(feat): support building against AWS-LC as the libcrypto#435

Open
prasden wants to merge 1 commit into
OpenVPN:masterfrom
prasden:awslc-integration

Conversation

@prasden

@prasden prasden commented Jun 2, 2026


Addresses #434

Changes:

This PR adds support for building OpenVPN3 against AWS-LC as the libcrypto/libssl backend, selected by the flag -DUSE_AWSLC=ON and OPENSSL_ROOT_DIR pointing at the AWS-LC install. Since AWS-LC is largely API-compatible with OpenSSL, the build reuses OpenVPN3's existing OpenSSL paths and compat.hpp shim, and for AWS-LC divergences, openvpn/openssl/aws-lc-compat.hpp was added.

The divergences covered by aws-lc-compat include:

  • BIOerr/BIO_F_* methods were dropped by AWS-LC, we now map onto ERR_put_error

  • SSL_CIPHER_description: AWS-LC returns const char * vs OpenSSL's char *, so a const_cast is added. No-op on OpenSSL and type fix for AWS-LC.

  • RSA_meth_get0_app_data: AWS-LC has no way to read back a pointer stored on an RSA_METHOD, so external PKI instead attaches its instance pointer to the RSA object via RSA_set_app_data/RSA_get_app_data

  • EC_KEY_METHOD_set_sign: AWS-LC requires its sign_setup parameter to be NULL, added a wrapper to drop the arg

  • EVP_{En,De}cryptUpdate: AWS-LC treats a NULL input as a GCM finalize, so empty AAD/data is routed through a zero length buffer to stay a no-op

  • PKCS7_verify: OpenVPN calls it with a NULL X509_STORE and PKCS7_NOVERIFY since it only parses the structure and does no trust chain verification. AWS-LC rejects a NULL store before checking PKCS7_NOVERIFY, so an empty X509_STORE is supplied.

  • CRYPTO_tls1_prf: native AWS-LC TLS PRF used directly

  • EVP_PKEY_DSA1..4: AWS-LC collapses all PKEY_DSA_X variants into one PKEY_DSA

  • The external-PKI impl is now built with make_shared<ExternalPKIRsaImpl>() / make_shared<ExternalPKIECImpl>() instead of make_shared<ExternalPKIImpl>(ExternalPKIRsaImpl()), which dropped the RSA/EC data and left the signing callbacks pointing at a destroyed object.

Testing

Built against AWS-LC and verified that all unit tests passed (591/591) and also verified OpenVPN3 was able to build against stock OpenSSL, passing all unit tests, confirming there were no regressions from the changes.

To test building against AWS-LC, see aws-lc/BUILDING.md for prerequisites.

Build AWS-LC

git clone https://github.com/aws/aws-lc.git
cmake -GNinja -B aws-lc/build -S aws-lc \
    -DCMAKE_BUILD_TYPE=Release \
    -DBUILD_SHARED_LIBS=ON \
    -DCMAKE_INSTALL_PREFIX=aws-lc/install
ninja -C aws-lc/build install

Build OpenVPN3 using AWS-LC as the SSL backend and run the tests:

cmake -B build-awslc -S . -DUSE_AWSLC=ON -DOPENSSL_ROOT_DIR=/path/to/aws-lc/install
cmake --build build-awslc --target coreUnitTests ovpncli
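The last bullet of the description above describes an object-lifetime defect rather than an AWS-LC API difference. The following is an added illustration, not code from this PR or from OpenVPN3: the class names ExternalPKIImpl and ExternalPKIRsaImpl are borrowed from the description, but their members (key_id, sign()) are assumed stand-ins. It shows why make_shared<ExternalPKIImpl>(ExternalPKIRsaImpl()) drops the RSA data: copy-constructing a base-class object from a derived temporary slices off the derived part, virtual dispatch then lands in the base class, and the temporary that held the real state is destroyed at the end of the full expression, so any raw pointer registered with libcrypto during its construction would dangle.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Hypothetical stand-ins for OpenVPN3's external-PKI classes (names assumed,
// not the project's code). The base provides a default sign() so that the
// broken construction pattern compiles, as it evidently did in the real tree.
struct ExternalPKIImpl
{
    virtual ~ExternalPKIImpl() = default;
    virtual std::string sign(const std::string &digest) const
    {
        (void)digest;
        return "<no backend>";
    }
};

// The RSA-specific implementation carries state the signing callback needs.
struct ExternalPKIRsaImpl : ExternalPKIImpl
{
    std::string key_id = "rsa-key-1"; // constructed sample state
    std::string sign(const std::string &digest) const override
    {
        return "rsa(" + key_id + "):" + digest;
    }
};

// Broken pattern: the shared object is a plain ExternalPKIImpl copied from a
// derived temporary. key_id is sliced away, and the temporary is gone once the
// expression completes.
std::shared_ptr<ExternalPKIImpl> make_broken()
{
    return std::make_shared<ExternalPKIImpl>(ExternalPKIRsaImpl());
}

// Fixed pattern (what the PR switches to): construct the derived object itself
// and let the pointer convert to the base type.
std::shared_ptr<ExternalPKIImpl> make_fixed()
{
    return std::make_shared<ExternalPKIRsaImpl>();
}

// True if the object behind the base pointer really is the RSA implementation.
bool is_rsa_impl(const std::shared_ptr<ExternalPKIImpl> &impl)
{
    return dynamic_cast<const ExternalPKIRsaImpl *>(impl.get()) != nullptr;
}

int main()
{
    std::cout << "broken: " << make_broken()->sign("digest") << "\n"; // <no backend>
    std::cout << "fixed:  " << make_fixed()->sign("digest") << "\n";  // rsa(rsa-key-1):digest
    return 0;
}
```

The dynamic_cast check is the quickest way to confirm in a unit test that the object registered with libcrypto is the concrete implementation and not a sliced copy.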

@prasden prasden force-pushed the awslc-integration branch from 0513258 to c442e6e Compare June 2, 2026 18:05
@schwabe schwabe self-requested a review June 2, 2026 22:26

@schwabe schwabe left a comment

Contributor


I started reviewing this, but I think the PR needs a bit of overhaul in the general strategy: wherever possible, avoid the ifdefs directly in the code and instead try to use compat.hpp.

It seems that this PR also ignores a lot of the compat stuff that is already there for OpenSSL 1.1.x that has its own compat layer and instead adds its own distinct ifdef/compat stuff.

That generates extra code to maintain.

To be honest, this PR feels a bit like AI was used and then not really cleaned up by a human enough to make it actually good/maintainable code.

Review comment threads (now outdated) on: openvpn/openssl/util/error.hpp, openvpn/openssl/ssl/sslctx.hpp, openvpn/openssl/sign/pkcs7verify.hpp
@prasden

prasden commented Jun 5, 2026

Author

Thank you for the feedback. I am going to close this PR and open a different one more in line with using compat.hpp instead of in line definitions.

@prasden prasden closed this Jun 5, 2026
@ordex

ordex commented Jun 6, 2026

Member

You could also force push to the same branch, instead of opening new PRs each time. It's less noisy and easier to follow, because we don't lose older comments.

@schwabe

schwabe commented Jun 6, 2026

Contributor

Yes, I agree with @ordex: please force push to this PR and reopen it if you have a new version.

@prasden prasden reopened this Jun 8, 2026
@prasden prasden force-pushed the awslc-integration branch from bfd1830 to 3bbd685 Compare June 8, 2026 05:03
@prasden prasden force-pushed the awslc-integration branch from 3bbd685 to 799541e Compare June 8, 2026 05:06
@prasden

prasden commented Jun 8, 2026

Author

Ack, reopened with the force pushed changes and edited the PR description. Thanks!

@prasden prasden requested a review from schwabe June 8, 2026 07:04