Fix cmake4 macos builds (#226)

Author: DmitriyMusatkin

.github/workflows/ci.yml

@@ -310,8 +310,8 @@ jobs:
   macos-ed25519:
     strategy:
       matrix:
-        image: [macos-14-large, macos-14]
-    name: ${{ matrix.image == 'macos-14' && 'macos' || 'macos-x64' }} with lc ed25519
+        image: [macos-15-large, macos-15]
+    name: ${{ matrix.image == 'macos-15' && 'macos' || 'macos-x64' }} with lc ed25519
     runs-on: ${{ matrix.image }}
     steps:
     - uses: aws-actions/configure-aws-credentials@v4

CMakeLists.txt

@@ -62,6 +62,29 @@ if (WIN32)
     endif ()
 
 elseif (APPLE)
+    if(DEFINED CMAKE_OSX_SYSROOT)
+        message(STATUS "CMAKE_OSX_SYSROOT is defined and set to: ${CMAKE_OSX_SYSROOT} this value")
+    else()
+        message(STATUS "CMAKE_OSX_SYSROOT is not defined")
+    endif()
+
+    # As of CMake 4.0 isysroot is no longer set on mac and instead /usr/local is checked
+    # On systems where custom headers are installed at that location (homebrew loves doing that)
+    # we can end up building against random libcrypto headers, which are not guaranteed to be forward compatible.
+    # This tries to set isysroot in a way that works on as many combinations of cmake and os as possible.
+    if(NOT CMAKE_OSX_SYSROOT)
+        execute_process(
+            COMMAND xcrun --show-sdk-path
+            RESULT_VARIABLE XCRUN_RESULT
+            OUTPUT_VARIABLE CMAKE_OSX_SYSROOT
+            OUTPUT_STRIP_TRAILING_WHITESPACE
+            ERROR_QUIET
+        )
+        if(NOT XCRUN_RESULT EQUAL 0)
+            message(WARNING "Failed to determine SDK path using xcrun")
+        endif()
+    endif()
+
     if (NOT BYO_CRYPTO)
         file(GLOB AWS_CAL_OS_SRC
             "source/darwin/*.c"
@@ -79,7 +102,6 @@ elseif (APPLE)
            message(FATAL_ERROR "Security Framework not found")
         endif ()
 
-
         find_library(COREFOUNDATION_LIB CoreFoundation)
         if(NOT COREFOUNDATION_LIB)
            message(FATAL_ERROR "CoreFoundation Framework not found")
@@ -116,7 +138,7 @@ if (NOT BYO_CRYPTO)
                 message(FATAL_ERROR "Target crypto is not defined, failed to find libcrypto.")
             endif()
         else()
-            #  note aws_use_package() does this for you, except it appends to the public link targets
+            # note aws_use_package() does this for you, except it appends to the public link targets
             # which we probably don't want for this case where we want the crypto dependency private
             if (IN_SOURCE_BUILD)
                 list(APPEND PLATFORM_LIBS crypto)

include/aws/cal/private/opensslcrypto_common.h

@@ -81,4 +81,6 @@ extern struct openssl_evp_md_ctx_table *g_aws_openssl_evp_md_ctx_table;
 
 int aws_reinterpret_lc_evp_error_as_crt(int evp_error, const char *function_name, enum aws_cal_log_subject subject);
 
+void aws_validate_libcrypto_linkage(void);
+
 #endif /* AWS_C_CAL_OPENSSLCRYPTO_COMMON_H */

source/darwin/commoncrypto_platform_init.c

@@ -4,11 +4,17 @@
  */
 
 #include <aws/common/allocator.h>
-#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) && defined(OPENSSL_IS_AWSLC)
-#    include <openssl/thread.h>
+#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+#    include <aws/cal/private/opensslcrypto_common.h>
+#    if defined(OPENSSL_IS_AWSLC)
+#        include <openssl/thread.h>
+#    endif
 #endif
 
 void aws_cal_platform_init(struct aws_allocator *allocator) {
+#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+    aws_validate_libcrypto_linkage();
+#endif
     (void)allocator;
 }
 

source/shared/ed25519.c

@@ -10,6 +10,7 @@
 #include <aws/common/encoding.h>
 
 #include <openssl/evp.h>
+#include <openssl/objects.h>
 
 #if defined(OPENSSL_IS_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10101000L
 /* ed25519 support does not exist prior to 1.1.1 */
@@ -61,7 +62,16 @@ struct aws_ed25519_key_pair_impl *aws_ed25519_key_pair_new_generate_impl(struct
 #else
     EVP_PKEY *pkey = NULL;
 
