Migrate crypto backend from ring to aws-lc-rs
#824
Comments
|
Thanks for the ping! In a vacuum I think Option 1 makes perfect sense, except that With my ex-maintainer hat on, for whatever that's still worth: I think the best option long-term is Option 3. I think it could be tricky to design a |
|
Update: I tested |
|
@iliana thanks for such a quick response, and for chasing 1/ down a bit further on your end. Another option I'm chewing on is first refactoring |
|
Once there's a branch with the refactor let me know, and I'll be happy to slot it into where we're using tough and make sure it still works as expected in our environment. |
|
I'm running tests now. It turns out my coworker was actually right about build issues with AWS-LC (I forgot to test linking!), but another coworker chased down the changes that need to be made to get it to build fine. I'm running tests with your branch now. aws/aws-lc#1854 is our PR to AWS-LC. |
|
Our unit/integration tests pass on #825, with some modifications for an API difference between ring and aws-lc-rs. As a heads up, we're currently only using Ed25519 for signing/verification, so we don't test all the ring/aws-lc-rs related codepaths. |
|
Thanks @iliana !
Any chance that was changes required around
Ack, we'll be testing against RSA, ecdsa, and ED25519 |
|
It was related to |
|
For sigstore, I think we could cope with option 1, ideally speaking option 3 would be the best. Thanks for having reached out! |
### Issues: n/a ### Description of changes: The team that works on [awslabs/tough](https://github.com/awslabs/tough) wants to support using the aws-lc-rs Rust crate (awslabs/tough#824). As one of several downstream consumers of tough outside of AWS, we were asked for feedback. Oxide uses tough as part of our product which runs on the illumos operating system. When linking Rust code using aws-lc-rs, the linker cannot find several `aws_lc_*` symbols: ``` Undefined first referenced symbol in file aws_lc_0_21_1_bn_gather5 /home/iliana/git/omicron/target/debug/deps/libaws_lc_sys-ff0ab07b18206e1f.rlib(bcm.c.o) aws_lc_0_21_1_rsaz_1024_red2norm_avx2 /home/iliana/git/omicron/target/debug/deps/libaws_lc_sys-ff0ab07b18206e1f.rlib(bcm.c.o) aws_lc_0_21_1_aesni_gcm_encrypt /home/iliana/git/omicron/target/debug/deps/libaws_lc_sys-ff0ab07b18206e1f.rlib(bcm.c.o) aws_lc_0_21_1_chacha20_poly1305_seal /home/iliana/git/omicron/target/debug/deps/libaws_lc_sys-ff0ab07b18206e1f.rlib(e_chacha20poly1305.c.o) aws_lc_0_21_1_chacha20_poly1305_open /home/iliana/git/omicron/target/debug/deps/libaws_lc_sys-ff0ab07b18206e1f.rlib(e_chacha20poly1305.c.o) [ ... this goes on for some hundreds of lines ... ] ``` `uname -p` on illumos systems returns `i386` on 64-bit machines. This resulted in assembly code not being linked into the AWS-LC library due to architecture misdetection. To determine the native instruction set, `isainfo -n` is used instead. Once these cryptic errors were out of the way, we got a more normal linking error indicating some missing libraries; symbols that are in the libc on other platforms are in separate libraries on illumos. I'm sending this PR on behalf of my coworker, @jclulow, but I can help handle any requested changes. ### Call-outs: n/a ### Testing: Tested on an illumos system via aws-lc-rs by patching the crate in Cargo.toml with: ``` [patch.crates-io.aws-lc-sys] git = "https://github.com/oxidecomputer/aws-lc-rs" branch = "illumos/aws-lc-sys/v0.21.1" ``` which updates the AWS-LC submodule to this commit. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --------- Co-authored-by: Joshua M. Clulow <[email protected]>
The maintainers of
toughwish to support theaws-lc-rscrypto library, which wishes to be a "drop-in replacement for ring that provides FIPS support and is compatible with the ring API".We have some rough ideas for an approach and would like to get community input before such a change:
ringwithaws-lc-rsas a drop-in replacementaws-lc-rsas the backend behind a feature (seerustls, which usesaws-lc-rsby default and offersringas a feature on the crate: https://github.com/rustls/rustls?tab=readme-ov-file#platform-support)CryptoProviderinterface for consumers of the library, with implementations forringandaws-lc-rs(a larustls: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html)We will keep this issue updated with our plans.
cc: @flavio @iliana @fghanmi and others in the community for your thoughts, questions, concerns, etc.
The text was updated successfully, but these errors were encountered: