diff --git a/Cargo.lock b/Cargo.lock
index 9a28ec68b2..0743728462 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3753,7 +3753,6 @@ dependencies = [
 "aws-lc-rs",
 "log",
 "once_cell",
- "ring",
 "rustls-pki-types",
 "rustls-webpki",
 "subtle",
diff --git a/deny.toml b/deny.toml
index 315c49ee43..bf8fc90b34 100644
--- a/deny.toml
+++ b/deny.toml
@@ -23,11 +23,6 @@ allow = [
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
- { allow = [
- "ISC",
- "MIT",
- "OpenSSL",
- ], name = "ring", version = "*" },
 { allow = [
 "ISC",
 "OpenSSL",
@@ -38,14 +33,6 @@ exceptions = [
 ], name = "aws-lc-fips-sys", version = "*" },
 ]
 
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
- { path = "LICENSE", hash = 0xbd0eed23 },
-]
-
 [bans]
 multiple-versions = "deny"
 # Wildcard dependencies are used for all workspace-local crates.
@@ -55,6 +42,8 @@ deny = [
 { name = "rustls", wrappers = ["tokio-rustls"] },
 # rustls-webpki should be used instead.
 { name = "webpki" },
+ # aws-lc-rs should be used instead.
+ { name = "ring" }
 ]
 skip = [
 # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`
diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml
index a870e7c513..28e9783489 100644
--- a/linkerd/meshtls/Cargo.toml
+++ b/linkerd/meshtls/Cargo.toml
@@ -8,9 +8,7 @@ publish = { workspace = true }
 
 [features]
 rustls = ["linkerd-meshtls-rustls", "__has_any_tls_impls"]
-rustls-aws-lc = ["rustls", "linkerd-meshtls-rustls/aws-lc"]
-rustls-aws-lc-fips = ["rustls-aws-lc", "linkerd-meshtls-rustls/aws-lc-fips"]
-rustls-ring = ["rustls", "linkerd-meshtls-rustls/ring"]
+rustls-aws-lc-fips = ["linkerd-meshtls-rustls/aws-lc-fips"]
 boring = ["linkerd-meshtls-boring", "__has_any_tls_impls"]
 boring-fips = ["boring", "linkerd-meshtls-boring/fips"]
 # Enabled if *any* TLS impl is enabled.
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
index f5b34dddc2..b51b91f1a0 100644
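Review bot: In the linkerd/meshtls/Cargo.toml hunk, `rustls-aws-lc-fips = ["linkerd-meshtls-rustls/aws-lc-fips"]` no longer implies the `rustls` feature, which the removed `rustls-aws-lc-fips -> rustls-aws-lc -> rustls` chain did, so a build that selects only the FIPS feature enables the `linkerd-meshtls-rustls` dependency without setting `rustls` or `__has_any_tls_impls`. If the crate gates its rustls wiring on `feature = "rustls"` (not visible here), such a build has no rustls backend wired in; the proxy's `meshtls-rustls-aws-lc-fips` feature in the linkerd2-proxy/Cargo.toml hunk and the rewritten `compile_error!` guard in the linkerd2-proxy/src/main.rs hunk have the same gap, since neither enables nor accepts `meshtls-rustls` alongside the FIPS feature. Keeping the FIPS feature self-sufficient is a one-line change here, `rustls-aws-lc-fips = ["rustls", "linkerd-meshtls-rustls/aws-lc-fips"]`, and likewise `meshtls-rustls-aws-lc-fips = ["meshtls-rustls", "linkerd-meshtls/rustls-aws-lc-fips"]` in linkerd2-proxy/Cargo.toml. The proxy's new `default = ["meshtls-rustls"]` hides this unless defaults are disabled, which is how a FIPS-only build is likely to be cut, so a CI build with `--no-default-features --features meshtls-rustls-aws-lc-fips` would pin the behaviour either way.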
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@@ -7,19 +7,16 @@ edition = "2018"
 publish = { workspace = true }
 
 [features]
-default = ["aws-lc"]
-ring = ["tokio-rustls/ring", "rustls-webpki/ring"]
-aws-lc = ["tokio-rustls/aws-lc-rs", "rustls-webpki/aws-lc-rs"]
-aws-lc-fips = ["aws-lc", "tokio-rustls/fips"]
+aws-lc-fips = ["tokio-rustls/fips"]
 test-util = ["linkerd-tls-test-util"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
 rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.4", default-features = false, features = ["std"] }
+rustls-webpki = { version = "0.103.4", default-features = false, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = { workspace = true }
+tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 tracing = { workspace = true }
 
 linkerd-dns-name = { path = "../../dns/name" }
diff --git a/linkerd/meshtls/rustls/src/backend.rs b/linkerd/meshtls/rustls/src/backend.rs
index edfc64d156..bb60c3207b 100644
--- a/linkerd/meshtls/rustls/src/backend.rs
+++ b/linkerd/meshtls/rustls/src/backend.rs
@@ -1,16 +1,3 @@
-#[cfg(all(feature = "aws-lc", feature = "ring"))]
-compile_error!(
- "Multiple rustls backends enabled. Enabled one of the \"ring\" or \"aws-lc\" features"
-);
-#[cfg(not(any(feature = "aws-lc", feature = "ring")))]
-compile_error!("No rustls backend enabled. Enabled one of the \"ring\" or \"aws-lc\" features");
+pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
 
-#[cfg(feature = "aws-lc")]
 mod aws_lc;
-#[cfg(feature = "ring")]
-mod ring;
-
-#[cfg(feature = "aws-lc")]
-pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
-#[cfg(feature = "ring")]
-pub use ring::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
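Review bot: With the `cfg` guards and the `ring` module removed, backend.rs no longer states anywhere that aws-lc-rs is the only crypto provider, and the new `pub use aws_lc::{...}` now sits above `mod aws_lc;`, the reverse of the usual declaration order. I would open the file with a module comment along the lines of `//! rustls crypto backend. aws-lc-rs is the sole provider; TLS_SUPPORTED_CIPHERSUITES and SUPPORTED_SIG_ALGS are the cipher-suite and signature-algorithm lists this crate exposes, so changing them changes what peers can negotiate.` and move `mod aws_lc;` above the re-export. Because backend/aws_lc.rs is outside this diff, it is worth confirming it keeps the same restricted set that the deleted ring.rs pinned (TLS 1.3 suites only, and the ECDSA/Ed25519/RSA-PKCS1 signature subset), since the removed guards were the last place the backend choice was made explicit.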
diff --git a/linkerd/meshtls/rustls/src/backend/ring.rs b/linkerd/meshtls/rustls/src/backend/ring.rs
deleted file mode 100644
index 37e54792f3..0000000000
--- a/linkerd/meshtls/rustls/src/backend/ring.rs
+++ /dev/null
@@ -1,55 +0,0 @@
-pub use ring::default_provider;
-use tokio_rustls::rustls::{
- self,
- crypto::{ring, WebPkiSupportedAlgorithms},
-};
-
-pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
- ring::cipher_suite::TLS13_AES_128_GCM_SHA256,
- ring::cipher_suite::TLS13_AES_256_GCM_SHA384,
- ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
-];
-// A subset of the algorithms supported by rustls+ring, imported from
-// https://github.com/rustls/rustls/blob/v/0.23.21/rustls/src/crypto/ring/mod.rs#L107
-pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = &WebPkiSupportedAlgorithms {
- all: &[
- webpki::ring::ECDSA_P256_SHA256,
- webpki::ring::ECDSA_P256_SHA384,
- webpki::ring::ECDSA_P384_SHA256,
- webpki::ring::ECDSA_P384_SHA384,
- webpki::ring::ED25519,
- webpki::ring::RSA_PKCS1_2048_8192_SHA256,
- webpki::ring::RSA_PKCS1_2048_8192_SHA384,
- webpki::ring::RSA_PKCS1_2048_8192_SHA512,
- webpki::ring::RSA_PKCS1_3072_8192_SHA384,
- ],
- mapping: &[
- (
- rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
- &[
- webpki::ring::ECDSA_P384_SHA384,
- webpki::ring::ECDSA_P256_SHA384,
- ],
- ),
- (
- rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
- &[
- webpki::ring::ECDSA_P256_SHA256,
- webpki::ring::ECDSA_P384_SHA256,
- ],
- ),
- (rustls::SignatureScheme::ED25519, &[webpki::ring::ED25519]),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA512,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA512],
- ),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA384,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA384],
- ),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA256,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA256],
- ),
- ],
-};
diff --git a/linkerd2-proxy/Cargo.toml b/linkerd2-proxy/Cargo.toml
index 429a494309..81f5702508 100644
--- a/linkerd2-proxy/Cargo.toml
+++ b/linkerd2-proxy/Cargo.toml
@@ -8,12 +8,11 @@ publish = { workspace = true }
 description = "The main proxy executable"
 
 [features]
-default = ["meshtls-rustls-aws-lc"]
+default = ["meshtls-rustls"]
 meshtls-boring = ["linkerd-meshtls/boring"]
 meshtls-boring-fips = ["linkerd-meshtls/boring-fips"]
-meshtls-rustls-aws-lc = ["linkerd-meshtls/rustls-aws-lc"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
 meshtls-rustls-aws-lc-fips = ["linkerd-meshtls/rustls-aws-lc-fips"]
-meshtls-rustls-ring = ["linkerd-meshtls/rustls-ring"]
 log-streaming = ["linkerd-app/log-streaming"]
 pprof = ["linkerd-app/pprof"]
 # From https://github.com/polarsignals/rust-jemalloc-pprof/blob/bcf1ad7f7ad3ec8e71098f4d5a9ce55905c7a602/README.md#usage
diff --git a/linkerd2-proxy/src/main.rs b/linkerd2-proxy/src/main.rs
index 17fc1f9e3f..f0f7824519 100644
--- a/linkerd2-proxy/src/main.rs
+++ b/linkerd2-proxy/src/main.rs
@@ -6,12 +6,7 @@
 
 // Emit a compile-time error if no TLS implementations are enabled. When adding
 // new implementations, add their feature flags here!
-#[cfg(not(any(
- feature = "meshtls-boring",
- feature = "meshtls-rustls-ring",
- feature = "meshtls-rustls-aws-lc",
- feature = "meshtls-rustls-aws-lc-fips"
-)))]
+#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls",)))]
 compile_error!(
 "at least one of the following TLS implementations must be enabled: 'meshtls-boring', 'meshtls-rustls'"
 );
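Review bot: The rewritten `cfg` in the linkerd2-proxy/src/main.rs hunk keeps a stray trailing comma, `feature = "meshtls-rustls",)`, left over from collapsing the multi-line list; rustfmt does not normalise attribute arguments, so it will stay unless removed by hand. `#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls")))]` reads as intended and matches the two names the `compile_error!` message below it lists.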