openssl: interop with AWS-LC

* Configure changes to detect AWS-LC * CMakeLists.txt changes to detect AWS-LC * Compile-time branches needed to support AWS-LC * Correctly set OSSL_VERSION and report AWS-LC release number * GitHub Actions script to build with autoconf and cmake against AWS-LC AWS-LC is a BoringSSL/OpenSSL derivative For more information see https://github.com/awslabs/aws-lc/ Closes #10320
2025-03-19 15:40:42 +08:00 · 2023-01-18 11:54:30 -05:00 · 2023-01-18 11:54:30 -05:00 · 34ef4fab22
commit 34ef4fab22
parent 1e3319a167
11 changed files with 169 additions and 14 deletions
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@ -42,6 +42,11 @@ Automake
 Autotools
 autotools
 AVR
+AWS
+AWS-LC
+AWSLC
+aws-lc
+awslc
 axTLS
 backend
 backends
--- a/.github/workflows/awslc.yml
+++ b/.github/workflows/awslc.yml
@ -0,0 +1,106 @@
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# SPDX-License-Identifier: curl
+
+name: Linux
+
+on:
+  push:
+    branches:
+    - master
+    - '*/ci'
+    paths-ignore:
+    - '**/*.md'
+  pull_request:
+    branches:
+    - master
+    paths-ignore:
+    - '**/*.md'
+
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: awslc-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  autoconf:
+    name: awslc (autoconf)
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 30
+
+    steps:
+    - run: |
+        sudo apt-get update --yes
+        sudo apt-get install --yes libtool autoconf automake pkg-config stunnel4
+        # ensure we don't pick up openssl in this build
+        sudo apt remove --yes libssl-dev
+        sudo python3 -m pip install impacket
+      name: 'install prereqs and impacket'
+
+    - run: |
+        curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+        tar xzf v1.3.0.tar.gz
+        mkdir aws-lc-1.3.0-build
+        cd aws-lc-1.3.0-build
+        cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+        cmake --build . --parallel
+        cmake --install .
+      name: 'install awslc'
+
+    - uses: actions/checkout@v3
+
+    - run: autoreconf -fi
+      name: 'autoreconf'
+
+    - run: ./configure --enable-warnings --enable-werror --with-openssl=$HOME/awslc
+      name: 'configure'
+
+    - run: make -j 2 V=1
+      name: 'make'
+
+    - run: make -j 2 V=1 examples
+      name: 'make examples'
+
+    - run: make -j 2 V=1 -C tests
+      name: 'make tests'
+
+    - run: make V=1 test-ci
+      name: 'run tests'
+
+  cmake:
+    name: awslc (cmake)
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 15
+
+    steps:
+    - run: |
+        sudo apt-get update
+        sudo apt-get install cmake stunnel4
+        # ensure we don't pick up openssl in this build
+        sudo apt remove --yes libssl-dev
+        sudo python3 -m pip install impacket
+      name: 'install prereqs and impacket'
+
+    - run: |
+        curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+        tar xzf v1.3.0.tar.gz
+        mkdir aws-lc-1.3.0-build
+        cd aws-lc-1.3.0-build
+        cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+        cmake --build . --parallel
+        cmake --install .
+      name: 'install awslc'
+
+    - uses: actions/checkout@v3
+
+    # CMAKE_COMPILE_WARNING_AS_ERROR is available in cmake 3.24 or later
+    - run: cmake -Bbuild -DOPENSSL_ROOT_DIR=$HOME/awslc -DBUILD_SHARED_LIBS=ON -DCMAKE_COMPILE_WARNING_AS_ERROR=ON .
+      name: 'cmake generate'
+
+    - run: cmake --build build --parallel
+      name: 'cmake build'
+
+    - run: cmake --install build --prefix $HOME/curl --strip
+      name: 'cmake install'
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -50,6 +50,7 @@
 #
 # The following variables are available:
 #   HAVE_RAND_EGD: `RAND_egd` present in OpenSSL
+#   HAVE_AWSLC: OpenSSL is AWS-LC
 #   HAVE_BORINGSSL: OpenSSL is BoringSSL
 #   HAVE_PK11_CREATEMANAGEDGENERICOBJECTL: `PK11_CreateManagedGenericObject` present in NSS
 #   HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL/wolfSSL
@ -473,6 +474,9 @@ if(CURL_USE_OPENSSL)
  if(NOT DEFINED HAVE_BORINGSSL)
    check_symbol_exists(OPENSSL_IS_BORINGSSL "openssl/base.h" HAVE_BORINGSSL)
  endif()
+  if(NOT DEFINED HAVE_AWSLC)
+    check_symbol_exists(OPENSSL_IS_AWSLC "openssl/base.h" HAVE_AWSLC)
+  endif()
 endif()

