From 77144d6c755f99c20aa3bbd8db11900b9c4c38e4 Mon Sep 17 00:00:00 2001
From: Scott Fleener
Date: Tue, 29 Jul 2025 12:12:12 -0400
Subject: [PATCH 1/3] chore(tls): Remove ring as crypto backend

The broader ecosystem has mostly moved to aws-lc-rs as the primary rustls backend, and we should follow suit. This will also simplify the maintenance of the proxy's TLS implementation in the long term. There will need to be some refactoring to clean up the rustls provider interfaces, but that will come in follow-ups.

Signed-off-by: Scott Fleener
---
 Cargo.lock | 1 -
 deny.toml | 15 +-----
 linkerd/meshtls/Cargo.toml | 4 +-
 linkerd/meshtls/rustls/Cargo.toml | 9 ++--
 linkerd/meshtls/rustls/src/backend.rs | 15 +-----
 linkerd/meshtls/rustls/src/backend/aws_lc.rs | 4 +-
 linkerd/meshtls/rustls/src/backend/ring.rs | 55 --------------------
 linkerd2-proxy/Cargo.toml | 7 ++-
 linkerd2-proxy/src/main.rs | 7 +--
 9 files changed, 13 insertions(+), 104 deletions(-)
 delete mode 100644 linkerd/meshtls/rustls/src/backend/ring.rs

diff --git a/Cargo.lock b/Cargo.lock
index c0aa17fcb2..c899f9e534 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3753,7 +3753,6 @@ dependencies = [
 "aws-lc-rs",
 "log",
 "once_cell",
- "ring",
 "rustls-pki-types",
 "rustls-webpki",
 "subtle",
diff --git a/deny.toml b/deny.toml
index 315c49ee43..bf8fc90b34 100644
--- a/deny.toml
+++ b/deny.toml
@@ -23,11 +23,6 @@ allow = [
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
- { allow = [
- "ISC",
- "MIT",
- "OpenSSL",
- ], name = "ring", version = "*" },
 { allow = [
 "ISC",
 "OpenSSL",
@@ -38,14 +33,6 @@ exceptions = [
 ], name = "aws-lc-fips-sys", version = "*" },
 ]

-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
- { path = "LICENSE", hash = 0xbd0eed23 },
-]
-
 [bans]
 multiple-versions = "deny"
 # Wildcard dependencies are used for all workspace-local crates.
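Review bot: The lockfile drops only the single `"ring"` edge under rustls' dependency list (the diffstat confirms `Cargo.lock | 1 -`), so ring's own `[[package]]` entry and its transitive dependencies appear to remain in the resolved graph through some other dependent. That matters twice: the binary would still link the second crypto implementation this series sets out to remove, and the `{ name = "ring" }` ban added to `[bans].deny` in deny.toml should then fail `cargo deny check bans` unless that dependency path is excluded from the check. Worth running `cargo tree -i ring`, then either dropping the remaining dependent's `ring` feature or re-locking so the entry disappears, in the same commit as the ban so the two cannot drift apart.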
@@ -55,6 +42,8 @@ deny = [
 { name = "rustls", wrappers = ["tokio-rustls"] },
 # rustls-webpki should be used instead.
 { name = "webpki" },
+ # aws-lc-rs should be used instead.
+ { name = "ring" }
 ]
 skip = [
 # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`
diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml
index a870e7c513..4ce893ff10 100644
--- a/linkerd/meshtls/Cargo.toml
+++ b/linkerd/meshtls/Cargo.toml
@@ -8,9 +8,7 @@ publish = { workspace = true }

 [features]
 rustls = ["linkerd-meshtls-rustls", "__has_any_tls_impls"]
-rustls-aws-lc = ["rustls", "linkerd-meshtls-rustls/aws-lc"]
-rustls-aws-lc-fips = ["rustls-aws-lc", "linkerd-meshtls-rustls/aws-lc-fips"]
-rustls-ring = ["rustls", "linkerd-meshtls-rustls/ring"]
+rustls-fips = ["linkerd-meshtls-rustls/fips"]
 boring = ["linkerd-meshtls-boring", "__has_any_tls_impls"]
 boring-fips = ["boring", "linkerd-meshtls-boring/fips"]
 # Enabled if *any* TLS impl is enabled.
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
index f5b34dddc2..c4a6bd9761 100644
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
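Review bot: The new `{ name = "ring" }` entry is the only element of the `deny` array without a trailing comma, while `{ name = "webpki" },` just above keeps one; `{ name = "ring" },` keeps the list uniform and lets the next ban be appended without editing this line. The ban itself is the right guard against the crate being pulled back in by a future dependency bump.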
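Review bot: `rustls-fips = ["linkerd-meshtls-rustls/fips"]` no longer implies the `rustls` feature, whereas the removed `rustls-aws-lc-fips` chained through `rustls-aws-lc` to `rustls`, and the sibling `boring-fips = ["boring", ...]` still does; enabling only the FIPS feature activates the optional crate but leaves `__has_any_tls_impls` unset. It should read `rustls-fips = ["rustls", "linkerd-meshtls-rustls/fips"]`. The same gap recurs in linkerd2-proxy/Cargo.toml, where `meshtls-rustls-fips = ["linkerd-meshtls/rustls-fips"]` does not list `"meshtls-rustls"`, so a `--no-default-features --features meshtls-rustls-fips` build appears to trip the compile_error in main.rs that this series narrows to `meshtls-boring`/`meshtls-rustls`; the renamed features in the second patch keep the same shape and need the same fix.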
@@ -7,19 +7,16 @@ edition = "2018"
 publish = { workspace = true }

 [features]
-default = ["aws-lc"]
-ring = ["tokio-rustls/ring", "rustls-webpki/ring"]
-aws-lc = ["tokio-rustls/aws-lc-rs", "rustls-webpki/aws-lc-rs"]
-aws-lc-fips = ["aws-lc", "tokio-rustls/fips"]
+fips = ["tokio-rustls/fips"]
 test-util = ["linkerd-tls-test-util"]

 [dependencies]
 futures = { version = "0.3", default-features = false }
 rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.4", default-features = false, features = ["std"] }
+rustls-webpki = { version = "0.103.4", default-features = false, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = { workspace = true }
+tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 tracing = { workspace = true }

 linkerd-dns-name = { path = "../../dns/name" }
diff --git a/linkerd/meshtls/rustls/src/backend.rs b/linkerd/meshtls/rustls/src/backend.rs
index edfc64d156..bb60c3207b 100644
--- a/linkerd/meshtls/rustls/src/backend.rs
+++ b/linkerd/meshtls/rustls/src/backend.rs
@@ -1,16 +1,3 @@
-#[cfg(all(feature = "aws-lc", feature = "ring"))]
-compile_error!(
- "Multiple rustls backends enabled. Enabled one of the \"ring\" or \"aws-lc\" features"
-);
-#[cfg(not(any(feature = "aws-lc", feature = "ring")))]
-compile_error!("No rustls backend enabled. Enabled one of the \"ring\" or \"aws-lc\" features");
+pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};

-#[cfg(feature = "aws-lc")]
 mod aws_lc;
-#[cfg(feature = "ring")]
-mod ring;
-
-#[cfg(feature = "aws-lc")]
-pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
-#[cfg(feature = "ring")]
-pub use ring::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
diff --git a/linkerd/meshtls/rustls/src/backend/aws_lc.rs b/linkerd/meshtls/rustls/src/backend/aws_lc.rs
index 4047d5dca3..ee406b1fb5 100644
--- a/linkerd/meshtls/rustls/src/backend/aws_lc.rs
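Review bot: In backend.rs the re-export `pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};` now sits above the `mod aws_lc;` declaration it refers to; the usual order is the module first, then what it exports, i.e. `mod aws_lc;` followed by a blank line and the `pub use`. With the cfg-gated compile_error! pair gone, a one-line module comment such as `//! aws-lc-rs is the only rustls crypto provider; the FIPS build only changes the exported cipher-suite order.` would tell the next reader why no backend selection remains here.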
+++ b/linkerd/meshtls/rustls/src/backend/aws_lc.rs
@@ -4,14 +4,14 @@ use tokio_rustls::rustls::{
 crypto::{aws_lc_rs, WebPkiSupportedAlgorithms},
 };

-#[cfg(not(feature = "aws-lc-fips"))]
+#[cfg(not(feature = "fips"))]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
 aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
 aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
 aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
 ];
 // Prefer aes-256-gcm if fips is enabled
-#[cfg(feature = "aws-lc-fips")]
+#[cfg(feature = "fips")]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
 aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
 aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
diff --git a/linkerd/meshtls/rustls/src/backend/ring.rs b/linkerd/meshtls/rustls/src/backend/ring.rs
deleted file mode 100644
index 37e54792f3..0000000000
--- a/linkerd/meshtls/rustls/src/backend/ring.rs
+++ /dev/null
@@ -1,55 +0,0 @@
-pub use ring::default_provider;
-use tokio_rustls::rustls::{
- self,
- crypto::{ring, WebPkiSupportedAlgorithms},
-};
-
-pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
- ring::cipher_suite::TLS13_AES_128_GCM_SHA256,
- ring::cipher_suite::TLS13_AES_256_GCM_SHA384,
- ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
-];
-// A subset of the algorithms supported by rustls+ring, imported from
-// https://github.com/rustls/rustls/blob/v/0.23.21/rustls/src/crypto/ring/mod.rs#L107
-pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = &WebPkiSupportedAlgorithms {
- all: &[
- webpki::ring::ECDSA_P256_SHA256,
- webpki::ring::ECDSA_P256_SHA384,
- webpki::ring::ECDSA_P384_SHA256,
- webpki::ring::ECDSA_P384_SHA384,
- webpki::ring::ED25519,
- webpki::ring::RSA_PKCS1_2048_8192_SHA256,
- webpki::ring::RSA_PKCS1_2048_8192_SHA384,
- webpki::ring::RSA_PKCS1_2048_8192_SHA512,
- webpki::ring::RSA_PKCS1_3072_8192_SHA384,
- ],
- mapping: &[
- (
- rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
- &[
- webpki::ring::ECDSA_P384_SHA384,
- webpki::ring::ECDSA_P256_SHA384,
- ],
- ),
- (
- rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
- &[
- webpki::ring::ECDSA_P256_SHA256,
- webpki::ring::ECDSA_P384_SHA256,
- ],
- ),
- (rustls::SignatureScheme::ED25519, &[webpki::ring::ED25519]),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA512,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA512],
- ),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA384,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA384],
- ),
- (
- rustls::SignatureScheme::RSA_PKCS1_SHA256,
- &[webpki::ring::RSA_PKCS1_2048_8192_SHA256],
- ),
- ],
-};
diff --git a/linkerd2-proxy/Cargo.toml b/linkerd2-proxy/Cargo.toml
index 429a494309..960459f802 100644
--- a/linkerd2-proxy/Cargo.toml
+++ b/linkerd2-proxy/Cargo.toml
@@ -8,12 +8,11 @@ publish = { workspace = true }
 description = "The main proxy executable"

 [features]
-default = ["meshtls-rustls-aws-lc"]
+default = ["meshtls-rustls"]
 meshtls-boring = ["linkerd-meshtls/boring"]
 meshtls-boring-fips = ["linkerd-meshtls/boring-fips"]
-meshtls-rustls-aws-lc = ["linkerd-meshtls/rustls-aws-lc"]
-meshtls-rustls-aws-lc-fips = ["linkerd-meshtls/rustls-aws-lc-fips"]
-meshtls-rustls-ring = ["linkerd-meshtls/rustls-ring"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
+meshtls-rustls-fips = ["linkerd-meshtls/rustls-fips"]
 log-streaming = ["linkerd-app/log-streaming"]
 pprof = ["linkerd-app/pprof"]
 # From https://github.com/polarsignals/rust-jemalloc-pprof/blob/bcf1ad7f7ad3ec8e71098f4d5a9ce55905c7a602/README.md#usage
diff --git a/linkerd2-proxy/src/main.rs b/linkerd2-proxy/src/main.rs
index 17fc1f9e3f..f0f7824519 100644
--- a/linkerd2-proxy/src/main.rs
+++ b/linkerd2-proxy/src/main.rs
@@ -6,12 +6,7 @@
 // Emit a compile-time error if no TLS implementations are enabled. When adding
 // new implementations, add their feature flags here!
-#[cfg(not(any(
- feature = "meshtls-boring",
- feature = "meshtls-rustls-ring",
- feature = "meshtls-rustls-aws-lc",
- feature = "meshtls-rustls-aws-lc-fips"
-)))]
+#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls",)))]
 compile_error!(
 "at least one of the following TLS implementations must be enabled: 'meshtls-boring', 'meshtls-rustls'"
 );

From a40cb8a5835440f1c94cf9361bb918c6b0da5689 Mon Sep 17 00:00:00 2001
From: Scott Fleener
Date: Wed, 13 Aug 2025 09:29:48 -0400
Subject: [PATCH 2/3] chore(tls): Restore existing aws-lc feature names for compatibility

Signed-off-by: Scott Fleener
---
 linkerd/meshtls/Cargo.toml | 2 +-
 linkerd/meshtls/rustls/Cargo.toml | 2 +-
 linkerd2-proxy/Cargo.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml
index 4ce893ff10..28e9783489 100644
--- a/linkerd/meshtls/Cargo.toml
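Review bot: In main.rs the collapsed attribute `#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls",)))]` keeps the trailing comma from the former multi-line form; on one line it reads as a leftover, `#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls")))]`. The comment above it still asks for every implementation's flag to be listed here, yet the FIPS variant is now dropped from the list; if the intent is that FIPS features imply their base feature (which the Cargo.toml hunk above does not yet guarantee), stating that in the comment, e.g. `// FIPS variants must imply these base features and are deliberately not listed.`, keeps the two in step. Note that `meshtls-boring-fips` was never in this list either, so that convention is the one the old code already assumed.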
+++ b/linkerd/meshtls/Cargo.toml
@@ -8,7 +8,7 @@ publish = { workspace = true }

 [features]
 rustls = ["linkerd-meshtls-rustls", "__has_any_tls_impls"]
-rustls-fips = ["linkerd-meshtls-rustls/fips"]
+rustls-aws-lc-fips = ["linkerd-meshtls-rustls/aws-lc-fips"]
 boring = ["linkerd-meshtls-boring", "__has_any_tls_impls"]
 boring-fips = ["boring", "linkerd-meshtls-boring/fips"]
 # Enabled if *any* TLS impl is enabled.
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
index c4a6bd9761..b51b91f1a0 100644
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2018"
 publish = { workspace = true }

 [features]
-fips = ["tokio-rustls/fips"]
+aws-lc-fips = ["tokio-rustls/fips"]
 test-util = ["linkerd-tls-test-util"]

 [dependencies]
diff --git a/linkerd2-proxy/Cargo.toml b/linkerd2-proxy/Cargo.toml
index 960459f802..81f5702508 100644
--- a/linkerd2-proxy/Cargo.toml
+++ b/linkerd2-proxy/Cargo.toml
@@ -12,7 +12,7 @@ default = ["meshtls-rustls"]
 meshtls-boring = ["linkerd-meshtls/boring"]
 meshtls-boring-fips = ["linkerd-meshtls/boring-fips"]
 meshtls-rustls = ["linkerd-meshtls/rustls"]
-meshtls-rustls-fips = ["linkerd-meshtls/rustls-fips"]
+meshtls-rustls-aws-lc-fips = ["linkerd-meshtls/rustls-aws-lc-fips"]
 log-streaming = ["linkerd-app/log-streaming"]
 pprof = ["linkerd-app/pprof"]
 # From https://github.com/polarsignals/rust-jemalloc-pprof/blob/bcf1ad7f7ad3ec8e71098f4d5a9ce55905c7a602/README.md#usage

From 96cbbc708921e456aa5b66f44c252fe44925e8e3 Mon Sep 17 00:00:00 2001
From: Scott Fleener
Date: Wed, 13 Aug 2025 09:35:04 -0400
Subject: [PATCH 3/3] fix(tls): Use correct feature name for fips conditionals

Signed-off-by: Scott Fleener
---
 linkerd/meshtls/rustls/src/backend/aws_lc.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linkerd/meshtls/rustls/src/backend/aws_lc.rs b/linkerd/meshtls/rustls/src/backend/aws_lc.rs
index ee406b1fb5..4047d5dca3 100644
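Review bot: Restoring only `rustls-aws-lc-fips` leaves the other names the first patch removed — `rustls-aws-lc` here and `meshtls-rustls-aws-lc` (the previous default) in linkerd2-proxy/Cargo.toml — as hard "feature not found" errors for any build script or packaging recipe that still passes them, which sits uneasily with a commit titled "for compatibility". If existing invocations are meant to keep working, cheap alias features do it: `rustls-aws-lc = ["rustls"]` in this file and `meshtls-rustls-aws-lc = ["meshtls-rustls"]` in the proxy crate. If the non-FIPS names are being dropped on purpose, the commit message should say so, since downstream FIPS builds are exactly the ones people pin by feature name.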
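Review bot: At this commit the crate feature becomes `aws-lc-fips`, but src/backend/aws_lc.rs (not in this hunk) still gates its two cipher-suite lists on `feature = "fips"` from the previous patch, so the FIPS ordering can never be selected and a FIPS build exports the non-FIPS list, ChaCha20-Poly1305 included, until the next patch renames the cfgs back. The series ends consistent, but this commit on its own is not, and on a current toolchain the stale `cfg(feature = "fips")` should also surface as an `unexpected_cfgs` warning. Squashing the cfg rename from the third patch into this one keeps every commit buildable as intended, which matters for bisecting a TLS regression later.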
--- a/linkerd/meshtls/rustls/src/backend/aws_lc.rs
+++ b/linkerd/meshtls/rustls/src/backend/aws_lc.rs
@@ -4,14 +4,14 @@ use tokio_rustls::rustls::{
 crypto::{aws_lc_rs, WebPkiSupportedAlgorithms},
 };

-#[cfg(not(feature = "fips"))]
+#[cfg(not(feature = "aws-lc-fips"))]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
 aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
 aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
 aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
 ];
 // Prefer aes-256-gcm if fips is enabled
-#[cfg(feature = "fips")]
+#[cfg(feature = "aws-lc-fips")]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
 aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
 aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
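Review bot: The two `cfg`s here only choose which suite list this module exports; whether the provider is actually aws-lc-rs's FIPS build is decided by `aws-lc-fips = ["tokio-rustls/fips"]` in Cargo.toml, and nothing in this file checks that the two agree, so a mismatched feature set (as happened between the second and third patch of this series) is only visible in the negotiated suites. Since rustls's `CryptoProvider` exposes `fips()`, a guard at the point where the provider is installed (outside this hunk), e.g. `#[cfg(feature = "aws-lc-fips")] assert!(default_provider().fips(), "aws-lc-fips enabled but provider is not FIPS");`, would make such a mismatch fail fast instead of quietly serving non-FIPS crypto; this presumes `default_provider` is the aws-lc-rs one re-exported from this module, which the hunk does not show. The comment `// Prefer aes-256-gcm if fips is enabled` could also state what the cfg does not do, e.g. `// Suite order only; FIPS mode itself comes from the aws-lc-fips cargo feature.`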