From 67ebadea664afaac6c945e7e21f06e9d2bce0082 Mon Sep 17 00:00:00 2001 From: Justin Smith Date: Tue, 26 Nov 2024 10:44:08 -0500 Subject: [PATCH 1/2] Warn unsupported compiler on FIPS build --- aws-lc-fips-sys/Cargo.toml | 1 + aws-lc-fips-sys/builder/cmake_builder.rs | 96 +++++++++++++++++++++++- aws-lc-fips-sys/builder/main.rs | 2 - aws-lc-rs/Cargo.toml | 2 +- 4 files changed, 97 insertions(+), 4 deletions(-) diff --git a/aws-lc-fips-sys/Cargo.toml b/aws-lc-fips-sys/Cargo.toml index 3084cf79ea1..1d357140a2d 100644 --- a/aws-lc-fips-sys/Cargo.toml +++ b/aws-lc-fips-sys/Cargo.toml @@ -64,6 +64,7 @@ cmake = "0.1.48" dunce = "1.0" fs_extra = "1.3" cc = "1.0.100" +regex = "1" [target.'cfg(all(any(target_arch = "x86_64", target_arch = "aarch64"), any(target_os = "linux", target_os = "macos"), any(target_env = "gnu", target_env = "musl", target_env = "")))'.build-dependencies] bindgen = { version = "0.69.5", optional = true } diff --git a/aws-lc-fips-sys/builder/cmake_builder.rs b/aws-lc-fips-sys/builder/cmake_builder.rs index 89662a97003..341ef32a876 100644 --- a/aws-lc-fips-sys/builder/cmake_builder.rs +++ b/aws-lc-fips-sys/builder/cmake_builder.rs @@ -5,6 +5,7 @@ use crate::OutputLib::{Crypto, RustWrapper, Ssl}; use crate::{ cargo_env, emit_warning, execute_command, is_no_asm, option_env, target, target_arch, target_env, target_family, target_os, target_underscored, target_vendor, OutputLibType, + TestCommandResult, }; use std::collections::HashMap; use std::env; @@ -105,6 +106,7 @@ impl CmakeBuilder { cmake_cfg.define("BUILD_SHARED_LIBS", "0"); } + let cc_build = cc::Build::new(); let opt_level = cargo_env("OPT_LEVEL"); if opt_level.ne("0") { if opt_level.eq("1") || opt_level.eq("2") { @@ -120,7 +122,7 @@ impl CmakeBuilder { let parent_dir = self.manifest_dir.parent(); if parent_dir.is_some() && (target_family() == "unix" || target_env() == "gnu") { let parent_dir = parent_dir.unwrap(); - let cc_build = cc::Build::new(); + let flag = format!("\"-ffile-prefix-map={}=\"", parent_dir.display()); if let Ok(true) = cc_build.is_flag_supported(&flag) { emit_warning(&format!("Using flag: {}", &flag)); @@ -144,6 +146,8 @@ impl CmakeBuilder { cmake_cfg.define("CMAKE_BUILD_TYPE", "debug"); } + Self::verify_compiler_support(&cc_build.get_compiler()); + if let Some(prefix) = &self.build_prefix { cmake_cfg.define("BORINGSSL_PREFIX", format!("{prefix}_")); let include_path = self.manifest_dir.join("generated-include"); @@ -229,6 +233,59 @@ impl CmakeBuilder { cmake_cfg } + fn verify_compiler_support(compiler: &cc::Tool) -> Option { + let compiler_path = compiler.path(); + + if compiler.is_like_gnu() || compiler.is_like_clang() { + if let TestCommandResult { + stderr: _, + stdout, + executed: true, + status: true, + } = execute_command(compiler_path.as_os_str(), &["--version".as_ref()]) + { + if let Some(first_line) = stdout.lines().nth(0) { + if let Some((major, minor, patch)) = parse_version(first_line) { + // We don't force a build failure, but we generate a clear message. + if compiler.is_like_gnu() { + emit_warning(&format!("GCC v{major}.{minor}.{patch} detected.")); + if major > 13 { + // TODO: Update when FIPS GCC 14 build is fixed + emit_warning("WARNING: FIPS build is known to fail on GCC >= 14. See: https://github.com/aws/aws-lc-rs/issues/569"); + return Some(false); + } + } + if compiler.is_like_clang() { + emit_warning(&format!("Clang v{major}.{minor}.{patch} detected.")); + if major > 18 { + // TODO: Update when FIPS Clang 19 build is fixed + emit_warning("WARNING: FIPS build is known to fail on Clang >= 19. See: https://github.com/aws/aws-lc-rs/issues/569"); + return Some(false); + } + } + return Some(true); + } + } + } + } else if compiler.is_like_msvc() { + if let TestCommandResult { + stderr, + stdout: _, + executed: true, + status: true, + } = execute_command(compiler_path.as_os_str(), &["/help".as_ref()]) + { + if let Some(first_line) = stderr.lines().nth(0) { + if let Some((major, minor, patch)) = parse_version(first_line) { + emit_warning(&format!