From 71fabeb63a9a546870e25433adeb71594e31e920 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Tue, 4 Feb 2025 12:59:49 -0800
Subject: [PATCH] openssh_patch

---
 .../openssh_patch/aws-lc-openssh-master.patch | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch

diff --git a/tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch b/tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch
new file mode 100644
index 0000000000..101faf1670
--- /dev/null
+++ b/tests/ci/integration/openssh_patch/aws-lc-openssh-master.patch
@@ -0,0 +1,33 @@
+diff --git a/configure.ac b/configure.ac
+index e5da93365..b802d0e60 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3276,6 +3276,12 @@ fi
+ # PKCS11/U2F depend on OpenSSL and dlopen().
+ enable_pkcs11=yes
+ enable_sk=yes
++
++AC_CHECK_DECL([OPENSSL_IS_AWSLC],
++	[enable_pkcs11="disabled; PKCS#11 not supported with AWS-LC"],
++	[],
++	[#include <openssl/base.h>]
++)
+ if test "x$openssl" != "xyes" ; then
+ 	enable_pkcs11="disabled; missing libcrypto"
+ fi
+diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
+index 2b9780f5e..6b8fff412 100644
+--- a/openbsd-compat/openssl-compat.h
++++ b/openbsd-compat/openssl-compat.h
+@@ -55,9 +55,9 @@ void ssh_libcrypto_init(void);
+ # endif
+ #endif
+ 
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ /*
+- * BoringSSL (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
++ * BoringSSL and AWS-LC (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
+  * the entire BN_set_flags() interface.
+  * https://boringssl.googlesource.com/boringssl/+/0a211dfe9
+  */