Support Building Nmap With AWS-LC
Introduction to AWS-LC and Nmap Integration
As engineers at AWS working on AWS Libcrypto (AWS-LC), an open-source cryptographic library maintained for AWS and its customers, we are committed to backwards compatibility. To ensure this, we run CI jobs that assert every change's compatibility with many different open-source projects, so that compatibility regressions are caught before they are merged. Recently we added Nmap to this CI, and we believe that upstreaming support for AWS-LC into the mainline branch of Nmap would provide the best experience for users wishing to build Nmap against AWS-LC.
Understanding AWS-LC and its Features
AWS-LC is an open-source cryptographic library maintained for AWS and its customers. It supports CPU-specific performance optimizations for AWS Graviton 2, AWS Graviton 3, and Intel x86-64 with AVX-512 instructions. We have formally verified a subset of AWS-LC's cryptographic primitives and continue to invest in expanding this coverage. AWS-LC has been FIPS validated by NIST, with FIPS 140-3 certificates for both dynamic and static builds. This provides a high level of security and trustworthiness for users who rely on AWS-LC.
Benefits of Integrating AWS-LC with Nmap
Integrating AWS-LC with Nmap would provide several benefits to users. First, it would let users build Nmap against AWS-LC directly, which is the best experience for users who rely on AWS-LC. Second, it would keep Nmap compatible with AWS-LC, reducing the risk of compatibility breakage. Finally, it would give users a secure and trustworthy way to build Nmap against AWS-LC.
Patch Requirements for Nmap Integration
To integrate AWS-LC with Nmap, only a minor modification is required. The provided patch adds a check for the OPENSSL_IS_AWSLC macro to an existing #ifdef block, so that the build recognizes AWS-LC explicitly rather than inferring the library from the OpenSSL version number alone. This modification is straightforward and would not require significant changes to the Nmap codebase.
CI Jobs and Compatibility Tests
We have already added Nmap to our CI and use these tests to catch compatibility regressions before they are merged. Our CI jobs assert every change's compatibility with many different open-source projects, including Nmap, so any change to AWS-LC is tested against Nmap before it lands.
Conclusion and Next Steps
We believe that integrating AWS-LC with Nmap would provide the best experience for users wishing to build Nmap against AWS-LC. We have already added Nmap to our CI, and we have a patch that requires only a minor modification to Nmap. If you agree that this integration would be useful, I'd be happy to put together a PR.
Technical Details and Resources
- CI jobs: https://github.com/aws/aws-lc/blob/main/.github/workflows/integrations.yml
- Nmap patch: https://github.com/aws/aws-lc/blob/7bca7e96fab19e4857b70082fa4c759ff0119e12/tests/ci/integration/nmap_patch/aws-lc-nmap.patch
- AWS-LC documentation: https://github.com/aws/aws-lc
- NIST FIPS validation: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4759
Introduction
As we discussed in our previous article, integrating AWS-LC with Nmap would provide several benefits to users. In this article, we will answer some frequently asked questions about the integration and provide more information about the process.
Q: What is AWS-LC and why is it important?
A: AWS-LC is an open-source cryptographic library maintained for AWS and its customers. It supports CPU-specific performance optimizations for AWS Graviton 2, AWS Graviton 3, and Intel x86-64 with AVX-512 instructions. We have formally verified a subset of AWS-LC's cryptographic primitives and continue to invest in expanding this coverage. AWS-LC has been FIPS validated by NIST, with FIPS 140-3 certificates for both dynamic and static builds. This provides a high level of security and trustworthiness for users who rely on AWS-LC.
Q: What are the benefits of integrating AWS-LC with Nmap?
A: Integrating AWS-LC with Nmap would provide several benefits to users. First, it would let users build Nmap against AWS-LC directly, which is the best experience for users who rely on AWS-LC. Second, it would keep Nmap compatible with AWS-LC, reducing the risk of compatibility breakage. Finally, it would give users a secure and trustworthy way to build Nmap against AWS-LC.
Q: What is the patch requirement for Nmap integration?
A: To integrate AWS-LC with Nmap, only a minor modification is required. The provided patch adds a check for the OPENSSL_IS_AWSLC macro to an existing #ifdef block, so that the build recognizes AWS-LC explicitly rather than inferring the library from the OpenSSL version number alone. This modification is straightforward and would not require significant changes to the Nmap codebase.
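The patch described here and in the "Patch Requirements" section above turns on one idea: a guard keyed only on OPENSSL_VERSION_NUMBER cannot tell a fork from upstream OpenSSL, so the fork's identity macro has to be part of the condition. The following is an added example, not code from Nmap or AWS-LC: it mocks the version macros each library exposes and mirrors a version-gated guard at runtime, before and after OPENSSL_IS_AWSLC is added. The macro values, the threshold, and the direction of the change (AWS-LC being routed away from the modern path) are illustrative assumptions; the linked patch is authoritative for what Nmap's real block does.

```c
#include <stdio.h>

/* Which code path a version-gated guard selects. */
enum api_path { PATH_OPENSSL_MODERN = 1, PATH_COMPAT_SHIM = 2 };

/* Constructed stand-in for what the library's version header defines;
 * the numbers are assumptions for illustration only. */
struct lib_macros {
    const char *name;
    unsigned long version_number;  /* OPENSSL_VERSION_NUMBER */
    int has_libressl_macro;        /* defined(LIBRESSL_VERSION_NUMBER) */
    int has_awslc_macro;           /* defined(OPENSSL_IS_AWSLC) */
};

/* Runtime mirror of:
 *   #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 * A fork advertising a 1.1.1-compatible number is sent down the modern
 * path purely on the strength of that number. */
static enum api_path guard_before_patch(const struct lib_macros *m) {
    if (m->version_number >= 0x10100000L && !m->has_libressl_macro)
        return PATH_OPENSSL_MODERN;
    return PATH_COMPAT_SHIM;
}

/* Same guard with the fork's identity macro added (assumed direction):
 *   #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) \
 *       && !defined(OPENSSL_IS_AWSLC)
 * The build now routes AWS-LC explicitly instead of by version number. */
static enum api_path guard_after_patch(const struct lib_macros *m) {
    if (m->version_number >= 0x10100000L && !m->has_libressl_macro
        && !m->has_awslc_macro)
        return PATH_OPENSSL_MODERN;
    return PATH_COMPAT_SHIM;
}

/* Returns 1 when adding the macro changes the path chosen for this library. */
static int patch_changes_path(const struct lib_macros *m) {
    return guard_before_patch(m) != guard_after_patch(m);
}

/* Constructed macro sets: upstream OpenSSL 3.0, LibreSSL, and AWS-LC. */
static const struct lib_macros OPENSSL3 = { "OpenSSL 3.0", 0x30000000L, 0, 0 };
static const struct lib_macros LIBRESSL = { "LibreSSL",    0x20000000L, 1, 0 };
static const struct lib_macros AWSLC    = { "AWS-LC",      0x1010107fL, 0, 1 };

int main(void) {
    const struct lib_macros *libs[] = { &OPENSSL3, &LIBRESSL, &AWSLC };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s before=%d after=%d changed=%d\n", libs[i]->name,
               guard_before_patch(libs[i]), guard_after_patch(libs[i]),
               patch_changes_path(libs[i]));
    return 0;
}
```

Only AWS-LC's selected path changes; upstream OpenSSL and LibreSSL are unaffected, which is the property a reviewer of such a one-line guard change should confirm.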
Q: How do you ensure compatibility with Nmap?
A: We have already added Nmap to our CI and use these tests to catch compatibility regressions before they are merged. Our CI jobs assert every change's compatibility with many different open-source projects, including Nmap, so any change to AWS-LC is tested against Nmap before it lands.
Q: What are the next steps for integrating AWS-LC with Nmap?
A: If you agree that this integration would be useful, I'd be happy to put together a PR. We will work with the Nmap community to ensure a smooth integration and provide any necessary support.
Q: What resources are available for more information?
A: You can find more information about AWS-LC and Nmap integration on our GitHub repository: https://github.com/aws/aws-lc. You can also contact us directly for more information or to discuss the integration further.
Q: How can I contribute to the integration process?
A: We welcome any contributions to the integration process. If you have experience with Nmap or AWS-LC, we would be happy to have you join the effort. Please reach out to us directly to discuss how you can contribute.
Conclusion
Integrating AWS-LC with Nmap would provide several benefits to users, including a secure and trustworthy way to build Nmap against AWS-LC. We have already added Nmap to our CI and have a patch that requires only a minor modification to Nmap. If you agree that this integration would be useful, we'd be happy to put together a PR and work with the Nmap community to ensure a smooth integration.