Distribution Packaging Improvements

Author: skmcgrail

.github/workflows/linux_x86_omnibus.yml

@@ -112,6 +112,24 @@ jobs:
             source /opt/compiler-env/setup-clang-9.sh
             ./tests/ci/run_install_shared_and_static.sh
 
+  dist_pkg_tests:
+    runs-on:
+      - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+        image:linux-5.0
+        instance-size:small
+    steps:
+      - uses: actions/checkout@v5
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - uses: ./.github/actions/codebuild-docker-run
+        name: Run Container
+        with:
+          image: ${{ steps.login-ecr.outputs.registry }}/aws-lc/ubuntu:20.04
+          run: |
+            source /opt/compiler-env/setup-clang-9.sh
+            ./tests/ci/run_dist_pkg_tests.sh
+
   # Build and test aws-lc without Perl/Go.
   minimal_tests:
     name: minimal-${{ matrix.image }}-${{ matrix.compiler }}-x86_64

CMakeLists.txt

@@ -19,6 +19,22 @@ set(REPORTED_PKGCONFIG_VERSION "1.1.1")
 # Defer enabling C and CXX languages.
 project(AWSLC VERSION "${SOFTWARE_VERSION}" LANGUAGES NONE)
 
+option(BUILD_TESTING "Build all test targets for AWS-LC" ON)
+option(BUILD_LIBSSL "Build libssl for AWS-LC" ON)
+option(BUILD_TOOL "Build bssl tool for AWS-LC" ON)
+option(DISABLE_PERL "Disable Perl for AWS-LC" OFF)
+option(DISABLE_GO "Disable Go for AWS-LC" OFF)
+# Keeping this flag for now, for compatibility with existing build configs.
+option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF)
+option(ENABLE_DATA_INDEPENDENT_TIMING "Enable automatic setting/resetting Data-Independent Timing
+(DIT) flag in cryptographic functions. Currently only applicable to Arm64 (except on Windows)" OFF)
+option(ENABLE_PRE_SONAME_BUILD "Build AWS-LC without SONAME configuration for shared library builds" ON)
+option(ENABLE_SOURCE_MODIFICATION "Allow the build to update files in the source directory. This is typically done to update versioning." ON)
+option(DISABLE_CPU_JITTER_ENTROPY "Disable usage of CPU Jitter Entropy as an entropy source. This option cannot be used with the FIPS build. With this configuration, randomness generation might not use two independent entropy sources." OFF)
+option(GENERATE_RUST_BINDINGS "Generate Rust bindings using bindgen-cli" OFF)
+option(ENABLE_DIST_PKG "Enables a set of packaging that take highest presedence to any other packaging configuration i.e. ENABLE_PRE_SONAME_BUILD" OFF)
+option(ENABLE_DIST_PKG_OPENSSL_SHIM "Controls whether the OpenSSL shim componenets are installed when ENABLE_DIST_PKG is enabled" OFF)
+
 if(MSVC)
   # On Windows, prefer cl over gcc if both are available. By default most of
   # the CMake generators prefer gcc, even on Windows.
@@ -52,6 +68,52 @@ if(POLICY CMP0077)
   cmake_policy(SET CMP0077 NEW) #option does nothing when a normal variable of the same name exists.
 endif()
 
