FIPS fails to build with GCC >= 14

[jkalez]

Problem:

cargo check fails when using clang 19 for FIPS builds. AFAICT it's because AWS-LC is pinned to a specific commit (ec94d74), which has a cast operation in it that newer versions of clang rejects. I did try upgrading to AWS-LC-FIPS-2.0.17, but it appears the issue is still there and cargo check still fails.

Relevant details

AWS-LC for Rust versions or commit: (6b1bce0...)

System information: for linux, below info can be collected by running uname -srvmp

• CPU architecture: x86-64
• CPU name: Xeon CascadeLake
• OS: Ubuntu 24.10

Build log:

• The log tells compiler and version.

root@504baee641ea:~/aws-lc-rs# cargo check -p aws-lc-rs --features fips
   Compiling aws-lc-fips-sys v0.12.13 (/root/aws-lc-rs/aws-lc-fips-sys)
   Compiling aws-lc-sys v0.22.0 (/root/aws-lc-rs/aws-lc-sys)
The following warnings were emitted during compilation:

warning: [email protected]: Building with: CMake
warning: [email protected]: Symbol Prefix: Some("aws_lc_fips_0_12_13")

error: failed to run custom build command for `aws-lc-fips-sys v0.12.13 (/root/aws-lc-rs/aws-lc-fips-sys)`

