chore(rust): fips feature

ajewellamz · ajewellamz · commit 2c5cc0d00ed8 · 2025-08-27T12:54:59.000-04:00
diff --git a/.github/workflows/library_rust_tests.yml b/.github/workflows/library_rust_tests.yml
@@ -91,6 +91,12 @@ jobs:
         if: matrix.os == 'windows-latest'
         uses: ilammy/setup-nasm@v1
 
+      # Go is needed for aws-lc-FIPS
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ">=1.18"
+
       - name: Install Smithy-Dafny codegen dependencies
         uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
 
@@ -121,6 +127,12 @@ jobs:
         run: |
           make test_rust
 
+      - name: Test ${{ matrix.library }} Rust Fips
+        shell: bash
+        working-directory: ./${{ matrix.library }}/runtimes/rust/
+        run: |
+          cargo test --release --features fips -- --nocapture
+
       - name: Test ${{ matrix.library }} Rust Debug
         if: ${{ matrix.library != 'TestVectors' }}
         shell: bash
diff --git a/DynamoDbEncryption/runtimes/rust/Cargo.toml b/DynamoDbEncryption/runtimes/rust/Cargo.toml
@@ -2,7 +2,7 @@
 name = "aws-db-esdk"
 version = "1.1.1"
 edition = "2021"
-rust-version = "1.81.0"
+rust-version = "1.86.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]
 license = "ISC AND (Apache-2.0 OR ISC)"
 description = "aws-db-esdk is a library for implementing client side encryption with DynamoDB."
@@ -16,20 +16,26 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-aws-config = "1.6.3"
-aws-lc-rs = "1.13.1"
-aws-lc-sys = "0.29.0"
-aws-sdk-dynamodb = "1.73.0"
-aws-sdk-kms = "1.67.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "0.30", optional = true }
+aws-lc-fips-sys = { version = "0.13", optional = true }
+aws-sdk-dynamodb = "1.90.0"
+aws-sdk-kms = "1.84.0"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../submodules/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"] }
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.1", features = ["full"] }
-uuid = { version = "1.17.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
 
 [[example]]
 name = "main"
+
+[features]
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]
diff --git a/DynamoDbEncryption/runtimes/rust/src/lib.rs b/DynamoDbEncryption/runtimes/rust/src/lib.rs
@@ -86,6 +86,12 @@ pub mod operation;
 /// Types for the transform client. Rarely useful.
 pub mod types;
 
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 pub use client::Client;
 pub use types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;
 
diff --git a/TestVectors/runtimes/rust/Cargo.toml b/TestVectors/runtimes/rust/Cargo.toml
@@ -2,26 +2,29 @@
 name = "aws-db-esdk-test-vectors"
 version = "0.1.0"
 edition = "2021"
-rust-version = "1.81.0"
+rust-version = "1.86.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
-[features]
-default = ["wrapped-client"]
-wrapped-client = []
-
 [dependencies]
-aws-config = "1.6.3"
-aws-lc-rs = "1.13.1"
-aws-lc-sys = "0.29.0"
-aws-sdk-dynamodb = "1.73.0"
-aws-sdk-kms = "1.67.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "0.30", optional = true }
+aws-lc-fips-sys = { version = "0.13", optional = true }
+aws-sdk-dynamodb = "1.90.0"
+aws-sdk-kms = "1.84.0"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../submodules/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"] }
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.1", features = ["full"] }
-uuid = { version = "1.17.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
+
+[features]
+wrapped-client = []
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips", "wrapped-client"]
diff --git a/TestVectors/runtimes/rust/src/lib.rs b/TestVectors/runtimes/rust/src/lib.rs
@@ -17,6 +17,12 @@ pub mod intercept;
 #[cfg(feature = "wrapped-client")]
 pub mod wrapped;
 
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 mod standard_library_conversions;
 mod standard_library_externs;
 
diff --git a/submodules/MaterialProviders b/submodules/MaterialProviders
@@ -1 +1 @@
-Subproject commit bb0ec0cb959e6982cf2c154458c39865db083e84
+Subproject commit f6bdd23d4ef83e3513554abb41d0ddbd3d89e8b8
diff --git a/submodules/smithy-dafny b/submodules/smithy-dafny
@@ -1 +1 @@
-Subproject commit b60ee9f53a997838ba02510de40c609b17a3a728
+Subproject commit 2f83e28ad9532b24c93d2229476c9a268355d338