-    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
+    /* Note: nids are not consistent between versions, so we need to do runtime retrieval
+     * to avoid weird issues when building against one version and running against different version. */
+    int nid = OBJ_sn2nid("ED25519");
+    if (nid == NID_undef) {
+        aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
+        return NULL;
+    }
+
+    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(nid, NULL);
+
     if (ctx == NULL) {
         aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
         return NULL;

source/shared/lccrypto_common.c

@@ -73,3 +73,44 @@ int aws_reinterpret_lc_evp_error_as_crt(int evp_error, const char *function_name
 
     return aws_raise_error(crt_error);
 }
+
+/* Validate at runtime that we're linked against the same libcrypto we compiled against. */
+void aws_validate_libcrypto_linkage(void) {
+    /* NOTE: the choice of stack buffer size is somewhat arbitrary. it's
+     * possible, but unlikely, that libcrypto version strings may exceed this in
+     * the future. we guard against buffer overflow by limiting write size in
+     * snprintf with the size of the buffer itself. if libcrypto version strings
+     * do eventually exceed the chosen size, this runtime check will fail and
+     * will need to be addressed by increasing buffer size.*/
+    char expected_version[64] = {0};
+#if defined(OPENSSL_IS_AWSLC)
+    /* get FIPS mode at runtime because headers don't give any indication of
+     * AWS-LC's FIPSness at aws-c-cal compile time. version number can still be
+     * captured at preprocess/compile time from AWSLC_VERSION_NUMBER_STRING.*/
+    const char *mode = FIPS_mode() ? "AWS-LC FIPS" : "AWS-LC";
+    snprintf(expected_version, sizeof(expected_version), "%s %s", mode, AWSLC_VERSION_NUMBER_STRING);
+#elif defined(OPENSSL_IS_BORINGSSL)
+    snprintf(expected_version, sizeof(expected_version), "BoringSSL");
+#elif defined(OPENSSL_IS_OPENSSL)
+    snprintf(expected_version, sizeof(expected_version), OPENSSL_VERSION_TEXT);
+#elif !defined(BYO_CRYPTO)
+#    error Unsupported libcrypto!
+#endif
+    const char *runtime_version = SSLeay_version(SSLEAY_VERSION);
+    AWS_LOGF_DEBUG(
+        AWS_LS_CAL_LIBCRYPTO_RESOLVE,
+        "Compiled with libcrypto %s, linked to libcrypto %s",
+        expected_version,
+        runtime_version);
+#if defined(OPENSSL_IS_OPENSSL)
+    /* Validate that the string "AWS-LC" doesn't appear in OpenSSL version str. */
+    AWS_FATAL_ASSERT(strstr("AWS-LC", expected_version) == NULL);
+    AWS_FATAL_ASSERT(strstr("AWS-LC", runtime_version) == NULL);
+    /* Validate both expected and runtime versions begin with OpenSSL's version str prefix. */
+    const char *openssl_prefix = "OpenSSL ";
+    AWS_FATAL_ASSERT(strncmp(openssl_prefix, expected_version, strlen(openssl_prefix)) == 0);
+    AWS_FATAL_ASSERT(strncmp(openssl_prefix, runtime_version, strlen(openssl_prefix)) == 0);
+#else
+    AWS_FATAL_ASSERT(strcmp(expected_version, runtime_version) == 0 && "libcrypto mislink");
+#endif
+}

source/unix/openssl_platform_init.c

@@ -653,47 +653,6 @@ static enum aws_libcrypto_version s_resolve_libcrypto_sharedlib(void) {
     return AWS_LIBCRYPTO_NONE;
 }
 