+set(RUST_BINDINGS_TARGET_VERSION "1.70" CACHE STRING "Minimum Rust version for generated bindings")
+
+include(cmake/go.cmake)
+
+if(ENABLE_DIST_PKG AND UNIX AND NOT APPLE)
+  set(SET_LIB_SONAME 1)
+  set(COHABITANT_HEADERS 1)
+  if(ENABLE_DIST_PKG_OPENSSL_SHIM)
+    set(INSTALL_OPENSSL_SHIM 1)
+  else()
+    set(INSTALL_OPENSSL_SHIM 0)
+  endif()
+elseif(NOT ENABLE_PRE_SONAME_BUILD AND BUILD_SHARED_LIBS AND UNIX AND NOT APPLE)
+  set(SET_LIB_SONAME 1)
+  set(COHABITANT_HEADERS 0)
+  set(INSTALL_OPENSSL_SHIM 1)
+else()
+  set(SET_LIB_SONAME 0)
+  set(COHABITANT_HEADERS 0)
+  set(INSTALL_OPENSSL_SHIM 1)
+endif()
+
+if(SET_LIB_SONAME)
+  set(CRYPTO_LIB_NAME "${CRYPTO_LIB_NAME}-${SOFTWARE_NAME}")
+  set(SSL_LIB_NAME "${SSL_LIB_NAME}-${SOFTWARE_NAME}")
+endif()
+
+if (NOT WIN32 AND NOT APPLE)
+  include(GNUInstallDirs)
+elseif(NOT DEFINED CMAKE_INSTALL_LIBDIR)
+  set(CMAKE_INSTALL_LIBDIR "lib")
+  set(CMAKE_INSTALL_INCLUDEDIR "include")
+  set(CMAKE_INSTALL_BINDIR "bin")
+endif()
+
+# Set the install include directory based on whether a prefix subdirectory is desired
+if(COHABITANT_HEADERS)
+  set(AWSLC_INSTALL_INCLUDEDIR "${CMAKE_INSTALL_INCLUDEDIR}/aws-lc")
+else()
+  set(AWSLC_INSTALL_INCLUDEDIR "${CMAKE_INSTALL_INCLUDEDIR}")
+endif()
+
+if(NOT ENABLE_PRE_SONAME_BUILD)
+message(WARNING "ENABLE_PRE_SONAME_BUILD option will be deprecated in a future release. Please see ENABLE_DIST_PKG and ENABLE_DIST_PKG_OPENSSL_SHIM")
+endif()
+
 function(target_add_awslc_include_paths)
   set(options EXCLUDE_PREFIX_HEADERS)
   set(oneValueArgs TARGET SCOPE)
@@ -81,37 +143,9 @@ function(target_add_awslc_include_paths)
   target_include_directories(${arg_TARGET} BEFORE ${arg_SCOPE}
     $<$<BOOL:${INCLUDE_PREFIX_HEADERS}>:$<BUILD_INTERFACE:${AWSLC_BINARY_DIR}/symbol_prefix_include>>
     $<BUILD_INTERFACE:${AWSLC_SOURCE_DIR}/include>
-    $<INSTALL_INTERFACE:include>)
+    $<INSTALL_INTERFACE:${AWSLC_INSTALL_INCLUDEDIR}>)
 endfunction()
 
-option(BUILD_TESTING "Build all test targets for AWS-LC" ON)
-option(BUILD_LIBSSL "Build libssl for AWS-LC" ON)
-option(BUILD_TOOL "Build bssl tool for AWS-LC" ON)
-option(DISABLE_PERL "Disable Perl for AWS-LC" OFF)
-option(DISABLE_GO "Disable Go for AWS-LC" OFF)
-# Keeping this flag for now, for compatibility with existing build configs.
-option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF)
-option(ENABLE_DATA_INDEPENDENT_TIMING "Enable automatic setting/resetting Data-Independent Timing
-(DIT) flag in cryptographic functions. Currently only applicable to Arm64 (except on Windows)" OFF)
-option(ENABLE_PRE_SONAME_BUILD "Build AWS-LC without SONAME configuration for shared library builds" ON)
-option(ENABLE_SOURCE_MODIFICATION "Allow the build to update files in the source directory. This is typically done to update versioning." ON)
-option(DISABLE_CPU_JITTER_ENTROPY "Disable usage of CPU Jitter Entropy as an entropy source. This option cannot be used with the FIPS build. With this configuration, randomness generation might not use two independent entropy sources." OFF)
-option(GENERATE_RUST_BINDINGS "Generate Rust bindings using bindgen-cli" OFF)
-set(RUST_BINDINGS_TARGET_VERSION "1.70" CACHE STRING "Minimum Rust version for generated bindings")
-
-include(cmake/go.cmake)
-
-if(NOT ENABLE_PRE_SONAME_BUILD AND BUILD_SHARED_LIBS AND UNIX AND NOT APPLE)
-  set(PERFORM_SONAME_BUILD 1)
-  set(CRYPTO_LIB_NAME "${CRYPTO_LIB_NAME}-${SOFTWARE_NAME}")
-  set(SSL_LIB_NAME "${SSL_LIB_NAME}-${SOFTWARE_NAME}")
-else()
-  set(PERFORM_SONAME_BUILD 0)
-endif()
-
-message(STATUS "ENABLE_PRE_SONAME_BUILD: ${ENABLE_PRE_SONAME_BUILD}")
-message(STATUS "PERFORM_SONAME_BUILD: ${PERFORM_SONAME_BUILD}")
-
 enable_language(C)
 
 # Validate Rust bindings prerequisites
@@ -168,8 +202,6 @@ else()
   message(STATUS "Entropy source configured: Dynamic (default: CPU Jitter)")
 endif()
 
-
-
 if(${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
   # OpenBSD by defaults links with --execute-only this is problematic for two reasons:
   # 1. The FIPS shared and static builds need to compute the module signature hash by reading the .text section
@@ -254,16 +286,8 @@ elseif(CMAKE_C_COMPILER_ID MATCHES "GNU")
   set(GCC 1)
 endif()
 
