chore(rust): provide fips feature flag (#1703)

Author: ajewellamz

.github/workflows/library_rust_tests.yml

@@ -68,6 +68,12 @@ jobs:
         if: matrix.os == 'windows-latest'
         uses: ilammy/setup-nasm@v1
 
+      # Go is needed for aws-lc-FIPS
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ">=1.18"
+
       - name: Install Smithy-Dafny codegen dependencies
         uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
 
@@ -97,3 +103,11 @@ jobs:
         run: |
           make test_rust
           make test_rust_debug
+
+      - name: Test ${{ matrix.library }} Rust Fips
+        if: matrix.library == 'AwsCryptographyPrimitives' || matrix.library == 'AwsCryptographicMaterialProviders' || matrix.library == 'TestVectorsAwsCryptographicMaterialProviders'
+        shell: bash
+        working-directory: ./${{ matrix.library }}/runtimes/rust
+        run: |
+          cargo test --release --features fips -- --nocapture
+          cargo test --features fips -- --nocapture

AwsCryptographicMaterialProviders/runtimes/rust/Cargo.toml

@@ -13,20 +13,27 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-aws-config = "1.6.2"
-aws-lc-rs = "=1.13.0"
-aws-lc-sys = "=0.28.2"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "=0.30", optional = true }
+aws-lc-fips-sys = { version = "=0.13", optional = true }
 aws-sdk-dynamodb = "1.55.0"
 aws-sdk-kms = "1.51.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"]}
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.0", features = ["full"] }
-uuid = { version = "1.16.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
 timeout = "0.1.0"
-rand = "0.9.1"
+rand = "0.9.2"
 futures = "0.3"
+
+[features]
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]
+

AwsCryptographicMaterialProviders/runtimes/rust/src/ecdh.rs

@@ -22,14 +22,14 @@ pub mod ECDH {
         use crate::software::amazon::cryptography::primitives::internaldafny::types::ECDHCurveSpec;
         use crate::software::amazon::cryptography::primitives::internaldafny::types::Error as DafnyError;
         use crate::*;
-        use aws_lc_sys;
+        use aws_lc_sys_impl;
         use dafny_runtime::Rc;
 
         fn get_nid(x: &ECDHCurveSpec) -> i32 {
             match x {
-                ECDHCurveSpec::ECC_NIST_P256 {} => aws_lc_sys::NID_X9_62_prime256v1,
-                ECDHCurveSpec::ECC_NIST_P384 {} => aws_lc_sys::NID_secp384r1,
-                ECDHCurveSpec::ECC_NIST_P521 {} => aws_lc_sys::NID_secp521r1,
+                ECDHCurveSpec::ECC_NIST_P256 {} => aws_lc_sys_impl::NID_X9_62_prime256v1,
+                ECDHCurveSpec::ECC_NIST_P384 {} => aws_lc_sys_impl::NID_secp384r1,
+                ECDHCurveSpec::ECC_NIST_P521 {} => aws_lc_sys_impl::NID_secp521r1,
                 ECDHCurveSpec::SM2 {} => panic!("No SM2 in Rust"),
             }
         }
@@ -45,29 +45,29 @@ pub mod ECDH {
             }
         }
 
