Fix FIPS integrity hash patching for Cargo builds on Windows

The FIPS hash injection on Windows uses capture_hash.go, which runs
fips_empty_main.exe to capture the correct integrity hash, then
patches it into crypto.dll. Previously this ran as a POST_BUILD on
fips_empty_main — but fips_empty_main depends on crypto (not vice
versa), so when Cargo's cmake crate builds with '--target install',
fips_empty_main's POST_BUILD could be skipped, leaving crypto.dll
with the placeholder hash.

Replace the POST_BUILD with an OUTPUT-based custom command that
produces a stamp file, driven by a custom target marked ALL. Since
'install' depends on 'all', the dependency chain is now:

  install → all → fips_integrity → stamp → capture_hash
                                         → fips_empty_main → crypto

This ensures the hash injection always runs before install copies
crypto.dll, regardless of how cmake is invoked.

Author: justsmth

.github/workflows/aws-lc-rs.yml

@@ -288,26 +288,27 @@ jobs:
       - name: Build
         working-directory: ./aws-lc-rs
         run: cargo xwin build -p aws-lc-rs --target ${{ matrix.target }} ${{ matrix.fips && '--features fips' || '' }}
-      - name: FIPS integrity sanity check
+      - name: FIPS sanity test (via Wine)
         if: matrix.fips
         working-directory: ./aws-lc-rs
         env:
           WINEDEBUG: "-all"
           DISPLAY: ""
         run: |
-          # fips_empty_main.exe is built alongside crypto.dll during the FIPS
-          # build. It loads crypto.dll which triggers the FIPS power-on
-          # self-test. If the integrity hash was patched correctly the self-test
-          # passes and main() runs; if not the process aborts immediately.
-          CRYPTO_DIR=$(dirname "$(find target -name 'crypto.dll' -path '*/aws-lc-fips-sys*' | head -1)")
-          echo "CRYPTO_DIR=${CRYPTO_DIR}"
-          ls -la "${CRYPTO_DIR}/crypto.dll" "${CRYPTO_DIR}/fips_empty_main.exe"
-          export WINEPATH="$(winepath -w "${CRYPTO_DIR}")"
-          # fips_empty_main.exe always exits with code 1 (by design), so we
-          # capture its output without letting the non-zero exit fail the step.
-          OUTPUT=$(wine "${CRYPTO_DIR}/fips_empty_main.exe" 2>&1 || true)
-          echo "${OUTPUT}"
-          echo "${OUTPUT}" | grep -q "FIPS mode"
+          # The FIPS crypto DLL has a version prefix (e.g.,
+          # aws_lc_fips_0_13_13_crypto.dll) and lives in the cargo build
+          # artifacts directory — not next to the test binary. Set WINEPATH
+          # so Wine can find it at runtime.
+          CRYPTO_DLL=$(find target -name '*crypto.dll' -path '*/aws-lc-fips-sys*' | head -1)
+          if [ -z "${CRYPTO_DLL}" ]; then
+            echo "ERROR: Could not find FIPS crypto DLL"
+            exit 1
+          fi
+          echo "Found FIPS DLL: ${CRYPTO_DLL}"
+          export WINEPATH="$(winepath -w "$(dirname "${CRYPTO_DLL}")")"
+          # Any test that loads the FIPS crypto library triggers the power-on
+          # self-test; if the integrity hash is wrong the process aborts.
+          cargo xwin test -p aws-lc-rs --target ${{ matrix.target }} --features fips
 
   # CMake Rust bindings generation tests
   cmake-rust-bindings:

crypto/CMakeLists.txt

@@ -629,36 +629,34 @@ if(FIPS_SHARED)
   # Rewrite libcrypto.so, libcrypto.dylib, or crypto.dll to inject the correct module
   # hash value. For now we support the FIPS build only on Linux, macOS, iOS, and Windows.
   if(MSVC)
-    # On Windows we use a single-DLL capture-and-patch approach: build
-    # crypto.dll once with a placeholder hash, run fips_empty_main.exe (which
-    # triggers the integrity check, computes the real hash, and prints it),
-    # then binary-patch the placeholder in crypto.dll with the captured hash.
-    # This avoids building two separate DLLs (precrypto.dll vs crypto.dll)
-    # whose linker output may differ — e.g. mandatory ASLR on ARM64 causes
-    # different ADRP immediates, and lld-link (clang-cl) is not guaranteed to
-    # produce byte-identical output across two independent link operations.
+    # On Windows we use capture_hash.go: build crypto.dll with a placeholder
+    # hash, then run fips_empty_main.exe (which triggers the integrity check
+    # and prints the correct hash), then patch the placeholder in crypto.dll.
+    #
+    # The fips_integrity target (marked ALL) ensures the hash injection runs
+    # before 'install' copies crypto.dll. Without this, Cargo builds (which
+    # run 'cmake --build --target install') would skip the hash injection
+    # because fips_empty_main is not in crypto's dependency chain.
     build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule> SET_OUTPUT_NAME)
 
     add_executable(fips_empty_main fipsmodule/fips_empty_main.c)
     target_link_libraries(fips_empty_main PUBLIC crypto)
     target_add_awslc_include_paths(TARGET fips_empty_main SCOPE PRIVATE)
 
     add_custom_command(
-      TARGET fips_empty_main POST_BUILD
+      OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/fips_hash_injected.stamp
       COMMAND ${GO_EXECUTABLE} run
         ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
         -in-executable $<TARGET_FILE:fips_empty_main>
         -patch-dll $<TARGET_FILE:crypto>
+      COMMAND ${CMAKE_COMMAND} -E touch ${CMAKE_CURRENT_BINARY_DIR}/fips_hash_injected.stamp
+      DEPENDS fips_empty_main crypto
+        ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
       WORKING_DIRECTORY ${AWSLC_SOURCE_DIR}
     )
-
-    # Adding an install rule for fips_empty_main makes it a dependency of the
-    # 'install' target. This is needed because Cargo's cmake crate builds via
-    # 'cmake --build --target install', which only builds targets that have
-    # install() rules. Without this, fips_empty_main is never built during a
-    # Cargo build, so the POST_BUILD hash-patching step above never runs and
-    # crypto.dll is left with the placeholder integrity hash.
-    install(TARGETS fips_empty_main RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+    add_custom_target(fips_integrity ALL
+      DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/fips_hash_injected.stamp
+    )
   else()
     # On Apple and Linux platforms inject_hash.go can parse libcrypto and inject
     # the hash directly into the final library.