modify openssh build with patch for mainline

aws · Feb 3, 2025 · 695d17a · 695d17a
1 parent 6c613fa
commit 695d17a
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 5 deletions.
diff --git a/tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch b/tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch
@@ -0,0 +1,33 @@
+diff --git a/configure.ac b/configure.ac
+index e5da93365..b802d0e60 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3276,6 +3276,12 @@ fi
+ # PKCS11/U2F depend on OpenSSL and dlopen().
+ enable_pkcs11=yes
+ enable_sk=yes
++
++AC_CHECK_DECL([OPENSSL_IS_AWSLC],
++	[enable_pkcs11="disabled; PKCS#11 not supported with AWS-LC"],
++	[],
++	[#include <openssl/base.h>]
++)
+ if test "x$openssl" != "xyes" ; then
+ 	enable_pkcs11="disabled; missing libcrypto"
+ fi
+diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
+index 2b9780f5e..6b8fff412 100644
+--- a/openbsd-compat/openssl-compat.h
++++ b/openbsd-compat/openssl-compat.h
+@@ -55,9 +55,9 @@ void ssh_libcrypto_init(void);
+ # endif
+ #endif
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ /*
+- * BoringSSL (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
++ * BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
+  * the entire BN_set_flags() interface.
+  * https://boringssl.googlesource.com/boringssl/+/0a211dfe9
+  */
diff --git a/tests/ci/integration/run_openssh_integration.sh b/tests/ci/integration/run_openssh_integration.sh
@@ -49,11 +49,17 @@ function install_aws_lc() {
 function openssh_build() {
   pushd "${OPENSSH_WORKSPACE_FOLDER}"
   autoreconf
-  # The RSA_meth_XXX functions are not implemented by AWS-LC, and the implementation provided by OpenSSH also doesn't compile for us.
-  # Fortunately, these functions are only needed for pkcs11 support, which is disabled for our build.
-  # See: https://github.com/openssh/openssh-portable/pull/385
-  export CFLAGS="-DBN_FLG_CONSTTIME=0x04 -DHAVE_RSA_METH_FREE=1 -DHAVE_RSA_METH_DUP=1 -DHAVE_RSA_METH_SET1_NAME=1 -DHAVE_RSA_METH_GET_FINISH=1 -DHAVE_RSA_METH_SET_PRIV_ENC=1 -DHAVE_RSA_METH_SET_PRIV_DEC=1 -DHAVE_RSA_METH_SET_FINISH=1 "
-  ./configure --with-ssl-dir="${AWS_LC_INSTALL_FOLDER}" --prefix="${OPENSSH_INSTALL_FOLDER}" --disable-pkcs11
+
+  if [ "$OPENSSH_BRANCH" == "master" ]; then
+    ./configure --with-ssl-dir="${AWS_LC_INSTALL_FOLDER}" --prefix="${OPENSSH_INSTALL_FOLDER}"
+  else
+    # The RSA_meth_XXX functions are not implemented by AWS-LC, and the implementation provided by OpenSSH also doesn't compile for us.
+    # Fortunately, these functions are only needed for pkcs11 support, which is disabled for our build.
+    # See: https://github.com/openssh/openssh-portable/pull/385
+    export CFLAGS="-DBN_FLG_CONSTTIME=0x04 -DHAVE_RSA_METH_FREE=1 -DHAVE_RSA_METH_DUP=1 -DHAVE_RSA_METH_SET1_NAME=1 -DHAVE_RSA_METH_GET_FINISH=1 -DHAVE_RSA_METH_SET_PRIV_ENC=1 -DHAVE_RSA_METH_SET_PRIV_DEC=1 -DHAVE_RSA_METH_SET_FINISH=1 "
+    ./configure --with-ssl-dir="${AWS_LC_INSTALL_FOLDER}" --prefix="${OPENSSH_INSTALL_FOLDER}" --disable-pkcs11
+  fi
+
   make -j "$NUM_CPU_THREADS"
   make install
   ls -R "${OPENSSH_INSTALL_FOLDER}"
@@ -67,6 +73,16 @@ function checkout_openssh_branch() {
   popd
 }
 
+function apply_openssh_patch() {
+  pushd "${OPENSSH_WORKSPACE_FOLDER}"
+  local patch_dir="${SRC_ROOT}/tests/ci/integration/openssh_patch/"
+  for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
+    echo "Apply patch ${patchfile}..."
+    cat ${patchfile} \
+        | patch -p1 --quiet -d ${src_dir}
+  done
+}
+
 function openssh_run_tests() {
   pushd "${OPENSSH_WORKSPACE_FOLDER}"
   if ! id -u sshd; then
@@ -90,6 +106,8 @@ install_aws_lc
 
 if [ "$OPENSSH_BRANCH" != "master" ]; then
   checkout_openssh_branch "$OPENSSH_BRANCH"
+else
+  apply_openssh_patch()
 fi
 
 openssh_build