add opt-in FIPS feature, Linux CI coverage

Using `make FIPS=true` with the Makefiles, or `cmake -DFIPS="true" -S . -B build` with the Windows cmake build will activate the `aws-lc-rs` feature of `rustls-ffi`, and the `rustls/fips` feature of Rustls. On Linux our test client/server binaries Just Work thanks to the magic of static linking. On MacOS/Windows life is more complicated. For now we'll land support without testing on these platforms since the dynamic linking setup required for the end-user application is tricky. See the rustls manual[0] and the aws-lc-rs-fips-sys crate[1] for more information and further FIPS related caveats. [0]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html [1]: https://crates.io/crates/aws-lc-fips-sys
rustls · Nov 25, 2024 · 4ee886e · 4ee886e
1 parent 72e92f2
commit 4ee886e
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 2 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -99,6 +99,24 @@ jobs:
       - name: Integration tests
         run: make PROFILE=debug CERT_COMPRESSION=true integration
 
+  # TODO(@cpu): MacOS and Windows FIPS test coverage
+  fips:
+    name: FIPS
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install nightly rust toolchain
+        uses: dtolnay/rust-toolchain@nightly
+      - name: Unit tests
+        run: make FIPS=true test
+      - name: Integration tests
+        run: make FIPS=true integration
+
   test-windows-cmake-debug:
     name: Windows CMake, Debug configuration
     runs-on: windows-latest

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -10,6 +10,8 @@ endif ()
 
 set(CERT_COMPRESSION "false" CACHE STRING "Whether to enable brotli and zlib certificate compression support")
 
+set(FIPS "false" CACHE STRING "Whether to enable aws-lc-rs and FIPS support")
+
 set(CARGO_FEATURES --no-default-features)
 if (CRYPTO_PROVIDER STREQUAL "aws-lc-rs")
     list(APPEND CARGO_FEATURES --features=aws-lc-rs)
@@ -21,6 +23,11 @@ if (CERT_COMPRESSION STREQUAL "true")
     list(APPEND CARGO_FEATURES --features=cert_compression)
 endif ()
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+if (FIPS STREQUAL "true")
+    list(APPEND CARGO_FEATURES --features=fips)
+endif ()
+
 add_subdirectory(tests)
 
 include(ExternalProject)

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,6 +24,7 @@ capi = []
 ring = ["rustls/ring", "webpki/ring"]
 aws-lc-rs = ["rustls/aws-lc-rs", "webpki/aws_lc_rs"]
 cert_compression = ["rustls/brotli", "rustls/zlib"]
+fips = ["aws-lc-rs", "rustls/fips"]
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs

diff --git a/Makefile b/Makefile
@@ -11,6 +11,7 @@ CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
 COMPRESSION := false
+FIPS := false
 DESTDIR=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -41,6 +42,11 @@ ifeq ($(COMPRESSION), true)
 	LDFLAGS += -lm
 endif
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+ifeq ($(FIPS), true)
+	CARGOFLAGS += --features fips
+endif
+
 default: target/$(PROFILE)/librustls_ffi.a
 
 all: default test integration connect-test

diff --git a/Makefile.pkg-config b/Makefile.pkg-config
@@ -15,6 +15,7 @@ CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
 CERT_COMPRESSION := false
+FIPS := false
 PREFIX=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -39,6 +40,11 @@ ifeq ($(CERT_COMPRESSION), true)
 	CARGOFLAGS += --features cert_compression
 endif
 
+# See https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
+ifeq ($(FIPS), true)
+	CARGOFLAGS += --features fips
+endif
+
 all: target/client target/server
 
 integration: all

diff --git a/tests/client_server.rs b/tests/client_server.rs
@@ -110,19 +110,25 @@ fn client_server_integration() {
         ],
     };
 
+    // CHACHA20 is not FIPS approved :)
+    #[cfg(not(feature = "fips"))]
+    let custom_ciphersuite = "TLS13_CHACHA20_POLY1305_SHA256";
+    #[cfg(feature = "fips")]
+    let custom_ciphersuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+
     let custom_ciphersuites = TestCase {
         name: "client/server with limited ciphersuites",
         server_opts: ServerOptions {
             valgrind: valgrind.clone(),
-            env: vec![("RUSTLS_CIPHERSUITE", "TLS13_CHACHA20_POLY1305_SHA256")],
+            env: vec![("RUSTLS_CIPHERSUITE", custom_ciphersuite)],
         },
         client_tests: vec![
             ClientTest {
                 name: "limited ciphersuite, supported by server",
                 valgrind: valgrind.clone(),
                 env: vec![
                     ("NO_CHECK_CERTIFICATE", "1"),
-                    ("RUSTLS_CIPHERSUITE", "TLS13_CHACHA20_POLY1305_SHA256"),
+                    ("RUSTLS_CIPHERSUITE", custom_ciphersuite),
                 ],
                 expect_error: false,
             },