auth: migrate mz-auth SCRAM-SHA256 crypto from openssl to aws-lc-rs

about.toml

@@ -4,6 +4,7 @@ accepted = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "CC0-1.0",
+    "CDLA-Permissive-2.0",
     "0BSD",
     "BSD-2-Clause",
     "BSD-3-Clause",

bin/lint-fips-containers

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+#
+# lint-fips-containers -- audit container definitions for FIPS compliance gaps
+
+exec "$(dirname "$0")"/pyactivate -m materialize.cli.lint_fips_containers "$@"

bin/lint-openssl

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+#
+# lint-openssl -- detect OpenSSL usage across the codebase
+
+exec "$(dirname "$0")"/pyactivate -m materialize.cli.lint_openssl "$@"

ci/builder/Dockerfile

@@ -181,6 +181,12 @@ RUN gpg --dearmor < nodesource.asc > /etc/apt/keyrings/nodesource.gpg \
     && npm install -g corepack \
     && corepack enable
 
+# Install Go, required by aws-lc-fips-sys to build the FIPS-validated
+# BoringSSL module. Activated when cargo builds with --all-features (which
+# enables the mz-ore `fips` feature). Go 1.18+ is required.
+RUN curl -fsSL https://go.dev/dl/go1.24.2.linux-$ARCH_GO.tar.gz | tar -C /usr/local -xzf -
+ENV PATH="/usr/local/go/bin:${PATH}"
+
 RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.$ARCH_GCC.tar.xz > shellcheck.tar.xz \
     && tar -xJf shellcheck.tar.xz -C /usr/local/bin --strip-components 1 shellcheck-v0.11.0/shellcheck \
     && rm shellcheck.tar.xz \

deny.toml

@@ -137,6 +137,17 @@ skip = [
     { name = "hashbrown", version = "0.16.1" },
     # aws-lc-rs
     { name = "untrusted", version = "0.7.1" },
+    # Pulled in by rustls ecosystem
+    { name = "base64", version = "0.21.7" },
+    { name = "core-foundation", version = "0.9.4" },
+    { name = "getrandom", version = "0.3.4" },
+    { name = "openssl-probe", version = "0.1.6" },
+    { name = "security-framework", version = "2.11.1" },
+    { name = "security-framework-sys", version = "2.14.0" },
+    { name = "toml_datetime", version = "0.6.11" },
+    { name = "toml_edit", version = "0.22.27" },
+    { name = "webpki-roots", version = "0.26.11" },
+    { name = "winnow", version = "0.7.15" },
 ]
 
 [[bans.deny]]
@@ -185,6 +196,7 @@ wrappers = [
     "eventsource-client",
     "fail",
     "globset",
+    "hyper-rustls",
     "launchdarkly-server-sdk",
     "launchdarkly-server-sdk-evaluation",
     "native-tls",
@@ -197,6 +209,7 @@ wrappers = [
     "rdkafka",
     "reqsign",
     "reqwest",
+    "rustls",
     "tokio-postgres",
     "tokio-tungstenite",
     "tracing-log",
@@ -206,10 +219,93 @@ wrappers = [
     "zopfli",
 ]
 
-# We prefer the system's native TLS or OpenSSL to Rustls, since they are more
-# mature and more widely used.
+# FIPS 140-3 compliance: all cryptographic operations must use `aws-lc-rs` as
+# the single crypto backend. The following crates are not FIPS-validated and
+# must not be used for new code. Existing wrappers should be removed as each
+# crate is migrated to `aws-lc-rs`. See doc/developer/openssl-to-rustls-migration.md.
+
+# Use `aws_lc_rs::digest` instead.
+[[bans.deny]]
+name = "sha2"
+wrappers = [
+    # Third-party crates (not under our control).
+    "aws-sdk-s3",
+    "aws-sigv4",
+    "aws-smithy-checksums",
+    "azure_core",
+    "mysql_common",
+    "oauth2",
+    "pest_meta",
+    "postgres-protocol",
+    "reqsign",
+    "ssh-encoding",
+    "ssh-key",
+    # Workspace crates — TODO: migrate to aws-lc-rs and remove.
+    "mz-adapter",
+    "mz-avro",
+    "mz-catalog",
+    "mz-expr",
+    "mz-fivetran-destination",
+    "mz-npm",
+    "mz-orchestrator-kubernetes",
+    "mz-orchestratord",
+    "mz-persist",
+    "mz-storage",
+]
+
+# Use `aws_lc_rs::hmac` instead.
+[[bans.deny]]
+name = "hmac"
+wrappers = [
+    # Third-party crates.
+    "aws-sdk-s3",
+    "aws-sigv4",
+    "azure_core",
+    "postgres-protocol",
+    "reqsign",
+    # Workspace crates — TODO: migrate to aws-lc-rs and remove.
+    "mz-expr",
+]
+
+# Use `aws_lc_rs::constant_time` instead.
+[[bans.deny]]
+name = "subtle"
+wrappers = [
+    # Third-party crates.
+    "digest",
+    "rustls",
+    "ssh-key",
+    # Workspace crates — TODO: migrate to aws-lc-rs and remove.
+    "mz-expr",
+]
+
+# Use `aws_lc_rs` instead of `ring` — ring is not FIPS-validated.
+[[bans.deny]]
+name = "ring"
+wrappers = [
+    # Third-party crate — TODO: track upstream migration.
+    "aws-config",
+]
+
+# Use `aws_lc_rs::pbkdf2` instead.
+[[bans.deny]]
+name = "pbkdf2"
+
+# Use `aws_lc_rs::signature::Ed25519KeyPair` instead.
+[[bans.deny]]
+name = "ed25519-dalek"
+
+# Use `aws_lc_rs::cipher` (AES-CBC) instead.
+[[bans.deny]]
+name = "aes"
+
+# Use `aws_lc_rs::cipher` instead.
+[[bans.deny]]
+name = "cbc"
+
+# Use `aws_lc_rs::rsa` instead.
 [[bans.deny]]
-name = "rustls"
+name = "rsa"
 
 # once_cell is going to be added to std, and doesn't use macros
 # Unfortunately, its heavily used, so we have lots of exceptions.
@@ -267,6 +363,7 @@ allow = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "CC0-1.0",
+    "CDLA-Permissive-2.0",
     "0BSD",
     "BSD-2-Clause",
     "BSD-3-Clause",