diff --git a/boring-sys/build.rs b/boring-sys/build.rs index e71886d5..e50c84fd 100644 --- a/boring-sys/build.rs +++ b/boring-sys/build.rs @@ -308,6 +308,7 @@ fn get_boringssl_cmake_config() -> cmake::Config { /// Verify that the toolchains match https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf /// See "Installation Instructions" under section 12.1. +// TODO: update above URL once BoringCrypto CMVP certification for `fips-20220613` is approved // TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ... fn verify_fips_clang_version() -> (&'static str, &'static str) { fn version(tool: &str) -> String { diff --git a/boring/src/fips.rs b/boring/src/fips.rs index e578ae75..c02ff597 100644 --- a/boring/src/fips.rs +++ b/boring/src/fips.rs @@ -1,11 +1,11 @@ -//! FIPS 140-2 support. +//! FIPS 140-3 support. //! //! See [OpenSSL's documentation] for details. //! //! [OpenSSL's documentation]: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf use crate::ffi; -/// Determines if the library is running in the FIPS 140-2 mode of operation. +/// Determines if the library is running in the FIPS 140-3 mode of operation. /// /// This corresponds to `FIPS_mode`. pub fn enabled() -> bool { diff --git a/boring/src/lib.rs b/boring/src/lib.rs index 27c1ebcd..149eac71 100644 --- a/boring/src/lib.rs +++ b/boring/src/lib.rs @@ -41,8 +41,8 @@ //! //! ## Building with a FIPS-validated module //! -//! Only BoringCrypto module version `853ca1ea1168dff08011e5d42d94609cc0ca2e27`, as certified with -//! [FIPS 140-2 certificate 4407](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407) +//! Only BoringCrypto module version `0c6f40132b828e92ba365c6b7680e32820c63fa7`, as certified with +//! [FIPS 140-3 certificate XXX](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/XXX) //! is supported by this crate. Support is enabled by this crate's `fips` feature. //! //! `boring-sys` comes with a test that FIPS is enabled/disabled depending on the feature flag. You can run it as follows: diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index 6b407490..eb92da27 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -703,10 +703,8 @@ impl SslCurve { /// A compliance policy. #[derive(Debug, Copy, Clone, PartialEq, Eq)] -#[cfg(not(feature = "fips"))] pub struct CompliancePolicy(ffi::ssl_compliance_policy_t); -#[cfg(not(feature = "fips"))] impl CompliancePolicy { /// Does nothing, however setting this does not undo other policies, so trying to set this is an error. pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none); @@ -826,6 +824,9 @@ impl SslContextBuilder { init(); let ctx = cvt_p(ffi::SSL_CTX_new(method.as_ptr()))?; + #[cfg(feature = "fips")] + ctx.set_compliance_policy(CompliancePolicy::FIPS_202205).unwrap(); + #[cfg(feature = "rpk")] { Ok(SslContextBuilder::from_ptr(ctx, false)) @@ -1896,8 +1897,6 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set_compliance_policy`] /// /// [`SSL_CTX_set_compliance_policy`] https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_compliance_policy - /// This feature isn't available in the certified version of BoringSSL. - #[cfg(not(feature = "fips"))] pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> { unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) } } diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index 08ef7e28..77feda45 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -21,7 +21,6 @@ use crate::ssl::{ use crate::x509::verify::X509CheckFlags; use crate::x509::{X509Name, X509}; -#[cfg(not(feature = "fips"))] use super::CompliancePolicy; mod custom_verify; @@ -948,7 +947,6 @@ fn test_get_ciphers() { } #[test] -#[cfg(not(feature = "fips"))] fn test_set_compliance() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)