To support the MONGODB-AWS authentication mechanism, the driver will need to make signed AWS requests. The kms-message library does exactly that.

Here is a rough sketch of what I had in mind. Feel free to amend as needed.

• Put kms-message into src/libmongoc/kms-message (as a sibling directory of zlib-1.2.11)
• Do not use or alter the CMakeLists.txt (or any files) within kms-message, so we can copy over kms-message again in future. Instead, have src/libmongoc/CMakeLists.txt responsible for adding kms-message files to dist.
• Similar to zlib, add the sources for kms-message in src/libmongoc/CMakeLists.txt. Do not define KMS_MSG_EXPORT, as we should not be exporting kms-message symbols.

Also to consider. If it seems a lot cleaner, we could move both zlib-1.2.11 and kms-message into a subdirectory named "vendor".

We don't need rigorous testing (if anything, maybe just check calling a kms function from libmongoc as a one-off test). The implementation of CDRIVER-3424 will test by virtue of using kms-message.