Support WASM/Emscripten (#2959)

### Issues:
Addresses: P372521248

### Description of changes:
This PR adds support for building and testing AWS-LC with WebAssembly
(WASM) using an Emscripten toolchain.

### Description

- Defines `OPENSSL_WASM` when compiling with `__wasm__` to enable
WASM-specific code paths
- Configures WASM builds to use `getentropy()` for random number
generation, which Emscripten provides
   - Provide CMake toolchain file: `util/wasm-toolchain.cmake`
   - Added `tests/ci/run_emscripten_tests.sh` for testing.
   - Added CI workflow: .github/workflows/emscripten.yml

### Call-outs:
- Threading is enabled via Emscripten's pthread implementation using Web
Workers and SharedArrayBuffer
- Tests that require `fork()` or POSIX sockets are excluded as these are
not supported in the WASM/Emscripten environments

### Testing:
- The new CI workflow builds AWS-LC and runs `crypto_test`,
`urandom_test`, and `ssl_test` in a WASM/Node.js environment
- All tests pass except those explicitly filtered out due to WASM
platform limitations (fork/socket operations)


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: justsmth

.github/workflows/emscripten.yml

@@ -0,0 +1,50 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+name: WASM Build & Test
+on:
+  push:
+    branches: ["*"]
+  pull_request:
+    branches: ["*"]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+permissions:
+  contents: read
+
+env:
+  EMSDK_VERSION: "4.0.23"
+
+jobs:
+  wasm-build-test:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get -y --no-install-recommends install cmake ninja-build
+
+      - name: Setup Emscripten SDK
+        uses: mymindstorm/setup-emsdk@v14
+        with:
+          version: ${{ env.EMSDK_VERSION }}
+
+      - name: Verify Emscripten installation
+        run: |
+          emcc --version
+          node --version
+
+      - name: Run Emscripten tests
+        env:
+          EMSDK_PATH: ${{ env.EMSDK }}
+        run: |
+          ./tests/ci/run_emscripten_tests.sh

.gitignore

@@ -3,7 +3,7 @@ cmake-build-debug/
 build/
 build32/
 build64/
-build-fips/
+build-*/
 *_BUILD_ROOT/
 ssl/test/runner/runner
 *.pyc

README.md

@@ -68,24 +68,24 @@ adding it to our CI.
 
 ## Platform Support
 
-AWS-LC correctness is tested on a variety of *platforms* (i.e., OS/CPU combinations).  
-The following is an overview of the platforms we actively support or are 
-known to be of interest to our community. 
+AWS-LC correctness is tested on a variety of *platforms* (i.e., OS/CPU combinations).
+The following is an overview of the platforms we actively support or are
+known to be of interest to our community.
 
 If you use a platform not listed below and would like to request it be added to our CI,
 please open an [issue](https://github.com/aws/aws-lc/issues/new/choose) for discussion.
-Regardless of our support level for a particular platform, we will gladly consider contributions that 
+Regardless of our support level for a particular platform, we will gladly consider contributions that
 improve or extend our support.
 
 ### Supported Platforms
 
-The following platforms are actively tested in our CI pipeline. A few of these platforms are tested across 
-multiple compilers or compiler versions. For each pull request, the proposed change is validated to confirm that it 
-successfully builds and tests pass for these platform. 
-A more complete description of our test setup can be found in the 
+The following platforms are actively tested in our CI pipeline. A few of these platforms are tested across
+multiple compilers or compiler versions. For each pull request, the proposed change is validated to confirm that it
+successfully builds and tests pass for these platform.
+A more complete description of our test setup can be found in the
 [CI README](https://github.com/aws/aws-lc/blob/main/tests/ci/README.md).
 
