Using static lib in iOS fails with Undefined symbols

[ospfranco]

Problem:

Hi! I continue on my journey to try to use this crate on iOS/Android. I've managed to compile my crate as a staticlib that I want to use in iOS. This approach has worked for me in the past with other Rust crates.

My cargo.toml is defined as such:

[package]
name = "rn-aws-lc"
version = "0.0.0"
edition = "2021"


[lib]
crate-type = ["staticlib"]

[dependencies]
aws-lc-rs = { version = "1.12.2", features = ["fips", "bindgen"] }

[build-dependencies]
cbindgen = "0.28.0"

[profile.dev]
incremental=true

I then take the compiled .a binary and drop it in a xcframework which I then add to an iOS project. However, when I try to build an example app I get the following errors:

Showing Recent Errors Only
Ld /Users/osp/Library/Developer/Xcode/DerivedData/OpAwsLcExample-dprqrhlvbttihtanehmzqayabuhj/Build/Products/Debug-iphonesimulator/OpAwsLcExample.app/OpAwsLcExample.debug.dylib normal (in target 'OpAwsLcExample' from project 'OpAwsLcExample')

clang: error: linker command failed with exit code 1 (use -v to see invocation)

Undefined symbol: _aws_lc_fips_0_13_1_AES_cbc_encrypt

Undefined symbol: _aws_lc_fips_0_13_1_AES_cfb128_encrypt

Undefined symbol: _aws_lc_fips_0_13_1_AES_ctr128_encrypt

Undefined symbol: _aws_lc_fips_0_13_1_AES_ecb_encrypt

Undefined symbol: _aws_lc_fips_0_13_1_AES_set_decrypt_key

Undefined symbol: _aws_lc_fips_0_13_1_AES_set_encrypt_key

Undefined symbol: _aws_lc_fips_0_13_1_AES_unwrap_key

Undefined symbol: _aws_lc_fips_0_13_1_AES_unwrap_key_padded

Undefined symbol: _aws_lc_fips_0_13_1_AES_wrap_key

Undefined symbol: _aws_lc_fips_0_13_1_AES_wrap_key_padded

Undefined symbol: _aws_lc_fips_0_13_1_BN_bin2bn

Undefined symbol: _aws_lc_fips_0_13_1_BN_bn2bin

Undefined symbol: _aws_lc_fips_0_13_1_BN_bn2bin_padded

Undefined symbol: _aws_lc_fips_0_13_1_BN_free

Undefined symbol: _aws_lc_fips_0_13_1_BN_new

Undefined symbol: _aws_lc_fips_0_13_1_BN_num_bits

Undefined symbol: _aws_lc_fips_0_13_1_BN_num_bytes

Undefined symbol: _aws_lc_fips_0_13_1_BN_set_u64

Undefined symbol: _aws_lc_fips_0_13_1_CBB_cleanup

Undefined symbol: _aws_lc_fips_0_13_1_CBB_finish

Undefined symbol: _aws_lc_fips_0_13_1_CBB_init

Undefined symbol: _aws_lc_fips_0_13_1_CBB_init_fixed

Undefined symbol: _aws_lc_fips_0_13_1_CBS_init

Undefined symbol: _aws_lc_fips_0_13_1_CRYPTO_library_init

Undefined symbol: _aws_lc_fips_0_13_1_CRYPTO_memcmp

Undefined symbol: _aws_lc_fips_0_13_1_CRYPTO_tls1_prf

Undefined symbol: _aws_lc_fips_0_13_1_ECDSA_SIG_free

Undefined symbol: _aws_lc_fips_0_13_1_ECDSA_SIG_new

Undefined symbol: _aws_lc_fips_0_13_1_ECDSA_SIG_set0

Undefined symbol: _aws_lc_fips_0_13_1_ECDSA_SIG_to_bytes

Undefined symbol: _aws_lc_fips_0_13_1_EC_GROUP_free

Undefined symbol: _aws_lc_fips_0_13_1_EC_GROUP_get_curve_name

Undefined symbol: _aws_lc_fips_0_13_1_EC_GROUP_new_by_curve_name

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_check_fips

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_free

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_get0_group

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_get0_private_key

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_get0_public_key

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_new

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_set_group

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_set_private_key

Undefined symbol: _aws_lc_fips_0_13_1_EC_KEY_set_public_key

Undefined symbol: _aws_lc_fips_0_13_1_EC_POINT_free

Undefined symbol: _aws_lc_fips_0_13_1_EC_POINT_mul

Undefined symbol: _aws_lc_fips_0_13_1_EC_POINT_new

Undefined symbol: _aws_lc_fips_0_13_1_EC_POINT_oct2point

Undefined symbol: _aws_lc_fips_0_13_1_EC_POINT_point2oct

Undefined symbol: _aws_lc_fips_0_13_1_EVP_AEAD_CTX_free

Undefined symbol: _aws_lc_fips_0_13_1_EVP_AEAD_CTX_init

Undefined symbol: _aws_lc_fips_0_13_1_EVP_AEAD_CTX_init_with_direction

Undefined symbol: _aws_lc_fips_0_13_1_EVP_AEAD_CTX_zero

Undefined symbol: _aws_lc_fips_0_13_1_EVP_CIPHER_CTX_free

Undefined symbol: _aws_lc_fips_0_13_1_EVP_CIPHER_CTX_new

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DecryptFinal_ex

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DecryptInit_ex

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DecryptUpdate

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestFinal

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestInit_ex

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestSign

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestSignInit

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestUpdate

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestVerify

Undefined symbol: _aws_lc_fips_0_13_1_EVP_DigestVerifyInit

Undefined symbol: _aws_lc_fips_0_13_1_EVP_EncryptFinal_ex

Undefined symbol: _aws_lc_fips_0_13_1_EVP_EncryptInit_ex

Undefined symbol: _aws_lc_fips_0_13_1_EVP_EncryptUpdate

Undefined symbol: _aws_lc_fips_0_13_1_EVP_MD_CTX_cleanup

Undefined symbol: _aws_lc_fips_0_13_1_EVP_MD_CTX_copy

Undefined symbol: _aws_lc_fips_0_13_1_EVP_MD_CTX_init

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_free

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_new

