {`
`516`	`516`	`#else`
`517`	`517`	`if (ssl_conn->tlsext_status_type == -1) {`