Merge branch 'main' into x509-path-length

Author: justsmth

.github/docker_images/cmake_build_versions/cmake_build.sh

@@ -15,15 +15,8 @@ NUM_CPU_THREADS=$(grep -c ^processor /proc/cpuinfo)
 # For older versions, we use CMake's bundled curl instead of the system curl.
 CONFIGURE_OPTS="--prefix=/opt/cmake --system-libarchive"
 
-if [[ "${CMAKE_VERSION}" =~ ^[0-3]\. ]]; then
-    # CMake versions 3.x and earlier: use bundled curl to avoid compatibility issues
-    echo "Using bundled curl for CMake ${CMAKE_VERSION}"
-else
-    # CMake 4.0 and later: safe to use system curl
-    echo "Using system curl for CMake ${CMAKE_VERSION}"
-    CONFIGURE_OPTS="${CONFIGURE_OPTS} --system-curl"
-fi
+echo "Using bundled curl for CMake ${CMAKE_VERSION}"
 
 ./configure ${CONFIGURE_OPTS}
 make -j"${NUM_CPU_THREADS}"
-make install
+make install

.github/workflows/linux_x86_omnibus.yml

@@ -112,6 +112,24 @@ jobs:
             source /opt/compiler-env/setup-clang-9.sh
             ./tests/ci/run_install_shared_and_static.sh
 
+  dist_pkg_tests:
+    runs-on:
+      - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+        image:linux-5.0
+        instance-size:small
+    steps:
+      - uses: actions/checkout@v5
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - uses: ./.github/actions/codebuild-docker-run
+        name: Run Container
+        with:
+          image: ${{ steps.login-ecr.outputs.registry }}/aws-lc/ubuntu:20.04
+          run: |
+            source /opt/compiler-env/setup-clang-9.sh
+            ./tests/ci/run_dist_pkg_tests.sh
+
   # Build and test aws-lc without Perl/Go.
   minimal_tests:
     name: minimal-${{ matrix.image }}-${{ matrix.compiler }}-x86_64

.gitignore

@@ -4,6 +4,7 @@ build/
 build32/
 build64/
 build-*/
+build_*/
 *_BUILD_ROOT/
 ssl/test/runner/runner
 *.pyc

CMakeLists.txt

@@ -5,7 +5,7 @@ cmake_policy(SET CMP0091 NEW)
 endif()
 
 set(SOFTWARE_NAME "awslc")
-set(SOFTWARE_VERSION "1.69.0")
+set(SOFTWARE_VERSION "1.70.0")
 set(ABI_VERSION 0)
 set(CRYPTO_LIB_NAME "crypto")
 set(SSL_LIB_NAME "ssl")
@@ -19,6 +19,26 @@ set(REPORTED_PKGCONFIG_VERSION "1.1.1")
 # Defer enabling C and CXX languages.
 project(AWSLC VERSION "${SOFTWARE_VERSION}" LANGUAGES NONE)
 
+if(DEFINED ENABLE_PRE_SONAME_BUILD)
+  message(WARNING "ENABLE_PRE_SONAME_BUILD option will be deprecated in a future release. Please see ENABLE_DIST_PKG and ENABLE_DIST_PKG_OPENSSL_SHIM")
+endif()
+
+option(BUILD_TESTING "Build all test targets for AWS-LC" ON)
+option(BUILD_LIBSSL "Build libssl for AWS-LC" ON)
+option(BUILD_TOOL "Build bssl tool for AWS-LC" ON)
+option(DISABLE_PERL "Disable Perl for AWS-LC" OFF)
+option(DISABLE_GO "Disable Go for AWS-LC" OFF)
+# Keeping this flag for now, for compatibility with existing build configs.
+option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF)
+option(ENABLE_DATA_INDEPENDENT_TIMING "Enable automatic setting/resetting Data-Independent Timing
+(DIT) flag in cryptographic functions. Currently only applicable to Arm64 (except on Windows)" OFF)
+option(ENABLE_PRE_SONAME_BUILD "Build AWS-LC without SONAME configuration for shared library builds" ON)
+option(ENABLE_SOURCE_MODIFICATION "Allow the build to update files in the source directory. This is typically done to update versioning." ON)
+option(DISABLE_CPU_JITTER_ENTROPY "Disable usage of CPU Jitter Entropy as an entropy source. This option cannot be used with the FIPS build. With this configuration, randomness generation might not use two independent entropy sources." OFF)
+option(GENERATE_RUST_BINDINGS "Generate Rust bindings using bindgen-cli" OFF)
+option(ENABLE_DIST_PKG "Enables a set of packaging that take highest precedence to any other packaging configuration i.e. ENABLE_PRE_SONAME_BUILD" OFF)
+option(ENABLE_DIST_PKG_OPENSSL_SHIM "Controls whether the OpenSSL shim components are installed when ENABLE_DIST_PKG is enabled" OFF)
+
 if(MSVC)
   # On Windows, prefer cl over gcc if both are available. By default most of
   # the CMake generators prefer gcc, even on Windows.
@@ -52,6 +72,62 @@ if(POLICY CMP0077)
   cmake_policy(SET CMP0077 NEW) #option does nothing when a normal variable of the same name exists.
 endif()
 
