Use aws-lc-rs as rust-tls provider (#35106)

Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
2025-06-06 16:45:39 +00:00 · 2025-01-30 20:10:49 +01:00 · 2025-01-30 20:10:49 +01:00 · 764feada30
commit 764feada30
parent 534e78db53
11 changed files with 124 additions and 26 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -332,6 +332,31 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"

+[[package]]
+name = "aws-lc-rs"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ea835662a0af02443aa1396d39be523bbf8f11ee6fad20329607c480bea48c3"
+dependencies = [
+ "aws-lc-sys",
+ "paste",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "71b2ddd3ada61a305e1d8bb6c005d1eaa7d14d903681edfc400406d523a9b491"
+dependencies = [
+ "bindgen 0.69.5",
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+ "paste",
+]
+
 [[package]]
 name = "background_hang_monitor"
 version = "0.0.1"
@ -412,6 +437,29 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "bindgen"
+version = "0.69.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088"
+dependencies = [
+ "bitflags 2.8.0",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.10.5",
+ "lazy_static",
+ "lazycell",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash 1.1.0",
+ "shlex",
+ "syn",
+ "which",
+]
+
 [[package]]
 name = "bindgen"
 version = "0.71.1"
@ -898,6 +946,15 @@ dependencies = [
 "error-code",
 ]

+[[package]]
+name = "cmake"
+version = "0.1.52"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c682c223677e0e5b6b7f63a64b9351844c3f1b1678a68b7ee617e30fb082620e"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "cocoa"
 version = "0.25.0"
@ -1652,6 +1709,12 @@ dependencies = [
 "dtoa",
 ]

+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "dwrote"
 version = "0.11.2"
@ -2146,6 +2209,12 @@ dependencies = [
 "pkg-config",
 ]

+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futf"
 version = "0.1.5"
@ -3059,6 +3128,15 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "503574f5cbf4ac5e16d20369e85e1562a567e77cf45369fb7e8e06a2cfd7934b"

+[[package]]
+name = "home"
+version = "0.5.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "html5ever"
 version = "0.29.0"
@ -4109,6 +4187,12 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"

+[[package]]
+name = "lazycell"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+
 [[package]]
 name = "leak"
 version = "0.1.2"
@ -4556,7 +4640,7 @@ version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ab823731ea6297e7280dade983df955d1a8209d2deb44f505932b8873168992"
 dependencies = [
- "bindgen",
+ "bindgen 0.71.1",
 "cc",
 "gl_generator",
 "libz-sys",
@ -4568,7 +4652,7 @@ name = "mozjs"
 version = "0.14.1"
 source = "git+https://github.com/servo/mozjs#0081fc4a3f5fc9891d4377844a874651f7c46041"
 dependencies = [
- "bindgen",
+ "bindgen 0.71.1",
 "cc",
 "lazy_static",
 "libc",
@ -4581,7 +4665,7 @@ name = "mozjs_sys"
 version = "0.128.6-1"
 source = "git+https://github.com/servo/mozjs#0081fc4a3f5fc9891d4377844a874651f7c46041"
 dependencies = [
- "bindgen",
+ "bindgen 0.71.1",
 "cc",
 "encoding_c",
 "encoding_c_mem",
@ -5658,6 +5742,16 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e8cf8e6a8aa66ce33f63993ffc4ea4271eb5b0530a9002db8455ea6050c77bfa"

+[[package]]
+name = "prettyplease"
+version = "0.2.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6924ced06e1f7dfe3fa48d57b9f74f55d8915f5036121bef647ef4b204895fac"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
 [[package]]
 name = "proc-macro-crate"
 version = "3.2.0"
@ -6043,9 +6137,9 @@ version = "0.23.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f287924602bf649d949c63dc8ac8b235fa5387d394020705b80c4eb597ce5b8"
 dependencies = [
+ "aws-lc-rs",
 "log",
 "once_cell",
- "ring",
 "rustls-pki-types",
 "rustls-webpki",
 "subtle",
@ -6073,6 +6167,7 @@ version = "0.102.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
 dependencies = [
+ "aws-lc-rs",
 "ring",
 "rustls-pki-types",
 "untrusted",
@ -6122,6 +6217,7 @@ dependencies = [
 "app_units",
 "arrayvec",
 "atomic_refcell",
+ "aws-lc-rs",
 "background_hang_monitor_api",
 "backtrace",
 "base",
@ -6184,7 +6280,6 @@ dependencies = [
 "range",
 "ref_filter_map",
 "regex",
- "ring",
 "script_bindings",
 "script_layout_interface",
 "script_traits",
@ -8600,6 +8695,18 @@ dependencies = [
 "web-sys",
 ]

+[[package]]
+name = "which"
+version = "4.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7"
+dependencies = [
+ "either",
+ "home",
+ "once_cell",
+ "rustix",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -23,6 +23,7 @@ aes-gcm = "0.10.3"
 app_units = "0.7"
 arrayvec = "0.7"
 async-tungstenite = { version = "0.28", features = ["tokio-rustls-webpki-roots"] }
+aws-lc-rs = { version = "1.12", default-features = false }
 atomic_refcell = "0.1.13"
 background_hang_monitor_api = { path = "components/shared/background_hang_monitor" }
 backtrace = "0.3"
@ -106,7 +107,6 @@ rand_core = "0.6"
 rand_isaac = "0.3"
 rayon = "1"
 regex = "1.11"
-ring = "0.17.8"
 rustls = { version = "0.23", default-features = false, features = ["logging", "std", "tls12"] }
 rustls-pemfile = "2.0"
 rustls-pki-types = "1.11"
--- a/components/net/Cargo.toml
+++ b/components/net/Cargo.toml
@ -78,7 +78,7 @@ flate2 = "1"
 futures = { version = "0.3", features = ["compat"] }
 hyper = { workspace = true, features = ["full"] }
 hyper-util = { workspace = true, features = ["server-graceful"] }
-rustls = { workspace = true, features = ["ring"] }
+rustls = { workspace = true }

