
Commit 67648cf

add opt-in FIPS feature, Linux CI coverage
Using `make FIPS=true` with the Makefiles, or `cmake -DFIPS="true" -S . -B build` with the Windows cmake build will activate the `aws-lc-rs` feature of `rustls-ffi`, and the `rustls/fips` feature of Rustls. On Linux our test client/server binaries Just Work thanks to the magic of static linking. On MacOS/Windows life is more complicated. For now we'll land support without testing on these platforms since the dynamic linking setup required for the end-user application is tricky. See the rustls manual[0] and the aws-lc-rs-fips-sys crate[1] for more information and further FIPS related caveats. [0]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html [1]: https://crates.io/crates/aws-lc-fips-sys
1 parent 4c98260 commit 67648cf

7 files changed

+62
-2
lines changed


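--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -99,6 +99,24 @@ jobs:
 - name: Integration tests
 run: make PROFILE=debug CERT_COMPRESSION=true integration
 
+# TODO(@cpu): MacOS and Windows FIPS test coverage
+fips:
+name: FIPS
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+persist-credentials: false
+- uses: actions/checkout@v4
+with:
+persist-credentials: false
+- name: Install nightly rust toolchain
+uses: dtolnay/rust-toolchain@nightly
+- name: Unit tests
+run: make FIPS=true test
+- name: Integration tests
+run: make FIPS=true integration
+
 test-windows-cmake-debug:
 name: Windows CMake, Debug configuration
 runs-on: windows-latest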
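Review bot: The new `fips` job checks out the repository twice: the `actions/checkout@v4` step at new lines 107-109 is repeated verbatim at 110-112, and the second checkout only redoes the first one's work. Drop the duplicate so the job has a single checkout step. Separately, `dtolnay/rust-toolchain@nightly` resolves to whichever nightly is current on the day the job runs, so a FIPS build produced here is not reproducible from one run to the next; if the other jobs in this workflow pin a toolchain version or action commit, the new job should follow them — their definitions are outside this hunk.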

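--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,6 +10,8 @@ endif ()
 
 set(CERT_COMPRESSION "false" CACHE STRING "Whether to enable brotli and zlib certificate compression support")
 
+set(FIPS "false" CACHE STRING "Whether to enable aws-lc-rs and FIPS support")
+
 set(CARGO_FEATURES --no-default-features)
 if (CRYPTO_PROVIDER STREQUAL "aws-lc-rs")
 list(APPEND CARGO_FEATURES --features=aws-lc-rs)
@@ -21,6 +23,11 @@ if (CERT_COMPRESSION STREQUAL "true")
 list(APPEND CARGO_FEATURES --features=cert_compression)
 endif ()
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+if (FIPS STREQUAL "true")
+list(APPEND CARGO_FEATURES --features=fips)
+endif ()
+
 add_subdirectory(tests)
 
 include(ExternalProject)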
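Review bot: The new `FIPS` block appends `--features=fips` without looking at `CRYPTO_PROVIDER`, and the `fips` feature this same commit defines in Cargo.toml itself enables `aws-lc-rs`; a configuration with `CRYPTO_PROVIDER=ring` and `FIPS=true` therefore asks cargo for both providers at once, which is presumably not a supported combination, instead of failing at configure time. Guard it inside the new block: `if (NOT CRYPTO_PROVIDER STREQUAL "aws-lc-rs")` / `message(FATAL_ERROR "FIPS=true requires CRYPTO_PROVIDER=aws-lc-rs")` / `endif ()`. The `ifeq ($(FIPS), true)` blocks added to Makefile and Makefile.pkg-config have the same gap and could use `$(error ...)` for the same check. The cache entry's help string could also carry the manual link used in the comment, since the commit message describes dynamic-linking caveats on macOS and Windows that a `-DFIPS` user will not otherwise see.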

Cargo.lock

Lines changed: 16 additions & 0 deletions

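--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,6 +24,7 @@ capi = []
 ring = ["rustls/ring", "webpki/ring"]
 aws-lc-rs = ["rustls/aws-lc-rs", "webpki/aws_lc_rs"]
 cert_compression = ["rustls/brotli", "rustls/zlib"]
+fips = ["aws-lc-rs", "rustls/fips"]
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs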
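Review bot: The new `fips` feature line has no comment, unlike the blocks added to CMakeLists.txt and the Makefiles in this commit, and the manifest is the one place a crate consumer looks to learn what the feature does and that it forces the `aws-lc-rs` provider. Add above it: `# FIPS mode: pulls in the aws-lc-rs provider and rustls's FIPS feature; see https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html`. Enabling the feature is also a build-time choice that nothing in this diff surfaces to a C caller, so a program cannot tell whether the library it linked was built with it; if no such query exists elsewhere in the API, one may be worth adding.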

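--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,7 @@ CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
 COMPRESSION := false
+FIPS := false
 DESTDIR=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -41,6 +42,11 @@ ifeq ($(COMPRESSION), true)
 LDFLAGS += -lm
 endif
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+ifeq ($(FIPS), true)
+CARGOFLAGS += --features fips
+endif
+
 default: target/$(PROFILE)/librustls_ffi.a
 
 all: default test integration connect-test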

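--- a/Makefile.pkg-config
+++ b/Makefile.pkg-config
@@ -15,6 +15,7 @@ CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
 CERT_COMPRESSION := false
+FIPS := false
 PREFIX=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -39,6 +40,11 @@ ifeq ($(CERT_COMPRESSION), true)
 CARGOFLAGS += --features cert_compression
 endif
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+ifeq ($(FIPS), true)
+CARGOFLAGS += --features fips
+endif
+
 all: target/client target/server
 
 integration: all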

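--- a/tests/client_server.rs
+++ b/tests/client_server.rs
@@ -110,19 +110,25 @@ fn client_server_integration() {
 ],
 };
 
+// CHACHA20 is not FIPS approved :)
+#[cfg(not(feature = "fips"))]
+let custom_ciphersuite = "TLS13_CHACHA20_POLY1305_SHA256";
+#[cfg(feature = "fips")]
+let custom_ciphersuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+
 let custom_ciphersuites = TestCase {
 name: "client/server with limited ciphersuites",
 server_opts: ServerOptions {
 valgrind: valgrind.clone(),
-env: vec![("RUSTLS_CIPHERSUITE", "TLS13_CHACHA20_POLY1305_SHA256")],
+env: vec![("RUSTLS_CIPHERSUITE", custom_ciphersuite)],
 },
 client_tests: vec![
 ClientTest {
 name: "limited ciphersuite, supported by server",
 valgrind: valgrind.clone(),
 env: vec![
 ("NO_CHECK_CERTIFICATE", "1"),
-("RUSTLS_CIPHERSUITE", "TLS13_CHACHA20_POLY1305_SHA256"),
+("RUSTLS_CIPHERSUITE", custom_ciphersuite),
 ],
 expect_error: false,
 },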
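Review bot: Under `cfg(feature = "fips")` the limited-ciphersuite case switches from a TLS 1.3 suite to `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, a TLS 1.2 suite, so the FIPS build of this test no longer exercises the TLS 1.3 restricted-ciphersuite path at all. A FIPS-approved TLS 1.3 suite such as `TLS13_AES_128_GCM_SHA256` (assuming the test binaries accept rustls's suite names, as the TLS 1.2 name chosen here suggests) would keep coverage equivalent between the two builds; if dropping to TLS 1.2 is deliberate, the comment at new line 113 should say why. Nothing in the hunk asserts that the provider is actually operating in FIPS mode, so the new CI job shows that the feature compiles and handshakes, not that FIPS is active; if the library exposes a way to query that, a `#[cfg(feature = "fips")]` assertion here would close the gap. `client_server_integration` starts before and ends after this hunk.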