+set(RUST_BINDINGS_TARGET_VERSION "1.70" CACHE STRING "Minimum Rust version for generated bindings")
+
+include(cmake/go.cmake)
+
+if(ENABLE_DIST_PKG_OPENSSL_SHIM AND NOT ENABLE_DIST_PKG)
+  message(FATAL_ERROR "ENABLE_DIST_PKG_OPENSSL_SHIM requires ENABLE_DIST_PKG to be enabled and will be ignored.")
+endif()
+
+if(ENABLE_DIST_PKG)
+  if(NOT UNIX OR APPLE)
+    message(FATAL_ERROR "ENABLE_DIST_PKG is not supported on macOS or Windows and will be ignored.")
+  else()
+    set(SET_LIB_SONAME 1)
+    set(COHABITANT_HEADERS 1)
+    if(ENABLE_DIST_PKG_OPENSSL_SHIM)
+      set(INSTALL_OPENSSL_SHIM 1)
+    else()
+      set(INSTALL_OPENSSL_SHIM 0)
+    endif()
+  endif()
+elseif(NOT ENABLE_PRE_SONAME_BUILD AND BUILD_SHARED_LIBS AND UNIX AND NOT APPLE)
+  set(SET_LIB_SONAME 1)
+  set(COHABITANT_HEADERS 0)
+  set(INSTALL_OPENSSL_SHIM 1)
+else()
+  set(SET_LIB_SONAME 0)
+  set(COHABITANT_HEADERS 0)
+  set(INSTALL_OPENSSL_SHIM 1)
+endif()
+
+message(STATUS "SET_LIB_SONAME: ${SET_LIB_SONAME}")
+message(STATUS "COHABITANT_HEADERS: ${COHABITANT_HEADERS}")
+message(STATUS "INSTALL_OPENSSL_SHIM: ${INSTALL_OPENSSL_SHIM}")
+
+if(SET_LIB_SONAME)
+  set(CRYPTO_LIB_NAME "${CRYPTO_LIB_NAME}-${SOFTWARE_NAME}")
+  set(SSL_LIB_NAME "${SSL_LIB_NAME}-${SOFTWARE_NAME}")
+endif()
+
+enable_language(C)
+
+if (NOT WIN32 AND NOT APPLE)
+  include(GNUInstallDirs)
+elseif(NOT DEFINED CMAKE_INSTALL_LIBDIR)
+  set(CMAKE_INSTALL_LIBDIR "lib")
+  set(CMAKE_INSTALL_INCLUDEDIR "include")
+  set(CMAKE_INSTALL_BINDIR "bin")
+endif()
+
+# Set the install include directory based on whether a prefix subdirectory is desired
+if(COHABITANT_HEADERS)
+  set(AWSLC_INSTALL_INCLUDEDIR "${CMAKE_INSTALL_INCLUDEDIR}/aws-lc")
+else()
+  set(AWSLC_INSTALL_INCLUDEDIR "${CMAKE_INSTALL_INCLUDEDIR}")
+endif()
+
 function(target_add_awslc_include_paths)
   set(options EXCLUDE_PREFIX_HEADERS)
   set(oneValueArgs TARGET SCOPE)
@@ -81,39 +157,9 @@ function(target_add_awslc_include_paths)
   target_include_directories(${arg_TARGET} BEFORE ${arg_SCOPE}
     $<$<BOOL:${INCLUDE_PREFIX_HEADERS}>:$<BUILD_INTERFACE:${AWSLC_BINARY_DIR}/symbol_prefix_include>>
     $<BUILD_INTERFACE:${AWSLC_SOURCE_DIR}/include>
-    $<INSTALL_INTERFACE:include>)
+    $<INSTALL_INTERFACE:${AWSLC_INSTALL_INCLUDEDIR}>)
 endfunction()
 
