chore(deps): upgrade async-nats and enable FIPS

Cargo.toml

@@ -348,7 +348,11 @@ lru = { version = "0.13.0", default-features = false, optional = true }
 maxminddb = { version = "0.25.0", default-features = false, optional = true, features = ["simdutf8"] }
 md-5 = { version = "0.10", default-features = false, optional = true }
 mongodb = { version = "2.8.2", default-features = false, features = ["tokio-runtime"], optional = true }
-async-nats = { version = "0.33.0", default-features = false, optional = true }
+
+# Required for FIPS enabled cross compilation
+aws-lc-sys = { version = "0.26.0", features = ["bindgen"] }
+async-nats = { version = "0.39.0", default-features = false, features = ["fips"], optional = true }
+
 nkeys = { version = "0.4.4", default-features = false, optional = true }
 nom = { version = "7.1.3", default-features = false, optional = true }
 notify = { version = "8.0.0", default-features = false, features = ["macos_fsevent"] }
@@ -412,6 +416,7 @@ prost-build = { workspace = true, optional = true }
 tonic-build = { workspace = true, optional = true }
 # update 'openssl_version' in website/config.toml whenever <major.minor> version changes
 openssl-src = { version = "300", default-features = false, features = ["force-engine", "legacy"] }
+bindgen = { version = "0.71.1" }
 
 [dev-dependencies]
 approx = "0.5.1"

LICENSE-3rdparty.csv

@@ -50,6 +50,9 @@ atomic-waker,https://github.com/smol-rs/atomic-waker,Apache-2.0 OR MIT,"Stjepan
 aws-config,https://github.com/smithy-lang/smithy-rs,Apache-2.0,"AWS Rust SDK Team <[email protected]>, Russell Cohen <[email protected]>"
 aws-credential-types,https://github.com/smithy-lang/smithy-rs,Apache-2.0,AWS Rust SDK Team <[email protected]>
 aws-http,https://github.com/smithy-lang/smithy-rs,Apache-2.0,"AWS Rust SDK Team <[email protected]>, Russell Cohen <[email protected]>"
+aws-lc-fips-sys,https://github.com/aws/aws-lc-rs,ISC AND (Apache-2.0 OR ISC) AND OpenSSL,AWS-LC
+aws-lc-rs,https://github.com/aws/aws-lc-rs,ISC AND (Apache-2.0 OR ISC),AWS-LibCrypto
+aws-lc-sys,https://github.com/aws/aws-lc-rs,ISC AND (Apache-2.0 OR ISC) AND OpenSSL,AWS-LC
 aws-runtime,https://github.com/smithy-lang/smithy-rs,Apache-2.0,AWS Rust SDK Team <[email protected]>
 aws-sdk-cloudwatch,https://github.com/awslabs/aws-sdk-rust,Apache-2.0,"AWS Rust SDK Team <[email protected]>, Russell Cohen <[email protected]>"
 aws-sdk-cloudwatchlogs,https://github.com/awslabs/aws-sdk-rust,Apache-2.0,"AWS Rust SDK Team <[email protected]>, Russell Cohen <[email protected]>"
@@ -638,6 +641,7 @@ tokio-postgres,https://github.com/sfackler/rust-postgres,MIT OR Apache-2.0,Steve
 tokio-retry,https://github.com/srijs/rust-tokio-retry,MIT,Sam Rijs <[email protected]>
 tokio-rustls,https://github.com/rustls/tokio-rustls,MIT OR Apache-2.0,The tokio-rustls Authors
 tokio-tungstenite,https://github.com/snapview/tokio-tungstenite,MIT,"Daniel Abramov <[email protected]>, Alexey Galakhov <[email protected]>"
+tokio-websockets,https://github.com/Gelbpunkt/tokio-websockets,MIT,The tokio-websockets Authors
 toml,https://github.com/toml-rs/toml,MIT OR Apache-2.0,Alex Crichton <[email protected]>
 toml_edit,https://github.com/toml-rs/toml,MIT OR Apache-2.0,"Andronik Ordian <[email protected]>, Ed Page <[email protected]>"
 tonic,https://github.com/hyperium/tonic,MIT,Lucio Franco <[email protected]>
@@ -654,6 +658,7 @@ triomphe,https://github.com/Manishearth/triomphe,MIT OR Apache-2.0,"Manish Goreg
 trust-dns-proto,https://github.com/bluejekyll/trust-dns,MIT OR Apache-2.0,Benjamin Fry <[email protected]>
 trust-dns-resolver,https://github.com/bluejekyll/trust-dns,MIT OR Apache-2.0,Benjamin Fry <[email protected]>
 try-lock,https://github.com/seanmonstar/try-lock,MIT,Sean McArthur <[email protected]>
+tryhard,https://github.com/EmbarkStudios/tryhard,MIT OR Apache-2.0,Embark <[email protected]>
 tungstenite,https://github.com/snapview/tungstenite-rs,MIT OR Apache-2.0,"Alexey Galakhov, Daniel Abramov"
 twox-hash,https://github.com/shepmaster/twox-hash,MIT,Jake Goulding <[email protected]>
 typed-builder,https://github.com/idanarye/rust-typed-builder,MIT OR Apache-2.0,"IdanArye <[email protected]>, Chris Morgan <[email protected]>"

