OpenSSL/libcrypto fixes and CI (#88)

* Additional fixes from openssl testing * added diagnostics for libcrypto usage * only allow openssl variant on linux * Fixed versioning of builder in builds that left it out * Updated to builder v0.8.14 for variants support
awslabs · May 3, 2021 · 936ec2c · 936ec2c
1 parent 2d39962
commit 936ec2c
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 9 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
       - '!main'
 
 env:
-  BUILDER_VERSION: v0.8.9
+  BUILDER_VERSION: v0.8.14
   BUILDER_SOURCE: releases
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-c-cal
@@ -112,7 +112,29 @@ jobs:
         echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u awslabs --password-stdin
         export DOCKER_IMAGE=docker.pkg.github.com/awslabs/aws-crt-builder/aws-crt-${{ env.LINUX_BASE_IMAGE }}:${{ env.BUILDER_VERSION }}
         docker pull $DOCKER_IMAGE
-        docker run --env GITHUB_REF $DOCKER_IMAGE build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-DBUILD_SHARED_LIBS=ON
+        docker run --env GITHUB_REF $DOCKER_IMAGE --version=${{ env.BUILDER_VERSION  }} build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-DBUILD_SHARED_LIBS=ON
+
+  linux-openssl-static:
+    runs-on: ubuntu-latest
+    steps:
+        # We can't use the `uses: docker://image` version yet, GitHub lacks authentication for actions -> packages
+    - name: Build ${{ env.PACKAGE_NAME }}
+      run: |
+        echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u awslabs --password-stdin
+        export DOCKER_IMAGE=docker.pkg.github.com/awslabs/aws-crt-builder/aws-crt-${{ env.LINUX_BASE_IMAGE }}:${{ env.BUILDER_VERSION }}
+        docker pull $DOCKER_IMAGE
+        docker run --env GITHUB_REF $DOCKER_IMAGE --version=${{ env.BUILDER_VERSION  }} build -p ${{ env.PACKAGE_NAME }} --variant=openssl --cmake-extra=-DUSE_OPENSSL=ON
+
+  linux-openssl-shared:
+    runs-on: ubuntu-latest
+    steps:
+        # We can't use the `uses: docker://image` version yet, GitHub lacks authentication for actions -> packages
+    - name: Build ${{ env.PACKAGE_NAME }}
+      run: |
+        echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u awslabs --password-stdin
+        export DOCKER_IMAGE=docker.pkg.github.com/awslabs/aws-crt-builder/aws-crt-${{ env.LINUX_BASE_IMAGE }}:${{ env.BUILDER_VERSION }}
+        docker pull $DOCKER_IMAGE
+        docker run --env GITHUB_REF $DOCKER_IMAGE --version=${{ env.BUILDER_VERSION  }} build -p ${{ env.PACKAGE_NAME }} --variant=openssl --cmake-extra=-DUSE_OPENSSL=ON --cmake-extra=-DBUILD_SHARED_LIBS=ON
 
   windows:
     runs-on: windows-latest

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -9,6 +9,7 @@ if (POLICY CMP0069)
 endif()
 
 option(BYO_CRYPTO "Set this if you want to provide your own cryptography implementation. This will cause the defaults to not be compiled." OFF)
+option(USE_OPENSSL "Set this if you want to use your system's OpenSSL 1.0.2/1.1.1 compatible libcrypto" OFF)
 
 if (DEFINED CMAKE_PREFIX_PATH)
     file(TO_CMAKE_PATH "${CMAKE_PREFIX_PATH}" CMAKE_PREFIX_PATH)
@@ -82,8 +83,17 @@ else ()
         file(GLOB AWS_CAL_OS_SRC
             "source/unix/*.c"
         )
-        find_package(LibCrypto REQUIRED)
-        set(PLATFORM_LIBS LibCrypto::Crypto dl)
+        if (USE_OPENSSL)
+            find_package(OpenSSL REQUIRED)
+            set(PLATFORM_LIBS OpenSSL::Crypto dl)
+            set(CRYPTO_INCLUDE_DIR OPENSSL_INCLUDE_DIR)
+            message(STATUS "Using libcrypto from system: ${OPENSSL_CRYPTO_LIBRARY}")
+        else()
+            find_package(LibCrypto REQUIRED)
+            set(PLATFORM_LIBS LibCrypto::Crypto dl)
+            set(CRYPTO_INCLUDE_DIR LibCrypto_INCLUDE_DIR)
+            message(STATUS "Using automatic libcrypto: ${LibCrypto_LIBRARY}")
+        endif()
     endif()
 endif()
 
