Support CPU Jitter Entropy from upstream RAGDOLL (#865)

torben-hansen · web-flow · commit 391ede771150 · 2025-08-20T19:20:48.000-07:00
Ragdoll merge aws/aws-lc#2615 surface that aws-lc-rs CC build type doesn't support building the CPU Jitter Entropy sub module.
diff --git a/aws-lc-rs/src/lib.rs b/aws-lc-rs/src/lib.rs
@@ -321,7 +321,8 @@ mod tests {
     #[test]
     fn test_fips() {
         assert!({ crate::try_fips_mode().is_err() });
-        assert!({ crate::try_fips_cpu_jitter_entropy().is_err() });
+        // Re-enable with fixed test after upstream has merged RAGDOLL
+        //assert!({ crate::try_fips_cpu_jitter_entropy().is_ok() });
     }
 
     #[test]
diff --git a/aws-lc-sys/builder/cc_builder.rs b/aws-lc-sys/builder/cc_builder.rs
@@ -344,7 +344,7 @@ impl CcBuilder {
     fn add_all_files(&self, lib: &Library, cc_build: &mut cc::Build) {
         use core::str::FromStr;
 
-        // s2n_bignum is compiled separately due to needing extra flags
+        // s2n-bignum is compiled separately due to needing extra flags
         let mut s2n_bignum_builder = cc_build.clone();
         s2n_bignum_builder.flag(format!(
             "--include={}",
@@ -355,18 +355,41 @@ impl CcBuilder {
                 .display()
         ));
         s2n_bignum_builder.define("S2N_BN_HIDE_SYMBOLS", "1");
+
+        // CPU Jitter Entropy is compiled separately due to needing specific flags
+        let mut jitter_entropy_builder = cc_build.clone();
+        jitter_entropy_builder.flag(format!(
+            "--include={}",
+            self.manifest_dir
+                .join("generated-include")
+                .join("openssl")
+                .join("boringssl_prefix_symbols.h")
+                .display()
+        ));
+        // From cmake script in /third_party/jitterentropy.
+        // If ever supporting CC build for Windows these flags must be
+        // conditioned on the target OS.
+        jitter_entropy_builder.flag("-DAWSLC -fwrapv --param ssp-buffer-size=4 -fvisibility=hidden -Wcast-align -Wmissing-field-initializers -Wshadow -Wswitch-enum -Wextra -Wall -pedantic -O0 -fwrapv -Wconversion");
+
         for source in lib.sources {
             let source_path = self.manifest_dir.join("aws-lc").join(source);
             let is_s2n_bignum = std::path::Path::new(source).starts_with("third_party/s2n-bignum");
+            let is_jitter_entropy = std::path::Path::new(source).starts_with("third_party/jitterentropy");
 
             if is_s2n_bignum {
                 s2n_bignum_builder.file(source_path);
+            } else if is_jitter_entropy {
+                jitter_entropy_builder.file(source_path);
             } else {
                 cc_build.file(source_path);
             }
         }
-        let object_files = s2n_bignum_builder.compile_intermediates();
-        for object in object_files {
+        let s2n_bignum_object_files = s2n_bignum_builder.compile_intermediates();
+        for object in s2n_bignum_object_files {
+            cc_build.object(object);
+        }
+        let jitter_entropy_object_files = jitter_entropy_builder.compile_intermediates();
+        for object in jitter_entropy_object_files {
             cc_build.object(object);
         }
         cc_build.file(PathBuf::from_str("rust_wrapper.c").unwrap());

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,8 @@ mod tests {`
`321`	`321`	`#[test]`
`322`	`322`	`fn test_fips() {`
`323`	`323`	`assert!({ crate::try_fips_mode().is_err() });`
`324`		`- assert!({ crate::try_fips_cpu_jitter_entropy().is_err() });`
	`324`	`+ // Re-enable with fixed test after upstream has merged RAGDOLL`
	`325`	`+ //assert!({ crate::try_fips_cpu_jitter_entropy().is_ok() });`
`325`	`326`	`}`
`326`	`327`
`327`	`328`	`#[test]`