From abe4e373f9ce50db08c7616fe767d1b0bf7624e8 Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Thu, 28 Mar 2024 23:19:39 +0000 Subject: [PATCH 1/7] Add feature flag for enabling FIPS. --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index 6508406..b58b474 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -42,6 +42,7 @@ native-tokio = ["rustls-native-certs"] ring = ["rustls/ring"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] +fips = ["aws-lc-rs", "rustls/fips"] [[example]] name = "client" From c2bed381f9dc9bf4c73828f6421f13afd9b00954 Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Fri, 29 Mar 2024 13:25:06 +0000 Subject: [PATCH 2/7] Try and derive feature list automatically to make non-Linux CI jobs run correctly. --- .github/workflows/build.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 05a7f0d..9ee6592 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,8 +11,20 @@ on: - cron: '23 6 * * 5' jobs: + collect-features: + name: Collect package features + runs-on: ubuntu-latest + outputs: + NON_FIPS_FEATURES: ${{ steps.collect-non-fips-features.outputs.non-fips-features }} + DEFAULTS_WITH_RING_FEATURES: ${{ steps.collect-non-fips-features.outputs.defaults-with-ring-features }} + steps: + - id: collect-non-fips-features + run: | + yq --no-colors -oy '.features | keys | . - ["default", "fips"] | join(",") | "non-fips-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" + yq --no-colors -oy '.features["default"] + ["ring"] | join(",") | "defaults-with-ring-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" build: name: Build+test + needs: collect-features runs-on: ${{ matrix.os }} strategy: fail-fast: false 
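Review bot: The new `fips` feature line carries no comment saying what enabling it does and does not guarantee. It pulls in `aws-lc-rs` and `rustls/fips`, but Cargo features are additive, so a dependency graph that also enables `ring` still links a non-FIPS provider. Whether a connection actually runs in FIPS mode depends on the provider the caller ends up using, which this line cannot enforce. I would add above it `# FIPS build of aws-lc-rs via rustls; callers must still select that provider and verify with ClientConfig::fips()`. The `[features]` table starts before this hunk.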
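Review bot: The new `collect-features` job has no checkout step before the `run:` block that reads `Cargo.toml`, so on a fresh `ubuntu-latest` runner the file is not in the workspace and both `yq` calls would fail or leave the outputs empty. Add `- uses: actions/checkout@<pinned-ref>` as the first entry under `steps:`, using the same ref the `build` job uses (not visible in this hunk). Because the outputs feed `cargo test --features` in the `build` job, an empty value would surface as a confusing cargo error rather than at the source. If the installed `yq` does not infer TOML from the file extension, the input format also needs to be given explicitly, since the command only sets the output format with `-oy`. The step is still without a checkout in patch 4/7.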
@@ -67,15 +79,26 @@ jobs: RUST_BACKTRACE: 1 - name: cargo test (debug; defaults+ring) - run: cargo test --no-default-features --features ring,native-tokio,http1,tls12,logging + env: + DEFAULTS_WITH_RING_FEATURES: ${{ needs.collect-features.outputs.DEFAULTS_WITH_RING_FEATURES }} + run: cargo test --no-default-features --features $DEFAULTS_WITH_RING_FEATURES env: RUST_BACKTRACE: 1 - name: cargo test (debug; all features) + if: runner.os == 'Linux' run: cargo test --all-features env: RUST_BACKTRACE: 1 + - name: cargo test (debug; all features, excluding FIPS) + if: runner.os != 'Linux' + env: + NON_FIPS_FEATURES: ${{ needs.collect-features.outputs.NON_FIPS_FEATURES }} + run: cargo test --features $NON_FIPS_FEATURES + env: + RUST_BACKTRACE: 1 + - name: cargo build (debug; no default features) run: cargo build --no-default-features From 2302176597854bb6e91925b75e531deb7f9eb86b Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Fri, 29 Mar 2024 13:46:52 +0000 Subject: [PATCH 3/7] update README --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index 274b47f..5e25e0f 100644 --- a/README.md +++ b/README.md 
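Review bot: `$DEFAULTS_WITH_RING_FEATURES` and `$NON_FIPS_FEATURES` are expanded unquoted in the two new `cargo test` `run:` lines, so the shell word-splits and glob-expands a value that `collect-features` derived from `Cargo.toml`, a file a pull request can change. Passing the job output through `env:` instead of interpolating `${{ }}` into the script is the right pattern; quoting completes it: `run: cargo test --features "$NON_FIPS_FEATURES"`, and likewise `--features "$DEFAULTS_WITH_RING_FEATURES"` in the ring step. The same unquoted form is carried unchanged into the reordered steps in patch 5/7. The `steps:` list starts and ends outside this hunk.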
@@ -35,3 +35,28 @@ cargo run --example server ```bash cargo run --example client "https://docs.rs/hyper-rustls/latest/hyper_rustls/" ``` + +## Crate features + +This crate exposes a number of features to add support for different portions of `hyper-util`, +`rustls`, and other dependencies. + +| Feature flag | Enabled by default | Description | +| ------------ | ------------------ | ----------- | +| `aws-lc-rs` | **yes** | Enables use of the [AWS-LC][aws-lc-rs] backend for [`rustls`][rustls] | +| `http1` | **yes** | Enables HTTP/1 support in [`hyper-util`][hyper-util] | +| `http2` | **no** | Enables HTTP/2 support in [`hyper-util`][hyper-util] | +| `webpki-tokio` | **no** | Uses a compiled-in set of root certificates trusted by Mozilla (via [`webpki-roots`][webpki-roots]) | +| `native-tokio` | **yes** | Use the platform's native certificate store at runtime (via [`rustls-native-certs`][rustls-native-certs]) | +| `ring` | **no** | Enables use of the [`ring`][ring] backend for [`rustls`][rustls] | +| `tls12` | **yes** | Enables support for TLS 1.2 (only TLS 1.3 supported when disabled) | +| `logging` | **yes** | Enables logging of protocol-level diagnostics and errors via [`log`][log] | +| `fips` | **no** | Enables support for using a FIPS 140-3 compliant backend via AWS-LC (enables `aws-lc-rs` feature) | + +[aws-lc-rs]: https://docs.rs/aws-lc-rs +[rustls]: https://docs.rs/rustls +[hyper-util]: https://docs.rs/hyper-util +[webpki-roots]: https://docs.rs/webpki-roots +[rustls-native-certs]: https://docs.rs/rustls-native-certs +[ring]: https://docs.rs/ring +[log]: https://docs.rs/log From 17cab6e536f89121ae516bbac6781fe32661bcad Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Fri, 29 Mar 2024 13:49:16 +0000 Subject: [PATCH 4/7] fix calculation of defaults + ring features --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ee6592..0a6c9bf 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: - id: collect-non-fips-features run: | yq --no-colors -oy '.features | keys | . - ["default", "fips"] | join(",") | "non-fips-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" - yq --no-colors -oy '.features["default"] + ["ring"] | join(",") | "defaults-with-ring-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" + yq --no-colors -oy '.features["default"] - ["aws-lc-rs"] + ["ring"] | join(",") | "defaults-with-ring-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" build: name: Build+test needs: collect-features From 28ff30491243e7d675a18dd1e207c6342ad8a40b Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Fri, 29 Mar 2024 13:51:34 +0000 Subject: [PATCH 5/7] fix bad step definition w/ duplicate keys --- .github/workflows/build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0a6c9bf..b71fa9f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -79,11 +79,10 @@ jobs: RUST_BACKTRACE: 1 - name: cargo test (debug; defaults+ring) - env: - DEFAULTS_WITH_RING_FEATURES: ${{ needs.collect-features.outputs.DEFAULTS_WITH_RING_FEATURES }} run: cargo test --no-default-features --features $DEFAULTS_WITH_RING_FEATURES env: RUST_BACKTRACE: 1 + DEFAULTS_WITH_RING_FEATURES: ${{ needs.collect-features.outputs.DEFAULTS_WITH_RING_FEATURES }} - name: cargo test (debug; all features) if: runner.os == 'Linux' @@ -93,11 +92,10 @@ jobs: - name: cargo test (debug; all features, excluding FIPS) if: runner.os != 'Linux' - env: - NON_FIPS_FEATURES: ${{ needs.collect-features.outputs.NON_FIPS_FEATURES }} run: cargo test --features $NON_FIPS_FEATURES env: RUST_BACKTRACE: 1 + NON_FIPS_FEATURES: ${{ needs.collect-features.outputs.NON_FIPS_FEATURES }} - name: cargo build (debug; no default features) run: cargo build --no-default-features 
From e8f91acc355ab1fe5e6d4cbc72850100c75f0591 Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Sun, 31 Mar 2024 17:22:34 +0000 Subject: [PATCH 6/7] go back to hardcoded feature lists --- .github/workflows/build.yml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b71fa9f..28cfdc8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,17 +11,6 @@ on: - cron: '23 6 * * 5' jobs: - collect-features: - name: Collect package features - runs-on: ubuntu-latest - outputs: - NON_FIPS_FEATURES: ${{ steps.collect-non-fips-features.outputs.non-fips-features }} - DEFAULTS_WITH_RING_FEATURES: ${{ steps.collect-non-fips-features.outputs.defaults-with-ring-features }} - steps: - - id: collect-non-fips-features - run: | - yq --no-colors -oy '.features | keys | . - ["default", "fips"] | join(",") | "non-fips-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" - yq --no-colors -oy '.features["default"] - ["aws-lc-rs"] + ["ring"] | join(",") | "defaults-with-ring-features=" + @sh' Cargo.toml >> "$GITHUB_OUTPUT" build: name: Build+test needs: collect-features @@ -79,10 +68,9 @@ jobs: RUST_BACKTRACE: 1 - name: cargo test (debug; defaults+ring) - run: cargo test --no-default-features --features $DEFAULTS_WITH_RING_FEATURES + run: cargo test --no-default-features --features ring,native-tokio,http1,tls12,logging env: RUST_BACKTRACE: 1 - DEFAULTS_WITH_RING_FEATURES: ${{ needs.collect-features.outputs.DEFAULTS_WITH_RING_FEATURES }} - name: cargo test (debug; all features) if: runner.os == 'Linux' 
@@ -92,10 +80,9 @@ jobs: - name: cargo test (debug; all features, excluding FIPS) if: runner.os != 'Linux' - run: cargo test --features $NON_FIPS_FEATURES + run: cargo test --features aws-lc-rs,http1,http2,webpki-tokio,native-tokio,ring,tls12,logging env: RUST_BACKTRACE: 1 - NON_FIPS_FEATURES: ${{ needs.collect-features.outputs.NON_FIPS_FEATURES }} - name: cargo build (debug; no default features) run: cargo build --no-default-features From 059638e2a936ae0122ddfb391415966ba454735f Mon Sep 17 00:00:00 2001 From: Toby Lawrence Date: Sun, 31 Mar 2024 17:23:13 +0000 Subject: [PATCH 7/7] missed a spot --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 28cfdc8..9012a2d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,7 +13,6 @@ on: jobs: build: name: Build+test - needs: collect-features runs-on: ${{ matrix.os }} strategy: fail-fast: false
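Review bot: The hard-coded list in `cargo test --features aws-lc-rs,http1,http2,webpki-tokio,native-tokio,ring,tls12,logging` has nothing tying it to `[features]` in Cargo.toml. A feature added later is silently left out of the non-Linux run while the step name still says "all features". The same applies to the `ring,native-tokio,http1,tls12,logging` list restored in the previous hunk of this patch. I would add a comment above each `run:` line, for example `# Keep in sync with [features] in Cargo.toml: everything except fips, which only the Linux --all-features step builds`. The `steps:` list starts and ends outside these hunks.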