feat: support openssl3 (apache#10724)

dabue · Dec 28, 2023 · 538b964 · 538b964
1 parent 593e4c2
commit 538b964
Show file tree

Hide file tree

Showing 14 changed files with 62 additions and 109 deletions.
diff --git a/.github/workflows/cli-master.yml b/.github/workflows/cli-master.yml
@@ -6,11 +6,6 @@ on:
     paths-ignore:
       - 'docs/**'
       - '**/*.md'
-  pull_request:
-    branches: [master]
-    paths-ignore:
-      - 'docs/**'
-      - '**/*.md'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' && github.run_number || github.ref }}

diff --git a/.github/workflows/code-lint.yml b/.github/workflows/code-lint.yml
@@ -22,9 +22,9 @@ jobs:
         export_or_prefix
         export OPENRESTY_VERSION=default
 
-        ./ci/linux-install-openresty.sh
+        sudo -E ./ci/linux-install-openresty.sh
         ./utils/linux-install-luarocks.sh
-        sudo luarocks install luacheck
+        sudo -E luarocks install luacheck
 
     - name: Script
       run: |

diff --git a/.github/workflows/fips.yml b/.github/workflows/fips.yml
@@ -39,6 +39,7 @@ jobs:
     env:
       SERVER_NAME: ${{ matrix.os_name }}
       OPENRESTY_VERSION: default
+      ENABLE_FIPS: true
 
     steps:
       - name: Check out code
@@ -54,28 +55,6 @@ jobs:
           path: deps
           key: ${{ runner.os }}-${{ env.cache-name }}-${{ matrix.os_name }}-${{ hashFiles('apisix-master-0.rockspec') }}
 
-      - name: Cache openssl-3.0 compilation
-        id: cache-openssl
-        uses: actions/cache@v3
-        env:
-          cache-name: cache-openssl
-        with:
-          path: ~/openssl-3.0
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ matrix.os_name }}
-
-      - name: set openssl prefix
-        id: set_openssl_prefix
-        shell: bash
-        run: |
-          echo "openssl3_prefix=$HOME" >>$GITHUB_OUTPUT
-
-      - name: Toggle openssl compile
-        id: test_ssl_env
-        shell: bash
-        if: steps.cache-openssl.outputs.cache-hit != 'true'
-        run: |
-          echo "openssl3=yes" >>$GITHUB_OUTPUT
-
       - name: Extract test type
         shell: bash
         id: test_env
@@ -139,16 +118,9 @@ jobs:
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install
 
       - name: Linux Install
-        env:
-          COMPILE_OPENSSL3: ${{ steps.test_ssl_env.outputs.openssl3 }}
-          OPENSSL3_PREFIX: ${{ steps.set_openssl_prefix.outputs.openssl3_prefix }}
-          USE_OPENSSL3: yes
         run: |
-          sudo --preserve-env=OPENRESTY_VERSION \
-          --preserve-env=COMPILE_OPENSSL3 \
-          --preserve-env=OPENSSL3_PREFIX \
-          --preserve-env=USE_OPENSSL3 \
-          ./ci/${{ matrix.os_name }}_runner.sh do_install
+          sudo --preserve-env=ENABLE_FIPS \
+            ./ci/${{ matrix.os_name }}_runner.sh do_install
 
       - name: Linux Script
         env:

diff --git a/.requirements b/.requirements
@@ -17,4 +17,4 @@
 
 APISIX_PACKAGE_NAME=apisix
 
-APISIX_RUNTIME=1.0.2
+APISIX_RUNTIME=1.1.0
diff --git a/Makefile b/Makefile
@@ -40,7 +40,7 @@ ENV_DOCKER             ?= docker
 ENV_DOCKER_COMPOSE     ?= docker-compose --project-directory $(CURDIR) -p $(project_name) -f $(project_compose_ci)
 ENV_NGINX              ?= $(ENV_NGINX_EXEC) -p $(CURDIR) -c $(CURDIR)/conf/nginx.conf
 ENV_NGINX_EXEC         := $(shell command -v openresty 2>/dev/null || command -v nginx 2>/dev/null)
-ENV_OPENSSL_PREFIX     ?= $(addprefix $(ENV_NGINX_PREFIX), openssl)
+ENV_OPENSSL_PREFIX     ?= $(addprefix $(ENV_NGINX_PREFIX), openssl3)
 ENV_LUAROCKS           ?= luarocks
 ## These variables can be injected by luarocks
 ENV_INST_PREFIX        ?= /usr
@@ -59,9 +59,9 @@ endif
 # Execute only in the presence of ENV_NGINX_EXEC to avoid unexpected error output
 ifneq ($(ENV_NGINX_EXEC), )
 	ENV_NGINX_PREFIX := $(shell $(ENV_NGINX_EXEC) -V 2>&1 | grep -Eo 'prefix=(.*)/nginx\s+' | grep -Eo '/.*/')
-	# OpenResty 1.17.8 or higher version uses openssl111 as the openssl dirname.
-	ifeq ($(shell test -d $(addprefix $(ENV_NGINX_PREFIX), openssl111) && echo -n yes), yes)
-		ENV_OPENSSL_PREFIX := $(addprefix $(ENV_NGINX_PREFIX), openssl111)
+	# OpenResty 1.17.8 or higher version uses openssl3 as the openssl dirname.
+	ifeq ($(shell test -d $(addprefix $(ENV_NGINX_PREFIX), openssl3) && echo -n yes), yes)
+		ENV_OPENSSL_PREFIX := $(addprefix $(ENV_NGINX_PREFIX), openssl3)
 	endif
 endif
 
