-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please add FIPS feature to mirror rustls FIPS feature to use aws-lc-fips-sys only (without aws-lc-sys) #307
Comments
Hmm. Tricky. I'm still trying to wrap my head around this but it seems to me that it also applies to the main Rustls crate where the |
Here's a couple of PRs to start shaking out the right path forward: Note that due to the time of year I don't expect any substantial movement on this item until 2025. Happy holidays! |
@cpu I fear without cargo support; this is a never ending battle. As all 945 dependants would have to have implement something similar =/ which is not sustainable (and all of their dependants and so on) Filed: For advice and guidance. |
Yeah, I think cargo cooperation is needed to make this better. I don't see any movement on that, so I conclude that building duplicative/discarded dependencies isn't a significant enough pain point for other rust developers. |
@ctz in that case should I close #308 and rustls/rustls#2291 ? I'm not sure what appetite there is for swimming upstream w/ the status quo. |
From FIPS point of view, having duplicate dependencies in the binary is fine. For example, in C/C++ world linking with OpenSSL pretty must always makes 'default' and 'fips' providers always available / linked into binary, and it's all good as long as only 'fips' provider is active. Which rustls provider is active though? and how can one assert that during application usage of rustls and specifically webpki. Will webpki use non-fips cryptography, always? Or is there a way to emit debug information as to which provider webpki has used? |
cargo cooperation is needed to make this good, but I still think stuff like #308 makes it better, and IME there are still plenty of developers trying to solve these kinds of issues. |
Agree! |
Currently when trying to use rustls in fips mode, two aws-lc sys crates are pulled in, both aws-lc-fips-sys and aws-lc-sys.
It seems that rustls-webpki create aws-lc-rs feature lacks a FIPS variant that does not pull in aws-lc-sys.
webpki/Cargo.toml
Line 83 in dad66f2
As an example building rustls-ffi by doing:
And then running rust-audit-info on the resulting
librustls.so.0.*
shows:That duplicate aws-lc got pulled into the binary.
The text was updated successfully, but these errors were encountered: