fips feature: both fips and non-fips aws-lc-sys is compiled and present in the library #528

Open
xnox opened this issue Jan 20, 2025 · 2 comments

xnox commented Jan 20, 2025

Using 7bb2ae7

Compiling using

cargo auditable capi install --features fips --locked --prefix=/usr --destdir "${{targets.contextdir}}"

Observing:

2025/01/20 14:34:20 WARN + cargo auditable capi install --no-default-features --features fips --locked '--prefix=/usr' --destdir /home/build/melange-out/rustls-ffi-fips
2025/01/20 14:34:20 WARN     Updating crates.io index
2025/01/20 14:34:23 WARN  Downloading crates ...

2025/01/20 14:34:23 WARN   Downloaded aws-lc-rs v1.12.0
2025/01/20 14:34:23 WARN   Downloaded aws-lc-fips-sys v0.13.0
2025/01/20 14:34:24 WARN   Downloaded aws-lc-sys v0.24.0
2025/01/20 14:34:24 WARN   Downloaded ring v0.17.8

2025/01/20 14:34:25 WARN    Compiling aws-lc-rs v1.12.0
2025/01/20 14:34:35 WARN    Compiling aws-lc-sys v0.24.0
2025/01/20 14:34:44 WARN    Compiling aws-lc-fips-sys v0.13.0

2025/01/20 14:36:46 WARN     Finished `release` profile [optimized] target(s) in 2m 26s
2025/01/20 14:36:46 WARN     Building pkg-config files
2025/01/20 14:36:46 WARN   Populating uninstalled header directory
2025/01/20 14:36:47 WARN   Installing pkg-config file
2025/01/20 14:36:47 WARN   Installing header file
2025/01/20 14:36:47 WARN   Installing static library
2025/01/20 14:36:47 WARN   Installing shared library

The compilation does not have ring, but does have two copies of aws-lc-*sys modules

$ find target/ -name '*.rlib' | grep -e libaws -e libring
target/x86_64-unknown-linux-gnu/release/deps/libaws_lc_sys-2525757ee4a12aa0.rlib
target/x86_64-unknown-linux-gnu/release/deps/libaws_lc_rs-5126331562e8f1b8.rlib
target/x86_64-unknown-linux-gnu/release/deps/libaws_lc_fips_sys-c5f3330d855b5592.rlib

But it does appear to have both aws-lc-sys and aws-lc-fips-sys symbols

$ readelf --wide --symbols target/x86_64-unknown-linux-gnu/release/deps/librustls.so  | ~/.cargo/bin/rustfilt | grep -e SHA256_Update
  2646: 000000000012a8d0     5 FUNC    LOCAL  DEFAULT   11 AWS_LC_TRAMPOLINE_SHA256_Update
  6267: 000000000012a600   695 FUNC    LOCAL  DEFAULT   11 aws_lc_fips_0_13_0_SHA256_Update

Would you be able to trace what pulls in and uses the non-fips-sys version of aws-lc in librustls.so?
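The check the issue performs by hand (list the symbols of the built librustls.so and look for both aws-lc prefixes) can be scripted so a packaging pipeline fails when a FIPS build still links the non-FIPS backend. The script below is an added example, not code from rustls-ffi or from the issue author. It assumes, following the issue's reading of the two quoted lines, that `aws_lc_fips_<ver>_` symbols come from aws-lc-fips-sys, that `aws_lc_<ver>_` and `AWS_LC_TRAMPOLINE_` symbols come from aws-lc-sys, and that `ring_core_` symbols come from ring; the sample listing is constructed from the two lines quoted above plus two unrelated symbols.

```shell
#!/bin/sh
# Added example (not from the rustls-ffi project): classify the crypto backends
# whose symbols appear in a `readelf --wide --symbols lib.so | rustfilt` listing,
# and fail a build that is supposed to be FIPS-only if any other backend is present.
#
# Assumptions (prefix conventions, not stated on the page):
#   aws_lc_fips_<a>_<b>_<c>_*          -> aws-lc-fips-sys
#   aws_lc_<a>_<b>_<c>_*, AWS_LC_TRAMPOLINE_* -> aws-lc-sys (non-FIPS)
#   ring_core_*                        -> ring

# Constructed sample listing: the two lines quoted in the issue, a demangled
# rustls export, and an undefined libc import.
SAMPLE_SYMBOLS='  2646: 000000000012a8d0     5 FUNC    LOCAL  DEFAULT   11 AWS_LC_TRAMPOLINE_SHA256_Update
  6267: 000000000012a600   695 FUNC    LOCAL  DEFAULT   11 aws_lc_fips_0_13_0_SHA256_Update
  7001: 000000000013b000    40 FUNC    GLOBAL DEFAULT   11 rustls_version
  7002: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14'

# Read a symbol listing on stdin and print one backend name per line, in a
# fixed order, for every backend whose prefix is seen.
classify_backends() {
    awk '{
        name = $NF   # symbol name is the last column of readelf/nm output
        if (name ~ /^aws_lc_fips_[0-9]+_[0-9]+_[0-9]+_/) fips = 1
        else if (name ~ /^aws_lc_[0-9]+_[0-9]+_[0-9]+_/ || name ~ /^AWS_LC_TRAMPOLINE_/) nonfips = 1
        else if (name ~ /^ring_core_/) ring = 1
    }
    END {
        if (fips)    print "aws-lc-fips-sys"
        if (nonfips) print "aws-lc-sys"
        if (ring)    print "ring"
    }'
}

# Exit 0 only when the listing on stdin contains aws-lc-fips-sys symbols and no
# other backend; exit 1 otherwise (including when no backend is found at all).
# Usage: readelf --wide --symbols librustls.so | rustfilt | check_fips_only
check_fips_only() {
    backends=$(classify_backends)
    [ "$backends" = "aws-lc-fips-sys" ]
}

# Demo on the constructed sample: both aws-lc backends are present, so the
# FIPS-only check fails, which is the situation the issue reports.
if printf '%s\n' "$SAMPLE_SYMBOLS" | check_fips_only; then
    echo "ok: only aws-lc-fips-sys symbols present"
else
    echo "FAIL: backends present:"
    printf '%s\n' "$SAMPLE_SYMBOLS" | classify_backends
fi
```

Run it against a real artifact with `readelf --wide --symbols target/.../librustls.so | rustfilt | check_fips_only`; the demangling step matters because the Rust-side symbols are mangled, while the C symbols from the sys crates are not. Note that absence of a `libaws_lc_sys-*.rlib` in `target/` is not evidence on its own: the rlib existing is what the issue already observed, and the symbol listing of the final shared object is what shows whether it was actually linked in.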

ctz (Member) commented Jan 20, 2025

Related: rustls/rustls#2291

cpu (Member) commented Jan 20, 2025

> Related: rustls/rustls#2291

Yes I think this is blocked on that Rustls PR, which is in turn blocked on a webpki release.

@xnox Separate from this issue, is Chainguard interested in sponsoring development of rustls-ffi in some way? I've been the primary contributor for some time, but as of January it's exclusively as a volunteer, and, being candid, recreational FIPS work ranks pretty low on my interest list :-)
