diff --git a/flake.lock b/flake.lock
index e215dd49511..d8c12dac69d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,65 @@
 "type": "github"
 }
 },
+ "awslc-fips": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
+ "nix": "nix_2",
+ "nixpkgs": "nixpkgs_4"
+ },
+ "locked": {
+ "lastModified": 1737496455,
+ "narHash": "sha256-zBJjsmqOnELGamZjN0GN/5EokgEF3DQOva27r6BMYsE=",
+ "owner": "dougch",
+ "repo": "aws-lc",
+ "rev": "ab74281ab92c7fd82819e51c19cdc61624431dd7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "dougch",
+ "ref": "nixfips-2024-09-27",
+ "repo": "aws-lc",
+ "type": "github"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1733328505,
+ "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "awslc-fips",
+ "nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1733312601,
+ "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1667395993,
@@ -36,6 +95,23 @@
 }
 },
 "flake-utils_2": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "flake-utils_3": {
 "locked": {
 "lastModified": 1667395993,
 "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -49,6 +125,41 @@
 "type": "indirect"
 }
 },
+ "git-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "awslc-fips",
+ "nix"
+ ],
+ "gitignore": [
+ "awslc-fips",
+ "nix"
+ ],
+ "nixpkgs": [
+ "awslc-fips",
+ "nix",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": [
+ "awslc-fips",
+ "nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1734279981,
+ "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "type": "github"
+ }
+ },
 "lowdown-src": {
 "flake": false,
 "locked": {
@@ -102,10 +213,32 @@
 },
 "nix_2": {
 "inputs": {
- "lowdown-src": "lowdown-src_2",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "git-hooks-nix": "git-hooks-nix",
 "nixpkgs": "nixpkgs_3",
+ "nixpkgs-23-11": "nixpkgs-23-11",
 "nixpkgs-regression": "nixpkgs-regression_2"
 },
+ "locked": {
+ "lastModified": 1736859128,
+ "narHash": "sha256-TbnLQ3Z2Voj0mMHhw30dJPEjQYmj6bfLMVGr8RU20v4=",
+ "owner": "NixOS",
+ "repo": "nix",
+ "rev": "8aafc0588594033fc6f1c3e2a36fe6f04559981f",
+ "type": "github"
+ },
+ "original": {
+ "id": "nix",
+ "type": "indirect"
+ }
+ },
+ "nix_3": {
+ "inputs": {
+ "lowdown-src": "lowdown-src_2",
+ "nixpkgs": "nixpkgs_5",
+ "nixpkgs-regression": "nixpkgs-regression_3"
+ },
 "locked": {
 "lastModified": 1674061467,
 "narHash": "sha256-yvLbQusfeOizDwHFfTRtVwrUU15q2oaeDzImRGxoTs4=",
@@ -135,6 +268,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-23-11": {
+ "locked": {
+ "lastModified": 1717159533,
+ "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+ "type": "github"
+ }
+ },
 "nixpkgs-regression": {
 "locked": {
 "lastModified": 1643052045,
@@ -167,6 +316,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-regression_3": {
+ "locked": {
+ "lastModified": 1643052045,
+ "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1675918889,
@@ -184,6 +349,38 @@
 }
 },
 "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1734359947,
+ "narHash": "sha256-1Noao/H+N8nFB4Beoy8fgwrcOQLVm9o4zKW1ODaqK9E=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "48d12d5e70ee91fe8481378e540433a7303dbf6a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_4": {
+ "locked": {
+ "lastModified": 1688392541,
+ "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1670461440,
 "narHash": "sha256-jy1LB8HOMKGJEGXgzFRLDU1CBGL0/LlkolgnqIsF0D8=",
@@ -199,13 +396,13 @@
 "type": "github"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_6": {
 "locked": {
- "lastModified": 1674781052,
- "narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=",
+ "lastModified": 1688392541,
+ "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b",
+ "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
 "type": "github"
 },
 "original": {
@@ -218,9 +415,25 @@ "root": { "inputs": { "awslc": "awslc", - "flake-utils": "flake-utils_2", - "nix": "nix_2", - "nixpkgs": "nixpkgs_4" + "awslc-fips": "awslc-fips", + "flake-utils": "flake-utils_3", + "nix": "nix_3", + "nixpkgs": "nixpkgs_6" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index b38d08909fb..b0d09c8d75e 100644 --- a/flake.nix +++ b/flake.nix @@ -4,12 +4,14 @@ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; # TODO: https://github.com/aws/aws-lc/pull/830 inputs.awslc.url = "github:dougch/aws-lc?ref=nixv1.36.0"; + inputs.awslc-fips.url = "github:dougch/aws-lc?ref=nixfips-2024-09-27"; - outputs = { self, nix, nixpkgs, awslc, flake-utils }: + outputs = { self, nix, nixpkgs, awslc, awslc-fips, flake-utils }: flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; aws-lc = awslc.packages.${system}.aws-lc; + aws-lc-fips = awslc-fips.packages.${system}.aws-lc-fips; # TODO: submit a flake PR corretto = import nix/amazon-corretto-17.nix { pkgs = pkgs; }; # TODO: We have parts of our CI that rely on clang-format-15, but that is only available on github:nixos/nixpkgs/nixos-unstable @@ -101,6 +103,7 @@ OPENSSL_1_1_1_INSTALL_DIR = "${openssl_1_1_1}"; OPENSSL_3_0_INSTALL_DIR = "${openssl_3_0}"; AWSLC_INSTALL_DIR = "${aws-lc}"; + AWSLCFIPS_INSTALL_DIR = "${aws-lc-fips}"; GNUTLS_INSTALL_DIR = "${pkgs.gnutls}"; LIBRESSL_INSTALL_DIR = "${libressl}"; # Integ s_client/server tests expect openssl 1.1.1. 
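Review bot: `inputs.awslc-fips.url` points at a personal fork (`dougch/aws-lc`) through a mutable branch ref (`nixfips-2024-09-27`), and unlike `inputs.awslc` directly above it there is no TODO recording why the fork is used or what it should eventually be replaced with. flake.lock pins the input to a rev and narHash, so builds stay reproducible until the next `nix flake update`, which re-resolves the ref against the fork; the `awslc` input has the same exposure, but at least carries a pointer. Suggest a comment such as `# TODO: personal fork of aws-lc by branch ref; replace once a FIPS build is available from upstream (see TODO above)`, or pinning the ref to the commit recorded in flake.lock. The `outputs` function and its `let` block continue past the end of the hunk.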
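Review bot: `AWSLCFIPS_INSTALL_DIR` breaks the naming pattern of its neighbours, where the variant is set off with underscores (`OPENSSL_1_1_1_INSTALL_DIR`, `OPENSSL_3_0_INSTALL_DIR`) and the base name stays intact (`AWSLC_INSTALL_DIR`); `AWSLC_FIPS_INSTALL_DIR = "${aws-lc-fips}";` would read as the FIPS variant of the existing variable. The same name is consumed by the new `libcrypto_alias fipsbssl` line in nix/shell.sh, so both would change together. The attribute set this line sits in starts and ends outside the hunk.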
@@ -118,7 +121,6 @@
 buildInputs = [ pkgs.cmake openssl_1_1_1 ];
 S2N_LIBCRYPTO = "openssl-1.1.1";
 # Integ s_client/server tests expect openssl 1.1.1.
- # GnuTLS-cli and serv utilities needed for some integration tests.
 shellHook = ''
 echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
 export PATH=${openssl_1_1_1}/bin:$PATH
@@ -133,7 +135,6 @@
 buildInputs = [ pkgs.cmake libressl ];
 S2N_LIBCRYPTO = "libressl";
 # Integ s_client/server tests expect openssl 1.1.1.
- # GnuTLS-cli and serv utilities needed for some integration tests.
 shellHook = ''
 echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
 export PATH=${openssl_1_1_1}/bin:$PATH
@@ -148,7 +149,6 @@
 buildInputs = [ pkgs.cmake openssl_1_0_2 ];
 S2N_LIBCRYPTO = "openssl-1.0.2";
 # Integ s_client/server tests expect openssl 1.1.1.
- # GnuTLS-cli and serv utilities needed for some integration tests.
 shellHook = ''
 echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
 export PATH=${openssl_1_1_1}/bin:$PATH
@@ -163,7 +163,19 @@
 buildInputs = [ pkgs.cmake aws-lc ];
 S2N_LIBCRYPTO = "awslc";
 # Integ s_client/server tests expect openssl 1.1.1.
- # GnuTLS-cli and serv utilities needed for some integration tests.
+ shellHook = ''
+ echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
+ export PATH=${openssl_1_1_1}/bin:$PATH
+ export PS1="[nix $S2N_LIBCRYPTO] $PS1"
+ source ${writeScript ./nix/shell.sh}
+ '';
+ });
+ devShells.awslc-fips = devShells.default.overrideAttrs
+ (finalAttrs: previousAttrs: {
+ # Re-include cmake to update the environment with a new libcrypto.
+ buildInputs = [ pkgs.cmake aws-lc-fips ];
+ S2N_LIBCRYPTO = "awslc-fips";
+ # Integ s_client/server tests expect openssl 1.1.1.
 shellHook = ''
 echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
 export PATH=${openssl_1_1_1}/bin:$PATH
diff --git a/nix/README.md b/nix/README.md
index 167f3cbb00b..08d18b8de6a 100644
--- a/nix/README.md
+++ b/nix/README.md
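Review bot: The new `devShells.awslc-fips` is a verbatim copy of the `devShells.awslc` attrs with only the package and `S2N_LIBCRYPTO` changed, so this hunk now carries the same `shellHook` block twice, and the hunks at -118, -133 and -148 show it repeated in every other shell. Hoisting the hook into the `let` block that already holds `aws-lc-fips`, e.g. `libcryptoShellHook = '' … '';`, and setting `shellHook = libcryptoShellHook;` in each override would leave the shells differing only in what matters. The new shell also still puts `${openssl_1_1_1}/bin` first on PATH, which a reader entering a FIPS shell may not expect; the existing one-liner could be made explicit as `# Integ s_client/server tests expect openssl 1.1.1, so it stays first on PATH even in the FIPS shell; use the fipsbssl alias for the FIPS libcrypto.` The `devShells.awslc` override begins before this hunk.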
@@ -31,7 +31,25 @@ separate from the buildPhase, configurePhase and checkPhase. ### Specific libcrypto -By default, the devShell uses Openssl-3. To run the devShell with a different libcrypto like awslc, use `nix develop .#awslc`. The currently supported options are awslc, openssl111, openssl102, and libressl. See flake.nix in the root directory. +By default, the development shell uses Openssl-3. To enter a development shell with a different libcrypto like awslc, use `nix develop .#awslc`. The currently supported options are awslc, awslc-fips, openssl111, openssl102, and libressl. See `flake.nix` in the root directory for more specifics. + +There are helper aliases in the development shell to help you use the binaries associated with different libcryptos, information about these is printed out when you enter a development shell, e.g.: + +``` +$ nix develop .#awslc-fips +Libcrypto binary /nix/store/g4xnh7h1yk783d8r47fdirdq39yimnl0-openssl-1.0.2/bin/openssl available as openssl102 +Libcrypto binary /nix/store/6sqmgyq2m5kshfysgwn3j4k1jr74ij3r-openssl-1.1.1/bin/openssl available as openssl111 +Libcrypto binary /nix/store/j4nwg83rqgv70p3i740krbk3g041fg43-openssl-3.0.7/bin/openssl available as openssl30 +Libcrypto binary /nix/store/64bg46k428bzwmazx05935rnql21zp3l-aws-lc/bin/bssl available as bssl +Libcrypto binary /nix/store/bv0gsw3rrv5b5s17lsyfv2v77wk9rvda-aws-lc-fips/bin/bssl available as fipsbssl +Libcrypto binary /nix/store/c88smradwsi0sc1gcimmlpkgk4v978al-libressl-3.6.1/bin/openssl available as libressl +``` + +If you wanted to query the version of openssl30, you would type `openssl30 version` in your development shell: +``` +[nix awslc-fips]$ openssl30 version +OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022) +``` ### Configure and build diff --git a/nix/shell.sh b/nix/shell.sh index 880422f1a6b..008d1e4d316 100644 --- a/nix/shell.sh +++ b/nix/shell.sh 
@@ -23,6 +23,7 @@ libcrypto_alias openssl102 "${OPENSSL_1_0_2_INSTALL_DIR}/bin/openssl" libcrypto_alias openssl111 "${OPENSSL_1_1_1_INSTALL_DIR}/bin/openssl" libcrypto_alias openssl30 "${OPENSSL_3_0_INSTALL_DIR}/bin/openssl" libcrypto_alias bssl "${AWSLC_INSTALL_DIR}/bin/bssl" +libcrypto_alias fipsbssl "${AWSLCFIPS_INSTALL_DIR}/bin/bssl" libcrypto_alias libressl "${LIBRESSL_INSTALL_DIR}/bin/openssl" #No need to alias gnutls because it is included in common_packages (see flake.nix).