Integration test for libgit2 (#2215)

### Description of changes: 
* Integration test for libgit2.
* Adds tests to CodeBuild CI.

### Call-outs:
* Side-steps the C90 header incompatibilities by setting
`-DCMAKE_C_STANDARD=99` for the build.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

include/openssl/des.h

@@ -77,6 +77,8 @@ typedef struct DES_cblock_st {
   uint8_t bytes[8];
 } DES_cblock;
 
+typedef struct DES_cblock_st const_DES_cblock;
+
 typedef struct DES_ks {
   uint32_t subkeys[16][2];
 } DES_key_schedule;

tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml

@@ -36,6 +36,16 @@ batch:
         variables:
           AWS_LC_CI_TARGET: "tests/ci/integration/run_crt_integration.sh"
 
+    - identifier: libgit2_x86_64
+      buildspec: tests/ci/codebuild/common/run_simple_target.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: false
+        compute-type: BUILD_GENERAL1_SMALL
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest
+        variables:
+          AWS_LC_CI_TARGET: "tests/ci/integration/run_libgit2_integration.sh"
+
     - identifier: openssh_integration_master_x86_64
       buildspec: tests/ci/codebuild/common/run_simple_target.yml
       env:

tests/ci/integration/libgit2_patch/0001-Support-for-AWS-LC.patch

@@ -0,0 +1,87 @@
+From 399b74c9a4fd6caa55118f6f9ffdb93808aa0fbc Mon Sep 17 00:00:00 2001
+From: Justin Smith <[email protected]>
+Date: Tue, 25 Feb 2025 11:50:34 -0500
+Subject: [PATCH] Support for AWS-LC
+
+---
+ deps/ntlmclient/crypt_openssl.c |  8 +++++++-
+ deps/ntlmclient/crypt_openssl.h | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/deps/ntlmclient/crypt_openssl.c b/deps/ntlmclient/crypt_openssl.c
+index 3bec27259..abdb46322 100644
+--- a/deps/ntlmclient/crypt_openssl.c
++++ b/deps/ntlmclient/crypt_openssl.c
+@@ -44,7 +44,7 @@ NTLM_INLINE(void) HMAC_CTX_free(HMAC_CTX *ctx)
+
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)) || \
+ 	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x03050000fL) || \
+ 	defined(CRYPT_OPENSSL_DYNAMIC)
+
+@@ -214,8 +214,14 @@ bool ntlm_hmac_md5_init(
+
+ 	ntlm->crypt_ctx.hmac_ctx_cleanup_fn(ntlm->crypt_ctx.hmac);
+
++#if defined(OPENSSL_IS_AWSLC)
++	ntlm->crypt_ctx.hmac_ctx_reset_fn(ntlm->crypt_ctx.hmac);
++	return ntlm->crypt_ctx.hmac_init_ex_fn(ntlm->crypt_ctx.hmac, key, key_len, md5, NULL);
++#else
+ 	return ntlm->crypt_ctx.hmac_ctx_reset_fn(ntlm->crypt_ctx.hmac) &&
+ 	       ntlm->crypt_ctx.hmac_init_ex_fn(ntlm->crypt_ctx.hmac, key, key_len, md5, NULL);
++#endif
++
+ }
+
+ bool ntlm_hmac_md5_update(
+diff --git a/deps/ntlmclient/crypt_openssl.h b/deps/ntlmclient/crypt_openssl.h
+index 8654027db..c18df6848 100644
+--- a/deps/ntlmclient/crypt_openssl.h
++++ b/deps/ntlmclient/crypt_openssl.h
+@@ -60,6 +60,34 @@ typedef struct hmac_ctx_st {
+ } HMAC_CTX;
+ #endif
+
++#if defined(OPENSSL_IS_AWSLC)
++struct ntlm_crypt_ctx {
++	HMAC_CTX *hmac;
++
++	void *openssl_handle;
++
++	void (*des_ecb_encrypt_fn)(const_DES_cblock *input, DES_cblock *output, const DES_key_schedule *ks, int enc);
++	int (*des_set_key_fn)(const_DES_cblock *key, DES_key_schedule *schedule);
++
++	uint32_t (*err_get_error_fn)(void);
++	const char *(*err_lib_error_string_fn)(uint32_t e);
++
++	const EVP_MD *(*evp_md5_fn)(void);
++
++	HMAC_CTX *(*hmac_ctx_new_fn)(void);
++	void (*hmac_ctx_reset_fn)(HMAC_CTX *ctx);
++	void (*hmac_ctx_free_fn)(HMAC_CTX *ctx);
++	void (*hmac_ctx_cleanup_fn)(HMAC_CTX *ctx);
++
++	int (*hmac_init_ex_fn)(HMAC_CTX *ctx, const void *key, unsigned long key_len, const EVP_MD *md, ENGINE *impl);
++	int (*hmac_update_fn)(HMAC_CTX *ctx, const unsigned char *data, size_t len);
++	int (*hmac_final_fn)(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
++
++	unsigned char *(*md4_fn)(const unsigned char *d, size_t n, unsigned char *md);
++
++	int (*rand_bytes_fn)(unsigned char *buf, unsigned long num);
++};
++#else
+ struct ntlm_crypt_ctx {
+ 	HMAC_CTX *hmac;
+
+@@ -86,5 +114,6 @@ struct ntlm_crypt_ctx {
+
+ 	int (*rand_bytes_fn)(unsigned char *buf, int num);
+ };
++#endif
+
+ #endif /* PRIVATE_CRYPT_OPENSSL_H__ */
+-- 
+2.39.5 (Apple Git-154)
+