-if (NOT WIN32 AND NOT APPLE)
-  include(GNUInstallDirs)
-elseif(NOT DEFINED CMAKE_INSTALL_LIBDIR)
-  set(CMAKE_INSTALL_LIBDIR "lib")
-  set(CMAKE_INSTALL_INCLUDEDIR "include")
-  set(CMAKE_INSTALL_BINDIR "bin")
-endif()
-
 install(DIRECTORY include/openssl
-        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+        DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
         COMPONENT Development
         PATTERN boringssl_prefix_symbols.h EXCLUDE
         PATTERN boringssl_prefix_symbols_asm.h EXCLUDE
@@ -364,7 +388,7 @@ if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND GO_EXECUTABLE)
             symbol_prefix_include/openssl/boringssl_prefix_symbols_nasm.inc)
 
   install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
   )
 elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_HEADERS)
@@ -384,7 +408,7 @@ elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_HEADERS)
   add_custom_target(boringssl_prefix_symbols)
 
   install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
   )
 elseif(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS AND NOT GO_EXECUTABLE)
@@ -398,7 +422,7 @@ else()
   add_custom_target(boringssl_prefix_symbols)
 
   install(DIRECTORY include/openssl
-          DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+          DESTINATION ${AWSLC_INSTALL_INCLUDEDIR}
           COMPONENT Development
           FILES_MATCHING
           PATTERN boringssl_prefix_symbols.h
@@ -1466,15 +1490,22 @@ endif()
 file(GLOB OPENSSL_PKGCONFIGS "pkgconfig/*.pc.in")
 
 include(cmake/JoinPaths.cmake)
-join_paths(libdir_for_pc_file "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
-join_paths(includedir_for_pc_file "\${prefix}" "${CMAKE_INSTALL_INCLUDEDIR}")
-
-foreach(in_file ${OPENSSL_PKGCONFIGS})
-  file(RELATIVE_PATH in_file ${AWSLC_SOURCE_DIR} ${in_file})
-  string(REPLACE ".in" "" pc_file ${in_file})
-  configure_file(${in_file} ${CMAKE_CURRENT_BINARY_DIR}/${pc_file} @ONLY)
-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${pc_file} DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
-endforeach()
+join_paths(LIBDIR_FOR_PC_FILE "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
+join_paths(INCLUDEDIR_FOR_PC_FILE "\${prefix}" "${AWSLC_INSTALL_INCLUDEDIR}")
+
+function(install_pkgconfig_file)
+  set(options "")
+  set(oneValueArgs TEMPLATE DEST)
+  set(multiValueArgs)
+  if(CMAKE_VERSION VERSION_LESS "3.7")
+    cmake_parse_arguments(arg "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
+  else()
+    cmake_parse_arguments(PARSE_ARGV 0 arg "${options}" "${oneValueArgs}" "${multiValueArgs}")
+  endif()
+
+  configure_file(pkgconfig/${arg_TEMPLATE} ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig/${arg_DEST} @ONLY)
+  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig/${arg_DEST} DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+endfunction()
 
 if(ENABLE_SOURCE_MODIFICATION)
   configure_file(include/openssl/base.h.in ${AWSLC_SOURCE_DIR}/include/openssl/base.h @ONLY)
@@ -1483,3 +1514,42 @@ if(ENABLE_SOURCE_MODIFICATION)
     configure_file(util/check-linkage.sh.in check-linkage.sh @ONLY)
   endif()
 endif()
+
+install_pkgconfig_file(TEMPLATE product.pc.in DEST aws-lc.pc)
+install_pkgconfig_file(TEMPLATE libcrypto.pc.in DEST lib${CRYPTO_LIB_NAME}.pc)
+install_pkgconfig_file(TEMPLATE libssl.pc.in DEST lib${SSL_LIB_NAME}.pc)
+
+if(INSTALL_OPENSSL_SHIM)
+  install_pkgconfig_file(TEMPLATE product.pc.in DEST openssl.pc)
+
+  # Create OpenSSL compatibility symlinks
+  if(BUILD_SHARED_LIBS)
+    if(SET_LIB_SONAME)
+      # When SONAME build is enabled, libraries have -awslc suffix
+      install(CODE "
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${CRYPTO_LIB_NAME}.so \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libcrypto.so\")
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${SSL_LIB_NAME}.so \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libssl.so\")
+      ")
+    endif()
+  else()
+    if(SET_LIB_SONAME)
+      # When SONAME build is enabled, libraries have -awslc suffix
+      install(CODE "
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${CRYPTO_LIB_NAME}.a \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libcrypto.a\")
+        execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+          lib${SSL_LIB_NAME}.a \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libssl.a\")
+      " COMPONENT Development)
+    endif()
+  endif()
+
+  if(COHABITANT_HEADERS)
+    # Always create the include directory symlink for OpenSSL compatibility
+    install(CODE "
+      execute_process(COMMAND \${CMAKE_COMMAND} -E create_symlink
+        aws-lc/openssl \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}/openssl\")
+    " COMPONENT Development)
+  endif()
+endif()

crypto/CMakeLists.txt

@@ -618,7 +618,7 @@ function(build_libcrypto)
     set_target_properties(${arg_NAME} PROPERTIES OUTPUT_NAME "${CRYPTO_LIB_NAME}")
   endif()
 