-option(BUILD_TESTING "Build all test targets for AWS-LC" ON)
-option(BUILD_LIBSSL "Build libssl for AWS-LC" ON)
-option(BUILD_TOOL "Build bssl tool for AWS-LC" ON)
-option(DISABLE_PERL "Disable Perl for AWS-LC" OFF)
-option(DISABLE_GO "Disable Go for AWS-LC" OFF)
-# Keeping this flag for now, for compatibility with existing build configs.
-option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF)
-option(ENABLE_DATA_INDEPENDENT_TIMING "Enable automatic setting/resetting Data-Independent Timing
-(DIT) flag in cryptographic functions. Currently only applicable to Arm64 (except on Windows)" OFF)
-option(ENABLE_PRE_SONAME_BUILD "Build AWS-LC without SONAME configuration for shared library builds" ON)
-option(ENABLE_SOURCE_MODIFICATION "Allow the build to update files in the source directory. This is typically done to update versioning." ON)
-option(DISABLE_CPU_JITTER_ENTROPY "Disable usage of CPU Jitter Entropy as an entropy source. This option cannot be used with the FIPS build. With this configuration, randomness generation might not use two independent entropy sources." OFF)
-option(GENERATE_RUST_BINDINGS "Generate Rust bindings using bindgen-cli" OFF)
-set(RUST_BINDINGS_TARGET_VERSION "1.70" CACHE STRING "Minimum Rust version for generated bindings")
-
-include(cmake/go.cmake)
-
-if(NOT ENABLE_PRE_SONAME_BUILD AND BUILD_SHARED_LIBS AND UNIX AND NOT APPLE)
-  set(PERFORM_SONAME_BUILD 1)
-  set(CRYPTO_LIB_NAME "${CRYPTO_LIB_NAME}-${SOFTWARE_NAME}")
-  set(SSL_LIB_NAME "${SSL_LIB_NAME}-${SOFTWARE_NAME}")
-else()
-  set(PERFORM_SONAME_BUILD 0)
-endif()
-
-message(STATUS "ENABLE_PRE_SONAME_BUILD: ${ENABLE_PRE_SONAME_BUILD}")
-message(STATUS "PERFORM_SONAME_BUILD: ${PERFORM_SONAME_BUILD}")
-
-enable_language(C)
-
 # Validate Rust bindings prerequisites
 if(GENERATE_RUST_BINDINGS)
   find_program(BINDGEN_EXECUTABLE NAMES bindgen)
@@ -168,8 +214,6 @@ else()
   message(STATUS "Entropy source configured: Dynamic (default: CPU Jitter)")
 endif()
 
-
-
 if(${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
   # OpenBSD by defaults links with --execute-only this is problematic for two reasons:
   # 1. The FIPS shared and static builds need to compute the module signature hash by reading the .text section
@@ -254,16 +298,8 @@ elseif(CMAKE_C_COMPILER_ID MATCHES "GNU")
   set(GCC 1)
 endif()
 
-if (NOT WIN32 AND NOT APPLE)
-  include(GNUInstallDirs)
-elseif(NOT DEFINED CMAKE_INSTALL_LIBDIR)
-  set(CMAKE_INSTALL_LIBDIR "lib")
-  set(CMAKE_INSTALL_INCLUDEDIR "include")
-  set(CMAKE_INSTALL_BINDIR "bin")
-endif()
-
 install(DIRECTORY include/openssl
-        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+        DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
         COMPONENT Development
         PATTERN boringssl_prefix_symbols.h EXCLUDE
         PATTERN boringssl_prefix_symbols_asm.h EXCLUDE
@@ -364,7 +400,7 @@ if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND GO_EXECUTABLE)
             symbol_prefix_include/openssl/boringssl_prefix_symbols_nasm.inc)
 
   install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
   )
 elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_HEADERS)
@@ -384,7 +420,7 @@ elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_HEADERS)
   add_custom_target(boringssl_prefix_symbols)
 
   install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
   )
 elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND NOT GO_EXECUTABLE)
@@ -398,7 +434,7 @@ else()
   add_custom_target(boringssl_prefix_symbols)
 
   install(DIRECTORY include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
           FILES_MATCHING
           PATTERN boringssl_prefix_symbols.h
@@ -1233,6 +1269,26 @@ if(NOT DISABLE_CPU_JITTER_ENTROPY)
   add_subdirectory(third_party/jitterentropy)
 endif()
 