@@ -80,8 +80,8 @@ ifeq ($(ENV_OS_NAME), darwin)
 	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl && echo -n yes), yes)
 		ENV_OPENSSL_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl
 	endif
-	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl111 && echo -n yes), yes)
-		ENV_OPENSSL_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl111
+	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl3 && echo -n yes), yes)
+		ENV_OPENSSL_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl3
 	endif
 	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/pcre && echo -n yes), yes)
 		ENV_PCRE_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/pcre

diff --git a/apisix-master-0.rockspec b/apisix-master-0.rockspec
@@ -65,7 +65,7 @@ dependencies = {
     "graphql = 0.0.2",
     "argparse = 0.7.1-1",
     "luasocket = 3.1.0-1",
-    "luasec = 0.9-1",
+    "luasec = 1.3.2-1",
     "lua-resty-consul = 0.3-2",
     "penlight = 1.13.1",
     "ext-plugin-proto = 0.6.1",

diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh
@@ -23,9 +23,12 @@ install_dependencies() {
     export_or_prefix
 
     # install build & runtime deps
-    yum install -y wget tar gcc automake autoconf libtool make unzip \
-        git sudo openldap-devel which ca-certificates openssl-devel \
-        epel-release
+    yum install -y wget tar gcc gcc-c++ automake autoconf libtool make unzip patch \
+        git sudo openldap-devel which ca-certificates \
+        openresty-pcre-devel openresty-zlib-devel \
+        epel-release  \
+        cpanminus perl \
+        openssl-devel
 
     # install newer curl
     yum makecache
@@ -40,12 +43,14 @@ install_dependencies() {
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
+    export luajit_xcflags="-DLUAJIT_ASSERT -DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT -O0"
+    export debug_args=--with-debug
 
-    wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime-debug-centos7.sh"
     wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
-    chmod +x build-apisix-runtime-debug-centos7.sh
     chmod +x build-apisix-runtime.sh
-    ./build-apisix-runtime-debug-centos7.sh
+    ./build-apisix-runtime.sh latest
+    curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
+        https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
 
     # patch lua-resty-events
     sed -i 's/log(ERR, "event worker failed: ", perr)/log(ngx.WARN, "event worker failed: ", perr)/' /usr/local/openresty/lualib/resty/events/worker.lua

diff --git a/ci/common.sh b/ci/common.sh
@@ -25,7 +25,8 @@ export_or_prefix() {
     export OPENRESTY_PREFIX="/usr/local/openresty"
     export APISIX_MAIN="https://raw.githubusercontent.com/apache/apisix/master/apisix-master-0.rockspec"
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
-    export OPENSSL111_BIN=$OPENRESTY_PREFIX/openssl111/bin/openssl
+    export OPENSSL_PREFIX=$OPENRESTY_PREFIX/openssl3
+    export OPENSSL_BIN=$OPENSSL_PREFIX/bin/openssl
 }
 
 create_lua_deps() {

diff --git a/ci/linux-install-openresty.sh b/ci/linux-install-openresty.sh
@@ -35,41 +35,12 @@ sudo add-apt-repository -y "deb https://openresty.org/package/${arch_path}ubuntu
 sudo add-apt-repository -y "deb http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
 
 sudo apt-get update
-sudo apt-get install -y openresty-openssl111 openresty-openssl111-dev libldap2-dev openresty-pcre openresty-zlib
+sudo apt-get install -y libldap2-dev openresty-pcre-dev openresty-zlib-dev build-essential gcc g++ cpanminus
 
