openssl: interop with AWS-LC

* CMakeLists.txt changes to detect AWS-LC
* Compile-time branches needed to support AWS-LC
* GitHub Actions script to build with autoconf and cmake against AWS-LC

AWS-LC is a BoringSSL/OpenSSL derivative
For more information see https://github.com/awslabs/aws-lc/

.github/scripts/spellcheck.words

@@ -42,6 +42,11 @@ Automake
 Autotools
 autotools
 AVR
+AWS
+AWS-LC
+AWSLC
+aws-lc
+awslc
 axTLS
 backend
 backends

.github/workflows/awslc.yml

@@ -0,0 +1,106 @@
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# SPDX-License-Identifier: curl
+
+name: Linux
+
+on:
+  push:
+    branches:
+    - master
+    - '*/ci'
+    paths-ignore:
+    - '**/*.md'
+  pull_request:
+    branches:
+    - master
+    paths-ignore:
+    - '**/*.md'
+
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: awslc-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  autoconf:
+    name: awslc (autoconf)
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 30
+
+    steps:
+    - run: |
+        sudo apt-get update --yes
+        sudo apt-get install --yes libtool autoconf automake pkg-config stunnel4
+        # ensure we don't pick up openssl in this build
+        sudo apt remove --yes libssl-dev
+        sudo python3 -m pip install impacket
+      name: 'install prereqs and impacket'
+
+    - run: |
+        curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+        tar xzf v1.3.0.tar.gz
+        mkdir aws-lc-1.3.0-build
+        cd aws-lc-1.3.0-build
+        cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+        cmake --build . --parallel
+        cmake --install .
+      name: 'install awslc'
+
+    - uses: actions/checkout@v3
+
+    - run: autoreconf -fi
+      name: 'autoreconf'
+
+    - run: ./configure --enable-warnings --enable-werror --with-openssl=$HOME/awslc
+      name: 'configure'
+
+    - run: make -j 2 V=1
+      name: 'make'
+
+    - run: make -j 2 V=1 examples
+      name: 'make examples'
+
+    - run: make -j 2 V=1 -C tests
+      name: 'make tests'
+
+    - run: make V=1 test-ci
+      name: 'run tests'
+
+  cmake:
+    name: awslc (cmake)
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 15
+
+    steps:
+    - run: |
+        sudo apt-get update
+        sudo apt-get install cmake stunnel4
+        # ensure we don't pick up openssl in this build
+        sudo apt remove --yes libssl-dev
+        sudo python3 -m pip install impacket
+      name: 'install prereqs and impacket'
+
+    - run: |
+        curl -LO https://github.com/awslabs/aws-lc/archive/refs/tags/v1.3.0.tar.gz
+        tar xzf v1.3.0.tar.gz
+        mkdir aws-lc-1.3.0-build
+        cd aws-lc-1.3.0-build
+        cmake -DCMAKE_INSTALL_PREFIX=$HOME/awslc ../aws-lc-1.3.0
+        cmake --build . --parallel
+        cmake --install .
+      name: 'install awslc'
+
+    - uses: actions/checkout@v3
+
+    # CMAKE_COMPILE_WARNING_AS_ERROR is available in cmake 3.24 or later
+    - run: cmake -Bbuild -DOPENSSL_ROOT_DIR=$HOME/awslc -DBUILD_SHARED_LIBS=ON -DCMAKE_COMPILE_WARNING_AS_ERROR=ON .
+      name: 'cmake generate'
+
+    - run: cmake --build build --parallel
+      name: 'cmake build'
+
+    - run: cmake --install build --prefix $HOME/curl --strip
+      name: 'cmake install'

CMakeLists.txt

@@ -50,6 +50,7 @@
 #
 # The following variables are available:
 #   HAVE_RAND_EGD: `RAND_egd` present in OpenSSL
+#   HAVE_AWSLC: OpenSSL is AWS-LC
 #   HAVE_BORINGSSL: OpenSSL is BoringSSL
 #   HAVE_PK11_CREATEMANAGEDGENERICOBJECTL: `PK11_CreateManagedGenericObject` present in NSS
 #   HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL
@@ -459,14 +460,16 @@ if(CURL_USE_OPENSSL)
     list(APPEND CURL_LIBS ${OPENSSL_LIBRARIES})
     include_directories(${OPENSSL_INCLUDE_DIR})
   endif()
-
   set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
   if(NOT DEFINED HAVE_RAND_EGD)
     check_symbol_exists(RAND_egd "${CURL_INCLUDES}" HAVE_RAND_EGD)
   endif()
   if(NOT DEFINED HAVE_BORINGSSL)
     check_symbol_exists(OPENSSL_IS_BORINGSSL "openssl/base.h" HAVE_BORINGSSL)
   endif()
+  if(NOT DEFINED HAVE_AWSLC)
+    check_symbol_exists(OPENSSL_IS_AWSLC "openssl/base.h" HAVE_AWSLC)
+  endif()
 
   add_definitions(-DOPENSSL_SUPPRESS_DEPRECATED)
 endif()

docs/FAQ

@@ -422,7 +422,7 @@ FAQ
   backends.
 