+# CMAKE_SYSTEM_NAME is "Generic" for embedded OSes:
+# https://cmake.org/cmake/help/book/mastering-cmake/chapter/Cross%20Compiling%20With%20CMake.html#toolchain-files
+#
+# For now we assume embedded OSes do not have threads. Additionally, the Threads
+# package does not work with Android, but Android does not require any extra
+# parameters to link pthreads. Emscripten provides its own pthread implementation
+# via Web Workers and SharedArrayBuffer, configured through compiler flags.
+if(NOT CMAKE_SYSTEM_NAME MATCHES "^(Generic|Android|Emscripten)$")
+  find_package(Threads REQUIRED)
+  set(AWSLC_LINK_THREADS TRUE)
+  # CMAKE_THREAD_LIBS_INIT contains the actual linker flags (e.g., -lpthread)
+  # set by find_package(Threads). Use this for pkgconfig instead of the
+  # imported target name.
+  set(PKGCONFIG_LIBS_PRIVATE "${CMAKE_THREAD_LIBS_INIT}")
+else()
+  set(AWSLC_LINK_THREADS FALSE)
+  set(PKGCONFIG_LIBS_PRIVATE "")
+endif()
+
+
 add_subdirectory(crypto)
 if(BUILD_LIBSSL)
   add_subdirectory(ssl)
@@ -1460,21 +1516,23 @@ if(NOT MSVC AND NOT CLANG AND NOT GCC)
   message(STATUS "Alternative compiler '${CMAKE_C_COMPILER_ID}' detected. Not all flags may be set, check final options with 'cmake --build . -- VERBOSE=1'")
 endif()
 
-# AWS-LC may be installed in a non-standard prefix. If OpenSSL exists in the standard path,
-# the downstream integration may build with the system's OpenSSL version instead.
-# Consider adjusting the PKG_CONFIG_PATH environment to get around this.
-file(GLOB OPENSSL_PKGCONFIGS "pkgconfig/*.pc.in")
-
 include(cmake/JoinPaths.cmake)
-join_paths(libdir_for_pc_file "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
-join_paths(includedir_for_pc_file "\${prefix}" "${CMAKE_INSTALL_INCLUDEDIR}")
-
-foreach(in_file ${OPENSSL_PKGCONFIGS})
-  file(RELATIVE_PATH in_file ${AWSLC_SOURCE_DIR} ${in_file})
-  string(REPLACE ".in" "" pc_file ${in_file})
-  configure_file(${in_file} ${CMAKE_CURRENT_BINARY_DIR}/${pc_file} @ONLY)
-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${pc_file} DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
-endforeach()
+join_paths(LIBDIR_FOR_PC_FILE "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
+join_paths(INCLUDEDIR_FOR_PC_FILE "\${prefix}" "${AWSLC_INSTALL_INCLUDEDIR}")
+
+function(install_pkgconfig_file)
+  set(options "")
+  set(oneValueArgs TEMPLATE DEST)
+  set(multiValueArgs)
+  if(CMAKE_VERSION VERSION_LESS "3.7")
+    cmake_parse_arguments(arg "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+  else()
+    cmake_parse_arguments(PARSE_ARGV 0 arg "${options}" "${oneValueArgs}" "${multiValueArgs}")
+  endif()
+
+  configure_file(pkgconfig/${arg_TEMPLATE} ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig/${arg_DEST} @ONLY)
+  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig/${arg_DEST} DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+endfunction()
 
 if(ENABLE_SOURCE_MODIFICATION)
   configure_file(include/openssl/base.h.in ${AWSLC_SOURCE_DIR}/include/openssl/base.h @ONLY)
@@ -1483,3 +1541,42 @@ if(ENABLE_SOURCE_MODIFICATION)
     configure_file(util/check-linkage.sh.in check-linkage.sh @ONLY)
   endif()
 endif()
+
+install_pkgconfig_file(TEMPLATE product.pc.in DEST aws-lc.pc)
+install_pkgconfig_file(TEMPLATE libcrypto.pc.in DEST lib${CRYPTO_LIB_NAME}.pc)
+install_pkgconfig_file(TEMPLATE libssl.pc.in DEST lib${SSL_LIB_NAME}.pc)
+
+if(INSTALL_OPENSSL_SHIM)
+  install_pkgconfig_file(TEMPLATE product.pc.in DEST openssl.pc)
+
+  # Create OpenSSL compatibility symlinks
+  if(BUILD_SHARED_LIBS)
+    if(SET_LIB_SONAME)
+      # When SONAME build is enabled, libraries have -awslc suffix
+      install(CODE "
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${CRYPTO_LIB_NAME}.so \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libcrypto.so\")
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${SSL_LIB_NAME}.so \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libssl.so\")
+      ")
+    endif()
+  else()
+    if(SET_LIB_SONAME)
+      # When SONAME build is enabled, libraries have -awslc suffix
+      install(CODE "
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${CRYPTO_LIB_NAME}.a \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libcrypto.a\")
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${SSL_LIB_NAME}.a \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libssl.a\")
+      " COMPONENT Development)
+    endif()
+  endif()
+
+  if(COHABITANT_HEADERS)
+    # Always create the include directory symlink for OpenSSL compatibility
+    install(CODE "
+      execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+        aws-lc/openssl \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}/openssl\")
+    " COMPONENT Development)
+  endif()
+endif()