fips feature: appears to use rand chacha #529

Closed
xnox opened this issue Jan 20, 2025 · 3 comments · Fixed by #530

xnox commented Jan 20, 2025

When built in fips feature mode, I expect entropy to be gathered by the FIPS module, i.e. `aws_lc_fips_0_13_0_RAND_priv_bytes`, such that it can use any appropriate source of entropy, with FIPS approved (ACVP tested) conditioning functions if any (i.e. SHA3).

Or for example use kernel / OS entropy source, i.e. `getrandom`.

During the build it appears that rand / rand_chacha are pulled in, and as far as I understand CHACHA is not FIPS approved functionality.

```
$ readelf --wide --symbols target/x86_64-unknown-linux-gnu/release/deps/librustls.so  | ~/.cargo/bin/rustfilt | grep -e chacha
    67: 0000000000066be0    24 FUNC    LOCAL  DEFAULT   11 core::ptr::drop_in_place<std::sys::thread_local::native::lazy::State<alloc::rc::Rc<core::cell::UnsafeCell<rand::rngs::adapter::reseeding::ReseedingRng<rand_chacha::chacha::ChaCha12Core,rand_core::os::OsRng>>>,()>>
  1367: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS rand_chacha.f3ae93e55b950902-cgu.0
  1368: 0000000000067580   869 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide::impl_avx2
  1369: 00000000000678f0  1530 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide::impl_avx
  1370: 0000000000067ef0  1722 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide::impl_sse41
  1371: 00000000000685b0  1758 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide::impl_ssse3
  2326: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS chacha.c
  3071: 000000000032db18     8 OBJECT  LOCAL  DEFAULT   11 CRYPTO_chacha_20_GOTPCREL_external
  3801: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS e_chacha20poly1305.c
  4020: 0000000000068d80   120 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::init_chacha::impl_avx
  4041: 0000000000114340   396 FUNC    LOCAL  DEFAULT   11 aws_lc_fips_0_13_0_CRYPTO_chacha_20
  4237: 0000000000111be0   128 FUNC    LOCAL  DEFAULT   11 <aws_lc_rs::cipher::chacha::ChaCha20Key as core::ops::drop::Drop>::drop
  5380: 0000000000068c90   230 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::init_chacha
  6261: 0000000000066d00  2163 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide
```

Can you explain why/how rand_chacha is pulled into a fips build of librustls? Can it be avoided in favour of using aws_lc_fips functions for randomness? (i.e. `RAND_priv_bytes` and similar)?


ctz commented Jan 20, 2025

> Can you explain why/how rand_chacha is pulled into a fips build of librustls?

I'd theorise that this is

```rust
let suite = self.suites.choose(&mut rand::thread_rng())?;
```

If so, that's a non-cryptographic use, but it would be cleaner if we avoided it (and rand crate) altogether.


cpu commented Jan 20, 2025

> it would be cleaner if we avoided it (and rand crate) altogether.

My original API for the ECH GREASE left this up to the caller and during review it was suggested to pick it randomly internal to rustls-ffi. We could go back to something closer to that original idea. I'm not sure there's a sensible way to pick one randomly internal to the crate without an extra dep. Edit: Ah, I missed the suggestion to use the crypto provider. That might work.


cpu commented Jan 21, 2025

Fixed in main. Thanks!
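
A regression check for the concern raised in this issue, as an added example that is not part of the original thread or of the rustls-ffi project: it scans demangled `readelf --wide --symbols` output (piped through `rustfilt` as above) for symbols rooted in the `rand`, `rand_chacha` or `rand_core` crates. The deny list, the function name and row 9001 of the sample are assumptions made for the example.

```python
import re
import sys

# Assumption: crates this example treats as off-limits in a FIPS build.
DENIED_CRATES = ("rand", "rand_chacha", "rand_core")
_NAMES = "|".join(re.escape(c) for c in DENIED_CRATES)
# Crate-rooted path such as `rand_chacha::guts`, also inside generics.
# The lookbehind skips module paths like `aws_lc_rs::rand::fill`.
_PATH = re.compile(rf"(?<![\w:])({_NAMES})::")
# rustc codegen-unit FILE symbols look like `rand_chacha.<hash>-cgu.0`.
_CGU = re.compile(rf"^({_NAMES})\.[0-9a-f]+-cgu\.\d+$")


def denied_symbols(listing):
    """Map each denied crate to the demangled symbol names that reference it."""
    found = {}
    for line in listing.splitlines():
        parts = line.split(None, 7)
        # Symbol rows have 8 columns and start with "<num>:"; skip headers.
        if len(parts) < 8 or not parts[0].rstrip(":").isdigit():
            continue
        sym_type, name = parts[3], parts[7].strip()
        if sym_type == "FILE":
            m = _CGU.match(name)
            crates = {m.group(1)} if m else set()
        else:
            crates = set(_PATH.findall(name))
        for crate in crates:
            found.setdefault(crate, []).append(name)
    return found


# Rows 67, 1367, 1368, 4041 and 4237 are copied from the issue; the header
# and row 9001 are constructed to exercise the skip and module-path cases.
SAMPLE = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    67: 0000000000066be0    24 FUNC    LOCAL  DEFAULT   11 core::ptr::drop_in_place<std::sys::thread_local::native::lazy::State<alloc::rc::Rc<core::cell::UnsafeCell<rand::rngs::adapter::reseeding::ReseedingRng<rand_chacha::chacha::ChaCha12Core,rand_core::os::OsRng>>>,()>>
  1367: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS rand_chacha.f3ae93e55b950902-cgu.0
  1368: 0000000000067580   869 FUNC    LOCAL  DEFAULT   11 rand_chacha::guts::refill_wide::impl_avx2
  4041: 0000000000114340   396 FUNC    LOCAL  DEFAULT   11 aws_lc_fips_0_13_0_CRYPTO_chacha_20
  4237: 0000000000111be0   128 FUNC    LOCAL  DEFAULT   11 <aws_lc_rs::cipher::chacha::ChaCha20Key as core::ops::drop::Drop>::drop
  9001: 0000000000070000    64 FUNC    LOCAL  DEFAULT   11 aws_lc_rs::rand::fill
"""

if __name__ == "__main__":
    # Reads the listing from stdin when piped; falls back to SAMPLE otherwise.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = denied_symbols(text)
    for crate, names in sorted(hits.items()):
        print(f"{crate}: {len(names)} symbol(s), first: {names[0]}")
    sys.exit(1 if hits else 0)
```

Matching on crate-rooted paths rather than the substring `chacha` keeps the AWS-LC symbols and the `aws_lc_rs` cipher types out of the findings; the non-zero exit status lets a CI job fail when a denied crate reappears in the FIPS build.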
