sources: add bottlerocket-crypto-provider crate#935
Conversation
sky1122
force-pushed
the
br-crypto-provider
branch
2 times, most recently
from
d825cab to
e5af7ed
Compare
|
forced pushed to rebase to the latest and regenerated the Cargo.lock file |
sky1122
force-pushed
the
br-crypto-provider
branch
from
e5af7ed to
bae9a1b
Compare
|
force pushed to address feedback |
sky1122
force-pushed
the
br-crypto-provider
branch
2 times, most recently
from
37c75e8 to
a2e3990
Compare
|
forced pushed to turn on fips build and correct branch. |
sky1122
force-pushed
the
br-crypto-provider
branch
from
a2e3990 to
7469bb4
Compare
Add a centralized CryptoProvider crate that provides runtime FIPS detection and TLS algorithm selection for Bottlerocket Rust binaries. When the kernel FIPS flag is enabled (/proc/sys/crypto/fips_enabled = 1), the provider restricts TLS to FIPS-approved algorithms only (AES-GCM cipher suites, P-256/P-384 key exchange). On non-FIPS systems, the full algorithm set is available. Signed-off-by: Jingwei Wang <jweiw@amazon.com>
Signed-off-by: Jingwei Wang <jweiw@amazon.com>
sky1122
force-pushed
the
br-crypto-provider
branch
from
7469bb4 to
de5e662
Compare
|
forced pushed to address feedback change |
| match std::fs::read_to_string("/proc/sys/crypto/fips_enabled") { | ||
| Ok(c) => Ok(c.trim() == "1"), | ||
| Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(false), | ||
| Err(e) => Err(e), | ||
| } |
There was a problem hiding this comment.
Two things:
-
Lets fail if the read fails for whatever reason, we don't want to be in a situation where we use the wrong default (e.g. FIPS in non-FIPS setup).
-
You could provide context of the error with
snafu, like:
let fips_enabled_content = std::fs::read_to_string("/proc/sys/crypto/fips_enabled").context(error::ReadFipsEnabled)?;
fips_enabled_content == "1"| let fips = fips_enabled().unwrap_or_else(|e| { | ||
| log::error!("Failed to read FIPS status: {e}, defaulting to FIPS mode"); | ||
| true | ||
| }); | ||
| info!( | ||
| "Using {} CryptoProvider", | ||
| if fips { "FIPS" } else { "default" } | ||
| ); | ||
| if fips { | ||
| fips_provider() | ||
| } else { | ||
| default_provider() | ||
| } |
There was a problem hiding this comment.
If fips_enabled returns an error with context, you can do this instead:
let (crypto_mode, provider) = if fips_enabled()? {
("FIPS", fips_provider())
} else {
("default", default_provider())
};
info!("Using {} CrytpProvider", crypto_mode);
provider| assert!(p.kx_groups.iter().any(|g| g.name() == NamedGroup::X25519)); | ||
| } | ||
|
|
||
| #[test] |
There was a problem hiding this comment.
We should have a test that validates that a client in FIPS mode can't talk to a server that doesn't support any of the FIPS ciphers when fips_provider is used.
3 participants
Description of changes:
Add a centralized CryptoProvider crate that provides runtime FIPS detection and TLS algorithm selection for Bottlerocket Rust binaries.
When the kernel FIPS flag is enabled (/proc/sys/crypto/fips_enabled = 1), the provider restricts TLS to FIPS-approved algorithms only (AES-GCM cipher suites, P-256/P-384 key exchange). On non-FIPS systems, the full algorithm set is available.
This crate exposes three public functions:
Testing done:
Testing with this PR and these two code chunks running on both fips/non-fips fedora host and test pass on both
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.