Caused by:
  process didn't exit successfully: `/root/aws-lc-rs/target/debug/build/aws-lc-fips-sys-4f564eb018bf155b/build-script-main` (exit status: 101)
  --- stdout
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_NO_PREFIX
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_PREGENERATING_BINDINGS
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_NO_ASM
  cargo:rustc-cfg=x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_STATIC
  cargo:warning=Building with: CMake
  cargo:warning=Symbol Prefix: Some("aws_lc_fips_0_12_13")
  cargo:rerun-if-env-changed=CMAKE
  cargo:rerun-if-env-changed=AWS_LC_FIPS_SYS_STATIC
  cargo:rerun-if-env-changed=CMAKE_TOOLCHAIN_FILE
  cargo:rerun-if-env-changed=CMAKE_TOOLCHAIN_FILE_x86_64_unknown_linux_gnu
  CMAKE_TOOLCHAIN_FILE_x86_64-unknown-linux-gnu = None
  CMAKE_TOOLCHAIN_FILE_x86_64_unknown_linux_gnu = None
  HOST_CMAKE_TOOLCHAIN_FILE = None
  CMAKE_TOOLCHAIN_FILE = None
  CMAKE_GENERATOR_x86_64-unknown-linux-gnu = None
  CMAKE_GENERATOR_x86_64_unknown_linux_gnu = None
  HOST_CMAKE_GENERATOR = None
  CMAKE_GENERATOR = None
  CMAKE_PREFIX_PATH_x86_64-unknown-linux-gnu = None
  CMAKE_PREFIX_PATH_x86_64_unknown_linux_gnu = None
  HOST_CMAKE_PREFIX_PATH = None
  CMAKE_PREFIX_PATH = None
  CMAKE_x86_64-unknown-linux-gnu = None
  CMAKE_x86_64_unknown_linux_gnu = None
  HOST_CMAKE = None
  CMAKE = Some("cmake")
  running: cd "/root/aws-lc-rs/target/debug/build/aws-lc-fips-sys-adb27b8e39ad1f3d/out/build" && CMAKE_PREFIX_PATH="" "cmake" "/root/aws-lc-rs/aws-lc-fips-sys" "-DBUILD_SHARED_LIBS=0" "-DCMAKE_BUILD_TYPE=debug" "-DBORINGSSL_PREFIX=aws_lc_fips_0_12_13_" "-DBORINGSSL_PREFIX_HEADERS=/root/aws-lc-rs/aws-lc-fips-sys/generated-include" "-DBUILD_TESTING=OFF" "-DBUILD_LIBSSL=OFF" "-DFIPS=1" "-DCMAKE_INSTALL_PREFIX=/root/aws-lc-rs/target/debug/build/aws-lc-fips-sys-adb27b8e39ad1f3d/out" "-DCMAKE_C_FLAGS= -ffunction-sections -fdata-sections -fPIC -m64 --target=x86_64-unknown-linux-gnu" "-DCMAKE_C_COMPILER=/usr/bin/clang" "-DCMAKE_CXX_FLAGS= -ffunction-sections -fdata-sections -fPIC -m64 --target=x86_64-unknown-linux-gnu" "-DCMAKE_CXX_COMPILER=/usr/bin/clang++" "-DCMAKE_ASM_FLAGS= -ffunction-sections -fdata-sections -fPIC -m64 --target=x86_64-unknown-linux-gnu" "-DCMAKE_ASM_COMPILER=/usr/bin/clang" "--no-warn-unused-cli"
  Not searching for unused variables given on the command line.
  -- FIPS build mode configured
  -- FIPS entropy source method configured: Passive
  -- Found Perl: /usr/bin/perl (found version "5.38.2")
  -- Checking for module 'libunwind-generic'
  --   Package 'libunwind-generic', required by 'virtual:world', not found
  -- stdalign_check.c probe is positive, enabling AWS_LC_STDALIGN_AVAILABLE
  -- builtin_swap_check.c probe is positive, enabling AWS_LC_BUILTIN_SWAP_SUPPORTED
  -- linux_u32.c probe is positive, enabling AWS_LC_URANDOM_U32
  -- The ASM compiler identification is Clang with GNU-like command-line
  -- Found assembler: /usr/bin/clang
  -- Disabling debug symbols for Clang internal assembler
  -- Performing Test CMAKE_HAVE_LIBC_PTHREAD
  -- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success
  -- Found Threads: TRUE
  -- Configuring done (2.3s)
  -- Generating done (0.1s)
  -- Build files have been written to: /root/aws-lc-rs/target/debug/build/aws-lc-fips-sys-adb27b8e39ad1f3d/out/build
  running: cd "/root/aws-lc-rs/target/debug/build/aws-lc-fips-sys-adb27b8e39ad1f3d/out/build" && MAKEFLAGS="-j --jobserver-fds=8,9 --jobserver-auth=8,9" "cmake" "--build" "." "--target" "install" "--config" "Debug"
  [  0%] Built target boringssl_prefix_symbols
  [  0%] Built target global_target
  [  0%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-base.c.o
  [  1%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-gcd.c.o
  [  1%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-health.c.o
  [  1%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-noise.c.o
  [  2%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-sha3.c.o
  [  2%] Building C object aws-lc/third_party/jitterentropy/CMakeFiles/jitterentropy.dir/jitterentropy-timer.c.o
  [  3%] Building C object aws-lc/crypto/fipsmodule/CMakeFiles/fipsmodule.dir/fips_shared_support.c.o
  [  3%] Generating test/trampoline-x86_64.S
  [  3%] Building C object aws-lc/crypto/fipsmodule/CMakeFiles/fipsmodule.dir/cpucap/cpucap.c.o
  [  3%] Generating cipher_extra/aes128gcmsiv-x86_64.S
  [  4%] Generating chacha/chacha-x86_64.S
  [  4%] Generating cipher_extra/aesni-sha1-x86_64.S
  [  4%] Building C object aws-lc/crypto/fipsmodule/CMakeFiles/bcm_c_generated_asm.dir/bcm.c.o
  [  5%] Generating cipher_extra/aesni-sha256-x86_64.S
  [  5%] Built target jitterentropy
  [  5%] Generating cipher_extra/chacha20_poly1305_x86_64.S
  [  5%] Built target fipsmodule
  [  5%] Generating err_data.c
  [  5%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_bitstr.c.o
  [  6%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_dup.c.o
  [  6%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_bool.c.o
  [  6%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_d2i_fp.c.o
  [  7%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_gentm.c.o
  [  7%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_int.c.o
  [  8%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_mbstr.c.o
  [  8%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_i2d_fp.c.o
  [  8%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_octet.c.o
  [  8%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_object.c.o
  [  9%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_strnid.c.o
  [  9%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_strex.c.o
  [ 10%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_time.c.o
  [ 10%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_type.c.o
  [ 10%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_utctm.c.o
  [ 10%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_utf8.c.o
  [ 11%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/asn1_lib.c.o
  [ 11%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/asn1_par.c.o
  [ 11%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/asn_pack.c.o
  [ 12%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/f_int.c.o
  [ 12%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/f_string.c.o
  [ 12%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_dec.c.o
  [ 13%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_enc.c.o
  [ 13%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_fre.c.o
  [ 13%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_new.c.o
  [ 14%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_typ.c.o
  [ 14%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/tasn_utl.c.o
  [ 14%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/posix_time.c.o
  [ 15%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/base64/base64.c.o
  [ 15%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/bio.c.o
  [ 15%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/bio_mem.c.o
  [ 16%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/connect.c.o
  [ 16%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/file.c.o
  [ 16%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/fd.c.o
  [ 17%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/hexdump.c.o
  [ 17%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/pair.c.o
  [ 18%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/socket.c.o
  [ 18%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/socket_helper.c.o
  [ 18%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/printf.c.o
  [ 18%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/blake2/blake2.c.o
  [ 19%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bn_extra/bn_asn1.c.o
  [ 19%] Building C object aws-lc/crypto/CMakeFiles/crypto_objects.dir/bn_extra/convert.c.o
  [ 19%] Linking C static library libbcm_c_generated_asm.a
  [ 19%] Built target bcm_c_generated_asm

