author | Jim King <jaseking@amazon.com> | 2023-01-18 11:54:30 -0500 |
committer | Daniel Stenberg <daniel@haxx.se> | 2023-03-30 10:56:14 +0200 |
commit | 34ef4fab22d93cf7ef1d6c2954a0bad19f323ea9 (patch) | |
tree | 3baf04654b7eaa0bb14f9acf8b8798cc24d5ec46 | |
parent | 1e3319a167d2f32d295603167486e9e88af9bb4e (diff) | |
openssl: interop with AWS-LC
* Configure changes to detect AWS-LC
* CMakeLists.txt changes to detect AWS-LC
* Compile-time branches needed to support AWS-LC
* Correctly set OSSL_VERSION and report AWS-LC release number
* GitHub Actions script to build with autoconf and cmake against AWS-LC
AWS-LC is a BoringSSL/OpenSSL derivative
For more information see https://github.com/awslabs/aws-lc/
Closes #10320
-rw-r--r-- | .github/scripts/spellcheck.words | 5 | ||||
-rw-r--r-- | .github/workflows/awslc.yml | 106 | ||||
-rw-r--r-- | CMakeLists.txt | 4 | ||||
-rw-r--r-- | docs/FAQ | 2 | ||||
-rw-r--r-- | docs/INSTALL.md | 2 | ||||
-rw-r--r-- | docs/libcurl/libcurl-thread.3 | 2 | ||||
-rw-r--r-- | docs/libcurl/symbols-in-versions | 1 | ||||
-rw-r--r-- | include/curl/curl.h | 3 | ||||
-rw-r--r-- | lib/curl_ntlm_core.c | 4 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 36 | ||||
-rw-r--r-- | m4/curl-openssl.m4 | 18 |
11 files changed, 169 insertions, 14 deletions
diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 1a7223e0f..a0464541b 100644
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -42,6 +42,11 @@ Automake
 Autotools
 autotools
 AVR
+AWS
+AWS-LC
+AWSLC
+aws-lc
+awslc
 axTLS
 backend
 backends
diff --git a/.github/workflows/awslc.yml b/.github/workflows/awslc.yml
new file mode 100644
index 000000000..aa8f2ab03
--- /dev/null
+++ b/.github/workflows/awslc.yml
@@ -0,0 +1,106 @@
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# SPDX-License-Identifier: curl
+
+name: Linux
+
+on:
+ push:
+ branches:
+ - master
+ - '*/ci'
+ paths-ignore:
+ - '**/*.md'
+ pull_request:
+ branches:
+ - master
+ paths-ignore:
+ - '**/*.md'
+
+concurrency:
+ # Hardcoded workflow filename as workflow name above is just Linux again
+ group: awslc-${{ github.event.pull_request.number || github.sha }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ autoconf:
+ name: awslc (autoconf)
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 30
+
+ steps:
+ - run: |
+ sudo apt-get update --yes
+ sudo apt-get install --yes libtool autoconf automake pkg-config stunnel4
+ # ensure we don't pick up openssl in this build
+ sudo apt remove --yes libssl-dev
+ sudo python3 -m pip install impacket
+ name: 'install prereqs and impacket'
+
+ - run: |
+ curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+ tar xzf v1.3.0.tar.gz
+ mkdir aws-lc-1.3.0-build
+ cd aws-lc-1.3.0-build
+ cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+ cmake --build . --parallel
+ cmake --install .
+ name: 'install awslc'
+
+ - uses: actions/checkout@v3
+
+ - run: autoreconf -fi
+ name: 'autoreconf'
+
+ - run: ./configure --enable-warnings --enable-werror --with-openssl=$HOME/awslc
+ name: 'configure'
+
+ - run: make -j 2 V=1
+ name: 'make'
+
+ - run: make -j 2 V=1 examples
+ name: 'make examples'
+
+ - run: make -j 2 V=1 -C tests
+ name: 'make tests'
+
+ - run: make V=1 test-ci
+ name: 'run tests'
+
+ cmake:
+ name: awslc (cmake)
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 15
+
+ steps:
+ - run: |
+ sudo apt-get update
+ sudo apt-get install cmake stunnel4
+ # ensure we don't pick up openssl in this build
+ sudo apt remove --yes libssl-dev
+ sudo python3 -m pip install impacket
+ name: 'install prereqs and impacket'
+
+ - run: |
+ curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+ tar xzf v1.3.0.tar.gz
+ mkdir aws-lc-1.3.0-build
+ cd aws-lc-1.3.0-build
+ cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+ cmake --build . --parallel
+ cmake --install .
+ name: 'install awslc'
+
+ - uses: actions/checkout@v3
+
+ # CMAKE_COMPILE_WARNING_AS_ERROR is available in cmake 3.24 or later
+ - run: cmake -Bbuild -DOPENSSL_ROOT_DIR=$HOME/awslc -DBUILD_SHARED_LIBS=ON -DCMAKE_COMPILE_WARNING_AS_ERROR=ON .
+ name: 'cmake generate'
+
+ - run: cmake --build build --parallel
+ name: 'cmake build'
+
+ - run: cmake --install build --prefix $HOME/curl --strip
+ name: 'cmake install'
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e3eaad34d..94eb5444b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -50,6 +50,7 @@
 #
 # The following variables are available:
 # HAVE_RAND_EGD: `RAND_egd` present in OpenSSL
+# HAVE_AWSLC: OpenSSL is AWS-LC
 # HAVE_BORINGSSL: OpenSSL is BoringSSL
 # HAVE_PK11_CREATEMANAGEDGENERICOBJECTL: `PK11_CreateManagedGenericObject` present in NSS
 # HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL/wolfSSL
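Review bot: The `install awslc` step in both jobs builds and installs whatever `curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz` returns without any integrity check, so the TLS library under test is taken entirely on trust from the download. Pinning the archive digest makes the job fail loudly if the tarball ever changes: after the download, `echo "<sha256-of-v1.3.0.tar.gz placeholder>  v1.3.0.tar.gz" | sha256sum --check`, with the digest taken from a trusted source and recorded in the workflow. The step is duplicated verbatim in the autoconf and cmake jobs, so the version and digest would live in two places; a single shared step would keep them together. `actions/checkout@v3` and `pip install impacket` are likewise unpinned, which is a weaker form of the same concern.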
@@ -473,6 +474,9 @@ if(CURL_USE_OPENSSL)
 if(NOT DEFINED HAVE_BORINGSSL)
 check_symbol_exists(OPENSSL_IS_BORINGSSL "openssl/base.h" HAVE_BORINGSSL)
 endif()
+ if(NOT DEFINED HAVE_AWSLC)
+ check_symbol_exists(OPENSSL_IS_AWSLC "openssl/base.h" HAVE_AWSLC)
+ endif()
 endif()
 if(CURL_USE_MBEDTLS)
@@ -422,7 +422,7 @@ FAQ
 backends.
 curl can be built to use one of the following SSL alternatives: OpenSSL,
- libressl, BoringSSL, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
+ libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
 Transport (native iOS/OS X), Schannel (native Windows), GSKit (native IBM i),
 BearSSL, or Rustls. They all have their pros and cons, and we try to maintain
 a comparison of them here: https://curl.se/docs/ssl-compared.html
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index dbb206805..c5326e8da 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -135,7 +135,7 @@ These options are provided to select the TLS backend to use.
 - GnuTLS: `--with-gnutls`.
 - mbedTLS: `--with-mbedtls`
 - NSS: `--with-nss`
- - OpenSSL: `--with-openssl` (also for BoringSSL, libressl and quictls)
+ - OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, libressl, and quictls)
 - rustls: `--with-rustls`
 - Schannel: `--with-schannel`
 - Secure Transport: `--with-secure-transport`
diff --git a/docs/libcurl/libcurl-thread.3 b/docs/libcurl/libcurl-thread.3
index fecb8cfd6..a29c4e821 100644
--- a/docs/libcurl/libcurl-thread.3
+++ b/docs/libcurl/libcurl-thread.3
@@ -67,6 +67,8 @@ The engine is used by libcurl in a way that is fully thread-safe.
 The engine is used by libcurl in a way that is fully thread-safe.
 .IP BoringSSL
 The engine is used by libcurl in a way that is fully thread-safe.
+.IP AWS-LC
+The engine is used by libcurl in a way that is fully thread-safe.
 .SH "Other areas of caution"
 .IP Signals
 Signals are used for timing out name resolves (during DNS lookup) - when built
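Review bot: `HAVE_AWSLC` is detected here with `check_symbol_exists(OPENSSL_IS_AWSLC "openssl/base.h" HAVE_AWSLC)` and defined again by the matching block in m4/curl-openssl.m4, but every compile-time branch in this diff keys on `OPENSSL_IS_AWSLC` directly (lib/vtls/openssl.c, lib/curl_ntlm_core.c), so nothing these hunks show consumes the new variable. If it is only meant to mirror `HAVE_BORINGSSL` for build-system reporting, a comment beside the check saying so, such as `# HAVE_AWSLC mirrors HAVE_BORINGSSL; the C sources test OPENSSL_IS_AWSLC directly`, would stop a later reader from wiring the two in parallel. Whether something outside this diff reads HAVE_AWSLC cannot be told from here. The enclosing `if(CURL_USE_OPENSSL)` block starts outside the hunk.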
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 4081314e0..a466c39d6 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -1015,6 +1015,7 @@ CURLSSH_AUTH_KEYBOARD 7.16.1
 CURLSSH_AUTH_NONE 7.16.1
 CURLSSH_AUTH_PASSWORD 7.16.1
 CURLSSH_AUTH_PUBLICKEY 7.16.1
+CURLSSLBACKEND_AWSLC 8.1.0
 CURLSSLBACKEND_AXTLS 7.38.0 7.61.0
 CURLSSLBACKEND_BEARSSL 7.68.0
 CURLSSLBACKEND_BORINGSSL 7.49.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index a4872bd47..e8b551b13 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -174,8 +174,9 @@ typedef enum {
 } curl_sslbackend;
 /* aliases for library clones and renames */
-#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_AWSLC CURLSSLBACKEND_OPENSSL
 #define CURLSSLBACKEND_BORINGSSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL
 /* deprecated names: */
 #define CURLSSLBACKEND_CYASSL CURLSSLBACKEND_WOLFSSL
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 25d252602..ba8457d6e 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -83,6 +83,10 @@
 # define DES_ecb_encrypt des_ecb_encrypt
 # define DESKEY(x) x
 # define DESKEYARG(x) x
+# elif defined(OPENSSL_IS_AWSLC)
+# define DES_set_key_unchecked (void)DES_set_key
+# define DESKEYARG(x) *x
+# define DESKEY(x) &x
 # else
 # define DESKEYARG(x) *x
 # define DESKEY(x) &x
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ce0b61998..397447007 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -207,8 +207,10 @@
 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
 !defined(LIBRESSL_VERSION_NUMBER) && \
 !defined(OPENSSL_IS_BORINGSSL))
-#define HAVE_SSL_CTX_SET_CIPHERSUITES
-#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ #define HAVE_SSL_CTX_SET_CIPHERSUITES
+ #if !defined(OPENSSL_IS_AWSLC)
+ #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ #endif
 #endif
 /*
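Review bot: `# define DES_set_key_unchecked (void)DES_set_key` in lib/curl_ntlm_core.c maps the unchecked OpenSSL entry point onto AWS-LC's `DES_set_key` and throws its return value away with a cast, but nothing records why a failure, if AWS-LC's `DES_set_key` can report one, is safe to ignore on this path. A one-line comment above the define should carry that reasoning, along the lines of `/* AWS-LC has no DES_set_key_unchecked; the DES_set_key result is deliberately ignored here because <reason> */`, with the reason confirmed against AWS-LC's des.h rather than assumed. The new `elif` branch also repeats the `DESKEYARG(x) *x` and `DESKEY(x) &x` definitions of the `else` branch below it verbatim; since only the `DES_set_key_unchecked` line differs, a nested `#ifdef OPENSSL_IS_AWSLC` inside that `else` branch would avoid carrying two copies. The enclosing `#if` chain starts outside the hunk.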
@@ -227,6 +229,8 @@
 #define OSSL_PACKAGE "LibreSSL"
 #elif defined(OPENSSL_IS_BORINGSSL)
 #define OSSL_PACKAGE "BoringSSL"
+#elif defined(OPENSSL_IS_AWSLC)
+#define OSSL_PACKAGE "AWS-LC"
 #else
 #define OSSL_PACKAGE "OpenSSL"
 #endif
@@ -257,7 +261,8 @@
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
 !(defined(LIBRESSL_VERSION_NUMBER) && \
 LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_IS_BORINGSSL) && \
+ !defined(OPENSSL_IS_AWSLC)
 #define HAVE_OPENSSL_VERSION
 #endif
@@ -393,7 +398,7 @@ static void X509V3_ext(struct Curl_easy *data,
 }
 }
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef size_t numcert_t;
 #else
 typedef int numcert_t;
@@ -926,7 +931,7 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
 *buf = '\0';
 }
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 ERR_error_string_n((uint32_t)error, buf, size);
 #else
 ERR_error_string_n(error, buf, size);
@@ -2147,7 +2152,7 @@ ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
 if(altnames) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 size_t numalts;
 size_t i;
 #else
@@ -2716,7 +2721,9 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
 long curl_ssl_version_max;
 /* convert curl min SSL version option to OpenSSL constant */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (defined(OPENSSL_IS_BORINGSSL) || \
+ defined(OPENSSL_IS_AWSLC) || \
+ defined(LIBRESSL_VERSION_NUMBER))
 uint16_t ossl_ssl_version_min = 0;
 uint16_t ossl_ssl_version_max = 0;
 #else
@@ -2793,7 +2800,7 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
 }
 #endif
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef uint32_t ctx_option_t;
 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
 typedef uint64_t ctx_option_t;
@@ -3726,7 +3733,8 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
 SSL_set_tlsext_status_type(backend->handle, TLSEXT_STATUSTYPE_ocsp);
 #endif
-#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
+#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
+ defined(ALLOW_RENEG)
 SSL_set_renegotiate_mode(backend->handle, ssl_renegotiate_freely);
 #endif
@@ -3887,9 +3895,11 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
 }
 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
 !defined(LIBRESSL_VERSION_NUMBER) && \
- !defined(OPENSSL_IS_BORINGSSL))
+ !defined(OPENSSL_IS_BORINGSSL) && \
+ !defined(OPENSSL_IS_AWSLC))
+
 /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
- OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */
+ OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
 else if((lib == ERR_LIB_SSL) &&
 (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
 /* If client certificate is required, communicate the
@@ -4629,6 +4639,10 @@ static size_t ossl_version(char *buffer, size_t size)
 #else
 return msnprintf(buffer, size, OSSL_PACKAGE);
 #endif
+#elif defined(OPENSSL_IS_AWSLC)
+ return msnprintf(buffer, size, "%s/%s",
+ OSSL_PACKAGE,
+ AWSLC_VERSION_NUMBER_STRING);
 #elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
 return msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE,
 OpenSSL_version(OPENSSL_VERSION_STRING));
diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4
index e41569f37..b3a63225a 100644
--- a/m4/curl-openssl.m4
+++ b/m4/curl-openssl.m4
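Review bot: The new `#elif defined(OPENSSL_IS_AWSLC)` branch in ossl_version() uses `AWSLC_VERSION_NUMBER_STRING` unconditionally, whereas the BoringSSL branch directly above it guards its version macro and falls back to `return msnprintf(buffer, size, OSSL_PACKAGE);` when the macro is absent. If an AWS-LC header that defines `OPENSSL_IS_AWSLC` but not `AWSLC_VERSION_NUMBER_STRING` ever reaches this code, the AWS-LC build fails here instead of degrading the way the BoringSSL one does; whether AWS-LC guarantees the macro cannot be told from this diff. Mirroring the BoringSSL structure keeps the two branches consistent, and spelling the fallback as `"%s"` with the package name as an argument avoids handing a macro-expanded string to the format parameter as the existing BoringSSL fallback line does. ossl_version() starts outside the hunk.
```c
#elif defined(OPENSSL_IS_AWSLC)
#ifdef AWSLC_VERSION_NUMBER_STRING
  return msnprintf(buffer, size, "%s/%s",
                   OSSL_PACKAGE,
                   AWSLC_VERSION_NUMBER_STRING);
#else
  return msnprintf(buffer, size, "%s", OSSL_PACKAGE);
#endif
/* … unchanged: HAVE_OPENSSL_VERSION branch and the rest of ossl_version() … */
```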
@@ -279,6 +279,24 @@ if test "x$OPT_OPENSSL" != xno; then
 AC_MSG_RESULT([no])
 ])
+ AC_MSG_CHECKING([for AWS-LC])
+ AC_COMPILE_IFELSE([
+ AC_LANG_PROGRAM([[
+ #include <openssl/base.h>
+ ]],[[
+ #ifndef OPENSSL_IS_AWSLC
+ #error not AWS-LC
+ #endif
+ ]])
+ ],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED(HAVE_AWSLC, 1,
+ [Define to 1 if using AWS-LC.])
+ ssl_msg="AWS-LC"
+ ],[
+ AC_MSG_RESULT([no])
+ ])
+
 AC_MSG_CHECKING([for libressl])
 AC_COMPILE_IFELSE([
 AC_LANG_PROGRAM([[ |