   curl can be built to use one of the following SSL alternatives: OpenSSL,
-  libressl, BoringSSL, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
+  libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
   Transport (native iOS/OS X), Schannel (native Windows), GSKit (native IBM
   i), BearSSL, or Rustls. They all have their pros and cons, and we try to
   maintain a comparison of them here: https://curl.se/docs/ssl-compared.html

docs/INSTALL.md

@@ -135,7 +135,7 @@ These options are provided to select the TLS backend to use.
  - GnuTLS: `--with-gnutls`.
  - mbedTLS: `--with-mbedtls`
  - NSS: `--with-nss`
- - OpenSSL: `--with-openssl` (also for BoringSSL and libressl)
+ - OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, and libressl)
  - rustls: `--with-rustls`
  - Schannel: `--with-schannel`
  - Secure Transport: `--with-secure-transport`

docs/libcurl/libcurl-thread.3

@@ -67,6 +67,8 @@ The engine is used by libcurl in a way that is fully thread-safe.
 The engine is used by libcurl in a way that is fully thread-safe.
 .IP BoringSSL
 The engine is used by libcurl in a way that is fully thread-safe.
+.IP AWS-LC
+The engine is used by libcurl in a way that is fully thread-safe.
 .SH "Other areas of caution"
 .IP Signals
 Signals are used for timing out name resolves (during DNS lookup) - when built

docs/libcurl/symbols-in-versions

@@ -1015,6 +1015,7 @@ CURLSSH_AUTH_KEYBOARD           7.16.1
 CURLSSH_AUTH_NONE               7.16.1
 CURLSSH_AUTH_PASSWORD           7.16.1
 CURLSSH_AUTH_PUBLICKEY          7.16.1
+CURLSSLBACKEND_AWSLC            7.88.0
 CURLSSLBACKEND_AXTLS            7.38.0       7.61.0
 CURLSSLBACKEND_BEARSSL          7.68.0
 CURLSSLBACKEND_BORINGSSL        7.49.0

include/curl/curl.h

@@ -173,8 +173,9 @@ typedef enum {
 } curl_sslbackend;
 
 /* aliases for library clones and renames */
-#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_AWSLC CURLSSLBACKEND_OPENSSL
 #define CURLSSLBACKEND_BORINGSSL CURLSSLBACKEND_OPENSSL
+#define CURLSSLBACKEND_LIBRESSL CURLSSLBACKEND_OPENSSL
 
 /* deprecated names: */
 #define CURLSSLBACKEND_CYASSL CURLSSLBACKEND_WOLFSSL

lib/curl_ntlm_core.c

@@ -82,6 +82,10 @@
 #    define DES_ecb_encrypt des_ecb_encrypt
 #    define DESKEY(x) x
 #    define DESKEYARG(x) x
+#  elif defined(OPENSSL_IS_AWSLC)
+#    define DES_set_key_unchecked (void)DES_set_key
+#    define DESKEYARG(x) *x
+#    define DESKEY(x) &x
 #  else
 #    define DESKEYARG(x) *x
 #    define DESKEY(x) &x

lib/vtls/openssl.c

@@ -207,8 +207,10 @@
 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
      !defined(LIBRESSL_VERSION_NUMBER) &&       \
      !defined(OPENSSL_IS_BORINGSSL))
-#define HAVE_SSL_CTX_SET_CIPHERSUITES
-#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+  #define HAVE_SSL_CTX_SET_CIPHERSUITES
+  #if !defined(OPENSSL_IS_AWSLC)
+    #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+  #endif
 #endif
 
 /*
@@ -397,7 +399,11 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
   CURLcode result;
   STACK_OF(X509) *sk;
   int i;
+#if defined(OPENSSL_IS_AWSLC)
+  size_t numcerts;
+#else
   numcert_t numcerts;
+#endif
   BIO *mem;
 
   DEBUGASSERT(ssl);
@@ -907,7 +913,7 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
     *buf = '\0';
   }
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
   ERR_error_string_n((uint32_t)error, buf, size);
 #else
   ERR_error_string_n(error, buf, size);
@@ -2198,7 +2204,7 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
   altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
 
   if(altnames) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     size_t numalts;
     size_t i;
 #else
@@ -2773,7 +2779,9 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
   long curl_ssl_version_max;
 
   /* convert curl min SSL version option to OpenSSL constant */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (defined(OPENSSL_IS_BORINGSSL)  || \
+     defined(OPENSSL_IS_AWSLC)      || \
+     defined(LIBRESSL_VERSION_NUMBER))
   uint16_t ossl_ssl_version_min = 0;
   uint16_t ossl_ssl_version_max = 0;
 #else
@@ -2850,7 +2858,7 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
 }
 #endif
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 typedef uint32_t ctx_option_t;
 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
 typedef uint64_t ctx_option_t;
@@ -3980,9 +3988,10 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
       }
 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
     !defined(LIBRESSL_VERSION_NUMBER) && \
-    !defined(OPENSSL_IS_BORINGSSL))
+    !defined(OPENSSL_IS_BORINGSSL) && \
+    !defined(OPENSSL_IS_AWSLC))
       /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
-         OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */
+         OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
       else if((lib == ERR_LIB_SSL) &&
               (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
           /* If client certificate is required, communicate the

tests/CI.md

@@ -97,7 +97,7 @@ are run at [curl.zuul.vexxhost.dev](https://curl.zuul.vexxhost.dev/builds):
 
 - Source code is formatted according to expectations (`make checksrc`).
 - Curl compiled with a number of different TLS configurations (WolfSSL, rustls,
-BoringSSL, etc).
+BoringSSL, AWS-LC, etc).
 - Curl compiled with different C compilers.
 
 As of November 2021, the tests run (sometimes) but do not run consistently and