-/* Validate at runtime that we're linked against the same libcrypto we compiled against. */
-static void s_validate_libcrypto_linkage(void) {
-    /* NOTE: the choice of stack buffer size is somewhat arbitrary. it's
-     * possible, but unlikely, that libcrypto version strings may exceed this in
-     * the future. we guard against buffer overflow by limiting write size in
-     * snprintf with the size of the buffer itself. if libcrypto version strings
-     * do eventually exceed the chosen size, this runtime check will fail and
-     * will need to be addressed by increasing buffer size.*/
-    char expected_version[64] = {0};
-#if defined(OPENSSL_IS_AWSLC)
-    /* get FIPS mode at runtime because headers don't give any indication of
-     * AWS-LC's FIPSness at aws-c-cal compile time. version number can still be
-     * captured at preprocess/compile time from AWSLC_VERSION_NUMBER_STRING.*/
-    const char *mode = FIPS_mode() ? "AWS-LC FIPS" : "AWS-LC";
-    snprintf(expected_version, sizeof(expected_version), "%s %s", mode, AWSLC_VERSION_NUMBER_STRING);
-#elif defined(OPENSSL_IS_BORINGSSL)
-    snprintf(expected_version, sizeof(expected_version), "BoringSSL");
-#elif defined(OPENSSL_IS_OPENSSL)
-    snprintf(expected_version, sizeof(expected_version), OPENSSL_VERSION_TEXT);
-#elif !defined(BYO_CRYPTO)
-#    error Unsupported libcrypto!
-#endif
-    const char *runtime_version = SSLeay_version(SSLEAY_VERSION);
-    AWS_LOGF_DEBUG(
-        AWS_LS_CAL_LIBCRYPTO_RESOLVE,
-        "Compiled with libcrypto %s, linked to libcrypto %s",
-        expected_version,
-        runtime_version);
-#if defined(OPENSSL_IS_OPENSSL)
-    /* Validate that the string "AWS-LC" doesn't appear in OpenSSL version str. */
-    AWS_FATAL_ASSERT(strstr("AWS-LC", expected_version) == NULL);
-    AWS_FATAL_ASSERT(strstr("AWS-LC", runtime_version) == NULL);
-    /* Validate both expected and runtime versions begin with OpenSSL's version str prefix. */
-    const char *openssl_prefix = "OpenSSL ";
-    AWS_FATAL_ASSERT(strncmp(openssl_prefix, expected_version, strlen(openssl_prefix)) == 0);
-    AWS_FATAL_ASSERT(strncmp(openssl_prefix, runtime_version, strlen(openssl_prefix)) == 0);
-#else
-    AWS_FATAL_ASSERT(strcmp(expected_version, runtime_version) == 0 && "libcrypto mislink");
-#endif
-}
-
 static enum aws_libcrypto_version s_resolve_libcrypto(void) {
     /* Try to auto-resolve against what's linked in/process space */
     AWS_LOGF_DEBUG(AWS_LS_CAL_LIBCRYPTO_RESOLVE, "searching process and loaded modules");
@@ -719,7 +678,7 @@ static enum aws_libcrypto_version s_resolve_libcrypto(void) {
         result = s_resolve_libcrypto_sharedlib();
     }
 
-    s_validate_libcrypto_linkage();
+    aws_validate_libcrypto_linkage();
 
     return result;
 }

source/windows/bcrypt_platform_init.c

@@ -4,34 +4,18 @@
  */
 
 #include <aws/common/allocator.h>
-#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) && defined(OPENSSL_IS_AWSLC)
-#    include <openssl/thread.h>
-#    include <windows.h>
+
+#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+#    include <aws/cal/private/opensslcrypto_common.h>
 #endif
 
 void aws_cal_platform_init(struct aws_allocator *allocator) {
+#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+    aws_validate_libcrypto_linkage();
+#endif
     (void)allocator;
 }
 
-void aws_cal_platform_clean_up(void) {
-#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) && defined(OPENSSL_IS_AWSLC)
-    AWSLC_thread_local_clear();
-#endif
-}
+void aws_cal_platform_clean_up(void) {}
 
-void aws_cal_platform_thread_clean_up(void) {
-#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) && defined(OPENSSL_IS_AWSLC)
-    AWSLC_thread_local_clear();
-#endif
-}
-
-#if defined(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) && defined(OPENSSL_IS_AWSLC)
-BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
-    switch (fdwReason) {
-        case DLL_PROCESS_DETACH:
-            AWSLC_thread_local_shutdown();
-            break;
-    }
-    return TRUE;
-}
-#endif
+void aws_cal_platform_thread_clean_up(void) {}

tests/CMakeLists.txt

@@ -159,6 +159,10 @@ add_test_case(ed25519_key_pair_generate_test)
 
 generate_test_driver(${PROJECT_NAME}-tests)
 
+if (AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+    target_compile_definitions(${PROJECT_NAME}-tests PRIVATE -DAWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
+endif()
+
 # OpenBSD 7.4+ defaults to linking with --execute-only which is not always safe for AWS-LC.
 # We have similar link flags in bindings, but in this case we need on the test executable,
 # because ed25519 keygen is hitting the same issue 

tests/ed25519_test.c

@@ -33,7 +33,6 @@ static int s_ed25519_key_pair_generate_test(struct aws_allocator *allocator, voi
 #        endif
 #    endif
 #endif
-
         return AWS_OP_SKIP;
     }