From b955bc28c725d0b879b9a2041fc1d6a114ceb3d0 Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Fri, 12 Jul 2024 19:43:31 +0000 Subject: [PATCH 1/2] Revert "Revert "Implement runtime check on libcrypto linkage (#186)" (#191)" This reverts commit 71810b1ade7af4747104ae245b74240ae8e8cf77. --- source/unix/openssl_platform_init.c | 47 +++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/source/unix/openssl_platform_init.c b/source/unix/openssl_platform_init.c index 2eaa1b70..1be67098 100644 --- a/source/unix/openssl_platform_init.c +++ b/source/unix/openssl_platform_init.c @@ -22,6 +22,10 @@ #define OPENSSL_SUPPRESS_DEPRECATED #include +#if defined(OPENSSL_IS_AWSLC) +# include +#endif + static struct openssl_hmac_ctx_table hmac_ctx_table; static struct openssl_evp_md_ctx_table evp_md_ctx_table; @@ -555,6 +559,47 @@ static enum aws_libcrypto_version s_resolve_libcrypto_lib(void) { return AWS_LIBCRYPTO_NONE; } +/* Validate at runtime that we're linked against the same libcrypto we compiled against. */ +static void s_validate_libcrypto_linkage(void) { + /* NOTE: the choice of stack buffer size is somewhat arbitrary. it's + * possible, but unlikely, that libcrypto version strings may exceed this in + * the future. we guard against buffer overflow by limiting write size in + * snprintf with the size of the buffer itself. if libcrypto version strings + * do eventually exceed the chosen size, this runtime check will fail and + * will need to be addressed by increasing buffer size.*/ + char expected_version[64] = {0}; +#if defined(OPENSSL_IS_AWSLC) + /* get FIPS mode at runtime becuase headers don't give any indication of + * AWS-LC's FIPSness at aws-c-cal compile time. version number can still be + * captured at preprocess/compile time from AWSLC_VERSION_NUMBER_STRING.*/ + const char *mode = FIPS_mode() ? "AWS-LC FIPS" : "AWS-LC"; + snprintf(expected_version, sizeof(expected_version), "%s %s", mode, AWSLC_VERSION_NUMBER_STRING); +#elif defined(OPENSSL_IS_BORINGSSL) + snprintf(expected_version, sizeof(expected_version), "BoringSSL"); +#elif defined(OPENSSL_IS_OPENSSL) + snprintf(expected_version, sizeof(expected_version), OPENSSL_VERSION_TEXT); +#elif !defined(BYO_CRYPTO) +# error Unsupported libcrypto! +#endif + const char *runtime_version = SSLeay_version(SSLEAY_VERSION); + AWS_LOGF_DEBUG( + AWS_LS_CAL_LIBCRYPTO_RESOLVE, + "Compiled with libcrypto %s, linked to libcrypto %s", + expected_version, + runtime_version); +#if defined(OPENSSL_IS_OPENSSL) + /* Validate that the string "AWS-LC" doesn't appear in OpenSSL version str. */ + AWS_FATAL_ASSERT(strstr("AWS-LC", expected_version) == NULL); + AWS_FATAL_ASSERT(strstr("AWS-LC", runtime_version) == NULL); + /* Validate both expected and runtime versions begin with OpenSSL's version str prefix. */ + const char *openssl_prefix = "OpenSSL "; + AWS_FATAL_ASSERT(strncmp(openssl_prefix, expected_version, strlen(openssl_prefix)) == 0); + AWS_FATAL_ASSERT(strncmp(openssl_prefix, runtime_version, strlen(openssl_prefix)) == 0); +#else + AWS_FATAL_ASSERT(strcmp(expected_version, runtime_version) == 0 && "libcrypto mislink"); +#endif +} + static enum aws_libcrypto_version s_resolve_libcrypto(void) { /* Try to auto-resolve against what's linked in/process space */ AWS_LOGF_DEBUG(AWS_LS_CAL_LIBCRYPTO_RESOLVE, "searching process and loaded modules"); @@ -583,6 +628,8 @@ static enum aws_libcrypto_version s_resolve_libcrypto(void) { result = s_resolve_libcrypto_lib(); } + s_validate_libcrypto_linkage(); + return result; } From c63d8cdf595c1d175a8e770eb86672533812145e Mon Sep 17 00:00:00 2001 From: Dengke Date: Fri, 12 Jul 2024 16:07:23 -0700 Subject: [PATCH 2/2] use the latest main --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 79247fe4..059ee3e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,7 +6,7 @@ on: - 'main' env: - BUILDER_VERSION: v0.9.57 + BUILDER_VERSION: v0.9.61 BUILDER_SOURCE: releases BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net PACKAGE_NAME: aws-c-cal