From 66efd0fbb6b8b95f8a520f2cdf8ede14e62b30b3 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 6 Feb 2025 09:38:09 +1100
Subject: [PATCH] add support for AWS-LC (AWS libcrypto)

Patch from Shubham Mittal via bz3784; ok dtucker
---
 .github/configs | 3 +++
 .github/setup_ci.sh | 13 +++++++++++++
 .github/workflows/c-cpp.yml | 1 +
 configure.ac | 6 ++++++
 openbsd-compat/openssl-compat.h | 4 ++--
 5 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/.github/configs b/.github/configs
index 3cdcfeac7..bcb67365a 100755
--- a/.github/configs
+++ b/.github/configs
@@ -161,6 +161,9 @@ case "$config" in
 CONFIGFLAGS="--disable-pkcs11"
 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
 ;;
+ aws-lc)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
+ ;;
 libressl-*)
 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
 ;;
diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
index 7e1becaac..89a2d2877 100755
--- a/.github/setup_ci.sh
+++ b/.github/setup_ci.sh
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
 INSTALL_BORINGSSL=1
 PACKAGES="${PACKAGES} cmake ninja-build"
 ;;
+ aws-lc)
+ INSTALL_AWSLC=1
+ PACKAGES="${PACKAGES} cmake ninja-build"
+ ;;
 putty-*)
 INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
 PACKAGES="${PACKAGES} cmake"
@@ -240,6 +244,15 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
 cp -r ${HOME}/boringssl/include /opt/boringssl)
 fi

+if [ ! -z "${INSTALL_AWSLC}" ]; then
+ (cd ${HOME} && git clone --depth 1 --branch v1.42.0 https://github.com/aws/aws-lc.git &&
+ cd ${HOME}/aws-lc && mkdir build && cd build &&
+ cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF .. && ninja &&
+ mkdir -p /opt/aws-lc/lib &&
+ cp ${HOME}/aws-lc/build/crypto/libcrypto.a /opt/aws-lc/lib &&
+ cp -r ${HOME}/aws-lc/include /opt/aws-lc)
+fi
+
 if [ ! -z "${INSTALL_ZLIB}" ]; then
 (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
 cd ${HOME}/zlib && ./configure && make &&
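Review bot: The new `aws-lc)` arm in the .github/configs hunk sets only LIBCRYPTOFLAGS, while the `boringssl` arm directly above it also passes `CONFIGFLAGS="--disable-pkcs11"`; the omission is presumably deliberate, since the configure.ac part of this same patch disables PKCS#11 on its own when OPENSSL_IS_AWSLC is declared, but nothing in this file records that. A one-line comment in the arm would stop the next reader from "fixing" the asymmetry: `# PKCS#11 is disabled by configure itself when it detects AWS-LC; no --disable-pkcs11 needed here.`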
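Review bot: The AWS-LC clone in the second setup_ci.sh hunk pins a tag (`--branch v1.42.0`) but never checks what was actually fetched before the resulting `libcrypto.a` and headers are installed under /opt/aws-lc and linked into the CI build; a git tag is mutable, so an unverified tag pin gives less assurance than it appears to. Because the hunk already chains its steps with `&&`, a check fits on one line right after the clone, e.g. `[ "$(git -C ${HOME}/aws-lc rev-parse HEAD)" = "<expected-commit-sha>" ] &&`, with the expected hash recorded next to the tag so that bumping the version updates both. The zlib clone visible in the trailing context is not pinned at all, so this hunk is already ahead of the file's existing practice; the `[ ! -z ... ]` test and unquoted `${HOME}` likewise follow the surrounding style rather than introducing anything new.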
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index 2d672d871..b05ff0c6e 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -55,6 +55,7 @@ jobs:
 - { target: ubuntu-20.04, config: tcmalloc }
 - { target: ubuntu-20.04, config: musl }
 - { target: ubuntu-latest, config: boringssl }
+ - { target: ubuntu-latest, config: aws-lc }
 - { target: ubuntu-latest, config: libressl-master }
 - { target: ubuntu-latest, config: libressl-3.2.6 }
 - { target: ubuntu-latest, config: libressl-3.3.6 }
diff --git a/configure.ac b/configure.ac
index e5da93365..b802d0e60 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3276,6 +3276,12 @@ fi
 # PKCS11/U2F depend on OpenSSL and dlopen().
 enable_pkcs11=yes
 enable_sk=yes
+
+AC_CHECK_DECL([OPENSSL_IS_AWSLC],
+ [enable_pkcs11="disabled; PKCS#11 not supported with AWS-LC"],
+ [],
+ [#include ]
+)
 if test "x$openssl" != "xyes" ; then
 enable_pkcs11="disabled; missing libcrypto"
 fi
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 2b9780f5e..6b8fff412 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -55,9 +55,9 @@ void ssh_libcrypto_init(void);
 # endif
 #endif

-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 /*
- * BoringSSL (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
+ * BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
 * the entire BN_set_flags() interface.
 * https://boringssl.googlesource.com/boringssl/+/0a211dfe9
 */
--
2.47.3
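Review bot: The AC_CHECK_DECL for OPENSSL_IS_AWSLC in the configure.ac hunk runs unconditionally, including for builds where `$openssl` is not `yes` and the included header may not exist at all; the empty action-if-not-found keeps that harmless, but configure would then print a "checking whether OPENSSL_IS_AWSLC is declared" probe for a build with no libcrypto, and the `enable_pkcs11` value it sets is overwritten by the `missing libcrypto` branch immediately below anyway. Wrapping the probe as `if test "x$openssl" = "xyes" ; then` / `AC_CHECK_DECL(...)` / `fi` limits it to builds that can actually use it. The patch never records why PKCS#11 cannot work with AWS-LC; a comment above the check naming the interface the PKCS#11 helper needs and AWS-LC lacks would save the next person who tries to re-enable it from rediscovering that. The header argument shows as `[#include ]` on this page, which looks like the header name was lost in extraction rather than in the patch itself, but is worth confirming against the committed file.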
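Review bot: The rewritten comment line `* BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag, along with` in the openssl-compat.h hunk now runs past 80 columns, which the surrounding comment lines stay within; reflow it as `* BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag,` / `* along with the entire BN_set_flags() interface.` The body of the `#if` block this condition now guards begins after the hunk, so whether every definition inside it is also correct for AWS-LC cannot be checked from here; AWS-LC being derived from BoringSSL makes that likely, but the linked boringssl commit is the only justification given, and an AWS-LC reference alongside it would make the claim in the comment verifiable. If other `OPENSSL_IS_BORINGSSL` conditionals exist elsewhere in the tree, this patch does not touch them and they would presumably need the same `|| defined(OPENSSL_IS_AWSLC)` treatment.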