Your product needs FIPS 140-3. Your stack is Rust. Until now those two facts were in tension.
The pure-Rust crypto libraries are not FIPS 140-3 validated.
wolfSSL’s Rust crates are different. wolfCrypt has been through FIPS 140-3 validation. The path from Rust to a validated build exists.
Here’s what it actually takes.
The `fips` feature flag
```toml
wolfcrypt = { version = "0.1", features = ["fips"] }
```
This compiles the wolfSSL FIPS 140-3 code path and runs the FIPS self-tests (`wc_RunAllCast()`) at startup. The algorithm set is restricted to what’s inside the FIPS boundary.
This is necessary but not sufficient.
What you also need
- A wolfSSL commercial FIPS license.** The validated source tree is deliverable to you from wolfSSL under a commercial license with support, because what gets validated is a specific snapshot, and modifications to the boundary code void the validation.
- The validated source.** Set `WOLFSSL_SRC` to point at it. The `wolfssl-src` crate will compile it.
- No modifications to the boundary code.** You can wrap, extend, and add Rust abstractions above the boundary. You cannot change what’s inside it.
The bottom line
If you have the license and the source, `features = [“fips”]` gives you a FIPS 140-3 validated build. If you don’t, you get the FIPS code path without the validation, useful for testing and preparation, not for compliance claims.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now