Fix FIPS build under MSAN by broadening integrity-test guards#3167
Open
Fix FIPS build under MSAN by broadening integrity-test guards#3167
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3167 +/- ##
==========================================
+ Coverage 77.97% 78.15% +0.17%
==========================================
Files 689 689
Lines 122670 122671 +1
Branches 17076 17081 +5
==========================================
+ Hits 95658 95870 +212
+ Misses 26115 25902 -213
- Partials 897 899 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
The FIPS integrity-test symbols (BORINGSSL_bcm_text_start/end/hash) are only provided by the delocator or linker script. CMake already skips these for both ASAN and MSAN builds, but bcm.c and fips.c only guarded with !defined(OPENSSL_ASAN), causing link failures under MSAN. Broaden all guards to also check !defined(OPENSSL_MSAN), matching the existing guard in delocate.h, and add targeted MSAN+FIPS CI coverage.
WillChilds-Klein
approved these changes
Apr 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issues:
aws-lc-rs: feat: add msan (MemorySanitizer) feature flag, matching existing asan support aws-lc-rs#1077Description of changes:
CMake already skips the delocator (and linker script) for both ASAN and MSAN FIPS builds, but
bcm.candfips.conly guarded the integrity-test symbol references with#if !defined(OPENSSL_ASAN). This means an MSAN+FIPS build stillextern-declaresBORINGSSL_bcm_text_start/end/hashand tries to callBORINGSSL_integrity_test(), even though nothing provides those symbols — resulting in link failures.This broadens all three guards in
bcm.cand theFIPS_mode()check infips.cto!defined(OPENSSL_ASAN) && !defined(OPENSSL_MSAN), matching the existing guard indelocate.h.Call-outs:
FIPS_mode()now returns 0 under MSAN, just as it does under ASAN.is_fips_build()is unaffected — it still returns 1 for anyBORINGSSL_FIPSbuild regardless of sanitizer, which is the intended distinction between the two.Testing:
Added a targeted MSAN+FIPS CI job (
ubuntu:22.04/clang-14/x86_64) inlinux-multi-arch-omnibus.yml, gated behindAWSLC_ENABLE_FIPS_MSAN. The correspondingrun_fips_tests.shblock builds with-DFIPS=1 -DMSAN=1 -DUSE_CUSTOM_LIBCXX=1, verifiesbssl isfipsreturns 0, and runs the test suite.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.