


a278f6fd73
update README to reflect openssl->aws-lc switch 2021-04-29 16:30:55 -07:00
e0b3c4f0b3
switch openssl->aws-lc
This switch moves to a full AWS stack and a core ssl library with
smaller security attack surface. It increases final binary size by
3MB which may be largely avoided by tweaking the aws-lc build
commands at the expense of some performance. Note aws-lc will
likely be the primarily supported ssl library by the AWS c
runtime libs moving forward, and thus this also allows us to move
to more recent versions of the dependent libraries. We still
require a custom fork of aws-c-cal until PR 89 is merged
2021-04-29 16:27:23 -07:00
3 changed files with 33 additions and 24 deletions


@ -1,3 +1,9 @@
# We are looking for a static build, so we need to be on a musl system
# Zig uses clang, so for best compatibility, everything should be built
# using that compiler
# Establish a base container with build tools common to most projects
FROM alpine:3.13 AS base FROM alpine:3.13 AS base
# gcc gets us libgcc.a, even though the build should be using clang # gcc gets us libgcc.a, even though the build should be using clang
RUN apk add --no-cache clang git cmake make lld musl-dev gcc && \ RUN apk add --no-cache clang git cmake make lld musl-dev gcc && \
@ -5,8 +11,6 @@ RUN apk add --no-cache clang git cmake make lld musl-dev gcc && \
ln -s /usr/bin/ld.lld /usr/bin/ld && rm /usr/bin/gcc # just to be sure ln -s /usr/bin/ld.lld /usr/bin/ld && rm /usr/bin/gcc # just to be sure
FROM base AS common FROM base AS common
# d5f9398d48d9c318563db08100e2e87b24ea3656
# RUN git clone --depth 1 -b pthread-np https://github.com/r-burns/aws-c-common && \
RUN git clone --depth 1 -b v0.5.2 https://github.com/awslabs/aws-c-common && \ RUN git clone --depth 1 -b v0.5.2 https://github.com/awslabs/aws-c-common && \
mkdir aws-c-common-build && cd aws-c-common-build && \ mkdir aws-c-common-build && cd aws-c-common-build && \
cmake ../aws-c-common && \ cmake ../aws-c-common && \
@ -14,33 +18,35 @@ RUN git clone --depth 1 -b v0.5.2 https://github.com/awslabs/aws-c-common && \
RUN tar -czf aws-c-common-clang.tgz /usr/local/* RUN tar -czf aws-c-common-clang.tgz /usr/local/*
FROM base AS openssl # The only tags currently on the repo are from 9/2020 and don't install
RUN apk add --no-cache perl linux-headers && \ # anything, so we'll use current head of main branch (d60b60e)
git clone --depth 1 -b OpenSSL_1_1_1i https://github.com/openssl/openssl && \ FROM base AS awslc
cd openssl && ./Configure linux-x86_64-clang && make && make install RUN apk add --no-cache perl go g++ linux-headers && rm /usr/bin/g++ && rm /usr/bin/c++ && \
git clone --depth 1000 https://github.com/awslabs/aws-lc && cd aws-lc && \
git reset d60b60e --hard && cd .. && \
cmake -S aws-lc -B aws-lc/build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_PREFIX_PATH=/usr/local -DCMAKE_INSTALL_PREFIX=/usr/local && \
cmake --build aws-lc/build --config RelWithDebInfo --target install
RUN tar -czf openssl-clang.tgz /usr/local/* RUN tar -czf aws-lc-clang.tgz /usr/local/*
FROM base AS s2n FROM base AS s2n
ENV S2N_LIBCRYPTO=openssl-1.1.1 ENV S2N_LIBCRYPTO=awslc
COPY --from=openssl /openssl-clang.tgz / COPY --from=awslc /aws-lc-clang.tgz /
RUN git clone --depth 1 -b v0.10.26 https://github.com/awslabs/s2n && \ RUN git clone --depth 1 -b v1.0.5 https://github.com/aws/s2n-tls && \
tar -xzf openssl-clang.tgz && \ tar -xzf aws-lc-clang.tgz && \
mkdir s2n-build && cd s2n-build && \ mkdir s2n-build && cd s2n-build && \
cmake ../s2n && \ cmake ../s2n-tls && \
make -j12 && make install make -j12 && make install
RUN tar -czf s2n-clang.tgz /usr/local/* RUN tar -czf s2n-clang.tgz /usr/local/*
FROM base AS cal FROM base AS cal
COPY --from=openssl /openssl-clang.tgz / COPY --from=awslc /aws-lc-clang.tgz /
COPY --from=common /aws-c-common-clang.tgz / COPY --from=common /aws-c-common-clang.tgz /
# environment not used - just busting docker's cache # RUN git clone --depth 1 -b v0.5.5 https://github.com/awslabs/aws-c-cal && \
ENV COMMIT=d1a4d RUN git clone --depth 1 -b static-musl-builds https://github.com/elerch/aws-c-cal && \
# RUN git clone --depth 1 -b v0.4.5 https://github.com/awslabs/aws-c-cal && \
RUN git clone --depth 1 https://github.com/elerch/aws-c-cal && \
tar -xzf aws-c-common-clang.tgz && \ tar -xzf aws-c-common-clang.tgz && \
tar -xzf openssl-clang.tgz && \ tar -xzf aws-lc-clang.tgz && \
mkdir cal-build && cd cal-build && \ mkdir cal-build && cd cal-build && \
cmake -DCMAKE_MODULE_PATH=/usr/local/lib64/cmake ../aws-c-cal && \ cmake -DCMAKE_MODULE_PATH=/usr/local/lib64/cmake ../aws-c-cal && \
make -j12 && make install make -j12 && make install
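Review bot: The awslc stage pins aws-lc with `git clone --depth 1000 … && git reset d60b60e --hard`, which only works while that commit is still within the last 1000 commits of the default branch and while the 7-character abbreviation stays unambiguous; either drift makes the build fail, or, for the abbreviation, could resolve to a different commit than intended. Fetching the exact object is more robust and does not depend on history depth: `git init aws-lc && cd aws-lc && git fetch --depth 1 https://github.com/awslabs/aws-lc <FULL_40_CHAR_SHA_OF_d60b60e> && git checkout FETCH_HEAD && cd .. && \` (GitHub accepts fetches by full commit id; confirm for this host). The cal stage in the same hunk now clones the `static-musl-builds` branch head of a personal fork, so the aws-c-cal input is a mutable ref rather than a pinned revision and any push to that branch changes what the image contains; recording the intended commit there too, in the neighbouring comment or via the same fetch-by-sha pattern, keeps the build reproducible until the upstream PR the README mentions is merged.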


@ -54,7 +54,7 @@ supercede all other configuration.
Full dependency tree: Full dependency tree:
aws-c-auth aws-c-auth
* s2n * s2n
* openssl * aws-lc
* aws-c-common * aws-c-common
* aws-c-compression * aws-c-compression
* aws-c-common * aws-c-common
@ -64,17 +64,20 @@ aws-c-auth
* aws-c-io * aws-c-io
* aws-c-common * aws-c-common
* s2n * s2n
* openssl * aws-lc
* aws-c-cal * aws-c-cal
* aws-c-common
* aws-lc
* aws-c-compression * aws-c-compression
* aws-c-common * aws-c-common
* aws-c-cal * aws-c-cal
* aws-c-common * aws-c-common
* aws-lc
Build order based on above: Build order based on above:
1. aws-c-common 1. aws-c-common
1. openssl 1. aws-lc
2. s2n 2. s2n
2. aws-c-cal 2. aws-c-cal
2. aws-c-compression 2. aws-c-compression
@ -92,7 +95,7 @@ TODO List:
* Implement generic response body -> Response type handling (right now, this is hard-coded) * Implement generic response body -> Response type handling (right now, this is hard-coded)
* Implement codegen for services with xml structures (using Smithy models) * Implement codegen for services with xml structures (using Smithy models)
* Implement codegen for others (using Smithy models) * Implement codegen for others (using Smithy models)
* Issue PR in c libraries for full static musl build support (see Dockerfile) * Switch to aws-c-cal upsream once PR for full static musl build support is merged (see Dockerfile)
* Remove compiler 0.7.1 shims when 0.8.0 is released * Remove compiler 0.7.1 shims when 0.8.0 is released
Compiler wishlist/watchlist: Compiler wishlist/watchlist:


@ -17,8 +17,8 @@ pub fn build(b: *Builder) void {
exe.addIncludeDir("./src/"); exe.addIncludeDir("./src/");
exe.addIncludeDir("/usr/local/include"); exe.addIncludeDir("/usr/local/include");
exe.addObjectFile("/usr/local/lib64/libs2n.a"); exe.addObjectFile("/usr/local/lib64/libs2n.a");
exe.addObjectFile("/usr/local/lib/libcrypto.a"); exe.addObjectFile("/usr/local/lib64/libcrypto.a");
exe.addObjectFile("/usr/local/lib/libssl.a"); exe.addObjectFile("/usr/local/lib64/libssl.a");
exe.addObjectFile("/usr/local/lib64/libaws-c-auth.a"); exe.addObjectFile("/usr/local/lib64/libaws-c-auth.a");
exe.addObjectFile("/usr/local/lib64/libaws-c-cal.a"); exe.addObjectFile("/usr/local/lib64/libaws-c-cal.a");
exe.addObjectFile("/usr/local/lib64/libaws-c-common.a"); exe.addObjectFile("/usr/local/lib64/libaws-c-common.a");
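Review bot: The moved `libcrypto.a` and `libssl.a` paths are undocumented absolute paths that silently depend on the Dockerfile's awslc stage installing with `-DCMAKE_INSTALL_PREFIX=/usr/local` and placing its archives under `lib64`; nothing in build.zig records that coupling, so a change to either file breaks the other without a pointer back. A one-line comment above the `addObjectFile` run, e.g. `// static archives come from the Dockerfile stages; aws-lc installs libcrypto/libssl under /usr/local/lib64`, would make the dependency explicit for the next person editing either file. The enclosing `build` function begins before this hunk.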