[Bug 3784] New: Support building OpenSSH with AWS-LC
bugzilla-daemon at mindrot.org
Wed Feb 5 11:12:18 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3784
Bug ID: 3784
Summary: Support building OpenSSH with AWS-LC
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Build system
Assignee: unassigned-bugs at mindrot.org
Reporter: smittals at amazon.com
Created attachment 3858
--> https://bugzilla.mindrot.org/attachment.cgi?id=3858&action=edit
Patch file to add compatibility for AWS-LC
I’m an engineer at AWS working on AWS Libcrypto (AWS-LC), AWS’s
open-source cryptographic library maintained for AWS and its
customers. We are committed to backwards compatibility and have CI jobs
(https://github.com/aws/aws-lc/blob/main/.github/workflows/integrations.yml)
asserting every change’s compatibility with many different open-source
projects. We use these tests to catch compatibility regressions before
they’re merged and have already added OpenSSH to our CI here
(https://github.com/aws/aws-lc/blob/cc9c9f04c7b7d53bb0018e8c91185d26c9ed269c/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml#L47).
AWS-LC supports CPU-specific performance optimizations for AWS Graviton
2, AWS Graviton 3
(https://github.com/aws/aws-lc/commit/ae87faf735c0241a115542b1c1022d125564bf55),
and Intel x86-64 with AVX-512 instructions
(https://github.com/aws/aws-lc/commit/d4cecff8b3dd4584e2ba04f55073a4bd3289046a).
We’ve formally verified a subset of
(https://quip-amazon.com/F6amATPbAICi/AWS-LC-OpenSSH-Integration#temp:C:YUP3da3fc9d75924246b7fd81308)
AWS-LC’s cryptographic primitives, and continue to invest in expanding
this coverage. AWS-LC has been FIPS validated
(https://github.com/aws/aws-lc/blob/0931fe2ff18ed4ad47473cbb8c11066e25fc26c5/crypto/fipsmodule/FIPS.md?plain=1)
by NIST and we have 140-3 certificates for both dynamic
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4759)
and static
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816)
builds. To give OpenSSH users a well-documented and supported way to
take advantage of these investments in performance, correctness, and
compliance, we would like to upstream support for AWS-LC into mainline
OpenSSH. We believe that this would provide the best experience for
users wishing to build OpenSSH against AWS-LC. It would also allow
users to skip the (often brittle) process of maintaining and applying
their own patch sets to build OpenSSH with AWS-LC.
We support all OpenSSH features with two exceptions: 1) the patch
disables pkcs11 in OpenSSH when building against AWS-LC, and 2) it adds an
ifdef to compile with a missing BN_set_flags. The attached patch file
accommodates these changes and also adds AWS-LC to OpenSSH's CI. If you
folks agree that this integration would be useful for upstream OpenSSH,
I’d be happy to put together a PR.