update rustls 0.23.13 -> 0.23.15

Pulling this out into a separate PR since I have some TODOs for this one: #479

presently the Mac and Windows FIPS-enabled builds fail with unresolved symbol errors when building the client/server examples

The Ubuntu FIPS CI works great, and so do my local test builds on x86_64-unknown-linux.

Both MacOS and Windows build the Rust rustls-ffi lib and the aws-lc-rs/aws-lc-sys-fips crates without error, but fail to build/link the example C programs:

The MacOS builds fail to compile the client/server example .c programs with errors like:

cc -o target/client target/client.o target/common.o target/release/librustls_ffi.a -Wl,-dead_strip -framework Security -framework Foundation
Undefined symbols for architecture arm64:
  "_aws_lc_fips_0_12_13_AES_ecb_encrypt", referenced from:
      rustls::crypto::aws_lc_rs::quic::HeaderProtectionKey::xor_in_place::h57084e5b13308bb1 in librustls_ffi.a[72](rustls-c38d2f20cf176c7d.rustls.1215cb8b128a8c54-cgu.12.rcgu.o)

Similar failures for the cmake builds on Windows:

  Generating Code...
rustls_ffi.lib(rustls-c4ef5bb999bbcf41.rustls.dd57a86e5d66d92f-cgu.08.rcgu.o) : error LNK2001: unresolved external symbol aws_lc_fips_0_12_13_EVP_PKEY_free [D:\a\rustls-ffi\rustls-ffi\build\tests\client.vcxproj]

Probably missing some extra linker arguments for the C programs (?) - have to put a pin in this for today but will debug further when time permits.

I believe the root cause of the trouble here is that I didn't realize the aws-lc FIPS module only supports static linking on Linux. On macOS the module .dylib needs to be used (aws/aws-lc-rs#495). On Windows, there are two .dll's that need to be distributed with the application.

Both are limitations we can surmount for the CI integration testing of a FIPS-enabled client/server test binary, but I need to think about the best way to pull out a predictable file path for both the .dylib and .dll's produced by the cargo build of rustsl-ffi with the dependent crates in fips-mode.

Taking Windows as an example, right now they're under paths like:

./target/release/build/aws-lc-fips-sys-7dc15b55e6834182/out/build/artifacts/aws_lc_fips_0_12_13_rust_wrapper.dll
./target/release/build/aws-lc-fips-sys-7dc15b55e6834182/out/build/artifacts/aws_lc_fips_0_12_13_crypto.dll

I'm not sure the right way to jig a target_link_libraries cmake rule for the test binary CMakeList.txt that could predict the right paths for the .lib artifacts 🤔

@ctz Do you have any experience with this?

I'm not sure the right way to jig a target_link_libraries cmake rule for the test binary CMakeList.txt that could predict the right paths for the .lib artifacts 🤔

Some progress in 6732976 - mostly struggling with cmake now (ugh).

The solution in that commit works without too much hardcoding, but it assumes you've run a cargo build before running cmake -S . -B build or otherwise it errors because the path expansions to find the built .lib/.dll's fail. I'm struggling to find the right way to "defer" this until the result of the add_dependencies(client rustls-ffi) expressions ensures the cargo build was run.

More iteration (and probably an attempt to properly learn cmake) are required...

@ctz Do you have any experience with this?

I'm afraid not :(

I'm afraid not :(

Np! I will keep plugging away at this, more because I'm overdue to better understand the existing Windows build than because I think it's super important to get working.

Worst case I'll land Linux in CI and we can circle back on MacOS/Windows testing of the FIPS builds later on.

cpu marked this pull request as ready for review now

I backed out the CI bits for MacOS and Windows. You can still build rustls-ffi in FIPS mode on those platforms, but since linking the client/server binaries to the FIPS module is more involved on those platforms it's untested in CI at the moment (but verified to work manually).

I've learned a lot (some would say: too much) about cmake over the weekend and I think I'd prefer to:

• Land this as-is
• Rework the build system using what I've learned about cmake (I have Mac/Linux building w/ cmake on a separate branch so we can avoid Windows being the special duck).
• Add back the FIPS coverage for MacOS/Windows after the build rework makes it a bit more tractable.

WDYT? @jsha @ctz

Alternatively we could table this PR, do the build bits, and then rebase it and land it with full CI coverage.

@jsha Is this a branch I should hold for your review? 🙇

jsha Is this a branch I should hold for your review?

last time we chatted on this subject you mentioned being OK with merges that get a review from another team member if you don't get to them within a few weeks. I think this branch falls into that category so I'm going to merge it. Let me know if I should adjust my heuristics in the future!