Commit 43f6926

committed
bazel-registry: Add aws-lc-fips@1.66.2.envoy
Signed-off-by: Ryan Northey <ryan@synca.io>
1 parent 33842ce commit 43f6926

5 files changed

+202
-0
lines changed

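--- /dev/null
+++ b/<registry-dir-not-shown>/MODULE.bazel
@@ -0,0 +1,12 @@
+module(
+name = "aws-lc-fips",
+version = "1.66.2.envoy",
+bazel_compatibility = [">=7.2.1"],
+compatibility_level = 1,
+)
+
+bazel_dep(name = "rules_foreign_cc", version = "0.15.1")
+bazel_dep(name = "go-fips", version = "1.24.12.envoy")
+bazel_dep(name = "rules_cc", version = "0.1.1")
+bazel_dep(name = "platforms", version = "0.0.11")
+bazel_dep(name = "bazel_skylib", version = "1.8.2")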
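--- /dev/null
+++ b/<registry-dir-not-shown>/BUILD.bazel
@@ -0,0 +1,151 @@
+load("@rules_cc//cc:defs.bzl", "cc_library")
+load("@rules_foreign_cc//foreign_cc:defs.bzl", "cmake")
+
+licenses(["notice"]) # Apache 2 license
+
+# AWS-LC FIPS build for use in Envoy on ppc64le where BoringSSL FIPS is not available
+# This is based on the boringssl-fips implementation but adapted for AWS-LC
+# Reference: https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md
+#
+# FIPS Validation:
+# AWS-LC provides a 'bssl isfips' tool (similar to BoringSSL) that verifies FIPS mode.
+# This build includes explicit validation to ensure FIPS mode is enabled before
+# exposing the libraries for consumption.
+
+filegroup(
+name = "all_srcs",
+srcs = glob(
+["**"],
+),
+)
+
+cmake(
+name = "_aws_lc_build",
+cache_entries = {
+"CMAKE_BUILD_TYPE": "Release",
+"FIPS": "1",
+"BUILD_SHARED_LIBS": "0",
+"CMAKE_C_FLAGS": "-fPIC",
+"CMAKE_CXX_FLAGS": "-fPIC",
+"GO_EXECUTABLE": "$$EXT_BUILD_ROOT/external/go-fips~/bin/go",
+"BUILD_TESTING": "OFF",
+},
+lib_source = ":all_srcs",
+out_static_libs = [
+"libcrypto_unvalidated.a",
+"libssl_unvalidated.a",
+],
+out_binaries = ["bssl"],
+targets = [
+"crypto",
+"ssl",
+"bssl",
+],
+env = {
+"GOCACHE": "$$EXT_BUILD_ROOT$$/gocache",
+"GOPATH": "$$EXT_BUILD_ROOT$$/gopath",
+},
+postfix_script = """
+mv $$INSTALLDIR/lib/libcrypto.a $$INSTALLDIR/lib/libcrypto_unvalidated.a
+mv $$INSTALLDIR/lib/libssl.a $$INSTALLDIR/lib/libssl_unvalidated.a
+""",
+build_data = [
+"@go-fips//:go",
+"@go-fips//:go_sdk",
+],
+visibility = ["//visibility:private"],
+)
+
+genrule(
+name = "_aws_lc_outputs",
+srcs = [":_aws_lc_build"],
+outs = [
+"libcrypto_unvalidated.a",
+"libssl_unvalidated.a",
+"bssl",
+],
+cmd = """
+for f in $(locations :_aws_lc_build); do
+case "$$f" in
+*libcrypto_unvalidated.a)
+cp "$$f" $(location libcrypto_unvalidated.a)
+;;
+*libssl_unvalidated.a)
+cp "$$f" $(location libssl_unvalidated.a)
+;;
+*/bin/bssl)
+cp "$$f" $(location bssl)
+;;
+esac
+done
+""",
+visibility = ["//visibility:private"],
+)
+
+genrule(
+name = "_aws_lc_validated",
+srcs = [
+":libcrypto_unvalidated.a",
+":libssl_unvalidated.a",
+":bssl",
+],
+outs = [
+"lib/libcrypto.a",
+"lib/libssl.a",
+],
+cmd = """
+set -eo pipefail
+
+CRYPTO_LIB="$(location :libcrypto_unvalidated.a)"
+SSL_LIB="$(location :libssl_unvalidated.a)"
+BSSL="$(location :bssl)"
+OUT_DIR=$$(dirname $(location lib/libcrypto.a))
+
+echo "=== AWS-LC FIPS Validation Starting ==="
+echo "CRYPTO_LIB: $$CRYPTO_LIB"
+echo "SSL_LIB: $$SSL_LIB"
+echo "BSSL: $$BSSL"
+
+echo "Running FIPS validation: bssl isfips..."
+IS_FIPS=$$($$BSSL isfips || true)
+if [[ "$$IS_FIPS" = "1" ]]; then
+echo "✓ FIPS mode is ENABLED - bssl isfips returned 1"
+else
+echo "✗ ERROR: FIPS mode verification FAILED" >&2
+echo " expected: 1" >&2
+echo " found: $$IS_FIPS" >&2
+exit 1
+fi
+
+echo "✓ FIPS validation tests passed"
+
+mkdir -p $$OUT_DIR
+cp "$$CRYPTO_LIB" "$(location lib/libcrypto.a)"
+cp "$$SSL_LIB" "$(location lib/libssl.a)"
+
+echo "=== AWS-LC FIPS Validation Complete ==="
+echo "✓ FIPS-validated AWS-LC libraries are ready for consumption"
+echo " These libraries have passed FIPS validation and are safe to use"
+
+""",
+visibility = ["//visibility:private"],
+)
+
+cc_library(
+name = "crypto",
+srcs = ["lib/libcrypto.a"],
+hdrs = glob(["include/**/*.h"]),
+includes = ["include"],
+linkstatic = 1,
+visibility = ["//visibility:public"],
+)
+
+cc_library(
+name = "ssl",
+srcs = ["lib/libssl.a"],
+hdrs = glob(["include/**/*.h"]),
+includes = ["include"],
+linkstatic = 1,
+deps = [":crypto"],
+visibility = ["//visibility:public"],
+)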
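Review bot: `GO_EXECUTABLE` is pinned to the literal canonical repository path `$$EXT_BUILD_ROOT/external/go-fips~/bin/go` (line 30), yet the presubmit matrix runs both Bazel 7.x and 8.x; as far as I recall, Bazel 8 replaced the `~` separator in canonical repo names with `+`, so the FIPS Go toolchain would not be found on the 8.x row and the cmake configure step would fail or, worse, pick up a host `go`. Since `@go-fips//:go` is already listed in `build_data`, deriving the path from that label rather than hardcoding bzlmod's internal naming would remove the dependence. Separately, the `_aws_lc_validated` gate proves only that the `bssl` binary built here reports `isfips` = 1 (line 110), which confirms the tree was configured with `FIPS=1` and that the module's self-tests passed in that one binary; it cannot speak for a consumer that statically links `lib/libcrypto.a` (the `linkstatic = 1` targets at lines 134–151), which I believe performs its own integrity self-test at its own startup. I would temper the header comment at lines 10–13 to `# 'bssl isfips' confirms this build was configured with FIPS=1 and its self-tests pass; consumers still rely on the module's startup integrity check in their own binary`, since the `echo` at line 128 reads as a stronger guarantee than what was checked.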
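--- /dev/null
+++ b/<registry-dir-not-shown>/presubmit.yml
@@ -0,0 +1,14 @@
+matrix:
+platform:
+- ubuntu2204
+bazel:
+- 8.x
+- 7.x
+tasks:
+verify_targets:
+name: Verify build targets
+platform: ${{ platform }}
+bazel: ${{ bazel }}
+build_targets:
+- '@aws-lc-fips//:crypto'
+- '@aws-lc-fips//:ssl'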
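--- /dev/null
+++ b/<registry-dir-not-shown>/source.json
@@ -0,0 +1,8 @@
+{
+"url": "https://github.com/aws/aws-lc/archive/v1.66.2.tar.gz",
+"integrity": "sha256-1kpGtPdfpTYtpBLx6W/1t37tdrOpVoVlH4GlWMXJ4SY=",
+"strip_prefix": "aws-lc-1.66.2",
+"overlay": {
+"BUILD.bazel": "sha256-vsWmN7z3HV5+p82gES3tE15iSxNOObJcf5Mv1Mdnx/k="
+}
+}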
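Review bot: The `url` at line 2 points at GitHub's on-the-fly `archive/v1.66.2.tar.gz` rather than a published release asset; those archives are regenerated per request and their bytes have changed in the past when GitHub altered its compression, which would make the pinned `integrity` at line 3 fail for every consumer of the registry. That failure is the correct fail-closed outcome, so the risk is availability rather than integrity, but it is avoidable: if AWS-LC publishes a release tarball asset for v1.66.2, pointing `url` at it and re-pinning `integrity` is the more durable choice. The separate sha256 pin for the `BUILD.bazel` overlay at line 6 is good and should be kept in step whenever that file is edited.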
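--- /dev/null
+++ b/<registry-dir-not-shown>/metadata.json
@@ -0,0 +1,17 @@
+{
+"homepage": "https://github.com/aws/aws-lc",
+"maintainers": [
+{
+"email": "maintainers@envoyproxy.io",
+"github": "envoyproxy",
+"name": "Envoy Proxy Maintainers"
+}
+],
+"repository": [
+"github:aws/aws-lc"
+],
+"versions": [
+"1.66.2.envoy"
+],
+"yanked_versions": {}
+}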
