awslabs / aws-c-cal

Aws Crypto Abstraction Layer: Cross-Platform, C99 wrapper for cryptography primitives.
Apache License 2.0

Implement runtime check on libcrypto linkage #186

Closed WillChilds-Klein closed 1 month ago

WillChilds-Klein commented 1 month ago

Description

This PR adds a runtime check to ensure that the preprocess/compile-time libcrypto is of the same "family" as the linked libcrypto. With this check, we enforce that aws-c-cal is compiled against supported libcryptos (unless BYO_CRYPTO has been specified). In the case of compilation against AWS-LC, we also validate that the compile/link version is the same. We do not check the version in the OpenSSL case as discussed here and here.

Testing

This PR's CI jobs verify the "happy" path for supported libcryptos (AWS-LC, BoringSSL, BYO_CRYPTO, and a few versions of OpenSSL). I've also tested the failure case with aws-c-cal compiled against OpenSSL 1.1.1, then linked by aws-crt-python's build to AWS-LC. Run from aws-crt-python's source root (with debug logging configured in aws-c-cal):

$ python3 -m unittest discover --failfast --verbose
...
Fatal error condition occurred in /tmp/tmp.5xrtKAz4xw/tmp/src/Aws-c-cal/source/unix/openssl_platform_init.c:591: strcmp(expected_version, runtime_version) == 0 && "libcrypto mislink"
Exiting Application
[DEBUG] [2024-05-23T23:53:49Z] [00007f8dc4ba1740] [libcrypto_resolve] - Compiled with libcrypto OpenSSL 1.1.1x  30 Jan 2024, linked to libcrypto AWS-LC FIPS 1.26.0
...

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
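
The policy described in this PR (family must match; AWS-LC additionally requires the same version; OpenSSL versions are not compared), as an added example that is not code from the PR or from aws-c-cal. The names `family_of` and `linkage_ok` are hypothetical, and recognising the family by substring of the version string is an assumption; the two strings in `main` are the ones from the debug log above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not aws-c-cal's implementation. */
enum crypto_family { FAMILY_UNKNOWN, FAMILY_OPENSSL, FAMILY_AWS_LC, FAMILY_BORINGSSL };

/* Assumption: the family can be recognised from the version string.
 * Forks are tested first because a fork's compatibility string may
 * also contain the word "OpenSSL". */
static enum crypto_family family_of(const char *version) {
    if (version == NULL) return FAMILY_UNKNOWN;
    if (strstr(version, "AWS-LC") != NULL) return FAMILY_AWS_LC;
    if (strstr(version, "BoringSSL") != NULL) return FAMILY_BORINGSSL;
    if (strncmp(version, "OpenSSL", 7) == 0) return FAMILY_OPENSSL;
    return FAMILY_UNKNOWN;
}

/* Returns true when the libcrypto found at run time is acceptable for a
 * binary compiled against `compiled`. Versions are passed in as strings
 * so the example runs without any libcrypto installed. */
bool linkage_ok(const char *compiled, const char *linked) {
    enum crypto_family c = family_of(compiled);
    enum crypto_family l = family_of(linked);

    /* Unsupported library, or compiled against one family and linked to another. */
    if (c == FAMILY_UNKNOWN || c != l) return false;

    /* AWS-LC: compile-time and link-time versions must be identical. */
    if (c == FAMILY_AWS_LC) return strcmp(compiled, linked) == 0;

    /* OpenSSL and BoringSSL: family match only, version is not compared. */
    return true;
}

int main(void) {
    /* The two version strings from the debug log line above. */
    const char *compiled = "OpenSSL 1.1.1x  30 Jan 2024";
    const char *linked = "AWS-LC FIPS 1.26.0";

    if (!linkage_ok(compiled, linked)) {
        fprintf(stderr, "libcrypto mislink: compiled with %s, linked to %s\n",
                compiled, linked);
        return 1;
    }
    return 0;
}
```
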