-| OS      | CPU     | 
+| OS      | CPU     |
 |---------|---------|
 | Linux   | x86     |
 | Linux   | x86-64  |
@@ -100,21 +100,33 @@ A more complete description of our test setup can be found in the
 
 ### Other platforms
 
-The platforms listed below are of interest to us or to our community. However, problems reported 
-against them might not be prioritized for immediate action by our team. We welcome contributions 
+The platforms listed below are of interest to us or to our community. However, problems reported
+against them might not be prioritized for immediate action by our team. We welcome contributions
 that improve the experience for consumers on these platforms.
 
-| OS        | CPU         |
-|-----------|-------------|
-| Android   | arm32       |
-| iOS       | aarch64     |
-| Linux     | arm32       |
-| Linux     | loongarch64 |
-| Linux     | risc-v64    |
-| Linux     | s390x       |
-| Windows   | aarch64     |
-| OpenBSD   | x86-64      |
-| FreeBSD   | x86-64      |
+| OS         | CPU         |
+|------------|-------------|
+| Android    | arm32       |
+| Emscripten | wasm32      |
+| iOS        | aarch64     |
+| Linux      | arm32       |
+| Linux      | loongarch64 |
+| Linux      | risc-v64    |
+| Linux      | s390x       |
+| Windows    | aarch64     |
+| OpenBSD    | x86-64      |
+| FreeBSD    | x86-64      |
+
+### WebAssembly (WASM) Support
+
+AWS-LC can be built for WebAssembly using Emscripten. This support is experimental and has important security considerations:
+
+- **No FIPS mode**: WASM builds cannot be FIPS-validated
+- **Randomness**: Relies on the runtime's `getentropy()` implementation
+- **No side-channel protections**: Timing and cache-based side-channel mitigations that exist for native builds may not apply in the WASM environment
+- **Threading limitations**: Uses Web Workers which have different security properties than native threads
+
+For build instructions, see [BUILDING.md](./BUILDING.md).
 
 ### FIPS Compliance
 
@@ -193,5 +205,3 @@ Security via our
 Please do **not** create a public GitHub issue.
 
 If you package or distribute AWS-LC, or use AWS-LC as part of a large multi-user service, you may be eligible for pre-notification of future AWS-LC releases. Please contact aws-lc-pre-notifications@amazon.com.
-
-

crypto/CMakeLists.txt

@@ -702,8 +702,9 @@ endif()
 #
 # For now we assume embedded OSes do not have threads. Additionally, the Threads
 # package does not work with Android, but Android does not require any extra
-# parameters to link pthreads.
-if(NOT CMAKE_SYSTEM_NAME MATCHES "^(Generic|Android)$")
+# parameters to link pthreads. Emscripten provides its own pthread implementation
+# via Web Workers and SharedArrayBuffer, configured through compiler flags.
+if(NOT CMAKE_SYSTEM_NAME MATCHES "^(Generic|Android|Emscripten)$")
   find_package(Threads REQUIRED)
   target_link_libraries(crypto PUBLIC Threads::Threads)
 endif()

crypto/rand_extra/internal.h

@@ -12,7 +12,7 @@
 #define OPENSSL_RAND_WINDOWS
 #elif defined(OPENSSL_MACOS) || defined(OPENSSL_OPENBSD) || \
     defined(OPENSSL_FREEBSD)  || defined(OPENSSL_NETBSD) || \
-    defined(OPENSSL_SOLARIS) || \
+    defined(OPENSSL_SOLARIS) || defined(OPENSSL_WASM) || \
     (defined(OPENSSL_LINUX) && !defined(HAVE_LINUX_RANDOM_H))
 #define OPENSSL_RAND_GETENTROPY
 #elif defined(OPENSSL_IOS)

include/openssl/target.h

@@ -87,7 +87,8 @@
 #define OPENSSL_LOONGARCH64
 #elif defined(__pnacl__)
 #define OPENSSL_PNACL
-#elif defined(__wasm__) // Allowed but no macro defined
+#elif defined(__wasm__)
+#define OPENSSL_WASM
 #elif defined(__asmjs__) // Allowed but no macro defined
 #elif defined(__myriad2__) // Allowed but no macro defined
 #else