Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: opt-in rustls-ffi FIPS support #478

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

WIP: opt-in rustls-ffi FIPS support #478

wants to merge 3 commits into from

Conversation

cpu
Copy link
Member

@cpu cpu commented Oct 21, 2024

FIPS feature

Using make FIPS=true with the Makefiles, or cmake -DFIPS="true" -S . -B build with the Windows cmake build will activate the aws-lc-rs feature of rustls-ffi, and the rustls/fips feature of Rustls.

On MacOS and Windows this requires some additional build tooling (Golang and Ninja). See the rustls manual and the aws-lc-rs-fips-sys crate for more information.

API additions

  • Ability to instantiate the FIPS default crypto_provider using a new function rustls_default_fips_provider(), available only when the fips feature is activated.

  • Ability to determine if a given crypto_provider is in FIPS mode using a new function rustls_crypto_provider_fips().

  • Ability to determine if a given rustls_client_config would create connections that are FIPS compatible with a new function
    rustls_client_config_fips().

  • Ability to determine if a given rustls_server_config would create connections that are FIPS compatible with a new function
    rustls_server_config_fips().

  • Ability to determine if a given rustls_connection was created from a rustls_client_config that was FIPS enabled with a new function rustls_connection_fips(). Doing equivalent for a server connection is not presently supported upstream (see consistent APIs for connection FIPS indicator rustls#2174).

TODO

  • presently the Mac and Windows FIPS-enabled builds fail with unresolved symbol errors when building the client/server examples
  • there's no FIPS specific integration tests.

@cpu
update rustls 0.23.13 -> 0.23.15
217d833 
No significant changes from the perspective of rustls-ffi, just better
perf \o/
@cpu
add opt-in FIPS feature, CI coverage
75fd188 
Using `make FIPS=true` with the Makefiles, or `cmake -DFIPS="true" -S
. -B build` with the Windows cmake build will activate the `aws-lc-rs`
feature of `rustls-ffi`, and the `rustls/fips` feature of Rustls.

On MacOS and Windows this requires some additional build tooling (Golang
and Ninja). See the rustls manual[0] and the aws-lc-rs-fips-sys crate[1]
for more information.

Note presently the Mac and Windows FIPS-enabled builds fail with
unresolved symbol errors when building the client/server examples. A fix
is TBD.

[0]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
[1]: https://crates.io/crates/aws-lc-fips-sys
@cpu
expose new FIPS related APIs
660480d 
* Ability to instantiate the FIPS default `crypto_provider` using a new
  function `rustls_default_fips_provider()`, available only when the
  fips feature is activated.

* Ability to determine if a given `crypto_provider` is in FIPS mode
  using a new function `rustls_crypto_provider_fips()`.

* Ability to determine if a given `rustls_client_config` would create
  connections that are FIPS compatible with a new function
  `rustls_client_config_fips()`.

* Ability to determine if a given `rustls_server_config` would create
  connections that are FIPS compatible with a new function
  `rustls_server_config_fips()`.

* Ability to determine if a given `rustls_connection` was created from
  a `rustls_client_config` that was FIPS enabled with a new function
  `rustls_connection_fips()`. Doing equivalent for a server connection
  is not presently supported upstream (will be fixed next release).
@cpu cpu self-assigned this Oct 21, 2024
@cpu cpu marked this pull request as draft October 21, 2024 19:02
@cpu
Copy link
Member Author

cpu commented Oct 21, 2024

update rustls 0.23.13 -> 0.23.15

Pulling this out into a separate PR since I have some TODOs for this one: #479

@cpu
Copy link
Member Author

cpu commented Oct 21, 2024

presently the Mac and Windows FIPS-enabled builds fail with unresolved symbol errors when building the client/server examples

The Ubuntu FIPS CI works great, and so do my local test builds on x86_64-unknown-linux.

Both MacOS and Windows build the Rust rustls-ffi lib and the aws-lc-rs/aws-lc-sys-fips crates without error, but fail to build/link the example C programs:

The MacOS builds fail to compile the client/server example .c programs with errors like:

cc -o target/client target/client.o target/common.o target/release/librustls_ffi.a -Wl,-dead_strip -framework Security -framework Foundation
Undefined symbols for architecture arm64:
  "_aws_lc_fips_0_12_13_AES_ecb_encrypt", referenced from:
      rustls::crypto::aws_lc_rs::quic::HeaderProtectionKey::xor_in_place::h57084e5b13308bb1 in librustls_ffi.a[72](rustls-c38d2f20cf176c7d.rustls.1215cb8b128a8c54-cgu.12.rcgu.o)

Similar failures for the cmake builds on Windows:

  Generating Code...
rustls_ffi.lib(rustls-c4ef5bb999bbcf41.rustls.dd57a86e5d66d92f-cgu.08.rcgu.o) : error LNK2001: unresolved external symbol aws_lc_fips_0_12_13_EVP_PKEY_free [D:\a\rustls-ffi\rustls-ffi\build\tests\client.vcxproj]

Probably missing some extra linker arguments for the C programs (?) - have to put a pin in this for today but will debug further when time permits.

@cpu cpu mentioned this pull request Oct 21, 2024
Open
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@cpu