-COMPILE_OPENSSL3=${COMPILE_OPENSSL3-no}
-USE_OPENSSL3=${USE_OPENSSL3-no}
-OPENSSL3_PREFIX=${OPENSSL3_PREFIX-/home/runner}
 SSL_LIB_VERSION=${SSL_LIB_VERSION-openssl}
+ENABLE_FIPS=${ENABLE_FIPS:-"false"}
 
 if [ "$OPENRESTY_VERSION" == "source" ]; then
-    export openssl_prefix=/usr/local/openresty/openssl111
-    export zlib_prefix=/usr/local/openresty/zlib
-    export pcre_prefix=/usr/local/openresty/pcre
-
-    export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include -I${pcre_prefix}/include -I${openssl_prefix}/include"
-    export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib -L${openssl_prefix}/lib -Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib"
-
-    if [ "$COMPILE_OPENSSL3" == "yes" ]; then
-        apt install -y build-essential
-        git clone https://github.com/openssl/openssl
-        cd openssl
-        ./Configure --prefix=$OPENSSL3_PREFIX/openssl-3.0 enable-fips
-        make install
-        bash -c "echo $OPENSSL3_PREFIX/openssl-3.0/lib64 > /etc/ld.so.conf.d/openssl3.conf"
-        ldconfig
-        $OPENSSL3_PREFIX/openssl-3.0/bin/openssl fipsinstall -out $OPENSSL3_PREFIX/openssl-3.0/ssl/fipsmodule.cnf -module $OPENSSL3_PREFIX/openssl-3.0/lib64/ossl-modules/fips.so
-        sed -i 's@# .include fipsmodule.cnf@.include '"$OPENSSL3_PREFIX"'/openssl-3.0/ssl/fipsmodule.cnf@g; s/# \(fips = fips_sect\)/\1\nbase = base_sect\n\n[base_sect]\nactivate=1\n/g' $OPENSSL3_PREFIX/openssl-3.0/ssl/openssl.cnf
-        cd ..
-    fi
-
-    if [ "$USE_OPENSSL3" == "yes" ]; then
-        bash -c "echo $OPENSSL3_PREFIX/openssl-3.0/lib64 > /etc/ld.so.conf.d/openssl3.conf"
-        ldconfig
-        export cc_opt="-I$OPENSSL3_PREFIX/openssl-3.0/include"
-        export ld_opt="-L$OPENSSL3_PREFIX/openssl-3.0/lib64 -Wl,-rpath,$OPENSSL3_PREFIX/openssl-3.0/lib64"
-    fi
-
     if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
         export openssl_prefix=/usr/local/tongsuo
         export zlib_prefix=$OPENRESTY_PREFIX/zlib
@@ -84,5 +55,10 @@ wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/$
 chmod +x build-apisix-runtime.sh
 ./build-apisix-runtime.sh latest
 
+if [ ! "$ENABLE_FIPS" == "true" ]; then
+curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
+    https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
+fi
+
 # patch lua-resty-events
-sudo sed -i 's/log(ERR, "event worker failed: ", perr)/log(ngx.WARN, "event worker failed: ", perr)/' /usr/local/openresty/lualib/resty/events/worker.lua
+sed -i 's/log(ERR, "event worker failed: ", perr)/log(ngx.WARN, "event worker failed: ", perr)/' /usr/local/openresty/lualib/resty/events/worker.lua
diff --git a/ci/redhat-ci.sh b/ci/redhat-ci.sh
@@ -23,8 +23,11 @@ install_dependencies() {
 
     # install build & runtime deps
     yum install -y --disablerepo=* --enablerepo=ubi-8-appstream-rpms --enablerepo=ubi-8-baseos-rpms \
-    wget tar gcc automake autoconf libtool make unzip git sudo openldap-devel hostname \
-    which ca-certificates openssl-devel
+    wget tar gcc gcc-c++ automake autoconf libtool make unzip git sudo openldap-devel hostname patch \
+    which ca-certificates pcre pcre-devel xz \
+    openssl-devel
+
+    yum install -y --disablerepo=* --enablerepo=ubi-8-appstream-rpms --enablerepo=ubi-8-baseos-rpms cpanminus perl
 
     # install newer curl
     yum makecache
@@ -34,14 +37,16 @@ install_dependencies() {
     # install apisix-runtime to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
     rpm --import https://repos.apiseven.com/KEYS
-    yum install -y openresty-openssl111 openresty-openssl111-devel pcre pcre pcre-devel xz
     yum -y install https://repos.apiseven.com/packages/centos/apache-apisix-repo-1.0-1.noarch.rpm
 
-    wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime-debug-centos7.sh"
+    export luajit_xcflags="-DLUAJIT_ASSERT -DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT -O0"
+    export debug_args=--with-debug
+
     wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
     chmod +x build-apisix-runtime.sh
-    chmod +x build-apisix-runtime-debug-centos7.sh
-    ./build-apisix-runtime-debug-centos7.sh
+    ./build-apisix-runtime.sh latest
+    curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
+        https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
 
     # patch lua-resty-events
     sed -i 's/log(ERR, "event worker failed: ", perr)/log(ngx.WARN, "event worker failed: ", perr)/' /usr/local/openresty/lualib/resty/events/worker.lua
@@ -60,7 +65,6 @@ install_dependencies() {
     install_brotli
 
