Add feature flag for enabling FIPS. (#268)

tobz · web-flow · commit 16d7e5915d10 · 2024-04-02T20:55:27.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -72,10 +72,17 @@ jobs:
           RUST_BACKTRACE: 1
 
       - name: cargo test (debug; all features)
+        if: runner.os == 'Linux'
         run: cargo test --all-features
         env:
           RUST_BACKTRACE: 1
 
+      - name: cargo test (debug; all features, excluding FIPS)
+        if: runner.os != 'Linux'
+        run: cargo test --features aws-lc-rs,http1,http2,webpki-tokio,native-tokio,ring,tls12,logging
+        env:
+          RUST_BACKTRACE: 1
+
       - name: cargo build (debug; no default features)
         run: cargo build --no-default-features
 
diff --git a/Cargo.toml b/Cargo.toml
@@ -42,6 +42,7 @@ native-tokio = ["rustls-native-certs"]
 ring = ["rustls/ring"]
 tls12 = ["tokio-rustls/tls12", "rustls/tls12"]
 logging = ["log", "tokio-rustls/logging", "rustls/logging"]
+fips = ["aws-lc-rs", "rustls/fips"]
 
 [[example]]
 name = "client"
diff --git a/README.md b/README.md
@@ -35,3 +35,28 @@ cargo run --example server
 ```bash
 cargo run --example client "https://docs.rs/hyper-rustls/latest/hyper_rustls/"
 ```
+
+## Crate features
+
+This crate exposes a number of features to add support for different portions of `hyper-util`,
+`rustls`, and other dependencies.
+
+| Feature flag | Enabled by default | Description |
+| ------------ | ------------------ | ----------- |
+| `aws-lc-rs`  | **yes** | Enables use of the [AWS-LC][aws-lc-rs] backend for [`rustls`][rustls] |
+| `http1` | **yes** | Enables HTTP/1 support in [`hyper-util`][hyper-util] |
+| `http2` | **no** | Enables HTTP/2 support in [`hyper-util`][hyper-util] |
+| `webpki-tokio` | **no** | Uses a compiled-in set of root certificates trusted by Mozilla (via [`webpki-roots`][webpki-roots]) |
+| `native-tokio` | **yes** | Use the platform's native certificate store at runtime (via [`rustls-native-certs`][rustls-native-certs]) |
+| `ring` | **no** | Enables use of the [`ring`][ring] backend for [`rustls`][rustls] |
+| `tls12` | **yes** | Enables support for TLS 1.2 (only TLS 1.3 supported when disabled) |
+| `logging` | **yes** | Enables logging of protocol-level diagnostics and errors via [`log`][log] |
+| `fips` | **no** | Enables support for using a FIPS 140-3 compliant backend via AWS-LC (enables `aws-lc-rs` feature) |
+
+[aws-lc-rs]: https://docs.rs/aws-lc-rs
+[rustls]: https://docs.rs/rustls
+[hyper-util]: https://docs.rs/hyper-util
+[webpki-roots]: https://docs.rs/webpki-roots
+[rustls-native-certs]: https://docs.rs/rustls-native-certs
+[ring]: https://docs.rs/ring
+[log]: https://docs.rs/log
