diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 296ebbd1c8..9e6e15ecab 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -44,8 +44,12 @@ jobs:
 - name: Run clippy on ${{ matrix.platform }} ${{ matrix.rust_version }}
 shell: bash
 run: |
+ if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then
+ export AWS_LC_FIPS_SYS_NO_ASM=1
+ fi
 # shellcheck disable=SC2046
 cargo clippy --workspace --all-targets --all-features -- -D warnings $([ ${{ matrix.rust_version }} = 1.78.0 ] || [ ${{ matrix.rust_version }} = stable ] && echo -Aunknown-lints -Ainvalid_reference_casting -Aclippy::redundant-closure-call)
+
 licensecheck:
 runs-on: ubuntu-latest
 name: "Presence of licence headers"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 10faa1c2b2..ce673af2cf 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
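Review bot: The Windows-only `export AWS_LC_FIPS_SYS_NO_ASM=1` has no comment saying why aws-lc-fips-sys must be built without its assembly sources on that runner, and a reader has to work out on their own that it relates to the new `fips` feature that `--all-features` now pulls into this clippy run. A one-line comment above the `if` would do, e.g. `# --all-features enables fips; on Windows aws-lc-fips-sys is built without its assembly sources` — presumably because the asm build needs tooling the runner lacks, which the comment should state explicitly. The clippy step belongs to a job whose header starts before this hunk.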
@@ -56,19 +56,19 @@ jobs:
 # Run doc tests with cargo test and run tests with nextest and generate junit.xml
 run: cargo test --workspace --exclude builder --doc --verbose && cargo nextest run --workspace --exclude builder --profile ci --verbose -E '!test(tracing_integration_tests::)'
 env:
- RUST_BACKTRACE: 1
+ RUST_BACKTRACE: full
 - name: "[${{ steps.rust-version.outputs.version}}] Tracing integration tests: cargo nextest run --workspace --exclude builder --profile ci --test-threads=1 --verbose -E 'test(tracing_integration_tests::)'"
 if: runner.os == 'Linux'
 shell: bash
 run: cargo nextest run --workspace --exclude builder --profile ci --test-threads=1 --verbose -E 'test(tracing_integration_tests::)'
 env:
- RUST_BACKTRACE: 1
+ RUST_BACKTRACE: full
 - name: "[${{ steps.rust-version.outputs.version}}] RUSTFLAGS=\"-C prefer-dynamic\" cargo nextest run --package test_spawn_from_lib --features prefer-dynamic -E '!test(tracing_integration_tests::)'"
 shell: bash
 run: cargo nextest run --package test_spawn_from_lib --features prefer-dynamic -E '!test(tracing_integration_tests::)'
 env:
 RUSTFLAGS: "-C prefer-dynamic"
- RUST_BACKTRACE: 1
+ RUST_BACKTRACE: full
 - name: Report Test Results
 if: success() || failure()
 uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # 4.3.1
diff --git a/Cargo.lock b/Cargo.lock
index 405d78d0de..378cb33667 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -379,31 +379,42 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +[[package]] +name = "aws-lc-fips-sys" +version = "0.13.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d9c2e952a1f57e8cbc78b058a968639e70c4ce8b9c0a5e6363d4e5670eed795" +dependencies = [ + "bindgen", + "cc", + "cmake", + "dunce", + "fs_extra", + "regex", +] + [[package]] name = "aws-lc-rs" -version = "1.10.0" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdd82dba44d209fddb11c190e0a94b78651f95299598e472215667417a03ff1d" +checksum = "19b756939cb2f8dc900aa6dcd505e6e2428e9cae7ff7b028c49e3946efa70878" dependencies = [ + "aws-lc-fips-sys", "aws-lc-sys", - "mirai-annotations", - "paste", "zeroize", ] [[package]] name = "aws-lc-sys" -version = "0.22.0" +version = "0.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df7a4168111d7eb622a31b214057b8509c0a7e1794f44c546d742330dc793972" +checksum = "b9f7720b74ed28ca77f90769a71fd8c637a0137f6fae4ae947e1050229cff57f" dependencies = [ "bindgen", "cc", "cmake", "dunce", "fs_extra", - "libc", - "paste", ] [[package]] @@ -526,7 +537,7 @@ dependencies = [ "bitflags", "cexpr", "clang-sys", - "itertools 0.12.1", + "itertools 0.10.5", "lazy_static", "lazycell", "log", @@ -3149,15 +3160,6 @@ dependencies = [ "either", ] -[[package]] -name = "itertools" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" -dependencies = [ - "either", -] - [[package]] name = "itoa" version = "1.0.11" 
@@ -3263,7 +3265,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", - "windows-targets 0.52.6", + "windows-targets 0.48.5", ] [[package]] @@ -3460,12 +3462,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "mirai-annotations" -version = "1.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" - [[package]] name = "msvc-demangler" version = "0.10.1" @@ -4049,7 +4045,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be769465445e8c1474e9c5dac2018218498557af32d9ed057325ec9a41ae81bf" dependencies = [ "heck 0.5.0", - "itertools 0.12.1", + "itertools 0.10.5", "log", "multimap", "once_cell", @@ -4069,7 +4065,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d" dependencies = [ "anyhow", - "itertools 0.12.1", + "itertools 0.10.5", "proc-macro2", "quote", "syn 2.0.87", @@ -4530,9 +4526,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.18" +version = "0.23.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c9cc1d47e243d655ace55ed38201c19ae02c148ae56412ab8750e8f0166ab7f" +checksum = "47796c98c480fce5406ef69d1c76378375492c3b0a0de587be0c1d9feb12f395" dependencies = [ "aws-lc-rs", "once_cell", diff --git a/LICENSE-3rdparty.yml b/LICENSE-3rdparty.yml index 9df97a1fa5..423984455c 100644 --- a/LICENSE-3rdparty.yml +++ b/LICENSE-3rdparty.yml @@ -2492,7 +2492,7 @@ third_party_libraries: IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - package_name: aws-lc-rs - package_version: 1.10.0 + package_version: 1.13.0 repository: https://github.com/aws/aws-lc-rs license: ISC AND (Apache-2.0 OR ISC) licenses: 
@@ -2905,7 +2905,7 @@ third_party_libraries: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - package_name: aws-lc-sys - package_version: 0.22.0 + package_version: 0.28.0 repository: https://github.com/aws/aws-lc-rs license: ISC AND (Apache-2.0 OR ISC) AND OpenSSL licenses: @@ -15402,9 +15402,9 @@ third_party_libraries: limitations under the License. - package_name: itertools - package_version: 0.12.1 + package_version: 0.10.5 repository: https://github.com/rust-itertools/itertools - license: MIT OR Apache-2.0 + license: MIT/Apache-2.0 licenses: - license: MIT text: | @@ -17827,13 +17827,6 @@ third_party_libraries: LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -- package_name: mirai-annotations - package_version: 1.12.0 - repository: https://github.com/facebookexperimental/MIRAI - license: MIT - licenses: - - license: MIT - text: NOT FOUND - package_name: msvc-demangler package_version: 0.10.1 repository: https://github.com/mstange/msvc-demangler-rust @@ -23406,7 +23399,7 @@ third_party_libraries: IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - package_name: rustls - package_version: 0.23.18 + package_version: 0.23.23 repository: https://github.com/rustls/rustls license: Apache-2.0 OR ISC OR MIT licenses: diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index 579ee909d2..19e42526af 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml 
@@ -76,3 +76,16 @@ use_webpki_roots = ["hyper-rustls/webpki-roots"]
 # Enable this feature to enable stubbing of cgroup
 # php directly import this crate and uses functions gated by this feature for their test
 cgroup_testing = []
+# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)
+fips = ["https", "hyper-rustls/fips"]
+
+[lints.rust]
+# We run coverage checks in our github actions. These checks are run with
+# --all-features which is incompatible with our fips feature. The crypto
+# provider default needs to be set by the caller in fips mode. For now, we want
+# to make sure that the coverage tests use the non-fips version of the crypto
+# provider initialization logic, so we added a coverage cfg check on the
+# function in src/connector/mod.rs. The coverage config is actually not used in
+# normal environments, so we need to let the rust linter know that it is in
+# fact a real thing, though one that shows up only in some situations.
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(coverage)'] }
diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs
index 8d378348fd..5fcc06014a 100644
--- a/ddcommon/src/connector/mod.rs
+++ b/ddcommon/src/connector/mod.rs
@@ -96,6 +96,8 @@ mod https {
 /// sometimes this is done as a side-effect of other operations, but we need to ensure it
 /// happens here. On non-unix platforms, ddcommon uses `ring` instead, which handles this
 /// at rustls initialization. TODO: Move to the more ergonomic LazyLock when MSRV is 1.80
+ /// In fips mode we expect someone to have done this already.
+ #[cfg(any(not(feature = "fips"), coverage))]
 fn ensure_crypto_provider_initialized() {
 use std::sync::OnceLock;
 static INIT_CRYPTO_PROVIDER: OnceLock<()> = OnceLock::new();
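Review bot: The comment on the new `fips` feature calls it Unix only, but a Cargo feature cannot be platform-gated, so nothing here stops a consumer on another platform from enabling it, and the same change has to special-case Windows in the lint workflow and add a Go toolchain to local-linux.Dockerfile because aws-lc-fips-sys needs it to build (Cargo.lock also lists `cmake` and `bindgen` among its dependencies). Those constraints belong next to the feature, e.g. `# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only; cargo cannot enforce this). Enabling it builds aws-lc-fips-sys, which needs Go and cmake on the build host - see local-linux.Dockerfile.` The identical one-line comment is added in trace-utils/Cargo.toml in this change and should carry the same wording. The `[features]` table this hunk extends starts before the hunk.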
@@ -108,6 +110,11 @@ mod https {
 });
 }
 
+ // This actually needs to be done by the user somewhere in their own main. This will only
+ // be active on Unix platforms
+ #[cfg(all(feature = "fips", not(coverage)))]
+ fn ensure_crypto_provider_initialized() {}
+
 #[cfg(feature = "use_webpki_roots")]
 pub(super) fn build_https_connector_with_webpki_roots() -> anyhow::Result<
 hyper_rustls::HttpsConnector,
diff --git a/local-linux.Dockerfile b/local-linux.Dockerfile
index e4c1a79bc8..a09f30473a 100644
--- a/local-linux.Dockerfile
+++ b/local-linux.Dockerfile
@@ -13,8 +13,13 @@ RUN apt-get update && \
 protobuf-compiler \
 docker.io \
 sudo \
+ wget \
 && rm -rf /var/lib/apt/lists/*
+# We need go in order to build aws-lc-fips-sys
+RUN wget -O go1.24.2.linux-arm64.tar.gz https://go.dev/dl/go1.24.2.linux-arm64.tar.gz \
+ && tar -C /usr/local -xzf go1.24.2.linux-arm64.tar.gz
+
 
 # Docker-in-Docker configuration (necessary for integration tests)
 RUN mkdir -p /var/lib/docker
 EXPOSE 2375
diff --git a/trace-utils/Cargo.toml b/trace-utils/Cargo.toml
index cee040b0b2..212cae21f3 100644
--- a/trace-utils/Cargo.toml
+++ b/trace-utils/Cargo.toml
@@ -76,3 +76,5 @@ test-utils = [
 ]
 proxy = ["hyper-http-proxy"]
 compression = ["zstd", "flate2"]
+# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)
+fips = ["ddcommon/fips"]
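Review bot: The fips-mode `ensure_crypto_provider_initialized` has an empty body, so a build with `fips` enabled whose caller never installed a default provider goes on to construct TLS connectors with whatever rustls ends up selecting (or fails later, far from the broken contract); the comment above it only says the user must do it in their own main. Since the non-fips sibling guarantees a provider, this stub could verify the contract rather than assume it: read `rustls::crypto::CryptoProvider::get_default()` and fail with a message naming the requirement when it is `None` or when `provider.fips()` is false, so a misconfigured FIPS deployment stops at connector construction instead of silently running non-FIPS TLS. This assumes `rustls` is reachable from this crate (the surrounding code only shows `hyper_rustls`); if it is not, at least promote the `//` comment to the function's `///` doc and state that the caller-installed provider must itself be a FIPS provider. The enclosing `mod https` starts before this hunk.
```rust
#[cfg(all(feature = "fips", not(coverage)))]
fn ensure_crypto_provider_initialized() {
    // Verify the caller's contract instead of assuming it: a FIPS build must
    // already have a FIPS CryptoProvider installed as the process default.
    let provider = rustls::crypto::CryptoProvider::get_default().expect(
        "ddcommon fips feature: install a FIPS rustls CryptoProvider as the process default before building connectors",
    );
    assert!(
        provider.fips(),
        "ddcommon fips feature: the default rustls CryptoProvider is not a FIPS provider"
    );
}
```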
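Review bot: The Go tarball is fetched over the network and unpacked into /usr/local with no integrity check, the archive name hard-codes linux-arm64 although nothing in the hunk pins the image to that architecture, the downloaded file is left behind in the layer, and /usr/local/go/bin is not put on PATH here (it may be set elsewhere in the file, which is outside the hunk). Pin the version and the published sha256 as build args, verify with `sha256sum -c` before extracting, delete the archive, and export PATH so the aws-lc-fips-sys build can find `go`. A multi-arch image would additionally derive the tarball name from `TARGETARCH` rather than hard-coding arm64.
```dockerfile
# We need go in order to build aws-lc-fips-sys
ARG GO_VERSION=1.24.2
# sha256 published on https://go.dev/dl/ for go${GO_VERSION}.linux-arm64.tar.gz
ARG GO_SHA256=<sha256-from-go.dev-download-page>
RUN wget -O /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" \
    && echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c - \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \
    && rm /tmp/go.tar.gz
ENV PATH="/usr/local/go/bin:${PATH}"
```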