("MSVC v{major}.{minor}.{patch} detected.")); + return Some(true); + } + } + } + } + None + } + fn configure_open_harmony(cmake_cfg: &mut cmake::Config) { const OHOS_NDK_HOME: &str = "OHOS_NDK_HOME"; if let Ok(ndk) = env::var(OHOS_NDK_HOME) { @@ -366,3 +423,40 @@ impl crate::Builder for CmakeBuilder { Ok(()) } } + +fn parse_version(line: &str) -> Option<(u32, u32, u32)> { + let version_pattern = regex::Regex::new(r"\s(\d{1,2})\.(\d{1,2})\.(\d+)").unwrap(); + let captures = version_pattern.captures(line)?; + + let major_str = captures.get(1)?.as_str(); + let minor_str = captures.get(2)?.as_str(); + let patch_str = captures.get(3)?.as_str(); + let major = major_str.parse::().ok()?; + let minor = minor_str.parse::().ok()?; + let patch = patch_str.parse::().ok()?; + + Some((major, minor, patch)) +} + +// Tests inside build script don't actually get run. +// These tests and the function above need to be copied elsewhere to test. +// +// #[cfg(test)] +// mod tests { +// #[test] +// fn test_parse_version() { +// let test_cases = [ +// ("Apple clang version 14.0.0 (clang-1500.1.0.2.5)\n", (14, 0, 0)), +// ("gcc (Ubuntu 13.2.0-23ubuntu4) 13.2.0", (13,2,0)), +// ("FreeBSD clang version 18.1.5 (https://github.com/llvm/llvm-project.git llvmorg-18.1.5-0-g617a15a9eac9)", (18,1,5)), +// ("gcc (GCC) 11.4.1 20230605 (Red Hat 11.4.1-2)", (11, 4, 1)), +// ("Microsoft (R) C/C++ Optimizing Compiler Version 19.40.33812 for x64", (19, 40, 33812)) +// ]; +// for case in test_cases { +// let (major, minor, patch) = super::parse_version(case.0).unwrap(); +// assert_eq!(major, case.1 .0); +// assert_eq!(minor, case.1 .1); +// assert_eq!(patch, case.1 .2); +// } +// } +// } diff --git a/aws-lc-fips-sys/builder/main.rs b/aws-lc-fips-sys/builder/main.rs index 2cd939546df..7077e1b4228 100644 --- a/aws-lc-fips-sys/builder/main.rs +++ b/aws-lc-fips-sys/builder/main.rs @@ -216,9 +216,7 @@ fn target_platform_prefix(name: &str) -> String { } pub(crate) struct TestCommandResult { - #[allow(dead_code)] stderr: Box, - #[allow(dead_code)] stdout: Box, executed: bool, status: bool, diff --git a/aws-lc-rs/Cargo.toml b/aws-lc-rs/Cargo.toml index e8cb5e9216e..d373cac01ef 100644 --- a/aws-lc-rs/Cargo.toml +++ b/aws-lc-rs/Cargo.toml @@ -62,7 +62,7 @@ which = "5.0.0" # Pinned dependency to preserve MSRV: ??? <= rust-version < 1.70.0 home = "=0.5.5" # Pinned dependency to preserve MSRV: 1.60.0 <= rust-version < 1.65.0 -regex = "~1.9.6" +regex = "<1.10.0" # Pinned dependency to preserve MSRV: ??? <= rust-version < 1.65.0 regex-automata = "~0.3.9" # Pinned dependency to preserve MSRV: 1.60.0 <= rust-version < 1.65.0 From 69266de0c1b61a684255572c636e66b031c3c6fd Mon Sep 17 00:00:00 2001 From: Justin Smith Date: Tue, 3 Dec 2024 12:34:00 -0500 Subject: [PATCH 2/2] AWS-LC-FIPS 3.0 builds with Clang 19 --- aws-lc-fips-sys/builder/cmake_builder.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/aws-lc-fips-sys/builder/cmake_builder.rs b/aws-lc-fips-sys/builder/cmake_builder.rs index 341ef32a876..21a5ff651f6 100644 --- a/aws-lc-fips-sys/builder/cmake_builder.rs +++ b/aws-lc-fips-sys/builder/cmake_builder.rs @@ -256,12 +256,8 @@ impl CmakeBuilder { } } if compiler.is_like_clang() { + // AWS-LC-FIPS 2.0 was unable to compile with Clang 19 emit_warning(&format!("Clang v{major}.{minor}.{patch} detected.")); - if major > 18 { - // TODO: Update when FIPS Clang 19 build is fixed - emit_warning("WARNING: FIPS build is known to fail on Clang >= 19. See: https://github.com/aws/aws-lc-rs/issues/569"); - return Some(false); - } } return Some(true); } @@ -425,7 +421,7 @@ impl crate::Builder for CmakeBuilder { } fn parse_version(line: &str) -> Option<(u32, u32, u32)> { - let version_pattern = regex::Regex::new(r"\s(\d{1,2})\.(\d{1,2})\.(\d+)").unwrap(); + let version_pattern = regex::Regex::new(r"\s(\d{1,2})\.(\d{1,2})\.(\d+)").ok()?; let captures = version_pattern.captures(line)?; let major_str = captures.get(1)?.as_str();