-        use aws_lc_sys::CBB_finish;
-        use aws_lc_sys::CBB_init;
-        use aws_lc_sys::EC_GROUP_get_curve_name;
-        use aws_lc_sys::EC_GROUP_new_by_curve_name;
-        use aws_lc_sys::EC_KEY_get0_group;
-        use aws_lc_sys::EC_KEY_get0_public_key;
-        use aws_lc_sys::EC_KEY_new_by_curve_name;
-        use aws_lc_sys::EC_KEY_set_public_key;
-        use aws_lc_sys::EC_POINT_free;
-        use aws_lc_sys::EC_POINT_new;
-        use aws_lc_sys::EC_POINT_oct2point;
-        use aws_lc_sys::EC_POINT_point2oct;
-        use aws_lc_sys::EVP_PKEY_assign_EC_KEY;
-        use aws_lc_sys::EVP_PKEY_free;
-        use aws_lc_sys::EVP_PKEY_get0_EC_KEY;
-        use aws_lc_sys::EVP_PKEY_new;
-        use aws_lc_sys::EVP_PKEY_size;
-        use aws_lc_sys::EVP_marshal_public_key;
-        use aws_lc_sys::EVP_parse_public_key;
-        use aws_lc_sys::OPENSSL_free;
-        use aws_lc_sys::CBB;
-        use aws_lc_sys::CBS;
-        use aws_lc_sys::EVP_PKEY_EC;
+        use aws_lc_sys_impl::CBB_finish;
+        use aws_lc_sys_impl::CBB_init;
+        use aws_lc_sys_impl::EC_GROUP_get_curve_name;
+        use aws_lc_sys_impl::EC_GROUP_new_by_curve_name;
+        use aws_lc_sys_impl::EC_KEY_get0_group;
+        use aws_lc_sys_impl::EC_KEY_get0_public_key;
+        use aws_lc_sys_impl::EC_KEY_new_by_curve_name;
+        use aws_lc_sys_impl::EC_KEY_set_public_key;
+        use aws_lc_sys_impl::EC_POINT_free;
+        use aws_lc_sys_impl::EC_POINT_new;
+        use aws_lc_sys_impl::EC_POINT_oct2point;
+        use aws_lc_sys_impl::EC_POINT_point2oct;
+        use aws_lc_sys_impl::EVP_PKEY_assign_EC_KEY;
+        use aws_lc_sys_impl::EVP_PKEY_free;
+        use aws_lc_sys_impl::EVP_PKEY_get0_EC_KEY;
+        use aws_lc_sys_impl::EVP_PKEY_new;
+        use aws_lc_sys_impl::EVP_PKEY_size;
+        use aws_lc_sys_impl::EVP_marshal_public_key;
+        use aws_lc_sys_impl::EVP_parse_public_key;
+        use aws_lc_sys_impl::OPENSSL_free;
+        use aws_lc_sys_impl::CBB;
+        use aws_lc_sys_impl::CBS;
+        use aws_lc_sys_impl::EVP_PKEY_EC;
         use std::ptr::null_mut;
 
         const ELEM_MAX_BITS: usize = 521;
@@ -106,9 +106,9 @@ pub mod ECDH {
             }
 
             let comp = if compress {
-                aws_lc_sys::point_conversion_form_t::POINT_CONVERSION_COMPRESSED
+                aws_lc_sys_impl::point_conversion_form_t::POINT_CONVERSION_COMPRESSED
             } else {
-                aws_lc_sys::point_conversion_form_t::POINT_CONVERSION_UNCOMPRESSED
+                aws_lc_sys_impl::point_conversion_form_t::POINT_CONVERSION_UNCOMPRESSED
             };
 
             let mut out_buf = [0u8; PUBLIC_KEY_MAX_LEN];
@@ -184,7 +184,7 @@ pub mod ECDH {
         ) -> Result<Vec<u8>, String> {
             let mut out = null_mut();
             let evp_pkey = unsafe {
-                aws_lc_sys::d2i_PrivateKey(
+                aws_lc_sys_impl::d2i_PrivateKey(
                     EVP_PKEY_EC,
                     &mut out,
                     &mut key_bytes.as_ptr(),
@@ -340,7 +340,7 @@ pub mod ECDH {
             }
             let ec_key = unsafe { EVP_PKEY_get0_EC_KEY(evp_pkey) };
 
-            if unsafe { aws_lc_sys::EC_KEY_check_fips(ec_key) } != 1 {
+            if unsafe { aws_lc_sys_impl::EC_KEY_check_fips(ec_key) } != 1 {
                 return Err(INVALID_KEY.to_string());
             }
             let ec_group = unsafe { EC_KEY_get0_group(ec_key) };

AwsCryptographicMaterialProviders/runtimes/rust/src/ecdsa.rs

@@ -55,8 +55,8 @@ pub mod Signature {
 
         fn get_nid(x: &ECDSASignatureAlgorithm) -> i32 {
             match x {
-                ECDSASignatureAlgorithm::ECDSA_P256 {} => aws_lc_sys::NID_X9_62_prime256v1,
-                ECDSASignatureAlgorithm::ECDSA_P384 {} => aws_lc_sys::NID_secp384r1,
+                ECDSASignatureAlgorithm::ECDSA_P256 {} => aws_lc_sys_impl::NID_X9_62_prime256v1,
+                ECDSASignatureAlgorithm::ECDSA_P384 {} => aws_lc_sys_impl::NID_secp384r1,
             }
         }
 
