From 919ae6aa61f7f276a640bef9dd506ef2e0d13668 Mon Sep 17 00:00:00 2001 From: toidiu Date: Tue, 14 May 2024 17:29:41 -0700 Subject: [PATCH] feat(s2n-quic-tls, s2n-quic-rustls): pass `fips` flag to tls backend (#2209) --- .github/workflows/ci.yml | 8 ++++++-- quic/s2n-quic-rustls/Cargo.toml | 3 +++ quic/s2n-quic-rustls/src/cipher_suite.rs | 6 +++++- quic/s2n-quic-tls/Cargo.toml | 2 +- quic/s2n-quic-tls/src/client.rs | 3 +++ quic/s2n-quic-tls/src/server.rs | 3 +++ quic/s2n-quic/Cargo.toml | 1 + 7 files changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fe211058ad..ac3e7b87ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -284,9 +284,13 @@ jobs: - uses: camshaft/rust-cache@v1 - - name: Run test + - name: Run test (rustls) run: | - cargo test --features provider-tls-fips + cargo test --no-default-features --features "provider-tls-fips provider-tls-rustls" + + - name: Run test (s2n-tls) + run: | + cargo test --no-default-features --features "provider-tls-fips provider-tls-s2n" miri: # miri needs quite a bit of memory so use a larger instance diff --git a/quic/s2n-quic-rustls/Cargo.toml b/quic/s2n-quic-rustls/Cargo.toml index 1a89e55808..c5ea67d4cd 100644 --- a/quic/s2n-quic-rustls/Cargo.toml +++ b/quic/s2n-quic-rustls/Cargo.toml @@ -10,6 +10,9 @@ license = "Apache-2.0" # Exclude corpus files when publishing to crates.io exclude = ["corpus.tar.gz"] +[features] +fips = ["s2n-quic-crypto/fips", "rustls/fips"] + [dependencies] bytes = { version = "1", default-features = false } # By [default](https://docs.rs/crate/rustls/latest/features) rustls includes the `tls12` feature. diff --git a/quic/s2n-quic-rustls/src/cipher_suite.rs b/quic/s2n-quic-rustls/src/cipher_suite.rs index b92bda91dc..54cfe53fe4 100644 --- a/quic/s2n-quic-rustls/src/cipher_suite.rs +++ b/quic/s2n-quic-rustls/src/cipher_suite.rs @@ -11,9 +11,13 @@ use s2n_quic_core::crypto::{self, packet_protection, scatter, tls, HeaderProtect /// `aws_lc_rs` is the default crypto provider since that is also the /// default used by rustls. pub(crate) fn default_crypto_provider() -> Result { + let crypto = aws_lc_rs::default_provider(); + #[cfg(feature = "fips")] + assert!(crypto.fips()); + Ok(CryptoProvider { cipher_suites: DEFAULT_CIPHERSUITES.to_vec(), - ..aws_lc_rs::default_provider() + ..crypto }) } diff --git a/quic/s2n-quic-tls/Cargo.toml b/quic/s2n-quic-tls/Cargo.toml index 981e54f2f9..903885a4fd 100644 --- a/quic/s2n-quic-tls/Cargo.toml +++ b/quic/s2n-quic-tls/Cargo.toml @@ -11,7 +11,7 @@ license = "Apache-2.0" exclude = ["corpus.tar.gz"] [features] -fips = ["s2n-quic-crypto/fips"] +fips = ["s2n-quic-crypto/fips", "s2n-tls/fips"] unstable_client_hello = [] unstable_private_key = [] diff --git a/quic/s2n-quic-tls/src/client.rs b/quic/s2n-quic-tls/src/client.rs index b6fc445285..0739cc50b6 100644 --- a/quic/s2n-quic-tls/src/client.rs +++ b/quic/s2n-quic-tls/src/client.rs @@ -186,6 +186,9 @@ impl Builder { } pub fn build(self) -> Result { + #[cfg(feature = "fips")] + assert!(s2n_tls::init::fips_mode()?.is_enabled()); + Ok(Client { loader: self.config.build()?, keylog: self.keylog, diff --git a/quic/s2n-quic-tls/src/server.rs b/quic/s2n-quic-tls/src/server.rs index 551ce1b40e..ea32fe0271 100644 --- a/quic/s2n-quic-tls/src/server.rs +++ b/quic/s2n-quic-tls/src/server.rs @@ -219,6 +219,9 @@ impl Builder { } pub fn build(self) -> Result { + #[cfg(feature = "fips")] + assert!(s2n_tls::init::fips_mode()?.is_enabled()); + Ok(Server { loader: self.config.build()?, keylog: self.keylog, diff --git a/quic/s2n-quic/Cargo.toml b/quic/s2n-quic/Cargo.toml index c1db00effb..ec3dc58045 100644 --- a/quic/s2n-quic/Cargo.toml +++ b/quic/s2n-quic/Cargo.toml @@ -18,6 +18,7 @@ default = [ provider-tls-fips = [ "s2n-quic-tls-default?/fips", "s2n-quic-tls?/fips", + "s2n-quic-rustls?/fips", ] provider-address-token-default = [ "cuckoofilter",