
Support `aws-lc-rs` instead of `rsa`

Open skeggse opened this issue 2 months ago • 1 comment

I have found these related issues/pull requests

Relates to https://github.com/launchbadge/sqlx/issues/4081

Description

When building Rust applications in FIPS mode, it's important to be cognizant of which cryptographic algorithms are being included in the application, and to ensure they are FIPS-validated.

sqlx-mysql uses the rsa crate for authenticating via caching_sha2_password:

https://github.com/launchbadge/sqlx/blob/e8384f2a00173c2b120eea72e99d120557fced8b/sqlx-mysql/src/connection/auth.rs#L6

Preferred solution

Many crates in the Rust ecosystem have started supporting an aws_lc_rs feature, which switches their cryptographic backends to AWS Libcrypto. This backend provides a FIPS-validated module, which makes more crates FIPS-compatible.

Is this a breaking change? Why or why not?

Seems strictly additive to me, so non-breaking?

skeggse avatar Nov 01 '25 19:11 skeggse
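For readers unfamiliar with the pattern the issue asks for, here is what "an aws_lc_rs feature that switches the cryptographic backend" typically looks like at the manifest level. This is an illustrative Cargo.toml written for this page, not sqlx's actual manifest; the crate name, version numbers and feature names are assumptions, and the only things taken from the real ecosystem are the crate names `rsa` and `aws-lc-rs` and the latter's `fips` feature.

```toml
# Hypothetical manifest for a crate that needs RSA-OAEP for caching_sha2_password.
# Illustrative only; not sqlx-mysql's real Cargo.toml.
[package]
name = "mysql-auth-example"   # assumed name
version = "0.1.0"
edition = "2021"

[dependencies]
# Both backends are optional so neither is compiled unless a feature asks for it.
rsa = { version = "0.9", optional = true }          # version assumed
aws-lc-rs = { version = "1", optional = true }      # version assumed

[features]
# Keep the existing behaviour as the default so the change is additive.
default = ["rsa"]

# Pure-Rust backend (today's behaviour).
rsa = ["dep:rsa"]

# AWS-LC backend. Enabling `fips` on aws-lc-rs selects the FIPS-validated build
# of the library; the consumer still has to verify the validated version in use.
aws-lc-rs = ["dep:aws-lc-rs"]
fips = ["aws-lc-rs", "aws-lc-rs/fips"]
```

Two practical caveats for anyone wiring this up or consuming it. First, Cargo features are unioned across the whole dependency graph, so a downstream crate that wants `rsa` out of its binary must depend on the crate with `default-features = false, features = ["aws-lc-rs"]` and check with `cargo tree -e features` that no other dependency re-enables `rsa`; otherwise both backends get linked and the FIPS goal is silently missed. Second, because features are additive, the code behind them should not assume only one backend is on: the usual convention is a `#[cfg]` that prefers `aws-lc-rs` whenever it is enabled and falls back to `rsa` only when it is not, rather than a compile error when both are set.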

In addition, there has been a potential attack related to the rsa crate which isn't that trivial to fix and also makes cargo audit complain: https://rustsec.org/advisories/RUSTSEC-2023-0071.html

lielfr avatar Nov 01 '25 20:11 lielfr