     # install test::nginx
-    yum install -y --disablerepo=* --enablerepo=ubi-8-appstream-rpms --enablerepo=ubi-8-baseos-rpms cpanminus perl
     cpanm --notest Test::Nginx IPC::Run > build.log 2>&1 || (cat build.log && exit 1)
 
     # add go1.15 binary to the path

diff --git a/t/APISIX.pm b/t/APISIX.pm
@@ -262,7 +262,7 @@ env ENABLE_ETCD_AUTH;
 env APISIX_PROFILE;
 env PATH; # for searching external plugin runner's binary
 env TEST_NGINX_HTML_DIR;
-env OPENSSL111_BIN;
+env OPENSSL_BIN;
 _EOC_
 
 

diff --git a/t/cli/test_upstream_mtls.sh b/t/cli/test_upstream_mtls.sh
@@ -141,8 +141,8 @@ sleep 0.1
 
 make stop
 
-if ! grep -E 'self signed certificate' logs/error.log; then
-    echo "failed: should got 'self signed certificate' when ssl_trusted_certificate is wrong ca cert"
+if ! grep -E 'self-signed certificate' logs/error.log; then
+    echo "failed: should got 'self-signed certificate' when ssl_trusted_certificate is wrong ca cert"
     exit 1
 fi
 

diff --git a/t/node/ssl-protocols.t b/t/node/ssl-protocols.t
@@ -21,11 +21,11 @@ log_level('info');
 no_root_location();
 no_shuffle();
 
-my $openssl_bin = $ENV{OPENSSL111_BIN};
+my $openssl_bin = $ENV{OPENSSL_BIN};
 if (! -x $openssl_bin) {
-    $ENV{OPENSSL111_BIN} = '/usr/local/openresty/openssl111/bin/openssl';
-    if (! -x $ENV{OPENSSL111_BIN}) {
-        plan(skip_all => "openssl111 not installed");
+    $ENV{OPENSSL_BIN} = '/usr/local/openresty/openssl3/bin/openssl';
+    if (! -x $ENV{OPENSSL_BIN}) {
+        plan(skip_all => "openssl3 not installed");
     }
 }
 
@@ -128,7 +128,7 @@ passed
 
 === TEST 3: Successfully, access test.com with TLSv1.3
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
 --- response_body eval
 qr/Server certificate/
 
@@ -144,7 +144,7 @@ qr/TLSv1\.2 \(IN\), TLS handshake, Server hello(?s).*hello world/
 
 === TEST 5: Successfully, access test.com with TLSv1.1
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat
 --- response_body eval
 qr/Server certificate/
 
@@ -219,7 +219,7 @@ GET /t
 
 === TEST 8: Successfully, access test.com with TLSv1.3
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
 --- response_body eval
 qr/Server certificate/
 
@@ -235,7 +235,7 @@ qr/TLSv1\.2 \(IN\), TLS handshake, Server hello(?s).*hello world/
 
 === TEST 10: Successfully, access test2.com with TLSv1.3
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test2.com -tls1_3 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test2.com -tls1_3 2>&1 | cat
 --- response_body eval
 qr/Server certificate/
 
@@ -285,14 +285,14 @@ passed
 
 === TEST 13: Successfully, access test.com with TLSv1.1
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat
 --- response_body eval
 qr/Server certificate/
 
 
 
 === TEST 14: Failed, access test.com with TLSv1.3
 --- exec
-echo -n "Q"  | $OPENSSL111_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
+echo -n "Q"  | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat
 --- response_body eval
 qr/tlsv1 alert/
diff --git a/utils/linux-install-luarocks.sh b/utils/linux-install-luarocks.sh
@@ -47,10 +47,10 @@ rm -rf luarocks-"$LUAROCKS_VER"
 
 mkdir ~/.luarocks || true
 
-# OpenResty 1.17.8 or higher version uses openssl111 as the openssl dirname.
-OPENSSL_PREFIX=${OPENRESTY_PREFIX}/openssl
-if [ -d ${OPENRESTY_PREFIX}/openssl111 ]; then
-    OPENSSL_PREFIX=${OPENRESTY_PREFIX}/openssl111
+OPENSSL_PREFIX=${OPENRESTY_PREFIX}/openssl3
+if [ ! -d ${OPENSSL_PREFIX} ]; then
+    echo "Error: ${OPENSSL_PREFIX} not found, please install openssl3 first."
+    exit 1
 fi
 
 FOUND_PATH=$(echo "${PATH}" | grep -oP '(?<=:|)/usr/local/bin(?=:|)') || true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -17,4 +17,4 @@

		APISIX_PACKAGE_NAME=apisix

		APISIX_RUNTIME=1.0.2
		APISIX_RUNTIME=1.1.0