sources: add bottlerocket-crypto-provider crate#935
Conversation
d825cab to
e5af7ed
Compare
|
forced pushed to rebase to the latest and regenerated the Cargo.lock file |
e5af7ed to
bae9a1b
Compare
|
force pushed to address feedback |
37c75e8 to
a2e3990
Compare
|
forced pushed to turn on fips build and correct branch. |
7469bb4 to
de5e662
Compare
|
forced pushed to address feedback change |
| let fips = fips_enabled().unwrap_or_else(|e| { | ||
| log::error!("Failed to read FIPS status: {e}, defaulting to FIPS mode"); | ||
| true | ||
| }); | ||
| info!( | ||
| "Using {} CryptoProvider", | ||
| if fips { "FIPS" } else { "default" } | ||
| ); | ||
| if fips { | ||
| fips_provider() | ||
| } else { | ||
| default_provider() | ||
| } |
There was a problem hiding this comment.
If fips_enabled returns an error with context, you can do this instead:
let (crypto_mode, provider) = if fips_enabled()? {
("FIPS", fips_provider())
} else {
("default", default_provider())
};
info!("Using {} CrytpProvider", crypto_mode);
providerde5e662 to
ed0d851
Compare
|
forced pushed to address feedback |
ed0d851 to
0a5dbed
Compare
|
git forced push to rebase |
0a5dbed to
12b81e5
Compare
|
forced pushed(s) to rebase and Cargo.lock rebase issue. drop the rustls update commit as develop branch already bump the version |
d78b20b to
3367a45
Compare
Add a centralized CryptoProvider crate that provides runtime FIPS detection and TLS algorithm selection for Bottlerocket Rust binaries. When the kernel FIPS flag is enabled (/proc/sys/crypto/fips_enabled = 1), the provider restricts TLS to FIPS-approved algorithms only (AES-GCM cipher suites, P-256/P-384 key exchange). On non-FIPS systems, the full algorithm set is available. Signed-off-by: Jingwei Wang <jweiw@amazon.com>
3367a45 to
15c15d1
Compare
Description of changes:
Add a centralized CryptoProvider crate that provides runtime FIPS detection and TLS algorithm selection for Bottlerocket Rust binaries.
When the kernel FIPS flag is enabled (/proc/sys/crypto/fips_enabled = 1), the provider restricts TLS to FIPS-approved algorithms only (AES-GCM cipher suites, P-256/P-384 key exchange). On non-FIPS systems, the full algorithm set is available.
This crate exposes three public functions:
Testing done:
Testing with this PR and these two code chunks running on both fips/non-fips fedora host and test pass on both
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.