WIP: opt-in rustls-ffi FIPS support #478
base: main
Conversation
No significant changes from the perspective of rustls-ffi, just better perf \o/
Using `make FIPS=true` with the Makefiles, or `cmake -DFIPS="true" -S . -B build` with the Windows cmake build will activate the `aws-lc-rs` feature of `rustls-ffi`, and the `rustls/fips` feature of Rustls. On MacOS and Windows this requires some additional build tooling (Golang and Ninja). See the rustls manual[0] and the aws-lc-rs-fips-sys crate[1] for more information.

Note presently the Mac and Windows FIPS-enabled builds fail with unresolved symbol errors when building the client/server examples. A fix is TBD.

[0]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
[1]: https://crates.io/crates/aws-lc-fips-sys

* Ability to instantiate the FIPS default `crypto_provider` using a new function `rustls_default_fips_provider()`, available only when the fips feature is activated.
* Ability to determine if a given `crypto_provider` is in FIPS mode using a new function `rustls_crypto_provider_fips()`.
* Ability to determine if a given `rustls_client_config` would create connections that are FIPS compatible with a new function `rustls_client_config_fips()`.
* Ability to determine if a given `rustls_server_config` would create connections that are FIPS compatible with a new function `rustls_server_config_fips()`.
* Ability to determine if a given `rustls_connection` was created from a `rustls_client_config` that was FIPS enabled with a new function `rustls_connection_fips()`. Doing equivalent for a server connection is not presently supported upstream (will be fixed next release).
Pulling this out into a separate PR since I have some TODOs for this one: #479
The Ubuntu FIPS CI works great, and so do my local test builds on Both MacOS and Windows build the Rust The MacOS builds fail to compile the client/server example
Similar failures for the
Probably missing some extra linker arguments for the C programs (?) - have to put a pin in this for today but will debug further when time permits.
FIPS feature

Using `make FIPS=true` with the Makefiles, or `cmake -DFIPS="true" -S . -B build` with the Windows cmake build will activate the `aws-lc-rs` feature of `rustls-ffi`, and the `rustls/fips` feature of Rustls. On MacOS and Windows this requires some additional build tooling (Golang and Ninja). See the rustls manual and the aws-lc-rs-fips-sys crate for more information.

API additions

* Ability to instantiate the FIPS default `crypto_provider` using a new function `rustls_default_fips_provider()`, available only when the fips feature is activated.
* Ability to determine if a given `crypto_provider` is in FIPS mode using a new function `rustls_crypto_provider_fips()`.
* Ability to determine if a given `rustls_client_config` would create connections that are FIPS compatible with a new function `rustls_client_config_fips()`.
* Ability to determine if a given `rustls_server_config` would create connections that are FIPS compatible with a new function `rustls_server_config_fips()`.
* Ability to determine if a given `rustls_connection` was created from a `rustls_client_config` that was FIPS enabled with a new function `rustls_connection_fips()`. Doing equivalent for a server connection is not presently supported upstream (see consistent APIs for connection FIPS indicator rustls#2174).

TODO