 [[test]]
 name = "main"
--- a/components/net/tests/main.rs
+++ b/components/net/tests/main.rs
@ -149,7 +149,7 @@ fn receive_credential_prompt_msgs(
 }

 fn create_http_state(fc: Option<EmbedderProxy>) -> HttpState {
-    let _ = rustls::crypto::ring::default_provider().install_default();
+    let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();

    let override_manager = net::connector::CertificateErrorOverrideManager::new();
    HttpState {
--- a/components/script/Cargo.toml
+++ b/components/script/Cargo.toml
@ -93,7 +93,7 @@ profile_traits = { workspace = true }
 range = { path = "../range" }
 ref_filter_map = "1.0.1"
 regex = { workspace = true }
-ring = { workspace = true }
+aws-lc-rs = { workspace = true }
 script_bindings = { path = "../script_bindings" }
 script_layout_interface = { workspace = true }
 script_traits = { workspace = true }
--- a/components/script/dom/subtlecrypto.rs
+++ b/components/script/dom/subtlecrypto.rs
@ -12,6 +12,7 @@ use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit, StreamCipher};
 use aes::{Aes128, Aes192, Aes256};
 use aes_gcm::{AeadInPlace, AesGcm, KeyInit};
 use aes_kw::{KekAes128, KekAes192, KekAes256};
+use aws_lc_rs::{digest, hkdf, hmac, pbkdf2};
 use base64::prelude::*;
 use cipher::consts::{U12, U16, U32};
 use dom_struct::dom_struct;
@ -20,7 +21,6 @@ use js::jsapi::{JSObject, JS_NewObject};
 use js::jsval::ObjectValue;
 use js::rust::MutableHandleObject;
 use js::typedarray::ArrayBufferU8;
-use ring::{digest, hkdf, hmac, pbkdf2};
 use servo_rand::{RngCore, ServoRng};

 use crate::dom::bindings::buffer_source::create_buffer_source;
--- a/components/servo/Cargo.toml
+++ b/components/servo/Cargo.toml
@ -109,6 +109,6 @@ gaol = "0.2.1"

 [dev-dependencies]
 libservo = { path = ".", features = ["tracing"] }
-rustls = { version = "0.23", default-features = false, features = ["ring"] }
+rustls = { version = "0.23", default-features = false, features = ["aws-lc-rs"] }
 tracing = { workspace = true }
 winit = "0.30.8"
--- a/components/servo/examples/winit_minimal.rs
+++ b/components/servo/examples/winit_minimal.rs
@ -25,7 +25,7 @@ use winit::raw_window_handle::{HasDisplayHandle, HasWindowHandle};
 use winit::window::Window;

 fn main() -> Result<(), Box<dyn Error>> {
-    rustls::crypto::ring::default_provider()
+    rustls::crypto::aws_lc_rs::default_provider()
        .install_default()
        .expect("Failed to install crypto provider");

--- a/deny.toml
+++ b/deny.toml
@ -53,18 +53,6 @@ confidence-threshold = 0.8
 exceptions = [
 ]

-# Some crates don't have (easily) machine readable licensing information,
-# adding a clarification entry for it allows you to manually specify the
-# licensing information
-[[licenses.clarify]]
-crate = "ring"
-# The SPDX expression for the license requirements of the crate
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    # Each entry is a crate relative path, and the (opaque) hash of its contents
-    { path = "LICENSE", hash = 0xbd0eed23 },
-]
-

 # This section is considered when running `cargo deny check bans`.
 # More documentation about the 'bans' section can be found here:
@ -103,6 +91,9 @@ skip = [
    "wasi",
    "wayland-sys",

+    # Duplicated by aws-lc-rs
+    "bindgen",
+
    # New versions of these dependencies is pulled in by GStreamer / GLib.
    "itertools",
    "toml",
--- a/ports/servoshell/Cargo.toml
+++ b/ports/servoshell/Cargo.toml
@ -67,7 +67,7 @@ getopts = { workspace = true }
 hitrace = { workspace = true, optional = true }
 mime_guess = { workspace = true }
 url = { workspace = true }
-rustls = { version = "0.23", default-features = false, features = ["ring"] }
+rustls = { workspace = true, features = ["aws-lc-rs"] }
 tokio = { workspace = true }
 tracing = { workspace = true, optional = true }
 tracing-subscriber = { workspace = true, optional = true, features = ["env-filter"] }
--- a/ports/servoshell/lib.rs
+++ b/ports/servoshell/lib.rs
@ -39,7 +39,7 @@ pub fn main() {
 }

 pub fn init_crypto() {
-    rustls::crypto::ring::default_provider()
+    rustls::crypto::aws_lc_rs::default_provider()
        .install_default()
        .expect("Error initializing crypto provider");
 }