 if(CURL_USE_MBEDTLS)
--- a/docs/FAQ
+++ b/docs/FAQ
@ -422,7 +422,7 @@ FAQ
  backends.

  curl can be built to use one of the following SSL alternatives: OpenSSL,
-  libressl, BoringSSL, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
+  libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
  Transport (native iOS/OS X), Schannel (native Windows), GSKit (native IBM
  i), BearSSL, or Rustls. They all have their pros and cons, and we try to
  maintain a comparison of them here: https://curl.se/docs/ssl-compared.html
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@ -135,7 +135,7 @@ These options are provided to select the TLS backend to use.
 - GnuTLS: `--with-gnutls`.
 - mbedTLS: `--with-mbedtls`
 - NSS: `--with-nss`
- - OpenSSL: `--with-openssl` (also for BoringSSL, libressl and quictls)
+ - OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, libressl, and quictls)
 - rustls: `--with-rustls`
 - Schannel: `--with-schannel`
 - Secure Transport: `--with-secure-transport`
--- a/docs/libcurl/libcurl-thread.3
+++ b/docs/libcurl/libcurl-thread.3
@ -67,6 +67,8 @@ The engine is used by libcurl in a way that is fully thread-safe.
 The engine is used by libcurl in a way that is fully thread-safe.
 .IP BoringSSL
 The engine is used by libcurl in a way that is fully thread-safe.
+.IP AWS-LC
+The engine is used by libcurl in a way that is fully thread-safe.
 .SH "Other areas of caution"
 .IP Signals
 Signals are used for timing out name resolves (during DNS lookup) - when built
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@ -1015,6 +1015,7 @@ CURLSSH_AUTH_KEYBOARD           7.16.1
 CURLSSH_AUTH_NONE               7.16.1
 CURLSSH_AUTH_PASSWORD           7.16.1
 CURLSSH_AUTH_PUBLICKEY          7.16.1
+CURLSSLBACKEND_AWSLC            8.1.0
 CURLSSLBACKEND_AXTLS            7.38.0       7.61.0
 CURLSSLBACKEND_BEARSSL          7.68.0
 CURLSSLBACKEND_BORINGSSL        7.49.0
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -174,8 +174,9 @@ typedef enum {
 } curl_sslbackend;

 /* aliases for library clones and renames */
-#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_AWSLC CURLSSLBACKEND_OPENSSL
 #define CURLSSLBACKEND_BORINGSSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL

 /* deprecated names: */
 #define CURLSSLBACKEND_CYASSL CURLSSLBACKEND_WOLFSSL
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@ -83,6 +83,10 @@
 #    define DES_ecb_encrypt des_ecb_encrypt
 #    define DESKEY(x) x
 #    define DESKEYARG(x) x
+#  elif defined(OPENSSL_IS_AWSLC)
+#    define DES_set_key_unchecked (void)DES_set_key
+#    define DESKEYARG(x) *x
+#    define DESKEY(x) &x
 #  else
 #    define DESKEYARG(x) *x
 #    define DESKEY(x) &x
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -207,8 +207,10 @@
 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
     !defined(LIBRESSL_VERSION_NUMBER) &&       \
     !defined(OPENSSL_IS_BORINGSSL))
-#define HAVE_SSL_CTX_SET_CIPHERSUITES
-#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+  #define HAVE_SSL_CTX_SET_CIPHERSUITES
+  #if !defined(OPENSSL_IS_AWSLC)
+    #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+  #endif
 #endif