tests/ci/integration/run_libgit2_integration.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  |
+#  - SRC_ROOT(aws-lc)
+#  |
+#  - SCRATCH_FOLDER
+#    |
+#    - libgit2
+#    - LIBGIT2_BUILD_FOLDER
+#    - LIBGIT2_INSTALL_FOLDER
+#    - AWS_LC_BUILD_FOLDER
+#    - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+SCRATCH_FOLDER=${SYS_ROOT}/"LIBGIT2_SCRATCH"
+LIBGIT2_SRC_FOLDER="${SCRATCH_FOLDER}/libgit2"
+LIBGIT2_PATCH_FOLDER="${SCRIPT_DIR}"/libgit2_patch
+LIBGIT2_BUILD_FOLDER="${SCRATCH_FOLDER}/libgit2-build"
+LIBGIT2_INSTALL_FOLDER="${SCRATCH_FOLDER}/libgit2-install"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+mkdir -p "${SCRATCH_FOLDER}"
+rm -rf "${SCRATCH_FOLDER:?}"/*
+
+pushd "${SCRATCH_FOLDER}"
+
+function libgit2_patch_build() {
+  pushd "${LIBGIT2_SRC_FOLDER}"
+  for patchfile in $(find -L "${LIBGIT2_PATCH_FOLDER}" -type f -name '*.patch' | sort); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+  popd
+}
+
+function libgit2_build_shared() {
+  cmake -B "${LIBGIT2_BUILD_FOLDER}" -DBUILD_SHARED_LIBS=ON -DLINK_WITH_STATIC_LIBRARIES=OFF -DBUILD_TESTS=1 -DCMAKE_INSTALL_PREFIX="${LIBGIT2_INSTALL_FOLDER}" -DOPENSSL_ROOT_DIR="${AWS_LC_INSTALL_FOLDER}" -DUSE_SSH=exec -DUSE_HTTPS=openssl -DUSE_SHA1=HTTPS -DUSE_SHA256=HTTPS -DCMAKE_C_STANDARD=99 -DUSE_AUTH_NTLM=builtin
+  cmake --build "${LIBGIT2_BUILD_FOLDER}" --target install
+  ldd "${LIBGIT2_INSTALL_FOLDER}/bin/git2" | grep "${AWS_LC_INSTALL_FOLDER}" | grep "libcrypto.so" || exit 1
+}
+
+function libgit2_build_static() {
+  cmake -B "${LIBGIT2_BUILD_FOLDER}" -DBUILD_SHARED_LIBS=OFF -DLINK_WITH_STATIC_LIBRARIES=ON -DBUILD_TESTS=1 -DCMAKE_INSTALL_PREFIX="${LIBGIT2_INSTALL_FOLDER}" -DOPENSSL_ROOT_DIR="${AWS_LC_INSTALL_FOLDER}" -DUSE_SSH=exec -DUSE_HTTPS=openssl -DUSE_SHA1=HTTPS -DUSE_SHA256=HTTPS -DCMAKE_C_STANDARD=99 -DUSE_AUTH_NTLM=builtin
+  cmake --build "${LIBGIT2_BUILD_FOLDER}" --target install
+  nm --defined-only "${LIBGIT2_INSTALL_FOLDER}/bin/git2" | grep awslc_version_string || exit 1
+}
+
+function libgit2_run_tests() {
+  ctest --extra-verbose
+}
+
+# Get latest libgit2 version.
+git clone https://github.com/libgit2/libgit2.git "${LIBGIT2_SRC_FOLDER}"
+mkdir -p "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" "${LIBGIT2_BUILD_FOLDER}" "${LIBGIT2_INSTALL_FOLDER}"
+ls
+
+libgit2_patch_build
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=1
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=0
+export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib/:${AWS_LC_INSTALL_FOLDER}/lib64/:${LD_LIBRARY_PATH:-}"
+
+pushd "${LIBGIT2_SRC_FOLDER}"
+libgit2_build_shared
+popd
+
+pushd "${LIBGIT2_BUILD_FOLDER}"
+libgit2_run_tests
+popd
+
+rm -rf "${LIBGIT2_BUILD_FOLDER:?}"/* "${LIBGIT2_INSTALL_FOLDER:?}"/*
+
+pushd "${LIBGIT2_SRC_FOLDER}"
+libgit2_build_static
+popd
+
+pushd "${LIBGIT2_BUILD_FOLDER}"
+libgit2_run_tests
+popd
+
+popd
+
+