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_new_id

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_set0_rsa_oaep_label

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_set_rsa_mgf1_md

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_set_rsa_oaep_md

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_set_rsa_padding

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_CTX_set_rsa_pss_saltlen

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_assign_EC_KEY

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_assign_RSA

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_bits

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_decrypt

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_decrypt_init

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_encrypt

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_encrypt_init

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_free

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_get0_EC_KEY

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_get0_RSA

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_get1_RSA

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_get_raw_private_key

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_get_raw_public_key

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_id

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_keygen

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_keygen_init

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_new

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_new_raw_private_key

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_new_raw_public_key

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_size

Undefined symbol: _aws_lc_fips_0_13_1_EVP_PKEY_up_ref

Undefined symbol: _aws_lc_fips_0_13_1_EVP_aead_aes_128_gcm

Undefined symbol: _aws_lc_fips_0_13_1_EVP_aead_aes_128_gcm_randnonce

Linker command failed with exit code 1 (use -v to see invocation)

I remember briefly seeing that using the fips feature relies on some other aws-lc static library? Any advice is much appreciated!

[ospfranco]

A here I found where in the documentation I saw this:

https://aws.github.io/aws-lc-rs/requirements/apple#fips-build

I don't see any dylib (on iOS it has no extension afaik) in the target folder. Where can I find these files?

[ospfranco]

Could it be this one? Is it correct to grab it from this path?

[justsmth]

Hello!

Our FIPS build has limitations that make it much more challenging for consumers to use. Specifically, we can only provide a dynamic (FIPS) library for the IOS/Android targets asked about. Our static (FIPS) library build is limited to Linux, x86_64 and aarch64.

The reason for this relates to a FIPS requirement for a runtime integrity check, which requires our library compilation to not produce any "relocations" in the resulting binary. In order to achieve this result with a static library, our build process must parse/modify the assembly output from the compiler. This complexity also makes the FIPS build much more fragile.

Are you able to use our library w/o the "fips" feature. Unless you've been guidance otherwise by FIPS-compliance experts, I would just avoid using the "fips" feature.

I apologize for the difficulty caused by this limitation. Hopefully we will be able to expand the static FIPS library to other platforms, but it might be awhile.

[ospfranco]

Well, I'm interested in making it available as a library just because of the FIPS feature. I understand your answer though.

Now, back to my current problem, i just want to get it to work. Is my assumption on the latest comment that if I manage to package the dylibs that i pointed out then it should work or do I need to do anything else?

[justsmth]

Is my assumption on the latest comment that if I manage to package the dylibs that i pointed out then it should work or do I need to do anything else?

Yeah, for iOS the name of the libraries will match the pattern libaws_lc_fips_{<major>}_{<minor>}_{<patch>}_{crypto|rust_wrapper}.dylib.

Unfortunately, I'm not familiar with how the "loader" locates shared libraries on iOS/Android. I did find a comment here providing some history related to the ability to link to shared libraries on these platforms.

I wouldn't want to give you bad advice for how to link to shared libraries. You might try posted the question/details on Rust's user forums or on discord? The forums have some very qualified people that could provide answers and explanations of various issues around this topic.

If you do find an answer, I'd love to learn more about this as well! Feel free to post here any info (or a link to any info) on this issue. I'll take note of it so we can help others who might also run into this. Thanks!

[ospfranco]

I know how to load dylibs on iOS, I wrote a guide about it :) I just need to know where can I find the files

[justsmth]

Thanks for the link! 😊

For future reference, the name of the library is derived from the return value of the prefix_string() function:

• aws-lc-fips-sys: https://github.com/aws/aws-lc-rs/blob/main/aws-lc-fips-sys/builder/main.rs#L209
• aws-lc-sys: https://github.com/aws/aws-lc-rs/blob/main/aws-lc-sys/builder/main.rs#L213