From 857b52932cc483a068c1118c5802a5fab8c824fb Mon Sep 17 00:00:00 2001
From: Andy Jewell
Date: Wed, 27 Aug 2025 10:45:16 -0400
Subject: [PATCH] chore(rust): add fips feature flag
---
 .github/workflows/library_rust_tests.yml | 13 ++++++++++++
 AwsEncryptionSDK/runtimes/rust/Cargo.toml | 22 ++++++++++++-------
 AwsEncryptionSDK/runtimes/rust/src/lib.rs | 6 ++++++
 TestVectors/runtimes/rust/Cargo.toml | 26 +++++++++++++----------
 TestVectors/runtimes/rust/src/main.rs | 6 ++++++
 mpl | 2 +-
 6 files changed, 55 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/library_rust_tests.yml b/.github/workflows/library_rust_tests.yml
index 17f77cdc0..118f40411 100644
--- a/.github/workflows/library_rust_tests.yml
+++ b/.github/workflows/library_rust_tests.yml
@@ -68,6 +68,12 @@ jobs:
 if: matrix.os == 'windows-latest'
 uses: ilammy/setup-nasm@v1
+ # Go is needed for aws-lc-FIPS
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ">=1.18"
+
 - name: Install Smithy-Dafny codegen dependencies
 uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
@@ -208,3 +214,10 @@ jobs:
 # Without this, running test vectors fails due to `fatal runtime error: stack overflow`
 export RUST_MIN_STACK=104857600
 cargo test --release -- --test-threads 1 --nocapture
+
+ - name: Test ${{ matrix.library }} Rust Fips
+ shell: bash
+ working-directory: ./${{ matrix.library }}/runtimes/rust
+ run: |
+ cargo test --release --features fips -- --nocapture
+ cargo test --features fips -- --nocapture
diff --git a/AwsEncryptionSDK/runtimes/rust/Cargo.toml b/AwsEncryptionSDK/runtimes/rust/Cargo.toml
index 4d88e5312..262b42db0 100644
--- a/AwsEncryptionSDK/runtimes/rust/Cargo.toml
+++ b/AwsEncryptionSDK/runtimes/rust/Cargo.toml
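Review bot: The new `Install Go` step references `actions/setup-go@v5` by a movable tag and requests `go-version: ">=1.18"`, so the Go toolchain that builds the FIPS module is not fixed from one run to the next. Pinning the action to a full commit SHA (`uses: actions/setup-go@<commit-sha> # v5`, with the real SHA in place of the placeholder) and naming a single Go release would make the FIPS test job reproducible. The `ilammy/setup-nasm@v1` context line uses the same tag style, so this may be a file-wide convention to revisit rather than something specific to this hunk.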
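Review bot: The `Rust Fips` step sets neither `RUST_MIN_STACK` nor `--test-threads 1`, although the context lines directly above state that without the larger stack the test vectors fail with `fatal runtime error: stack overflow`; each `run:` block is its own shell, so that `export` does not carry over into the new step. If this step runs for the test-vector library in the matrix (the matrix definition is outside the hunk), add `export RUST_MIN_STACK=104857600` as the first line of the new `run: |` block. The non-release `cargo test --features fips` invocation is probably the one more likely to hit the limit.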
@@ -16,21 +16,27 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-aws-config = "1.6.3"
-aws-lc-rs = "=1.13.1"
-aws-lc-sys = "=0.29.0"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "0.30", optional = true }
+aws-lc-fips-sys = { version = "0.13", optional = true }
 aws-sdk-dynamodb = "1.73.0"
 aws-sdk-kms = "1.67.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../mpl/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"]}
 dashmap = "6.1.0"
 pem = "3.0.5"
-rand = "0.9.1"
-tokio = {version = "1.45.1", features = ["full"] }
-uuid = { version = "1.17.0", features = ["v4"] }
+rand = "0.9.2"
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
 [[example]]
 name = "main"
+
+[features]
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]
diff --git a/AwsEncryptionSDK/runtimes/rust/src/lib.rs b/AwsEncryptionSDK/runtimes/rust/src/lib.rs
index 7432afd37..c012e1986 100644
--- a/AwsEncryptionSDK/runtimes/rust/src/lib.rs
+++ b/AwsEncryptionSDK/runtimes/rust/src/lib.rs
@@ -75,6 +75,12 @@ pub mod operation;
 /// Types for the transform client.
 pub mod types;
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 pub use client::Client;
 pub use types::aws_encryption_sdk_config::AwsEncryptionSdkConfig;
diff --git a/TestVectors/runtimes/rust/Cargo.toml b/TestVectors/runtimes/rust/Cargo.toml
index 607fdd42f..8c6487446 100644
--- a/TestVectors/runtimes/rust/Cargo.toml
+++ b/TestVectors/runtimes/rust/Cargo.toml
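Review bot: With `default = ["non-fips"]`, enabling `fips` without `default-features = false` turns on both features, because Cargo features are additive; both `aws-lc-sys` and `aws-lc-fips-sys` are then built and `aws-lc-rs` receives `fips` together with `aws-lc-sys`. Which backend `aws-lc-rs` uses in that combination is not visible from this diff, and the CI step added in `library_rust_tests.yml` runs exactly this combination (`cargo test --features fips`), so nothing here shows that the FIPS module is the one under test. The same `[features]` table is added in `TestVectors/runtimes/rust/Cargo.toml`. I would add a comment above `[features]` stating how FIPS consumers are expected to select the feature, and a `#[cfg(feature = "fips")]` test asserting `aws_lc_rs::try_fips_mode().is_ok()` so the selected backend is checked rather than assumed.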
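Review bot: The fallback alias is gated on `#[cfg(not(feature = "fips"))]`, but `aws-lc-sys` is now an optional dependency that only the `non-fips` feature enables, so a build with `--no-default-features` and no `fips` fails on an unresolved `aws_lc_sys` import with no hint about the cause. Adding `#[cfg(not(any(feature = "fips", feature = "non-fips")))] compile_error!("enable either the fips or the non-fips feature");` next to the aliases would turn that into a clear message. A short comment above the two `use` lines saying that `aws_lc_sys_impl` is the crate-wide name for the selected AWS-LC bindings, and that `fips` wins when both features are on, would also help the next reader. The same pair of aliases is added in `TestVectors/runtimes/rust/src/main.rs`.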
@@ -10,25 +10,23 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-[features]
-wrapped-client = []
-
 [dependencies]
-aws-config = "1.6.3"
-aws-lc-rs = "=1.13.1"
-aws-lc-sys = "=0.29.0"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "0.30", optional = true }
+aws-lc-fips-sys = { version = "0.13", optional = true }
 aws-sdk-dynamodb = "1.73.0"
 aws-sdk-kms = "1.67.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../mpl/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"]}
 dashmap = "6.1.0"
 pem = "3.0.5"
-rand = "0.9.1"
-tokio = {version = "1.45.1", features = ["full"] }
-uuid = { version = "1.17.0", features = ["v4"] }
+rand = "0.9.2"
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
 ring = "=0.17.14"
 [dev-dependencies]
@@ -37,3 +35,9 @@ aws-esdk-test-vectors = { path = ".", features = ["wrapped-client"] }
 [[bin]]
 name = "test-vectors"
 path = "src/main.rs"
+
+[features]
+wrapped-client = []
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]
diff --git a/TestVectors/runtimes/rust/src/main.rs b/TestVectors/runtimes/rust/src/main.rs
index f2859937d..dfc3810ee 100644
--- a/TestVectors/runtimes/rust/src/main.rs
+++ b/TestVectors/runtimes/rust/src/main.rs
@@ -14,6 +14,12 @@ pub mod operation;
 pub mod types;
 pub mod validation;
+#[cfg(feature = "fips")]
+use aws_lc_fips_sys as aws_lc_sys_impl;
+
+#[cfg(not(feature = "fips"))]
+use aws_lc_sys as aws_lc_sys_impl;
+
 #[cfg(feature = "wrapped-client")]
 pub mod wrapped;
diff --git a/mpl b/mpl
index ec013f6ba..f6bdd23d4 160000
--- a/mpl
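Review bot: `aws-lc-rs` and `aws-lc-sys` move from exact pins (`"=1.13.1"`, `"=0.29.0"`) to caret ranges, and the new `aws-lc-fips-sys = { version = "0.13", optional = true }` is a caret range too, while `ring = "=0.17.14"` in the same table stays exact. If the FIPS build is meant to correspond to a particular validated AWS-LC module, a floating `0.13` lets the module change on any `cargo update`; whether a committed `Cargo.lock` fixes the version is not visible here. Either pin `aws-lc-fips-sys` exactly or add a comment above it stating that the range is intentional and how the validated version is tracked. `AwsEncryptionSDK/runtimes/rust/Cargo.toml` makes the same change.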
+++ b/mpl
@@ -1 +1 @@
-Subproject commit ec013f6ba85d62ab41db48fec92baca85625e4b9
+Subproject commit f6bdd23d4ef83e3513554abb41d0ddbd3d89e8b8