 /*
@ -227,6 +229,8 @@
 #define OSSL_PACKAGE "LibreSSL"
 #elif defined(OPENSSL_IS_BORINGSSL)
 #define OSSL_PACKAGE "BoringSSL"
+#elif defined(OPENSSL_IS_AWSLC)
+#define OSSL_PACKAGE "AWS-LC"
 #else
 #define OSSL_PACKAGE "OpenSSL"
 #endif
@ -257,7 +261,8 @@
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
    !(defined(LIBRESSL_VERSION_NUMBER) && \
      LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
-    !defined(OPENSSL_IS_BORINGSSL)
+    !defined(OPENSSL_IS_BORINGSSL) && \
+    !defined(OPENSSL_IS_AWSLC)
 #define HAVE_OPENSSL_VERSION
 #endif

@ -393,7 +398,7 @@ static void X509V3_ext(struct Curl_easy *data,
  }
 }

-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef size_t numcert_t;
 #else
 typedef int numcert_t;
@ -926,7 +931,7 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
    *buf = '\0';
  }

-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
  ERR_error_string_n((uint32_t)error, buf, size);
 #else
  ERR_error_string_n(error, buf, size);
@ -2147,7 +2152,7 @@ ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
  altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);

  if(altnames) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
    size_t numalts;
    size_t i;
 #else
@ -2716,7 +2721,9 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
  long curl_ssl_version_max;

  /* convert curl min SSL version option to OpenSSL constant */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (defined(OPENSSL_IS_BORINGSSL)  || \
+     defined(OPENSSL_IS_AWSLC)      || \
+     defined(LIBRESSL_VERSION_NUMBER))
  uint16_t ossl_ssl_version_min = 0;
  uint16_t ossl_ssl_version_max = 0;
 #else
@ -2793,7 +2800,7 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
 }
 #endif

-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef uint32_t ctx_option_t;
 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
 typedef uint64_t ctx_option_t;
@ -3726,7 +3733,8 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
    SSL_set_tlsext_status_type(backend->handle, TLSEXT_STATUSTYPE_ocsp);
 #endif

-#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
+#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
+    defined(ALLOW_RENEG)
  SSL_set_renegotiate_mode(backend->handle, ssl_renegotiate_freely);
 #endif

@ -3887,9 +3895,11 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
      }
 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L &&   \
     !defined(LIBRESSL_VERSION_NUMBER) &&       \
-     !defined(OPENSSL_IS_BORINGSSL))
+     !defined(OPENSSL_IS_BORINGSSL) &&          \
+     !defined(OPENSSL_IS_AWSLC))
+
      /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
-         OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */
+         OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
      else if((lib == ERR_LIB_SSL) &&
              (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
        /* If client certificate is required, communicate the
@ -4629,6 +4639,10 @@ static size_t ossl_version(char *buffer, size_t size)
 #else
  return msnprintf(buffer, size, OSSL_PACKAGE);
 #endif
+#elif defined(OPENSSL_IS_AWSLC)
+  return msnprintf(buffer, size, "%s/%s",
+                   OSSL_PACKAGE,
+                   AWSLC_VERSION_NUMBER_STRING);
 #elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
  return msnprintf(buffer, size, "%s/%s",
                   OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
--- a/m4/curl-openssl.m4
+++ b/m4/curl-openssl.m4
@ -279,6 +279,24 @@ if test "x$OPT_OPENSSL" != xno; then
        AC_MSG_RESULT([no])
    ])

+    AC_MSG_CHECKING([for AWS-LC])
+    AC_COMPILE_IFELSE([
+        AC_LANG_PROGRAM([[
+                #include <openssl/base.h>
+                ]],[[
+                #ifndef OPENSSL_IS_AWSLC
+                #error not AWS-LC
+                #endif
+       ]])
+    ],[
+        AC_MSG_RESULT([yes])
+        AC_DEFINE_UNQUOTED(HAVE_AWSLC, 1,
+                           [Define to 1 if using AWS-LC.])
+        ssl_msg="AWS-LC"
+    ],[
+        AC_MSG_RESULT([no])
+    ])
+
    AC_MSG_CHECKING([for libressl])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[