  --- stderr
  CMake Deprecation Warning at CMakeLists.txt:4 (cmake_minimum_required):
    Compatibility with CMake < 3.5 will be removed from a future version of
    CMake.

    Update the VERSION argument <min> value or use a ...<max> suffix to tell
    CMake that the project does not need compatibility with older versions.


  CMake Deprecation Warning at aws-lc/CMakeLists.txt:1 (cmake_minimum_required):
    Compatibility with CMake < 3.5 will be removed from a future version of
    CMake.

    Update the VERSION argument <min> value or use a ...<max> suffix to tell
    CMake that the project does not need compatibility with older versions.


  libunwind not found. Disabling unwind tests.
  /root/aws-lc-rs/aws-lc-fips-sys/aws-lc/crypto/bio/connect.c:493:29: error: cast from 'bio_info_cb' (aka 'long (*)(struct bio_st *, int, const char *, int, long, long)') to 'int (*)(const struct bio_st *, int, int)' converts to incompatible function type [-Werror,-Wcast-function-type-mismatch]
    493 |       data->info_callback = (int (*)(const struct bio_st *, int, int))fp;
        |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  1 error generated.
  gmake[2]: *** [aws-lc/crypto/CMakeFiles/crypto_objects.dir/build.make:610: aws-lc/crypto/CMakeFiles/crypto_objects.dir/bio/connect.c.o] Error 1
  gmake[2]: *** Waiting for unfinished jobs....
  gmake[1]: *** [CMakeFiles/Makefile2:280: aws-lc/crypto/CMakeFiles/crypto_objects.dir/all] Error 2
  gmake[1]: *** Waiting for unfinished jobs....
  gmake: *** [Makefile:136: all] Error 2
  thread 'main' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cmake-0.1.51/src/lib.rs:1100:5:

  command did not execute successfully, got: exit status: 2

  build script failed, must exit now
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
warning: [email protected]: Building with: CC
warning: [email protected]: Symbol Prefix: Some("aws_lc_0_22_0")
warning: [email protected]: Compilation of 'c11.c' succeeded - Ok(["/root/aws-lc-rs/target/debug/build/aws-lc-sys-44e8af250216ab0b/out/out-c11/41e58b93c06a3131-c11.o"]).
warning: [email protected]: CC environment variable set: clang
warning: [email protected]: CXX environment variable set: clang++
warning: [email protected]: Compilation of 'stdalign_check.c' succeeded - Ok(["/root/aws-lc-rs/target/debug/build/aws-lc-sys-44e8af250216ab0b/out/out-stdalign_check/41e58b93c06a3131-stdalign_check.o"]).
warning: [email protected]: Compilation of 'builtin_swap_check.c' succeeded - Ok(["/root/aws-lc-rs/target/debug/build/aws-lc-sys-44e8af250216ab0b/out/out-builtin_swap_check/41e58b93c06a3131-builtin_swap_check.o"]).

[justsmth]

Hello! Thanks for reporting this issue! I apologize for this build failure.

This seems to be due to a gap in our CI coverage -- our CI tests with clang versions up to 18, but we've not yet added 19. (Note that there is also a known FIPS build issue with GCC v14.)

As a workaround, older versions of Clang <= v18 (or GCC <= v13) should work for the FIPS build.

We'll try to get this resolved for our next release. Thanks again!

[justsmth]

I looked a little more into this problem. This build failure was fixed last year on the AWS-LC main branch. This fix will likewise be included in our next FIPS (AWS-LC-FIPS 3.0) release, which is currently being tested. However, we don't yet have a date for that release. We'll be sure to inform our users as soon as our next FIPS release is available.

[xnox]

Note that there is also a known FIPS build issue with GCC v14.

Is it possible to do a check somewhere in CMake and stop the build when clang 19 or gcc 14 are detected?

I think I hit this too, and it is very confusing!

[justsmth]

Hello!

I updated the title as the latest version of aws-lc-fips-sys should now build with Clang 19. (We're still working on support for GCC-14.)