| 1 | /*! # Using rustls with FIPS-approved cryptography |
| 2 | |
|---|
| 3 | To use FIPS-approved cryptography with rustls, you should take |
|---|
| 4 | these actions: |
|---|
| 5 | |
|---|
| 6 | ## 1. Enable the `fips` crate feature for rustls. |
|---|
| 7 | |
|---|
| 8 | Use: |
|---|
| 9 | |
|---|
| 10 | ```toml |
|---|
| 11 | rustls = { version = "0.23", features = [ "fips" ] } |
|---|
| 12 | ``` |
|---|
| 13 | |
|---|
| 14 | ## 2. Use the FIPS `CryptoProvider` |
|---|
| 15 | |
|---|
| 16 | This is [`default_fips_provider()`]: |
|---|
| 17 | |
|---|
| 18 | ```rust,ignore |
|---|
| 19 | rustls::crypto::default_fips_provider() |
|---|
| 20 | .install_default() |
|---|
| 21 | .expect("default provider already set elsewhere" ); |
|---|
| 22 | ``` |
|---|
| 23 | |
|---|
| 24 | This snippet makes use of the process-default provider, |
|---|
| 25 | and that assumes all your uses of rustls use that. |
|---|
| 26 | See [`CryptoProvider`] documentation for other ways to |
|---|
| 27 | specify which `CryptoProvider` to use. |
|---|
| 28 | |
|---|
| 29 | ## 3. Validate the FIPS status of your `ClientConfig`/`ServerConfig` at run-time |
|---|
| 30 | |
|---|
| 31 | See [`ClientConfig::fips()`] or [`ServerConfig::fips()`]. |
|---|
| 32 | |
|---|
| 33 | You could, for example: |
|---|
| 34 | |
|---|
| 35 | ```rust,ignore |
|---|
| 36 | # let client_config = unreachable!(); |
|---|
| 37 | assert!(client_config.fips()); |
|---|
| 38 | ``` |
|---|
| 39 | |
|---|
| 40 | But maybe your application has an error handling |
|---|
| 41 | or health-check strategy better than panicking. |
|---|
| 42 | |
|---|
| 43 | # aws-lc-rs FIPS approval status |
|---|
| 44 | |
|---|
| 45 | This is covered by [FIPS 140-3 certificate #4816][cert-4816]. |
|---|
| 46 | See [the security policy][policy-4816] for precisely which |
|---|
| 47 | environments and functions this certificate covers. |
|---|
| 48 | |
|---|
| 49 | Later releases of aws-lc-rs may be covered by later certificates, |
|---|
| 50 | or be pending certification. |
|---|
| 51 | |
|---|
| 52 | For the most up-to-date details see the latest documentation |
|---|
| 53 | for the [`aws-lc-fips-sys`] crate. |
|---|
| 54 | |
|---|
| 55 | [`aws-lc-fips-sys`]: https://crates.io/crates/aws-lc-fips-sys |
|---|
| 56 | [`default_fips_provider()`]: crate::crypto::default_fips_provider |
|---|
| 57 | [`CryptoProvider`]: crate::crypto::CryptoProvider |
|---|
| 58 | [`ClientConfig::fips()`]: crate::client::ClientConfig::fips |
|---|
| 59 | [`ServerConfig::fips()`]: crate::server::ServerConfig::fips |
|---|
| 60 | [cert-4816]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816 |
|---|
| 61 | [policy-4816]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4816.pdf |
|---|
| 62 | */ |
|---|
| 63 | |
|---|