@@ -71,20 +71,20 @@ pub mod Signature {
             sec1_convert(
                 data,
                 get_nid(alg),
-                aws_lc_sys::point_conversion_form_t::POINT_CONVERSION_COMPRESSED,
+                aws_lc_sys_impl::point_conversion_form_t::POINT_CONVERSION_COMPRESSED,
             )
         }
 
         pub(crate) fn sec1_convert(
             data: &[u8],
             nid: i32,
-            form: aws_lc_sys::point_conversion_form_t,
+            form: aws_lc_sys_impl::point_conversion_form_t,
         ) -> Result<Vec<u8>, String> {
-            use aws_lc_sys::EC_GROUP_new_by_curve_name;
-            use aws_lc_sys::EC_POINT_free;
-            use aws_lc_sys::EC_POINT_new;
-            use aws_lc_sys::EC_POINT_oct2point;
-            use aws_lc_sys::EC_POINT_point2oct;
+            use aws_lc_sys_impl::EC_GROUP_new_by_curve_name;
+            use aws_lc_sys_impl::EC_POINT_free;
+            use aws_lc_sys_impl::EC_POINT_new;
+            use aws_lc_sys_impl::EC_POINT_oct2point;
+            use aws_lc_sys_impl::EC_POINT_point2oct;
             use std::ptr::null_mut;
 
             // no need to free ec_group

AwsCryptographicMaterialProviders/runtimes/rust/src/lib.rs

@@ -14,6 +14,12 @@
 #![allow(clippy::never_loop)]
 #![allow(clippy::absurd_extreme_comparisons)]
 
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 pub mod client;
 pub mod conversions;
 pub mod deps;

AwsCryptographyPrimitives/runtimes/rust/Cargo.toml

@@ -7,15 +7,21 @@ rust-version = "1.80.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-aws-config = "1.6.2"
-aws-lc-rs = "1.13.0"
-aws-lc-sys = "0.28.2"
-aws-smithy-runtime-api = "1.8.0"
-aws-smithy-types = "1.3.1"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "=0.30", optional = true }
+aws-lc-fips-sys = { version = "=0.13", optional = true }
+aws-smithy-runtime-api = "1.9.0"
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"]}
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.0", features = ["full"] }
-uuid = { version = "1.16.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
+
+[features]
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]

AwsCryptographyPrimitives/runtimes/rust/src/lib.rs

@@ -11,6 +11,12 @@
 #![allow(clippy::never_loop)]
 #![allow(clippy::absurd_extreme_comparisons)]
 
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 pub mod client;
 pub mod conversions;
 pub mod error;

TestVectorsAwsCryptographicMaterialProviders/runtimes/rust/Cargo.toml

@@ -6,24 +6,22 @@ rust-version = "1.80.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
-[features]
-wrapped-client = []
-
 [dependencies]
-aws-config = "1.6.2"
-aws-lc-rs = "=1.13.0"
-aws-lc-sys = "=0.28.2"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "=0.30", optional = true }
+aws-lc-fips-sys = { version = "=0.13", optional = true }
 aws-sdk-dynamodb = "1.55.0"
 aws-sdk-kms = "1.51.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"]}
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.0", features = ["full"] }
-uuid = { version = "1.16.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
 ring = "0.17.14"
 
 [dev-dependencies]
@@ -32,3 +30,9 @@ aws-mpl-test-vectors = { path = ".", features = ["wrapped-client"] }
 [[bin]]
 name = "test-vectors"
 path = "src/main.rs"
+
+[features]
+wrapped-client = []
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]

TestVectorsAwsCryptographicMaterialProviders/runtimes/rust/src/main.rs

@@ -21,6 +21,13 @@ pub mod types;
 pub mod validation;
 pub mod wrapped;
 
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
+
 pub(crate) mod standard_library_conversions;
 pub(crate) mod standard_library_externs;
 pub use client::Client;