*: use OpenSSL for crypto RNG (tikv#16170)

ref tikv#15982

To comply with FIPS 140-2 requirements, it's essential to choose an RNG
that meets these specifications.
This commit replaces the `rand` crate with OpenSSL for cryptographic random
number generation.

Signed-off-by: Neil Shen <[email protected]>

Co-authored-by: ti-chi-bot[bot] <108142056+ti-chi-bot[bot]@users.noreply.github.com>
Co-authored-by: lucasliang <[email protected]>

Author: 3 people

Cargo.lock

@@ -68,6 +68,7 @@ coprocessor_plugin_api = { workspace = true }
 crc32fast = "1.2"
 crc64fast = "0.1"
 crossbeam = "0.8"
+crypto = { workspace = true }
 dashmap = "5"
 encryption_export = { workspace = true }
 engine_panic = { workspace = true }
@@ -78,7 +79,6 @@ engine_traits_tests = { workspace = true }
 error_code = { workspace = true }
 fail = "0.5"
 file_system = { workspace = true }
-fips = { workspace = true }
 flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
 futures = { version = "0.3", features = ["thread-pool", "compat"] }
 futures-executor = "0.3.1"
@@ -243,6 +243,7 @@ members = [
   "components/collections",
   "components/concurrency_manager",
   "components/coprocessor_plugin_api",
+  "components/crypto",
   "components/encryption",
   "components/encryption/export",
   "components/engine_rocks_helper",
@@ -252,7 +253,6 @@ members = [
   "components/error_code",
   "components/external_storage",
   "components/file_system",
-  "components/fips",
   "components/into_other",
   "components/keys",
   "components/log_wrappers",
@@ -328,7 +328,7 @@ engine_traits_tests = { path = "components/engine_traits_tests", default-feature
 error_code = { path = "components/error_code" }
 external_storage = { path = "components/external_storage" }
 file_system = { path = "components/file_system" }
-fips = { path = "components/fips" }
+crypto = { path = "components/crypto" }
 gcp = { path = "components/cloud/gcp" }
 into_other = { path = "components/into_other" }
 keys = { path = "components/keys" }

Cargo.toml

@@ -49,12 +49,12 @@ clap = "2.32"
 collections = { workspace = true }
 concurrency_manager = { workspace = true }
 crossbeam = "0.8"
+crypto = { workspace = true }
 encryption_export = { workspace = true }
 engine_rocks = { workspace = true }
 engine_traits = { workspace = true }
 error_code = { workspace = true }
 file_system = { workspace = true }
-fips = { workspace = true }
 futures = "0.3"
 gag = "1.0"
 grpcio = { workspace = true }
@@ -72,7 +72,6 @@ raft-engine = { git = "https://github.com/tikv/raft-engine.git" }
 raft-engine-ctl = { git = "https://github.com/tikv/raft-engine.git" }
 raft_log_engine = { workspace = true }
 raftstore = { workspace = true }
-rand = "0.8"
 regex = "1"
 security = { workspace = true }
 serde_json = "1.0"

cmd/tikv-ctl/Cargo.toml

@@ -20,6 +20,7 @@ use std::{
 };
 
 use collections::HashMap;
+use crypto::fips;
 use encryption_export::{
     create_backend, data_key_manager_from_config, DataKeyManager, DecrypterReader, Iv,
 };

cmd/tikv-ctl/src/main.rs

@@ -34,9 +34,9 @@ pprof-fp = ["tikv/pprof-fp"]
 
 [dependencies]
 clap = "2.32"
+crypto = { workspace = true }
 encryption_export = { workspace = true }
 engine_traits = { workspace = true }
-fips = { workspace = true }
 keys = { workspace = true }
 kvproto = { workspace = true }
 raft-engine = { git = "https://github.com/tikv/raft-engine.git" }

cmd/tikv-server/Cargo.toml

@@ -5,6 +5,7 @@
 use std::{path::Path, process};
 
 use clap::{crate_authors, App, Arg};
+use crypto::fips;
 use serde_json::{Map, Value};
 use server::setup::{ensure_no_unrecognized_config, validate_and_persist_config};
 use tikv::{

cmd/tikv-server/src/main.rs

@@ -57,7 +57,6 @@ prometheus-static-metric = "0.5"
 protobuf = { version = "2.8", features = ["bytes"] }
 raft = { workspace = true }
 raftstore = { workspace = true }
-rand = "0.8.0"
 regex = "1"
 resolved_ts = { workspace = true }
 security = { path = "../security" }
@@ -83,6 +82,7 @@ engine_test = { workspace = true }
 grpcio = { workspace = true }
 hex = "0.4"
 protobuf = { version = "2.8", features = ["bytes"] }
+rand = "0.8.0"
 tempdir = "0.3"
 tempfile = "3.0"
 test_pd = { workspace = true }

components/backup-stream/Cargo.toml

@@ -121,7 +121,7 @@ impl<W: SstWriter + 'static> Writer<W> {
             .with_label_values(&[cf.into()])
             .inc_by(self.total_kvs);
         let file_name = format!("{}_{}.sst", name, cf);
-        let iv = Iv::new_ctr();
+        let iv = Iv::new_ctr().map_err(|e| Error::Other(box_err!("new IV error: {:?}", e)))?;
         let encrypter_reader =
             EncrypterReader::new(sst_reader, cipher.cipher_type, &cipher.cipher_key, iv)
                 .map_err(|e| Error::Other(box_err!("new EncrypterReader error: {:?}", e)))?;

components/backup/src/writer.rs

@@ -1,5 +1,5 @@
 [package]
-name = "fips"
+name = "crypto"
 version = "0.0.1"
 edition = "2021"
 publish = false