feat(build): Improve OpenSSL libcrypto discovery

[goatgoose]

Release Summary:

• s2n-tls now uses the FindOpenSSL CMake module as part of the search for a libcrypto, allowing libcrypto dependencies to be discovered and linked to automatically.

Resolved issues:

resolves #5078

Description of changes:

Currently, s2n-tls has a two-step process for discovering a libcrypto to link to. First, we search for AWS-LC's crypto-config.cmake file in the user's provided search paths or somewhere on the system. Then, if AWS-LC's config isn't found, we search directly for libcrypto.a/libcrypto.so artifacts using our Findcrypto.cmake module, invoked by find_package().

In the case that AWS-LC's config isn't found, and we search directly for libcrypto artifacts, it's possible that the libcrypto that's discovered may have its own dependencies. For example, OpenSSL can be configured with a dependency on zlib. In this case, s2n-tls will fail to build, because we don't properly specify the libcrypto dependencies that must be linked to (see #5075 (comment)). The current solution to workaround this would be for the user to specify the linker arguments manually depending on how the libcrypto is configured, with something like this:

export LDFLAGS="-Wl,--no-as-needed -lcrypto -lz -lzstd -ldl -pthread"

Manually specifying linker arguments when building s2n-tls is not a great experience. And it's been reported that manually specifying these flags may not always work (though I haven't been able to reproduce this yet): #5078 (comment).

This PR adds a new step to the s2n-tls libcrypto search to invoke the FindOpenSSL CMake module. This performs a more sophisticated search for OpenSSL by looking for CMake/pkgconfig files that declare the dependencies for the discovered libcrypto. These dependencies are then automatically added to the libcrypto target, avoiding the need to manually specify them.

Call-outs:

This change resulted in the 32bit cross compile test discovering the system's normal 64 bit libcrypto instead of the intended 32 bit libcrypto. I updated the test to give s2n-tls the path to the 32 bit libcrypto so it would find it. This indicates that the new search procedure won't be 100% backwards compatible. However, I believe the change is safe under the assumption that if your use case requires a specific libcrypto (such as the 32 bit libcrypto in the cross compile test), you should be pathing to that libcrypto specifically rather than assuming s2n-tls will discover it first in its search process.

Testing:

A new test was added which confirms that s2n-tls is now able to link to an OpenSSL installation with a dependency on zlib. This test fails on mainline s2n-tls.

I also confirmed that this change allows s2n-tls to build on a ubunu25 instance without manually providing any linker arguments:

Before change

> ./build.sh
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.10 will be removed from a future version of
  CMake.
Update the VERSION argument  value.  Or, use the ... syntax

to tell CMake that the project requires at least  but has been updated

to work with policies introduced by  or earlier.
-- The C compiler identification is GNU 14.2.0

