bugzilla-daemon at mindrot.org
2025-Feb-05 00:12 UTC
[Bug 3784] New: Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Bug ID: 3784
Summary: Support building OpenSSH with AWS-LC
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Build system
Assignee: unassigned-bugs at mindrot.org
Reporter: smittals at amazon.com
Created attachment 3858
--> https://bugzilla.mindrot.org/attachment.cgi?id=3858&action=edit
Patch file to add compatibility for AWS-LC
I'm an engineer at AWS working on AWS Libcrypto (AWS-LC), AWS's
open-source cryptographic library maintained for AWS and their
customers. We are committed to backwards compatibility and have CI jobs
(https://github.com/aws/aws-lc/blob/main/.github/workflows/integrations.yml)
asserting every change's compatibility with many different open-source
projects. We use these tests to catch compatibility regressions before
they're merged and have already added OpenSSH to our CI here
(https://github.com/aws/aws-lc/blob/cc9c9f04c7b7d53bb0018e8c91185d26c9ed269c/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml#L47)
AWS-LC supports CPU-specific performance optimizations for AWS Graviton
2, AWS Graviton 3
(https://github.com/aws/aws-lc/commit/ae87faf735c0241a115542b1c1022d125564bf55),
and Intel x86-64 with AVX-512 instructions
(https://github.com/aws/aws-lc/commit/d4cecff8b3dd4584e2ba04f55073a4bd3289046a).
We've formally verified a subset of
(https://quip-amazon.com/F6amATPbAICi/AWS-LC-OpenSSH-Integration#temp:C:YUP3da3fc9d75924246b7fd81308)
AWS-LC's cryptographic primitives, and continue to invest in expanding
this coverage. AWS-LC has been FIPS validated
(https://github.com/aws/aws-lc/blob/0931fe2ff18ed4ad47473cbb8c11066e25fc26c5/crypto/fipsmodule/FIPS.md?plain=1)
by NIST and we have 140-3 certificates for both dynamic
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4759)
and static
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816)
builds. To give OpenSSH users a well-documented and supported way to
take advantage of these investments in performance, correctness, and
compliance, we would like to upstream support for AWS-LC into mainline
OpenSSH. We believe that this would provide the best experience for
users wishing to build OpenSSH against AWS-LC. It would also allow
users to skip the (often brittle) process of maintaining and applying
their own patch sets to build OpenSSH with AWS-LC.
We support all OpenSSH features with two exceptions, 1) the patch
disables pkcs11 in OpenSSH when building against AWS-LC and 2) an ifdef
to compile with a missing BN_set_flags. The attached patch file
accommodates these changes and also adds AWS-LC to OpenSSH's CI. If you
folks agree that this integration would be useful for upstream OpenSSH,
I'd be happy to put together a PR.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Feb-05 00:15 UTC
[Bug 3784] Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Darren Tucker <dtucker at dtucker.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | dtucker at dtucker.net
Attachment #3858 mime type | application/octet-stream | text/plain
Attachment #3858 is patch | 0 | 1
bugzilla-daemon at mindrot.org
2025-Feb-05 04:09 UTC
[Bug 3784] Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Damien Miller <djm at mindrot.org> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | djm at mindrot.org
Attachment #3858 Flags | | ok?(dtucker at dtucker.net)
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3858
--> https://bugzilla.mindrot.org/attachment.cgi?id=3858
Patch file to add compatibility for AWS-LC
These look fine to me - I'm glad that AWS-LC is so compatible :)
BTW I'm planning on changing the PKCS#11 interface to no longer use the
libcrypto method interface. This might allow you to restore support in
the future.
bugzilla-daemon at mindrot.org
2025-Feb-05 04:28 UTC
[Bug 3784] Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Darren Tucker <dtucker at dtucker.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
Attachment #3858 Flags | ok?(dtucker at dtucker.net) | ok+
bugzilla-daemon at mindrot.org
2025-Feb-05 22:39 UTC
[Bug 3784] Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Damien Miller <djm at mindrot.org> changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | RESOLVED
Resolution | --- | FIXED
Blocks | | 3740
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Applied - thanks. This will be in OpenSSH 10.0, due fairly soon
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3740
[Bug 3740] Tracking bug for OpenSSH 10.0
bugzilla-daemon at mindrot.org
2025-Feb-05 23:00 UTC
[Bug 3784] Support building OpenSSH with AWS-LC
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
--- Comment #3 from Shubham Mittal <smittals at amazon.com> ---
That's good to hear about PKCS11, thank you!