Add aws-lc code build. (aws#2275)

* Add aws-lc code build.

* Fix indentation.

* Change syntax.

* Remove quilt from buildspec_ubuntu.yml.

* Build aws-lc with ninja.

* Move awslc code build to omnibus.

codebuild/bin/install_awslc.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+#  http://aws.amazon.com/apache2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+set -ex
+pushd "$(pwd)"
+
+usage() {
+    echo "install_awslc.sh build_dir install_dir"
+    exit 1
+}
+
+if [ "$#" -ne "2" ]; then
+    usage
+fi
+
+BUILD_DIR=$1
+INSTALL_DIR=$2
+source codebuild/bin/jobs.sh
+
+cd "$BUILD_DIR"
+git clone https://github.com/awslabs/aws-lc.git
+mkdir build
+cd build
+
+cmake ../aws-lc -GNinja -DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX="${INSTALL_DIR}"
+ninja -j "${JOBS}" install
+
+popd
+
+exit 0

codebuild/bin/install_default_dependencies.sh

@@ -58,6 +58,11 @@ if [[ "$S2N_LIBCRYPTO" == "boringssl" && ! -d "$BORINGSSL_INSTALL_DIR" ]]; then
     codebuild/bin/install_boringssl.sh "$(mktemp -d)" "$BORINGSSL_INSTALL_DIR" > /dev/null ;
 fi
 
+# Download and Install AWS-LC
+if [[ "$S2N_LIBCRYPTO" == "awslc" && ! -d "$AWSLC_INSTALL_DIR" ]]; then
+    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_INSTALL_DIR" > /dev/null ;
+fi
+
 if [[ "$TESTS" == "integration" || "$TESTS" == "integrationv2" || "$TESTS" == "ALL" ]]; then
     # Install tox if running on Ubuntu(only supported Linux at this time)
     if [[ "$OS_NAME" == "linux" && ! -x `which tox` ]]; then

codebuild/bin/install_ubuntu_dependencies.sh

@@ -19,9 +19,10 @@
 set -ex
 
 sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y
+sudo add-apt-repository ppa:longsleep/golang-backports
 sudo apt-get update -o Acquire::CompressionTypes::Order::=gz
 
-DEPENDENCIES="unzip make indent kwstyle libssl-dev tcpdump valgrind lcov m4 nettle-dev nettle-bin pkg-config gcc g++ zlibc zlib1g-dev python3-pip python3-testresources llvm curl git tox cmake libtool ninja-build"
+DEPENDENCIES="unzip make indent kwstyle libssl-dev tcpdump valgrind lcov m4 nettle-dev nettle-bin pkg-config gcc g++ zlibc zlib1g-dev python3-pip python3-testresources llvm curl git tox cmake libtool ninja-build golang-go quilt"
 
 
 if [[ -n "$GCC_VERSION" ]] && [[ "$GCC_VERSION" != "NONE" ]]; then

codebuild/bin/s2n_setup_env.sh

@@ -40,6 +40,7 @@
 : "${OQS_OPENSSL_1_1_1_INSTALL_DIR:=$TEST_DEPS_DIR/oqs_openssl-1.1.1}"
 : "${OPENSSL_1_0_2_FIPS_INSTALL_DIR:=$TEST_DEPS_DIR/openssl-1.0.2-fips}"
 : "${BORINGSSL_INSTALL_DIR:=$TEST_DEPS_DIR/boringssl}"
+: "${AWSLC_INSTALL_DIR:=$TEST_DEPS_DIR/awslc}"
 : "${LIBRESSL_INSTALL_DIR:=$TEST_DEPS_DIR/libressl-2.6.4}"
 : "${CPPCHECK_INSTALL_DIR:=$TEST_DEPS_DIR/cppcheck}"
 : "${CTVERIF_INSTALL_DIR:=$TEST_DEPS_DIR/ctverif}"
@@ -71,6 +72,7 @@ export OPENSSL_1_0_2_INSTALL_DIR
 export OPENSSL_1_0_2_FIPS_INSTALL_DIR
 export OQS_OPENSSL_1_1_1_INSTALL_DIR
 export BORINGSSL_INSTALL_DIR
+export AWSLC_INSTALL_DIR
 export LIBRESSL_INSTALL_DIR
 export CPPCHECK_INSTALL_DIR
 export CTVERIF_INSTALL_DIR
@@ -97,6 +99,8 @@ if [[ "$S2N_LIBCRYPTO" == "openssl-1.0.2-fips" ]]; then
 fi
 if [[ "$S2N_LIBCRYPTO" == "boringssl" ]]; then export LIBCRYPTO_ROOT=$BORINGSSL_INSTALL_DIR ; fi
 