-- Detecting C compiler ABI info

-- Detecting C compiler ABI info - done

-- Check for working C compiler: /usr/bin/cc - skipped

-- Detecting C compile features

-- Detecting C compile features - done

-- Detected CMAKE_SYSTEM_PROCESSOR as x86_64

-- Detected 64-Bit system

-- Performing Test CMAKE_HAVE_LIBC_PTHREAD

-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success

-- Found Threads: TRUE

-- Found crypto: /usr/lib/x86_64-linux-gnu/libcrypto.a

-- LibCrypto Include Dir: /usr/include

-- LibCrypto Shared Lib:  /usr/lib/x86_64-linux-gnu/libcrypto.so

-- LibCrypto Static Lib:  /usr/lib/x86_64-linux-gnu/libcrypto.a

-- Using libcrypto from the cmake path

-- CMAKE_AR found: /usr/bin/ar

-- CMAKE_RANLIB found: /usr/bin/ranlib

-- CMAKE_OBJCOPY found: /usr/bin/objcopy

-- feature S2N_ATOMIC_SUPPORTED: TRUE

-- feature S2N_CLOEXEC_SUPPORTED: TRUE

-- feature S2N_CLOEXEC_XOPEN_SUPPORTED: TRUE

-- feature S2N_CLONE_SUPPORTED: TRUE

-- feature S2N_COMPILER_SUPPORTS_BRANCH_ALIGN: TRUE

-- feature S2N_CPUID_AVAILABLE: TRUE

-- feature S2N_DIAGNOSTICS_POP_SUPPORTED: TRUE

-- feature S2N_DIAGNOSTICS_PUSH_SUPPORTED: TRUE

-- feature S2N_EXECINFO_AVAILABLE: TRUE

-- feature S2N_FALL_THROUGH_SUPPORTED: TRUE

-- feature S2N_FEATURES_AVAILABLE: TRUE

-- feature S2N_KTLS_SUPPORTED: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_CUSTOM_OID: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_ENGINE: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_KEM: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_RC4: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_FLAG_NO_CHECK_TIME: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_HKDF: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_MLDSA: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_MLKEM: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_PRIVATE_RAND: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_PROVIDERS: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_RSA_PSS_SIGNING: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_SHAKE: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_X509_STORE_LIST: FALSE

-- feature S2N_LINUX_SENDFILE: TRUE

-- feature S2N_MADVISE_SUPPORTED: TRUE

-- feature S2N_MINHERIT_SUPPORTED: FALSE

-- feature S2N_STACKTRACE: TRUE

-- Running tests with environment: S2N_DONT_MLOCK=1

-- Configuring done (4.9s)

-- Generating done (0.4s)

-- Build files have been written to: /home/ubuntu/s2n-tls-fork/build

...

[ 26%] Linking C executable bin/policy

[ 27%] Linking C static library lib/libtestss2n.a

[ 27%] Built target testss2n

[ 27%] Linking C executable bin/s2nd

/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcrypto.a(libcrypto-lib-c_zlib.o): in function zlib_stateful_expand_block': (.text+0x89): undefined reference to inflate'

/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libcrypto.a(libcrypto-lib-c_zlib.o): in function zlib_stateful_compress_block': (.text+0x133): undefined reference to deflate'

...

After change

> ./build.sh
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.10 will be removed from a future version of
  CMake.
Update the VERSION argument  value.  Or, use the ... syntax

to tell CMake that the project requires at least  but has been updated

to work with policies introduced by  or earlier.
-- The C compiler identification is GNU 14.2.0

-- Detecting C compiler ABI info

-- Detecting C compiler ABI info - done

-- Check for working C compiler: /usr/bin/cc - skipped

-- Detecting C compile features

-- Detecting C compile features - done

-- Detected CMAKE_SYSTEM_PROCESSOR as x86_64

-- Detected 64-Bit system

-- Performing Test CMAKE_HAVE_LIBC_PTHREAD

-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success

-- Found Threads: TRUE

-- Found crypto: /usr/lib/x86_64-linux-gnu/libcrypto.a

-- libcrypto discovered by the FindOpenSSL module

-- LibCrypto Include Dir: /usr/include

-- LibCrypto Shared Lib:

-- LibCrypto Static Lib:  /usr/lib/x86_64-linux-gnu/libcrypto.a

-- Using libcrypto from the cmake path

-- CMAKE_AR found: /usr/bin/ar

-- CMAKE_RANLIB found: /usr/bin/ranlib

-- CMAKE_OBJCOPY found: /usr/bin/objcopy

-- feature S2N_ATOMIC_SUPPORTED: TRUE

-- feature S2N_CLOEXEC_SUPPORTED: TRUE

-- feature S2N_CLOEXEC_XOPEN_SUPPORTED: TRUE

-- feature S2N_CLONE_SUPPORTED: TRUE

-- feature S2N_COMPILER_SUPPORTS_BRANCH_ALIGN: TRUE

-- feature S2N_CPUID_AVAILABLE: TRUE

-- feature S2N_DIAGNOSTICS_POP_SUPPORTED: TRUE

-- feature S2N_DIAGNOSTICS_PUSH_SUPPORTED: TRUE

-- feature S2N_EXECINFO_AVAILABLE: TRUE

-- feature S2N_FALL_THROUGH_SUPPORTED: TRUE

-- feature S2N_FEATURES_AVAILABLE: TRUE

-- feature S2N_KTLS_SUPPORTED: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_CUSTOM_OID: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_ENGINE: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_KEM: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_EVP_RC4: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_FLAG_NO_CHECK_TIME: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_HKDF: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_MLDSA: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_MLKEM: FALSE