-  if(PERFORM_SONAME_BUILD)
+  if(SET_LIB_SONAME)
     set_target_properties(${arg_NAME} PROPERTIES
       VERSION "${SOFTWARE_VERSION}"
       SOVERSION "${ABI_VERSION}")
@@ -918,12 +918,19 @@ if(BUILD_TESTING)
 
 endif()
 
-install(TARGETS crypto
-        EXPORT crypto-targets
-        ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
-        LIBRARY
-          DESTINATION ${CMAKE_INSTALL_LIBDIR}
-          NAMELINK_SKIP)
+if(NOT CMAKE_VERSION VERSION_LESS "3.12")
+  install(TARGETS crypto
+          EXPORT crypto-targets
+          ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+          LIBRARY
+            DESTINATION ${CMAKE_INSTALL_LIBDIR}
+            NAMELINK_COMPONENT Development)
+else()
+  install(TARGETS crypto
+          EXPORT crypto-targets
+          ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+          LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
 
 if(MSVC AND CMAKE_BUILD_TYPE_LOWER MATCHES "relwithdebinfo" AND FIPS)
   install (FILES $<TARGET_FILE_DIR:crypto>/crypto.pdb DESTINATION ${CMAKE_INSTALL_LIBDIR})
@@ -947,13 +954,3 @@ install(EXPORT crypto-targets
     DESTINATION "${CMAKE_INSTALL_LIBDIR}/crypto/cmake/${TARGET_DIR}"
     NAMESPACE AWS::
     COMPONENT Development)
-
-if(PERFORM_SONAME_BUILD)
-install(CODE "
-set(TGT lib${CRYPTO_LIB_NAME}.so.${ABI_VERSION})
-set(LNK \$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/libcrypto.so)
-message(STATUS \"Creating symlink: \${LNK} → \${TGT}\")
-execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink \${TGT} \${LNK})
-"
-  COMPONENT Development)
-endif()

pkgconfig/libcrypto.pc.in

@@ -1,9 +1,9 @@
 prefix=@CMAKE_INSTALL_PREFIX@
-libdir=@libdir_for_pc_file@
-includedir=@includedir_for_pc_file@
+libdir=@LIBDIR_FOR_PC_FILE@
+includedir=@INCLUDEDIR_FOR_PC_FILE@
 
-Name: AWS-LC-libcrypto
-Description: AWS-LC cryptography library
+Name: lib@CRYPTO_LIB_NAME@
+Description: AWS-LC Cryptographic Library (@SOFTWARE_VERSION@)
 Version: @REPORTED_PKGCONFIG_VERSION@
-Libs: -L${libdir} -lcrypto
+Libs: -L${libdir} -l@CRYPTO_LIB_NAME@
 Cflags: -I${includedir}

pkgconfig/libssl.pc.in

@@ -1,10 +1,10 @@
 prefix=@CMAKE_INSTALL_PREFIX@
-libdir=@libdir_for_pc_file@
-includedir=@includedir_for_pc_file@
+libdir=@LIBDIR_FOR_PC_FILE@
+includedir=@INCLUDEDIR_FOR_PC_FILE@
 
-Name: AWS-LC-libssl
-Description: AWS-LC (OpenSSL SHIM)
+Name: lib@SSL_LIB_NAME@
+Description: AWS-LC TLS Library (@SOFTWARE_VERSION@)
 Version: @REPORTED_PKGCONFIG_VERSION@
-Requires.private: libcrypto
-Libs: -L${libdir} -lssl
+Requires.private: lib@CRYPTO_LIB_NAME@
+Libs: -L${libdir} -l@SSL_LIB_NAME@
 Cflags: -I${includedir}

pkgconfig/openssl.pc.in

@@ -0,0 +1,8 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+libdir=@LIBDIR_FOR_PC_FILE@
+includedir=@INCLUDEDIR_FOR_PC_FILE@
+
+Name: AWS-LC
+Description: AWS-LC (@SOFTWARE_VERSION@)
+Version: @REPORTED_PKGCONFIG_VERSION@
+Requires: lib@CRYPTO_LIB_NAME@ lib@SSL_LIB_NAME@