+if [[ "$S2N_LIBCRYPTO" == "awslc" ]]; then export LIBCRYPTO_ROOT=$AWSLC_INSTALL_DIR ; fi
+
 if [[ "$S2N_LIBCRYPTO" == "libressl" ]]; then export LIBCRYPTO_ROOT=$LIBRESSL_INSTALL_DIR ; fi
 
 # Create a link to the selected libcrypto. This shouldn't be needed when LIBCRYPTO_ROOT is set, but some tests

codebuild/spec/buildspec_omnibus.yml

@@ -23,6 +23,12 @@ batch:
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
 
+    - identifier: s2nIntegrationAwsLc
+      buildspec: codebuild/spec/buildspec_ubuntu_integ_awslc.yml
+      env:
+        privileged-mode: true
+        compute-type: BUILD_GENERAL1_LARGE
+
     - identifier: s2nIntegrationOpenSSL111PlusCoverage
       buildspec: codebuild/spec/buildspec_ubuntu_integ_openssl111.yml
       env:

codebuild/spec/buildspec_ubuntu_integ_awslc.yml

@@ -0,0 +1,59 @@
+---
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+# this file except in compliance with the License. A copy of the License is
+# located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing permissions and
+# limitations under the License.
+version: 0.2
+
+env:
+  variables:
+    # CODEBUILD_ is a reserved namespace.
+    CB_BIN_DIR: "./codebuild/bin"
+    S2N_LIBCRYPTO: "awslc"
+    TESTS: "integration"
+    BUILD_S2N: true
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.7
+    commands:
+      - echo Entered the install phase...
+      - add-apt-repository ppa:ubuntu-toolchain-r/test -y
+      # Add repo to get latest golang version. https://github.com/golang/go/wiki/Ubuntu
+      - add-apt-repository ppa:longsleep/golang-backports
+      - apt-get update -o Acquire::CompressionTypes::Order::=gz
+      - apt-get update -y
+      - apt-get install -y --no-install-recommends gcc g++ gcc-4.8 g++-4.8 gcc-6 g++-6 gcc-9 g++-9
+      # Don't install old clang and llvm if LATEST_CLANG is enabled, handle it in install_clang.sh instead
+      - |
+        if expr "${LATEST_CLANG}" != "true" >/dev/null; then
+          apt-get install -y --no-install-recommends clang-3.9 llvm-3.9;
+        fi
+      - apt-get install -y --no-install-recommends indent kwstyle lcov libssl-dev m4 make net-tools nettle-bin nettle-dev pkg-config psmisc python3-pip shellcheck sudo tcpdump unzip valgrind zlib1g-dev zlibc cmake tox libtool ninja-build quilt golang-go
+  pre_build:
+    commands:
+      - |
+        if [ -d "third-party-src" ]; then
+          cd third-party-src;
+        fi
+      - GCC_VERSION=6 $CB_BIN_DIR/install_default_dependencies.sh
+  build:
+    commands:
+      - printenv
+      - GCC_VERSION=4.8 $CB_BIN_DIR/s2n_codebuild.sh
+      - GCC_VERSION=6 $CB_BIN_DIR/s2n_codebuild.sh
+      - GCC_VERSION=9 $CB_BIN_DIR/s2n_codebuild.sh
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Uploading CodeCov.io artifacts
+      - $CB_BIN_DIR/s2n_after_codebuild.sh