-- feature S2N_LIBCRYPTO_SUPPORTS_PRIVATE_RAND: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_PROVIDERS: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_RSA_PSS_SIGNING: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_SHAKE: TRUE

-- feature S2N_LIBCRYPTO_SUPPORTS_X509_STORE_LIST: TRUE

-- feature S2N_LINUX_SENDFILE: TRUE

-- feature S2N_MADVISE_SUPPORTED: TRUE

-- feature S2N_MINHERIT_SUPPORTED: FALSE

-- feature S2N_STACKTRACE: TRUE

-- Running tests with environment: S2N_DONT_MLOCK=1

-- Configuring done (5.0s)

-- Generating done (0.4s)

-- Build files have been written to: /home/ubuntu/s2n-tls-fork/build

[  0%] Building C object CMakeFiles/s2n.dir/crypto/s2n_aead_cipher_aes_gcm.c.o

[  0%] Building C object CMakeFiles/s2n.dir/crypto/s2n_aead_cipher_chacha20_poly1305.c.o

[  0%] Building C object CMakeFiles/s2n.dir/crypto/s2n_cbc_cipher_aes.c.o

[  0%] Building C object CMakeFiles/s2n.dir/crypto/s2n_cbc_cipher_3des.c.o

[  0%] Building C object CMakeFiles/s2n.dir/crypto/s2n_certificate.c.o

[  1%] Building C object CMakeFiles/s2n.dir/crypto/s2n_dhe.c.o

[  1%] Building C object CMakeFiles/s2n.dir/crypto/s2n_cipher.c.o

[  1%] Building C object CMakeFiles/s2n.dir/crypto/s2n_crypto.c.o

[  1%] Building C object CMakeFiles/s2n.dir/crypto/s2n_composite_cipher_aes_sha.c.o

[  1%] Building C object CMakeFiles/s2n.dir/crypto/s2n_ecc_evp.c.o

...

[ 99%] Built target s2n_tls13_handshake_state_machine_test

[ 99%] Built target s2n_tls_prf_test

[ 99%] Linking C executable bin/s2n_tls13_secrets_test

[100%] Linking C executable bin/s2n_signature_algorithms_test

[100%] Linking C executable bin/s2n_server_key_share_extension_test

[100%] Built target s2n_tls13_secrets_test

[100%] Built target s2n_signature_algorithms_test

[100%] Built target s2n_server_key_share_extension_test

[100%] Linking C executable bin/s2n_shutdown_test

[100%] Linking C executable bin/s2n_self_talk_session_resumption_test

[100%] Built target s2n_shutdown_test

[100%] Built target s2n_self_talk_session_resumption_test

[100%] Linking C executable bin/s2n_server_new_session_ticket_test

[100%] Built target s2n_server_new_session_ticket_test

[100%] Linking C executable bin/s2n_resume_test

[100%] Built target s2n_resume_test

[100%] Linking C executable bin/s2n_session_ticket_test

[100%] Built target s2n_session_ticket_test

[100%] Linking C executable bin/s2n_x509_validator_test

[100%] Built target s2n_x509_validator_test

Internal ctest changing into directory: /home/ubuntu/s2n-tls-fork/build

...
100% tests passed, 0 tests failed out of 277

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[dougch]

nit; curious to know (STATUS) what's getting linked...

[dougch]

This is slightly different than the build.sh output in the comments? That appears to be using the system installed libcrypto, where-as this is building it anew- did you have an example of this workflow running/failing on mainline (or did I miss it)?

[goatgoose]

Yeah it's linked in the description: https://github.com/goatgoose/s2n-tls/actions/runs/18793539852/job/53629032545?pr=20

The test output pasted in the description is from testing this change with the ubuntu25 system libcrypto.