add support for AWS-LC (AWS libcrypto)
authorDamien Miller <djm@mindrot.org>
Wed, 5 Feb 2025 22:38:09 +0000 (09:38 +1100)
committerDamien Miller <djm@mindrot.org>
Wed, 5 Feb 2025 22:38:09 +0000 (09:38 +1100)
Patch from Shubham Mittal via bz3784; ok dtucker

.github/configs
.github/setup_ci.sh
.github/workflows/c-cpp.yml
configure.ac
openbsd-compat/openssl-compat.h

index 3cdcfeac71b58a3b932fe80088cf02e545fee3b9..bcb67365a39b612eef7c15e5d69d5bb811f72206 100755 (executable)
@@ -161,6 +161,9 @@ case "$config" in
        CONFIGFLAGS="--disable-pkcs11"
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
        ;;
+       aws-lc)
+       LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
+       ;;
     libressl-*)
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
        ;;
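Review bot: The new `aws-lc)` case does not say why it omits the `CONFIGFLAGS="--disable-pkcs11"` that the `boringssl` case directly above it sets. The job seems to rely on the `AC_CHECK_DECL([OPENSSL_IS_AWSLC], ...)` probe added to configure.ac in this same commit to turn PKCS#11 off, so a one-line comment would make that dependency visible, for example `# PKCS#11 is disabled by configure when it detects OPENSSL_IS_AWSLC`. Only a static `libcrypto.a` is copied to /opt/aws-lc/lib by setup_ci.sh, so the `--with-rpath` value looks carried over from the other entries rather than needed; it is harmless but worth confirming.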
index 7e1becaac2df4c63844fcc21db583964919128a5..89a2d2877370f7566706a16ad6ac06956cc289bd 100755 (executable)
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
         INSTALL_BORINGSSL=1
         PACKAGES="${PACKAGES} cmake ninja-build"
        ;;
+    aws-lc)
+        INSTALL_AWSLC=1
+        PACKAGES="${PACKAGES} cmake ninja-build"
+        ;;
     putty-*)
        INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
        PACKAGES="${PACKAGES} cmake"
@@ -240,6 +244,15 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
      cp -r ${HOME}/boringssl/include /opt/boringssl)
 fi
 
+if [ ! -z "${INSTALL_AWSLC}" ]; then
+    (cd ${HOME} && git clone --depth 1 --branch v1.42.0 https://github.com/aws/aws-lc.git &&
+     cd ${HOME}/aws-lc && mkdir build && cd build &&
+     cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF .. && ninja &&
+     mkdir -p /opt/aws-lc/lib &&
+     cp ${HOME}/aws-lc/build/crypto/libcrypto.a /opt/aws-lc/lib &&
+     cp -r ${HOME}/aws-lc/include /opt/aws-lc)
+fi
+
 if [ ! -z "${INSTALL_ZLIB}" ]; then
     (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
      cd ${HOME}/zlib && ./configure && make &&
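Review bot: The AWS-LC install block checks out the tag `v1.42.0` without verifying what the tag resolves to. A git tag can be moved upstream, so the CI job would build and link whatever that name points to at run time. Checking the resolved commit before the build closes that gap, e.g. inserting `test "$(git -C ${HOME}/aws-lc rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>" &&` after the clone, with the placeholder replaced by the commit the maintainers reviewed. The `${HOME}` expansions in the added lines are also unquoted, matching the neighbouring blocks; quoting them (`cd "${HOME}"`) would be safer if the runner's home path ever contains whitespace.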
index 2d672d87199d6efbf014c499198f56dd79a54792..b05ff0c6ec2378404d04ca696ad1cb91273f5fce 100644 (file)
@@ -55,6 +55,7 @@ jobs:
           - { target: ubuntu-20.04, config: tcmalloc }
           - { target: ubuntu-20.04, config: musl }
           - { target: ubuntu-latest, config: boringssl }
+          - { target: ubuntu-latest, config: aws-lc }
           - { target: ubuntu-latest, config: libressl-master }
           - { target: ubuntu-latest, config: libressl-3.2.6 }
           - { target: ubuntu-latest, config: libressl-3.3.6 }
index e5da93365968d1b291f7b4a21872fa3aa7513b74..b802d0e60b713cc44d65997b6665c6ac0686e6c2 100644 (file)
@@ -3276,6 +3276,12 @@ fi
 # PKCS11/U2F depend on OpenSSL and dlopen().
 enable_pkcs11=yes
 enable_sk=yes
+
+AC_CHECK_DECL([OPENSSL_IS_AWSLC],
+       [enable_pkcs11="disabled; PKCS#11 not supported with AWS-LC"],
+       [],
+       [#include <openssl/base.h>]
+)
 if test "x$openssl" != "xyes" ; then
        enable_pkcs11="disabled; missing libcrypto"
 fi
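Review bot: The added `AC_CHECK_DECL([OPENSSL_IS_AWSLC], ...)` has no comment explaining why PKCS#11 is switched off for AWS-LC, or why `enable_sk` is deliberately left at `yes`. The header comment just above says both PKCS11 and U2F depend on OpenSSL, so a reader cannot tell whether security-key support was tested against AWS-LC or simply not considered. A short comment before the check would settle it, e.g. `# AWS-LC: PKCS#11 is disabled here (the boringssl CI config passes --disable-pkcs11 for the same library family); enable_sk is unaffected`. The probe also runs before the `$openssl` test, so it is attempted even when libcrypto is not in use; wrapping it in `if test "x$openssl" = "xyes" ; then ... fi` would avoid that. The rest of this configure section lies outside the hunk.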
index 2b9780f5e86bff41b90f2400a5b793570bfd9fb7..6b8fff4129516971c02c5e7aefc3b9d5c400b77e 100644 (file)
@@ -55,9 +55,9 @@ void ssh_libcrypto_init(void);
 # endif
 #endif
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 /*
- * BoringSSL (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
+ * BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
  * the entire BN_set_flags() interface.
  * https://boringssl.googlesource.com/boringssl/+/0a211dfe9
  */
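Review bot: The rewritten comment now claims that AWS-LC removed `BN_FLG_CONSTTIME` and `BN_set_flags()`, but the only reference left is the BoringSSL commit URL. The code guarded by this `#if` is outside the hunk; if it stubs out `BN_set_flags()`, as the comment suggests, OpenSSH's constant-time handling of secret bignums then depends on AWS-LC doing this by default, which deserves its own citation or a sentence saying it was checked. The edited line also runs past 80 columns; rewrapping as ` * BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag,` followed by ` * along with the entire BN_set_flags() interface.` keeps the block within the file's usual width.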