feat(s2n-quic-tls, s2n-quic-rustls): pass fips flag to tls backend (#…

…2209)
aws · May 15, 2024 · 919ae6a · 919ae6a
1 parent 30ef24c
commit 919ae6a
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -284,9 +284,13 @@ jobs:
 
       - uses: camshaft/rust-cache@v1
 
-      - name: Run test
+      - name: Run test (rustls)
         run: |
-          cargo test --features provider-tls-fips
+          cargo test --no-default-features --features "provider-tls-fips provider-tls-rustls"
+
+      - name: Run test (s2n-tls)
+        run: |
+          cargo test --no-default-features --features "provider-tls-fips provider-tls-s2n"
 
   miri:
     # miri needs quite a bit of memory so use a larger instance

diff --git a/quic/s2n-quic-rustls/Cargo.toml b/quic/s2n-quic-rustls/Cargo.toml
@@ -10,6 +10,9 @@ license = "Apache-2.0"
 # Exclude corpus files when publishing to crates.io
 exclude = ["corpus.tar.gz"]
 
+[features]
+fips = ["s2n-quic-crypto/fips", "rustls/fips"]
+
 [dependencies]
 bytes = { version = "1", default-features = false }
 # By [default](https://docs.rs/crate/rustls/latest/features) rustls includes the `tls12` feature.

diff --git a/quic/s2n-quic-rustls/src/cipher_suite.rs b/quic/s2n-quic-rustls/src/cipher_suite.rs
@@ -11,9 +11,13 @@ use s2n_quic_core::crypto::{self, packet_protection, scatter, tls, HeaderProtect
 /// `aws_lc_rs` is the default crypto provider since that is also the
 /// default used by rustls.
 pub(crate) fn default_crypto_provider() -> Result<CryptoProvider, rustls::Error> {
+    let crypto = aws_lc_rs::default_provider();
+    #[cfg(feature = "fips")]
+    assert!(crypto.fips());
+
     Ok(CryptoProvider {
         cipher_suites: DEFAULT_CIPHERSUITES.to_vec(),
-        ..aws_lc_rs::default_provider()
+        ..crypto
     })
 }
 

diff --git a/quic/s2n-quic-tls/Cargo.toml b/quic/s2n-quic-tls/Cargo.toml
@@ -11,7 +11,7 @@ license = "Apache-2.0"
 exclude = ["corpus.tar.gz"]
 
 [features]
-fips = ["s2n-quic-crypto/fips"]
+fips = ["s2n-quic-crypto/fips", "s2n-tls/fips"]
 unstable_client_hello = []
 unstable_private_key = []
 

diff --git a/quic/s2n-quic-tls/src/client.rs b/quic/s2n-quic-tls/src/client.rs
@@ -186,6 +186,9 @@ impl Builder {
     }
 
     pub fn build(self) -> Result<Client, Error> {
+        #[cfg(feature = "fips")]
+        assert!(s2n_tls::init::fips_mode()?.is_enabled());
+
         Ok(Client {
             loader: self.config.build()?,
             keylog: self.keylog,

diff --git a/quic/s2n-quic-tls/src/server.rs b/quic/s2n-quic-tls/src/server.rs
@@ -219,6 +219,9 @@ impl Builder {
     }
 
     pub fn build(self) -> Result<Server, Error> {
+        #[cfg(feature = "fips")]
+        assert!(s2n_tls::init::fips_mode()?.is_enabled());
+
         Ok(Server {
             loader: self.config.build()?,
             keylog: self.keylog,

diff --git a/quic/s2n-quic/Cargo.toml b/quic/s2n-quic/Cargo.toml
@@ -18,6 +18,7 @@ default = [
 provider-tls-fips = [
     "s2n-quic-tls-default?/fips",
     "s2n-quic-tls?/fips",
+    "s2n-quic-rustls?/fips",
 ]
 provider-address-token-default = [
     "cuckoofilter",