@@ -107,7 +117,7 @@ target_link_libraries(${PROJECT_NAME} PUBLIC ${DEP_AWS_LIBS} ${PLATFORM_LIBS})
 if (BYO_CRYPTO)
     target_compile_definitions(${PROJECT_NAME} PRIVATE -DBYO_CRYPTO)
 elseif (NOT WIN32 AND NOT APPLE)
-    target_include_directories(${PROJECT_NAME} PRIVATE $<TARGET_PROPERTY:LibCrypto::Crypto,INTERFACE_INCLUDE_DIRECTORIES>)
+    target_include_directories(${PROJECT_NAME} PRIVATE ${CRYPTO_INCLUDE_DIR})
 endif()
 
 # Our ABI is not yet stable

diff --git a/builder.json b/builder.json
@@ -17,5 +17,23 @@
                 { "name": "aws-lc" }
             ]
         }
+    },
+    "variants": {
+        "openssl": {
+            "hosts": {
+                "ubuntu": {
+                    "packages": [
+                        "libssl-dev"
+                    ]
+                }
+            },
+            "targets": {
+                "linux": {
+                    "!upstream": [
+                        { "name": "aws-c-common" }
+                    ]
+                }
+            }
+        }
     }
 }
diff --git a/source/unix/openssl_platform_init.c b/source/unix/openssl_platform_init.c
@@ -10,7 +10,7 @@
 #include <dlfcn.h>
 
 #include <aws/cal/private/opensslcrypto_common.h>
-
+#define AWS_LIBCRYPTO_LOG_RESOLVE 1
 #if defined(AWS_LIBCRYPTO_LOG_RESOLVE)
 #    define FLOGF(...)                                                                                                 \
         do {                                                                                                           \
@@ -402,7 +402,7 @@ static enum aws_libcrypto_version s_resolve_libcrypto_md(enum aws_libcrypto_vers
         case AWS_LIBCRYPTO_1_1_1:
             return s_resolve_md_111(module) ? version : AWS_LIBCRYPTO_NONE;
         case AWS_LIBCRYPTO_1_0_2:
-            return s_resolve_hmac_102(module) ? version : AWS_LIBCRYPTO_NONE;
+            return s_resolve_md_102(module) ? version : AWS_LIBCRYPTO_NONE;
         case AWS_LIBCRYPTO_NONE:
             AWS_FATAL_ASSERT(!"Attempted to resolve invalid libcrypto MD API version AWS_LIBCRYPTO_NONE");
     }
@@ -413,12 +413,10 @@ static enum aws_libcrypto_version s_resolve_libcrypto_md(enum aws_libcrypto_vers
 static enum aws_libcrypto_version s_resolve_libcrypto_symbols(enum aws_libcrypto_version version, void *module) {
     enum aws_libcrypto_version found_version = s_resolve_libcrypto_hmac(version, module);
     if (found_version == AWS_LIBCRYPTO_NONE) {
-        FLOGF("Unable to resolve HMAC symbols");
         return AWS_LIBCRYPTO_NONE;
     }
     found_version = s_resolve_libcrypto_md(found_version, module);
     if (found_version == AWS_LIBCRYPTO_NONE) {
-        FLOGF("Unable to resolve MD symbols");
         return AWS_LIBCRYPTO_NONE;
     }
     return found_version;
@@ -499,14 +497,17 @@ static enum aws_libcrypto_version s_resolve_libcrypto(void) {
     AWS_FATAL_ASSERT(process && "Unable to load symbols from process space");
     enum aws_libcrypto_version result = s_resolve_libcrypto_symbols(AWS_LIBCRYPTO_LC, process);
     if (result == AWS_LIBCRYPTO_NONE) {
+        FLOGF("did not find aws-lc symbols linked");
         result = s_resolve_libcrypto_symbols(AWS_LIBCRYPTO_1_0_2, process);
     }
     if (result == AWS_LIBCRYPTO_NONE) {
+        FLOGF("did not find libcrypto 1.0.2 symbols linked");
         result = s_resolve_libcrypto_symbols(AWS_LIBCRYPTO_1_1_1, process);
     }
     dlclose(process);
 
     if (result == AWS_LIBCRYPTO_NONE) {
+        FLOGF("did not find libcrypto 1.1.1 symbols linked");
         FLOGF("libcrypto symbols were not statically linked, searching for shared libraries");
         result = s_resolve_libcrypto_lib();
     }
@@ -543,6 +544,8 @@ static unsigned long s_id_fn(void) {
 void aws_cal_platform_init(struct aws_allocator *allocator) {
     int version = s_resolve_libcrypto();
     AWS_FATAL_ASSERT(version != AWS_LIBCRYPTO_NONE && "libcrypto could not be resolved");
+    AWS_FATAL_ASSERT(g_aws_openssl_evp_md_ctx_table);
+    AWS_FATAL_ASSERT(g_aws_openssl_hmac_ctx_table);
 
     s_libcrypto_allocator = allocator;