crypto: migrate non-TLS crypto primitives from openssl/sha2 to aws-lc-rs#35895

Merged
jasonhernandez merged 1 commit into main from jason/sec-239-crypto-primitives
Apr 9, 2026

@jasonhernandez jasonhernandez commented Apr 7, 2026

Summary

  • Migrate 5 leaf crates from openssl/sha2/digest to aws-lc-rs for hashing and signing
  • No TLS changes — purely crypto primitive substitution
  • Consolidates on aws-lc-rs ahead of the full TLS migration

Crates migrated

  • mz-auth: SCRAM-SHA-256 (openssl HMAC/SHA → aws-lc-rs HMAC/digest)
  • mz-ssh-util: SSH key fingerprinting (openssl SHA-256 → aws-lc-rs digest)
  • mz-expr: scalar hash functions sha1/sha2/subtle → aws-lc-rs
  • mz-avro: schema fingerprinting (digest/sha2 → aws-lc-rs digest)
  • mz-license-keys: signature verification (sha2 → aws-lc-rs digest)

Test plan

  • cargo test -p mz-auth -p mz-ssh-util -p mz-expr -p mz-avro -p mz-license-keys
  • CI green

🤖 Generated with Claude Code

github-actions Bot commented Apr 7, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute:, storage:, adapter:, sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez jasonhernandez force-pushed the jason/sec-258-mtls-crash-fix branch from c648256 to 8690248 Compare April 7, 2026 17:30
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from 4ce57fd to c10ea9f Compare April 7, 2026 17:31
@jasonhernandez jasonhernandez changed the base branch from jason/sec-258-mtls-crash-fix to main April 7, 2026 18:18
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from c10ea9f to a108aae Compare April 7, 2026 18:19
@jasonhernandez jasonhernandez marked this pull request as ready for review April 7, 2026 18:20
@jasonhernandez jasonhernandez requested a review from a team as a code owner April 7, 2026 18:20
Migrate 5 leaf crates that use openssl or sha2/digest for hashing and
signing (not TLS) to aws-lc-rs equivalents. This consolidates crypto
backends ahead of the full TLS migration.

Crates migrated:
- mz-auth: SCRAM-SHA-256 (openssl HMAC/SHA → aws-lc-rs HMAC/digest)
- mz-ssh-util: SSH key fingerprinting (openssl SHA-256 → aws-lc-rs digest)
- mz-expr: scalar hash functions (sha1/sha2/subtle → aws-lc-rs)
- mz-avro: schema fingerprinting (digest/sha2 → aws-lc-rs digest)
- mz-license-keys: signature verification (sha2 → aws-lc-rs digest)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonhernandez jasonhernandez force-pushed the jason/sec-239-crypto-primitives branch from a108aae to 90b5984 Compare April 9, 2026 19:27
Comment thread Cargo.toml
@jasonhernandez jasonhernandez merged commit ed29486 into main Apr 9, 2026
122 checks passed
@jasonhernandez jasonhernandez deleted the jason/sec-239-crypto-primitives branch April 9, 2026 21:59