s2n.mk

@@ -35,6 +35,9 @@ INDENT  = $(shell (if indent --version 2>&1 | grep GNU > /dev/null; then echo in
 # BoringSSL is a C11 library and has less strict compiler flags than s2n. All other libcryptos use the default c99 flags
 ifeq ($(S2N_LIBCRYPTO), boringssl)
 	DEFAULT_CFLAGS = -std=c11
+else ifeq ($(S2N_LIBCRYPTO), awslc)
+	# AWS-LC is a BoringSSL derivative.
+	DEFAULT_CFLAGS = -std=c11
 else
 	DEFAULT_CFLAGS = -std=c99 -Wcast-qual
 endif

tests/integration/common/s2n_test_scenario.py

@@ -124,6 +124,7 @@ def get_libcrypto():
     "openssl-1.0.2-fips"    : LEGACY_COMPATIBLE_CIPHERS,
     "libressl"              : LEGACY_COMPATIBLE_CIPHERS,
     "boringssl"             : LEGACY_COMPATIBLE_CIPHERS,
+    "awslc"                 : LEGACY_COMPATIBLE_CIPHERS,
 }
 
 class Curve():
@@ -163,6 +164,7 @@ def all(cls):
     "openssl-1.0.2-fips"    : LEGACY_COMPATIBLE_CURVES,
     "libressl"              : LEGACY_COMPATIBLE_CURVES,
     "boringssl"             : LEGACY_COMPATIBLE_CURVES,
+    "awslc"                 : LEGACY_COMPATIBLE_CURVES,
 }
 
 

tests/integration/s2n_test_constants.py

@@ -102,10 +102,11 @@ class OCSP(Enum):
 # Test ciphers to use when s2n is built with Openssl 1.0.2 libcrypto that is linked with a FIPS module.
 OPENSSL_1_0_2_FIPS_TEST_CIPHERS = list(filter(lambda x: x.openssl_fips_compatible == True, ALL_TEST_CIPHERS))
 
-# Test ciphers to use when s2n is built with LibreSSL or BoringSSL libcrypto. s2n does not implement the
+# Test ciphers to use when s2n is built with LibreSSL, AWS-LC or BoringSSL libcrypto. s2n does not implement the
 # ChaCha20-Poly1305 cipher offered by these libcryptos.
 LIBRESSL_TEST_CIPHERS = list(filter(lambda x: "CHACHA20" not in x.openssl_name, ALL_TEST_CIPHERS))
 BORINGSSL_TEST_CIPHERS = list(filter(lambda x: "CHACHA20" not in x.openssl_name, ALL_TEST_CIPHERS))
+AWSLC_TEST_CIPHERS = list(filter(lambda x: "CHACHA20" not in x.openssl_name, ALL_TEST_CIPHERS))
 
 # Dictionary to look up ciphers to use by libcrypto s2n is built with.
 # Libcrypto string will be an argument to test scripts.
@@ -115,6 +116,7 @@ class OCSP(Enum):
     "openssl-1.0.2-fips"    : OPENSSL_1_0_2_FIPS_TEST_CIPHERS,
     "libressl"              : LIBRESSL_TEST_CIPHERS,
     "boringssl"             : BORINGSSL_TEST_CIPHERS,
+    "awslc"                 : AWSLC_TEST_CIPHERS,
 }
 
 S2N_LIBCRYPTO_TO_OCSP = {
@@ -123,9 +125,10 @@ class OCSP(Enum):
     "openssl-1.0.2-fips"    : [OCSP.ENABLED, OCSP.DISABLED, OCSP.MALFORMED],
     "libressl"              : [OCSP.ENABLED, OCSP.DISABLED, OCSP.MALFORMED],
     "boringssl"             : [OCSP.DISABLED],
+    "awslc"                 : [OCSP.DISABLED],
 }
 
-S2N_LIBCRYPTO_CHOICES = ['openssl-1.0.2', 'openssl-1.0.2-fips', 'openssl-1.1.1', 'libressl', 'boringssl']
+S2N_LIBCRYPTO_CHOICES = ['openssl-1.0.2', 'openssl-1.0.2-fips', 'openssl-1.1.1', 'libressl', 'boringssl', 'awslc']
 
 S2N_PROTO_VERS_TO_STR = {
     S2N_SSLv3 : "SSLv3",