scripts/cross/bootstrap-ubuntu.sh

@@ -25,3 +25,40 @@ apt-get install -y \
       libclang1-9 \
       llvm-9 \
       unzip
+
+# aws-lc-rs dependencies
+apt-get update
+apt-get install -y \
+  gcc-arm-linux-gnueabihf \
+  g++-arm-linux-gnueabihf \
+  gcc-aarch64-linux-gnu \
+  g++-aarch64-linux-gnu \
+  libc6-dev-armhf-cross \
+  libc6-dev-arm64-cross \
+  clang \
+  cmake \
+  libssl-dev \
+  libclang-dev \
+  libsasl2-dev
+
+# Required by the `rdkafka-sys` Rust dependency
+ZLIB_VERSION=1.3.1
+wget https://www.zlib.net/zlib-${ZLIB_VERSION}.tar.gz
+tar xzvf  zlib-${ZLIB_VERSION}.tar.gz
+cd zlib-${ZLIB_VERSION}
+./configure
+make
+make install
+
+# Go installation is required for building aws-lc-rs
+# https://github.com/aws/aws-lc/issues/2129
+GO_VERSION="1.24.0"
+GO_TAR_FILE="go${GO_VERSION}.linux-amd64.tar.gz"
+wget https://go.dev/dl/${GO_TAR_FILE}
+tar -C /usr/local -xzf ${GO_TAR_FILE}
+rm ${GO_TAR_FILE}
+ln -s /usr/local/go/bin/go /usr/local/bin/go
+
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+cargo install --force --locked --version 0.71.1 bindgen-cli
+ln -s "$(dirname $(which cargo))/"* /usr/local/bin/

scripts/environment/bootstrap-macos.sh

@@ -15,6 +15,10 @@ brew install ruby@3 coreutils cue-lang/tap/cue protobuf
 # future
 brew reinstall rustup
 
+# Required for building aws-lc-rs
+# https://github.com/aws/aws-lc/issues/2129
+brew install go
+
 gem install bundler
 
 echo "export PATH=\"/usr/local/opt/ruby/bin:\$PATH\"" >> "$HOME/.bash_profile"

scripts/environment/bootstrap-ubuntu-24.04.sh

@@ -47,7 +47,8 @@ apt-get install --yes --no-install-recommends \
     shellcheck \
     sudo \
     unzip \
-    wget
+    wget \
+    golang-go # required by aws-lc-rs - # https://github.com/aws/aws-lc/issues/2129
 
 # Cue
 TEMP=$(mktemp -d)

scripts/environment/bootstrap-windows-2022.ps1

@@ -19,6 +19,11 @@ $env:NUGET_ENABLE_ENHANCED_HTTP_RETRY = "true"
 choco install make
 choco install protoc
 
+# required by aws-lc-rs
+# https://github.com/aws/aws-lc/issues/2129
+choco install ninja
+choco install nasm
+
 # Set a specific override path for libclang.
 echo "LIBCLANG_PATH=$( (gcm clang).source -replace "clang.exe" )" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 

scripts/integration/Dockerfile

@@ -1,23 +1,6 @@
 ARG RUST_VERSION
 FROM docker.io/rust:${RUST_VERSION}-slim-bookworm
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential \
-    cmake \
-    curl \
-    g++ \
-    libclang1 \
-    libsasl2-dev \
-    libssl-dev \
-    llvm \
-    pkg-config \
-    zlib1g-dev \
-    unzip \
-    git \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN rustup run "${RUST_VERSION}" cargo install cargo-nextest --version 0.9.72 --locked
-
-COPY scripts/environment/install-protoc.sh /
+COPY scripts/cross/bootstrap-ubuntu.sh scripts/environment/install-protoc.sh /
 COPY tests/data/ca/certs /certs
-RUN bash /install-protoc.sh
+RUN /bootstrap-ubuntu.sh

scripts/integration/bootstrap-ubuntu.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -o errexit
+
+apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    libc6-dev \
+    cmake \
+    curl \
+    g++ \
+    llvm \
+    libclang-dev \
+    libsasl2-dev \
+    libssl-dev \
+    pkg-config \
+    zlib1g-dev \
+    unzip \
+    git \
+    golang-go \
+  && rm -rf /var/lib/apt/lists/*
+
+rustup run "${RUST_VERSION}" cargo install cargo-nextest --version 0.9.72 --locked
+rustup run "${RUST_VERSION}" cargo install bindgen-cli --version 0.71.1 --locked
+./install-protoc.sh