Enable compliance policy when in FIPS mode

reedloden · reedloden · commit 1db54d256769 · 2024-01-21T20:51:35.000-08:00
diff --git a/boring-sys/build.rs b/boring-sys/build.rs
@@ -308,6 +308,7 @@ fn get_boringssl_cmake_config() -> cmake::Config {
 
 /// Verify that the toolchains match https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
 /// See "Installation Instructions" under section 12.1.
+// TODO: update above URL once BoringCrypto CMVP certification for `fips-20220613` is approved
 // TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ...
 fn verify_fips_clang_version() -> (&'static str, &'static str) {
     fn version(tool: &str) -> String {
diff --git a/boring/src/fips.rs b/boring/src/fips.rs
@@ -1,11 +1,11 @@
-//! FIPS 140-2 support.
+//! FIPS 140-3 support.
 //!
 //! See [OpenSSL's documentation] for details.
 //!
 //! [OpenSSL's documentation]: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
 use crate::ffi;
 
-/// Determines if the library is running in the FIPS 140-2 mode of operation.
+/// Determines if the library is running in the FIPS 140-3 mode of operation.
 ///
 /// This corresponds to `FIPS_mode`.
 pub fn enabled() -> bool {
diff --git a/boring/src/lib.rs b/boring/src/lib.rs
@@ -41,8 +41,8 @@
 //!
 //! ## Building with a FIPS-validated module
 //!
-//! Only BoringCrypto module version `853ca1ea1168dff08011e5d42d94609cc0ca2e27`, as certified with
-//! [FIPS 140-2 certificate 4407](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407)
+//! Only BoringCrypto module version `0c6f40132b828e92ba365c6b7680e32820c63fa7`, as certified with
+//! [FIPS 140-3 certificate XXX](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/XXX)
 //! is supported by this crate. Support is enabled by this crate's `fips` feature.
 //!
 //! `boring-sys` comes with a test that FIPS is enabled/disabled depending on the feature flag. You can run it as follows:
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -703,10 +703,8 @@ impl SslCurve {
 
 /// A compliance policy.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
-#[cfg(not(feature = "fips"))]
 pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
 
-#[cfg(not(feature = "fips"))]
 impl CompliancePolicy {
     /// Does nothing, however setting this does not undo other policies, so trying to set this is an error.
     pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none);
@@ -826,6 +824,9 @@ impl SslContextBuilder {
             init();
             let ctx = cvt_p(ffi::SSL_CTX_new(method.as_ptr()))?;
 
+            #[cfg(feature = "fips")]
+            ctx.set_compliance_policy(CompliancePolicy::FIPS_202205).unwrap();
+
             #[cfg(feature = "rpk")]
             {
                 Ok(SslContextBuilder::from_ptr(ctx, false))
@@ -1896,8 +1897,6 @@ impl SslContextBuilder {
     /// This corresponds to [`SSL_CTX_set_compliance_policy`]
     ///
     /// [`SSL_CTX_set_compliance_policy`] https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_compliance_policy
-    /// This feature isn't available in the certified version of BoringSSL.
-    #[cfg(not(feature = "fips"))]
     pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> {
         unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) }
     }
diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs
@@ -21,7 +21,6 @@ use crate::ssl::{
 use crate::x509::verify::X509CheckFlags;
 use crate::x509::{X509Name, X509};
 
-#[cfg(not(feature = "fips"))]
 use super::CompliancePolicy;
 
 mod custom_verify;
@@ -948,7 +947,6 @@ fn test_get_ciphers() {
 }
 
 #[test]
-#[cfg(not(feature = "fips"))]
 fn test_set_compliance() {
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)
