Skip to content

Commit 598c80b

Browse files
fix(rust): bump aws-lc-rs to 1.17.0, de-dupe aws-lc-sys (#2336)
1 parent 6683d0a commit 598c80b

3 files changed

Lines changed: 119 additions & 3 deletions

File tree

.github/workflows/pull.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -109,6 +109,10 @@ jobs:
109109
uses: ./.github/workflows/library_rust_tests.yml
110110
with:
111111
dafny: ${{needs.getVersion.outputs.version}}
112+
pr-ci-rust-duplicate-deps:
113+
permissions:
114+
contents: read
115+
uses: ./.github/workflows/rust_duplicate_deps.yml
112116
pr-ci-net-test-vectors:
113117
permissions:
114118
contents: read
@@ -145,6 +149,7 @@ jobs:
145149
- pr-ci-java-examples
146150
- pr-ci-net
147151
- pr-ci-rust
152+
- pr-ci-rust-duplicate-deps
148153
- pr-ci-net-test-vectors
149154
- pr-ci-net-examples
150155
runs-on: ubuntu-22.04
Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
# Fails CI if more than one version of the aws-lc native crates
2+
# (aws-lc-sys / aws-lc-fips-sys) resolves into the Rust dependency tree.
3+
#
4+
# aws-lc-rs pulls in one of these -sys crates transitively. Declaring a
5+
# DIRECT dependency on a different version forces a second copy of AWS-LC to
6+
# compile, which has real costs:
7+
# * ~2x native C build time, and a larger binary (two libcrypto copies are
8+
# statically linked).
9+
# * The SDK's raw FFI calls (aws_lc_sys_impl::*) run against the version
10+
# declared directly here, while aws-lc-rs's safe APIs run against the
11+
# version aws-lc-rs pulls in. The two paths can therefore use different
12+
# AWS-LC builds, and the raw-FFI path can stay on a stale or vulnerable
13+
# version independently of aws-lc-rs. Only byte buffers cross between the
14+
# two copies, so it is memory-safe -- but wasteful and a security-skew risk.
15+
#
16+
# The fix is always to pin the direct -sys version to match aws-lc-rs.
17+
name: Rust Duplicate aws-lc Dependency Check
18+
19+
on:
20+
# Invoked by pull.yml so this check is part of the required
21+
# pr-ci-all-required gate (a failure must block merge). Also runs
22+
# directly on push to the default branch.
23+
workflow_call: {}
24+
push:
25+
branches:
26+
- main
27+
28+
permissions:
29+
contents: read
30+
31+
jobs:
32+
duplicate-aws-lc:
33+
runs-on: ubuntu-22.04
34+
steps:
35+
- uses: actions/checkout@v6
36+
with:
37+
submodules: recursive
38+
39+
- name: Setup Rust Toolchain
40+
uses: actions-rust-lang/setup-rust-toolchain@v1
41+
with:
42+
cache: false
43+
44+
# The Rust sources under runtimes/rust are partially generated
45+
# (gitignored), but `cargo tree` only needs a resolvable manifest.
46+
# Stub any missing targets so dependency resolution succeeds without
47+
# running codegen.
48+
- name: Stub generated targets
49+
shell: bash
50+
working-directory: ./DynamoDbEncryption/runtimes/rust
51+
run: |
52+
mkdir -p src examples
53+
[ -f src/lib.rs ] || : > src/lib.rs
54+
[ -f examples/main.rs ] || echo 'fn main() {}' > examples/main.rs
55+
56+
- name: Check for duplicate aws-lc-sys / aws-lc-fips-sys
57+
shell: bash
58+
working-directory: ./DynamoDbEncryption/runtimes/rust
59+
run: |
60+
set -euo pipefail
61+
status=0
62+
63+
# Print the duplicate aws-lc blocks for one feature profile, and if
64+
# any exist, explain what to do. `cargo tree -d` lists each duplicated
65+
# package followed by the reverse-dependency tree, so it shows exactly
66+
# which package pulls in each version (e.g. the direct dep vs aws-lc-rs).
67+
check_profile() {
68+
label="$1"
69+
args="$2"
70+
71+
# Liveness guard: a "no duplicates" result is only trustworthy if the
72+
# tree actually resolved. This check intentionally ignores cargo
73+
# errors below, so without this guard a resolution failure (broken
74+
# stub, missing submodule, dropped feature, etc.) would pass silently.
75+
# aws-lc-rs is a non-optional dependency, so it MUST appear; if it
76+
# does not, fail loudly instead of reporting a false "all clear".
77+
if ! cargo tree $args 2>/dev/null | grep -q 'aws-lc-rs v'; then
78+
echo "::error::Duplicate check could not resolve the dependency tree ($label build) -- failing instead of passing silently. Run 'cargo tree $args' locally to debug."
79+
status=1
80+
return
81+
fi
82+
83+
dup=$(cargo tree -d $args 2>/dev/null || true)
84+
awslc=$(printf '%s\n' "$dup" | awk 'BEGIN{RS="";ORS="\n\n"} /^aws-lc-(sys|fips-sys) v/' || true)
85+
if [ -n "$(printf '%s' "$awslc" | tr -d '[:space:]')" ]; then
86+
status=1
87+
echo "::error::Duplicate aws-lc native crate detected ($label build). See log for how to fix."
88+
echo "------------------------------------------------------------------------"
89+
echo "Duplicate aws-lc native crate(s) in the $label dependency tree."
90+
echo "Each version below compiles a separate copy of AWS-LC. The tree shows"
91+
echo "which package pulls in each version:"
92+
echo ""
93+
printf '%s\n' "$awslc" | sed 's/^/ /'
94+
echo "Declared directly in this crate's Cargo.toml:"
95+
grep -nE '^aws-lc-(sys|fips-sys)[[:space:]]' Cargo.toml | sed 's/^/ /' || true
96+
echo ""
97+
echo "Why this matters: a different DIRECT -sys version forces a second copy"
98+
echo "of AWS-LC to compile (~2x native C build time + larger binary), and the"
99+
echo "SDK's raw FFI (aws_lc_sys_impl::*) then uses the version YOU declared"
100+
echo "while aws-lc-rs uses the one it pulls in -- so the raw path can stay on a"
101+
echo "stale/vulnerable AWS-LC independently of aws-lc-rs."
102+
echo ""
103+
echo "How to fix: set the direct version to the SAME version aws-lc-rs resolves"
104+
echo "to (shown above), then confirm locally with: cargo tree -d"
105+
echo "------------------------------------------------------------------------"
106+
fi
107+
}
108+
109+
check_profile "default" ""
110+
check_profile "fips" "--no-default-features --features fips"
111+
exit $status

DynamoDbEncryption/runtimes/rust/Cargo.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,9 +16,9 @@ readme = "README.md"
1616

1717
[dependencies]
1818
aws-config = "1.8.12"
19-
aws-lc-rs = {version = "1.15.4"}
20-
aws-lc-sys = { version = "0.39", optional = true }
21-
aws-lc-fips-sys = { version = "0.13", optional = true }
19+
aws-lc-rs = {version = "1.17.0"}
20+
aws-lc-sys = { version = "0.41", optional = true }
21+
aws-lc-fips-sys = { version = "0.13.1", optional = true }
2222
aws-sdk-dynamodb = "1.103.0"
2323
aws-sdk-kms = "1.98.0"
2424
aws-smithy-runtime-api = {version = "1.10.0", features = ["client"] }

0 commit comments

Comments
 (0)