Nix awslc-fips #5035

Draft. Wants to merge 9 commits into base: main.
229 changes: 221 additions & 8 deletions flake.lock


22 changes: 17 additions & 5 deletions flake.nix
Expand Up @@ -4,12 +4,14 @@
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
# TODO: https://github.com/aws/aws-lc/pull/830
inputs.awslc.url = "github:dougch/aws-lc?ref=nixv1.36.0";
inputs.awslc-fips.url = "github:dougch/aws-lc?ref=nixfips-2024-09-27";

outputs = { self, nix, nixpkgs, awslc, flake-utils }:
outputs = { self, nix, nixpkgs, awslc, awslc-fips, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
aws-lc = awslc.packages.${system}.aws-lc;
aws-lc-fips = awslc-fips.packages.${system}.aws-lc-fips;
# TODO: submit a flake PR
Comment on lines +14 to 15

Contributor:
Which version of awslc-fips is this? The one our CI calls "awslc-fips" or the one it calls "awslc-fips-2022"? Or is this a completely different version?

Contributor:
PR says it's fips-2024-09-27

Contributor:
And I'm guessing that's not the "awslc-fips" used by the rest of the CI? Is the inconsistency a potential problem? Which version of awslc-fips SHOULD we be testing with?

Contributor:
Yeah, the rest of the CI is 2022. My preference is to test with the newest version though. Not sure why we're able to upgrade our nix awslc version more easily than the rest of the CI.

Contributor (Author):
Theoretically there is an aws-lc-fips release per year, and they are pretty stationary after release. This one is the ML-KEM and 140-3 validation flavor. Let's discuss the SHOULD question offline, but we should add latest regardless.

corretto = import nix/amazon-corretto-17.nix { pkgs = pkgs; };
# TODO: We have parts of our CI that rely on clang-format-15, but that is only available on github:nixos/nixpkgs/nixos-unstable
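Review bot: the new `inputs.awslc-fips.url` follows a mutable branch ref (`?ref=nixfips-2024-09-27`) on the personal fork `dougch/aws-lc`, exactly like the `awslc` input above it, but without the `# TODO: https://github.com/aws/aws-lc/pull/830` marker that records where the upstream flake is meant to come from. flake.lock pins the resolved revision today, yet a later `nix flake update` will silently follow wherever that branch is moved, which matters more for a FIPS libcrypto than for the non-FIPS one. Suggest either a `rev=` pin or the same TODO line pointing at the upstream PR so the provenance of the FIPS build stays visible in the flake.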
Expand Down Expand Up @@ -101,6 +103,7 @@
OPENSSL_1_1_1_INSTALL_DIR = "${openssl_1_1_1}";
OPENSSL_3_0_INSTALL_DIR = "${openssl_3_0}";
AWSLC_INSTALL_DIR = "${aws-lc}";
AWSLCFIPS_INSTALL_DIR = "${aws-lc-fips}";
GNUTLS_INSTALL_DIR = "${pkgs.gnutls}";
LIBRESSL_INSTALL_DIR = "${libressl}";
# Integ s_client/server tests expect openssl 1.1.1.
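Review bot: `AWSLCFIPS_INSTALL_DIR` breaks the naming convention of its neighbours (`OPENSSL_1_1_1_INSTALL_DIR`, `OPENSSL_3_0_INSTALL_DIR`, `AWSLC_INSTALL_DIR`), which separate the libcrypto name from its variant with underscores. Unless something in nix/shell.sh or the CMake configuration already consumes this exact spelling, `AWSLC_FIPS_INSTALL_DIR` would be easier to grep for and lines up with the `awslc-fips` devShell name introduced later in this file.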
Expand All @@ -118,7 +121,6 @@
buildInputs = [ pkgs.cmake openssl_1_1_1 ];
S2N_LIBCRYPTO = "openssl-1.1.1";
# Integ s_client/server tests expect openssl 1.1.1.
# GnuTLS-cli and serv utilities needed for some integration tests.
shellHook = ''
echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
export PATH=${openssl_1_1_1}/bin:$PATH
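Review bot: this hunk only deletes the `# GnuTLS-cli and serv utilities needed for some integration tests.` comment; the shellHook below it is unchanged in the visible context, so either the comment was stale or the matching gnutls PATH handling should go with it. Whichever it is, the commit message should say so, and a comment-only cleanup across several shells is easier to review as its own commit than folded into the awslc-fips change.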
Expand All @@ -133,7 +135,6 @@
buildInputs = [ pkgs.cmake libressl ];
S2N_LIBCRYPTO = "libressl";
# Integ s_client/server tests expect openssl 1.1.1.
# GnuTLS-cli and serv utilities needed for some integration tests.
shellHook = ''
echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
export PATH=${openssl_1_1_1}/bin:$PATH
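Review bot: same comment-only deletion as in the openssl-1.1.1 shell above, with the libressl shellHook otherwise untouched; if the GnuTLS note is stale, drop all of these copies in one dedicated cleanup commit rather than here.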
Expand All @@ -148,7 +149,6 @@
buildInputs = [ pkgs.cmake openssl_1_0_2 ];
S2N_LIBCRYPTO = "openssl-1.0.2";
# Integ s_client/server tests expect openssl 1.1.1.
# GnuTLS-cli and serv utilities needed for some integration tests.
shellHook = ''
echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
export PATH=${openssl_1_1_1}/bin:$PATH
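Review bot: third copy of the `# GnuTLS-cli and serv utilities ...` comment removal, this time in the openssl-1.0.2 shell; as with the two above, the surrounding shellHook is unchanged, so this belongs in the same separate cleanup commit with a note on why the comment no longer applies.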
Expand All @@ -163,7 +163,19 @@
buildInputs = [ pkgs.cmake aws-lc ];
S2N_LIBCRYPTO = "awslc";
# Integ s_client/server tests expect openssl 1.1.1.
# GnuTLS-cli and serv utilities needed for some integration tests.
shellHook = ''
echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
export PATH=${openssl_1_1_1}/bin:$PATH
export PS1="[nix $S2N_LIBCRYPTO] $PS1"
source ${writeScript ./nix/shell.sh}
'';
});
devShells.awslc-fips = devShells.default.overrideAttrs
(finalAttrs: previousAttrs: {
# Re-include cmake to update the environment with a new libcrypto.
buildInputs = [ pkgs.cmake aws-lc-fips ];
S2N_LIBCRYPTO = "awslc-fips";
# Integ s_client/server tests expect openssl 1.1.1.
Contributor @maddeleine, Jan 22, 2025:
These next couple of changes seem unrelated to awslc-fips? What's happening here?

Contributor (Author):
iirc, the shellHook couldn't be appended to, so in order to change one value (PS1), the whole thing had to be redefined. There is one irrelevant comment on 183 I'll remove though.

shellHook = ''
echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
export PATH=${openssl_1_1_1}/bin:$PATH
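Review bot: the new `devShells.awslc-fips` copies the whole shellHook from the awslc shell, but every line of that hook that varies between shells already reads `$S2N_LIBCRYPTO` (the `echo`, the `export PS1="[nix $S2N_LIBCRYPTO] $PS1"`), so the hook body is identical across shells and could live in one `let` binding that each `overrideAttrs` reuses; that would also answer the "what's happening here" question without redefining the hook per shell. Two smaller points: `finalAttrs` and `previousAttrs` are accepted but unused in the new override, and the new shell sets `S2N_LIBCRYPTO = "awslc-fips"` while the install dir variable added earlier is `AWSLCFIPS_INSTALL_DIR`, so it is worth confirming nix/shell.sh maps that value to that variable rather than deriving the name from `S2N_LIBCRYPTO`.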
20 changes: 19 additions & 1 deletion nix/README.md
Expand Up @@ -31,7 +31,25 @@ separate from the buildPhase, configurePhase and checkPhase.

### Specific libcrypto

By default, the devShell uses Openssl-3. To run the devShell with a different libcrypto like awslc, use `nix develop .#awslc`. The currently supported options are awslc, openssl111, openssl102, and libressl. See flake.nix in the root directory.
By default, the development shell uses Openssl-3. To enter a development shell with a different libcrypto like awslc, use `nix develop .#awslc`. The currently supported options are awslc, awslc-fips, openssl111, openssl102, and libressl. See `flake.nix` in the root directory for more specifics.

There are helper aliases in the development shell to help you use the binaries associated with different libcryptos, information about these is printed out when you enter a development shell, e.g.:

```
$ nix develop .#awslc-fips
Libcrypto binary /nix/store/g4xnh7h1yk783d8r47fdirdq39yimnl0-openssl-1.0.2/bin/openssl available as openssl102
Libcrypto binary /nix/store/6sqmgyq2m5kshfysgwn3j4k1jr74ij3r-openssl-1.1.1/bin/openssl available as openssl111
Libcrypto binary /nix/store/j4nwg83rqgv70p3i740krbk3g041fg43-openssl-3.0.7/bin/openssl available as openssl30
Libcrypto binary /nix/store/64bg46k428bzwmazx05935rnql21zp3l-aws-lc/bin/bssl available as bssl
Libcrypto binary /nix/store/bv0gsw3rrv5b5s17lsyfv2v77wk9rvda-aws-lc-fips/bin/bssl available as fipsbssl
Libcrypto binary /nix/store/c88smradwsi0sc1gcimmlpkgk4v978al-libressl-3.6.1/bin/openssl available as libressl
```

If you wanted to query the version of openssl30, you would type `openssl30 version` in your development shell:
```
[nix awslc-fips]$ openssl30 version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
```

### Configure and build
